Who's Watching Who - Hacking IP Cameras

The Internet of Things (IoT) can be described as “A system of interrelated, internet-connected objects that are able to collect and transfer data over a wireless network without human intervention” (Aeris, 2021). IoT devices can be broadly grouped into five categories: Consumer, Commercial, Industrial, Infrastructure, and Military (Maayan, 2020). Billions of devices are installed across these categories globally. It is estimated that there will be more than 75 billion connected devices by 2025 (Maayan, 2020). This represents a 10x increase since 2018. IoT devices generate an estimated 500 zettabytes of data annually, a volume that is expected to grow exponentially (Liton, 2018). These devices have been plagued with security issues since their inception due to weak, guessable or hardcoded passwords, insecure network services, insecure ecosystem interfaces, insecure and outdated components, and a variety of other security problems (Stahie, 2020). These factors present a unique opportunity for a workshop that presents these concepts and teaches participants how to identify vulnerabilities and how they would be used in an attack against insecure devices. This workshop is tailored to beginner to intermediate participants.

Below is our proposed outline for the workshop, factoring in a 10-minute break each hour. Content and exercises will be packaged for distribution to all CactusCon participants.

Workshop Outline: 4 hours (50-minute sessions with 10-minute breaks)

Hour 1 – The first hour of the workshop will focus on concepts, terminology, and setting the foundation for the advanced concepts and hands-on work in later sections.
- Pentesting concepts and overview – Students will review the basics of pentesting and how a pentest would be conducted at a high level.
- Security Architecture Discussion – Students will then learn about security architectures and how to implement them within small businesses and enterprise networks. This is to demonstrate the defensive aspects of cybersecurity and their interaction with offensive operations. It will also provide the specific architecture of our “lab environment” that students will interact with.
- IoT Devices Overview – Students will learn about IoT devices across the various categories of devices, the common protocols these devices use for networking, and the protocols and nuances specific to these devices.

Hour 2 – The focus of this session will be on how to identify information and vulnerabilities associated with IoT devices. Students will be introduced to Shodan, Google searching, and other reconnaissance techniques. From these results, students will evaluate vulnerabilities and how they may be used to carry out attacks on the environment or a specific device.
- Reconnaissance – Students will be introduced to reconnaissance tools and techniques associated with pentesting in general and then use tools and resources more specific to IoT devices.
- Vulnerability Identification and Analysis – Students will learn how to analyze IoT vulnerabilities and determine which are viable options to begin the attack phase.
- Attack Methodology – Students will learn what an attack methodology is, the different components, and how to develop the methodology to improve chances of success during an engagement.

Hour 3 – The focus of this section will be developing the tools necessary to carry out the attack on the device. This will cover three different options (Logging In / Default Passwords, Phishing, Malware / Script) at a high level, given the time constraints.
- Scripting – Students will receive a basic introduction on scripting and use that to develop an attack that will allow the attacker to control the cameras.
- Conducting the Attack – Students will use the tools, techniques, and script learned during the workshop to impact the target environment.

Hour 4 – The final hour will focus on exfiltration, effects, and actions on objectives. During this time we will discuss what the access has allowed us to do and what the potential impacts are. This will lead to a review and key takeaways.
- Exfiltration / Effects / Actions on Objectives – Students will learn what valuable information could be obtained from this type of attack. Additionally, students will understand the specific information that can be obtained from these devices and how they can possibly be a pivot point into other systems within the environment.
- Review / Key Takeaways / Q&A – The workshop will wrap up with a review of the material covered, key takeaways and answer any student questions.

Aeris (2021). What is IoT? Defining the Internet of Things (IoT). Aeris. https://www.aeris.com/what-is-iot/.
Liton, M. (2018, February 7). How Much Data Comes From The IoT? Sumo Logic. https://www.sumologic.com/blog/iot-data-volume/#:~:text=IoT%20data%20is%20measured%20in,to%20grow%20exponentially%2C%20not%20linearly.
Maayan, G. (2020, January 13). The IoT Rundown For 2020: Stats, Risks, and Solutions. Security Today. https://securitytoday.com/articles/2020/01/13/the-iot-rundown-for-2020.aspx.
Stahie, S. (2020, October 19). Lack of Security in IoT Devices Explained. What Can We Do About It. Security Boulevard. https://securityboulevard.com/2020/10/lack-of-security-in-iot-devices-explained-what-can-we-do-about-it/#:~:text=Weak%2C%20guessable%20or%20hardcoded%20passwords,services%20are%20another%20big%20issue.

Michael Galde

University of Arizona, Assistant Professor

Tucson, Arizona, United States
