Engineer Dennis Giese on Hacking Robot Vacuum Cleaners and Running Hackathons
Dennis Giese, a security researcher and engineer, built his first computer at around age 8 using spare parts. Years later, he hacked his first robot vacuum cleaner. Giese recently reflected on his journey as a researcher and ethical hacker during HardPwn, a hardware hackathon hosted by Hardwear.io in Amsterdam.
That early fascination with hardware drove him to work with around 70 robots over the
years. “I didn’t know much then, but through trial and error, I figured it out and gained a lot
of foundational knowledge,” Giese said.
A regular speaker at security-related events, Giese is now a prominent figure in hardware
security. For the past three years, he has volunteered at HardPwn.
“There aren’t many hardware hackathons around. HardPwn is one of the few and most
relevant,” he explained. “At these events, researchers can experiment freely with expensive,
vendor-sponsored hardware without worrying about damage. When it’s my own hardware, I’m
more cautious to avoid breaking it, which limits the types of attacks I try.”
At HardPwn, participants work with real devices from companies including Amazon, Google, Meta,
and, this time, Xiaomi. “We search for vulnerabilities in these consumer electronics to raise
security standards,” he said. “Verifying these fixes requires testing on devices that haven’t
been previously hacked, making it more challenging than typical software testing. This process
demands creativity to identify issues and develop new solutions. Hackathons offer a chance to
build innovative tools.”
Giese pointed out the unique importance of events like HardPwn, where academic research can
translate into practical applications with real industry collaboration. “Manufacturers actively
engage in developing solutions, which bridges the gap between theory and practice,” he said.
Uncovering Robotic Vulnerabilities
One of his notable discoveries involved security vulnerabilities in Ecovacs robot vacuum
cleaners. Having analyzed the Xiaomi vacuum robots he had used at home, Dennis became interested in the category.
“In 2018, I got an Ecovacs robot vacuum cleaner for reverse-engineering. But the hardware
was not great, so I put it in storage. I went back to Ecovacs in 2022 and hacked the X1 model.”
Working with fellow security researcher Braelynn Luedtke, Giese reverse-engineered the firmware
and looked into the communication protocols of the device. “There, we found many
vulnerabilities: broken TLS encryption, command injection via BLE – aka BLE RCE – and the
broken logic in the live video feature that allows bypass of the PIN. For the live video bypass,
you still need to access the account by getting the credentials from the broken TLS encryption
or by credential stuffing,” Giese said.
The vulnerabilities that Giese found could enable hackers to control these
devices via Bluetooth and Wi-Fi, accessing cameras, microphones, Wi-Fi credentials and room
maps. “For those with smart home devices that control things like heating or lighting, it’s crucial
to avoid simple passwords. Otherwise, someone could control your home’s systems, retrieve
device data, or even view a layout of your house,” Giese pointed out.
Although Ecovacs initially claimed the vulnerabilities required proximity, implying minimal user
risk, further scrutiny led to firmware updates addressing the issues.
A Call for Awareness
For most people, hardware security isn’t a major concern, Giese stressed, but certain users – politically active or high-risk individuals – should assess their exposure.
“Regular users should simply be mindful, especially with cameras and microphones, and carefully
consider their placement in private spaces like living rooms or bedrooms,” he advised.
In an IoT ecosystem, many devices connect to the cloud, which communicates across multiple
units. While this can contain potential vulnerabilities to individual or limited devices, attackers still
often discover flaws by physically tampering with a device and then exploiting weaknesses via
cloud access. For example, with Ecovacs’ 28 million devices across the U.S. and Europe, the
potential impact of such vulnerabilities could be far-reaching.
Growth in Hardware Security
The demand for hardware security expertise is growing, as securing these
devices requires understanding both the hardware and the software running on them.
“Examining a device’s firmware can reveal issues that may scale widely,” Giese said.
To excel in hardware security, he emphasized the need for a unique skill set encompassing
both hardware and software vulnerabilities. “While many security professionals understand
software, few have hands-on hardware knowledge. Physical access to a device makes it harder
for vendors to defend, creating a need for experts skilled in both areas,” he said. This expertise
is rare, making hardware security a highly valued and well-compensated field. According to
Giese, companies increasingly seek experienced professionals with dual knowledge in
hardware and cybersecurity.
For those interested in developing hardware security skills, Dennis suggests starting small.
“Build a simple embedded device on a development board and control it via the internet. Begin
with basic setups to understand device functionality, then shift to identifying vulnerabilities,” he
said.
Many cybersecurity professionals lack hands-on hardware experience, but a solid
foundation in computer science and hardware is essential before adding cybersecurity
expertise. “Cutting corners won’t lead to true competence in hardware security,” Giese said.