IoT Security Lab

Dark Arts Vault - Securing the Connected World


Welcome to the IoT Security Lab

The Internet of Things (IoT) represents the interconnection of everyday physical objects through network infrastructure, enabling them to collect, exchange, and act upon data. This lab explores the security challenges and attack vectors inherent in IoT ecosystems.

Lab Objectives:
  • Understand IoT architecture and communication models
  • Identify security vulnerabilities in IoT devices
  • Analyze attack vectors and defensive strategies
  • Evaluate communication protocols and their security implications

IoT Categories

Consumer IoT

Smart homes, wearables, connected appliances, entertainment systems, and personal devices.

Examples: Smart thermostats, fitness trackers, voice assistants, smart locks

Industrial IoT (IIoT)

Manufacturing equipment, SCADA systems, supply chain management, and critical infrastructure.

Examples: Industrial sensors, automated factories, power grid controls, logistics tracking

Core IoT Components

  • Sensors: Data collection devices
  • Cameras: Visual monitoring
  • Gateways: Network bridges
  • Cloud Servers: Data processing
  • Remote Apps: User interfaces

Security Challenge: Each component introduces potential attack surfaces. Weak authentication, poor access control, and clear-text communications create exploitable vulnerabilities.

IoT Operating Systems

  • ARM mbed OS: Optimized for ARM Cortex-M microcontrollers, designed for low-power IoT devices
  • Windows 10 IoT: Microsoft's IoT platform for enterprise and industrial applications
  • Contiki: Open-source OS for constrained IoT devices with network connectivity
  • Ubuntu Core: Minimal Ubuntu for secure IoT deployments with transactional updates

IoT Architecture Layers

IoT systems follow a layered architecture that enables data flow from physical devices to user applications. Understanding this architecture is crucial for identifying security vulnerabilities at each layer.

1. Edge Technology Layer (Perception)
Physical devices that sense and collect data from the environment
Components: Sensors, actuators, RFID tags, smart meters, cameras, wearables
Vulnerabilities: Physical tampering, weak device authentication, firmware exploitation
2. Access Gateway Layer
Bridges between edge devices and the internet, performing protocol translation and aggregation
Components: IoT gateways, routers, base stations, edge computing nodes
Vulnerabilities: Man-in-the-middle attacks, gateway compromise, traffic interception
3. Internet Layer
Network infrastructure that enables global connectivity and data transmission
Components: Internet protocols (IPv4/IPv6), cellular networks, satellite communications
Vulnerabilities: DDoS attacks, packet sniffing, routing attacks, DNS spoofing
4. Middleware Layer
Data processing, storage, and management infrastructure
Components: Cloud platforms, databases, analytics engines, message queues
Vulnerabilities: Data breaches, unauthorized access, injection attacks, insecure APIs
5. Application Layer
User-facing applications and services that consume IoT data
Components: Mobile apps, web dashboards, automation rules, analytics interfaces
Vulnerabilities: Weak authentication, session hijacking, XSS, CSRF, privilege escalation

Communication Models

Device-to-Device (D2D)

Direct communication between IoT devices without intermediary infrastructure.

Examples: Bluetooth pairing, Zigbee mesh networks, NFC transactions

Security Risks: Eavesdropping, unauthorized pairing, replay attacks

Device-to-Cloud (D2C)

Devices connect directly to cloud services for data storage and processing.

Examples: Smart thermostats, fitness trackers, connected cameras

Security Risks: Credential theft, API vulnerabilities, data interception

Device-to-Gateway (D2G)

Devices communicate through a local gateway that aggregates and forwards data.

Examples: Smart home hubs, industrial controllers, home automation systems

Security Risks: Gateway compromise, local network attacks, lateral movement

IoT Network Topology Builder

Build your own IoT network by dragging devices onto the canvas. Visualize how different components interact in a typical IoT deployment.


IoT Communication Protocols

Different IoT applications require different communication protocols based on range, power consumption, bandwidth, and security requirements.

Protocol | Range | Power | Bandwidth | Security Level | Common Uses
WiFi (802.11) | ~100m | High | High (Mbps) | High | Smart home, cameras, streaming devices
Zigbee | 10-100m | Low | Low (250 Kbps) | Medium | Home automation, sensors, mesh networks
RFID | ~10m | Very Low | Very Low | Low | Asset tracking, access control, inventory
LTE-Advanced | Wide Area | High | Very High (Gbps) | High | Connected vehicles, industrial IoT, remote monitoring
LPWAN (LoRaWAN) | ~15km | Very Low | Very Low | Medium | Agriculture, smart cities, environmental monitoring
Sigfox | ~50km | Very Low | Very Low (100 bps) | Low | Asset tracking, simple sensors, utilities
Bluetooth/BLE | ~10m | Low | Medium (2 Mbps) | Medium | Wearables, beacons, proximity devices
Z-Wave | ~30m | Low | Low (100 Kbps) | High | Home automation, security systems

Security Considerations:
  • RFID & Sigfox: Limited or no encryption, vulnerable to eavesdropping and replay attacks
  • Zigbee & Bluetooth: Encryption available but often poorly implemented or using default keys
  • WiFi & LTE: Strong encryption standards (WPA3, TLS) but vulnerable if misconfigured
  • LPWAN: Security varies by implementation; LoRaWAN supports AES-128 encryption

Smart Home Vulnerability Assessment

Click on devices to discover their vulnerabilities. This smart home contains multiple security weaknesses common in real-world deployments.

Living Room
  • Smart TV: 3 known vulnerabilities
  • Voice Assistant: 4 known vulnerabilities
  • Smart Lights
Kitchen
  • Smart Fridge: 2 known vulnerabilities
  • Coffee Maker
Bedroom
  • Smart Lock: 5 known vulnerabilities
  • Security Camera: 4 known vulnerabilities
  • Thermostat
Office
  • WiFi Router: 3 known vulnerabilities
  • Network Printer: 2 known vulnerabilities
IoT Gateway: Central hub connecting all devices

Total Devices: 10 | Vulnerable Devices: 7 | Known Vulnerabilities: 23

IoT Vulnerability Scanner Simulator

This simulated scanner demonstrates how security professionals discover and assess IoT devices on a network. In real-world scenarios, tools like Shodan, Nmap, and specialized IoT scanners are used for defensive security assessments.

Educational Purpose: This is a simulation. Never scan networks or devices without explicit authorization. Unauthorized scanning is illegal and unethical.

Common IoT Vulnerabilities Detected

  • Default Credentials: Devices shipped with factory default usernames and passwords (admin/admin, root/12345)
  • Outdated Firmware: Unpatched vulnerabilities in device firmware with known exploits
  • Open Debug Ports: Telnet (23), SSH (22), or custom debug interfaces exposed to the network
  • Unencrypted Communications: Data transmitted in clear-text, allowing network sniffing attacks
  • Buffer Overflows: Input validation failures allowing code execution via malformed data
  • Insecure APIs: Web APIs lacking authentication, authorization, or input validation
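The following is an added example, not the lab's own scanner simulator: it applies the weakness classes above to a constructed device inventory and produces a per-device findings list plus the same kind of summary counts the smart-home view shows. The device records, the credential list and the severity labels are assumed sample data.

```python
from dataclasses import dataclass

# Factory-default credential pairs named in the text; severities are assumed labels.
DEFAULT_CREDS = {("admin", "admin"), ("root", "12345")}
DEBUG_PORTS = {23: "Telnet", 22: "SSH"}
CLEARTEXT_PORTS = {80: "HTTP"}

@dataclass
class Device:
    name: str
    open_ports: set
    credentials: tuple      # (username, password) currently configured
    firmware: str
    latest_firmware: str
    api_requires_auth: bool = True

def assess(dev):
    """Return (finding, severity) pairs for one discovered device."""
    findings = []
    if dev.credentials in DEFAULT_CREDS:
        findings.append(("Default Credentials", "high"))
    if dev.firmware != dev.latest_firmware:
        findings.append(("Outdated Firmware", "medium"))
    for port, svc in DEBUG_PORTS.items():
        if port in dev.open_ports:
            findings.append((f"Open Debug Port: {svc} ({port})", "high"))
    for port, svc in CLEARTEXT_PORTS.items():
        if port in dev.open_ports:
            findings.append((f"Unencrypted {svc} ({port})", "medium"))
    if not dev.api_requires_auth:
        findings.append(("Insecure API: no authentication", "high"))
    return findings

def scan(devices):
    return {d.name: assess(d) for d in devices}   # {device name: findings}

def summary(report):
    """(total devices, vulnerable devices, total findings), like the lab's summary line."""
    vulnerable = [n for n, f in report.items() if f]
    return len(report), len(vulnerable), sum(len(f) for f in report.values())

# Constructed sample inventory (not real devices)
SAMPLE = [
    Device("camera-01", {80, 23}, ("admin", "admin"), "1.2", "1.4"),
    Device("lock-02", {443}, ("owner", "c0rrect-h0rse"), "3.0", "3.0"),
    Device("tstat-03", {80}, ("root", "12345"), "2.1", "2.1", api_requires_auth=False),
]
```

Calling scan(SAMPLE) and summary() on the result reports 3 devices, 2 vulnerable, 7 findings; the lock with changed credentials, current firmware and only port 443 open produces none.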

IoT Attack Scenario Walkthrough

Follow this realistic attack scenario to understand how IoT vulnerabilities are exploited. This educational walkthrough demonstrates defensive principles through offensive awareness.

Ethical Reminder: This scenario is for educational purposes only. Attacking systems without authorization is illegal. Use this knowledge to defend, not to harm.
1. Reconnaissance - Network Discovery

Attacker uses Shodan or network scanning tools to identify IoT devices exposed to the internet. Searches for specific device types, open ports, and default configurations.

Defense: Implement network segmentation, use firewalls to restrict internet-facing devices, disable UPnP.

2. Initial Access - Default Credentials

Attacker attempts authentication using manufacturer default credentials found in documentation or credential databases. Many IoT devices never have passwords changed.

Defense: Force password change on first setup, implement strong password policies, use multi-factor authentication.

3. Firmware Exploitation

Attacker downloads device firmware, extracts it using binwalk, and analyzes for hardcoded credentials, backdoors, or vulnerable services. Known vulnerabilities are exploited for root access.

Defense: Regular firmware updates, encrypted firmware, secure boot mechanisms, vulnerability scanning.

4. Lateral Movement

With one device compromised, attacker pivots to other devices on the same network. IoT devices often trust local network traffic, allowing easy lateral movement.

Defense: Network segmentation (VLANs), zero-trust architecture, micro-segmentation for IoT devices.

5. Data Exfiltration & Persistence

Attacker establishes persistent access (backdoor), monitors network traffic, exfiltrates sensitive data, or recruits device into botnet for DDoS attacks (Mirai-style).

Defense: Network monitoring, intrusion detection systems, regular security audits, device behavior analysis.

6. Impact & Consequences

Privacy breach (camera/microphone access), physical security compromise (smart locks), data theft, botnet participation, ransom demands, or use as attack platform.

Defense: Incident response plan, device isolation capabilities, backup and recovery procedures, security awareness training.
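As an added example of the "device behavior analysis" defense for steps 4 and 5 (not part of the lab), the detection below runs over constructed flow records and flags two behaviours a compromised device shows: sweeping one port across many neighbours on the IoT segment, and contacting an external destination outside the device's known baseline. The flow records, baseline, segment prefix and threshold are all assumed sample values.

```python
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    (1, "10.0.1.20", "52.1.1.1", 443),       # camera -> its usual cloud endpoint
    (2, "10.0.1.20", "10.0.1.21", 23),       # camera probing Telnet on neighbours
    (2, "10.0.1.20", "10.0.1.22", 23),
    (3, "10.0.1.20", "10.0.1.23", 23),
    (3, "10.0.1.20", "10.0.1.24", 23),
    (4, "10.0.1.20", "10.0.1.25", 23),
    (5, "10.0.1.20", "198.51.100.7", 6667),  # unexpected external destination
    (6, "10.0.1.30", "52.1.1.2", 443),       # thermostat behaving normally
]

# Assumed per-device baseline of expected external destinations (learned or declared)
BASELINE = {"10.0.1.20": {"52.1.1.1"}, "10.0.1.30": {"52.1.1.2"}}
LOCAL_PREFIX = "10.0.1."   # the IoT segment (assumed)
SWEEP_THRESHOLD = 4        # distinct local hosts on one port before alerting (assumed)

def detect(flows, baseline):
    """Return alerts for port sweeps across the IoT segment and off-baseline egress."""
    alerts = []
    probes = defaultdict(set)   # (src, dst_port) -> local hosts contacted
    for _, src, dst, port in flows:
        if dst.startswith(LOCAL_PREFIX):
            probes[(src, port)].add(dst)
        elif src in baseline and dst not in baseline[src]:
            alerts.append(("new-external-destination", src, dst, port))
    for (src, port), hosts in probes.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            alerts.append(("internal-port-sweep", src, port, len(hosts)))
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS, BASELINE):
        print(alert)
```

On the sample data the camera raises both alerts while the thermostat raises none; in a real deployment the baseline would come from an allow-list or a learning period, and the segment prefix from the VLAN plan.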

Firmware Analysis Workflow

Firmware analysis is critical for discovering vulnerabilities in IoT devices. This workflow demonstrates the process used by security researchers to analyze device firmware.

1. Firmware Acquisition
Obtain firmware from manufacturer website, device extraction (JTAG/UART), or intercept during update process. May require physical access to device flash memory.
2. Firmware Extraction
Use tools like binwalk to identify and extract filesystem from firmware image. Common formats include SquashFS, JFFS2, YAFFS2, or encrypted containers.
3. File System Analysis
Examine extracted files for configuration files, scripts, binaries, and web interfaces. Search for hardcoded credentials, API keys, certificates, and backdoors.
4. Binary Analysis
Disassemble binaries using tools like Ghidra or IDA Pro. Identify architecture (ARM, MIPS), analyze functions, look for buffer overflows, format string vulnerabilities, and logic flaws.
5. Network Service Analysis
Identify running services (web servers, telnet, SSH), analyze authentication mechanisms, test for injection vulnerabilities, and assess API security.
6. Dynamic Testing (Emulation)
Emulate firmware using QEMU or similar tools. Test discovered vulnerabilities in safe environment. Develop proof-of-concept exploits and validate findings.
7. Reporting & Disclosure
Document findings, assess severity (CVSS scoring), follow responsible disclosure practices. Provide manufacturers time to patch before public disclosure.
Common Firmware Analysis Tools:
  • binwalk: Firmware extraction and analysis
  • Ghidra/IDA Pro: Reverse engineering and disassembly
  • QEMU: Firmware emulation
  • firmwalker: Automated firmware security analysis
  • strings: Extract readable text from binaries
  • radare2: Advanced binary analysis framework
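The following is an added example of the file system analysis step (step 3), written here for the lab rather than taken from firmwalker or any other listed tool: it walks an extracted root filesystem and reports private keys, hardcoded passwords, API keys and sensitive system files. The patterns, the sensitive-path list and the miniature rootfs it builds in a temp directory are all constructed for illustration.

```python
import os
import re
import tempfile

# Patterns for the artefacts step 3 looks for (hypothetical, not firmwalker's own rules)
PATTERNS = {
    "private-key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(r"(?i)\b(passw(or)?d|pwd)\s*[=:]\s*\S+"),
    "api-key": re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*\S+"),
}
SENSITIVE_PATHS = {"etc/passwd", "etc/shadow"}

def walk_firmware(root):
    """Walk an extracted rootfs and return sorted (label, location) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel in SENSITIVE_PATHS:
                findings.append(("sensitive-file", rel))
            with open(full, "r", errors="ignore") as fh:   # binaries are read as text
                for lineno, line in enumerate(fh, 1):
                    for label, pat in PATTERNS.items():
                        if pat.search(line):
                            findings.append((label, f"{rel}:{lineno}"))
    return sorted(findings)

def build_sample_rootfs():
    """Create a constructed mini rootfs in a temp dir (contents are not real)."""
    root = tempfile.mkdtemp()
    samples = {
        "etc/shadow": "root:$1$abc$xyz:0:0:99999:7:::\n",
        "etc/config/cloud.conf": "api_key = EXAMPLE-KEY-0000\n",
        "usr/www/login.cgi": "password=admin\n",
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nEXAMPLE\n",
        "bin/busybox": "\x7fELF not a real binary\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for finding in walk_firmware(build_sample_rootfs()):
        print(finding)
```

Point walk_firmware() at the directory binwalk extracted (typically a _firmware.bin.extracted/squashfs-root tree) to run it on real output; the regexes are a starting point and will need tuning per vendor.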

IoT Security Assessment Quiz

Test your knowledge of IoT security concepts. Answer all 12 questions to earn your XP and track your progress.