
When the connected home becomes a security risk

Researchers in the Bavarian research network ForDaySec are investigating the dangers of smart homes. In this video, they present the solutions they have developed.

Imagine a hacker opening your front door – not with a lock pick, but with the help of data. What sounds like science fiction is now reality.

Every smart door lock and every connected light bulb is a potential attack vector. ‘At the Bavarian research network ForDaySec, we are investigating how everyday digital life can be made secure, whether that involves robot vacuum cleaners or digital AI assistants,’ says Professor Stefan Katzenbeisser in the video. The holder of the Chair of Computer Engineering at the University of Passau is the spokesperson of the research network, in which researchers from five Bavarian universities and from different disciplines have joined forces. For four years, they have been investigating how security in the Internet of Things (IoT) can be better implemented without overloading users with technical details.

On Wednesday, 25 March 2026, the researchers will present their findings in Munich. As a preview, they have summarised some of the technical highlights in this video. In Munich, representatives from science and practice will be guests at the event, including Caroline Krohn-Atug from the Federal Office for Information Security (BSI) and Tatjana Halm from the Bavarian Consumer Association (Verbraucherzentrale Bayern e.V.). Tech journalist Eva Wolfangel will give the keynote speech on the topic: ‘The weak point is not in front of the screen, but in the system.’

In the so-called Security Show Case, researchers have developed prototypes for realistic scenarios that demonstrate how to secure everyday digital life. Dr Henrich C. Pöhls, Managing Director of the IT Security Centre at the University of Passau, coordinated the work. ‘In ForDaySec, we saw that users are willing to invest time into IT security-critical decisions – but we also need to make the technical possibilities available to them.’


Scenario 1: When smart door locks don't receive security updates

Smart door keys promise convenient access, but many cheap IoT devices are not kept up to date by the manufacturer. Sebastian Jänich from Ludwig Maximilian University in Munich shows how attackers could take over such systems: ‘A door lock with a security vulnerability can be manipulated remotely without physical access.’ Jänich, who conducts research at the Chair of Programming Languages and AI, has developed the following solution: firmware retrofitting by binary patching.

What does that mean specifically? Instead of waiting for updates from the manufacturer, the door lock's firmware is patched locally to improve its security. ‘We identify critical functions and protect them with additional security checks.’ The door lock with retrofitted firmware then automatically blocks suspicious access attempts. What makes the solution developed in ForDaySec so special is that the method also works with older devices and extends their service life by fixing known vulnerabilities that the manufacturer ignores or no longer addresses with updates.

Scenario 2: When an attacker spoofs the surveillance camera

Surveillance cameras are supposed to provide security, but often the recipient does not know where the video image originates from. As shown in the video, the attacker could send a still image while robbing the area under surveillance. Emiliia Geloczi, research assistant at the Chair of Computer Engineering at the University of Passau, shows two identical smart homes: ‘One has a normal IoT hub, the other is equipped with our security monitor developed in ForDaySec.’

In the first house, an attacker easily manages to manipulate the video stream displayed on the monitor in the test. In the second house, the situation is different: ‘Our monitor requests re-authentication at regular intervals – using signatures that can only be created on a specific device.’

Put simply, it is a digital ID check for this specific hardware in the camera: it must re-authenticate itself at short intervals using a digital signature. Even if a hacker intercepts a transmission, they cannot reproduce this signature without owning the device. ‘The signature is only generated in the memory on request, it uses the unique physical properties of the respective device (so-called PUF) and thus it is not stored anywhere,’ explains Geloczi. The homeowner does not notice any of this, as the process runs automatically in the background.
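The periodic re-authentication described above, as an added example that is not ForDaySec's code: the monitor issues a fresh nonce each interval and the camera answers with a tag over that nonce and the current frame, so a captured answer is useless in the next interval. HMAC with a key derived from a simulated PUF value stands in for the device-bound signature, which the page does not specify; binding the frame into the tag, the enrolment step and all names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in: a real PUF yields this value from the chip's physical
# properties on request; a constant is used so the example runs offline.
SIMULATED_PUF_RESPONSE = b"constructed-puf-response-camera-A"


def _tag(key: bytes, nonce: bytes, frame: bytes) -> bytes:
    # Bind the tag to the fresh nonce and to the frame being shown (assumption).
    return hmac.new(key, nonce + hashlib.sha256(frame).digest(), hashlib.sha256).digest()


class Camera:
    def __init__(self, puf_response: bytes):
        self._puf = puf_response

    def device_key(self) -> bytes:
        # Re-derived for every request, never written to storage.
        return hashlib.sha256(b"camera-auth-v1" + self._puf).digest()

    def respond(self, nonce: bytes, frame: bytes) -> bytes:
        return _tag(self.device_key(), nonce, frame)


class Monitor:
    def __init__(self, enrolled_key: bytes):
        self._key = enrolled_key   # learned once at enrolment (assumed step)
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh nonce per interval
        return self._pending

    def verify(self, frame: bytes, tag: bytes) -> bool:
        if self._pending is None:
            return False
        nonce, self._pending = self._pending, None  # each nonce is single-use
        return hmac.compare_digest(_tag(self._key, nonce, frame), tag)


def demo():
    camera = Camera(SIMULATED_PUF_RESPONSE)
    monitor = Monitor(camera.device_key())
    frame = b"constructed-frame-0001"
    tag = camera.respond(monitor.challenge(), frame)
    genuine = monitor.verify(frame, tag)
    monitor.challenge()                      # next interval, new nonce
    replayed = monitor.verify(frame, tag)    # captured frame and tag resent
    return genuine, replayed
```

The monitor accepts the genuine answer and rejects the same frame and tag resent in the following interval, because the tag was computed over a nonce that is no longer valid.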

Scenario 3: When the smartphone becomes a pivot point

Marius Momeu, research assistant at the Chair of IT Security at the Technical University of Munich, has examined the following scenario: ‘An attacker exploits a vulnerability in the operating system kernel to take control of a user's smartphone – and with it, their entire smart home.’

The kernel is the heart of an operating system. It manages memory, processes and hardware access. A flaw here can give an attacker almost unlimited control. ‘Suddenly, the attacker opens the front door, switches off cameras or manipulates alarm systems,’ Momeu explains.

He has developed protective mechanisms in ForDaySec to prevent such attacks. ‘We isolate critical system functions so that even a compromised kernel can no longer attack devices.’

Scenario 4: When the smart light bulb opens the front door as an insider

Dr Henrich C. Pöhls from the University of Passau has investigated an often-underestimated risk: discarded smart home devices. ‘Users rarely consider that a seemingly harmless smart light bulb may still contain sensitive security information when it is disposed of – such as the Wi-Fi password or access credentials for the smart home control centre.’

The light bulb is taken to the recycling centre, but instead of being recycled, it ends up in the wrong hands. ‘An attacker could read the stored data and use it to gain access to the original smart home,’ explains Pöhls. He compares today's smart home security to a hotel where all checked-in guests get the same key and thus can open all rooms’ doors: ‘A door lock that is controlled by a smartphone over Wi-Fi should not be able to receive any commands from a light bulb – unfortunately, today all internal participants in the Wi-Fi network are often treated as equally trustworthy.’

His alternative approach, which he developed at the Chair of IT Security at the University of Passau under Professor Joachim Posegga, is that each device is given a per-device cryptographic key. Once this is deleted from the Wi-Fi router, even a compromised light bulb can no longer send commands to a door lock. ‘With this measure, which is quite easy for users to implement, we reduce the potential for attack, we create more digital privacy and we strengthen security in the smart home.’

About the 'ForDaySec' research network

The interdisciplinary research network ‘ForDaySec – Security in Everyday Digitalisation’ comprises researchers from five Bavarian universities in the fields of computer science, sociology and law. The spokesperson is Prof. Dr. Stefan Katzenbeisser from the University of Passau. The unique feature of the network is the interdisciplinary linking of technical processes with legal issues – such as update obligations – and sociological analyses of user acceptance. The Bavarian Ministry of Science is funding the network with 3.3 million euros.

Professor Stefan Katzenbeisser

researches cyber security and technical data protection

How can critical infrastructures in a networked world be protected against cyber attacks?

Professor Stefan Katzenbeisser holds the Chair of Computer Engineering at the University of Passau. He researches cyber security in embedded systems, critical infrastructures and technical data protection. He is spokesperson of the research cluster "ForDaySec - Security in everyday digitalisation", which is funded by the Bavarian Science Ministry. Besides participating in research projects on secure mobility, he is also involved in the research initiative "6G Research and Innovation Cluster (6G-RIC)". Since November 2023, Professor Katzenbeisser has been a representative of the DFG Review Board “Security and Dependability, Operating, Communication and Distributed Systems”.
