
How Hacking an Air Purifier Helps Understand RED and CRA

Published on: March 31, 2025

Estimated reading time: 5 minutes



Introduction


Imagine purchasing a smart air purifier for your home, expecting it to simply clean the air. However, after some digging, you realize the device is constantly sending data back to a cloud server, tracking its usage and even logging your location. Concerned about privacy and control, you decide to take matters into your own hands by hacking the device to work offline.


This is exactly what James Warner did. In today’s blog post we use his excellent write-up, Hacking a Smart Home Device, in which he describes in detail how he reverse engineered and hacked a smart home purifier, to understand what the most common pitfalls are when designing smart devices for the consumer market and, more importantly, how RED and CRA aim to keep such vulnerabilities out of IoT devices.



Reverse engineering


The process began with network traffic analysis, a crucial step in understanding how the device communicates. Warner used Wireshark to capture and inspect the traffic between the smart device and its cloud server. By analyzing the communication patterns, he was able to extract valuable information, such as the protocols used and the specific API calls made by the device.

After mapping out the network interactions, Warner moved on to firmware analysis. He extracted the firmware from the device, looking for clues on how it operated internally. By decompiling and inspecting the firmware, he identified command structures, authentication mechanisms, and potential vulnerabilities that could be exploited to gain control. His findings suggested that the device was built using the ESP32 microcontroller, a popular choice for IoT devices due to its built-in Wi-Fi capabilities and ease of programming.

With a clearer understanding of the firmware, Warner looked to modify or override the device's default behavior. One of the major breakthroughs was the ability to send custom commands to the device using intercepted API calls. This allowed him to bypass cloud restrictions and control the device locally without relying on an external server. This not only enhanced privacy but also improved responsiveness by reducing latency associated with cloud-based communication.


To solidify his control over the smart home device, Warner explored hardware-level modifications. He connected directly to the device’s internal serial communication interfaces, allowing him to flash custom firmware onto the ESP32 chip. This step enabled him to fully reprogram the device to work with Home Assistant. By doing so, he eliminated the need for proprietary applications and cloud-based control, making the device more versatile and secure.


All in all, Warner did an incredible job reverse engineering the product and applying the custom modifications, but, as stated in the introduction, much of it would have been blocked had the manufacturer followed the recommendations of the standards behind CRA and RED, such as EN 18031 and ETSI EN 303 645.


Why RED and CRA Matter


Reverse engineering the purifier’s firmware reveals security flaws that could allow an attacker on the same network, or with physical access to the device, to take control of it. This underscores the importance of regulatory frameworks like the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA), which aim to ensure that smart devices meet robust security and privacy requirements. Without such regulations, consumers remain exposed to data breaches and unauthorized control of their household devices.

Had the air purifier implemented secure boot and secure storage, as the standards supporting CRA and RED recommend, the firmware extraction and custom firmware flashing described above would not have been possible.


But what are Secure Boot and Secure storage?


Secure Boot 


Secure Boot is a fundamental security feature designed to ensure that only verified and trusted firmware is executed on a device. It works by using cryptographic signatures to validate the authenticity of firmware before it is loaded. During the boot process, the system checks the signature of the firmware against a stored public key. If the signature does not match, the device refuses to boot, preventing unauthorized or malicious code from running. 


This mechanism is crucial for maintaining the integrity of IoT devices, as it blocks attempts to install rogue firmware that could compromise security. By implementing Secure Boot, manufacturers can mitigate risks such as firmware tampering, unauthorized access, and persistent malware infections, reinforcing device security and user trust.

Secure Boot alone would not have prevented every step the author took (intercepting the cloud traffic, for instance, does not touch the firmware at all), but it would have stopped the modified firmware from being loaded and, most importantly, it is the first link in the chain of trust on which Secure Storage depends. It only helps, however, if it is actually enabled on production units: on the ESP32 it is switched on by burning eFuses, which cannot be undone, and it should be paired with locking down the debug and download interfaces (JTAG and the UART bootloader), otherwise the serial connection Warner used still offers a way in.


Secure storage & Flash Encryption


Secure storage and flash encryption are critical components in protecting sensitive data stored on embedded systems and devices. Secure storage ensures that data such as cryptographic keys, user credentials, and confidential files are kept in a protected manner, preventing unauthorized access and tampering. Flash encryption adds a further layer by encrypting data, in hardware or in software, before it is written to non-volatile flash memory, so that an attacker who gains physical access to the storage medium cannot read it. Note that flash encryption on its own provides confidentiality, not integrity: an attacker who cannot read the flash can still corrupt it or flip bits in it, which is why it is paired with Secure Boot to catch any modification before the code runs.


Many modern microcontrollers and embedded platforms, the ESP32 among them, implement flash encryption alongside secure boot to safeguard firmware integrity and prevent malicious modifications; on the ESP32 the encryption key lives in eFuses that are readable only by the hardware crypto engine, not by software. By combining secure storage with flash encryption, systems can maintain both data confidentiality and integrity, enhancing overall cybersecurity in IoT and embedded applications.
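The two mechanisms described above, Secure Boot and flash encryption, as an added example that is not code from the original post or from Warner’s write-up. It is a self-contained Go model of the chain: a bootloader that only runs images signed by a key it trusts, sitting on top of flash that is encrypted with a key that never leaves the device. Ed25519 stands in for the RSA-based signature scheme and AES-CTR for the hardware AES-XTS that the ESP32 actually uses, the image layout, the firmware string and the fixed 32-byte "eFuse" key are constructed for the demo, and nothing here is the real ESP32 image format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed image layout for this example (not the real ESP32 image format):
//   "FWIM" | payload length (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
const imageMagic = "FWIM"
const headerSize = 8

// SignImage is the vendor's build step: the private key signs header+payload.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	body := make([]byte, headerSize, headerSize+len(payload)+ed25519.SignatureSize)
	copy(body, imageMagic)
	binary.BigEndian.PutUint32(body[4:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the bootloader's check; pub stands in for the public-key digest that a
// real secure-boot implementation anchors in eFuse or ROM, out of reach of the firmware.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < headerSize+ed25519.SignatureSize || string(image[:4]) != imageMagic {
		return nil, errors.New("malformed image: refusing to boot")
	}
	n := int(binary.BigEndian.Uint32(image[4:8]))
	if n != len(image)-headerSize-ed25519.SignatureSize {
		return nil, errors.New("length field does not match image: refusing to boot")
	}
	body, sig := image[:headerSize+n], image[headerSize+n:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature mismatch: refusing to boot")
	}
	return body[headerSize:], nil
}

// EncryptFlash models flash encryption: devKey lives only in the device (eFuse) and is
// never part of the image. AES-CTR with a random IV stands in for the hardware AES-XTS;
// like XTS it gives confidentiality only, so integrity still comes from the signature.
func EncryptFlash(devKey, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(devKey)
	if err != nil {
		return nil, err
	}
	flash := make([]byte, aes.BlockSize+len(image))
	if _, err := io.ReadFull(rand.Reader, flash[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, flash[:aes.BlockSize]).XORKeyStream(flash[aes.BlockSize:], image)
	return flash, nil
}

// Boot is the device at power-on: the flash controller decrypts transparently with the
// eFuse key, then the bootloader refuses anything whose signature does not verify.
func Boot(pub ed25519.PublicKey, devKey, flash []byte) ([]byte, error) {
	if len(flash) < aes.BlockSize {
		return nil, errors.New("flash region too short")
	}
	block, err := aes.NewCipher(devKey)
	if err != nil {
		return nil, err
	}
	image := make([]byte, len(flash)-aes.BlockSize)
	cipher.NewCTR(block, flash[:aes.BlockSize]).XORKeyStream(image, flash[aes.BlockSize:])
	return VerifyImage(pub, image)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	devKey := bytes.Repeat([]byte{0x42}, 32) // stands in for the per-device eFuse key
	firmware := []byte("purifier-fw v1.0 cloud_host=api.example.invalid") // constructed
	flash, _ := EncryptFlash(devKey, SignImage(priv, firmware))
	// 1. A flash dump taken over the serial interface holds no plaintext to grep for.
	fmt.Println("plaintext visible in dump:", bytes.Contains(flash, []byte("cloud_host")))
	// 2. The vendor's image boots.
	fw, err := Boot(pub, devKey, flash)
	fmt.Printf("vendor image: %q err=%v\n", fw, err)
	// 3. One patched byte in flash (it lands in the payload) breaks the signature.
	patched := append([]byte(nil), flash...)
	patched[len(patched)-ed25519.SignatureSize-6] ^= 0x01
	_, err = Boot(pub, devKey, patched)
	fmt.Println("patched flash:", err)
	// 4. Custom firmware signed with an untrusted key is refused, even with the flash key.
	_, evilPriv, _ := ed25519.GenerateKey(nil)
	evil, _ := EncryptFlash(devKey, SignImage(evilPriv, []byte("custom firmware")))
	_, err = Boot(pub, devKey, evil)
	fmt.Println("untrusted signer:", err)
}
```

Run it as-is: the dump check prints false, the vendor image boots, and both the patched image and the one re-signed with a key the device does not trust are refused. The detail worth noticing is that case 3 is caught by the signature, not by the encryption: flash encryption hides the contents but does not detect tampering, which is why the two mechanisms belong together rather than being alternatives.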


Conclusion


In this post, we explored the technical details of hacking an air purifier, demonstrating the potential vulnerabilities in connected devices and the risks posed by insufficient security measures. The author of the hack did incredible work with a good goal, but at the same time he highlighted vulnerabilities in the device that could just as well be used maliciously. The aim of the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) is to protect the consumer and the internet, as a critical infrastructure of the European Union. The standards supporting CRA and RED, such as EN 18031 and ETSI EN 303 645, give guidance, for instance on implementing secure storage, that was not followed in the air purifier. Proper implementation of secure boot, encrypted firmware, authentication mechanisms, and hardware-based protections could have prevented unauthorized access and malicious modifications. This case study highlights the importance of proactive security strategies in IoT device design, ensuring compliance with regulations while safeguarding users from cyber threats.


As connected devices become increasingly integrated into daily life, manufacturers must prioritize robust security frameworks to prevent exploitation and maintain user trust.


How Security Pattern can help


We are experts in security, standards, and regulations. Reach out to us for a specialised assessment of your specific use case, or check out our services for Compliance Readiness and Compliance Gap Analysis.


