MCH2022

The smart home I didn't ask for
2022-07-23, 23:20–23:50, Battery 🔋

What happens when your home is “smart” before you even move in? More and more buildings are pre-installing smart devices that tenants didn’t ask for and may not want. These devices focus on comfort and convenience, an excellent focus as long as security is also considered. Given the deep integration these devices have, a vulnerable system could lead to devastating consequences like the loss of privacy and even unauthorized access. As a security researcher, these were my thoughts when I saw the tablet mounted on the wall of my new apartment.

In a short period, I discovered multiple vulnerabilities in the system. A concern for sure, considering the system allows for remote access and has integration with services in my apartment and the building. This talk will cover my path, my process, and coverage of the vulnerabilities I discovered.


The smart home system is based on a wall-mounted Android tablet, and is installed in thousands of properties throughout Europe. It allows for controlling lights, heating, motorized blinds, opening a building's main entrance door among other things.

The talk will contain the following contents:

  • Introduction
  • Presentation of the smart home system
  • Methodology
  • How did I evaluate its security
  • Findings
  • Description of vulnerabilities found
  • Impacts and countermeasures
  • Disclosure timeline
  • Interactions with vendor
  • Raise awareness
  • Conclusion

Nils is a Senior Security Engineer on Kudelski Security’s research team performing research on various topics including privacy, authentication, big data analytics, and internet scanning. He also writes blog posts on various topics for Kudelski’s research blog. Nils likes open source software and has presented his research at DEF CON and Black Hat Arsenal. He was part of creating a massively distributed system for breaking RSA public keys.