
HardPwn 2024: A Researcher's Passion for Hacking IoT Devices

Engineer Dennis Giese on Hacking Robot Vacuum Cleaners and Running Hackathons
Security researcher and engineer Dennis Giese hacked an Ecovacs robot vacuum and found multiple vulnerabilities. (Image: Shutterstock)

Dennis Giese, a security researcher and engineer, built his first computer at around age 8 using spare parts. Years later, he hacked his first robot vacuum cleaner. Giese recently reflected on his journey as a researcher and ethical hacker during HardPwn, a hardware hackathon hosted by Hardwear.io in Amsterdam.


That early fascination with hardware drove him to work with around 70 robots over the years. "I didn't know much then, but through trial and error, I figured it out and gained a lot of foundational knowledge," Giese said.

A regular speaker at security-related events, Giese is now a prominent figure in hardware security. For the past three years, he has volunteered at HardPwn.

"There aren't many hardware hackathons around. HardPwn is one of the few and most relevant," he explained. "At these events, researchers can experiment freely with expensive, vendor-sponsored hardware without worrying about damage. When it's my own hardware, I'm more cautious to avoid breaking it, which limits the types of attacks I try."


At HardPwn, participants work with real devices from companies including Amazon, Google, Meta, and, this time, Xiaomi. "We search for vulnerabilities in these consumer electronics to raise security standards," he said. "Verifying these fixes requires testing on devices that haven't been previously hacked, making it more challenging than typical software testing. This process demands creativity to identify issues and develop new solutions. Hackathons offer a chance to build innovative tools."

Giese pointed out the unique importance of events like HardPwn, where academic research can translate into practical applications with real industry collaboration. "Manufacturers actively engage in developing solutions, which bridges the gap between theory and practice," he said.

Uncovering Robotic Vulnerabilities

One of his notable discoveries involved security vulnerabilities in Ecovacs robot vacuum cleaners. Having analyzed the Xiaomi vacuum robots he had used at home, Dennis became interested in the category.

"In 2018, I got an Ecovacs robot vacuum cleaner for reverse-engineering. But the hardware was not great, so I put it in storage. I went back to Ecovacs in 2022 and hacked the X1 model."

Working with fellow security researcher Braelynn Luedtke, Giese reverse-engineered the firmware and looked into the communication protocols of the device. "There, we found many vulnerabilities: broken TLS encryption, command injection via BLE - aka BLE RCE - and the broken logic in the live video feature that allows bypass of the PIN. For the live video bypass, you still need to access the account by getting the credentials from the broken TLS encryption or by credential stuffing," Giese said.

The vulnerabilities that Giese found could enable hackers to control these devices via Bluetooth and Wi-Fi, accessing cameras, microphones, Wi-Fi credentials and room maps. "For those with smart home devices that control things like heating or lighting, it's crucial to avoid simple passwords. Otherwise, someone could control your home's systems, retrieve device data, or even view a layout of your house," Giese pointed out.

Although Ecovacs initially claimed the vulnerabilities required proximity, implying minimal user risk, further scrutiny led to firmware updates addressing the issues.

A Call for Awareness

For most people, hardware security isn't a major concern, Giese stressed, but certain users - politically active or high-risk individuals - should assess their exposure. "Regular users should simply be mindful, especially with cameras and microphones, and carefully consider their placement in private spaces like living rooms or bedrooms," he advised.

In an IoT ecosystem, many devices connect to the cloud, which communicates across multiple units. While this can confine potential vulnerabilities to individual devices or a limited number of them, attackers still often discover flaws by physically tampering with a device and then exploiting weaknesses via cloud access. For example, with Ecovacs' 28 million devices across the U.S. and Europe, the potential impact of such vulnerabilities could be far-reaching.

Growth in Hardware Security

The demand for hardware security expertise is growing, as securing these devices requires understanding both the hardware and the software running on them. "Examining a device's firmware can reveal issues that may scale widely," Giese said.

To excel in hardware security, he emphasized the need for a unique skill set encompassing both hardware and software vulnerabilities. "While many security professionals understand software, few have hands-on hardware knowledge. Physical access to a device makes it harder for vendors to defend, creating a need for experts skilled in both areas," he said. This expertise is rare, making hardware security a highly valued and well-compensated field. According to Giese, companies increasingly seek experienced professionals with dual knowledge in hardware and cybersecurity.

For those interested in developing hardware security skills, Dennis suggests starting small. "Build a simple embedded device on a development board and control it via the internet. Begin with basic setups to understand device functionality, then shift to identifying vulnerabilities," he said.

Many cybersecurity professionals lack hands-on hardware experience, but a solid foundation in computer science and hardware is essential before adding cybersecurity expertise. "Cutting corners won't lead to true competence in hardware security," Giese said.


About the Author

Athira Nair


Writer

Nair is a senior content specialist and former journalist based in Amsterdam. Her topics of interest include businesses, private market investments, and technology.



