Fredrik Heiding
DOCTORAL STUDENT
About me
I am a Ph.D. candidate at the Division of Network and Systems Engineering at KTH, Sweden, with Pontus Johnson and Ulrik Franke as my primary supervisors. Between 2019 and 2022 I was supervised by Robert Lagerström, who later paused his research career at KTH to pursue a career at Google. My research focuses on cybersecurity, specifically on vulnerability assessments of critical societal functions, such as power plants, and of consumer technology, such as IoT devices.
Since September 2022, I have been located at the Harvard School of Engineering and Applied Sciences, Boston, USA, researching malware isolation. The study uses logical segregation to create a secure environment in which users can open potentially harmful files.
My previous research includes a penetration testing framework for IoT devices, a vulnerability assessment of connected households, and a vulnerability assessment of connected vehicles. In the connected-household assessment, 22 devices, such as smart refrigerators and vacuum cleaners, were tested, and 17 new CVEs were discovered across them, several of which received a critical ranking (9.8/10) in the National Vulnerability Database. The vulnerability assessment of connected vehicles yielded two new CVEs, CVE-2019-12941 and CVE-2019-12797. Both received a critical severity ranking and could, under the right conditions, allow an attacker to manipulate critical functions such as brakes, acceleration, and steering. The attack was automated with shell scripts and Rust to create malware that propagates to nearby vehicles.
Research has also been conducted to create an incentive-based platform for phishing awareness training. Interviews with organizations revealed dissatisfaction with current anti-phishing methodologies, for example due to their high cost or low impact. The study aims to create a user-centered platform for phishing awareness training based on the concrete input shared by the organizations.
A literature review on penetration testing has also been conducted, analyzing 537,629 articles from the Scopus database. A Python script was used to scrape the articles and extract relevant information, such as citation data, and the Louvain community detection algorithm was used to identify research communities within the area.
Hacking lab: I am responsible for the NSE hacking lab, an environment that facilitates penetration testing of a wide range of targets, including ICS devices, commercial IoT products, vehicular systems, social engineering, and much more. The lab contains sophisticated hacking tools and potentially vulnerable devices that can be used to test one's hacking skills, and it hosts more than 50 hacking theses annually. We are often contacted by organizations who want to give us a product to hack; if you are interested in contributing, please feel free to get in touch.
Selected published articles
- PatrIoT: practical and agile threat research for IoT
- Automating threat modeling using an ontology framework.
- Anomaly-based Intrusion Detection using Tree Augmented Naive Bayes.
- Securing IoT devices using Geographic and Continuous Login Blocking: A honeypot study.
- Ethical Principles for Designing Responsible Offensive Cybersecurity Training.
Other mentions and media coverage
- Received a visit from the Royal family and the King of Sweden, to whom I demonstrated how to hack a smartphone and an IP camera.
- Demonstrated how to hack a smartphone for the European Commissioner.
- Featured on national television (SVT Rapport) for hacking connected vehicles.
- Featured in the annual KTH commercial "pitch your research".
- Frequently give voluntary lectures to raise the cybersecurity awareness of elementary and high school students.
- Best research presentation award @ Energy Dialogue 2020.
- Best research presentation award @ Energy Dialogue 2021.
- Hosting the KTH Energy Platform in the NSE Hacking Lab.
Discovered vulnerabilities
CVE-2019-12942, TTLock devices do not properly block guest access in certain situations where the network connection to the cloud is unavailable.
CVE-2019-12943, TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.
CVE-2019-12941, AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allow an attacker to perform a brute-force or dictionary attack to gain access to the Wi-Fi network, which provides root access to the device. The default Wi-Fi password and the Wi-Fi SSID are derived from the same hash function output (the input is only 8 characters), which allows an attacker to deduce the Wi-Fi password from the SSID.
CVE-2019-12797, A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, allowing arbitrary commands to be sent to a vehicle's OBD-II bus.
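The design flaw behind CVE-2019-12941 is that a public value (the SSID) and a secret (the default passphrase) are two slices of one hash over a small input, so an attacker who can enumerate the input space maps every SSID to its passphrase in a single offline pass. The following is an added illustrative model, not the AutoPi firmware or its real derivation function (which this page does not describe beyond "same hash function output, 8-character input"): the hash, the slice offsets, the "AutoPi-" SSID label and the hex device-ID alphabet are all assumptions, and the ID is shortened to 4 characters so the demo runs instantly. The safe_derive variant shows the fix, an independent random passphrase.

```python
from __future__ import annotations

import hashlib
import itertools
import secrets
import string

# Demo assumptions (not from the advisory): the device ID is a short hex
# string, the SSID carries one slice of SHA-256(device_id) and the default
# passphrase another slice. The real input is "only 8 characters"; if those
# are hex digits that is 16**8 (about 4.3e9) candidates, a one-off offline
# job. The demo shrinks the ID to 4 hex characters so the table builds in
# well under a second.
ID_ALPHABET = string.digits + "abcdef"
ID_LEN = 4
SSID_PREFIX = "AutoPi-"  # assumed label for readability


def weak_derive(device_id: str) -> tuple[str, str]:
    """Vulnerable pattern: SSID and passphrase are two slices of ONE hash.
    Whoever can enumerate device IDs can map every SSID to its passphrase."""
    digest = hashlib.sha256(device_id.encode()).hexdigest()
    ssid = SSID_PREFIX + digest[:12]  # broadcast in beacon frames
    passphrase = digest[12:25]        # 13-char WPA2 passphrase, meant to stay secret
    return ssid, passphrase


def safe_derive(device_id: str) -> tuple[str, str]:
    """Fix: the SSID may still be derived from the device ID, but the
    passphrase is drawn from a CSPRNG at provisioning time and printed on the
    device label. Nothing public is a function of the secret."""
    ssid = SSID_PREFIX + hashlib.sha256(device_id.encode()).hexdigest()[:12]
    passphrase = secrets.token_urlsafe(16)
    return ssid, passphrase


def build_attack_table() -> dict[str, str]:
    """Attacker precomputation: hash every possible device ID once and key
    the result by the public SSID."""
    table: dict[str, str] = {}
    for chars in itertools.product(ID_ALPHABET, repeat=ID_LEN):
        ssid, passphrase = weak_derive("".join(chars))
        table[ssid] = passphrase
    return table


def recover_passphrase(observed_ssid: str, table: dict[str, str]) -> str | None:
    """Given nothing but a sniffed SSID, return the default passphrase (or None)."""
    return table.get(observed_ssid)


if __name__ == "__main__":
    table = build_attack_table()
    ssid, real_pw = weak_derive("3f9a")  # constructed device ID
    print("weak scheme:", ssid, "recovered:", recover_passphrase(ssid, table) == real_pw)
    ssid, real_pw = safe_derive("3f9a")
    print("safe scheme:", ssid, "recovered:", recover_passphrase(ssid, table) == real_pw)
```

The table lookup succeeds against weak_derive for every device because the SSID alone identifies the hash output; against safe_derive the same table still identifies the device, but the passphrase it returns is unrelated to the one the device actually uses.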
CVE-2020-12282, CSRF via the Busca parameter in the form used for searching for users, accessible via /index.php (this can be combined with reflected XSS).
CVE-2020-12837, Malicious file upload via the form for uploading images to garage doors; the file only needs to begin with the PNG magic bytes.
CVE-2020-12843, Malicious file upload via the form for uploading sounds to garage doors; the file only needs to begin with the WAV magic bytes.
CVE-2020-13119, Clickjacking vulnerability.
CVE-2020-12838, Privilege escalation by appending PHP code to /cron/mailAdmin.php.
CVE-2020-12839, Privilege escalation by appending PHP code to /cron/checkExpirationDate.php.
CVE-2020-12842, Privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php.
CVE-2020-12280, CSRF that allows remote attackers to open/close a specified garage door/gate via /isg/opendoor.php.
CVE-2020-12281, CSRF allowing remote attackers to create a new user via /index.php.
CVE-2020-12840, CSRF allowing remote attackers to upload sound files via /index.php.
CVE-2020-12841, CSRF allowing remote attackers to upload image files via /index.php.
CVE-2019-12821, A vulnerability was found in the app of a smart robot vacuum cleaner when adding a device to the account using a QR code. The QR code follows an easily predictable pattern that depends only on the device ID of the robot vacuum cleaner. Generating a QR code containing a device ID therefore makes it possible to connect to an arbitrary device and gain full access to it. The device ID consists of the prefix "JSW" followed by a six-digit number specific to the device.
CVE-2019-12820, Credentials are sent unencrypted (over HTTP) between server and device and can be intercepted.
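CVE-2020-12837 and CVE-2020-12843 above describe the classic upload filter that accepts any file starting with the right magic bytes, so a script with a PNG or RIFF header prepended passes. The code below is an added example, not the affected product's code (the page does not show it): it places that magic-only check beside structural validators that walk the PNG chunk list (verifying CRCs and rejecting bytes after IEND) and the RIFF/WAVE chunk list (requiring the size field to match the file), plus an acceptance routine that allow-lists extensions and assigns a server-chosen filename. The sample PNG, WAV and polyglot payloads are constructed inline.

```python
from __future__ import annotations

import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def magic_only_check(data: bytes, magic: bytes) -> bool:
    """The filter pattern described for CVE-2020-12837/-12843: accept any
    upload that merely starts with the right magic bytes."""
    return data.startswith(magic)


def is_wellformed_png(data: bytes) -> bool:
    """Structural check: walk every chunk, verify its CRC, require IHDR first
    and IEND last, and reject trailing bytes. A PNG signature glued onto a
    script fails at the first chunk; a script appended after IEND fails the
    trailing-bytes test."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 crc
        if end > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        pos = end
        if ctype == b"IEND":
            return pos == len(data)  # nothing may follow IEND
    return False


def is_wellformed_wav(data: bytes) -> bool:
    """RIFF/WAVE check: the header size field must equal len(data) - 8, a
    'fmt ' chunk must be present, and the chunk walk must land exactly on the
    end of the file. Anything appended breaks the size field."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return False
    (riff_size,) = struct.unpack("<I", data[4:8])
    if riff_size != len(data) - 8:
        return False
    pos, seen_fmt = 12, False
    while pos + 8 <= len(data):
        cid, clen = struct.unpack("<4sI", data[pos:pos + 8])
        pos += 8 + clen + (clen & 1)  # RIFF chunks are word-aligned
        if pos > len(data):
            return False
        seen_fmt = seen_fmt or cid == b"fmt "
    return seen_fmt and pos == len(data)


VALIDATORS = {"png": is_wellformed_png, "wav": is_wellformed_wav}


def accept_upload(client_filename: str, data: bytes) -> str | None:
    """Hardened acceptance: allow-listed extension, structural parse of the
    declared type, and a server-chosen filename (never the client's), so a
    '.php' name cannot survive. Returns the name to store under, or None.
    Store it outside the web root and serve it with a fixed Content-Type."""
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    validator = VALIDATORS.get(ext)
    if validator is None or not validator(data):
        return None
    return hashlib.sha256(data).hexdigest() + "." + ext


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG (valid)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def sample_wav() -> bytes:
    """Constructed 8-bit mono WAV holding two samples (valid)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt + b"data" + struct.pack("<I", 2) + b"\x80\x80"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed bypass payloads of the kind the advisories describe: a PHP
# snippet wearing a PNG signature, and one wearing a RIFF/WAVE header.
PNG_POLYGLOT = PNG_SIG + b"<?php echo 'not an image'; ?>"
WAV_POLYGLOT = b"RIFF\x00\x00\x00\x00WAVE" + b"<?php echo 'not a sound'; ?>"


if __name__ == "__main__":
    for name, data in (("png", PNG_POLYGLOT), ("wav", WAV_POLYGLOT)):
        print(name, "magic-only:", magic_only_check(data, data[:4]), "structural:", VALIDATORS[name](data))
    print(accept_upload("door.png", sample_png()), accept_upload("door.php", sample_png()))
```

The structural validators are deliberately strict about trailing data: a real image with a script appended after IEND, which also passes a magic-only filter, is rejected because the chunk walk does not end on the last byte. Re-encoding the upload server-side (for example through an image library) is a further hardening step that the check alone does not provide.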
Courses
Cybersecurity in a Socio-Technical Context (DD2510), teacher | Course web