DeepSec 2025 Talk: Hacking Furbo: A Pet Project – Julian B., Calvin S.

Sanna / October 22, 2025 / Conference

Embarking on our first hardware hacking project, we came across the `Furbo` treat dispensing smart-camera for pets. This device had previous security research completed; however, years had passed without further analysis. With a few devices in tow, we pulled them apart and got to hacking. Over the course of 3 months of research, we identified vulnerabilities in the mobile application, in the Bluetooth communications, and on the device. This talk will showcase our journey to destroy pet-surveillance devices, our struggles with defeating the firmware encryption, more than a few vulnerabilities found along the way, and we will show you how we got it to play Darude Sandstorm!

We asked Julian and Calvin a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  1. This was our first ever hardware hacking project and we have no formal electronics experience
  2. This was also our first time ever working with BLE and BLE Hacking
  3. The scope of this project involved many vectors including: UART, Chip-Off, Firmware Modification, Reverse Engineering, Mobile and Web Analysis, BLE
  4. We were able to bypass the subscription model put in place by the manufacturer, enabling unlimited features at no cost
  5. We found just under 40 vulnerabilities and registered 17 CVEs from this research

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We wanted to attempt a hardware hacking project as we had seen many talks and presentations about hardware hacking research previously. It has always been something that interested us, and we thought with our combined skill sets we would have what was needed to take on this research project. IoT is only growing, and device security is not something consumers always think about. We wanted to see what we could learn and also try to find out if security is getting better in the IoT space.

Why do you think this is an important topic?

IoT is everywhere, and general consumers don’t always think about the dangers of installing devices in their homes. We believe IoT can be designed securely, but there are so many factors that play into a secure design that things are usually missed, which leaves devices and their consumers vulnerable. The goal of this research was to bring attention to vulnerable design practices and provide others with the knowledge to find them and report them responsibly.

Is there something you want everybody to know – some good advice for our readers maybe?

Hardware hacking can often seem like a daunting or challenging task. Many people think it requires expensive equipment and years of electronics experience to approach this type of research. This is not the case, and I think we proved that with this research being our first ever hardware hacking project. We have no formal electronics experience and were entirely self-taught by using other people’s research and talks that are available online. Anyone can do this, and with how many IoT devices are released every year, I think we need more people taking a look at them in order to make sure we have secure devices that we can trust.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Hardware hacking is becoming more accessible to everyone because of the wealth of knowledge being shared online. Device security is also getting better, and we noticed really great improvements compared to the security that was in place in 2021 for these devices. That being said, certain manufacturers are also going to greater lengths to make research harder by restricting access to documentation and designing products in a way that makes them hard to interact with. Security by obscurity is not a good approach, and it is unfortunate that this is still a method some companies use to claim they are secure. We are also worried about Right to Repair laws and how consumers are losing more and more rights by the day, which could prevent research like this from occurring without legal risks.

Penetration tester by day, Julian identifies vulnerabilities to exploit for a wide range of clients. An OSINT enthusiast by night, Julian follows emerging threats to the Western world.

Calvin is a Security Researcher at jTag Labs Ltd and a full-time Systems Administrator by day. With a passion for security that extends into his off-hours, Calvin applies his deep knowledge of systems architecture and administration to uncover vulnerabilities in real-world software and infrastructure. His past research includes multiple disclosures, such as the Roomcast vulnerabilities (CVE-2023-33742 through CVE-2023-33745) and a series of flaws in Caterease (CVE-2024-38881 through CVE-2024-38891). Calvin’s approach bridges practical IT operations and offensive security, helping make systems more secure through responsible disclosure and hands-on research.