Fredrik Heiding

DOCTORAL STUDENT

Details

Address
TEKNIKRINGEN 33

About me

Fredrik Heiding is a research fellow at Harvard John A. Paulson School of Engineering and Applied Sciences (SEAS), and is pursuing a Ph.D. in electrical engineering from the Division of Network and Systems Engineering at KTH. His research interests include usable security & privacy, cybersecurity policies, technical fraud & deception, ethical hacking, disinformation, and the economics of information security.

At Harvard, Fredrik is currently working with Bruce Schneier to investigate how cyberattacks can be automated using Large Language Models. He will present their latest work (“Devising and Detecting Phishing: Large Language Models (GPT3, GPT4) vs. Smaller Human Models (V-Triad, Generic Emails)”) at Black Hat US in August 2023. He is also analyzing Darknet marketplaces to find malware targeting the 100 most common IoT devices from US smart cities.

In 2022, Fredrik got media attention for hacking the King of Sweden and the Swedish European Commissioner. The hacks were conducted with the NSE Hacking Lab and, of course, done after consent had been given. Fredrik has been part of creating and improving the NSE Hacking Lab since 2019. He also recently published three articles on ethical hacking. In the first study, 537,629 articles on ethical hacking were scraped from the Scopus database; the analysis identified 16 research communities and produced findings such as that 4 out of 5 of the most cited universities were located in China. Subsequently, Fredrik created a penetration testing framework for IoT and later applied the framework to test the security of 22 smart devices commonly found in connected households. Across the 22 tested devices, 17 CVEs were discovered, some of which were ranked critical by the National Vulnerability Database. The vulnerabilities included persistent backdoors (hidden information channels that leak the data collected by the device) and poor security protocols (making it easy to access the device without authentication).

Supervisors at KTH:

Ulrik Franke (2022 - present)

Pontus Johnson (2022 - present)

Robert Lagerström (2019 - 2022, who paused his research to join Google's Cloud Security department).

Hacking lab: I am responsible for the NSE hacking lab, an environment that facilitates penetration testing of a wide range of devices, including ICS devices, commercial IoT products, vehicular systems, social engineering, and much more. The lab contains sophisticated hacking tools and potentially vulnerable devices that can be used to test one's hacking skills. The lab hosts more than 50 hacking theses annually. We often get contacted by organizations who want to give us a product to hack. If you are interested in contributing, please feel free to .

Selected published articles

See Google Scholar for an updated list.

Other mentions and media coverage

Discovered vulnerabilities

CVE-2019-12942, TTLock devices do not properly block guest access in certain situations where the network connection to the cloud is unavailable.

CVE-2019-12943, TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.

CVE-2019-12941, AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allow an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID.

CVE-2019-12797, A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.

CVE-2020-12282, CSRF via the Busca parameter in the form used for searching for users, accessible via /index.php. (This can be combined with reflected XSS.)

CVE-2020-12837, Malicious file uploads via the form for uploading images to garage doors. The magic bytes of PNG must be used.

CVE-2020-12843, Malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used.

CVE-2020-13119, Clickjacking vulnerability.

CVE-2020-12838, Privilege escalation by appending PHP code to /cron/mailAdmin.php.

CVE-2020-12839, Privilege escalation by appending PHP code to /cron/checkExpirationDate.php.

CVE-2020-12842, Privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php.

CVE-2020-12280, CSRF that allows remote attackers to open/close a specified garage door/gate via /isg/opendoor.php.

CVE-2020-12281, CSRF allowing remote attackers to create a new user via /index.php.

CVE-2020-12840, CSRF allowing remote attackers to upload sound files via /index.php.

CVE-2020-12841, CSRF allowing remote attackers to upload image files via /index.php.

CVE-2019-12821, A vulnerability was found in the app of a smart robot vacuum cleaner while adding a device to the account using a QR code. The QR code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. Generating a QR code containing information about the device ID makes it possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six-digit number that depends on the specific device.

CVE-2019-12820, Exploiting unencrypted credentials (sent using HTTP) between server and device.

Courses

Cybersecurity in a Socio-Technical Context (DD2510), teacher | Course web