Skip to main content
To KTH's start page To KTH's start page

Ethical Hacking

In this project we do ethical hacking (penetration testing / white hat hacking) of various devices and systems.

Additional information

More information about the Ethical hacking lab can be found here .

Vulnerabilities published

CVE-2023-42143  - Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. The device is updated with the manipulated firmware. Student: Adam Lindberg, Supervisor: Emre Süren, Examiner: Pontus Johnson

CVE-2023-42144  - Cleartext Transmission in Shelly Shelly TRV 20220811-15234 v.2.1.8 allows a local attacker to obtain the Wi-Fi password. Student: Adam Lindberg, Supervisor: Emre Süren, Examiner: Pontus Johnson

CVE-2023-46892  - The radio frequency communication protocol being used by Meross MSH30Q 4.5.23 is vulnerable to replay attacks, allowing attackers to record and replay previously captured communication to execute unauthorized commands or actions (e.g., thermostat's temperature). Student: Adam Lindberg, Supervisor: Emre Süren, Examiner: Pontus Johnson

CVE-2023-46889  - Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it. Student: Adam Lindberg, Supervisor: Emre Süren, Examiner: Pontus Johnson

CVE-2022-34138  - In the Biltema IP and Baby Camera with Software v124, the use of insecure direct object references (IDOR) in the web server allows attackers to access sensitive information by not properly authenticating the credentials when accessing a protected resource. Students: Tova Stroeven & Felix Soderman, Supervisor: Pontus Johnson, Examiner: Anita Kullen

CVE-2022-35860  - Missing AES encryption in Corsair K63 Wireless 3.1.3 allows physically proximate attackers to inject and sniff keystrokes via 2.4 GHz radio transmissions. Students: Niklas Tomsic, Supervisors: Roberto Guanciale & Johan von Konow, Examiner: Gerald Quentin Maguire Jr. 

CVE-2021-34086  - In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests. Students: Linus Backlund & Linnéa Ridderström, Supervisor: Pontus Johnson, Examiner: Anita Kullen.

CVE-2021-34087  - In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver can be used for clickjacking. This includes the settings page. Students: Linus Backlund & Linnéa Ridderström, Supervisor: Pontus Johnson, Examiner: Anita Kullen.

CVE-2021-22263  - An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects. Students: John Augustsson & Johan Carlsson, Supervisor: Pontus Johnson, Examiner: Mathias Ekstedt.

CVE-2021-22228  - An issue has been discovered in GitLab affecting all versions. Improper access control allows unauthorised users to access project details using Graphql. Students: John Augustsson & Johan Carlsson, Supervisor: Pontus Johnson, Examiner: Mathias Ekstedt.

CVE-2021-39866  - A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. Students: John Augustsson & Johan Carlsson, Supervisor: Pontus Johnson, Examiner: Mathias Ekstedt.

CVE-2021-37147  - Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. LF line ending forwarded. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-37148  - Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests, "chunked" is chunked and Bad chunked body parsing. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-37149  - Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests, multiple issues. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-22959  The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-22960  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-34594  - Relative path traversal vulnerability through TwinCAT OPC UA Server, Beckoff Security Advisory , Johannes Olegård, Emre Süren, and Robert Lagerström.  

CVE-2021-41504 - An Elevated Privilege issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of the digest-authentication for the devices command interface may allow further attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. Students: Hristo Georgiev & Azad Mustafa, Supervisor: Pontus Johnson, Examiner: Mathias Ekstedt.

CVE-2021-41503  - DCS-5000L v1.05 and DCS-932L v2.17 and older are affecged by Incorrect Acess Control. The use of the basic authentication for the devices command interface allows attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. Students: Hristo Georgiev & Azad Mustafa, Supervisor: Pontus Johnson, Examiner: Mathias Ekstedt.

CVE-2021-41136  - Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-38512  - An issue was discovered in the actix-http crate before 3.0.0-beta.9 for Rust. HTTP/1 request smuggling (aka HRS) can occur, potentially leading to credential disclosure. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-37555  - TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser. Student: Julia Lokrantz, Supervisor: Pontus Johnson, Examiner: Ibrahim Orhan.

CVE-2021-33197 - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-33039  - Reserved.

CVE-2021-32715  - hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-32714  - hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. Students: Asta Olofsson & Mattias Grenfeldt, Supervisor: Robert Lagerström, Examiner: Pawel Herman.

CVE-2021-32471  - Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. Pontus Johnson. With proof-of-concept code from Compsci boffin .

CVE-2020-28396  - a Protection Mechanism Failure was found in Siemens SICAM A8000 Remote Terminal Unit Series. Student: Sam Hamra, Supervisor: Mathias Ekstedt, Examiner: Pontus Johnson.

CVE-2020-15019  - Reserved.

CVE-2020-13119  - ismartgate PRO 1.5.9 is vulnerable to clickjacking. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12843  - ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12842  - ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12841  - ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload imae files via /index.php Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12840  - ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload sound files via /index.php Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12839  - ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/checkExpirationDate.php. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12838  - ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/mailAdmin.php. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12837  - ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading images to garage doors. The magic bytes of PNG must be used. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12282  - iSmartgate PRO 1.5.9 is vulnerable to CSRF via the busca parameter in the form used for searching for users, accessible via /index.php. (This can be combined with reflected XSS.) Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12281 - iSmartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to create a new user via /index.php. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.
CVE-2020-12280  - iSmartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to open/close a specified garage door/gate via /isg/opendoor.php. Student: Madeleine Berner, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2020-15781  - XSS in Siemens SICAM A8000 RTUs. Student: Emma Good, Supervisor: Pontus Johnson, Examiner: Mathias Ekstedt

CVE-2019-12941  - AutoPi Wi-Fi/NB and 4G/LTE devices allows an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. Students: Aldin Burdzovic and Jonathan Matsson, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2019-12944  - Glue Smart Lock 2.7.8 devices do not properly block guest access in certain situations where the network connection is unavailable. Student: Arvid Viderberg, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2019-12943  - Insecure permission, password reset function, in TTLock Open Platform. Student: Arvid Viderberg, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2019-12942  - Insecure permission, account revocation mechanism, in TTLock Open Platform. Student: Arvid Viderberg, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2019-12821  - Vulnerability in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, while adding a device to the account using a QR-code. Students: Theodor Olsson and Albin Larsson Forsberg, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2019-12820  - Vulnerability in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, possible MiTM attack on http. Students: Theodor Olsson and Albin Larsson Forsberg, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2019-12797  - Vulnerability in a clone version of an ELM327 OBD2 Bluetooth device, hardcoded PIN leading to arbitrary commands to an OBD-II bus of a vehicle. Students: Ludvig Christensen and Daniel Dannberg, Supervisor: Pontus Johnson, Examiner: Robert Lagerström.

CVE-2018-3786  - A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument. Pontus Johnson

Reports

[1]
F. Heiding et al., "Penetration testing of connected households," Computers & security (Print), vol. 126, 2023.
[2]
E. Süren et al., "PatrIoT : practical and agile threat research for IoT," International Journal of Information Security, vol. 22, no. 1, pp. 213-233, 2023.
[3]
F. Heiding, S. Katsikeas and R. Lagerström, "Research communities in cyber security vulnerability assessments : A comprehensive literature review," Computer Science Review, vol. 48, 2023.
[4]
J. Henning, "Pentesting on a WiFi Adapter : Afirmware and driver security analysis of a WiFi Adapter, with a subset of WiFi pentesting," , 2023.
[5]
A. Pétursson, "Ethical Hacking of a Ring Doorbell," , 2023.
[6]
O. Antal, "A cybersecurity audit of the Garmin Venu," , 2023.
[7]
S. Liu, "Penetration testing of Sesame Smart door lock," , 2023.
[8]
Y. Tian, "Are Children Safe with Smart Watches? : Security Analysis and Ethical Hacking on Children’s Smart Watches," , 2023.
[9]
N. Vatn, "Underneath the Surface : Threat modeling and penetration testing of a submarine robot," , 2023.
[10]
A. Lindberg, "Penetration testing of current smart thermostats : Threat modeling and security evaluation of Shelly TRV and Meross Smart Thermostat," , 2023.
[11]
Y. Wang, "An Attribution Method for Alerts in an Educational Cyber Range based on Graph Database," , 2023.
[12]
S. Feller, "A study of Oracle Cloud Infrastructure : Demonstration of the vulnerability or reliability of certain services through penetration attacks," , 2023.
[13]
H. Stenhav, "Security evaluation of the Matrix Server-Server API," , 2023.
[14]
E. Rencelj Ling et al., "Securing Communication and Identifying Threats in RTUs : A Vulnerability Analysis," in ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022.
[15]
L. Manfredh, "Assessing the security of a Garmin Smartwatch through Ethical hacking," , 2022.
[16]
J. Ingers and J. Sjöblom, "IoT Penetration Testing : Examining the cyber security of connected vehicles," , 2022.
[17]
H. Mellin, "Determining whether the Hövding bicycle airbag is secure against cyber attacks," , 2022.
[18]
T. Stroeven and F. Söderman, "Cybersecurity Evaluation of an IP Camera," , 2022.
[19]
F. Huang, "Ethical hacking of Sennheiser smart headphones," , 2022.
[20]
A. Winkelmann, "Unauthorized Smart Lock Access : Ethical Hacking of Smart Lock Systems," , 2022.
[21]
X. Liu, "Ethical Hacking of a Smart Video Doorbell," , 2021.
[22]
D. Isabar, "Threat Modeling and Penetration Testing of a Yanzi IoT-system : A Survey on the Security of the system’s RF communication," , 2021.
[23]
N. Hjärne and I. Kols, "IoT Security Assessment of a Home Security Camera," , 2021.
[24]
N. Hellesnes, "Ethical Hacking of an IoT camera," , 2021.
[25]
L. Backlund and L. Ridderström, "Hacking and Evaluating the Cybersecurity of an Internet Connected 3D Printer," , 2021.
[26]
A. Palm and B. Gafvelin, "Ethical Hacking of Android Auto in the Context of Road Safety," , 2021.
[27]
R. Baran and C. Lindén, "Etisk hackning : Säkerheten i en nätbutik," , 2021.
[28]
E. Dzidic and B. Jansson Mbonyimana, "Penetration Testinga Saia Unit : A Control System for Water, Ventilation, and Heating in Smart Buildings," , 2021.
[29]
A. Altin and V. Nicolaou, "Race Conditions in Web Applications," , 2021.
[30]
G. Rubbestad and W. Söderqvist, "Hacking a Wi-Fi based drone," , 2021.
[31]
J. Lokrantz, "Etisk hackning av en smart foderautomat," , 2021.
[32]
R. Achkoudir and Z. Alsaadi, "Ethical Hacking of a Smart Plug," , 2021.
[33]
R. A. Y. Malkhasian, "Ethical hacking of Danalock V3 : A cyber security analysis of a consumer IoT device," , 2021.
[34]
R. Salih, "Adagio For The Internet Of Things : IoT penetration testing and security analysis of a smart plug," , 2021.
[35]
J. Karlsson Malik, "Ethical hacking of Garmin’s sports watch," , 2021.
[36]
H. Georgiev and A. Mustafa, "Hacking commercial IP cameras : Home Surveillance," , 2021.
[37]
J. Larsson, "Are modern smart cameras vulnerable to yesterday’s vulnerabilities? : A security evaluation of a smart home camera," , 2021.
[38]
J. Feng and J. Tornert, "Denial-of-service attacks against the Parrot ANAFI drone," , 2021.
[39]
S. Veijalainen and T. Noreng Karlsson, "Evaluating the security of a smart door lock system," , 2021.
[40]
S. Skoog and G. Malki, "Penetrationstestning av IoT-produkter : Etisk hackning av en smart kamera," , 2021.
[41]
J. Augustsson and J. Carlsson, "Clean Code : Investigating Data Integrity and Non-Repudiation in the DevOps Platform GitLab," , 2021.
[42]
M. Florez Cardenas and G. Acar, "Ethical Hacking of a Smart Fridge : Evaluating the cybersecurity of an IoT device through gray box hacking," , 2021.
[43]
J. Öberg, "Can a robot’s confidentiality be trusted?," , 2021.
[44]
A. Lindeberg, "Hacking Into Someone’s Home using Radio Waves : Ethical Hacking of Securitas’ Alarm System," , 2021.
[45]
F. Heiding and R. Lagerström, "Ethical Principles for Designing Responsible Offensive Cyber Security Training," in Privacy and Identity 2020, 2020, pp. 21-39.
[46]
N. Kakouros, P. Johnson and R. Lagerström, "Detecting plagiarism in penetration testing education," in Nordsec 2020, The 25th Nordic Conference on Secure IT Systems, November 23-24, Online, 2020.
[47]
L.-E. Hamid and S. Möller, "How Secure is Verisure’s Alarm System?," , 2020.
[48]
B. Ceylan, "Evaluating APS Ecosystem Security : Novel IoT Enabled Medical Platform for Diabetes Patients," , 2020.
[49]
R. Hassani, "Security evaluation of a smart lock system," , 2020.
[50]
M. Khorsravi Joashaghani, "Enhanced password recovery through user profiling : Improving password guessing accuracy by utilizing user metadata," , 2020.