Breaking News: US online retail shops have delisted major Chinese brands at the direction of the FCC. One of the reasons given for their removal was the apparent vulnerabilities present in these devices.

This leads to some uncomfortable questions. I love asking these questions! Maybe I just like to stir the pot…

Should US manufacturers be held to the same standard?

What kinds of vulnerabilities in an IoT device should require delisting or a product recall?

In The News

Major US online retailers remove listings for millions of prohibited Chinese electronics

The follow brands have been among those pulled from online stores:

• Huawei

• Hikvision

• ZTE

• Dahua

It just so happens that I’ve been messing around with a Dahua camera in my livestreams and went ahead and made a dedcated video you can watch below.

Tools of the Trade

Free Enterprise IoT Pentesting Masterclass

Over the past week I’ve dropped one video per day! The now complete 7 part video series details the end-to-end process of conducting an IoT pentest on enterprise/commercial grade devices. All for FREE. Check it out below:

Return Value

This Saturday, I attending BSidesNoVA for the first time! I was super impressed by this conference.

For starters, it was only $50! Seriously, what conference can you attend for that price nowadays? The talks were really cool, multiple CTFs, and a happy hour all included.

Happy Hacking 👋 

Q4 is looming. The deep breath before the plunge. In the same way that we all procrastinated in school when that big assignment got closer, so to companies will be frantically lining up time for their annual pentests in the coming months. I get it! I just want to let people know that you can also do pentests in first 3/4th of the year. 😉 Crazy idea I know…

In The News

Hosting a WebSite on a Disposable Vape

I love the hardware hacking community! Bogdan Ionescu modified his Vape device with a ARM Cortex-M0+ to run a webserver.

Hackers Hijacked Google’s Gemini AI With a Poisoned Calendar Invite to Take Over a Smart Home

Well AI security has now hit home in the IoT world! We probably need to have a conversation about how much of this smart home tech we allow into our homes… no it will be fine!

Hackers Break into Virtual Dashcam Service

• I recently did some research on a Chinese police bodycam, so this story caught my eye. There is always a bigger possible impact when these public safety systems send their data to a central location and that data isn’t secured.

Tools of the Trade

NIST Finalizes ‘Lightweight Cryptography’ Standard to Protect Small Devices

NIST has unveiled a few new cryptographic algorithms specifically designed for lightweight embedded devices that lack computer resources for traditional algorithms. It will be interesting to see how the adoption of these methods goes.

Return Value

Let me cook! I may have been quiet lately, but there are big things on the horizon. October is going to be fun! I plan to do a bunch of livestreaming (be sure to subscribe to be notified). Also will drop a ton of content. stay tuned!

We’re back from DefCon! What a great time it was! Specifically the Embedded Systems Village was amazing. CTF was competitive. Demos were cool. Definitely check it out next yaer if you couldn’t make it.

DefCon ESV

In The News

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

US CISA has warned about a critical flaw, tracked as CVE-2025-1727, in the radio-based linking protocol between End-of-Train (EoT) and Head-of-Train (HoT) systems.

Getting a Shell on the LAU-G150-C Optical Network Terminal

Great writeup here by Spaceraccoon on getting a UART shell on a LAU-G150-C Optical Network Terminal. Also, if you haven’t you should definitely check out his new book.

Gigabyte motherboards vulnerable to UEFI malware bypassing Secure Boot

Vulnerabilities in Gigabyte motherboards could allow attackers with local or remote admin permissions to execute arbitrary code in System Management Mode and potentially bypass secure boot.

Tools of the Trade

Hashcat 7.0 Release

The hashcat we all love just did a major version release that packs a ton of new features. Check it out!

Bleak Python Library

This is my go to python library when I need to write custom BLE service interaction.

Return Value

Returning from DefCon is always an interesting experience. You leave the company of tons of super smart people with lots of ideas of things to learn and build. Time to LOCK IN.

Hacker summer camp is almost here! This is the time in August where security professionals and those meddlesome hackers descend on Las Vegas for a week of learning, fun and competition. Black Hat USA will be August 2-7 and Def Con 33 is August 7-10.

I personally will be hanging out in the Embedded Systems Village at Def Con featuring:

• a CTF with real IoT devices

• Self-guided labs

• Glitching workshop with HexTree

• Embedded programming with RPi

• Matter workshop with Cujo

Come by, say “Hi” and pick up some stickers 😁 

In The News

Iranian Hackers Breach US Water Facilities

IoT and critical Operational Technology (OT) continue to be plagued by devices with insecure default passwords. It’s 2025 and we haven’t solved this problem yet. What makes these matters worse is that in some legacy technology default credentials are not able to be changed, even if system operators desire to do so.

eSIM Bug in Millions of Phones Enables Spying, Takeover

Researcher Adam Gowdiak was able to “extract [the] private ECC key” contained within a Kigen eSIM chip. By performing this exploit an attacker could use the underlying keys to “receive text and calls meant for the victim”.

Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5

Reseachers from Synacktiv reverse engineered a Thermomix TM5 kitchen appliance resulting in the discovery that the secure boot process failed to properly verify the root filesystem.

Matt’s Take

This is an error I’ve seen on several devices out in the real world. If your secure boot process checks the bootloader and kernel being loaded and executed, but it fails to verify the root filesystem, what is it really protecting you against? Most attackers will be more than happy to have root access to a device without executing from kernel-space.

Tools of the Trade

BitChat

Twitter tweet

The release of BitChat, a BLE-based decentralized messaging app, developed by Twitter founder Jack Dorsey has been of interest to the security community in the past week.

BitChat is currently available to an limited-availability TestFlight group or via the Android app.

Talking Sasquach

If you are interested in hacking gadgets (like the Flipper Zero), 3D printing, etc. you should check out the Talking Sasquach YouTube channel. I’ve been down the Flipper Zero rabbit-hole lately so I’ve found that part of his content to be most helpful!

Return Value

As you may have noticed, I’ve been getting into writing modifications to my Flipper Zero. I’m currently am working on implementing BitChat as a flipper application and using that as an opportunities to research the security of the BitChat protocol.

Thanks for reading! And remember…

Welcome to the first post of the IoT Security Digest!

I have been overwhelmed with the number of signups I’ve received so far and am so grateful that you subscribed! I can’t wait to go on this journey with you of sharing my take on what’s going on in the world of IoT security.

The IoT security sector is filled with lots of news that can sometimes stoke fear that the world is falling. Sometimes it is… but as with so much in the media things can get overblown for clicks. I hope to use this newsletter to cut through the noise. That’s a great transition to the first news story…

In The News

TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert

Hot Take:

CISA has announced that they have added CVE-2023-33538 to their Known Exploited Vulnerabilities catalog. I decided it would be a cool vuln to do a video on! I purchased a TL-WR740N V1 which is stated to be vulnerable in the CVE database and the news article.

I could not reproduce this vuln for the life of me. CISA and CVE also fail to mention that this “vulnerability” is only exploitable remotely if remote management is enabled and the attacker knows the device password. These risk details are from my own manual analysis of the device’s web interface since no details are provided in the CVE. It’s possible that this CVE is completely invalid or that it doesn’t actually apply to the WR740N V1 device.

This is not the first time that CISA has over-hyped an announcement like this.

Security Advisory: Airoha-based Bluetooth Headphones and Earbuds

A vulnerability in bluetooth headphones that use the Airoha Systems on a Chip (SoC) was discovered by researchers Frieder Steinmetz and Dennis Heinze and presented at the Troopers 2025 conference. The vulnerabilities discovered allows an attacker within bluetooth range to eavesdrop on audio, extract the connected device’s phone number and contacts and completely control over the headphone’s memory.

Insights from Matt

The post states that the vulnerable devices used “reference implementations using Airoha’s Software Development Kit (SDK)”.

In plain English, this means that headphone developers from Bose, Sony, JBL, and others used example code provided by Airoha in their final product. The feature that they left in their production devices was meant for remote debugging. It’s a security flaw as old as they come where features that were meant for development and debugging are left in production code leaving a system vulnerable.

Tools of the Trade

Here are some cool tools and educational resources that are either new or new to me. I’ve been on an RF story arc lately 😉 Keep an eye out here in the future for some trainings that are in the works…

• CRC RevEng

  • This is a tool recently introduced to me that I used to reverse engineer the CRC checksum in an RF protocol.

• Universal Radio Hacker

  • A great tool for performing demodulation, decoding and packet reverse engineering of data captured by a software defined radio (SDR).

• SDR++

  • Another RF tool! This is a simple to use SDR receiver program that lets search across a frequency range for various signals

Return Value

Given that I’m on an RF learning arc, I figured diving into custom radio transmissions using the Flipper Zero would be a good skill to work on. My end goal is to develop a custom app to interact with the dog shock collar I’ve been reverse engineering.

• subghz docs

• custom app development

Thanks for reading! And remember…