IoT Exploitation Masterclass: Hardware & RF Hacking - Smriti Gaba & Yianna Paris - DCSG2026
Name of Training: IoT Exploitation Masterclass: Hardware & RF Hacking
Trainer(s): Smriti Gaba and Yianna Paris
Dates: April 26-27, 2026
Time: TBD
Venue: Marina Bay Sands
Early Bird Cost (GST included): $2,558 USD / equivalent to $3,300 SGD
Early bird price valid until February 8, 2026.
Short Summary:
Uncover the IoT attack surface through hands-on hardware exploitation and RF hacking using a custom vulnerable IoT device. Students will learn to identify vulnerabilities, from PCB component analysis to wireless protocols, performing practical attacks including firmware extraction and analysis, debug interface exploitation, and RF-based replay and injection attacks.
Course Description:
This 2-day course provides comprehensive hands-on training in IoT security exploitation using a purpose-built vulnerable embedded system. Students progress from hardware-level techniques (PCB component analysis, attack surface mapping, UART/JTAG debugging, firmware extraction, analysis and modification, and an understanding of secure boot, with an overview of advanced attacks such as fault injection) to RF hacking fundamentals covering RFID attacks, protocol analysis, replay attacks, and wireless exploitation.
Each student receives a custom IoT security testing board featuring multiple vulnerabilities across hardware interfaces, firmware, and wireless communications. Through practical labs based on real-world attack scenarios, participants learn how attackers compromise IoT ecosystems at various layers: extracting hardcoded credentials, manipulating firmware, intercepting wireless communications, and chaining exploits for complete device takeover. The course demonstrates actual vulnerability patterns from commercial IoT devices, showing not just how to perform attacks but why these flaws exist, their impact on device security, user privacy, and wireless communication. By bridging hardware and RF security disciplines, this training equips security professionals, penetration testers, and product teams with the skills needed to assess and defend today's connected device infrastructure.
Course Outline:
Day 1: Hardware Hacking fundamentals
Morning session
1. Introduction and lab setup
- Intro and course overview
- Details on the target board and setup instructions (everything is prepared before the training to minimise time spent on setup and configuration)
- Mission: what we’ll exploit over 2 days (Agenda)
- Verification of setup and environment configuration.
2. IoT Architecture & Attack surface mapping
- Understanding IoT device components and security boundaries.
- Methodology, building strategy
- Identifying assets and mapping attack surface
- PCB component analysis and identifying security relevant components
- Information gathering, schematics and datasheets
- Useful tools (multimeters, logic analyzers, FTDI adapters, etc.)
Exercise 1: Identifying components on the victim board.
3. Debug Interfaces
- Introduction to debug interfaces and types
- Security concerns and attack paths
a. UART:
- Identifying UART pinouts using multimeter and logic analyzer
- Baud rate detection techniques
- Connecting to debug consoles and U-Boot
- Extracting sensitive info from boot logs (Boot log analysis)
- Real-world UART attack scenarios and how they lead to shell access
Exercise 2: Identifying UART pins and pinout on target board
Exercise 3: Gaining root shell access via UART
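The baud rate detection step listed above can be automated from a logic-analyzer capture. The script below is an added illustration, not part of the course material or the trainers' lab kit: on an idle-high UART line the shortest gap between two level transitions is one bit period, so inverting it gives the raw bit rate, which is then snapped to the nearest standard baud. The capture it analyses is constructed in software (8N1 frames of the bytes "U-Boot>" at an assumed 24 MHz sample rate) rather than recorded from the target board; the list of standard rates, the 5% tolerance and the two-sample glitch filter are assumptions.

```python
"""Estimate a UART baud rate from a logic-analyzer capture.

Technique (the usual manual method, automated): the shortest interval
between two level transitions is one bit period, because a lone 0 or 1
bit cannot be shorter than that.  1 / period is the raw bit rate, which
is snapped to the nearest standard baud.  The capture used here is
constructed in software, not recorded from a device.
"""
from typing import List, Optional

# Common asynchronous rates; 74880 is included because ESP8266 boot ROMs use it.
STANDARD_BAUDS = [1200, 2400, 4800, 9600, 19200, 38400, 57600, 74880,
                  115200, 230400, 460800, 921600]


def edge_times_from_samples(samples: List[int], sample_rate_hz: float,
                            min_pulse_samples: int = 2) -> List[float]:
    """Timestamps (seconds) of level changes.  A change is only accepted if
    the new level holds for min_pulse_samples, which drops one-sample
    glitches from a flaky probe contact."""
    edges = []
    level = samples[0]
    i, n = 1, len(samples)
    while i < n:
        if samples[i] == level:
            i += 1
            continue
        run_end = i
        while run_end < n and samples[run_end] == samples[i] and run_end - i < min_pulse_samples:
            run_end += 1
        if run_end - i >= min_pulse_samples:
            edges.append(i / sample_rate_hz)
            level = samples[i]
            i += 1
        else:
            i = run_end  # glitch: skip it without recording an edge
    return edges


def shortest_interval(edge_times: List[float]) -> float:
    """Shortest gap between consecutive edges, i.e. one bit period."""
    if len(edge_times) < 2:
        raise ValueError("need at least two edges; capture more traffic")
    return min(b - a for a, b in zip(edge_times, edge_times[1:]))


def snap_to_standard_baud(raw_baud: float, tolerance: float = 0.05) -> Optional[int]:
    """Nearest standard rate, or None if the estimate is more than 5% off
    every one (non-UART signal, wrong sample rate, or a capture with no
    isolated single bit, e.g. only 0x00/0xFF bytes)."""
    best = min(STANDARD_BAUDS, key=lambda b: abs(b - raw_baud))
    return best if abs(best - raw_baud) / best <= tolerance else None


def detect_baud(samples: List[int], sample_rate_hz: float) -> Optional[int]:
    edges = edge_times_from_samples(samples, sample_rate_hz)
    return snap_to_standard_baud(1.0 / shortest_interval(edges))


def uart_8n1_samples(data: bytes, sample_rate_hz: float, baud: int,
                     idle_bits: int = 4) -> List[int]:
    """Constructed capture: 8N1 frames (start bit 0, 8 data bits LSB first,
    stop bit 1) separated by idle-high gaps, sampled at sample_rate_hz."""
    per_bit = int(round(sample_rate_hz / baud))
    bits = [1] * idle_bits
    for byte in data:
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1] * (1 + idle_bits)
    samples: List[int] = []
    for bit in bits:
        samples.extend([bit] * per_bit)
    return samples


if __name__ == "__main__":
    # 'U' (0x55) has alternating bits, so the capture contains single-bit pulses.
    capture = uart_8n1_samples(b"U-Boot>", sample_rate_hz=24e6, baud=115200)
    capture[1000] ^= 1  # inject a one-sample glitch; the filter removes it
    print("detected baud:", detect_baud(capture, 24e6))
```

To use it on real data, export the UART channel from your analyzer software as a 0/1 sample stream and pass it with the capture's sample rate. Capture while the device is printing text (a boot banner is ideal): if every captured byte is 0x00 or 0xFF there is no isolated bit, the estimate comes out too low and the function returns None rather than a wrong rate.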
b. JTAG:
- Introduction to JTAG and SWD protocols
- Security concerns and attack paths
- JTAG pin identification and boundary scan
- Connecting debuggers (OpenOCD, J-Link)
- Reading/writing memory and registers
- Getting to know GDB important commands
- Firmware dumping via debug interfaces
Exercise 4: JTAG interface discovery and connection
Exercise 5: Extracting firmware via JTAG/SWD
Afternoon session
1. Firmware extraction techniques
- Intro to flash memories (NAND, NOR, eMMC) and their interface protocols (SPI, I2C)
- Different types of programmers and tools for flash dumping and reprogramming
- Chip identification and pinout discovery
Exercise 6: Extracting firmware from SPI flash chip
2. Firmware analysis and Reverse engineering
- Understanding firmware formats and file systems
- Using binwalk for firmware unpacking
- Analyzing file system contents (squashfs, jffs2, ubifs)
- Basic static analysis of binaries using Ghidra
- Finding hardcoded credentials, other sensitive information
- Identifying vulnerable services and backdoors
- Analyzing update mechanisms
Exercise 7: Unpacking and analyzing firmware
Exercise 8: Finding hidden credentials and backdoors
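Exercises 7 and 8, and the Day 2 item on extracting wireless credentials from firmware, come down to sweeping an unpacked root filesystem for secrets and backdoor indicators. The scanner below is an added example, not the course's own tooling: it reports password hashes and empty passwords in /etc/passwd and /etc/shadow, PEM private keys, Wi-Fi PSKs in wpa_supplicant configs, secret-looking variable assignments in scripts, configs and binary strings, and telnetd or dropbear launched from init scripts. The root filesystem it scans is constructed in a temporary directory; the file names, the fake hash and the regex patterns are assumptions, not taken from any real device.

```python
"""Triage an unpacked firmware root filesystem for hardcoded secrets and
backdoor indicators.  The sample rootfs is constructed in a temp dir; it
is not vendor firmware.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    path: str    # path inside the firmware rootfs
    kind: str
    detail: str


PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
PSK_RE = re.compile(r'^\s*psk\s*=\s*"?([^"\s]+)', re.M)
# VAR=value where VAR smells like a secret; works on shell, ini and strings in binaries.
SECRET_ASSIGN_RE = re.compile(
    r"""^\s*(?:export\s+)?([A-Za-z_]\w*(?:pass|pwd|secret|token)\w*)\s*=\s*["']?([^"'\s#]+)""",
    re.I | re.M)
# Uncommented init-script line that starts a debug shell service.
DEBUG_SVC_RE = re.compile(r"^(?!\s*#)(.*\b(?:u?telnetd|dropbear)\b.*)$", re.M)


def scan_account_file(rel: str, text: str, findings: List[Finding]) -> None:
    """passwd/shadow: field 2 is the hash.  'x' means shadowed, '*' or '!'
    lock the account, an empty field means no password, anything else is
    a hash worth cracking."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(Finding(rel, "empty-password", f"{user} can log in without a password"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append(Finding(rel, "password-hash", f"{user}:{pw}"))


def scan_rootfs(root: str) -> List[Finding]:
    """Walk an extracted rootfs (e.g. binwalk's squashfs-root) and collect findings."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = "/" + os.path.relpath(full, root)
            try:
                with open(full, "rb") as f:
                    data = f.read(1 << 20)  # first 1 MiB is enough for triage
            except OSError:
                continue
            text = data.decode("utf-8", errors="ignore")  # binaries become strings-like text
            if rel in ("/etc/passwd", "/etc/shadow"):
                scan_account_file(rel, text, findings)
            pem = PEM_RE.search(text)
            if pem:
                findings.append(Finding(rel, "private-key", pem.group(0)))
            for m in PSK_RE.finditer(text):
                findings.append(Finding(rel, "wifi-psk", m.group(1)))
            if rel.startswith(("/etc/init.d/", "/etc/rc")):
                for m in DEBUG_SVC_RE.finditer(text):
                    findings.append(Finding(rel, "debug-service", m.group(1).strip()))
            for m in SECRET_ASSIGN_RE.finditer(text):
                findings.append(Finding(rel, "hardcoded-secret", f"{m.group(1)}={m.group(2)}"))
    return sorted(findings, key=lambda f: (f.path, f.kind))


def build_sample_rootfs(root: str) -> None:
    """Constructed rootfs containing one instance of each flaw the scanner knows."""
    files = {
        "etc/passwd": "root:$1$xyz$ConstructedFakeHash0000000:0:0:root:/root:/bin/sh\n"
                      "admin::0:0::/:/bin/sh\n"
                      "nobody:x:99:99::/:/bin/false\n",
        "etc/shadow": "nobody:*:19000:0:99999:7:::\n",
        "etc/init.d/rcS": "#!/bin/sh\n# telnetd is for factory use only\n"
                          "/usr/sbin/telnetd -l /bin/sh &\n",
        "etc/wpa_supplicant.conf": 'network={\n    ssid="factory-ap"\n    psk="constructed-psk-123"\n}\n',
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n"
                              "-----END RSA PRIVATE KEY-----\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    # Fake ELF with a cloud token in its string table, found without running strings.
    bin_path = os.path.join(root, "usr/bin/cloud_agent")
    os.makedirs(os.path.dirname(bin_path), exist_ok=True)
    with open(bin_path, "wb") as f:
        f.write(b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24 + b"\nCLOUD_API_TOKEN=tok_constructed_1234\n")


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        return scan_rootfs(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:17} {f.path}: {f.detail}")
```

Point scan_rootfs at the directory binwalk extracted (typically a squashfs-root folder) to use it on real firmware. It is a first pass only: hashes it reports still need cracking, and a hit in a binary tells you where to start in Ghidra, not what the code does with the value.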
3. Firmware modification and reprogramming
- Modifying extracted firmware images
- Adding backdoors and persistent mechanisms
- Repackaging and flashing modified firmware
Exercise 9: Modifying firmware to add a backdoor
Exercise 10: Reflashing modified firmware to device
Summary and Key takeaways of Day 1
Day 2: Wireless communication and RF fundamentals
Morning session
1. Secure boot and protection bypass techniques
- Understanding secure boot mechanism
- Bypassing secure boot techniques
- Basic introduction to fault injection and other sophisticated hardware attacks
- Demo videos and examples
- Real world examples of fault injection attacks and secure boot bypass
2. Introduction to wireless interfaces
- Overview of wireless protocols in IoT: BLE, WiFi, Zigbee, LoRa
- Common wireless security mistakes
- Extracting wireless credentials from firmware
- BLE security mechanisms and common weaknesses
- Using basic BLE tools (bluetoothctl, nRF Connect)
- BLE device enumeration and characteristic reading
Exercise 11: Scanning and connecting to BLE devices with simple commands
3. Hardware security real world case studies
- Commercial device vulnerability examples:
- UAV Drones vulnerabilities
- UART exposed on IP cameras
- Attack chain examples showing progression from hardware to network compromise
- Discussion session
Afternoon session
1. RF Basics for IoT Security
- Radio frequency spectrum and common IoT frequencies
- Basic concepts: frequency, amplitude, modulation
- Wireless attack surface in IoT devices
- Video Demo/walkthrough: Signal capture, analysis, and replay attack on an IoT device
2. RFID Technology Deep Dive
- RFID technology overview (125 kHz LF, 13.56 MHz HF)
- Common RFID applications: access control, transit cards, hotel keys
- Security vulnerabilities and attack vectors
- Live Demo 1: Reading and cloning access cards
- Live Demo 2: Emulating cloned cards for access
- Tools: Proxmark3, Flipper Zero demonstration
Interactive Activity: Students read their own RFID cards/badges, then discuss what information is exposed and what to recommend.
3. Discussion, remaining topics, Q&A
Summary and key takeaways; thank-you note
Difficulty Level:
Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Suggested Prerequisites:
- Basic understanding of electronics concepts (voltage, current, digital logic)
- Familiarity with Linux command line
- Basic networking knowledge (TCP/IP, common protocols)
- Understanding of programming/scripting fundamentals (Python preferred)
- Ability to read datasheets and technical documentation
Recommended Experience:
- Prior exposure to embedded systems or IoT devices
- Familiarity with wireless protocols (WiFi, Bluetooth) at a conceptual level
Pre-Work:
- Review basic RF concepts (frequencies, modulation)
- Optional: Familiarize yourself with tools like Binwalk, Wireshark, URH
What Students Should Bring:
Laptop with the following specifications:
- OS: Linux (Ubuntu 22.04+ recommended), Windows 10/11 with WSL2, or macOS
- Minimum: 16GB RAM, 50GB free disk space
- USB 3.0 ports (at least 2)
- Administrator/root access for tool installation
- Virtualization enabled in BIOS (for VM-based labs)
Recommended:
- USB hub (for multiple hardware devices)
- Notepad and pen for taking notes
- Multimeter (if you have one - not required, extras will be available)
What the Trainer Will Provide:
Each student receives a comprehensive hardware kit to keep:
- Custom IoT security testing board (vulnerable target device with multiple attack vectors)
- USB-to-UART adapter (CH340/FTDI)
- Logic analyzer
- Basic jumper wire set
- SPI flash programmer and Pomona clip
Shared resources (available during training):
- HackRF One and Pluto SDR software-defined radios (for demonstrations)
- Proxmark3 and Flipper Zero (for demonstrations)
- Additional specialized RF equipment
- Backup hardware components
Digital materials:
- Comprehensive lab manual and slides with step-by-step instructions
- Virtual machine images with pre-configured tools
- Reference firmware samples and code examples
- Video recordings of key demonstrations
- Cheat sheets and reference guides
Trainer(s) Bio:
Smriti is a Senior Security Researcher at Alpitronic, one of the world's leading EV charger manufacturers, where she enhances product security and drives secure design practices for next-generation charging infrastructure. With over 6 years of specialized experience in hardware hacking, IoT security, embedded systems, automotive security, and RF exploitation, she has conducted security evaluations on diverse embedded targets including drones, routers, RF-based smart meters, IoT ecosystems, automotive ECUs, and 5G communication systems. As a technical lead, Smriti has developed and delivered multiple trainings in the hardware security domain at beginner, intermediate, and advanced levels for both internal teams and external customers.
Yianna is a security researcher and technical lead with a background in software engineering, breaking systems across various technical layers. She currently works as a Senior Offensive Security Consultant at Xebia in the Netherlands, where she focuses on hunting vulnerabilities, integrating product security within engineering teams, and securing physical hardware and cloud infrastructure. Radio turned from interest to professional focus when she was introduced to tracking aircraft in Australia using ADS-B, a variety of SDRs, and decoding digital signals from audio to GPS coordinates. She likes to sniff out problems, assessing and securing networks by digging deeper into radio devices such as security cameras, drones, printers, and agricultural robotics. Using this experience, Yianna has developed custom trainings on key topics like reconnaissance, secure code review, reverse engineering firmware, and web, hardware and wireless exploitation.
Registration Terms and Conditions:
Trainings are refundable before March 27, 2026, minus a non-refundable processing fee of $250.
Between March 27, 2026 and April 21, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after April 21, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.