I thought I’d give some brief references for anyone interested in IoT hacking. My experience here is fairly comprehensive; I have a couple of CVEs already, with a few more in the pipeline. My Masters dissertation was on the topic, and I am writing papers on it as part of my PhD work.
BOOKS:
There are three that should be on any bookshelf. They are:
“The IoT Hacker’s Handbook” by Aditya Gupta
“Practical IoT Hacking” by Fotios Chantzis and Ioannis Stais
“Practical Hardware Pentesting” by Jean-Georges Valle
These three books are a fantastic introduction to both on-board (e.g. JTAG, UART, I2C) and remote (Bluetooth, RFID, Zigbee). I would recommend you read through all three at least once.
HARDWARE:
In terms of hardware, this will depend on what you wish to investigate; the tools required for firmware dumping are wildly different from those needed for Bluetooth attacks. These are the ones I’ve found most useful (prices are approximate in GBP at the time of writing).
RFID: Proxmark3 Easy. This is honestly the best piece of entry level pentesting kit you can buy. It allows you to read and write all manner of RFID tags. There is a big brother version, the RDV4, but you don’t need that when starting out. The Easy should be around £60-70. Pick up some rewritable cards as well for a few pounds and have fun!
Bluetooth: A lot of people swear by the Ubertooth One (about £100 from eBay). Personally I found it really flaky. Instead I would look at a Nordic Semiconductor nRF52840 dongle at around £15. Add to that an Adafruit BlueFruit (based on the nRF51822 chipset) for £25 and that should be enough. If you want to try MitM attacks, then a couple of Raspberry Pi’s and a pair of cheap Bluetooth dongles should be plenty (probably £100 all in)
RF (433/868MHz): A lot of devices still use these reserved bands for communication, and you can capture transmissions using a cheap DVB-T dongle (£15-20). By default these will scan up to about 1.2GHz. For capturing transmissions at higher frequencies then you’ll either need a Yardstick One (about £100) or a HackRF (about £250). The last two have whole ecosystems around them; personally I think they’re more suited to advanced topics.
I have not included anything around Z-Wave and Zigbee as they are not popular protocols in the devices I test (smart locks, mainly). You can find tools to interface with them for a few tens of pounds. I’ve also not included any on-board debugging tools, as that’s not my area of expertise. I would suggest taking a look at the Attify Badge for around £40.
SOFTWARE:
These are the tools I uses in my dissertation:
BLUETOOTH:
BTLEjack – https://github.com/virtualabs/btlejack
Sweyntooth scripts – https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks
BTLEjuice – https://github.com/DigitalSecurity/btlejuice
HomePWN – https://github.com/Telefonica/HomePWN
Gattacker – https://github.com/securing/gattacker
RF:
URH – https://github.com/jopohl/urh
SDR# – https://airspy.com/download/
RFID:
HomePWN – https://github.com/Telefonica/HomePWN
Proxmark3 (Iceman Fork) – https://github.com/RfidResearchGroup/proxmark3
The above should give you plenty to work with. Find some willing test subjects (that you own!); I have found that anything cheap from AliExpress with one or more of these protocols enabled should give you plenty of enjoyment. Same goes for things from eBay and Amazon. I have broken into £10 devices and £310 devices, so take your pick! It’s fun, you get your hands dirty, and IoT hacking is a skill that will be in ever greater demand in the next decade.