xorl %eax, %eax

Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things

A month or so ago, I was thrilled when I saw that this book had been published. First, because it covers a very interesting topic for which information at this level of detail had never before been consolidated so nicely in a single place; and secondly, because one of the authors is an old friend of mine, Fotios Chantzis (AKA ithilgore).


The reason it took me so long to write about it is that I had to study it, and it's quite extensive, including several hands-on exercises and even VMs to run them on! It's a large book (464 pages long) but it doesn't fill that space with unnecessary information. It's a book that can take anyone without any prior knowledge of IoT hacking and raise them to a level where they'd feel comfortable debugging hardware devices, understanding the most common exploitation avenues, and having a solid foundation in the most frequently used protocols and standards.


Table of contents

Part One: The IoT Threat Landscape
Chapter 1: The IoT Security World
Chapter 2: Threat Modeling
Chapter 3: A Security Testing Methodology

Part Two: Network Hacking
Chapter 4: Network Assessments
Chapter 5: Analyzing Network Protocols
Chapter 6: Exploiting Zero-configuration Networking

Part Three: Hardware Hacking
Chapter 7: UART, JTAG, and SWD Exploitation
Chapter 8: Hacking SPI and I2C
Chapter 9: Firmware Hacking

Part Four: Radio Hacking
Chapter 10: Short Range Radio: Abusing RFID
Chapter 11: Bluetooth Low Energy
Chapter 12: Medium Range Radio: Hacking Wi-Fi
Chapter 13: Long Range Radio: LPWAN

Part Five: Targeting the IoT Ecosystem
Chapter 14: Attacking Mobile Applications
Chapter 15: Hacking the Smart Home

Appendix A: Tools for IoT Hacking


If you are an experienced IoT security researcher you might find some of the content too basic, since the book assumes the reader has no prior experience with this field. However, even for experienced IoT hackers there are lots of in-depth details that you might not be aware of.

Now, if you are not that experienced but are interested in this subject, then this is the best resource currently available to get you from zero knowledge to a competent IoT security researcher.

I have known F. Chantzis for almost two decades now, and from the day he started working on this I was certain the end result would be a world-class book. Just to be clear, I am not discrediting the other authors and contributors; I'm just saying that, knowing Fotis, I had no doubt he wouldn't let anything below perfect be released with his name attached to it.

To summarize, this is the most complete IoT hacking book for taking someone with no knowledge of the domain, or even a seasoned professional, and elevating them to a level where they won't just feel comfortable performing IoT security research but will also have all the required skills to do so.

Written by xorl

March 29, 2021 at 13:51

Posted in books

Why tasking is important in a threat intelligence team (using NSA’s UTT as example)

Following the theme of my previous posts, I have published an educational video that goes through the well-known PRISM slidedeck from the NSA. That slidedeck has tons of useful information for anyone working in threat intelligence, but I'd like to focus on one area only, to keep this blog post quick and comprehensive. I want to focus on the Unified Targeting Tool (UTT) that was mentioned and explained there.

What I liked about UTT was its pure focus on tasking (meaning assigning intelligence tasks such as collection, exploitation, etc. when the information is not readily available to analysts), something we tend to ignore in the private sector. The job of your analysts isn't to go out and chat with cyber-criminals, create sock puppet accounts, negotiate with vendors, etc.; it is to use all the available information to build intelligence. The above operations are part of tasking & collection.

Here is a screenshot of the UTT slide I reconstructed for my video. In summary, what it says is that the analyst uses UTT to fill in a web form with the information they need from PRISM (but for the sake of this blog post assume your own threat intelligence data lake). UTT then had two paths: one for searching the records it already had, and the other for searching for near-realtime information (AKA surveillance). This distinction is CRUCIAL in tasking, as intelligence gathering is usually not as time-sensitive as surveillance. It then ran a series of checks (like whether the target is a U.S. citizen) and, if the information wasn't available, the FBI was tasked to go to the relevant companies, collect that data, and feed it back into PRISM.

Now, if I had to redesign this for a private entity, I would do something like what you see below. Having a solid tasking process for threat intelligence is extremely beneficial for the entire intelligence function. But before going there, what I drew is basically this: first, someone needs to review the analyst(s)' request in case they are trying to access something they are not allowed to. Then, if it's something you already have, you pass it on; if it isn't, you open a ticket for your collectors to find it. If it's a near-realtime (AKA surveillance) request, then you need to create the equivalent tracking rules and alerts. The great part is that most of this can be automated with the modern TIP and SOAR solutions out there.

So what's the value of a concrete tasking process (ideally accompanied by a tool like UTT)? Here it is:

  • Provides visibility on what analysts are interested in (AKA helps develop/improve PIRs)
  • Helps identify the best vendors/sources to focus on
  • Creates/maintains alerting only for threats the analysts care about
  • Ensures analysts cannot just “read everything” which could result in serious privacy violations
  • Helps prioritize intelligence collection and technical requirements
  • Removes the need for analysts to get familiar with all the tools/vendors used (which also change over time)
  • Can help deduplicate work when multiple identical requests are issued
  • Analysts use their time to do analysis, not collection
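The tasking flow described above (review the request, serve from existing records or open a collector ticket, create a tracking rule for near-realtime requests) and the deduplication and privacy points from the list, written out as a small UTT-style router. This is an added example for this post; it is not code from the original post, from the NSA's UTT, or from any TIP/SOAR product. The analyst names, the per-analyst allowed selector types, the in-memory `records` store standing in for a threat intelligence data lake, and the `COLLECT-n` ticket scheme are all constructed for illustration.

```python
"""Minimal UTT-style tasking router for a threat intelligence team (added example,
not part of the original post). Everything in here is constructed: the analyst
names, the allowed selector types, the records store and the ticket numbering."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set
import hashlib


class Mode(Enum):
    RECORDS = "records"              # search what the team already holds
    SURVEILLANCE = "surveillance"    # near-realtime tracking: create an alert rule


@dataclass(frozen=True)
class Request:
    analyst: str
    selector_type: str    # e.g. "domain", "ip", "email", "person"
    selector: str
    mode: Mode
    justification: str    # free text tying the request to a PIR


@dataclass
class Outcome:
    status: str                       # denied | served | tasked | duplicate | alert_created
    detail: str = ""
    ticket: Optional[str] = None
    hits: List[str] = field(default_factory=list)


class TaskingRouter:
    def __init__(self, records: Dict[str, Dict[str, List[str]]], allowed_types: Dict[str, Set[str]]):
        self.records = records                 # selector_type -> {selector: [hits]} (constructed data lake)
        self.allowed_types = allowed_types     # analyst -> selector types they are cleared to task
        self.open_tickets: Dict[str, str] = {} # dedup key -> open collector ticket
        self.alert_rules: Dict[str, dict] = {} # dedup key -> tracking rule
        self.audit: List[tuple] = []           # every decision is recorded, served or not
        self._seq = 0

    @staticmethod
    def _key(req: Request) -> str:
        # Same selector + same mode => same task, regardless of who asked or how they worded it.
        raw = f"{req.selector_type}|{req.selector.lower()}|{req.mode.value}"
        return hashlib.sha256(raw.encode()).hexdigest()[:12]

    def submit(self, req: Request) -> Outcome:
        out = self._route(req)
        self.audit.append((req.analyst, req.selector_type, req.mode.value, out.status))
        return out

    def _route(self, req: Request) -> Outcome:
        # 1. Review: an analyst may only task selector types they are cleared for,
        #    and every request must carry a justification (this is the privacy gate).
        if req.selector_type not in self.allowed_types.get(req.analyst, set()):
            return Outcome("denied", f"{req.analyst} may not task {req.selector_type} selectors")
        if not req.justification.strip():
            return Outcome("denied", "tasking requires a justification tied to a PIR")
        key = self._key(req)
        # 2. Surveillance path: create a tracking rule, or reuse the one that already exists.
        if req.mode is Mode.SURVEILLANCE:
            if key in self.alert_rules:
                return Outcome("duplicate", f"alert rule {key} already exists")
            self.alert_rules[key] = {"type": req.selector_type, "value": req.selector.lower(), "notify": req.analyst}
            return Outcome("alert_created", key)
        # 3. Records path: serve from what is already held...
        hits = self.records.get(req.selector_type, {}).get(req.selector.lower(), [])
        if hits:
            return Outcome("served", hits=list(hits))
        # 4. ...otherwise task the collectors, deduplicating identical open requests.
        if key in self.open_tickets:
            return Outcome("duplicate", ticket=self.open_tickets[key])
        self._seq += 1
        ticket = f"COLLECT-{self._seq}"
        self.open_tickets[key] = ticket
        return Outcome("tasked", ticket=ticket)

    def collector_delivers(self, ticket: str, selector_type: str, selector: str, hits: List[str]) -> None:
        # Collector closes the ticket and feeds the data back into the records store.
        self.records.setdefault(selector_type, {}).setdefault(selector.lower(), []).extend(hits)
        self.open_tickets = {k: v for k, v in self.open_tickets.items() if v != ticket}

    def ingest(self, selector_type: str, value: str) -> List[str]:
        # Near-realtime path: match a fresh observation against tracking rules,
        # return the analysts to notify (nothing is stored for analysts who never asked).
        return [r["notify"] for r in self.alert_rules.values()
                if r["type"] == selector_type and r["value"] == value.lower()]
```

The deduplication key deliberately excludes the analyst and the justification, so two analysts asking for the same selector in the same mode share one collector ticket or one alert rule; the audit list still records who asked, which is what feeds PIR development and the privacy review.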

Written by xorl

February 1, 2021 at 15:50

Passive collection of satellite traffic for threat intelligence

At Black Hat USA 2020 there was an interesting talk, Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks, which touched on a cyber intelligence collection method that became popular in the early 2010s.

In October 2020 I published an educational video showing how DFS, Japan's military signals intelligence agency, was taking its first steps in exactly this space: using traditional SIGINT (eavesdropping on satellite broadcasts) to detect cyber threats. Japan's DFS did this in close collaboration with the NSA, since their satellite SIGINT stations were operated jointly by both agencies. I published that video because it was a unique opportunity to see the early stages (in 2011-2013) of a SIGINT agency using its skillset and resources to adapt to the rising domain of cyber threats. This is a photo of the MALLARD station in Japan, which was (is?) jointly operated by DFS and the NSA for satellite SIGINT collection.

And the following slide (from my reconstruction of the slidedeck) shows the process DFS was following to take advantage of this new intelligence source. To simplify this for the average reader: think of J6 as your cybersecurity department, DFS as your threat intelligence team(s), CIRO as the leadership of your threat intelligence team(s), MOD as your company's leadership, and SIGINT collection as eavesdropping on internet traffic from satellites that are broadcasting it back to earth.

Some of the challenges DFS faced back then were not knowing which communication satellites/frequencies/channels to monitor (the NSA was helping by providing details on that), and also that handling the volume of broadcast data in near real-time meant their processing and storage requirements skyrocketed. Nowadays another challenge would be that some parts of the internet (like web traffic) are mostly encrypted, but this Black Hat USA talk surfaced an interesting area that I'm sure threat intelligence companies will be considering, which is: why not replicate in the private sector what signals intelligence agencies have been doing for more than a decade now?

By that I mean monitoring/receiving satellite broadcasts (AKA passive SIGINT collection) and looking for indicators and warnings of cyber operations, e.g. C2 traffic, spear-phishing campaigns, exploitation of certain vulnerabilities, etc. Now, this brings a ton of ethical and legal considerations, such as: Is it illegal if you are just "listening"? Most email traffic is still unencrypted; is that the same as people talking in the public domain? What happens if you start processing sensitive personal information? etc.

On the technical side, there are also some interesting challenges and opportunities, such as: would there be a need for a private-sector XKeyscore-style utility for "selectors", or will industry technologies like Sigma rules and YARA cover those needs? Also, some cloud providers now offer satellite ground stations as a service. Does this mean that setting up a global SIGINT collection network is trivial, or is there still a need for company-owned resources?

In any case, I find it interesting that the private sector is catching up on this, and I'm very curious to see what it is going to bring to the threat intelligence industry.

Written by xorl

January 26, 2021 at 12:36

On attribution: APT28, APT29…Turla: No, they are NOT the same

Earlier today someone forwarded me (outside of work) a threat intelligence "report" (quotes because it was far from being a finished product) that recommended that people impacted by any of those three nation-state actors should be told "Russia is targeting your organization". I found this assessment dangerously wrong and inaccurate, so let me explain why; maybe my post will help others avoid similar oversimplifications.

I cannot reference classified attribution intelligence products, but one of the most reputable public sources is Välisluureamet, Estonia's foreign intelligence service. In its 2018 unclassified report, Välisluureamet attributed those groups to specific organizations within the Russian Federation government. So, for the sake of this blog post, let's assume that this is accurate.

Why is it dangerously wrong to communicate that being targeted by APT28, APT29 or Turla is "Russia targeting you" rather than naming the specific actor? Simply because they are significantly different organizations, with different modus operandi, different objectives, and different TTPs. This means that your threat model will be entirely different if you want to be protected against APT28 versus Turla or APT29. To be more precise…

APT28 (GRU’s 6th Directorate/Military Intelligence)
A military intelligence agency is usually after intelligence of military value. Specifically, this agency has shown that it is one of the most active actors in cyber, with massive resources but not extremely sophisticated. Of course, when there are big geopolitical events, military research, investigations into Russian military activities, or military exercises, they will be around, and they will go after any connected systems that can get them military intelligence that could benefit the Russian Federation and its allies. They have been seen using all intelligence disciplines, without any noticeable preference for cyber over other means of collection.

APT29 (SVR/Foreign Intelligence)
This is Russia's equivalent of the CIA and, just like the CIA, their cyber operations are typically more targeted and less about bulk collection. On numerous occasions they have been seen conducting close-access operations, and their objectives typically relate to political and economic information: for example, finding dirt to recruit someone as an SVR agent, or finding out the details of a commercial agreement or research that could benefit the Russian state or its allies. They are less in the SIGINT and more in the HUMINT space, so they are more likely to recruit an insider to get them what they want than to perform an extremely sophisticated cyber operation.

Turla (FSB’s 16th Center/Signals Intelligence)
Turla is the equivalent of the NSA's Signals Intelligence Directorate (SID) and, because of that, they are one of the most sophisticated cyber actors out there, operating at a level similar to that of the NSA, including bulk collection. This means they collect intelligence for a variety of agencies, both for Russia and for Russia's allies under various agreements. So their target space is massive and they are the most advanced cyber operators of the Russian government. They are a massive organization whose sole purpose is SIGINT. So if you are targeted by Turla, expect some very advanced and complex cyber operations. Also, being targeted by Turla doesn't necessarily mean that Russia is targeting you; they could be executing an intelligence collection agreement for an ally of Russia that lacks such cyber intelligence collection capabilities, similarly to what the NSA's SID and other large SIGINT agencies do.

And this is why oversimplifying any of the above actors in a threat intelligence product to simply "Russia is after you" is dangerous for the cyber security departments/customers that have to develop defensive controls to protect their assets.

If you are unsure about the attribution, it's better to stay away from attributing at all until you have sufficient evidence, and instead focus on the lower-level indicators and warnings you can share to help defenders take action: for example, what you observed in terms of TTPs or even IOCs. It's better to share high-confidence intelligence than "it's the Russians", which has zero practical application for developing protections without more context that helps in understanding motivations and intentions.

The same applies if you are a briefer delivering those threat intelligence products: choose your words wisely. Finally, do not forget that some of those agencies collaborate on certain projects, including sharing some software tools, libraries and TTPs (typically through lessons-learned sessions and internal policies).

Hopefully that clears it up…

Written by xorl

January 25, 2021 at 10:59

DeepINTEL 2020

On 18 November 2020 I got the opportunity to present at DeepINTEL, an Austria-based TLP:AMBER conference on intelligence. Because of that I cannot say much about it, but I'll try to share some insights without exposing any sensitive information.

At DeepINTEL 2020 my presentation was about GEOINT, based on some cases I worked on throughout 2020 while supporting a few investigative groups and organizations outside of my professional career. In addition, over the last 3 years I had completed several GEOINT trainings and certifications. So in that presentation I shared some real-world examples and practical techniques for GEOINT analysts. However, it was a TLP:AMBER talk, so I cannot share anything else in a public blog post.

This was my first time presenting at DeepINTEL and I was positively surprised by the level of professionalism, the skill level of the participants, and that rare atmosphere of active participation. DeepINTEL didn't have a large audience or dozens of tracks of talks, but everyone was actively participating with the goal of knowledge sharing in a quite open discussion. The organizers went to great lengths to ensure the privacy of everyone involved, and that was also reflected in all the participants.

If you are looking for a high-quality conference about intelligence that reminds you more of a community gathering than an industry event, then you'll love this one. Personally, I cannot wait for the next one! :)

Written by xorl

January 21, 2021 at 11:57