
very, very abstract, very high-level description as basically like a fancy tablet, you could say, right? They were locked, though, so not of much use. Then we found some drawers and, as you could expect, we of course had a bit of a look at the files there, and of course there were clear-text credentials to that HMI, so we could unlock it. That was pretty cool. Then we noticed there was also a printer, and we noticed that the network cables and ports were color-coded, and we noticed that that printer had the same color coding with its network cable and port as the HMI had. So since the HMI needs to be connected to the OT
network, that might mean that then also the printer is connected to the same network. So why not try and, uh, plant our rogue device here? But we figured, okay, maybe they might have some network access controls here. Um, so let's do it in a somewhat clever way. So we assumed that this is the setup: you have a printer that then authenticates towards the switch, and the switch, once, um, successfully authenticated, would open that port for the printer to then reach the network. Cool. What did we do? Super simple. Again, Raspberry Pi to the rescue with two Ethernet interfaces. We bridge the connection. Um, and then using silentbridge, for example, we had a transparent bridge. We would then
assume the IP and the MAC address of the printer and would then be looking the same to the switch and to the remaining network infrastructure as the printer would. Super cool, super simple. Now, interestingly enough, uh, I didn't really think about that beforehand, but I think the white team already disclosed that this would work. And I was surprised that it did. We again had an LTE modem underground in a mountain. I didn't expect this to work. It worked brilliantly. So we had again connection via our cloud infrastructure to our C2 server. Right? So that worked. And then the cool thing is, once we had this installation in place, we could then also remotely pretty much inject
packages into the