Book Image

IoT Penetration Testing Cookbook

By : Aaron Guzman, Aditya Gupta
Book Image

IoT Penetration Testing Cookbook

By: Aaron Guzman, Aditya Gupta

Overview of this book

IoT is an upcoming trend in the IT industry today; there are a lot of IoT devices on the market, but there is a minimal understanding of how to safeguard them. If you are a security enthusiast or pentester, this book will help you understand how to exploit and secure IoT devices. This book follows a recipe-based approach, giving you practical experience in securing upcoming smart devices. It starts with practical recipes on how to analyze IoT device architectures and identify vulnerabilities. Then, it focuses on enhancing your pentesting skill set, teaching you how to exploit a vulnerable IoT device, along with identifying vulnerabilities in IoT device firmware. Next, this book teaches you how to secure embedded devices and exploit smart devices with hardware techniques. Moving forward, this book reveals advanced hardware pentesting techniques, along with software-defined, radio-based IoT pentesting with Zigbee and Z-Wave. Finally, this book also covers how to use new and unique pentesting techniques for different IoT devices, along with smart devices connected to the cloud. By the end of this book, you will have a fair understanding of how to use different pentesting techniques to exploit and secure various IoT devices.
Table of Contents (19 chapters)
Title Page
About the Authors
About the Reviewers
Customer Feedback


In mobile application security testing, there is a four-phase methodology which can be categorized by the following:

  • Application mapping: Application mapping pertains to the application's logic and the application's business function. Think of application mapping as gathering information about the application to be used in the next phase.
  • Client-side attacks: Client-side attacks pertain to data being stored in the application and how that data can be manipulated from the client side.
  • Network attacks: Network attacks pertain to network layer concerns such as SSL/TLS or maybe XMPP protocol data.
  • Server attacks: Server attacks apply to API vulnerabilities and backend server misconfigurations brought to light as a result of API testing.

This methodology may vary if testing is conducted via a white box or black box perspective. What is relevant from both the white and black box testing perspective is the Mobile Application Security Verification Standard (MASVS). The MASVS aimed to establish...