
Fredrik Heiding


DOCTORAL STUDENT

Details

Address
TEKNIKRINGEN 33

About me

I am a Ph.D. candidate at the Division of Network and Systems Engineering at KTH, Sweden, with Pontus Johnson and Ulrik Franke as my primary supervisors. Between 2019 and 2022, I was supervised by Robert Lagerström, who later paused his research career at KTH to pursue a career at Google. My research focuses on cybersecurity, specifically on vulnerability assessments of critical societal functions, such as power plants, and consumer technology, such as IoT devices.

Since September 2022, I have been located at the Harvard School of Engineering and Applied Sciences, Boston, USA, to research malware isolation. The study uses logical segregation to create a secure environment where users can open potentially harmful files.

My previous research includes a penetration testing framework for IoT devices, a vulnerability assessment of connected households, and a vulnerability assessment of connected vehicles. When assessing the security of connected households, 22 devices, such as smart refrigerators and vacuum cleaners, were tested. 17 new CVEs were discovered across the 22 devices, several of which received a critical ranking (9.8/10) by the National Vulnerability Database. For the vulnerability assessment on connected vehicles, two new CVEs were discovered, CVE-2019-12941 and CVE-2019-12797. Both CVEs received a critical severity ranking and could, under the right conditions, let the hacker manipulate critical functions such as brakes, acceleration, and steering. The hack was automated using shell scripts and Rust to create malware that propagates to nearby vehicles.

Research has also been conducted to create an incentive-based platform for phishing awareness training. Interviews with organizations revealed dissatisfaction with current anti-phishing methodologies, for example, due to the high cost or low impact. The study aims to create a user-centered platform for phishing awareness training based on the concrete input shared by the organization.

A literature review on penetration testing has also been conducted, analyzing 537,629 articles from the Scopus database. A Python script was used to scrape the articles and extract relevant information, such as citation data. The Louvain community detection algorithm was used to create research communities within the area.

Hacking lab: I am responsible for the NSE hacking lab, an environment that facilitates penetration testing of a wide range of devices, including ICS devices, commercial IoT products, vehicular systems, social engineering, and much more. The lab contains sophisticated hacking tools and potentially vulnerable devices that can be used to test one's hacking skills. The lab hosts more than 50 hacking theses annually. We often get contacted by organizations who want to give us a product to hack; if you are interested in contributing, please feel free to .

Selected published articles

Other mentions and media coverage

Discovered vulnerabilities

CVE-2019-12942, TTLock devices do not properly block guest access in certain situations where the network connection to the cloud is unavailable.

CVE-2019-12943, TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.

CVE-2019-12941, AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allow an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID.

CVE-2019-12797, A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.

CVE-2020-12282, CSRF via the Busca parameter in the form used for searching for users, accessible via /index.php. (This can be combined with reflected XSS.)

CVE-2020-12837, Malicious file uploads via the form for uploading images to garage doors. The magic bytes of PNG must be used.

CVE-2020-12843, Malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used.
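The two upload entries above (CVE-2020-12837 and CVE-2020-12843) share one failure mode: the server only compared the first bytes of the upload against the PNG or WAV magic number, so any payload placed behind a copied header passed. The following is an added example, not code from the affected product or from the author, showing the difference between that weak check and a structural check that walks every PNG chunk, verifies each CRC, requires IHDR first and IEND last, and rejects trailing bytes. All function names and the sample files are hypothetical and constructed inline.

```python
"""Upload validation: why a magic-byte check alone is not enough (added example)."""
import secrets
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def has_png_magic(data: bytes) -> bool:
    """The weak check: only the 8-byte signature is compared."""
    return data.startswith(PNG_SIGNATURE)


def is_well_formed_png(data: bytes, max_pixels: int = 4_000_000) -> bool:
    """Strict check: parse the whole chunk stream, not just the header."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    expect_ihdr = True
    while True:
        if pos + 8 > len(data):
            return False  # ran out of bytes before an IEND chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        # Chunk type must be four ASCII letters and the chunk must fit in the file.
        if body_end + 4 > len(data) or not ctype.isalpha():
            return False
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False  # corrupted or fabricated chunk
        if expect_ihdr:
            if ctype != b"IHDR" or length != 13:
                return False
            width, height = struct.unpack(">II", body[:8])
            if width == 0 or height == 0 or width * height > max_pixels:
                return False  # decompression-bomb guard
            expect_ihdr = False
        elif ctype == b"IEND":
            # IEND must be empty and must be the very last bytes: no appended payload.
            return length == 0 and body_end + 4 == len(data)
        pos = body_end + 4


def accept_image_upload(data: bytes) -> Optional[str]:
    """Return a server-chosen storage name on success, None on rejection.

    The client-supplied filename is ignored entirely; the extension is fixed.
    """
    if not is_well_formed_png(data):
        return None
    return secrets.token_hex(16) + ".png"


def minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the valid sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


# Constructed samples: a real image, a header with junk behind it, and a real
# image with bytes appended after IEND.
GOOD_PNG = minimal_png()
MAGIC_ONLY = PNG_SIGNATURE + b"not an image, just bytes behind a PNG header"
TRAILING = GOOD_PNG + b"bytes appended after IEND"

if __name__ == "__main__":
    for name, sample in [("good", GOOD_PNG), ("magic-only", MAGIC_ONLY), ("trailing", TRAILING)]:
        print(f"{name:11s} magic={has_png_magic(sample)!s:5s} strict={is_well_formed_png(sample)}")
```

The structural check is a necessary layer, not a complete one: uploads should additionally be stored under a server-generated name, outside any directory the web server executes scripts from, and served with a fixed content type.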

CVE-2020-13119, Clickjacking vulnerability.

CVE-2020-12838, Privilege escalation by appending PHP code to /cron/mailAdmin.php.

CVE-2020-12839, Privilege escalation by appending PHP code to /cron/checkExpirationDate.php.

CVE-2020-12842, Privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php.

CVE-2020-12280, CSRF that allows remote attackers to open/close a specified garage door/gate via /isg/opendoor.php.

CVE-2020-12281, CSRF allowing remote attackers to create a new user via /index.php.

CVE-2020-12840, CSRF allowing remote attackers to upload sound files via /index.php.

CVE-2020-12841, CSRF allowing remote attackers to upload image files via /index.php.

CVE-2019-12821, A vulnerability was found in the app of a smart robot vacuum cleaner while adding a device to the account using a QR code. The QR code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. Generating a QR-code containing information about the device ID makes it possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six-digit number that depends on the specific device.

CVE-2019-12820, Exploiting unencrypted credentials (sent using HTTP) between server and device.

Courses

Cybersecurity in a Socio-Technical Context (DD2510), teacher | Course web