Chaos Computer Club - recent events feed (high quality)

Hacking the Aeotec Smart Hub: The little hub that could (WHY2025)



Pwn2Own Ireland added a new target in the smarthome category: the Aeotec Smart Hub. We assumed this target would be an easy win. However, getting the firmware of this device turned out to be a lot harder than anticipated. First, we had to modify the board to dump the encrypted flash. Then, we abused a secure boot flaw to get the decryption key. This process took so long, we had no time left to look for vulnerabilities, but our approach may be interesting for others looking at similar targets.
Usually extracting the firmware of an IoT device is easy. The firmware is often not encrypted on flash and debug interfaces such as UART are often exposed and left open. This was our assumption when we started investigating the Aeotec. However, we turned out to be very wrong in our assumptions.
The Aeotec firmware is actually encrypted on flash, with a key that is stored in OTP. Furthermore, all debug interfaces such as UART were closed down. This meant we needed to go to great lengths, first doing in-circuit dumping of the flash, then breaking the encryption configuration in order to get code execution on the APCPU.
Our goal was to do vulnerability research, but we ran out of time for that. By sharing our process, we hope to help others who are interested in this or other devices with a similar configuration.
Licensed to the public under https://creativecommons.org/licenses/by/4.0/
about this event: https://program.why2025.org/why2025/talk/DJKYA7/

By CCC media team