Expl-iot: IoT Security Testing Framework

Loading Click here to add:
Add to notification list

After working on IoT security testing for a few years, we realized that there is a lot of time spent on learning and setting up different tools including hardware, radio and software. As the IoT technology is new there is no standard software to test most of the components and the tools available are either not mature yet or do only specific job. With this problem at hand we envisioned a software that would allow developers and researchers to automate most of the IoT security testing steps. We began our journey with writing a flexible and extendable framework that would help the community and us in writing quick IoT test cases and exploits. The objectives of the framework are:

  1. Easy of use
  2. Extendable
  3. Support for hardware, radio and IoT protocol analysis

We released the beta version (in ruby) of Expl-iot in 2017. Once we started implementing hardware and radio functionality, we realized that ruby does not have much support for hardware and radio analysis which led us to deprecate it and re-write it in python to support more functionality. We are currently working on the python3 version and will release it in a month or two. The new beta release is envisioned to have support for UART(serial), ZigBee, BLE, MQTT, CoAP (next version will have support for JTAG, I2C and SPI) and few miscellaneous test cases. This talk would give attendees a first-hand view of the functionality, how to use it and how to write plugins to extend the framework. 

Aseem Jakhar 
Aseem is the Director R&D at Payatu Software Labs LLP, a boutique security testing organization with specialization in IoT, embedded, mobile and cloud security. He is a speaker and trainer at international security conferences like Blackhat, Hack in Paris, Brucon, Hack in the box, Defcon, Zer0con, PHDays to name a few. He is also an open source developer and has written various open source security projects including - Indroid/Jugaad - Runtime Thread injection toolkit for Arm/x86, Dexfuzzer - A dumb fuzzer for dex files, DIVA Android - Damn Insecure and Vulnerable App for Android and Expliot framework. Sources: - Expliot (Ruby) DIVA Android - Indroid - Jugaad - Dexfuzzer