IoT Security: Firmware Analysis, Protocols, and Hardware Hacking

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

IoT devices ship with constraints that make traditional security approaches difficult — limited compute, minimal memory, long deployment lifecycles, and update mechanisms that range from fragile to nonexistent. Securing these devices requires understanding firmware internals, communication protocols, and hardware-level attack surfaces that software-focused security professionals rarely encounter.

Firmware Analysis

Firmware analysis starts with extraction. Obtain firmware through vendor download pages, OTA update interception, or physical extraction from flash memory chips using tools like a Bus Pirate or CH341A programmer with flashrom.

Use binwalk to identify embedded filesystems, compressed archives, and executable sections:

```bash
binwalk -e firmware.bin
```

This extracts squashfs, cramfs, JFFS2, and other filesystem images. Once extracted, analyze the filesystem for hardcoded credentials, private keys, debug interfaces, and configuration files. grep -r through the extracted filesystem for passwords, API keys, and connection strings.

Static analysis of binaries with Ghidra or IDA reveals authentication logic, crypto implementations, and command injection vulnerabilities. Cross-reference function calls against known vulnerable patterns — strcpy, sprintf, system() with user-controlled arguments.

Emulate firmware with QEMU or Firmadyne to perform dynamic analysis without physical hardware. This allows you to run the firmware, interact with web interfaces, and fuzz services in a controlled environment.
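
As an added example (not code from the HADESS article), a Python pass over an extracted root filesystem that flags the hardcoded credentials, private keys and connection strings the text says to look for. The sample tree it builds is constructed for the example, so it runs without a real firmware image; the patterns are a starting list, not a complete one.

```python
import re
import tempfile
from pathlib import Path

# Content patterns worth flagging in an extracted rootfs (constructed list; extend per device).
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:passw(?:or)?d|api[_-]?key|secret|token)\s*[=:]\s*\S+"),
    "mqtt_connection_string": re.compile(r"mqtts?://[^\s\"']+@[^\s\"']+"),
}
# /etc/shadow entries whose hash field is a real hash, not a locked "*" or "!"
SHADOW_HASH = re.compile(r"^([^:]+):(\$[^:]+):")

def scan_rootfs(root: str, max_size: int = 1 << 20):
    """Return [(relative_path, finding, line_number)] for files under `root`."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file() or path.stat().st_size > max_size:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="ignore")   # binaries just yield noise here
        for lineno, line in enumerate(text.splitlines(), 1):
            if rel.endswith("etc/shadow") and SHADOW_HASH.match(line):
                findings.append((rel, "shadow_hash:" + line.split(":")[0], lineno))
                continue
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((rel, name, lineno))
    return findings

def build_sample_rootfs() -> str:
    """Constructed stand-in for a binwalk extraction (all contents are made up)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/shadow": "root:$1$abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::\n"
                      "daemon:*:19000:0:99999:7:::\n",
        "etc/config/cloud.conf": "broker=mqtt://device:hunter2@iot.example.net:1883\n"
                                 "api_key=EXAMPLE-KEY-0001\nlog_level=info\n",
        "etc/ssl/device.key": "-----BEGIN EC PRIVATE KEY-----\n"
                              "(key bytes omitted in this constructed sample)\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root
```

Run it against the directory binwalk produces (for example `_firmware.bin.extracted/squashfs-root`) and review each hit by hand; a locked account (`*` or `!` in shadow) is deliberately not reported.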

Communication Protocols

IoT devices communicate over protocols with varying security properties:

MQTT is a lightweight publish/subscribe protocol. Default configurations allow anonymous access and unencrypted communication. Require TLS and client certificate authentication. Use ACLs to restrict which topics each client can publish to and subscribe to.
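
To make the ACL point concrete, an added example (not from the article) in Python: MQTT topic-filter matching with the `+` and `#` wildcards as the MQTT 3.1.1 and 5.0 specifications define them, driving a default-deny per-client check on publish and subscribe. The client IDs, topics and ACL table are constructed.

```python
# MQTT topic-filter matching ('+' = one level, '#' = the rest of the tree)
# used to enforce a default-deny per-client ACL on publish and subscribe.

def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if `topic` falls under `topic_filter` under MQTT wildcard rules."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False   # a leading wildcard never matches $SYS-style topics
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' is only valid as the last level, and it covers the parent too
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

# Constructed ACL: the filters each authenticated client may publish to or
# subscribe to (a broker such as Mosquitto keeps the equivalent in its acl_file).
ACL = {
    "sensor-0042": {"publish": ["sensors/0042/#"], "subscribe": ["cmd/0042/#"]},
    "dashboard":   {"publish": [], "subscribe": ["sensors/+/temperature"]},
}

def is_allowed(client_id: str, action: str, topic: str) -> bool:
    """Default deny: unknown clients and unlisted topics get False."""
    if action not in ("publish", "subscribe"):
        raise ValueError("unknown action: " + action)
    rules = ACL.get(client_id, {}).get(action, [])
    if "+" in topic or "#" in topic:
        # Wildcards are invalid in a published topic. A wildcard subscription
        # is allowed only if it equals a granted filter exactly, so a client
        # cannot widen "cmd/0042/#" into "cmd/#".
        return action == "subscribe" and topic in rules
    return any(topic_matches(rule, topic) for rule in rules)
```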

CoAP (Constrained Application Protocol) is UDP-based, designed for resource-constrained devices. DTLS provides transport encryption, but many implementations skip it. CoAP also supports object security with OSCORE for end-to-end encryption.

BLE (Bluetooth Low Energy) pairing has known weaknesses. Just Works pairing provides no protection against MITM attacks. Use LE Secure Connections with numeric comparison when possible. Even with secure pairing, custom GATT services often lack application-layer authentication.

Zigbee uses AES-128 for encryption, but the network key distribution mechanism has known weaknesses. Zigbee sniffers like KillerBee can capture and crack network keys during the join process.

Hardware Hacking

Physical access opens attack vectors that remote testing cannot reach:

UART (Universal Asynchronous Receiver/Transmitter) debug ports often provide root shell access. Identify UART pins with a multimeter or logic analyzer, connect with a USB-to-UART adapter, and you frequently land in a root shell with no authentication.

JTAG/SWD debug interfaces allow direct memory access, firmware extraction, and runtime debugging. Use OpenOCD with a JTAG adapter to read flash memory, set breakpoints, and modify execution flow.

SPI and I2C buses carry data between components. Intercepting these buses with a logic analyzer reveals cryptographic keys, configuration data, and inter-chip communication that may expose vulnerabilities.

Manufacturers should disable debug interfaces in production firmware, but many do not. Physical security assessments frequently find active JTAG and UART ports on production devices.

Update Mechanisms

Secure updates are the most impactful control for IoT security. A device that cannot be updated is permanently vulnerable to any flaw discovered after manufacturing.

Implement signed firmware updates — the device verifies the update signature before applying it. Use a dedicated signing key stored in an HSM. Include version checking to prevent rollback attacks where an attacker installs an older, vulnerable firmware version.

OTA (Over-the-Air) updates must use TLS for transport and verify the update server’s certificate. Support staged rollouts and automatic rollback if the updated firmware fails health checks.
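
An added example (not the article's code) of the verify-before-apply and anti-rollback logic described above, for a constructed update-image format: a fixed header (magic, version, payload length), the payload, and a signature over both. HMAC-SHA256 stands in for the asymmetric signature a device would check with a public key in ROM, purely so the block runs with the standard library; the key, the format and the version numbers are assumptions.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")          # magic, version, payload length (constructed)
SIG_LEN = hashlib.sha256().digest_size

class UpdateRejected(Exception):
    pass

def sign_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Build an image. HMAC-SHA256 stands in for the HSM-held asymmetric
    signing key; a real device would verify with a public key in ROM."""
    header = HEADER.pack(MAGIC, version, len(payload))
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

def verify_image(key: bytes, image: bytes, installed_version: int) -> bytes:
    """Check signature and version before anything touches flash.
    Returns the payload, or raises UpdateRejected."""
    if len(image) < HEADER.size + SIG_LEN:
        raise UpdateRejected("image too short")
    magic, version, payload_len = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    body_end = HEADER.size + payload_len
    if body_end + SIG_LEN != len(image):
        raise UpdateRejected("length field does not match image size")
    signed, sig = image[:body_end], image[body_end:]
    # Signature first: no field in the image is trusted until it verifies.
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise UpdateRejected("signature mismatch")
    # Anti-rollback: the version is under the signature, so an attacker cannot
    # edit it, and an older but validly signed image is still refused.
    if version <= installed_version:
        raise UpdateRejected(f"version {version} is not newer than {installed_version}")
    return image[HEADER.size:body_end]

def check_update(key: bytes, image: bytes, installed_version: int):
    """Wrapper: (payload, None) on success, (None, reason) when rejected."""
    try:
        return verify_image(key, image, installed_version), None
    except UpdateRejected as exc:
        return None, str(exc)
```

The installed version the check compares against must itself live in write-protected or authenticated storage, otherwise the rollback protection can be undone by resetting it.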

Related Career Paths

IoT security skills map to Security Researcher and Penetration Tester career paths. Both roles increasingly encounter IoT devices in assessment scope, and hardware hacking skills differentiate candidates.

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Use the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
