Real-World IoT and Embedded Device Hacking

Learn how to attack real, off-the-shelf and supposedly secure devices that are in wide-spread use around the world.

10 February – 13 February 2020
Berlin, Germany
Purchase TicketsCan't attend?

Pricing (Prices exclude 20% VAT for Estonia)


until February 01


after February 01


Tickets Available






The Westin Grand

Friedrichstraße 158-164, 10117 Berlin, Germany

View on Google Maps


10 February 2020 – 13 February 2020

Have you ever looked at a physical device and wondered what was possible? How does it work? Why is it secure? What does information flowing between components look like using a logic analyzer? And most importantly, can we hack it?

This course is all about hardware exploration, from understanding how common devices are designed and manufactured up to manipulating each component to behave how you want it to behave, and not how the manufacturer anticipated.

For manufacturers, understanding how controls are subverted is vital in designing more robust and secure devices. For security personnel, understanding how to attack devices and how to review a device for security is critical for working with the new wave of connected devices. For developers, this class will teach the methods used by hackers and teach them to defend against them.

The devices the students will hack in this course range from access control systems (such as used in some embassies and power plants), connected cameras, smart lightning controllers, industrial gateways and more.

The training focuses on teaching how to perform a hardware security audit, starting with basic firmware analysis and going as deep as performing a man-in-the-middle attack on in-device busses.

Finally, we also look at how the conducted attacks can be prevented and how more secure device architectures can be designed.

Learn how to hack fingerprint access control systems, smart cameras, wearables, bitcoin wallets and more.

What this class will teach

In this class students will learn how to find hardware security issues on real-world embedded devices:

  • Building a hardware security lab
  • Tools for embedded device analysis
  • Basic firmware analysis
  • Finding & abusing debugging capabilities (JTAG, SWD, Serial consoles)
  • Dumping memory devices & ICs
  • Identifying & extracting secrets from dumps
  • Analyzing busses
  • Man-in-the-middle attacks on in-device busses
  • Attacks on devices with secure-elements
  • Basic side-channel attacks
  • Processors and their (in)security features

Who this training is for

  • Security engineers getting into IoT/embedded security
  • Developers
  • Hardware designers
  • Everyone who is curious about securing the Internet-of-Things


Day 1 - The basics

Day 1 is a crash-course into the world of embedded device hacking and covers:

  • Basic firmware analysis

    • From firmware blob to extracted filesystem
    • Identifying encrypted/unencrypted firmware
    • Determining hardware-details from a firmware dump
    • Finding vulnerabilities using static analysis
  • Analyzing signals

    • Logic signals
    • Basic signal analysis using a logic analyzer
    • Signal trainer: Identifying unknown signals
    • Probing on real devices
    • Embedded protocols (SPI, I2C, UART, etc)

Day 2 - Getting our hands dirty

On day 2 we will start looking at devices from the real world and how to abuse design decisions made in the production of them.

  • Architecture analysis

    • Identifying components
    • Understanding a device architecture
    • Building a basic hardware threat model
  • Introduction to our custom and off-the shelf hardware and software tools
  • Hands-on hacking

    • Finding debug interfaces (Consoles, finding undocumented JTAG & SWD pinouts, etc)
    • Using OpenOCD to dump firmware
    • Analyzing dumped firmware & flash contents
    • Extracting secrets from dumps
  • How does a secure device look?

Day 3 - Breaking better secured devices

We don't have JTAG, SWD, or a serial console - what now? On day 3 we will look at attacks on in-device bus systems, such as I2C and secure-elements - and how to abuse them to our advantage.

  • Introduction to secure-elements

    • ISO7816 (Smartcard protocol) and 1-wire
    • Analyzing 1-wire communication
    • Common Secure-Elements/Authentication chips and their pitfalls
    • Case-studies of real-world secure-element issues
  • Hands-on embedded man-in-the-middle attacks

    • Introduction to the MITM hardware & software tools
    • Building a Python-based MITM attack tool for different protocols
  • Real-device hands-on:

    • Man-in-the-middle attack on a secure-element
    • TOCTTU (Time of check to time of use) man-in-the-middle attack for bypassing secure-boot

Day 4 - Insecure chips & side-channels

On day 4 we focus on two other layers of security: The processor and unintentional side-channels. Most software developers just assume the hardware to do the correct thing, but often issues exists in the processors themselves that can be exploited to gain code-execution or bypass security checks. We also look at side-channel attacks: Unintentional information leakage, for example through the power consumption of a device, can cause secrets to leak from devices or be used to bypass access protections.

  • Processor security features

    • Fuses, crypto accelerators, read-out protection
    • Attacks
    • Glitching
    • Boot ROM issues
  • Side-channel attacks

    • Timing side-channels
    • RF side-channels
    • Power side-channels
  • Hands-on

    • Exploiting a timing side-channel
    • Bring-your-own/choose-your-own target lab
Trainer Thomas Roth Headshot
Training by Thomas Roth

Thomas is best known for his attacks on embedded devices. His research focuses on mobile and embedded systems with published research on TrustZone, payment terminals, and embedded security.

Companies paying
Online by Credit Card

Purchase Online Now

Individuals, Wire Transfers,
or Group Discounts

Request an Invoice

Can't attend? Would you like this training at your location? We'll be in touch.

Courses are offered multiple times a year at locations worldwide.
All of our courses are also offered at a location of your choice.