Back to the articles
Your Resource Directory for IoT Security
Table of contents
Updated with new resources: 16th April 2024
It is quite difficult to find good content if you are interested in this niche. That’s why we wanted to share with you our directory, which we collected to serve as a small library for IoT Security professionals and enthusiasts.
No matter whether you enjoy reading, watching, or listening, you will find some great options here to learn from numerous talented professionals.
Books
- Aditya Gupta: The IoT Hacker’s Handbook - With its comprehensible format and engaging style, this book provides a practical introduction to IoT security, covering many topics, from hardware hacking through firmware exploitation to attacking Zigbee networks.
- Vijay Kumar Velu: Mastering Kali Linux for Advanced Penetration Testing - Kali Linux is the de facto standard toolbox for security professionals, so getting familiar with tools like Nmap, Wireshark, Metasploit or Burp Suite is essential for anyone interested in hacking.
- Fotios Chantzis: Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things - A book that focuses on understanding the risks of IoT devices and on how to build a testing methodology targeting the whole IoT ecosystem, including hardware, network and radio hacking.
- Dennis Andriesse: Practical Binary Analysis - This book fills a gap in the literature by focusing on the techniques, tools, and mindset you need specifically for binary analysis, starting from the basics of disassembly and binary formats, through more advanced topics like binary instrumentation, dynamic taint analysis, and symbolic execution.
- Jon Erickson: Hacking: The Art of Exploitation - Yes, we know that this is not the most up-to-date one, but it fits the “old but gold” category perfectly. It explains the spirit of hacking through some basic techniques and offers a starting point with knowledge anyone can expand upon.
- Bruce Dang: Practical Reverse Engineering - If you already have a good understanding of how programs are generally written, executed, and debugged, this book will help you to explore the program’s execution environment, focusing on x86, x64, and ARM, but also discussing Windows Kernel basics.
- Peter Kim: The Hacker Playbook: Practical Guide to Penetration Testing - Although this is a more generic, less IoT specific one, it is actually a series of 3 books, so altogether gives quite a detailed guidance.
- Maria Markstedter: Blue Fox: ARM Assembly Internals and Reverse Engineering. Maria has an extensive background in this topic, this book is a great one to gain a better understanding.
Online Learning Resources
- Simply Cyber - Some cool lists, and cheat sheets here by Gerald Auger. He also hosts daily live videos on Youtube, has his own discord community, and is also active on LinkedIn.
- BugBountyHunter - Although it is not too focused on IoT, you can still find good tools, and concepts here. Their tool list is especially useful.
- Open Security Training 2 - They start from the basics and go way beyond that. One of the best teaching materials for reverse engineering.
- SANS - They offer an IoT specific pentester course, SEC556. It is quite comprehensive, as it covers skills to identify, assess, and exploit basic and complex security mechanisms in IoT devices. Comes with a higher price tag as well.
- CompTIA - Offering education and certification as well. More generic, and not really IoT-specific, so we would recommend it if your first want to learn the basics - let’s say for pentesting. We have seen recommendations popping up in communities. The Youtube channel of Professor Messer includes tonnes of videos, prepping you for the exams, and explaining the material.
- Pentest Magazine Courses - They offer a variety of security related courses, most of them available for a single purchase, and in the range of 200-400 dollars. The one for IoT security stands out to be linked here. There are also a a few other, industry-specific ones, like for automotive, or industrial IoT.
Podcasts
News Podcasts
To listen to while preparing for the day, or commuting.
- CyberWire Daily (Spotify | Apple - Daily news podcast to get your specialized news feed.
- Cyber Security Headlines (Spotify | Apple) - A short, few minutes recap every day in the morning about recent events.
- CISO Series (Spotify | Apple) - A podcast that often brings topics around security professionals and security vendors. Light and entertaining, even while discussing more serious topics.
Security and Hacking-Focused Podcasts
- Smashing Security (Spotify | Apple) - The show discusses the latest cybercrime acts, new ways of hacking, and privacy questions. Hosted by Graham Cluly and Carole Theriault.
- 7 minute security (Spotify | Apple) - Produced by 7 minute Security, a security service provider specializing in assessment and pentesting. As you can guess, this means the podcast is more focused on actual pentesting.
- Darknet Diaries (Spotify | Apple) - They are telling the stories as they should be - in full thriller mode. You have to raise your hat for the great mood, and images that they draw for each story, building a truly unique brand. Each episode is an interview about a specific topic/hack/malware, etc.
- Security Weekly - (Website) Actually, this includes several threads, eg. business security, application security, enterprise security, etc. This is one of our favorites, discussing firmware hacking. Part of the SC Media family.
- Below the Surface (Apple) - A quite new series, launched in 2023. It is fully focused on the state of supply chain security. This is the only one we found that is truly focused on firmware. The series is part of the SC media family.
- Security Now (Website | Apple) - Part of the “This Week in Technology” content family. Each episode discusses a series of mini-topics, including news, regulations, hacking practices, and more.
- CyberWire Word Notes (Spotify | Apple) - Each episode discusses just one word in a few minutes. Perfect for some light education while commuting.
- CyberWire-X (Website)- Half editorial, half sponsored. The first half is dedicated to a topic, and the second half is usually an interview with a sponsor. Although it is paid, still a good show to hear about new tech.
Security Trends & Compliance
These podcasts focus more on security at a higher level in companies. Lots of CISO-focused content, as well as security challenges on organizational levels.
YouTube Channels
- John Hammond - 10-30 minute long videos of each topic. John understands infotainment, his videos are easy-to-consume and funny. We had a cool collaboration with him, we gave him our tool, and watched in horror as he tried to use it in dark mode.
- LiveOverflow - 10-15 min videos about hacking tips, concepts, and cybersec challenges.
- HackerSploit - Quite detailed deep dives into topics, expect longer videos, sometimes over an hour.
- The Cyber Mentor - Explainer videos where he goes through each step with screenshare. Gaining massive popularity because he is easy to follow.
- OpenSecurityTraining2 - This is your go-to YT channel if you want to learn reverse engineering.
- Low Level Learning - Good videos about embedded stuff. We love every episode.
- Matt Brown - Small channel, but quite unique content. He is fully dedicated to IoT and hacks into devices on camera.
- Flashback Team - Super cool guy, with impressive IoT hacks. Must follow.
- JSON SEC - Smaller channel, its fame is mostly attributed to this great video about hacking IoT cameras.
- Hak5 -They have a wide range of topics in cyber security. Definitely worth following.
- Gerald Auger, PhD - Simply Cyber - Channel by Geral Auger, already mentioned among learning resources.
- Stacksmashing - Channel focusing on hardware and reverse engineering.
- Pink Draconian - Bug Hunting and walkthroughs.
- Motasem Hamdan - Beginner-friendly videos, illustrated with hand-drawn charts on whiteboard. We liked this firmware analysis video so much that we reached out. And he liked our tool so much that he created a video of it.
- Netsec - The biggest subreddit when it comes to practical cybersecurity with 470k members, as far as we could see. This is where a topic can reach 100+ upvotes, and dozens of comments. The members have wide-ranging backgrounds and this means that IoT security is represented with a smaller ratio. A lot of users are not necessarily super technical, but the quality of posts is generally pretty high as someone would expect from a community that is well-known for critical thinking.
- Penetration Testing for Humans - Share and discuss anything you think is related to penetration testing. Unfortunately, not the most active subreddit, there are only a few posts per week and not too many answers. There are questions from junior pentesters or people aspiring to become security analysts, and again, a lot of technical posts are more web application security testing oriented. Still, there are interesting posts from time to time regarding cryptography or binary exploitation that are relevant to IoT as well.
- PenTesting - Quite an active group. You see a lot of very specific questions, and answers, and sometimes quite advanced topics are discussed. Similarly to above, a large percentage of the content is related to job finding and people trying to understand what it takes to be an efficient pentester in the field. Still, there are good networking and protocol analysis-related posts, lots of material on how to use Linux for offensive security, and what open-source tools others use in their daily life to attack systems during their evaluations.
- AskNetsec The small sister of the netsec group. This is where you are directed if you need help or answers. As far as we could tell, there are usually answers, so it is worth trying, although recently there were some concerns about some answers being generated via Chat GPT. Still, this might be a good place to post a question if one feels that the big netsec group is neglecting that particular topic. There are a lot of networking security posts as the name suggests, things like enterprise security architecture and related tooling are often discussed, but IoT security-related posts are rare.
- Red Team Security - Here, you find more material on binary exploitation and reverse engineering compared to the generalist pentest groups, malware analysts often post here and there are frequent announcements of hobby projects that could help malware analysts, reverse engineers, and IoT security researchers alike.
- Security CTF: CTF announcements & writeups - if you want to learn from others’ real-life experiences, this is a great place to be. Almost daily posts, CTF writeups, occasional youtube walkthroughs, etc. This is obviously super technical content compared to the above, and everything that has to do with crypto, binary reverse engineering, exploitation, and protocol analysis should be super useful for any aspiring IoT security analysts. Work through those writeups yourself, fire up gdb, qira, Ghidra, or whatever you use, and repeat the work of others! You’ll find it exceptionally useful later on.
- Reverse Engineering - again, one of the bigger communities with 133k members, so activity is higher as well. In our experience, this community is very well versed in the topic to the extent that users can instantly answer the most obscure questions regarding quirks of IDA and Ghidra, or identify exotic, long-forgotten architectures just by looking at the hexdump of the executable you are trying to analyze. The community is fairly well versed in program analysis topics as well, including symbolic execution, and knowledge of advanced fuzzing tools and approaches from academia. They can also suggest github repos instantly if you thought you came up with the next viral IDA plugin. We recommend this subreddit for anyone who wants to be a black-belt reverse engineer.
- Embedded - big community, users usually post some very specific questions about issues they face. Quite a wide range of topics covered.
- Embedded Linux, much smaller and more specific. It is a very helpful niche community. Job and career-related questions pop up regularly as well.
- Darknet Diaries - The reddit thread of the podcast we mentioned above. This is less technical, but it is a good place to find your daily security news or find some overlaps between popular culture and cybersecurity. Lots of interesting stories, memes, satire, and people ranting about yet another security breach of this and that big corporation. Recommended to augment your therapy sessions.
This list will keep evolving
We are pretty sure there are a lot more out there, so we will keep updating this post.
Help us expand the list! If you have a good recommendation, send it to us via our contact form or via email to info@bugprove.com and we will evaluate it, and add it if it fits.