SEC556: IoT Penetration Testing

  • In Person (3 days)
  • Online
18 CPEs
SEC556 facilitates examining the entire IoT ecosystem, helping you build the vital skills needed to identify, assess, and exploit basic and complex security mechanisms in IoT devices. This course gives you tools and hands-on techniques necessary to evaluate the ever-expanding IoT attack surface.

What You Will Learn

A growing trend in recent years has seen small-form factor computing devices increasingly accessing networks to provide connectivity to what typically used to be disconnected devices. While we can debate if your home appliances truly need Internet access, there is no debate that the Internet of Things (IoT) is here to stay. It allows for deeper connectivity of many devices that are indeed useful, with great benefits to homes and enterprises alike.

Unfortunately, with this proliferation of connected technology, many of these devices do not consider or only minimally consider security in the design process. While we have seen this behavior in other types of testing as well, IoT is different because it utilizes and mixes together many different technology stacks such as custom Operating System builds, web and API interfaces, various networking protocols (e.g., Zigbee, LoRA, Bluetooth/BLE, WiFi), and proprietary wireless. This wide range of diverse, poorly secured technology makes for a desirable pivot point into networks, opportunities for modification of user data, network traffic manipulation, and more.

SEC556 will familiarize you with common interfaces in IoT devices and recommend a process along with the Internet of Things Attack (IoTA) testing framework to evaluate these devices within many layers of the Open Systems Interconnection (OSI) model. From firmware and network protocol analysis to hardware implementation issues and all the way to application flaws, we will give you the tools and hands-on techniques to evaluate the ever-expanding range of IoT devices. The course approach facilitates examining the IoT ecosystem across many different verticals, from automotive technology to healthcare, manufacturing, and industrial control systems. In all cases, the methodology is the same but the risk model is different.

Once we have been empowered to understand each individual challenge, we can understand the need for more secure development and implementation practices with IoT devices.

You will be able to

  • Assess IoT network-facing controls, web applications, and API endpoints with an IoT focus
  • Examine hardware to discover functionality and find interaction points and use them to obtain data from the hardware
  • Uncover firmware from hardware and other means, and explore it for secrets and implementation failures
  • Sniff, interact with, and manipulate WiFi, LoRA, and Zigbee wireless technologies and understand security failures in implementation
  • Interact with Bluetooth Low Energy (BLE) for device manipulation
  • Automate recovery of unknown radio protocols to perform replay attacks and additional analysis

You will receive with this course

  • BusPirate 3.6a and cable
  • SPI Flash integrated circuit
  • Solderless breadboard
  • HackRF One with antenna
  • HackRF ANT500 antenna
  • USB Logic analyzer
  • Dupont wires
  • RaspberryPi 2G Vilros Kit (32 Gig SD card) (Note: this comes with a U.S. plug, so international students will need to bring an adapter)
  • USB wireless adapter
  • TP-Link Bluetooth Low Energy USB adapter
  • 433Mhz IoT remote-controlled outlet (110/120V only, EU and APAC students will need to bring a voltage converter)
  • A pair of CC2531 custom-flashed USB Zigbee adapters
  • USB 3.0 4-port hub
  • Ethernet cable
  • Custom Slingshot Linux Virtual Machine
  • Custom Raspberry Pi image (PIoT.01)

Syllabus (18 CPEs)

Download PDF
  • Overview

    This course section introduces the overall problem with IoT security and examines how testing can address the problem in largely generic terms, given the multitude of IoT implementations. The first technical concepts include network recon and attacks as well as key web application issues often found with IoT devices, such as authentication bypass, RFI, and command injection. Additionally, we will examine API requests from mobile apps to back-end services and the devices themselves, then use the tools testers need to inspect and exploit network and web-based IoT.

    • Lab 1.1: Wireshark filters and PCAP inspection
    • Lab 1.2: Nmap scan of an IoT device and exploitation with Metasploit
    • Lab 1.3, Part 1: Burp Suite interception on IoT web portal for exposed secrets
    • Lab 1.3, Part 2: Using Postman to send password data to an IoT API
    • Lab 1.4, Part 1: Exploiting an IoT portal for consumer-grade devices
    • Lab 1.4, Part 2: Injecting commands into vulnerable IoT web services

    Course introduction

    Course methodology for testing IoT: Modified IoTA

    Tooling for IoTA: Introducing hardware tools

    Network discovery and recon

    Active network discovery

    Network exploitation for IoT

    Web services in IoT

    Web and API recon and discovery

    Tools for web services

    Web service attack types and exploitation

  • Overview

    This section will introduce key concepts to perform recon against various hardware devices for destructive and semi-destructive testing for hardware, as well as hardware identification, communication, and exploitation using various hardware tools. We will also examine ways to recover device operating systems (firmware) and analyze them to recover stored secrets and various implementation flaws.

    • Lab 2.1: Obtaining and analyzing Specification Sheets
    • Lab 2.2: Sniffing serial and SPI
    • Lab 2.3: Recovering firmware from PCAP
    • Lab 2.4: Recovering filesystems with binwalk
    • Lab 2.5: Pillaging the filesystem
    • Background and importance of IoT hardware
    • Opening the device
    • Examining and identifying components
    • Discovering and identifying ports
    • A soldering primer
    • Sniffing, interaction, and exploitation of hardware ports: Serial, SPI, JTAG
    • Recovering firmware
    • Firmware analysis
    • Pillaging the firmware
  • Overview

    This course section focuses on the more popular and developing, documented, and standardized wireless technologies often found in IoT technology. The concepts introduced include capturing traffic, gaining access to networks and encrypted data, and interacting with and compromising IoT devices and their functions. The section will introduce the concepts to analyze and exploit non-standard and proprietary RF communications often found in IoT devices

    • Lab 3.1: WiFi PSK cracking
    • Lab 3.2: BLE device interaction
    • Lab 3.3: Zigbee traffic capture
    • Lab 3.4: Conducting a replay transmission attack on IoT
    • Wi-Fi
    • Bluetooth Low Energy
    • Zigbee
    • LoRA
    • SDR


Attendees are expected to have a working knowledge of TCP/IP and web technologies and a basic knowledge of the Linux command lines before they come to class. While SEC556 is technically in-depth, it is important to note that programming knowledge is NOT required for the course.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2/M3 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 60GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • A wired Ethernet network adapter is required for this course. This can be either an internal or an external USB-based network adapter but you cannot use wireless networking alone.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"It has been amazing to watch the progression and widespread adoption of what we now know as the Internet of Things in both our homes and enterprises  whether you realize it or not! However, while IoT-enabled technologies have arguably made our lives better by improving conveniences and our ability to obtain more accurate data about our environment, we unknowingly increase our attack surface through their use."

"In other words, the benefits often come at a cost, in many cases because of lackluster development practices by many IoT manufacturers that fail to consider the entirety of the attack surface of their device ecosystem. This failure is largely seen as financial; baking security in from the start is an expense that reduces the already low profit margins on IoT devices. Delays from adopting enhanced security measures can prevent a timely push to market, further compounding profit-per-device issues."

"With the increased adoption of IoT, attackers have also focused their efforts on IoT platforms. Techniques and tool capabilities have become exponentially more sophisticated, and they are often used for good to unlock additional features and capabilities. However, less-ethical attackers have gained the same sophistication with their toolsets, giving them the upper hand in exploiting the technology we rely on for critical tasks. The IoT adoption rate, in combination with the sophistication of attackers, paints a grave picture for the future of IoT and the networks IoT devices are connected to unless we begin now to improve the security of all facets of the IoT ecosystem."

"We are very excited to deliver interactive, hands-on labs and a suite of hardware and software tools to equip IoT analysts and developers with practical skills, methodologies, and thought processes that they can bring back to their organizations and apply on day one. The skills you will build in this class will be valuable for today's IoT technology and serve as a foundation for tomorrow's advancements, regardless of your vertical, application, or data." - Larry Pesce, James Leyte-Vidal, and Steven Walbroehl


This course is perfect to learn essential contents of IoT pen testing.
Junya Fujita
I really liked the firmware dumping hardware-based stuff, followed by the Bluetooth BLE and SDR exercises. I had not done this before and it was taught well enough that I could go out into the field and do them again.
Caleb Jaren
The labs work well for bringing concepts home and making them real. The work done to scale/virtualize them and make them repeatable is amazing.
Lee Neely
Lawrence Livermore National Laboratory

    Register for SEC556

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.