"Security is not a product, but a process." — Bruce Schneier
IoT & Embedded Systems Security
Opening Framing
The Internet of Things (IoT) has dissolved the perimeter. We no longer have a "corporate network"
inside a firewall; we have lightbulbs talking to cloud servers, infusion pumps connected to Wi-Fi,
and cars receiving over-the-air firmware updates.
The Fundamental Shift: In traditional IT (Information Technology), we prioritize
Confidentiality. If a bank server is attacked, we shut it down to protect the data. In OT
(Operational Technology) and IoT, we prioritize Availability and Safety. If a
connected pacemaker or a chemical plant valve is attacked, shutting it down might kill
someone.
Why This Course Exists: IoT devices are rarely designed with security in mind. They
are constrained by power, cost, and legacy code. This course is about the offensive and defensive
techniques required to secure this chaotic new world.
Week Learning Outcomes:
Contrast the CIA Triad (IT) with the AIC/Safety Triad (OT/IoT).
Dissect the anatomy of an IoT device (MCU vs MPU, Firmware types).
Map the expanded attack surface (Physical, Radio, Network, Cloud).
Analyze the Mirai Botnet source code to understand automated exploitation.
Apply OSINT techniques (Shodan, FCC ID) to perform passive reconnaissance.
Evaluate the impact of new regulations (EU CRA, US Cyber Trust Mark).
1) The Paradigm Shift: CIA vs AIC
You cannot secure IoT using only IT mental models.
IoT devices are Cyber-Physical Systems (CPS). They translate digital bits into
kinetic action.
Bit to Atom: A command `set_temp(100)` turns on a physical heater.
Atom to Bit: A physical temperature sensor sends data `temp=100` to the cloud.
Kinetic Impact: Unlike a database breach, an IoT breach can cause fires, crashes,
floods, or physical injury. This is the defining characteristic of our field.
2) Anatomy of an IoT Device
To hack it, you must know what it is made of. It is not just a "small computer".
The Brain: MCU vs MPU
Feature | Microcontroller (MCU) | Microprocessor (MPU)
--- | --- | ---
Architecture | Everything on one chip (CPU, RAM, Flash). | Separate RAM, Flash, Peripherals.
OS | Bare Metal or RTOS (FreeRTOS). | Full OS (Linux, Android).
Resources | KB of RAM, MB of Flash. | GB of RAM, GB of Storage.
Typical Device | Smart Bulb, Thermostat, Sensor. | Smart TV, Router, Gateway.
Security Implication | Hard to patch. No ASLR/DEP usually. | Complex attack surface. Full Linux stack vulnerabilities.
Firmware Types
Bare Metal / Superloop
Code runs in a `while(1)` loop. No OS. Direct hardware access.
Vuln: Memory corruption crashes the whole device instantly.
RTOS (Real-Time OS)
Scheduler handles tasks (Network, Sensor, GUI). e.g., FreeRTOS, Zephyr.
Vuln: Task isolation is often weak. One crashed task can halt the scheduler.
3) The Expanded Attack Surface
In web security, you worry about ports 80/443. In IoT, the attack surface is 360 degrees.
Layer 1: Physical Surface
If the attacker can touch the device, it's game over.
Storage: Desoldering the Flash chip to read firmware directly.
Layer 2: Wireless/Radio Surface
Signals leave the building. You can be attacked from the parking lot.
Wi-Fi: Deauth attacks, weak WPA2 PSKs.
Bluetooth (BLE): Spoofing, Man-in-the-Middle (MITM) during pairing.
Zigbee/LoRa: Replay attacks, Key sniffing.
SDR (Software Defined Radio): Replaying garage door openers (Sub-GHz).
Layer 3: Network Surface
The "Traditional" attack surface, but with older protocols.
Telnet: Yes, it is still used in 2025.
UPnP: Universal Plug and Play exposing internal devices to the WAN.
Unencrypted Protocols: MQTT, HTTP and FTP send passwords in cleartext.
Layer 4: Cloud/API Surface
The "Backend" that controls the device.
Insecure APIs: IDOR (Insecure Direct Object Reference) allowing User A to turn
off User B's alarm.
Hardcoded API Keys: Found inside the firmware image.
Layer 5: Supply Chain Surface
The code you didn't write and the chips you didn't design.
Third-Party Libraries: "Ripple20" found flaws in a TCP/IP stack used by
hundreds of vendors.
Counterfeit Chips: Cloned hardware with backdoors or lower tolerances.
Vendor Compromise: Attackers hacking the build server (SolarWinds style) to
push malicious firmware updates.
4) Deep Dive: OWASP IoT Top 10
The definitive list of IoT vulnerabilities. We will break down each one.
I1: Weak, Guessable, or Hardcoded Passwords
The Flaw: Shipping devices with credentials like `admin:1234` or hardcoding a
backdoor root password in the firmware that represents a "Golden Key" for all devices.
Real World: The Mirai Botnet. Mirai didn't use an exploit; it just tried 62 common
user/pass combos via Telnet. It enslaved 600,000 devices in days.
I2: Insecure Network Services
The Flaw: Running unnecessary services (Telnet, SSH, FTP, Debug) or exposing them to
the internet via UPnP.
Remediation: Shrink the attack surface. If you don't need it, close the port.
I3: Insecure Ecosystem Interfaces
The Flaw: The device is safe, but the Mobile App or Cloud API is weak.
Real World: Nissan Leaf API. Security researchers found they could drain the
battery of any Nissan Leaf in the world just by knowing the VIN, because the API had no
authentication.
I4: Lack of Secure Update Mechanism
The Flaw: Devices that cannot be patched, or updates that are sent over HTTP without
digital signatures.
Remediation: All firmware updates must be Signed (Cryptographically
verified) and Encrypted.
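As an added example (not course material or any vendor's code), a Go sketch of the device-side check that I4 calls for: an update is installed only if its Ed25519 signature verifies under the vendor's public key and its version is newer than the installed one, so an old but genuinely signed image cannot be replayed. The "FWUP" image layout and the 62/7 version numbers are hypothetical, and the example covers signing only, not the encryption the remediation also asks for.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (a hypothetical format for this example, not any vendor's):
//   [0:4] magic "FWUP"   [4:8] version, big-endian uint32   [8:] firmware payload
// The detached Ed25519 signature covers the whole image, so the anti-rollback version is authenticated too.
const magic = "FWUP"

// VerifyUpdate returns the payload only if the signature verifies and the version is newer than installed.
func VerifyUpdate(pub ed25519.PublicKey, image, sig []byte, installed uint32) ([]byte, error) {
	if len(image) < 8 || string(image[:4]) != magic {
		return nil, errors.New("malformed image header")
	}
	// Authenticate first: no field, not even the version, is trusted before this check.
	if !ed25519.Verify(pub, image, sig) {
		return nil, errors.New("signature verification failed")
	}
	ver := binary.BigEndian.Uint32(image[4:8])
	if ver <= installed {
		return nil, fmt.Errorf("rollback rejected: image v%d, installed v%d", ver, installed)
	}
	return image[8:], nil
}

// BuildSigned is the build-server side: assemble the image and sign it with the vendor's private key.
func BuildSigned(priv ed25519.PrivateKey, version uint32, payload []byte) (image, sig []byte) {
	image = make([]byte, 8, 8+len(payload))
	copy(image, magic)
	binary.BigEndian.PutUint32(image[4:8], version)
	image = append(image, payload...)
	return image, ed25519.Sign(priv, image)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	image, sig := BuildSigned(priv, 7, []byte("constructed firmware payload"))
	_, err := VerifyUpdate(pub, image, sig, 6)
	fmt.Println("genuine v7 over installed v6:", err) // <nil>
	_, err = VerifyUpdate(pub, image, sig, 7)
	fmt.Println("replayed v7 over installed v7:", err) // rollback rejected
	image[8] ^= 0xff // flip bits in one payload byte
	_, err = VerifyUpdate(pub, image, sig, 6)
	fmt.Println("tampered image:", err) // signature verification failed
}
```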
I5: Use of Insecure or Outdated Components
The Flaw: Using a 5-year-old version of OpenSSL or a legacy Linux kernel.
The Fix: Maintain a Software Bill of Materials (SBOM) and monitor for CVEs.
I6: Insufficient Privacy Protection
The Flaw: Storing user data (voice, video, GPS) that isn't needed for the device to
function.
Example: A smart vacuum uploading a map of your house to the cloud.
I7: Insecure Data Transfer and Storage
The Flaw: Storing Wi-Fi passwords in plaintext in the EEPROM or sending telemetry
over unencrypted MQTT.
I8: Lack of Device Management
The Flaw: No way to inventory devices or decommission them safely (wipe data) when
selling.
I9: Insecure Default Settings
The Flaw: Shipping with debug ports open or "Guest Mode" enabled by default.
I10: Lack of Physical Hardening
The Flaw: Allowing easy access to the PCB, debug pads, or SD card slots.
5) Deep Dive: The Mirai Botnet
In 2016, three teenagers created a botnet that took down the internet for the US East Coast. It
relied entirely on fundamental IoT weaknesses.
The Code Anatomy
Mirai wasn't complex. It was brutally efficient.
scanner.c (Simplified Logic)
    // 1. Generate a random IP address
    ip = generate_random_ip();
    // 2. Try to connect to port 23 (Telnet)
    if (connect(sock, ip, 23) == SUCCESS) {
        // 3. Brute force with a small dictionary of default credentials
        for (int i = 0; i < 62; i++) {
            if (try_login(usernames[i], passwords[i])) {
                report_success_to_loader(ip, usernames[i], passwords[i]);
                break;
            }
        }
    }
The Combo List
Mirai didn't crack passwords; it guessed them. The 62 combinations included:
6) Deep Dive: Stuxnet
Stuxnet (2010) is the most famous cyber-weapon in history. It destroyed nuclear centrifuges in Iran.
It is the ultimate example of "Effects-Based" cyber attacks.
The Kill Chain
Infection: USB drives dropped in parking lots (Bridging the Air Gap).
Propagation: 4 Zero-Day exploits in Windows Print Spooler and LNK files (Layer 3).
The Target: It looked specifically for Siemens Step7 software (SCADA Layer 2).
The Payload:
It injected malicious ladder logic into the PLC (Level 1).
The logic spun the centrifuges at 1410 Hz (too fast) then 2 Hz (too slow), causing them
to shatter (Level 0).
The Mask: It replayed "System Normal" sensor data to the control room,
so operators saw nothing wrong until they heard the explosions (S.A.I.C violation).
7) The OSINT Toolkit
Before an attacker touches a device, they perform Passive Reconnaissance.
Shodan: The Search Engine for IoT
Google crawls text; Shodan crawls banners. It connects to ports 80, 21, 22 and 502 (Modbus) and
records the response.
Shodan Query Cheat Sheet
# Find exposed Webcams
"Server: SQ-WEBCAM" port:80
# Find Industrial Control Systems (Modbus)
port:502
# Find MQTT Brokers with no auth
port:1883 "MQTT Connection Code: 0"
# Find default Routers in Australia
country:AU default password
# Find VNC (Remote Desktop) without Auth
"authentication disabled" "RFB 003.008"
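As an added example (not course material), a Go parser for the MQTT 3.1.1 CONNECT/CONNACK exchange that a defender can run over captured broker traffic: it decodes the connect flags and reports when a client that presented no username or password was accepted with return code 0, the condition the `port:1883 "MQTT Connection Code: 0"` query above surfaces and the unauthenticated telemetry of I7 relies on. The sample packets are constructed; ConnectCreds, AnonymousAccepted and the Sample* names are this example's own.

```go
package main

import "errors"

// Constructed capture: client "sensor-01", clean session, keep-alive 60 s, no credentials; CONNACK code 0 (accepted).
var SampleConnect = []byte{0x10, 0x15, 0x00, 0x04, 'M', 'Q', 'T', 'T', 0x04, 0x02, 0x00, 0x3c,
	0x00, 0x09, 's', 'e', 'n', 's', 'o', 'r', '-', '0', '1'}
var SampleConnack = []byte{0x20, 0x02, 0x00, 0x00}

// ConnectCreds parses an MQTT 3.1.1 CONNECT packet: client ID plus the username/password flags. Malformed input errors.
func ConnectCreds(pkt []byte) (clientID string, hasUser, hasPass bool, err error) {
	if len(pkt) < 2 || pkt[0] != 0x10 {
		return "", false, false, errors.New("not a CONNECT packet")
	}
	// Remaining Length: variable-length int, 7 data bits per byte, at most 4 bytes.
	remaining, i := 0, 1
	for mult := 1; ; mult *= 128 {
		if i > 4 || i >= len(pkt) {
			return "", false, false, errors.New("bad remaining length")
		}
		remaining += int(pkt[i]&0x7F) * mult
		i++
		if pkt[i-1]&0x80 == 0 {
			break
		}
	}
	// Variable header: len-prefixed "MQTT", protocol level, connect flags, keep-alive; payload starts with the client ID.
	body := pkt[i:]
	if len(body) != remaining || len(body) < 12 || string(body[:6]) != "\x00\x04MQTT" {
		return "", false, false, errors.New("bad length or variable header")
	}
	flags, n := body[7], int(body[10])<<8|int(body[11])
	if len(body) < 12+n {
		return "", false, false, errors.New("truncated client id")
	}
	return string(body[12 : 12+n]), flags&0x80 != 0, flags&0x40 != 0, nil
}

// AnonymousAccepted is true when a CONNECT carrying no credentials was answered by a
// CONNACK with return code 0: the broker permits anonymous access.
func AnonymousAccepted(connect, connack []byte) (bool, error) {
	_, hasUser, hasPass, err := ConnectCreds(connect)
	if err != nil {
		return false, err
	}
	if len(connack) != 4 || connack[0] != 0x20 || connack[1] != 0x02 {
		return false, errors.New("not a CONNACK packet")
	}
	return !hasUser && !hasPass && connack[3] == 0, nil
}
```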
FCC ID Lookup
Every wireless device sold in the USA must register with the FCC. This public database is a
goldmine.
Search: fccid.io/[ID_ON_BACK_OF_DEVICE]
Pro Tip: Always check the FCC ID first. It tells you exactly what hardware you are
attacking (Chipset, RAM, Flash, Frequency) without opening the box.
8) Regulations: The Law Has Arrived
For decades, IoT was the "Wild West". That ended in 2024.
EU Cyber Resilience Act (CRA)
Mandatory key features:
- No default passwords.
- Mandatory vulnerability reporting (within 24 hours).
- Security updates for the expected lifespan of the product (min 5 years).
Penalty: Up to €15M or 2.5% of global turnover.
UK PSTI Act (2024)
Bans generic default passwords (e.g., "admin"). Requires a published point of contact for
vulnerability researchers.
US Cyber Trust Mark
A voluntary labeling program (like Energy Star) for secure IoT devices. Consumers scan a QR code to
see privacy data.
9) Career Pathways in IoT Security
Where does this course lead you? The industry is desperate for specialists.
3. Are there unpatched RCE (Remote Code Execution) vulnerabilities?
Tools of the Trade
The standard toolkit from Phase 1 (Reconnaissance).
Tool | Function | Cost | Link
--- | --- | --- | ---
Shodan | Search engine for IoT devices. | Freemium | shodan.io
Censys | Competitor to Shodan, better for Certs. | Freemium | censys.io
GreyNoise | Analyze "Background Noise" (Is this IP scanning everyone?). | Freemium | greynoise.io
Aircrack-ng | Wi-Fi packet capture and cracking. | Free | aircrack-ng.org
Wireshark | Packet analysis. | Free | wireshark.org
Binwalk | Firmware extraction tool. | Free | github.com/ReFirmLabs/binwalk
Glossary of Terms
AIC / CIAA
Availability, Integrity, Confidentiality, Authenticity. The priority stack for IoT/OT.
Attack Surface
The sum of all potential entry points (Physical, Network, Radio, Supply Chain).
Cyber-Physical System (CPS)
A system where software controls physical mechanisms/processes.
Firmware
Permanent software programmed into a read-only memory.
Kinetic Impact
Physical damage or effect caused by a cyber attack.
MCU
Microcontroller Unit. A low-power computer-on-a-chip (RAM+CPU+Flash).
Mirai
A malware that turns networked devices running Linux into remote controlled bots.
OSINT
Open Source Intelligence. Gathering data from public sources (Google, Shodan, FCC).
RTOS
Real-Time Operating System. An OS designed for deterministic task execution (e.g., FreeRTOS).
SBOM
Software Bill of Materials. A list of all software components/libraries in a device.
Shodan
A search engine for internet-connected devices.
Side-Channel Attack
Attacking a device by measuring physical leakage (power consumption, electromagnetic radiation)
rather than software bugs.
Stuxnet
A malicious computer worm, first uncovered in 2010, that targets industrial control systems.
UART
Universal Asynchronous Receiver-Transmitter. A hardware serial protocol often used for debugging
consoles.
Weekly Reflection
Look around your room. Pick one "Smart" device.
1. Who made the chip inside it? (Supply Chain)
2. When was it last updated? (Lifecycle)
3. Does it need to be on the internet? (Attack Surface)