BIPI

IoT Security Assessments: Firmware, Network, and Hardware Attack Surfaces


How to systematically attack IoT devices — from firmware extraction and emulation to network protocol fuzzing and hardware debug interfaces.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 2, 2025 · 13 min read

#iot-security #firmware #uart #jtag #embedded-security

IoT devices are the soft underbelly of enterprise networks. They run outdated kernels, ship with default credentials, and rarely receive patches. A single compromised IP camera or smart thermostat can serve as a persistent foothold inside a segmented network.

Attack surface overview

  • Firmware: hardcoded credentials, outdated libraries, debug shells
  • Network interfaces: Telnet, SSH, HTTP admin panels, MQTT, CoAP, Zigbee
  • Hardware: UART console, JTAG/SWD debug ports, NAND/NOR flash chips
  • Mobile companion app: insecure API endpoints, hardcoded tokens
  • Cloud backend: unauthenticated endpoints, IDOR, mass assignment

Firmware acquisition

The fastest firmware extraction route is the vendor's own update server — download the OTA image, unzip, and run binwalk. If the update is encrypted, pivot to hardware extraction using a CH341A or flashcat programmer directly on the flash chip.

  1. Download firmware from vendor update URL or FCC ID database
  2. binwalk -e firmware.bin to extract filesystem
  3. If encrypted: identify flash chip, desolder or clip, read with CH341A
  4. strings + grep for passwords, keys, URLs, and version strings
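As an added example (not code from the original post or from BIPI's own toolset), a small Python audit that carries out step 4 over an extracted rootfs: it rates each /etc/passwd and /etc/shadow password field by its crypt(3) prefix, flags embedded PEM private keys, and collects hard-coded URLs. The sample rootfs it builds is constructed for the demo; the regex coverage and hash ratings are the example's own assumptions.

```python
import re, tempfile
from pathlib import Path
# crypt(3) hash prefixes, rated as an assessor would when triaging /etc/shadow.
HASH_ALGOS = {"$1$": "md5-crypt (weak)", "$5$": "sha256-crypt",
              "$6$": "sha512-crypt", "$y$": "yescrypt"}
PEM_RE = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./\-]*)?")

def classify_hash(field: str) -> str:
    """Rate one password field from an /etc/passwd or /etc/shadow entry."""
    if field == "":
        return "EMPTY (no password required)"
    if field in ("x", "*", "!", "!!"):
        return "locked or shadowed"
    for prefix, name in HASH_ALGOS.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13:  # traditional DES crypt: 2-char salt + 11-char hash
        return "des-crypt (weak)"
    return "unknown"

def audit_rootfs(root: str) -> dict:
    """Walk an extracted rootfs and collect account, private-key and URL findings."""
    base = Path(root)
    findings = {"accounts": [], "private_keys": [], "urls": set()}
    for name in ("etc/passwd", "etc/shadow"):
        p = base / name
        if p.is_file():
            for line in p.read_text(errors="replace").splitlines():
                parts = line.split(":")
                if len(parts) >= 2:
                    findings["accounts"].append((name, parts[0], classify_hash(parts[1])))
    for p in base.rglob("*"):
        if p.is_symlink() or not p.is_file():  # absolute symlinks would resolve on the host
            continue
        data = p.read_bytes()
        if PEM_RE.search(data):
            findings["private_keys"].append(str(p.relative_to(base)))
        findings["urls"].update(m.decode() for m in URL_RE.findall(data))
    return findings

def build_sample_rootfs() -> str:
    """Constructed demo rootfs (not from any real device) so the audit runs offline."""
    root = Path(tempfile.mkdtemp(prefix="fw_"))
    (root / "etc" / "config").mkdir(parents=True)
    (root / "etc" / "shadow").write_text(
        "root:$1$ab$czF4CpNDyC6dgSbyk/w7I0:0:0:99999:7:::\nadmin::0:0:99999:7:::\n")
    (root / "etc" / "config" / "cloud.conf").write_text("server=https://api.example-iot.test/v1/\n")
    (root / "etc" / "config" / "tls.key").write_text("-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n")
    return str(root)
```

Point audit_rootfs() at the directory binwalk -e produced (usually _firmware.bin.extracted/squashfs-root) to run it on a real image; the symlink skip matters there because BusyBox rootfs images are full of absolute symlinks.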

Firmware emulation with QEMU and Firmadyne

Firmadyne automates MIPS/ARM firmware emulation so you can interact with web interfaces and daemons without physical hardware. Many devices run BusyBox Linux — the shell surface is predictable.

UART console access

UART is the most common hardware debug interface on consumer IoT. Identify TX, RX, and GND pads using a multimeter (logic analyser for confirmation), connect a USB-to-UART adapter, and open a serial terminal at 115200 baud. Boot messages often reveal root shells without authentication.

  • Use a logic analyser or oscilloscope to confirm baud rate
  • screen /dev/ttyUSB0 115200 for quick access
  • Interrupt boot loader (U-Boot) to modify kernel parameters
  • Add init=/bin/sh to kernel args for single-user root shell

Network protocol fuzzing

CoAP, MQTT, and proprietary UDP protocols on IoT devices are rarely fuzz-tested by vendors. Boofuzz and custom Scapy scripts can uncover crashes that lead to RCE.

  • CVEs with UART/JTAG as root-cause vector: growing yearly
  • IoT devices still using Telnet in enterprise audits: 40%+
  • Average patch lag for IoT firmware CVEs: 180+ days

Every IoT device is a Linux computer with a web server and no patch cycle.

Remediation guidance

Segment IoT devices onto dedicated VLANs with strict egress filtering. Disable UART and JTAG interfaces in production via hardware fuse bits where possible. Require signed firmware updates with rollback protection.
