1366 IoT Security Practice Labs
1366.1 Learning Objectives
By the end of this chapter, you should be able to:
- Conduct systematic IoT device security audits using industry checklists
- Configure network segmentation to isolate IoT devices
- Verify HTTPS/TLS certificate validity using command-line tools
- Document security findings in professional audit reports
- Implement compensating controls for identified vulnerabilities
1366.2 Introduction
Security knowledge becomes valuable only through practical application. These hands-on labs guide you through real security assessment techniques used by professionals. Each lab includes step-by-step instructions, verification checklists, and templates for documenting findings.
These labs are designed to be safe:
- Only assess devices you own - never scan or test others’ networks without permission
- Document everything - good notes help you learn and provide evidence
- Start simple - complete Lab 1 before attempting advanced labs
If you’re uncomfortable with any step, skip it and move to the next. The goal is learning, not completing every checkbox.
1366.3 Lab 1: IoT Device Security Audit Checklist
Objective: Learn to assess the security posture of an IoT device using a systematic checklist approach.
Time Required: 30-45 minutes
Materials Needed:
- Any IoT device you own (smart plug, camera, sensor, etc.)
- Computer with network scanning capability
- Notepad for recording findings
1366.3.1 Step 1: Physical Security Assessment (5 min)
Check for physical security vulnerabilities. Mark an item Pass when the device meets the secure condition (for example, no exposed debug ports, no printed credentials):
| Check Item | Pass/Fail | Notes |
|---|---|---|
| Are there exposed debug ports (UART, JTAG)? | [ ] | Document port locations |
| Can the device be opened without tools? | [ ] | Note tamper evidence |
| Are there any printed credentials on device/packaging? | [ ] | Document if found |
| Is the firmware chip accessible/removable? | [ ] | Note chip type if visible |
Debug ports often appear as:
- 4-pin header (UART: TX, RX, VCC, GND)
- 10-20 pin header (JTAG)
- Unpopulated solder pads on PCB
Printed credentials may include:
- Default password on sticker
- Setup code for pairing
- Serial number that doubles as password
1366.3.2 Step 2: Network Security Assessment (10 min)
Analyze network behavior from a computer on the same LAN:

```bash
# Find your IoT device's IP address (host discovery; adjust the subnet to match your network)
nmap -sn 192.168.1.0/24
# Scan open ports and fingerprint the services on the device (replace IP);
# the default covers the 1000 most common TCP ports, add -p- to cover all 65535
nmap -sV 192.168.1.XXX
# Check for unencrypted traffic in Wireshark using the display filter:
#   ip.addr == 192.168.1.XXX
```

| Check Item | Pass/Fail | Notes |
|---|---|---|
| Does device use HTTPS for web interface? | [ ] | Check certificate validity |
| Are unnecessary ports open? | [ ] | List open ports and the service on each |
| Does device phone home to unexpected servers? | [ ] | Note domains contacted |
| Is traffic encrypted (TLS/SSL)? | [ ] | Check with Wireshark; plaintext HTTP, Telnet or MQTT on port 1883 fails this check |
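To turn the port-scan step into a repeatable check, the following script parses nmap's grepable output (`nmap -sV -oG -`) and grades each open port against the "unnecessary ports" and "traffic encrypted" items above. It is an added example, not code from the original lab; the `RISKY_PORTS` table, the expected-port set and the embedded sample scan are constructed for illustration and should be adjusted to the device under test.

```python
"""Parse `nmap -sV -oG -` output and flag ports an IoT device should not expose.

Added example for this lab (not part of the original page). The RISKY_PORTS table and
the sample scan below are constructed for illustration; adjust them to your device.
"""
import sys

# Services whose presence fails the "unnecessary ports" / "traffic encrypted" checks.
# Assumed list for the example: cleartext logins and discovery/management protocols.
RISKY_PORTS = {
    21: "FTP: cleartext credentials",
    23: "Telnet: cleartext login",
    80: "HTTP: unencrypted web interface",
    1883: "MQTT without TLS: cleartext telemetry and commands",
    1900: "UPnP/SSDP: exposes device control and port mapping",
    5900: "VNC: remote desktop, often unauthenticated on embedded devices",
}

# Constructed sample of grepable nmap output for a hypothetical smart plug.
SAMPLE_SCAN = """# Nmap 7.94 scan initiated (constructed sample) as: nmap -sV -oG - 192.168.1.50
Host: 192.168.1.50 ()\tStatus: Up
Host: 192.168.1.50 ()\tPorts: 23/open/tcp//telnet//, 80/open/tcp//http//lighttpd 1.4.55/, 443/open/tcp//https//, 8883/open/tcp//secure-mqtt//\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""


def parse_grepable(text):
    """Return {host: [(port, proto, state, service), ...]} from nmap -oG output.

    Each port entry in -oG has the form port/state/proto/owner/service/rpc/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        entries = []
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            entries.append((int(port), proto, state, service))
        hosts.setdefault(host, []).extend(entries)
    return hosts


def assess(entries, expected_ports):
    """Grade each open port: FAIL for known-risky services, REVIEW for anything unexpected."""
    findings = []
    for port, proto, state, service in sorted(entries):
        if state != "open":
            continue
        if port in RISKY_PORTS:
            findings.append((port, "FAIL", RISKY_PORTS[port]))
        elif port not in expected_ports:
            findings.append((port, "REVIEW", f"unexpected {proto} service '{service}'"))
        else:
            findings.append((port, "PASS", f"expected {proto} service '{service}'"))
    return findings


if __name__ == "__main__":
    # Pipe a real scan in (nmap -sV -oG - 192.168.1.XXX | python3 this.py 443,8883)
    # or run with no input to see the constructed sample graded.
    expected = {int(p) for p in sys.argv[1].split(",")} if len(sys.argv) > 1 else {443, 8883}
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    for host, entries in parse_grepable(data).items():
        print(f"{host}:")
        for port, verdict, detail in assess(entries, expected):
            print(f"  {port:>5}  {verdict:6}  {detail}")
```

On the sample, Telnet and plain HTTP are reported as FAIL while HTTPS and MQTT-over-TLS pass; a port that is neither risky nor expected is marked REVIEW so you decide whether it belongs on the device. Record the verdicts in the Notes column of the table.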
1366.3.3 Step 3: Authentication Assessment (10 min)
Test authentication mechanisms:
| Check Item | Pass/Fail | Notes |
|---|---|---|
| Did device ship with default password? | [ ] | Was change forced? |
| Is password complexity enforced? | [ ] | Test weak passwords |
| Does device support 2FA/MFA? | [ ] | Enable if available |
| Are there hidden admin accounts? | [ ] | Check documentation |
| Does device lock after failed attempts? | [ ] | Test brute force protection |
1366.3.4 Step 4: Firmware and Updates (10 min)
| Check Item | Pass/Fail | Notes |
|---|---|---|
| Is automatic update enabled? | [ ] | Enable if available |
| When was last update released? | [ ] | Check manufacturer site |
| Are updates signed/verified? | [ ] | Check update process |
| Can you roll back firmware? | [ ] | Note if possible |
1366.3.5 Step 5: Privacy Assessment (5 min)
| Check Item | Pass/Fail | Notes |
|---|---|---|
| What data does device collect? | [ ] | Read privacy policy |
| Can you disable data sharing? | [ ] | Check settings |
| Is data stored locally or cloud? | [ ] | Note storage location |
| Can you delete your data? | [ ] | Test data deletion |
1366.3.6 Scoring Your Device
| Score Range | Risk Level | Recommended Action |
|---|---|---|
| 0-5 checks passed | HIGH Risk | Consider replacing or isolating |
| 6-10 checks passed | MEDIUM Risk | Implement compensating controls |
| 11-15 checks passed | LOWER Risk | Maintain vigilance |
| 16+ checks passed | GOOD Security Posture | Continue monitoring |
1366.3.7 Audit Report Template
Use this template to document your findings:
## IoT Security Audit Report
**Device:** [Name and Model]
**Date:** [Date]
**Auditor:** [Your Name]
### Executive Summary
[1-2 sentence overall assessment]
### Findings
| Category | Score | Critical Issues |
|----------|-------|-----------------|
| Physical | X/4 | |
| Network | X/4 | |
| Authentication | X/5 | |
| Firmware | X/4 | |
| Privacy | X/4 | |
| **Total** | **X/21** | |
### Recommendations
1. [Most critical fix]
2. [Second priority]
3. [Third priority]
### Risk Acceptance
[Note any risks accepted and justification]
1366.4 Lab 2: Network Segmentation for IoT Devices
Objective: Create a separate network segment for IoT devices to limit breach impact.
Time Required: 45-60 minutes
Materials Needed:
- Router with VLAN or guest network capability
- IoT devices to move to new network
- Computer for configuration
1366.4.1 Why Segment IoT Devices?
IoT devices on your main network can reach everything on it:

```text
BEFORE (Risky):
IoT Device ←→ Your Computer ←→ Your Files
           ↑
   No protection between them

AFTER (Safer):
IoT Device ←→ [Firewall] ←→ Your Computer
                 ↑
   IoT cannot reach your computer directly
```
1366.4.2 Option A: Guest Network (Easiest)
Most routers support guest networks. This is the quickest way to isolate IoT devices.
Step 1: Access router admin (usually 192.168.1.1)
Step 2: Enable guest network
Step 3: Configure settings:
- Name: IoT_Devices
- Password: [Strong unique password]
- Enable client isolation (guest clients cannot talk to each other; leave it off only if a hub has to discover its own devices on this network)
- Disable access to main network
Step 4: Connect IoT devices to guest network
Step 5: Verify isolation: from a phone joined to the guest network, your computer's IP address should not answer ping and its shares should not be visible
1366.4.3 Option B: VLAN (More Secure)
For advanced users with managed switches:
| VLAN | Purpose | Devices |
|---|---|---|
| VLAN 1 (Default) | Trusted | Computers, phones |
| VLAN 10 (IoT) | Smart home | Lights, thermostats, speakers |
| VLAN 20 (Cameras) | Most restricted | Security cameras |
1366.4.4 Firewall Rules Template
```text
# Allow IoT to reach internet
ALLOW: VLAN_IoT → Internet (ports 80, 443, 8883)
# Block IoT from main network
DENY: VLAN_IoT → VLAN_Main (all ports)
# Allow main network to control IoT
ALLOW: VLAN_Main → VLAN_IoT (specific ports only)
# Block IoT-to-IoT lateral movement (optional paranoid mode)
DENY: VLAN_IoT → VLAN_IoT (all ports)
```

Port 8883 is MQTT over TLS; most devices also need outbound DNS (UDP 53) and NTP (UDP 123), so add those before concluding that a device is broken. The rules are stateful: replies to allowed flows are permitted implicitly, so VLAN_Main → VLAN_IoT control traffic works even though VLAN_IoT → VLAN_Main is denied. The last rule only affects traffic routed between two IoT VLANs (for example VLAN 10 to VLAN 20); devices on the same VLAN talk to each other at layer 2 without touching the router, so blocking that requires port isolation on the switch or client isolation on the access point.
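A concrete version of the template for a Linux router, added here as an example (it is not from the page or any router vendor): an nftables ruleset for the forward chain. The interface names wan0, vlan1, vlan10 and vlan20 are assumptions; the trusted-to-internet rule and outbound DNS/NTP for IoT are added because the template omits them and devices will not work without them. Services the router itself provides to the IoT VLAN (DHCP, DNS) arrive on the input chain and are not covered here.

```nft
#!/usr/sbin/nft -f
# Added example for Lab 2 (not from the page). Assumed interfaces:
#   wan0 = internet uplink, vlan1 = trusted, vlan10 = IoT, vlan20 = cameras
# Load with: nft -f iot-segmentation.nft   (replaces the current ruleset)
flush ruleset

define WAN = "wan0"
define TRUSTED = "vlan1"
define IOT = { "vlan10", "vlan20" }

table inet iot_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already allowed; drop packets with broken state
        ct state established,related accept
        ct state invalid drop

        # Trusted network is unrestricted towards the internet (not in the template, assumed)
        iifname $TRUSTED oifname $WAN accept

        # ALLOW: VLAN_IoT -> Internet (ports 80, 443, 8883)
        # DNS and NTP are added as a practical caveat: almost every device needs them.
        # If the cameras record locally, drop "vlan20" from $IOT for these two rules.
        iifname $IOT oifname $WAN tcp dport { 80, 443, 8883 } accept
        iifname $IOT oifname $WAN udp dport { 53, 123 } accept

        # ALLOW: VLAN_Main -> VLAN_IoT (specific ports only): web UI, MQTT control, ping
        iifname $TRUSTED oifname $IOT tcp dport { 80, 443, 8883 } accept
        iifname $TRUSTED oifname $IOT icmp type echo-request accept

        # DENY: VLAN_IoT -> VLAN_Main (all ports); explicit so the drops are logged and counted
        iifname $IOT oifname $TRUSTED log prefix "IOT-TO-LAN-DROP " counter drop

        # DENY: VLAN_IoT -> VLAN_IoT, i.e. routed traffic between the IoT and camera VLANs.
        # Same-VLAN traffic never reaches this chain; use switch port isolation for that.
        iifname $IOT oifname $IOT counter drop

        # Everything else falls through to the chain policy: drop
    }
}
```

After loading, run the verification checklist below; the `log prefix` entries will appear in the kernel log (`journalctl -k`) whenever an IoT device attempts to reach the trusted VLAN, which is also useful evidence for the audit report.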
1366.4.5 Verification Checklist
| Test | Expected Result | Actual |
|---|---|---|
| IoT device reaches internet | Works | [ ] |
| IoT device pings your computer | Blocked | [ ] |
| Your computer controls IoT device | Works | [ ] |
| IoT device scans network | Only sees IoT VLAN | [ ] |
Problem: IoT device can't be controlled after segmentation
Solutions:
- Check that the firewall allows traffic FROM the main network TO the IoT VLAN on the device's control port, and that return traffic for established connections is permitted
- Some devices rely on broadcast/multicast discovery (mDNS, SSDP) that does not cross VLANs: enable an mDNS reflector/repeater on the router (for example avahi-daemon with enable-reflector=yes)
- Cloud-controlled devices usually keep working because they only need outbound access; locally controlled devices need a direct path from the main network
1366.5 Lab 3: HTTPS Certificate Verification
Objective: Verify that your IoT devices use proper TLS/HTTPS encryption.
Time Required: 20 minutes
Materials Needed:
- Browser with developer tools
- IoT device with web interface
1366.5.1 Step-by-Step Verification
Step 1: Access device web interface
Navigate to: https://192.168.1.XXX (note: HTTPS not HTTP)
Step 2: Check certificate in browser
- Click padlock icon → “Certificate”
- Note issuer, expiration, and validity
Step 3: Use OpenSSL to inspect certificate

```bash
# Show the certificate chain (</dev/null closes the connection so the command returns)
openssl s_client -connect 192.168.1.XXX:443 -showcerts </dev/null
# Extract issuer, expiry and public key size from the leaf certificate
openssl s_client -connect 192.168.1.XXX:443 </dev/null 2>/dev/null | \
  openssl x509 -noout -text | grep -E "Issuer:|Not After|Public-Key"
# Enumerate supported TLS versions and cipher suites
nmap --script ssl-enum-ciphers -p 443 192.168.1.XXX
```

Step 4: Evaluate results
| Check | Secure | Insecure |
|---|---|---|
| Protocol | TLS 1.2 or 1.3 | SSL 3.0, TLS 1.0/1.1 |
| Certificate | Valid, not expired, issued by a trusted CA or with a fingerprint you have verified | Expired, or self-signed and unverified |
| Cipher Suite | AEAD suites (AES-GCM, ChaCha20-Poly1305) | RC4, DES, 3DES, NULL/export ciphers |
| Key Size | RSA 2048+ or ECC 256+ | RSA 1024 or less |
1366.5.2 Common Issues and Fixes
| Issue | Risk Level | Fix |
|---|---|---|
| Self-signed certificate | Medium | Accept for local use only after verifying its fingerprint, or install the device certificate or a custom CA in your trust store |
| Expired certificate | High | Update firmware or contact manufacturer |
| TLS 1.0/1.1 only | Medium | Disable old protocols if the device allows it; otherwise isolate the device |
| HTTP only (no HTTPS) | Critical | Keep it on the isolated IoT VLAN and manage it only over a trusted path (VPN into the LAN), or replace the device |
Many IoT devices use self-signed certificates because:
- They are reached by private IP address or a .local name, and public CAs do not issue certificates for those
- Provisioning a unique CA-signed certificate per device at manufacture is costly and rarely done
- Certificate renewal is complex for embedded devices with no reliable update path
Self-signed is acceptable IF:
- Device is on isolated network
- You verify the certificate fingerprint manually
- Traffic is already on a VPN
Self-signed is risky IF:
- Device is internet-accessible
- You haven’t verified the fingerprint
- You’re sending sensitive data
1366.5.3 Certificate Fingerprint Verification
For self-signed certificates, manually verify the fingerprint:
Step 1: Get the fingerprint from a source other than the connection itself (device label, a screen on the device, or manufacturer documentation)
Step 2: Compare with OpenSSL output:

```bash
openssl s_client -connect 192.168.1.XXX:443 </dev/null 2>/dev/null | \
  openssl x509 -fingerprint -sha256 -noout
```

Step 3: If the fingerprints match, you are talking to the holder of that certificate's private key and there is no man-in-the-middle on this connection. A match proves nothing if the reference fingerprint came from the same untrusted connection; record it once over a trusted path and re-check it on later visits.
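The fingerprint comparison and the Step 4 grading can be scripted so they are repeated the same way on every visit. The following is an added example (not code from the lab): it pins a SHA-256 fingerprint obtained out of band, compares it in constant time against the live certificate, and grades protocol and cipher using the criteria of the Step 4 table. The device address, port and pinned fingerprint are supplied on the command line; the weak-cipher marker list is an assumption and only covers the table's insecure column. Key size is not exposed by Python's `ssl` module, so `grade_connection` accepts it as an optional argument taken from the `openssl x509 -text` output above.

```python
"""Pin an IoT device's certificate fingerprint and grade its TLS settings.

Added example for this lab (not part of the original page). The pin-check and grading
functions are pure so they can be exercised with constructed input; probe() does the
live connection. Host, port and the pinned fingerprint are supplied by the user.
"""
import hashlib
import hmac
import re
import socket
import ssl
import sys

# Criteria taken from the Step 4 evaluation table above (assumed marker list).
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")  # "DES" also matches 3DES names


def cert_fingerprint(der_cert):
    """SHA-256 of the DER-encoded certificate as lowercase hex (what openssl -fingerprint prints)."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_fingerprint(fp):
    """Accept 'AB:CD:...' (openssl/browser style) or bare hex; return lowercase hex digits."""
    digits = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def fingerprint_matches(der_cert, pinned_fp):
    """Compare the live certificate against a fingerprint obtained out of band (constant time)."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalize_fingerprint(pinned_fp))


def grade_connection(protocol, cipher_name, rsa_key_bits=None):
    """Return (check, verdict, detail) tuples; 'Insecure' maps to the table's right-hand column."""
    findings = [("Protocol", "Insecure" if protocol in WEAK_PROTOCOLS else "Pass", protocol)]
    weak = any(marker in cipher_name.upper() for marker in WEAK_CIPHER_MARKERS)
    findings.append(("Cipher Suite", "Insecure" if weak else "Pass", cipher_name))
    if rsa_key_bits is not None:
        findings.append(("Key Size", "Pass" if rsa_key_bits >= 2048 else "Insecure", f"RSA {rsa_key_bits}"))
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake without CA validation (the device is probably self-signed) and report what it offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE            # trust comes from the pin, not from a CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # allow old versions so they can be reported
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cipher_name, _proto, _bits = tls.cipher()
            return der, tls.version(), cipher_name


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: tls_check.py <device-ip> <pinned-sha256-fingerprint> [port]")
    host, pinned = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    der, version, cipher = probe(host, port)
    print(f"Live fingerprint: {cert_fingerprint(der)}")
    print("Matches pinned fingerprint:", fingerprint_matches(der, pinned))
    for check, verdict, detail in grade_connection(version, cipher):
        print(f"{check:12} {verdict:8} {detail}")
```

`verify_mode = CERT_NONE` is deliberate for this audit tool only: the pin replaces CA validation, which is why the pinned value must come from the device or its documentation rather than from a previous unverified connection. Never copy that setting into a production client.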
1366.6 Resources for Further Learning
1366.6.1 Books
- “Practical IoT Hacking” by Fotios Chantzis
- “IoT Penetration Testing Cookbook” by Aaron Guzman
- “Abusing the Internet of Things” by Nitesh Dhanjani
1366.6.2 Standards and Frameworks
1366.6.3 Tools
| Category | Tools |
|---|---|
| Vulnerability Scanning | Nmap, Nessus, OpenVAS |
| Firmware Analysis | Binwalk, Firmwalker, FACT |
| Network Analysis | Wireshark, tcpdump |
| Penetration Testing | Metasploit, Burp Suite |
1366.6.4 Online Resources
1366.6.5 Certifications
| Certification | Focus |
|---|---|
| GIAC GICSP | Industrial control systems (ICS/OT) security |
| CISM | Information Security Management |
| CEH | Ethical Hacker (IoT module) |
| IoT Security Practitioner | IoT Security Foundation |
1366.7 Summary
Hands-on security labs develop practical skills that complement theoretical knowledge:
- Device audits reveal real vulnerabilities using systematic checklists
- Network segmentation limits breach impact through isolation
- Certificate verification ensures encrypted communications
- Documentation creates professional audit trails
These labs can be repeated with different devices to build experience across IoT ecosystems.
1366.8 What’s Next
Based on your security learning path:
- For exam preparation: Exam Preparation Guide - Practice problems and study strategies
- For advanced theory: Advanced Security Concepts - Cryptography, secure boot, side-channel attacks
- For case studies: Security Case Studies - Learn from Mirai, Jeep, Ring incidents
- For frameworks: Security Frameworks - OWASP, NIST, ETSI compliance