Fredrik Heiding

Fredrik Heiding is pursuing a Ph.D. in electrical engineering from the Division of Network and Systems Engineering (NSE). Since 2022, he is based in Cambridge, US, as a research fellow at Harvard John A. Paulson School of Engineering and Applied Sciences (SEAS). Fredrik's research interests include AI-enabled cyberattacks, red teaming, phishing, cybersecurity policies, and the economics of cybersecurity.

Fredrik is working with the World Economic Forum's Cybercrime Center to facilitate cyber-related information sharing across various industries, help with industry-specific information on implementing AI-enhanced cybersecurity, and highlight success cases from various industries and sectors.

In 2023, Fredrik presented his work on AI-enabled spear phishing at Black Hat US and Defcon, together with Bruce Schneier and Arun Vishwanath. In 2022, Fredrik got media attention for hacking the King of Sweden and the Swedish European Commissioner.  Fredrik's research has contributed to discovering more than 30 new CVEs (see selected highlights below). He is also researching national cybersecurity strategies and structural modeling of how the cybersecurity market (particularly phishing) is affected by different AI regulation scenarios (fully regulated, regulated with exceptions, and not regulated).

See Google Scholar for an updated list of my research publications.

Selected discovered vulnerabilities

CVE-2019-12942, TTLock devices do not properly block guest access in certain situations where the network connection to the cloud is unavailable.

CVE-2019-12943, TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.

CVE-2019-12941,AutoPi Wi-Fi/NB, and 4G/LTE devices before 2019-10-15 allow an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID.

CVE-2019-12797,A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.

CVE-2020-12282,CSRF via the Busca parameter in the form used for searching for users, accessible via /index.php. (This can be combined with reflected XSS.)

CVE-2020-12837,Malicious file uploads via the form for uploading images to garage doors. The magic bytes of PNG must be used.

CVE-2020-12843,Malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used.

CVE-2020-13119, Clickjacking vulnerability.

CVE-2020-12838,Privilege escalation by appending PHP code to /cron/mailAdmin.php.

CVE-2020-12839,privilege escalation by appending PHP code to /cron/checkExpirationDate.php.

CVE-2020-12842,privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php.

CVE-2020-12280,CSRF that allows remote attackers to open/close a specified garage door/gate via /isg/opendoor.php.

CVE-2020-12281,CSRF allowing remote attackers to create a new user via /index.php.

CVE-2020-12840,CSRF allowing remote attackers to upload sound files via /index.php

CVE-2020-12841,CSRF allowing remote attackers to upload image files via /index.php

CVE-2019-12821,A vulnerability was found in the app of a smart robot vacuum cleaner while adding a device to the account using a QR code. The QR code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. Generating a QR-code containing information about the device ID makes it possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six-digit number that depends on the specific device.

CVE-2019-12820,Exploiting unencrypted credentials (sent using HTTP) between server and device.