BSides Toronto 2025

Hacking Furbo: A Pet Project
2025-10-04, ENG 103

Embarking on our first hardware hacking project, we came across the Furbo treat dispensing smart-camera for pets. Over the course of 3 months of research we identified nearly 40 vulnerabilities across the mobile application, the Bluetooth communications, and devices. This talk will showcase our journey to destroy pet-surveillance devices, our struggles with defeating the firmware encryption, more than a few vulnerabilities found along the way, and we will show you how we got it to play Darude Sandstorm!


Our talk revisits the question of the security of smart home devices.

It has become a trend to label everything as highly insecure and brimming with RCEs, but, as our research shows, that's not entirely true. In our case, despite being inexpensive, the device was built to a relatively high standard. Many devices are still insecure, but some IoT vendors have been working hard to change that. The IoT market is maturing, and there have been efforts to improve the baseline across the industry.
We are also using this as an avenue to demonstrate the importance of assessing all of the various components of a hardware device—from mobile application, to Bluetooth protocol, to debug ports, and binaries.

Penetration tester by day, Julian identifies vulnerabilities to exploit for a wide range of clients. OSINT enthusiast by night, Julian follows emerging threats to the Western world.

https://www.linkedin.com/in/julianb34/

Calvin Star is a Security Researcher at jTag Labs Ltd and a full-time Systems Administrator by day. With a passion for security that extends into his off-hours, Calvin applies his deep knowledge of systems architecture and administration to uncover vulnerabilities in real-world software and infrastructure. His past research includes multiple disclosures, such as the Roomcast vulnerabilities (CVE-2023-33742 through CVE-2023-33745) and a series of flaws in Caterease (CVE-2024-38881 through CVE-2024-38891). Calvin's approach bridges practical IT operations and offensive security, helping make systems more secure through responsible disclosure and hands-on research.