# Awesome Embedded and IoT Security [![Awesome]()]()

> A curated list of awesome resources about embedded and IoT security. The list contains software and hardware tools, books, research papers and more.

Botnets like [Mirai]() have proven that there is a need for more security in embedded and IoT devices. This list shall help beginners and experts to find helpful resources on the topic.

If you are a beginner, you should have a look at the [Books](#books) and [Case Studies](#case-studies) sections. If you want to start right away with your own analysis, you should give the [Analysis Frameworks](#analysis-frameworks) a try. They are easy to use and you do not need to be an expert to get first meaningful results.

> _Items marked with :euro: are commercial products._

## Contents

- [Software Tools](#software-tools)
  - [Analysis Frameworks](#analysis-frameworks)
  - [Analysis Tools](#analysis-tools)
  - [Extraction Tools](#extraction-tools)
  - [Support Tools](#support-tools)
  - [Misc Tools](#misc-tools)
- [Hardware Tools](#hardware-tools)
  - [Bluetooth BLE Tools](#bluetooth-ble-tools)
  - [ZigBee Tools](#zigbee-tools)
  - [SDR Tools](#sdr-tools)
  - [RFID NFC Tools](#rfid-nfc-tools)
- [Books](#books)
- [Research Papers](#research-papers)
- [Case Studies](#case-studies)
- [Free Training](#free-training)
- [Websites](#websites)
  - [Blogs](#blogs)
  - [Tutorials and Technical Background](#tutorials-and-technical-background)
- [Conferences](#conferences)

## Software Tools

Software tools for analyzing embedded/IoT devices and firmware.

### Analysis Frameworks

- [EXPLIoT]() - Pentest framework like Metasploit but specialized for IoT.
- [FACT - The Firmware Analysis and Comparison Tool]() - Full-featured static analysis framework including extraction of firmware, analysis utilizing different plug-ins and comparison of different firmware versions.
  - [Improving your firmware security analysis process with FACT]() - Conference talk about FACT :tv:.
- [FwAnalyzer]() - Analyzes the security of firmware based on customized rules. Intended as an additional step in DevSecOps, similar to CI.
- [HAL – The Hardware Analyzer]() - A comprehensive reverse engineering and manipulation framework for gate-level netlists.
- [HomePWN]() - Swiss Army knife for pentesting IoT devices.
- [IoTSecFuzz]() - Framework for automating the security analysis of IoT layers: hardware, software and communication.
- [Killerbee]() - Framework for testing and auditing ZigBee and IEEE 802.15.4 networks.
- [PRET]() - Printer Exploitation Toolkit.
- [Routersploit]() - Framework dedicated to exploiting embedded devices.

### Analysis Tools

- [Binwalk]() - Searches a binary for "interesting" stuff.
- [Firmadyne]() - Tries to emulate and pentest a firmware image.
- [Firmwalker]() - Searches extracted firmware images for interesting files and information.
- [Firmware Slap]() - Discovers vulnerabilities in firmware through concolic analysis and function clustering.
- [Ghidra]() - Software reverse engineering suite; handles arbitrary binaries if you provide the CPU architecture and endianness of the binary.
- [Radare2]() - Software reverse engineering framework; also handles popular formats and arbitrary binaries, and has an extensive command line toolset.
- [Trommel]() - Searches extracted firmware images for interesting files and information.

### Extraction Tools

- [Binwalk]() - Extracts arbitrary files utilizing a carving approach.
- [FACT Extractor]() - Detects the container format automatically and executes the corresponding extraction tool.
- [Firmware Mod Kit]() - Extraction tools for several container formats.
- [The SRecord package]() - Collection of tools for manipulating EPROM files (can convert lots of binary formats).

### Support Tools

- [JTAGenum]() - Adds JTAG capabilities to an Arduino.
- [OpenOCD]() - Free and Open On-Chip Debugging, In-System Programming and Boundary-Scan Testing.
### Misc Tools

- [Cotopaxi]() - Set of tools for security testing of Internet of Things devices using specific IoT network protocols.
- [dumpflash]() - Low-level NAND flash dump and parsing utility.
- [flashrom]() - Tool for detecting, reading, writing, verifying and erasing flash chips.
- [Samsung Firmware Magic]() - Decrypts Samsung SSD firmware updates.

## Hardware Tools

- [Bus Blaster]() - Detects and interacts with hardware debug ports like [UART]() and [JTAG]().
- [Bus Pirate]() - Detects and interacts with hardware debug ports like UART and JTAG.
- [Shikra]() - Detects and interacts with hardware debug ports like UART and JTAG, among other protocols.
- [JTAGULATOR]() - Detects JTAG pinouts quickly.
- [Saleae]() - Easy to use logic analyzer that supports many protocols :euro:.
- [Ikalogic]() - Alternative to Saleae logic analyzers :euro:.
- [HydraBus]() - Open source multi-tool hardware similar to the Bus Pirate but with NFC capabilities.
- [ChipWhisperer]() - Detects glitch/side-channel attacks.
- [Glasgow]() - Tool for exploring and debugging different digital interfaces.
- [J-Link]() - J-Link offers USB powered JTAG debug probes for multiple different CPU cores :euro:.

### Bluetooth BLE Tools

- [UberTooth One]() - Open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation.
- [Bluefruit LE Sniffer]() - Easy to use Bluetooth Low Energy sniffer.

### ZigBee Tools

- [ApiMote]() - ZigBee security research hardware for learning about and evaluating the security of IEEE 802.15.4/ZigBee systems. Killerbee compatible.
- Atmel RZUSBstick - Tool for development, debugging and demonstration of a wide range of low power wireless applications including IEEE 802.15.4, 6LoWPAN, and ZigBee networks. Killerbee compatible. Discontinued product; lucky if you have one!
- [Freakduino]() - Low cost battery operated wireless Arduino board that can be turned into an IEEE 802.15.4 protocol sniffer.

### SDR Tools

- [RTL-SDR]() - Cheapest SDR for beginners. It is a computer based radio scanner for receiving live radio signals at frequencies from 500 kHz up to 1.75 GHz.
- [HackRF One]() - Software Defined Radio peripheral capable of transmission or reception of radio signals from 1 MHz to 6 GHz (half-duplex).
- [YardStick One]() - Half-duplex sub-1 GHz wireless transceiver.
- [LimeSDR]() - Software Defined Radio peripheral capable of transmission or reception of radio signals from 100 kHz to 3.8 GHz (full-duplex).
- [BladeRF 2.0]() - Software Defined Radio peripheral capable of transmission or reception of radio signals from 47 MHz to 6 GHz (full-duplex).
- [USRP B Series]() - Software Defined Radio peripheral capable of transmission or reception of radio signals from 70 MHz to 6 GHz (full-duplex).

### RFID NFC Tools

- [Proxmark 3 RDV4]() - Powerful general purpose RFID tool. From Low Frequency (125 kHz) to High Frequency (13.56 MHz) tags.
- [ChameleonMini]() - Programmable, portable tool for NFC security analysis.
- [HydraNFC]() - Powerful 13.56 MHz RFID / NFC platform. Read / write / crack / sniff / emulate.
## Books

- 2020, Fotios Chantzis, Evangel Deirme, Ioannis Stais, Paulino Calderon, Beau Woods: [Practical IoT Hacking]()
- 2020, Jasper van Woudenberg, Colin O'Flynn: [The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks]()
- 2019, Yago Hansen: [The Hacker's Hardware Toolkit: The best collection of hardware gadgets for Red Team hackers, Pentesters and security researchers]()
- 2019, Aditya Gupta: [The IoT Hacker's Handbook: A Practical Guide to Hacking the Internet of Things]()
- 2018, Mark Swarup Tehranipoor: [Hardware Security: A Hands-on Learning Approach]()
- 2018, Mark Carney: [Pentesting Hardware - A Practical Handbook (DRAFT)]()
- 2018, Qing Yang, Lin Huang: [Inside Radio: An Attack and Defense Guide]()
- 2017, Aditya Gupta, Aaron Guzman: [IoT Penetration Testing Cookbook]()
- 2017, Andrew Huang: [The Hardware Hacker: Adventures in Making and Breaking Hardware]()
- 2016, Craig Smith: [The Car Hacker's Handbook: A Guide for the Penetration Tester]()
- 2015, Keng Tiong Ng: [The Art of PCB Reverse Engineering]()
- 2015, Nitesh Dhanjani: [Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts]()
- 2015, Joshua Wright, Johnny Cache: [Hacking Wireless Exposed]()
- 2014, Debdeep Mukhopadhyay: [Hardware Security: Design, Threats, and Safeguards]()
- 2014, Jack Ganssle: [The Firmware Handbook (Embedded Technology)]()
- 2013, Andrew Huang: [Hacking the XBOX]()

## Research Papers

- 2019, Almakhdhub et al.: [BenchIoT: A Security Benchmark for the Internet of Things]()
- 2019, Alrawi et al.: [SoK: Security Evaluation of Home-Based IoT Deployments]()
- 2019, Abbasi et al.: [Challenges in Designing Exploit Mitigations for Deeply Embedded Systems]()
- 2019, Song et al.: [PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary]()
- 2018, Muench et al.: [What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices]()
- 2017, O'Meara et al.: [Embedded Device Vulnerability Analysis Case Study Using Trommel]()
- 2017, Jacob et al.: [How to Break Secure Boot on FPGA SoCs through Malicious Hardware]()
- 2017, Costin et al.: [Towards Automated Classification of Firmware Images and Identification of Embedded Devices]()
- 2016, Kammerstetter et al.: [Embedded Security Testing with Peripheral Device Caching and Runtime Program State Approximation]()
- 2016, Chen et al.: [Towards Automated Dynamic Analysis for Linux-based Embedded Firmware]()
- 2016, Costin et al.: [Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces]()
- 2015, Shoshitaishvili et al.: [Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware]()
- 2015, Papp et al.: [Embedded Systems Security: Threats, Vulnerabilities, and Attack Taxonomy]()
- 2014, Zaddach et al.: [Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares]()
- 2014, Alimi et al.: [Analysis of embedded applications by evolutionary fuzzing]()
- 2014, Costin et al.: [A Large-Scale Analysis of the Security of Embedded Firmwares]()
- 2013, Davidson et al.: [FIE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution]()

## Case Studies

- [Binary Hardening in IoT products]()
- [Cracking Linksys “Encryption”]()
- [Deadly Sins Of Development]() - Conference talk presenting several real world examples of really bad implementations :tv:.
- [Dumping firmware from a device's SPI flash with a buspirate]()
- [Hacking the DSP-W215, Again]()
- [Hacking the PS4]() - Introduction to the PS4's security.
- [Multiple vulnerabilities found in the D-link DWR-932B]()
- [Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol]()
- [PWN Xerox Printers (...again)]()
- [Reversing Firmware With Radare]()
- [Reversing the Huawei HG533]()

## Free Training

- [CSAW Embedded Security Challenge 2019]() - CSAW 2019 Embedded Security Challenge (ESC).
- [Embedded Security CTF]() - Microcorruption: Embedded Security CTF.
- [Hardware Hacking 101]() - Workshop @ BSides Munich 2019.
- [IoTGoat]() - IoTGoat is a deliberately insecure firmware based on OpenWrt.
- [Rhme-2015]() - First Riscure Hack Me hardware CTF challenge.
- [Rhme-2016]() - Riscure Hack Me 2 is a low level hardware CTF challenge.
- [Rhme-2017/2018]() - Riscure Hack Me 3 embedded hardware CTF 2017-2018.

## Websites

- [Hacking Printers Wiki]() - All things printer.
- [OWASP Embedded Application Security Project]() - Development best practices and list of hardware and software tools.
- [OWASP Internet of Things Project]() - IoT common vulnerabilities and attack surfaces.
- [Router Passwords]() - Default login credential database sorted by manufacturer.
- [Siliconpr0n]() - A wiki/archive of all things IC reversing.

### Blogs

- [/dev/ttyS0's Embedded Device Hacking]()
- [Exploiteers]()
- [Hackaday]()
- [jcjc's Hack The World]()
- [Quarkslab]()
- [wrong baud]()
- [Firmware Security]()
- [PenTestPartners]()
- [Attify]()
- [Patayu]()
- [GracefulSecurity - Hardware tag]()
- [Black Hills - Hardware Hacking tag]()

### Tutorials and Technical Background

- [Azeria Lab]() - Miscellaneous ARM related tutorials.
- [JTAG Explained]() - A walkthrough covering UART and JTAG bypassing a protected login shell.
- [Reverse Engineering Serial Ports]() - Detailed tutorial about how to spot debug pads on a PCB.
- [UART explained]() - An in-depth explanation of the UART protocol.

## Conferences

Conferences focused on embedded and/or IoT security.

- []() - The Hague, September.
- [ USA]() - Santa Clara, June.

## Contribute

Contributions welcome! Read the [contribution guidelines]() first.

## License

[![CC0]()]()

To the extent possible under law, Fraunhofer FKIE has waived all copyright and related or neighboring rights to this work.