Practical Internet of Things (IoT) Exploitation

October 31st & November 1-2nd

Hackfest is proud to offer “Practical Internet of Things (IoT) Exploitation” training to learn everything about IoT hacking and hardware hacking!


Practical IoT Exploitation is a hands-on class focusing on the Internet of Things Security and Exploitation with a practitioner’s approach.

IoT or the Internet of Things is one of the most popular trends in technology as of now. A lot many new devices are coming up every single month. However, not much attention has been paid to the device’s security till now.

“Practical IoT Exploitation” is a class offering attendees the ability to assess and exploit the security of these smart devices - by looking at the devices from an attackers approach, diving deep into Embedded security issues, reverse engineering firmware, analyzing radio communications and more.

The 3-days action packed training will cover different varieties of IoT devices and will have numerous labs focusing on real world security issues found in commercial Internet of Things solutions.

The course labs include both real world devices and emulated environments provided to the attendees during the training. Practical IoT Exploitation training class is designed for individuals who want to kickstart their career in IoT Pentesting and walk out of the class on completion with having the skill sets needed to perform a real-world IoT Pentest.

The training is beginner friendly and does not expect the attendees to have any prior knowledge of IoT Security. The attendees will be provided with VM image of AttifyOS for IoT pentesting, created by the trainers themselves. 

After the 3-days class, the attendees will be able to:

  • Extract, dump and analyze device firmwares 
  • Analyzing firmware and binaries 
  • Hands-on Labs with UART, SPI and JTAG Exploitation
  • Device Scanning and reversing communication APIs
  • 3rd party and USB based Attacks 
  • SDR based exploitation for IoT devices
  • Attacks on BLE, ZigBee - Hands-on labs 

Practical IoT Exploitation is the course for you if you want to try exploitation on new hardwares and find security vulnerabilities and 0-days in IoT devices. The class will conclude with a CTF exercise where the attendees will have to apply all the different skillsets learnt during the 3-day class.



  • Badge for conferences of November 3rd and 4th
  • Lunch for the 3 days of training (October 31st & November 1-2nd)
  • Coffee breaks

Course Content

Topics that will be covered in the class include:

  • Embedded Device security analysis
  • Accessing Root console via Serial Interfacing
  • NAND Glitching
  • Dumping data from an SPI flash
  • JTAG identification, debugging and exploitation
  • Emulating and Reversing firmware
  • Exploiting firmware binaries - ARM and MIPS exploitation
  • Backdooring firmware and flashing to device
  • External media based attacks
  • M2MXML, CoAP and MQTT vulnerabilities
  • ICS based vulnerabilities
  • Sniffing Radio Signals
  • Extracting data from captured signal
  • Sniffing and Exploiting BLE based devices
  • Sniffing and Exploiting ZigBee based devices
  • Conducting a real-world IoT pentest
  • CTF



Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, a specialized IoT and mobile security firm. He is a mobile security expert and evangelist. Gupta has conducted a lot of in-depth research on mobile application security and IoT device exploitation, and is the author of Learning Pentesting for Android Devices and IoT Hackers Handbook .

Gupta is the creator and lead instructor for the popular training course “Offensive Internet of Things Exploitation,” which has seen great success at Black Hat USA 2015, Black Hat USA 2016, and Brucon. He has discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe and many more. Gupta published a research paper on ARM Exploitation titled “A Short Guide on ARM Exploitation.”

In his previous roles, he has worked on mobile security, application security, network penetration testing, developing automated internal tools to prevent fraud, finding and exploiting vulnerabilities. Gupta is a frequent speaker and trainer at various international security conferences such as Black Hat, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, and Clubhack. He also provides private and customized training programmes for organizations.