Things to hack
There are many potential targets for security assessments. Below are some suggestions, and if there is some product missing from the lab that you would like to use for your thesis you can head to the Request a Purchase page.
- Devices that are difficult to acquire, such as medical or industrial equipment (pacemakers, X-ray machines, bulldozers, etc.). Consider whether you might have access to such a device.
- An MG Marvel car (available from October 2023)
- Devices embedding radio transmitters/receivers (for example IoT devices relying on ZigBee. LoRaWAN, Bluetooth)
- SCADA control system equipment such as programmable logic controllers (PLCs)
- Anything under the Google Open Source Software Vulnerability Reward Program or any other bug bounty program.
- Open source IoT operating systems such as TinyOS, RIOT, Contiki, Mantis OS, Nano RK, LiteOS, FreeRTOS, Apache Mynewt, Zephyr OS, Ubuntu Core 16 (Snappy), ARM mbed, Yocto and Raspbian.
- The provably secure election system Verificatum (talk to Pontus about this opportunity)
- Baby monitors and similar home surveillance systems
- Internet-connected toys (dolls with microphones, etc.)
- Google PlayStore 100M-user apps. Google offers a bug bounty on the biggest apps, which also vouches for the legality of security testing them.
- Power grid asset management equipment
- Smart electricity meters
- Cloud providers with bug bounty programs, like Google Cloud Platform.
- Alarm systems
- nRF9160 which is used in a lot of IoT devices. Explore with Nordic Thingy:91.
- JetBrain’s Code with Me. Jetbrains are a suspected attack vector in the recent SolarWinds attack.
- Open source, like linux, nginx, apache, openssl, kvm, bash, vim, imagemagick, etc.
- Elk: The world’s fastest audio operating system
- Health-related equipment, such as blood glucose meters, even pace makers, if we can get a hold of one
- Smart power sockets and other home automation equipment
- Smart glasses
- VR headset
- Robots
- Vehicle entertainment systems
- Headphones
- Industrial IoT (Cranes, heavy machinery, trucks)
- Smart refrigerators
- Sport-related equipment, e.g. Garmin’s sports watches, appear to feature large attack surfaces.
- Connected pets?
- Smart car alarms
- Vehicles, e.g. electronic scooters
- Electric mopeds (some come with GPS, smartphone apps and a kill switch, now-a-days).
- OBD II dongles used to connect your smart phone to your car
- Drones
- Robot vacuum cleaners (particularly interesting if they have a camera)
- Electronic door locks
- Childrens’ smart watches