Attacking Real-World IoT and Embedded Devices

Instructors:  Julien Cohen-Scali & Lucas Van Haaren
Dates:  June 15 to 18 2026
Location:  Hilton DoubleTree Montreal
Capacity:  25

In this training, participants will learn to reverse, emulate, and fuzz real-world IoT and embedded devices commonly found in modern homes and small businesses. We focus on attacking widely-deployed targets, many of which were previously featured at Pwn2Own, using software-driven techniques, public firmware images, and real-world exploitation workflows.

Unlike traditional hardware-centric IoT trainings, our approach emphasizes firmware analysis, network interaction, emulation, and vulnerability discovery via binary exploitation, fuzzing and reversing. Participants will work on actual devices from vendors like TP-Link, Linksys, Draytek, Netgear, Synology, Wyze, and more.

What You'll Learn

• Reverse engineering and emulating firmware from real consumer devices
• Extracting and analyzing firmware from online sources
• Network interface and API attack surface analysis
• Emulation with QEMU and tools like firmware-mod-kit, unblob
• Coverage-guided and grammar-based fuzzing for embedded software
• Practical vulnerabilities: from debug interfaces to insecure web UIs
• How vendors fail — and how to responsibly disclose bugs

Course Outline

Day 1 – Identify Your First Target

Focus: PCB identification and introduction to IoT security testing methodology

Target 1: Don't get Shocked, elec 101

• Basics of PCB analysis
• Identifying your first ICs
• Take Infos from Datasheet
• Recognize Interesting Ports

Target 2: Philips Hue Bridge

• Firmware unpacking & static analysis
• Light protocol fuzzing and attack scenarios
• Emulating targets and exploring plugin attack vectors
• Teardown demo for one device

Day 2 – Routers in the Crosshairs

Focus: Consumer routers and gateway devices

Targets: Linksys, Draytek, Netgear (firmware-based analysis)

• Firmware emulation
• Debug interface discovery (UART, Telnet, JTAG...)
• Reverse engineering OpenWRT based firmwares
• Reverse engineering custom web interfaces
  • Auth bypass and command injection
  • Exploring CGI/web components
• All in place and teardown demo for one device!

Day 3 – Hacked at First Sight: IP Cameras

Focus: Surveillance and video devices

Targets: Tapo CAM & Synology TC500

• Reverse engineering of network services
• RTC Fuzzing
• Exploiting weak authentication and default credentials
• Intercept Network communications
• Get hands dirty, go teardown!

Day 4 – Forgotten Peripherals

Focus: Often-overlooked devices with juicy bugs

Targets: Surprise target pool - Full day of guided IOT pwn in group

• Firmware collection and reverse engineering
• Attack surface Discovery
• Exploiting outdated firmware components

Bonus: CVE walk-throughs of past Pwn2Own bugs

BIO

Julien Cohen-Scali is a Cybersecurity Researcher at FuzzingLabs, specializing in reverse engineering, binary exploitation, and IoT/embedded security. He has over five years of hands-on experience in low-level security research and offensive security. His technical work focuses on deep system analysis across x86/x64, ARM, and MIPS architectures, with a strong emphasis on firmware reverse engineering, vulnerability research, and exploit development. Julien has worked extensively on real-world IoT targets, from router and embedded service analysis to firmware emulation and hardware-assisted debugging. He has participated in Pwn2Own (IoT category) and contributed to research on AI systems and mobile basebands, including work on Ollama and Samsung Exynos. As part of FuzzingLabs, he also delivers advanced, practice-oriented offensive security training.

Lucas Van Haaren is a security researcher specializing in software reverse engineering and vulnerability research, with a strong focus on IoT devices and network appliances. He works at FuzzingLabs, where he develops automated solutions for IoT vulnerability research as part of FuzzForge. His work involves black-box vulnerability research, in-depth binary analysis using reverse engineering tools such as Ghidra, IDA, and Angr, and dynamic instrumentation with GDB and custom tooling. Lucas has deep experience with Linux systems, virtualization, and emulation technologies (QEMU, KVM), which he leverages to build scalable environments for firmware analysis and vulnerability research.

To Register

Click here to register.