🔐 Awesome Connected Things Security Resources

A curated repository of IoT, Embedded, Industrial & Automotive, Core Tech security knowledge.

---

Table of Contents

• Hardware Attacks
  • Fundamentals
  • Interface Attacks
    • UART
    • JTAG
    • SWD (Serial Wire Debug)
    • SPI
    • I2C
    • TPM
  • Memory Extraction
    • eMMC
  • Side-Channel and Fault Injection
    • Fundamentals
    • Glitching Attacks
    • Power Analysis
• Wireless Protocols
  • RF Fundamentals
  • Bluetooth / BLE
    • Fundamentals
    • Exploitation Techniques
    • Vulnerability Research
    • Conference Talks
    • Tools - Software
    • Tools - Hardware
    • Tools
    • Hacking Bluetooth Coffee Machines
  • Zigbee / Z-Wave
    • Fundamentals
    • Exploitation
    • Tools - Software
    • Tools - Hardware
  • LoRa / LoRaWAN
    • Fundamentals
    • Exploitation
    • Tools
  • Matter / Thread
    • Fundamentals
    • Security Research
  • Cellular (GSM/LTE/5G)
    • Fundamentals
    • Exploitation
    • Tools
  • NFC/RFID
  • DECT (Digital Enhanced Cordless Telecommunications)
  • Wi-Fi
    • Protocol Vulnerabilities
    • Exploitation
    • Reverse Engineering WiFi
  • USB
  • UWB (Ultra-Wideband)
  • TETRA
• Firmware Security
  • Fundamentals
  • Extraction
  • Static Analysis Tools
  • Dynamic Analysis and Emulation
    • Emulation Tutorials
  • OTA Update Security
    • Fundamentals
    • Attack Vectors
  • RTOS Security
    • Zephyr RTOS
    • FreeRTOS
  • Reverse Engineering Tools
    • Reverse Engineering Tutorials
    • Ghidra Tutorials
  • Online Assemblers
  • ARM Exploitation
  • Binary Analysis
  • Secure Boot
    • Development
    • Bypasses
  • UEFI Security
  • Symlink Attacks
  • Router Firmware Analysis
  • Router Exploitation
    • Netgear Series
    • TP-Link Series
    • Cisco Series
  • Secure Boot Bypasses
• Network and Web Protocols
  • MQTT
    • Fundamentals
    • Security and Exploitation
    • Known CVEs
    • Tools
    • Applications
    • Malware Research
  • CoAP
    • Specifications and Security
    • Tools - Software
    • Tools - Hardware
    • Research and Tutorials
  • IoT Protocols Overview
• Cloud and Backend Security
  • AWS IoT Security
    • Fundamentals
    • Tools
    • Vulnerabilities
  • Firebase / Cloud Misconfigurations
• Mobile Application Security
  • Android
    • Android Kernel Exploitation
    • Android Scudo Allocator
  • iOS
• Industrial and Automotive
  • ICS/SCADA
  • Automotive Security
  • EV Chargers
• Payment Systems
  • ATM Hacking
  • Payment Village
• Tools
  • Hardware Tools
    • Multi-Purpose
    • Debug Adapters
    • RF/SDR
    • USB
    • Glitching
    • Flipper Zero
    • Hak5
  • Software Tools
    • Exploitation Frameworks
    • Firmware Analysis
  • Fuzzing Tools
    • Fundamentals
    • IoT-Specific Fuzzing
    • Tools
  • Pentesting Operating Systems
  • Search Engines
• Defensive Security
  • Threat Modeling
    • STRIDE Framework
    • IoT-Specific Threat Modeling
  • Secure Development
    • Guidelines and Standards
    • Hardening Guides
  • Incident Response
• Learning Resources
  • Training Platforms
  • Cheatsheets
  • Vulnerability Guides
  • Pentesting Guides
  • YouTube Channels
  • Books
    • Hardware Hacking
    • Firmware and Reverse Engineering
    • IoT Security
    • Wireless and RF
    • Embedded and Mobile
    • NFC/RFID
    • Industrial and General Security
    • White Papers and Reports
  • IoT Series
• Labs and CTFs
  • Vulnerable Applications
    • IoT
    • Router/Firmware
    • Hardware
    • Wireless
    • Industrial
    • VoIP
  • CTF Competitions
    • Hardware CTFs
    • IoT CTFs
    • Embedded/Firmware CTFs
    • ARM CTFs
  • Continuous Learning Platforms
  • Lab Setup
• Research and Community
  • Technical Research
  • Blogs
  • Community Platforms
  • Villages
  • Researchers to Follow
  • Device-Specific Research
    • Cameras
    • Smart Home Devices
    • Smart Speakers
    • Printers
    • Drones
    • Kitchen Appliances
    • NAS Devices
    • Game Consoles
    • Phones/Tablets
  • TrustZone and TEE Research
  • Pwn2Own Research
• Contributing
• License

Hardware Attacks

Fundamentals

• IoT Hardware Guide
• Intro to Hardware Hacking - Dumping Your First Firmware
• An Introduction to Hardware Hacking
• Hardware Toolkits for IoT Security Analysis
• Hardware Hacking for IoT Devices - Offensive IoT Exploitation

Interface Attacks

UART

• Identifying UART Interface
• Serial Terminal Basics
• Reverse Engineering Serial Ports
• Intro to Embedded RE: UART Discovery and Firmware Extraction via UBoot
• Using UART to Connect to a Chinese IP Cam
• A Journey into IoT Hardware Hacking: UART
• Accessing and Dumping Firmware Through UART
• UART Connections and Dynamic Analysis on Linksys e1000
• UARTBruteForcer
• UART Exploiter

JTAG

• Hardware Hacking 101: Introduction to JTAG
• How to Find the JTAG Interface
• Analyzing JTAG
• Bus Pirate JTAG Connections with OpenOCD
• Extracting Firmware from External Memory via JTAG
• The Hitchhacker's Guide to iPhone Lightning and JTAG Hacking
• Debugging AVR Microcontrollers Through JTAG

SWD (Serial Wire Debug)

• SWD Protocol Overview - HardBreak Wiki
• Unveiling Vulnerabilities: Exploring SWD Attack Surface in Hardware
• Introduction to ARM Serial Wire Debug Protocol
• Serial Wire Debug and CoreSight Architecture
• LibSWD - Serial Wire Debug Open Library
• Hardware Hacking and Exploitation Bootcamp - SWD

SPI

• Hardware Hacking 101: Identifying and Dumping eMMC Flash
• Dumping Firmware from Router Using Bus Pirate - SPI
• Extracting Flash Memory over SPI
• Extracting Firmware from Embedded Devices (SPI NOR Flash)
• How to Flash Chip of a Router with a Programmer
• TPM 2.0: Extracting Bitlocker Keys Through SPI

I2C

• IoT Security Part 16: Hardware Attack Surface I2C
• I2C Exploitation - HackTricks
• Non-invasive I2C Hardware Trojan Attack Vector (PDF)
• Hardware Hacking: I2C Injection with Bus Pirate
• Safeguarding SPI, I2C, and I3C Protocols

TPM

• Introduction to TPM (Trusted Platform Module)
• Trusted Platform Module Security Defeated in 30 Minutes

Memory Extraction

eMMC

• eMMC Protocol
• RPMB: A Secret Place Inside the eMMC
• eMMC Data Recovery from Damaged Smartphone
• Unleash Your Smart-Home Devices: Vacuum Cleaning Robot Hacking
• Hands-On IoT Hacking: Rapid7 at DEF CON 30

Side-Channel and Fault Injection

Fundamentals

• Side Channel Attacks - Yifan Lu
• Attacks on Implementations of Secure Systems
• Fuzzing, Binary Analysis, IoT Security Collection

Glitching Attacks

• NAND Glitching Attack on Wink Hub
• Voltage Glitching with Crowbars Tutorial
• Voltage Glitching Attack using iCEstick Glitcher
• FPGA Glitching and Side Channel Attacks - Samy Kamkar
• Hardware Power Glitch Attack - rhme2
• Keys in Flash - Glitching AES Keys from Arduino
• Implementing Practical Electrical Glitching Attacks
• How to Voltage Fault Injection
• Glitcher Part 1 - Reproducible Voltage Glitching on STM32 Microcontrollers
• STM32L05 Voltage Glitching

Power Analysis

• Breaking AES with ChipWhisperer
• ChipWhisperer Wiki
• Rowhammer Bit Flips to Steal Crypto Keys

Other Microcontrollers

• Dumping the Amlogic A113X Bootrom
• Retreading The AMLogic A113X TrustZone Exploit Process
• Reverse Engineering an Unknown Microcontroller
• Hacking Microcontroller Firmware Through a USB
• There's A Hole In Your SoC: Glitching The MediaTek BootROM

PCIe and DMA Attacks

• A Practical Tutorial on PCIe for Total Beginners on Windows - Part 1
• A Practical Tutorial on PCIe for Total Beginners on Windows - Part 2
• PCIe DMA Attack against a Secured Jetson Nano (CVE-2022-21819)

---

Wireless Protocols

RF Fundamentals

• Complete Course in Software Defined Radio - Michael Ossmann
• SDR Notes - Radio IoT Protocols Overview
• Understanding Radio
• Introduction to Software Defined Radio
• Introduction to GNU Radio Companion
• Creating a Flow Graph in GNU Radio Companion
• Analyzing Radio Signals 433MHz
• Recording Specific Radio Signals
• Replay Attacks with Raspberry Pi and rpitx
• Reverse Engineering a Car Key Fob Signal
• GRCON 2021 - Capture the Signal

Bluetooth / BLE

Fundamentals

• Awesome Bluetooth Security
• BLE-NullBlr: Step by Step Guide to BLE Understanding and Exploiting
• Traffic Engineering in a Bluetooth Piconet
• BLE Characteristics: A Beginner's Tutorial
• Intro to Bluetooth Low Energy (PDF)
• Bluetooth LE Security Study Guide
• Reverse Engineering BLE Devices
• My Journey Towards Reverse Engineering a Smart Band — Bluetooth-LE RE

Exploitation Techniques

• Intel Edison as Bluetooth LE Exploit Box
• Reverse Engineering and Exploiting a Smart Massager
• I Hacked MiBand 3
• GATTacking Bluetooth Smart Devices
• Examining the August Smart Lock
• Practical Introduction to BLE GATT Reverse Engineering
• MojoBox - Yet Another Not So Smartlock
• Bluetooth Smartlocks
• Bluetooth Beacon Vulnerability
• Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero
• Grand Theft Auto: A peek of BLE relay attack
• How I Hacked Smart Lights: CVE-2022-47758
• NFC Relay Attack on Tesla Model Y

Vulnerability Research

• Finding Bugs in Bluetooth
• Sweyntooth Vulnerabilities
• BrakTooth: Causing Havoc on Bluetooth Link Manager
• BLUFFS: Bluetooth Forward and Future Secrecy Attacks (CVE-2023-24023)
• AirDrop Leak - Sniffing BLE Traffic from Apple Devices
• BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
• BRAKTOOTH: Causing Havoc on Bluetooth Link Manager (PDF)
• Norec Attack: Stripping BLE encryption from Nordic's Library (CVE-2020-15509)

Conference Talks

• Blue2thprinting: WTF Am I Even Looking At?
• Open Wounds: Last 5 Years Have Left Bluetooth to Bleed
• Sniffing Bluetooth Through My Mask During the Pandemic

Tools - Software

• Bluing - Intelligence Gathering for Bluetooth
• BlueToolkit - Bluetooth Classic Vulnerability Testing
• btproxy
• hcitool and bluez
• Testing with GATT Tool
• crackle - Cracking BLE Encryption
• bettercap
• BtleJuice - Bluetooth Smart MITM Framework
• GATTacker
• BTLEjack - BLE Swiss Army Knife
• DEDSEC Bluetooth Exploit
• BrakTooth ESP32 PoC
• SweynTooth BLE Attacks
• ESP32 Bluetooth Classic Sniffer
• Bluetooth Hacking Collection

Tools - Hardware

• nRF52840 Dongle
• Ubertooth One
• CSR 4.0 Bluetooth Dongle
• ESP32
• Sena UD100
• ESP-WROVER-KIT

Tools

• ice9-bluetooth-sniffer
• InternalBlue - Bluetooth Experimentation Framework

Hacking Bluetooth Coffee Machines

• Hacking Bluetooth to Brew Coffee from Github Actions - Part 1
• Hacking Bluetooth to Brew Coffee from Github Actions - Part 2
• Hacking Bluetooth to Brew Coffee from Github Actions - Part 3

Zigbee / Z-Wave

Fundamentals

• Introduction and Protocol Overview
• ZigBee and Z-Wave Security Brief
• Hacking ZigBee Networks

Exploitation

• Hacking IoT Devices with Attify Zigbee Framework
• Zigator: Analyzing Security of Zigbee-Enabled Smart Homes
• Security Analysis of Zigbee with Zigator and GNU Radio
• Low-Cost ZigBee Selective Jamming

Tools - Software

• Killerbee
• ZigDiggity
• Zigator
• Z3sec
• zigbear

Tools - Hardware

• ApiMote
• RaspBee
• ATUSB IEEE 802.15.4 Adapter
• USRP

LoRa / LoRaWAN

• LoRaWAN Security Overview - Tektelic
• Security Vulnerabilities in LoRaWAN
• Low Powered and High Risk: Attacks on LoRaWAN Devices
• LAF - LoRaWAN Auditing Framework
• ChirpOTLE - LoRaWAN Security Framework

Fundamentals

• LoRaWAN Security Survey - ScienceDirect
• LoRaWAN - Wikipedia

Exploitation

• Millions of Devices Using LoRaWAN Exposed - SecurityWeek
• Do You Blindly Trust LoRaWAN Networks? - IOActive
• LoRaWAN Encryption Keys Easy to Crack - Threatpost
• LoPT: LoRa Penetration Testing Tool (PDF)

Tools

• LoRa Craft - Packet Interception
• Open Source LoRaWAN Hacking Tool
• LoRaWAN Hackaday Projects

Matter / Thread

Fundamentals

• Matter Standard - CSA-IoT
• Matter Protocol Wikipedia
• Matter Protocol Complete Guide 2025
• How to Secure Smart Home Devices with Matter
• Smart Home Device Solutions for Matter - DigiCert

Security Research

• Security Vulnerabilities and Attack Scenarios in Smart Home with Matter
• Trust Matters: Uncovering Vulnerabilities in Matter Protocol - Nozomi
• Matter over Thread Security
• State-of-the-Art Review on IoT Wireless PAN Protocol Security
• Matter Smart Home - Krasamo

Cellular (GSM/LTE/5G)

• Awesome Cellular Hacking
• Introduction to GSM Security
• Breaking LTE on Layer Two
• 5Ghoul - 5G NR Attacks and Fuzzing
• Exploiting CSN.1 Bugs in MediaTek Basebands
• SIM Hijacking
• SigPloit - Telecom Signaling Exploitation Framework
• LTE Sniffer

Fundamentals

• GSM Security Part 2
• What is Base Transceiver Station
• Introduction to SS7 Signaling
• SS7 Network Architecture
• Introduction to SIGTRAN

Exploitation

• How to Build Your Own Rogue GSM BTS
• GSM Vulnerabilities with USRP B200
• Security Testing 4G (LTE) Networks
• Case Study of SS7/SIGTRAN Assessment

Tools

• ss7MAPer - SS7 Pentesting Toolkit
• Fake BTS Detector (SCL-8521)

NFC/RFID

• Awesome RFID/NFC Security Talks
• RFID Discord Group
• SoK: Security of EMV Contactless Payment Systems

DECT (Digital Enhanced Cordless Telecommunications)

• Real Time Interception of DECT Cordless Telephone
• Eavesdropping on Unencrypted DECT Voice Traffic
• Decoding DECT Voice Traffic: In-depth Explanation

---

Wi-Fi

Protocol Vulnerabilities

• Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues
• Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects
• WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations
• Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks

Exploitation

• Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)
• Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 2)
• Over The Air: Exploiting The Wi-Fi Stack on Apple Devices
• Reverse-engineering Broadcom wireless chipsets
• Exploiting Qualcomm WLAN and Modem Over the Air
• Windows Wi-Fi Driver RCE Vulnerability – CVE-2024-30078
• When a Wi-Fi SSID Gives You Root on an MT02 Repeater - Part 1
• When a Wi-Fi SSID Gives You Root on an MT02 Repeater - Part 2

Reverse Engineering WiFi

• Reverse Engineering WiFi on RISC-V BL602
• Unveiling secrets of the ESP32: creating an open-source MAC Layer
• Unveiling secrets of the ESP32: reverse engineering RX

USB

• ALL ABOUT USB-C: INTRODUCTION FOR HACKERS
• Hi, My Name is Keyboard
• How to Weaponize the Yubikey

UWB (Ultra-Wideband)

• UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice

TETRA

• All cops are broadcasting: TETRA under scrutiny

---

Firmware Security

Fundamentals

• Introduction to Firmware Analysis - OWASP
• OWASP Firmware Security Testing Methodology
• IoT Security Verification Standard (ISVS)
• Reversing 101
• Hands-on Firmware Extraction, Exploration, and Emulation

Extraction

• Router Analysis Part 1: UART Discovery and SPI Flash Extraction
• Hardware Hacking Tutorial: Dumping and Reversing Firmware
• Firmware Samples - firmware.center
• BasicFUN Series: Hardware Analysis / SPI Flash Extraction
• BasicFUN Series: Reverse Engineering Firmware / Reflashing SPI Flash
• Retrofitting encrypted firmware is a Bad Idea

Static Analysis Tools

• EMBA - Embedded Linux Firmware Analyzer
• FACT - Firmware Analysis and Comparison Tool
• Binwalk v3
• Firmwalker
• fwanalyzer
• fwhunt-scan - UEFI Firmware Analysis
• ByteSweep
• QueryX - Static Taint Tracking
• FirmGraph
• BINSEC
• unblob - Extraction Framework
• fchk - Security Checks for Firmware
• Checksec.sh
• Firmware Modification Kit

Dynamic Analysis and Emulation

• Firmadyne - Automated Firmware Emulation
• FirmAE - Firmware Analysis and Emulation
• QEMU
• PANDA - Architecture-Neutral Dynamic Analysis
• Avatar2 - Dynamic Firmware Analysis
• Renode - Embedded Systems Emulator
• Unicorn Engine - CPU Emulator
• Qiling Framework
• HALucinator
• FirmWire - Baseband Firmware Emulation
• SymQEMU
• S2E - Selective Symbolic Execution
• Bochs - x86 Emulator
• SAME70 Emulator
• Emulate Until You Make it

Emulation Tutorials

• Firmware Emulation with QEMU
• Emulating ARM Router Firmware - Azeria Labs
• Emulating IoT Firmware Made Easy
• IoT Binary Analysis and Emulation Part 1
• Cross Debugging for ARM/MIPS with QEMU
• QEMU + Buildroot 101
• Simulating and Hunting Firmware Vulnerabilities with Qiling
• Qiling and Binary Emulation for Automatic Unpacking
• Debugging D-Link: Emulating Firmware and Hacking Hardware
• Adaptive Emulation Framework for Multi-Architecture IoT
• Automatic Firmware Emulation through Invalidity-guided Knowledge Inference
• Emulating RH850 architecture with Unicorn Engine
• Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing
• Challenges and Pitfalls while Emulating Six Current Icelandic Household Routers
• My Emulation Goes to the Moon... Until False Flag
• How to Emulate Android Native Libraries Using Qiling

OTA Update Security

Fundamentals

• IoT Firmware Security and Update Mechanisms
• Implementing OTA Updates for IoT Devices
• Secure OTA Boot Chains and Firmware Verification
• The Key to Firmware Security in Connected IoT Devices
• Security Considerations for OTA Updates - Stack Overflow

Attack Vectors

• Top 10 IoT Vulnerabilities - OTA Update Attacks
• Updating IoT Devices 2025: Best Practices
• Review of IoT Firmware Vulnerabilities and Auditing Techniques
• Secure OTA Firmware Update Mechanism (PDF)

RTOS Security

Zephyr RTOS

• Zephyr RTOS GitHub
• Zephyr Vulnerabilities List
• NCC Group Zephyr and MCUboot Security Assessment
• 26 Flaws in Zephyr and MCUboot
• Tackling Security in Zephyr RTOS
• Enhancing Security with Zephyr RTOS

FreeRTOS

• FreeRTOS 13 Vulnerabilities in TCP/IP Stack
• Exploiting Memory Corruption in FreeRTOS - ShmooCon
• RTOS Security Analysis - USENIX
• Dynamic Vulnerability Patching for RTOS
• AWS FreeRTOS Vulnerabilities

Reverse Engineering Tools

• Ghidra
• IDA Pro
• Radare2
• Cutter - GUI for Radare2
• Binary Ninja
• GDB
• RetDec - Decompiler
• Diaphora - Binary Diffing
• Angr - Binary Analysis
• Frida - Dynamic Instrumentation
• Ret-sync
• OllyDbg
• x64dbg
• Hopper
• Immunity Debugger
• PEiD
• Ghidriff - Ghidra Binary Diffing Engine
• The rev.ng decompiler goes open source
• Intro to Cutter
• pyghidra-mcp: Headless Ghidra MCP Server
• Mindshare: Using Binary Ninja API to Detect Potential Use-after-free Vulnerabilities

Reverse Engineering Tutorials

• Reverse Engineering and Patching with Ghidra
• Reverse Engineering with Ghidra: Breaking Firmware Encryption
• Reversing Firmware with Radare
• Reversing ESP8266 Firmware
• Automating Binary Vulnerability Discovery with Ghidra and Semgrep
• Finding Bugs in Netgear Router

Ghidra Tutorials

• Debugger Ghidra Class
• Ghidra 101: Cursor Text Highlighting
• Ghidra 101: Decoding Stack Strings
• Extending Ghidra Part 1: Setting up a Development Environment
• Expanding the Dragon: Adding an ISA to Ghidra
• Ghidra nanoMIPS ISA module
• Binary type inference in Ghidra
• Writing a Ghidra processor module

Online Assemblers

• AZM Online ARM Assembler - Azeria Labs
• Online Disassembler
• Compiler Explorer

ARM Exploitation

• Azeria Labs ARM Tutorials
• ARM Exploitation for IoT
• Damn Vulnerable ARM Router (DVAR)
• Exploit Education
• A Guide to ARM64 / AArch64 Assembly on Linux
• ARMv8 AArch64/ARM64 Full Beginner's Assembly Tutorial
• A Noobs Guide to ARM Exploitation
• ARM64 Reversing And Exploitation Series (8ksec) - Parts 1-10
• AArch64 memory and paging
• We are ARMed no more ROPpery Here

Binary Analysis

• Practical Binary Analysis

Secure Boot

Development

• Writing a Bootloader

Bypasses

• Pwn the ESP32 Secure Boot
• Pwn ESP32 Forever: Flash Encryption and Secure Boot Keys Extraction
• ESP32 Secure Boot Bypass (CVE-2020-13629)
• Amlogic S905 SoC: Bypassing Secure Boot
• Defeating Secure Boot with Symlink Attacks
• PS4 Secure Boot Hacking - Fail0verflow
• Dell BIOS Vulnerabilities - BIOSDisconnect
• U-Boot USB DFU Vulnerability (CVE-2022-2347)
• Breaking Secure Boot on Silicon Labs Gecko

UEFI Security

• Using Symbolic Execution to Detect UEFI Vulnerabilities
• HP Enterprise UEFI Vulnerabilities
• Emulating and Exploiting UEFI Firmware
• The Dark Side of UEFI: A technical Deep-Dive into Cross-Silicon Exploitation
• Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution
• PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack
• For Science! - Using an Unimpressive Bug in EDK II
• Hydroph0bia: SecureBoot bypass for Insyde H2O

---

Symlink Attacks

• Zip Slip Vulnerability

---

Router Firmware Analysis

• A Journey into IoT: Discover Components and Ports
• A Journey into IoT: Firmware Dump and Analysis
• A Journey into IoT: Radio Communications
• A Journey into IoT: Internal Communications
• Dynamic Analysis of Firmware Components in IoT Devices
• RV130X Firmware Analysis
• TP-Link Firmware Decryption C210 V2 cloud camera bootloaders

Router Exploitation

• Hunting for Unauthenticated n-days in Asus Routers
• Pulling MikroTik into the Limelight
• Exploiting MikroTik RouterOS Hardware with CVE-2023-30799
• Rooting Xiaomi WiFi Routers
• Route to Safety: Navigating Router Pitfalls
• ROPing our way to RCE
• ROPing Routers from scratch: Tenda Ac8v4
• PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers
• Puckungfu 2: Another NETGEAR WAN Command Injection
• Reversing, Discovering, And Exploiting A TP-Link Router Vulnerability — CVE-2024–54887
• Exploiting Zero-Day (CVE-2025–9961) Vulnerability in the TP-Link AX10 Router
• FiberGateway GR241AG - Full Exploit Chain
• Blackbox-Fuzzing of IoT Devices Using the Router TL-WR902AC
• Rooting the TP-Link Tapo C200 Rev.5

Netgear Series

• Netgear Orbi: Introduction, UART Access, Recon
• Netgear Orbi: Crashes in SOAP-API
• Netgear Orbi: NDay Exploit CVE-2020-27861
• The Last Breath of Our Netgear RAX30 Bugs

TP-Link Series

• TP-Link TDDP Buffer Overflow Vulnerability
• Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750
• TP-Link Tapo c200 Camera Unauthenticated RCE (CVE-2021-4045)

Cisco Series

• Patch Diffing a Cisco RV110W Firmware Update - Part 1
• CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM
• Flashback Connects - Cisco RV340 SSL VPN RCE

Secure Boot Bypasses

• Bypassing Secure Boot using Fault Injection
• Breaking Secure Boot on Google Nest Hub (2nd Gen)
• Booting into Breaches: Hunting Windows SecureBoot's Remote Attack Surfaces

Network and Web Protocols

MQTT

• Introduction to MQTT
• MQTT Broker Security 101
• Hacking the IoT with MQTT
• IoT Security: RCE in MQTT Protocol
• IoXY - MQTT Intercepting Proxy
• MQTT-PWN

Fundamentals

• Understanding the MQTT Protocol Packet Structure

Security and Exploitation

• Are Smart Homes Vulnerable to Hacking?
• Penetration Testing Sesame Smart Door Lock
• Servisnet Tessa - MQTT Credentials Dump (Metasploit)
• Eclipse Mosquitto Unquoted Service Path

Known CVEs

• CVE-2020-13849 - DoS vulnerability (CVSS 7.5)
• CVE-2023-3028 - Insufficient authentication (CVSS 9.8)
• CVE-2021-0229 - Resource consumption (CVSS 5.3)
• CVE-2019-5432 - Malformed packet crash (CVSS 7.5)

Tools

• Mosquitto - Open Source MQTT Broker
• HiveMQ
• MQTT Explorer
• Nmap MQTT Library
• Seven Best MQTT Client Tools

Applications

• Using IoT MQTT for V2V and Connected Cars
• MQTT Hardware Development Projects
• 100,000 Connected Cars with Kubernetes, Kafka, MQTT, TensorFlow
• Authenticating Devices Using MQTT with Auth0
• Deep Learning UDF for MQTT IoT Anomaly Detection
• Guide to MQTT: Hacking a Doorbell

Malware Research

• WailingCrab Malware Using MQTT for C2
• Alert: New WailingCrab Malware Loader
• MQTT on Snapcraft

CoAP

• IETF Security Protocol Comparison
• RFC 8613 - OSCORE
• Radware - CoAP Protocol Overview

Specifications and Security

• EMQX on CoAP and IoT Security (2024)
• RFC 8323 - CoAP over TCP
• RFC 8824 - SCHC Header Compression

Tools - Software

• CoAP NSE (Nmap)
• Copper - Firefox CoAP Plugin
• libcoap CLI Tools
• Scapy CoAP Plugin
• Eclipse Californium (Java)
• Peach Fuzzer

Tools - Hardware

• Raspberry Pi / Arduino + 6LoWPAN
• Zolertia
• OpenMote
• Nordic Boards

Research and Tutorials

• SpectralOps - Top IoT Protocol Security Issues
• IoT Pentest Lab Setup Guide (2025)
• CoAP Exposure Study (2024)

IoT Protocols Overview

• IoT Protocols Overview
• IoT Attack Surface - OWASP
• IoT Architecture

---

• Attacking IoT Devices from Web Perspective
• Awesome Industrial Protocols

Cloud and Backend Security

AWS IoT Security

• AWS Penetration Testing Policy
• AWS Pentesting Guide - HackerOne
• A few notes on AWS Nitro Enclaves
• Pacu - AWS Exploitation Framework
• ScoutSuite - Multi-cloud Security Auditing
• Prowler - Cloud Security Assessment

---

Fundamentals

• Comprehensive AWS Pentesting Guide - BreachLock
• AWS Pentest Methodology - MorattiSec
• AWS Penetration Testing Methodology - Rootshell
• AWS Penetration Testing Techniques 2025

Tools

• CloudFox - Cloud Attack Paths
• S3Scanner - Leaky Bucket Discovery
• Cloudfoxable Labs
• AWS Security Pentesting Resources

Vulnerabilities

• 7 Best AWS Pentesting Tools 2026
• PayloadsAllTheThings - AWS Pentest

Firebase / Cloud Misconfigurations

• Firebase Security Rules Testing
• Misconfigured Firebase Databases

---

Mobile Application Security

Android

• Android App Reverse Engineering 101
• Android Application Pentesting Book
• Android Pentest Video Course - TutorialsPoint
• Android Tamer
• Android Hacker's Handbook
• A first look at Android 14 forensics
• Deobfuscating Android ARM64 strings with Ghidra
• Introduction to Fuzzing Android Native Components
• Hacking Android Games
• Intercepting HTTPS Communication in Flutter

Android Kernel Exploitation

• Android Kernel Exploitation
• Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938
• Attacking the Android kernel using the Qualcomm TrustZone
• Driving forward in Android drivers
• Analyzing a Modern In-the-wild Android Exploit
• Exploiting Android's Hardened Memory Allocator
• GPUAF - Two ways of Rooting All Qualcomm based Android phones
• The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit
• Qualcomm DSP Kernel Internals
• Binder Fuzzing

Android Scudo Allocator

• Android: Scudo
• Behind the Shield: Unmasking Scudo's Defenses
• scudo Hardened Allocator — Unofficial Internals Documentation

iOS

• iOS Pentesting Guide
• OWASP Mobile Security Testing Guide

---

• An iOS hacker tries Android
• Analyzing IOS Kernel Panic Logs
• Blasting Past iOS 18
• Emulating an iPhone in QEMU
• First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200)
• Exploring UNIX pipes for iOS kernel exploit primitives

Industrial and Automotive

ICS/SCADA

• ICS Village
• ICS Discord Group
• Controlthings.io Platform
• Applied Cyber Security and the Smart Grid
• Deep Lateral Movement in OT Networks
• Hacking ICS Historians: The Pivot Point from IT to OT
• OPC UA Deep Dive Series - Parts 1-5
• Inside a New OT/IoT Cyberweapon: IOCONTROL
• Attention, High Voltage: Exploring the Attack Surface of the Rockwell Automation PowerMonitor 1000

Automotive Security

• Awesome Vehicle Security
• Car Hacking Village
• Jeep Hack
• Subaru Head Unit Jailbreak
• Car Hacking Practical Guide 101

---

• CAN Injection: keyless car theft
• How I Hacked my Car Series - Parts 1-6
• How I Also Hacked my Car
• Extracting Secure Onboard Communication (SecOC) keys from a 2021 Toyota RAV4 Prime
• Recovering an ECU firmware using disassembler and branches
• Automotive Memory Protection Units: Uncovering Hidden Vulnerabilities

EV Chargers

• A Detailed Look at Pwn2own Automotive EV Charger Hardware
• Pwn2Own Automotive 2024: Hacking the ChargePoint Home Flex
• Reverse engineering an EV charger

---

Payment Systems

ATM Hacking

• Introduction to ATM Penetration Testing
• Pwning ATMs for Fun and Profit
• Jackpotting ATMs Redux - Barnaby Jack
• Root Shell on Credit Card Terminal

---

Payment Village

• Payment Village

---

Tools

Hardware Tools

• Bus Pirate
• Bus Pirate 5: The Swiss ARRRmy Knife of Hardware Hacking
• The Shikra
• Attify Badge
• Flipper Zero
• HackRF
• RTL-SDR
• An In-Depth Look at the ICE-V Wireless FPGA Development Board

Multi-Purpose

• Logic Analyzer - Saleae
• JTAGulator
• EEPROM Reader/SOIC Cable

Debug Adapters

• ST-Link
• Segger J-Link
• FTDI-based Adapters
• Black Magic Probe

RF/SDR

USB

• FaceDancer21
• RfCat

Glitching

Flipper Zero

Hak5

• Hak5 Field Kits

Software Tools

• Expliot Framework
• RouterSploit
• HomePwn
• Firmware Analysis Toolkit (FAT)
• Shambles: The Next-Generation IoT Reverse Engineering Tool

Exploitation Frameworks

• IoTSecFuzz
• PENIOT
• ISF - Industrial Security Framework
• HAL - Hardware Analyzer
• PRET - Printer Exploitation Toolkit

Firmware Analysis

• Samsung Firmware Magic

Fuzzing Tools

• The art of Fuzzing: Introduction
• A LibAFL Introductory Workshop
• The Blitz Tutorial Lab on Fuzzing with AFL++
• State of Linux Snapshot Fuzzing
• Fuzzing between the lines in popular barcode software
• Boofuzz
• Syzkaller - Kernel Fuzzer
• parking-game-fuzzer

Fundamentals

• OWASP Fuzzing Info
• Fuzz Testing of Application Reliability
• FuzzingPaper Collection
• Google Fuzzing Forum

IoT-Specific Fuzzing

• Fuzzing ICS Protocols
• Fuzzowski - Network Protocol Fuzzer
• FIRM-AFL: High-Throughput IoT Firmware Fuzzing
• Snipuzz: Black-box Fuzzing of IoT Firmware
• Fuzzing IoT Binaries Part 1
• Fuzzing IoT Binaries Part 2
• Awesome Embedded Fuzzing

Tools

• AFL Training Exercises
• Frankenstein - Broadcom/Cypress Firmware Emulation for Fuzzing
• Dr. Memory

Pentesting Operating Systems

• AttifyOS
• IoT Penetration Testing OS v1
• EmbedOS
• Sigint OS - LTE IMSI Catcher
• Instant GNU Radio OS
• Dragon OS - SDR Software
• Skywave Linux - SDR
• Zephyr RTOS
• Ubuntu LTS

Search Engines

• Shodan
• Censys
• ZoomEye
• BinaryEdge
• Thingful
• Wigle
• Hunter.io
• BuiltWith
• NetDB
• Recon-ng
• PublicWWW
• FCC ID Database

---

Defensive Security

Threat Modeling

• STRIDE Threat Model Guide - Practical DevSecOps
• OWASP Threat Modeling Process
• STRIDE-based Threat Modeling for IoT Precision Agriculture

STRIDE Framework

• What is STRIDE in Threat Modeling - Security Compass
• Threat Modeling with ATT&CK - MITRE
• What is Threat Modeling - Fortinet

IoT-Specific Threat Modeling

• STRIDE Threat Modeling for IoT Smart Home
• STRIDE Threat Modeling for Smart Solar Energy Systems
• STRIDE Threat Modeling for IoT Healthcare Systems
• STRIDE for IoT Agriculture - IEEE

Secure Development

• OWASP IoT Top 10
• ETSI EN 303 645 - IoT Security Standard
• Compiler Options Hardening Guide for C and C++
• Linux Hardening Guide
• Docker Security – Step-by-Step Hardening
• How To Secure A Linux Server

---

Guidelines and Standards

• NIST IoT Cybersecurity Framework

Hardening Guides

• IoT Device Hardening Best Practices
• Embedded Linux Hardening
• Zephyr RTOS Security Features

Incident Response

• IoT Forensics and Incident Response
• Embedded Device Forensics

---

Learning Resources

Training Platforms

• OpenSecurityTraining2
• cryptopals

Cheatsheets

• Hardware Hacking Cheatsheet
• Nmap Tutorial
• Pentest Hardware Handbook
• THC's favourite Tips, Tricks & Hacks
• Cross Cache Attack CheetSheet

Vulnerability Guides

• OWASP IoT Top 10 2018 Mapping
• Reflecting on OWASP IoT Top 10
• CVE North Stars
• IoT Vulnerabilities with CVE and PoC
• Linux Privilege Escalation

Pentesting Guides

• Shodan Pentesting Guide
• Modern Vulnerability Research on Embedded Systems
• Awesome Embedded Systems Vulnerability Research

YouTube Channels

• Joe Grand
• LiveOverflow
• Binary Adventure
• EEVBlog
• Craig Smith
• IoTSecurity101
• Besim ALTINOK
• Ghidra Ninja
• Cyber Gibbons
• Scanline
• Aaron Christophel
• Valerio Di Giampietro
• Gamozo Labs - Printer Hacking

Books

Hardware Hacking

• The Hardware Hacking Handbook - Jasper van Woudenberg & Colin O'Flynn (2021)
• Practical Hardware Pentesting - Jean-Georges Valle (2021)
• Practical Hardware Pentesting 2nd Edition (2023)
• Hardware Hacking: Have Fun While Voiding Your Warranty - Joe Grand (2004)
• Hacking the Xbox - Andrew "bunnie" Huang (2013)
• The Art of PCB Reverse Engineering - Keng Tiong (2015)
• Manual PCB-RE: The Essentials - Keng Tiong (2021)
• Hardware Security Training, Hands-on! (2023)
• Hardware Security: Challenges and Solutions (2025)
• Mastering Hardware Hacking (2025)
• Ultimate Hardware Hacking Gear Guide
• Microcontroller Exploits (2024)

Firmware and Reverse Engineering

• The Firmware Handbook - Jack Ganssle (2004)
• Learning Linux Binary Analysis - Ryan O'Neill (2016)
• Fuzzing Against the Machine (2023)
• Ghidra Software Reverse Engineering 2nd Edition (2025)
• The Definitive Handbook on Reverse Engineering Tools (2025)

IoT Security

• Abusing the Internet of Things - Nitesh Dhanjani (2015)
• IoT Penetration Testing Cookbook - Aaron Guzman & Aditya Gupta (2017)
• Practical IoT Hacking: The Definitive Guide (2021)
• PatrIoT: Practical and Agile Threat Research for IoT (2022)

---

Wireless and RF

• Inside Radio: An Attack and Defense Guide - Qing Yang, Lin Huang (2018)
• Hack the Airwaves: Advanced BLE Exploitation (2023)

Embedded and Mobile

• Linksys WRT54G Ultimate Hacking - Paul Asadoorian (2007)

NFC/RFID

• Near Field Communication (NFC): From Theory to Practice (2012)
• Security Issues in Mobile NFC Devices - Michael Roland (2024)

Industrial and General Security

• Gray Hat Hacking 5th Edition (2018)
• Black Hat Python 2nd Edition (2021)

White Papers and Reports

• IOActive: State of Silicon Chip Hacking 2025

---

IoT Series

• IoT Series I-IV
• Intro to Embedded RE Series

Labs and CTFs

Vulnerable Applications

• DVID - Damn Vulnerable IoT Device
• IoTGoat - Vulnerable OpenWrt Firmware
• IoT-vulhub
• DVRF - Damn Vulnerable Router Firmware
• BLE CTF
• Microcorruption
• ARM-X CTF

IoT

Router/Firmware

Hardware

• Hardware Hacking 101
• Damn Vulnerable Safe
• Sticky Fingers DV-Pi

Wireless

Industrial

• Damn Vulnerable Chemical Process
• Damn Vulnerable SS7 Network

VoIP

• Hacklab VulnVoIP

CTF Competitions

• RHme Series (2015-2017)
• IoT Village CTF

---

Hardware CTFs

• RHme-2016
• RHme-2017

IoT CTFs

• IoTSec CTF

Embedded/Firmware CTFs

• Emulate to Exploitate

ARM CTFs

• Azeria Labs ARM Challenges

Continuous Learning Platforms

• Hack The Box
• Root Me
• Pwnable.kr
• CTFtime

Lab Setup

• IoT Lab Setup Guide
• Router Analysis Toolkit
• Webthings Gateway - Raspberry Pi

---

Research and Community

Technical Research

• Dropcam Hacking
• LED Light Hacking
• PS4 Jailbreak Status
• Lenovo Watch X Privacy Issues
• Smart Scale Privacy Issues
• Besder IP Camera Security Analysis
• Smart Lock Vulnerabilities

Blogs

• Team82 Research
• Voidstarsec
• wrongbaud
• Firmware Analysis
• Exploitee.rs
• Payatu Blog
• Raelize Blog
• JCJC Dev
• W00tsec
• Devttys0
• Embedded Bits
• Keenlab
• Courk.cc
• IoT Security Wiki
• Cybergibbons
• Firmware.RE
• K3170makan
• Tclaverie
• Besimaltinok
• Ctrlu
• IoT Pentest
• Duo Decipher
• Sp3ctr3
• 0x42424242
• Dantheiotman
• Danman
• Quentinkaiser
• Quarkslab
• Ice9
• F-Secure Labs
• MG.lol
• CJHackerz
• Bunnie's Blog
• Synacktiv Publications
• Cr4.sh
• Ktln2
• Naehrdine
• Limited Results
• Fail0verflow
• Exploit Security
• Attify Blog
• Jilles.com
• Syss Tech Blog
• HardBreak Wiki
• 8ksec
• Starlabs
• boschko.ca
• 0xtriboulet
• Nozomi Networks

Community Platforms

• IoTSecurity101 Telegram
• IoTSecurity101 Reddit
• IoTSecurity101 Discord
• Hardware Hacking Telegram

Villages

• IoT Village
• RF Hackers

---

Researchers to Follow

• Jilles
• Joe Fitz
• Aseem Jakhar
• Cybergibbons
• Jasper
• Dave Jones
• bunnie
• Ilya Shaposhnikov
• Mark C.
• Aaron Guzman
• Yashin Mehaboobe
• Arun Magesh
• Mr-IoT
• QKaiser
• 9lyph

---

Device-Specific Research

Cameras

• ARLO: I'M WATCHING YOU
• Hacking a Tapo TC60 Camera
• Rooting a Hive Camera
• Pwn2Own: Synology BC500 IP Camera
• Turning Camera Surveillance on its Axis
• Pwn2Own Ireland 2024 – Ubiquiti AI Bullet

Smart Home Devices

• Hacking a Smart Home Device
• The Silent Spy Among Us: Smart Intercom Attacks
• Pwnassistant - Home Assistant RCE
• Hacking Sonoff Smart Home IoT Device

Smart Speakers

• Turning Google smart speakers into wiretaps for $100k
• Smart Speaker Shenanigans: Making the Sonos ONE Sing its Secrets
• Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
• Streaming Zero-Fi Shells to Your Smart Speaker

Printers

• Pwning a Brother labelmaker, for fun and interop!
• lexmark printer haxx
• Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw
• Print Scan Hacks: Brother devices

Drones

• DJI Mavic 3 Drone Research: Firmware Analysis
• DJI Mavic 3 Drone Research: Vulnerability Analysis
• DJI - The ART of obfuscation
• Local Privilege Escalation on the DJI RM500 Smart Controller

Kitchen Appliances

• Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5

NAS Devices

• A Pain in the NAS: Synology DS920+ Edition
• Weekend Destroyer - RCE in Western Digital PR4100 NAS
• Exploiting the Synology TC500 at Pwn2Own Ireland 2024

Game Consoles

• Hacking the Nintendo DSi Browser
• mast1c0re: Exploiting the PS4 and PS5 through a game save
• Being Overlord on the Steam Deck with 1 Byte
• Hacking the XBox 360 Hypervisor

Phones/Tablets

• Pixel 6 Bootloader Series
• Solo: A Pixel 6 Pro Story
• Gaining kernel code execution on an MTE-enabled Pixel 8
• Bypassing MTE with CVE-2025-0072
• Debugging the Pixel 8 kernel via KGDB
• A First Glimpse of the Starlink User Terminal
• Diving into Starlink's User Terminal Firmware

TrustZone and TEE Research

• ARM TrustZone: pivoting to the secure world
• TEE Reversing
• A Deep Dive into Samsung's TrustZone - Parts 1-3
• Researching Xiaomi's TEE
• Kinibi TEE: Trusted Application Exploitation
• Reversing Samsung's H-Arx Hypervisor Framework
• EL3vated Privileges: Glitching Google WiFi Pro from Root to EL3

Pwn2Own Research

• Your not so "Home Office" - SOHO Hacking at Pwn2Own
• Pwn2Own Toronto 2023 Series - Parts 1-5
• Pwn2Own: WAN-to-LAN Exploit Showcase

---

Contributing

Contributions welcome. Submit a PR with new resources following the existing structure.

License

This collection is provided for educational and research purposes.