
Hardware / IoT

Hardware and IoT challenges involve extracting, analysing, and exploiting firmware from embedded devices — reading debug interfaces like UART and JTAG, reversing proprietary protocols, and manipulating signals with logic analysers.

What is it?

Hardware and IoT security deals with the security of physical devices — routers, smart home gadgets, industrial controllers, medical devices, and custom embedded systems. Attackers target these devices through debug ports left enabled, unencrypted firmware update mechanisms, insecure bootloaders, and hard-coded credentials.

It blends electronics knowledge (serial protocols, PCB reading, soldering) with software RE (firmware extraction, MIPS/ARM binary analysis) and network security (exposed management APIs and services).

How it works in a CTF

In a CTF, hardware challenges usually provide a firmware image (.bin file), a logic analyser capture (.sal, .csv), or a description of a physical setup. Your goal is to extract a flag by analysing the firmware filesystem, reversing a binary, decoding a captured serial conversation, or exploiting a hardcoded credential.

Common workflow: run `binwalk -e firmware.bin` → explore the extracted filesystem → search for credentials and keys → reverse interesting binaries with Ghidra. If the challenge gives you a logic-analyser capture instead, decode the protocol with Sigrok.

Example challenge types
- Binwalk: extract filesystem from .bin
- Hard-coded root password in /etc/shadow
- UART console gives root shell
- Decrypt firmware update (AES key in binary)
- Logic analyser capture decode (UART/I²C/SPI)
- JTAG debug port code execution
- Web interface command injection (router)
- Private key in firmware filesystem
- Insecure bootloader bypass
- MQTT broker unauthenticated subscribe
- OTA update replay attack
- Exposed JTAG test pads on PCB

Sample Challenge

FirmwareFrenzy (Hardware, Medium, 250 pts)

You receive a 4 MB binary dump from a consumer IoT router: router_fw.bin. The vendor claims the firmware is encrypted, but the security team suspects the flag is stored in plain text inside the filesystem.

Attachment: router_fw.bin
How to solve it
  1. Run `binwalk router_fw.bin` — it detects a SquashFS filesystem at offset 0x50000 and a LZMA-compressed kernel.
  2. Extract: `binwalk -e router_fw.bin` — a directory `_router_fw.bin.extracted/` appears.
  3. Run `firmwalker _router_fw.bin.extracted/` — it highlights `/etc/config/system` as containing a password.
  4. Open the file — it contains: `option flag 'FLAG{b1nwalk_squashfs_4_th3_w1n}'`.
FLAG{b1nwalk_squashfs_4_th3_w1n}
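The firmwalker step above, as an added example that is neither firmwalker's own code nor part of the challenge: a small Python audit that walks an extracted firmware root and reports the three things the steps and tips hunt for (live password hashes in /etc/shadow, PEM private keys, and secrets in UCI-style /etc/config files). The sample tree it scans is constructed inline to stand in for `_router_fw.bin.extracted/`; the patterns are assumptions, not firmwalker's rule set.

```python
import os
import re
import tempfile

# Assumed audit patterns (constructed for this example):
# - shadow/passwd entries whose hash field starts with '$' (not locked '!' / '*')
# - PEM private-key headers anywhere in the tree
# - UCI 'option <name> <value>' lines whose name suggests a secret
SHADOW_HASH = re.compile(r"^([^:]+):(\$[^:]+):")
PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
UCI_SECRET = re.compile(r"^\s*option\s+(password|passwd|secret|key|flag)\s+'?([^']+)'?", re.I)

def audit_rootfs(root):
    """Walk an extracted firmware root; return a list of (relpath, kind, detail)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable / special files are skipped, not fatal
            if rel in ("etc/shadow", "etc/passwd"):
                for line in text.splitlines():
                    m = SHADOW_HASH.match(line)
                    if m:
                        findings.append((rel, "password-hash", m.group(1)))
            if PEM_KEY.search(text):
                findings.append((rel, "private-key", name))
            if rel.startswith("etc/config/"):
                for line in text.splitlines():
                    m = UCI_SECRET.match(line)
                    if m:
                        findings.append((rel, "uci-secret", f"{m.group(1)}={m.group(2)}"))
    return findings

def build_sample_rootfs():
    """Constructed stand-in for the extracted SquashFS root (hash and key are fake)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/config"))
    os.makedirs(os.path.join(root, "etc/ssl"))
    with open(os.path.join(root, "etc/shadow"), "w") as f:
        f.write("root:$1$saltsalt$notarealhash:18000:0:99999:7:::\n")
        f.write("daemon:*:18000:0:99999:7:::\n")  # locked account, must not be flagged
    with open(os.path.join(root, "etc/config/system"), "w") as f:
        f.write("config system\n\toption hostname 'router'\n"
                "\toption flag 'FLAG{b1nwalk_squashfs_4_th3_w1n}'\n")
    with open(os.path.join(root, "etc/ssl/server.key"), "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n")
    return root
```

Running `audit_rootfs(build_sample_rootfs())` reports the root hash, the key file and the `flag` option while leaving the locked `daemon` account and the harmless `hostname` option alone.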

Getting Started Tips

💡 Tip: First step with any firmware: run `binwalk -e firmware.bin` to extract the filesystem, then `firmwalker` on the extracted path.
💡 Tip: Look for UART test points on PCBs — they frequently give an unauthenticated root shell. A USB-TTL adapter costs ~$3.
💡 Tip: Check for default credentials in `/etc/passwd`, `/etc/shadow`, and init scripts before attempting anything more complex.
💡 Tip: Emulate firmware with QEMU (`qemu-mips-static`) when you don't have physical hardware — most Linux-based IoT firmware runs under QEMU.