IoT Security Digest - #2
Defcon approaches, BitChat release, Nation-states love weak passwords and more!
Hacker summer camp is almost here! This is the time in August where security professionals and those meddlesome hackers descend on Las Vegas for a week of learning, fun and competition. Black Hat USA will be August 2-7 and Def Con 33 is August 7-10.
I personally will be hanging out in the Embedded Systems Village at Def Con featuring:
a CTF with real IoT devices
Self-guided labs
Glitching workshop with HexTree
Embedded programming with RPi
Matter workshop with Cujo
Come by, say “Hi” and pick up some stickers.
In The News
What made this attack noteworthy wasn't its scale, but how easily the hackers gained access - by simply using the manufacturer's default password "1111."
IoT and critical Operational Technology (OT) continue to be plagued by devices with insecure default passwords. It's 2025 and we haven't solved this problem yet. What makes matters worse is that in some legacy technology the default credentials cannot be changed, even if system operators want to change them.
Researcher Adam Gowdiak was able to “extract [the] private ECC key” contained within a Kigen eSIM chip. By performing this exploit an attacker could use the underlying keys to “receive text and calls meant for the victim”.
Researchers from Synacktiv reverse engineered a Thermomix TM5 kitchen appliance, resulting in the discovery that the secure boot process failed to properly verify the root filesystem.
Matt's Take
This is an error I've seen on several devices out in the real world. If your secure boot process checks the bootloader and kernel being loaded and executed, but it fails to verify the root filesystem, what is it really protecting you against? Most attackers will be more than happy to have root access to a device without executing from kernel-space.
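The gap described above, modelled as an added example (not code from the research or from any vendor): a boot manifest records a measurement per stage, and the verifier is run once checking only the bootloader and kernel and once with the chain extended to the root filesystem. The HMAC key standing in for a vendor signature, the stage names, the block-level hash tree and the sample images are all assumptions constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 4096
# Assumption: an HMAC key stands in for the vendor signature; a real device
# verifies an asymmetric signature against a public key anchored in ROM/fuses.
KEY = b"constructed-demo-key"
FLAWED = ("bootloader", "kernel")           # what the flawed chain measures
FULL = ("bootloader", "kernel", "rootfs")   # chain extended to the rootfs

def digest(data):
    return hashlib.sha256(data).digest()

def rootfs_root_hash(image):
    """Hash tree over fixed-size blocks; one root value covers the whole image."""
    level = [digest(image[i:i + BLOCK]) for i in range(0, max(len(image), 1), BLOCK)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # pad odd levels by repeating the last node
        level = [digest(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def measure(name, image):
    return rootfs_root_hash(image) if name == "rootfs" else digest(image)

def _tag(stages):
    body = b"".join(n.encode() + b"=" + h for n, h in sorted(stages.items()))
    return hmac.new(KEY, body, "sha256").digest()

def sign_manifest(images):
    """Build side: measure every image and authenticate the set of measurements."""
    stages = {n: measure(n, img) for n, img in images.items()}
    return {"stages": stages, "tag": _tag(stages)}

def verify_boot(manifest, images, checked):
    """Boot side: True only if the manifest is authentic and every stage in
    `checked` matches its recorded measurement."""
    if not hmac.compare_digest(manifest["tag"], _tag(manifest["stages"])):
        return False
    return all(
        hmac.compare_digest(manifest["stages"].get(n, b""), measure(n, images[n]))
        for n in checked
    )

# Constructed sample images: the tampered set differs only in the rootfs.
GOOD = {"bootloader": b"BL" * 64, "kernel": b"KRN" * 512,
        "rootfs": b"\x00" * (3 * BLOCK) + b"init"}
TAMPERED = dict(GOOD, rootfs=GOOD["rootfs"][:-4] + b"XXXX")
MANIFEST = sign_manifest(GOOD)
```

`verify_boot(MANIFEST, TAMPERED, FLAWED)` returns True because the modified root filesystem is never measured, while the same call with `FULL` returns False.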
Tools of the Trade
BitChat
my weekend project to learn about bluetooth mesh networks, relays and store and forward models, message encryption models, and a few other things.
bitchat: bluetooth mesh chat...IRC vibes.
TestFlight: testflight.apple.com/join/QwkyFq6z
GitHub: github.com/jackjackbits/b…
- jack (@jack)
10:35 PM • Jul 6, 2025
The release of BitChat, a BLE-based decentralized messaging app developed by Twitter founder Jack Dorsey, has been of interest to the security community in the past week.
BitChat is currently available to a limited-availability TestFlight group or via the Android app.
Talking Sasquach
If you are interested in hacking gadgets (like the Flipper Zero), 3D printing, etc. you should check out the Talking Sasquach YouTube channel. I've been down the Flipper Zero rabbit-hole lately so I've found that part of his content to be most helpful!
Return Value
As you may have noticed, I've been getting into writing modifications to my Flipper Zero. I'm currently working on implementing BitChat as a Flipper application and using that as an opportunity to research the security of the BitChat protocol.
Thanks for reading! And remember…
You can just Reverse things.