A beginner-to-job-ready guide to IoT cryptography: from zero crypto knowledge to breaking and building secure embedded systems.
Lab Setup
| Item | What it does |
|---|---|
| ESP32 DevKit (x1 minimum) | IoT device TLS client, victim device in attack labs |
| Linux VM (Ubuntu/Kali on VirtualBox/VMware) | Broker, CA server, attacker machine all in one |
| VM Network Mode: Bridged | Gives the VM its own IP on the LAN so the ESP32 can reach it over WiFi (in NAT mode the VM sits behind the host and the ESP32 cannot connect to it) |
| Mosquitto, mitmproxy, OpenSSL, Wireshark | MQTT broker, interception proxy, CA and certificate tooling, packet capture; all free, all installed on the VM |
Phase 1 - The Foundation
What is crypto, what is a certificate, and why does IoT keep getting it wrong?
| # | Blog | Link |
|---|---|---|
| 1 | What TLS Actually Does (And Why Your IoT Device Needs It) | TLS Explained: Why Your IoT Device Needs It |
| 2 | Certificates From Scratch: The Trust Chain Nobody Explains | The TLS Certificate Chain Explained (Root, Intermediate, and Server Certificates) |
| 3 | Setting Up Your Own CA and Issuing Certs with OpenSSL | Setting Up Your Own CA and Issuing Certs with OpenSSL |
Phase 2 - Hands-On TLS with ESP32
Get it working. Then understand what you actually built.
| # | Blog | Link |
|---|---|---|
| 4 | ESP32 + TLS: Your First Secure MQTT Connection | ESP32 + TLS: Your First Secure MQTT Connection |
| 5 | What the TLS Handshake Looks Like on the Wire (Wireshark Lab) | What the TLS Handshake Looks Like on the Wire (Wireshark Lab) |
| 6 | mTLS: When the Server Also Checks YOU | Mutual TLS (mTLS) Explained: When the Server Also Verifies the Client |
Phase 3 - Breaking It
Now we attack everything we just built.
| # | Blog | Link |
|---|---|---|
| 7 | MITM Attack on a TLS IoT Device | MITM Attack on a TLS IoT Device - What Breaks and What Doesn't |
| 8 | Cert Pinning: The Fix, and How Attackers Bypass It | coming soon |
| 9 | Embedded Crypto Pitfalls: Hardcoded Keys and Weak RNG | coming soon |
| 10 | Breaking mTLS: Stolen Certs and Certificate Confusion | coming soon |
Phase 4 - Real World Defence
What good IoT crypto actually looks like in production.
| # | Blog | Link |
|---|---|---|
| 11 | Secure Provisioning: How to Get Certs Onto Devices Safely | coming soon |
| 12 | Building a Hardened ESP32 TLS Client: Checklist and Final Lab | coming soon |
| 13 | Secure OTA Updates: Why Your Update Channel Is an Attack Surface (a full OTA deep-dive series is planned; stay tuned) | coming soon |
Job Readiness Map
This series directly prepares you for embedded security roles requiring:
| Skill | Covered |
|---|---|
| TLS/mTLS implementation | Yes |
| Embedded cryptography fundamentals | Yes |
| Secure device provisioning and cert management | Yes |
| Threat modeling and secure design | Yes |
| Network security — MITM, segmentation | Yes |
| Secure OTA update concepts | Yes |