Previously, we reviewed The Ghidra Book: The Definitive Guide because several of us were working with Ghidra, and it was a topic that made sense. Similarly, we spend a lot of time thinking and talking about Internet of Things (IoT) Security. Whether it is Craig Young winning the first-ever SOHOpelessly Broken contest at DEF CON or the team running the IoT Hack Lab at SecTor for multiple years, IoT is a popular subject within the team. So, it only made sense that we would take a look at Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things.
One of the aspects of the book that I appreciated was the layout. I’m often overwhelmed with a new book, especially if I don’t plan on reading it cover to cover. With tech books, I often aim to skip topics I’m familiar with or read sections related to projects I’m currently working on. In this case, having two tables of contents – Brief Contents, which came with the parts of the book and chapter titles, and the Contents in Detail, which came with both of those as well as a detailed breakdown – was excellent. The index shares a similar level of breakdown that at times seemed excessive or perhaps inaccurate. This may make more sense with an example.
Given that this is an IoT hacking book, I decided to take a look at their references to binwalk. There are five pages in total referenced in the index. Three of those pages are next to ‘binwalk,’ and the other two are next to ‘binwalk Nmap command.’ There is no binwalk Nmap command, so I was curious to know what those two pages were. The pages are part of the Network Assessments chapter in a section titled, “Identifying IoT Devices on the Network,” and a sub-section titled, “Uncovering Passwords by Fingerprinting Services.” This sub-section takes you on a journey that feels disconnected. Almost like it starts with the conclusion and the authors tried to figure out a way to tell the story of how they got there. It feels very out of place and lacks a lot of explanation. The other three pages that reference just binwalk include an entry in an appendix of tools and two pages on the tool. The first two pages (tying Nmap and binwalk) seemed like a mistake that wasn’t caught, and the others felt like the minimal explanation I would have wanted to see.
Beyond that, however, I enjoyed the material that was referenced. Let’s see how others felt.
Practical IoT Hacking is full of great information. The book covers a very diverse set of technologies and crosses fluidly between the domains of hardware, software, networking, and RF. This book has enough guidance to get someone started with an audit, but it does lack depth and may lose some novice students at times. Although I’ve yet to work through any of the exercises, the instructions generally seem clear for anyone with moderate Linux experience. The book comes with supplemental resources for completing various exercises throughout the book including working with external devices like Software Defined Radio (SDR) interfaces, Raspberry Pi, ESP32, and Arduino. I’m personally really looking forward to working through some of the hardware hacking hands on activities in part 3 of the book.
I was, however, surprised at times about which topics were selected (or omitted) and how many pages went toward different tactics or tools. For example, there is a section about MQTT which includes a 10-page exercise to recreate an existing password cracking tool, but there is no mention that clients can request all the data at once from a broker by using a wildcard topic name. In the section about WiFi, I also wondered about why there is a section about WPA2-Enterprise containing just a brief explanation of the attack surface rather than referencing or demonstrating any of the various tools for automating these attacks. Personally, I would have preferred to read a little more about WPA3 and the attacks described in Mathy Vanhoef’s research. There is also a notable absence of some key vulnerability categories commonly affecting HTTP interfaces for IoT devices. While there is a passing reference to cross-site request forgery, I came across no mention of locating or exploiting DNS rebinding, command injection, directory traversal, or HTTP authentication bypass vulnerabilities. Overall, there is relatively little discussion about the prevalence of flaws in local IoT web interfaces or how to find them.
The section which really got my attention as lacking content was chapter 39 titled “Firmware Hacking.” This chapter outlines how to extract filesystems and perform device emulation after obtaining a firmware image. I feel that this chapter really fails to capture a lot of basic information researchers should be looking for when analyzing firmware. The chapter focuses on a rather dull CVE and analysis tool from 5-6 years ago. Unfortunately, this academic tool is very limited in its capabilities, and I think readers would have been much better served by a few pages discussing the intricacies of using chroot, nvram-faker, and LD_PRELOAD or sideloading firmware components onto dev boards and other devices. The book does not really discuss the tremendous value from being able to identify system components, review server-side sources, and find vulnerabilities or even backdoors.
As I’ve said, the book is full of all sorts of interesting information, but it also has some notable gaps and room for expansion. I would recommend this book to someone interested in understanding more about the IoT attack surface and getting hands on with some tried and tested techniques, but I don’t think it is ideal for teaching readers processes for finding vulnerabilities in new devices.
Rating: 3.9/5
– Craig Young
Principal Security Researcher
Tripwire
Practical IoT Hacking is definitely a book I would recommend to anyone involved with IoT, especially those working in any type of cybersecurity role as well as any type of IoT developer. The book has a good mix of general to specific knowledge across the main domains that comprise the IoT. I really like how they introduced the subject in the first chapter, especially how they introduced and explained the legal issues that one can face when doing security research. I also like that they introduced other high-level aspects at the beginning such as threat modeling and a security testing methodology. The next parts of the book focused on network, hardware, and radio hacking, and these chapters included pretty much what I would expect from a book like this. The final two chapters rounded off the book nicely with discussions on attacking mobile applications as well as a full walk through of hacking a smart home. I do say that the steps they went through to hack a smart treadmill felt a little lame to me (at first) as the hack required physical access to the device, and in our world, if you have physical access, then it is game over. However, they did illustrate how to break out of the device’s UI, and from a security perspective, there is knowledge for others to gain from that illustration. One area of improvement for the book could be to add a more extended discussion on IoT and its relationship to vendor and/or cloud infrastructure. Overall, I enjoyed the book and will likely revisit it again in the future.
Rating: 4.5/5
– Lane Thames
Principal Security Researcher
Tripwire
Practical IoT Hacking is a sharp well designed book that first takes readers by the hand through the IoT landscape. It reveals why IoT security is important and the multiple threat models and processes that can be used in a simple but effective way. After a short introduction on security testing methodologies, the book takes the reader into the network portal of IoT, giving examples of common workplace and home setups with detailed attacks that most people with beginner knowledge would be able to reproduce. The hardware hacking section of the book is where things get interesting for me as a reader. With limited experience in physical hardware hacking knowledge, I felt that the author gave very detailed and easy-to-understand examples as well as introduced some cool tools such as Ghidra and JTAGulator.
Near the end of the book, in the final chapters, the author goes quickly over some examples and tools that can be used for targeting the IoT ecosystem, which for this part resides mainly in a reader’s house or on their phone. With that said, the author does give real-world examples that could take place and offers many tools to test out their examples. Overall, I enjoyed Practical IoT Hacking. The book gives many real-world examples and plenty of resources that a reader can use to help themselves dive deeper into the IoT landscape.
Rating: 4.5/5
– Matt Jerzewski
Security Researcher
Tripwire
Practical IoT Hacking provides quite the range of information from looking for security issues at the application layer to physical access. The book suggests to start looking for vulnerabilities by using a vulnerability scanner. This is a great suggestion because a lot of IoT devices suffer from the same if not similar issues. The book also touches on firmware extraction using binwalk, which can give you access to a wealth of information about the services on the device. Near the end of the book, the authors explain how to use JTAG for exploiting IoT devices. Overall, Practical IoT Hacking provides a broad range of information and gives a reader an idea how to start looking for security issues on IoT devices.
Rating: 4.0/5
– Andrew Swoboda
Senior Security Researcher
Tripwire
At the end of the day, I think that I would tend to agree with Andrew when rating this one and would call it a 4.0/5 myself.
Overall Rating: 4.2/5
#TripwireBookClub – Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things