Last year, the Nozomi Networks Labs team participated in two hackathons at the Cyber-Defence Campus of armasuisse Science and Technology, focusing on ICS and automotive security. These events highlighted the importance of securing critical infrastructure—from industrial control systems to modern vehicles. This year, we maintained our partnership with armasuisse by participating in the Domotics Hackathon, where we focused on protocols for building automation and firmware analysis.
In this blog, we take a look at our latest hackathon experience, where we improved our knowledge of the BACnet protocol, performed firmware emulation and fuzzing, and tested out our own security solutions in a simulated building automation environment. Our participation at the Domotics Hackathon once again served as an opportunity for knowledge-sharing, cutting-edge research, and hands-on experimentation with real-world devices.
Firmware Emulation and Fuzzing Training
Before diving into the Domotics Hackathon challenges, our team participated in a three-day workshop on firmware emulation and fuzzing, conducted by researchers from HexHive at EPFL under the guidance of Professor Mathias Payer. Building on our pre-existing advanced knowledge of the topic, the course skillfully combined theoretical insights with hands-on exercises, beginning with fundamentals like firmware extraction and the use of tools such as binwalk and QEMU. Even though we already had a solid background on these topics, the training deepened our understanding of Linux boot processes, including U-Boot, while also refining our ability to map attack surfaces with network and process analysis utilities. We also explored static analysis techniques, including the ARM Cortex-A ISA, dissecting ELF file formats, and leveraging Ghidra’s advanced capabilities, particularly its Python scripting features for automated reverse engineering. The workshop culminated in a practical look at dynamic analysis methodologies, featuring QEMU-based rehosting experiments and a short introduction to black-box fuzzing with AFL. By the end of the sessions, we had not only consolidated our advanced knowledge but were well-positioned to tackle the firmware-level challenges at the hackathon.
We highly appreciated the HexHive training, as it provided not only fundamental skills, but also exposure to cutting-edge research tools. We plan to integrate newly acquired techniques into our vulnerability research pipeline.
Scapy Training
After attending the Fuzzing training, the Labs team also participated in a full-day Scapy training conducted by Guillaume Valadon, former Director of Security Research at Quarkslab and lead maintainer of the Scapy project. The training was split into three segments:
- Scapy Introduction, which covered:
  - Packet manipulation and network scanning
  - Protocol visualization and custom dissectors
  - Leveraging Scapy as a Python module
- Practical Exercises:
  - Tackling multi-protocol scenarios, including encryption and certificate analysis
  - Exploring solutions provided in dedicated solution branches
- Team Project: BACnet Protocol Implementation, involving:
  - Building a Scapy library for the BACnet protocol
  - Gaining a deeper understanding of building automation communication flows
The training complemented our firmware knowledge by offering new ways to analyze network traffic, particularly BACnet, a focal point of the Domotics Hackathon. It refined our packet manipulation expertise, enabling us to quickly develop custom protocol dissectors and efficiently parse new network behaviors, which is especially relevant for BACnet and other industrial protocols.
From protocol-level visibility to exploit testing, the Domotics Hackathon deepened our understanding of building automation. We discovered common misconfigurations and potential attack surfaces that underscore the need for specialized security solutions.
Domotics Hackathon: Hacking Building Automation
Following the trainings, the Domotics Hackathon kicked off with a clear objective: exploring BACnet, a widely adopted protocol in building automation. Experts, researchers, and representatives from government agencies joined forces to investigate new vulnerabilities, share knowledge, and promote a culture of proactive cybersecurity in operational technology (OT) settings.
armasuisse set up multiple demos using devices from different vendors, including:
- Avelon
- Honeywell
- MBS
- SAIA Saia Burgess Controls
- Sauter Controls
- Siemens
- Wago
Hands-On Testing with Nozomi Networks Solutions
A highlight of our participation was the opportunity to test our products—Nozomi Networks P550 and Vantage—in a live demo environment. All it took to get a functioning environment was to connect the P550 sensor to the SPAN port of the main switch, ensuring comprehensive visibility into all network traffic. Meanwhile, the Vantage cloud platform aggregated that data for further analysis.
With this setup we were able to show to hackathon participants the main features of our solution, such as:
- Asset Detection: Our technology correctly identified each device, enriched asset inventories with AI-driven information, and mapped out their links.
- Real-Time Anomaly Detection: Hackathon participants tried manipulating BACnet variable data (e.g., faking temperature readings) to see if our solution would pick it up. We configured threshold-based alerts, and our sensor successfully detected unusual behavior in real time.
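As an added example that is not code from this post, from the Labs team's Scapy library, or from the Nozomi Networks products, the following dependency-free Python sketch shows what the BACnet dissector built in the Scapy team project and the threshold alerting described in this bullet have to do: it constructs BACnet/IP ReadProperty-ACK frames carrying the REAL present-value of an analog input, dissects them back through the BVLC, NPDU and APDU layers, and flags readings that fall outside a plausible range or jump too fast between samples. The field layout follows the BACnet/IP encoding; the room-temperature thresholds and the sample readings are constructed for illustration.

```python
import struct
from dataclasses import dataclass

BVLC_TYPE, ORIGINAL_UNICAST = 0x81, 0x0A   # BACnet/IP header type and function
ANALOG_INPUT, PRESENT_VALUE = 0, 85        # object type and property identifier
APP_TAG_REAL = 0x44                        # application tag 4 (REAL), length 4

@dataclass
class Reading:
    object_type: int
    instance: int
    value: float

def build_read_property_ack(instance, value, invoke_id=1):
    """Construct a ReadProperty-ACK carrying the REAL present-value of analog-input <instance>."""
    apdu = bytes([0x30, invoke_id, 0x0C])                                # Complex-ACK, invoke ID, readProperty
    apdu += b"\x0c" + struct.pack(">I", (ANALOG_INPUT << 22) | instance)  # ctx tag 0: objectIdentifier
    apdu += bytes([0x19, PRESENT_VALUE])                                 # ctx tag 1: propertyIdentifier
    apdu += b"\x3e" + bytes([APP_TAG_REAL]) + struct.pack(">f", value) + b"\x3f"  # ctx tag 3: value
    npdu = b"\x01\x00"                                                   # version 1, no routing info
    return struct.pack(">BBH", BVLC_TYPE, ORIGINAL_UNICAST, 4 + len(npdu) + len(apdu)) + npdu + apdu

def parse_read_property_ack(frame):
    """Dissect BVLC -> NPDU -> APDU and return the Reading; reject anything malformed."""
    if frame[0] != BVLC_TYPE or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("bad BVLC header or length")
    if frame[5] & 0x28:                                                  # DNET/SNET present: routed frame
        raise ValueError("routed NPDU not supported")
    apdu = frame[6:]
    if len(apdu) != 17 or apdu[0] != 0x30 or apdu[2] != 0x0C or apdu[3] != 0x0C:
        raise ValueError("not a ReadProperty-ACK with a 4-byte objectIdentifier")
    obj = struct.unpack(">I", apdu[4:8])[0]
    if apdu[8:11] != bytes([0x19, PRESENT_VALUE, 0x3E]) or apdu[11] != APP_TAG_REAL or apdu[16] != 0x3F:
        raise ValueError("unexpected property or value encoding")
    return Reading(obj >> 22, obj & 0x3FFFFF, struct.unpack(">f", apdu[12:16])[0])

def scan_readings(frames, low, high, max_step):
    """Threshold plus rate-of-change rule over successive readings; returns alert strings."""
    alerts, previous = [], None
    for frame in frames:
        r = parse_read_property_ack(frame)
        if not low <= r.value <= high:
            alerts.append(f"AI{r.instance} out of range: {r.value}")
        if previous is not None and abs(r.value - previous) > max_step:
            alerts.append(f"AI{r.instance} jumped {previous} -> {r.value}")
        previous = r.value
    return alerts

# Constructed sample: three plausible room temperatures followed by two implausible spoofed values.
SAMPLE_FRAMES = [build_read_property_ack(1, t) for t in (21.5, 21.75, 22.0, 45.0, -3.0)]
```

Running `scan_readings(SAMPLE_FRAMES, low=15.0, high=30.0, max_step=5.0)` yields four alerts, two for each spoofed value; a truncated or length-mismatched frame is rejected before any value is trusted.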
This hands-on demo mirrored the approach of the previous ICS hackathons we attended. Building automation systems are among the first—and most critical—security checkpoints for physical access to a building. The demos presented during the hackathon allowed us to test our product strategies, refine them, and strengthen them for real-world scenarios.
Practical Hardware Analysis
In addition to network and firmware analysis, our team also explored hardware security on various building automation devices.
The first device was the BACnet controller. With spare controllers available to experiment on, we teamed up with armasuisse to conduct a deep-dive hardware analysis. Our initial goal was to extract the firmware from the on-board QuadSPI flash memory. Using a HydraBus interface and custom code, we forced the memory to communicate over a single channel, eventually dumping the full content of the memory. Unfortunately, the dump turned out to be encrypted. Pivoting to a second strategy, we discovered that the SWD interface was unexpectedly open. Leveraging OpenOCD and GDB, we successfully dumped the unencrypted flash content, giving us valuable insights into the device’s firmware.
On the final day, we joined another team working on a different controller where the SWD port was closed. Their approach centered on bypassing the SWD protection via a fault injection voltage glitching attack. After multiple attempts, they succeeded in injecting a glitch to temporarily disable security checks, gaining access to the debug port and ultimately extracting the firmware.
These hands-on hardware attacks illustrate how even seemingly minor features—like an open SWD port—can become vectors for deeper system compromise. The experience was reminiscent of our automotive hackathon explorations, where physical access and low-level debugging interfaces can expose critical information about embedded systems.
Collaboration with Vendors and Researchers
During the hackathon, vendors like Sauter Controls brought portable demos for live testing. While analyzing traffic from their central controller, we discovered a discrepancy in how our products (i.e., P550 and Vantage) detect the firmware version. As with previous hackathons, collaboration and open dialogue with device manufacturers propelled mutual learning and improvements.
Engaging with the broader security community—researchers, government agencies, and private vendors—fueled future research projects and cultivated an environment of cooperative learning.
Results and Final Considerations
Through these collaborative efforts, we gained practical insights into how our solutions perform under real-world conditions, thereby refining our detection and anomaly response capabilities. The ability to recreate high-fidelity environments—complete with real devices, protocols, and simulated attacks—proved essential for validating and enhancing our tools’ performance. By working closely with vendors, we can tailor our asset detection algorithms to their specific device fields, enrich threat intelligence with firmware- and vendor-specific data, and ensure a faster time-to-detection for emerging threats.
Ultimately, this hackathon showcased the importance of bridging research, vendor collaboration, and hands-on experimentation to advance cybersecurity in building automation. Each discovery and improvement, from hardware attack strategies to software-based anomaly detection, contributes to a deeper understanding of operational technology risks. As we continue supporting vendors in building more secure ecosystems, these collaborative exercises serve as a foundation for developing stronger, more resilient ICS/OT security solutions.
The Domotics Hackathon demonstrated once again that hackathons offer much more than a simple challenge: they drive innovation, skill-building, and community engagement in critical infrastructure security. By immersing ourselves in firmware analysis, fuzzing, and BACnet protocol exploration, we gained a deeper awareness of the evolving threats and solutions in building automation systems.
Our ongoing collaboration with the armasuisse Cyber Defence Campus continues to yield valuable research opportunities, from ICS forensics to advanced automotive and now domotics security.