Determining whether the Hövding bicycle airbag is secure against cyber attacks

Sammanfattning: This thesis is about cyber-security and penetration testing. More specifically it concerns penetration testing of a Hövding bicycle airbag which is a smart alternative to a traditional bicycle helmet. The thesis focuses on exploiting Bluetooth Low Energy, firmware analysis and reverse engineering. The research question is as follows: Is the Hövding bicycle airbag secure against cyber attacks? No previous work has been done with regards to penetration testing the Hövding, despite its popularity. The Hövding’s latest model allows users to connect to their Hövding using a smartphone, with Bluetooth Low Energy as a communication protocol. There is limited research that has been done on exploiting this protocol, which is relatively complex and secure. To answer the research question a number of threats and attacks is identified with the help of the STRIDE model and whose risk is assessed with the DREAD model. These attacks are later executed in a series of penetration tests on the Hövding. The result shows that the Hövding has been securely developed and no vulnerabilities are found. Although no vulnerabilities are found the thesis discusses various approaches that can be useful for further work relating penetration testing similar devices. Regarding further work on the Hövding, there might be some vulnerabilities left to be discovered, perhaps related to hardware hacking or firmware tampering.