DeepSec 2023 Talk: I Just Wanted to Learn the Water Temperature… – Imre Rad
The story started as a hobby project: I was about to retrieve the current temperature of a non-smart water heater in my apartment. To not void the warranty, I was looking for a non-intrusive solution that purely relies on off-the-shelf smart home gadgets only. Understanding the undocumented APIs of these IoT devices required reverse engineering the corresponding official mobile applications and eavesdropping on the network communication between them and the cloud management services. Researching this uncovered design flaws in the pairing protocol and vulnerabilities in the implementation that allowed attackers to steal victim sessions and to impersonate these devices for a lifetime.

We asked Imre a few more questions about his talk.

Please tell us the top 5 facts about your talk.

Recognizing digits on a still picture is far from easy (regardless of the