Practical IoT Pentest Associate
Introduction
The Practical IoT Pentest Associate is a certification by TCM Security that examines the test taker's ability to identify vulnerabilities within the firmware of an IoT device.
This was such a fun learning experience for me as the bulk of my previous experience covers web and cloud development with very little hardware exposure.
Learning Material
The learning material for this certification was fantastic. I personally really enjoy the video format over purely text-based learning. While not strictly necessary for the exam, the learning material starts with three sections of eight to ten modules each dedicated to the hardware aspects of IoT hacking. It covers the basics of reading schematics, hardware components, safety calculations, and taking measurements. From there, it goes into logic analysis, OSINT, and conducting live enumeration using UART shells, the entire time giving real-world examples using a cheap TP-Link Wi-Fi router that you can purchase and follow along with. Following UART shells, the material covers other protocols such as SPI and how to extract device firmware for more detailed static analysis. It wraps up with performing reverse engineering on compiled binaries in order to extract functionality and examine that functionality for weaknesses. All in all, after completing the learning material, I was extremely confident going into the exam.
Exam Format
The exam environment of this certification is actually quite unique when compared to others such as OSCP or even TCM Security's own PNPT. In most other exams, you connect to a VPN and then can launch your attacks from your own machine. With PIPA, however, you still connect to a VPN, but you're provided credentials to then log into a remote machine (an Ubuntu machine, if I recall correctly) via a browser interface that contains everything you need for the exam. This includes the firmware of the target device, some logic analyzer samples, a datasheet for the device, and any tools that you may require.
To complete the exam, you are given two days of lab time, during which you can connect to the remote machine and perform your hacking and analysis, and then an additional two days to write and submit your report.
Another unique aspect of TCM Security's exam formats (this goes for all of their certifications) is the lack of flags to capture. There are no local.txt or proof.txt files. Instead, you are judged on how well you can find and document realistic vulnerabilities. This can seem intimidating, especially with a certification like PIPA where there is no clear "end goal" (owning the domain controller, for example), but if you follow what you learned in the material, it is still pretty straightforward what to do in order to succeed.
My Tips and Suggestions
- Take breaks - You should be taking a short break every hour or two. Step away from your desk, stretch, grab a water, etc. This is equally true when you’re feeling stuck. Maybe take a longer break and have a meal, or do something that takes your mind away from the exam completely. Two days is plenty of time, so don’t feel bad if you need to take a longer break to unwind. For me, doing this helped greatly as I could come back with fresh thoughts and new ideas to try.
- Plan your day accordingly - Plan your exam for a time that makes sense for you and your routine. If you're a morning person, start your exam in the morning; if you aren't, maybe start in the afternoon.
- Take detailed notes - TCM's reporting expectations are a little different from others such as OffSec. TCM's graders want a realistic report that's formatted as if you're a pentester hired by the customer. This means you have to write your report in a way that makes the vulnerability understandable, clear to reproduce, and includes remediation suggestions. To do this, make sure that you are annotating everything you do in your notes, even failed attempts, in case you need to revisit that section. I failed my first attempt at the exam not because I didn't find all the vulnerabilities, but because I didn't produce a detailed enough report. On my second try, I simply retraced my steps from the first attempt, taking better screen grabs and adding additional notes as I went, and passed the second attempt no problem.
- Know that it's okay to fail - While this is an associate-level exam, it shouldn't be scoffed at for being "easy". It's a different format than most people are used to, and the lack of flags can be a bit jarring when trying to measure your progress. There's no "you got 70 points, and you know you passed". I found myself questioning whether I had found everything, and truly didn't know until I got my results back from the grader. So keep this in mind if you don't achieve success on your first try. Get your feedback, learn from it, and knock it out of the park on the second go! There's a reason TCM provides two attempts with every purchase, after all!
Final Thoughts
PIPA is a fun exam on a fascinating topic, and I’d encourage anyone even remotely curious about hardware hacking to give it a go.