{"guid":"17ff3ad3-2a01-52c9-b3e3-08a55942b49b","title":"Hacking the Aeotec Smart Hub: The little hub that could","subtitle":null,"slug":"why2025-101-hacking-the-aeotec-smart-hub-the-little-hub-that-could","link":"https://program.why2025.org/why2025/talk/DJKYA7/","description":"Pwn2Own Ireland added a new target in the smarthome category: the Aeotec Smart Hub. We assumed this target would be an easy win. However, getting the firmware of this device turned out to be a lot harder than anticipated. First, we had to modify the board to dump the encrypted flash. Then, we abused a secure boot flaw to get the decryption key. This process took so long, we had no time left to look for vulnerabilities, but our approach may be interesting for others looking at similar targets.\n\nUsually extracting the firmware of an IoT device is easy. The firmware is often not encrypted on flash and debug interfaces such as UART are often exposed and left open. This was our assumption when we started investigating the Aeotec. However, we turned out to be very wrong on our assumptions. \n\nThe Aeotec firmware is actually encrypted on flash, with a key that is stored in OTP. Furthermore, all debug interfaces such as UART were closed down. This meant we needed to go to great lengths, first doing in-circuit dumping of the flash, then breaking the encryption configuration in order to get code execution on the APCPU.\n\nOur goal was to do vulnerability research, but we ran out of time for that. 
By sharing our process, we hope to help others who are interested in this or other devices with a similar configuration.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/","original_language":"eng","persons":["Daan Keuper","Thijs Alkemade"],"tags":["101","2025","why2025","Hacking","Delphinus","why2025-eng","Day 5"],"view_count":122,"promoted":false,"date":"2025-08-11T14:00:00.000+02:00","release_date":"2025-08-12T00:00:00.000+02:00","updated_at":"2026-01-01T07:45:03.909+01:00","length":2341,"duration":2341,"thumb_url":"https://static.media.ccc.de/media/events/why2025/101-17ff3ad3-2a01-52c9-b3e3-08a55942b49b.jpg","poster_url":"https://static.media.ccc.de/media/events/why2025/101-17ff3ad3-2a01-52c9-b3e3-08a55942b49b_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/why2025/101-17ff3ad3-2a01-52c9-b3e3-08a55942b49b.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/why2025/101-17ff3ad3-2a01-52c9-b3e3-08a55942b49b.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/why2025-101-hacking-the-aeotec-smart-hub-the-little-hub-that-could","url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e3-08a55942b49b","conference_title":"What Hackers Yearn 
2025","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025","related":[],"recordings":[{"size":367,"length":2341,"mime_type":"video/webm;codecs=av01","language":"eng","filename":"why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_av1-hd.webm","state":"new","folder":"av1-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-12T15:00:52.740+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/av1-hd/why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_av1-hd.webm","url":"https://api.media.ccc.de/public/recordings/89871","event_url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e3-08a55942b49b","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":383,"length":2341,"mime_type":"video/webm","language":"eng","filename":"why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-12T15:30:10.026+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/webm-hd/why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/89899","event_url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e3-08a55942b49b","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":105,"length":2341,"mime_type":"video/webm","language":"eng","filename":"why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-08-12T15:00:24.246+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/webm-sd/why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/89868","event_url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e
3-08a55942b49b","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":113,"length":2341,"mime_type":"video/mp4","language":"eng","filename":"why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-08-12T13:58:53.581+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/h264-sd/why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_sd.mp4","url":"https://api.media.ccc.de/public/recordings/89772","event_url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e3-08a55942b49b","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":35,"length":2341,"mime_type":"audio/mpeg","language":"eng","filename":"why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-08-12T13:35:20.376+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/mp3/why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/89708","event_url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e3-08a55942b49b","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":23,"length":2341,"mime_type":"audio/opus","language":"eng","filename":"why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-08-12T13:35:16.424+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/opus/why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_opus.opus","url":"https://api.media.ccc.de/public/recordings/89707","event_url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e3-08a55942b49b","conference_url":"https://api.media.ccc.de/public/conferences/W
HY2025"},{"size":474,"length":2341,"mime_type":"video/mp4","language":"eng","filename":"why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-12T13:16:54.288+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/h264-hd/why2025-101-eng-Hacking_the_Aeotec_Smart_Hub_The_little_hub_that_could_hd.mp4","url":"https://api.media.ccc.de/public/recordings/89694","event_url":"https://api.media.ccc.de/public/events/17ff3ad3-2a01-52c9-b3e3-08a55942b49b","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"}]}