— Selected work

What I’ve actually
built and broken.

A sample of real projects — IoT investigations, RF and hardware tooling, and network engineering. Client work doesn’t appear here; this is the research, the experiments, and the things I’ve published openly. It’s also the honest answer to "do you actually know how this stuff works?"

01
— Security Research

The Facial Recognition Terminal Nobody Audited

How a common access control device used in businesses and schools fails completely open.

The problem

Facial recognition terminals are showing up everywhere — office lobbies, school entrances, gym check-ins, apartment buildings, warehouses. They’re sold as modern access control: employees or students scan their face instead of swiping a badge. The pitch is efficiency and security. The reality is that most of the people responsible for buying and installing these devices have no idea what’s actually running inside them — and neither do the students, employees, or visitors handing over their biometric data. I pulled one of these terminals onto an isolated lab network to find out. The device was marketed under one brand name, but inside it was a generic Chinese OEM platform sold under dozens of different names at every price point. What I found was a device that had no meaningful security at any layer.

The approach

Service enumeration with nmap to map every open port, then manual assessment of each one: the web management interface, an open telnet service, a backend service referenced in JavaScript source, and an RTSP video endpoint. Client-side JavaScript source review revealed credentials and stream paths that the device had no business exposing. Each finding fed the next — standard methodology for building a complete compromise chain.

The finding

The web interface accepted factory default credentials with no lockout and no rate limiting — but that barely mattered, because a publicly documented authentication bypass (CVE-2021-33044) returned the full admin dashboard with zero credentials whatsoever. The login page shipped a hardcoded encryption key in plaintext JavaScript, visible to any browser without authentication. The algorithm was Triple DES — cryptographically broken and deprecated by NIST since the 1990s. The device also exposed a fully unauthenticated RTSP video stream: any device on the same network could open it silently, with no credentials, no log entry, and no indication to anyone that the feed was being accessed. This is a facial recognition terminal. It was actively scanning and recording faces. Anyone on the network could watch that in real time. Telnet was open on port 23, transmitting everything in cleartext. An undocumented service on port 5000 was listening with unknown purpose. The full compromise chain — from discovery to live biometric video feed — required zero credentials. These findings apply to any network this class of device is placed on: a school, a medical office, a corporate lobby, an apartment complex.

Takeaway

These terminals are routinely purchased by facilities managers and IT teams who have no way to assess what’s inside them. The hardware is almost always a generic OEM platform — the same chipset family behind the Mirai botnet — rebadged and resold under hundreds of brand names. A higher price tag does not mean better security. Any organization using facial recognition for access control should treat these devices as untrusted by default: isolated VLAN, no internet access, egress filtering, and active monitoring of every outbound connection. Better yet, ask the vendor for a third-party security assessment before the device ever touches a network with students or employees on it.

nmapCVE-2021-33044RTSPBiometricsIoTOEM firmwareAccess control
02
— Hardware & Tooling

Wardrive Analysis Platform

Turning raw wireless captures into readable intelligence.

The problem

Wardriving produces enormous, messy datasets — thousands of 802.11 and BLE observations with randomized MACs, missing vendor data, and no easy way to make sense of them after the drive.

The approach

Built a cross-platform analysis tool (Electron desktop app plus a mobile PWA) that ingests capture data, performs OUI vendor lookups, separates BLE and Zigbee observations, handles MAC randomization, and supports WiGLE CSV import. Session save/load lets you revisit and compare drives over time.

The finding

A reusable platform that converts a night of capture into something you can actually analyze — vendor breakdowns, device categories, and signal patterns — instead of a wall of hex. Published open-source.

Takeaway

The capture is the easy part. The value is in the tooling that makes the data legible afterward.

ElectronPWATypeScriptRFWiGLE
View on GitHub
03
— Security Research

Bluetooth LE Security Research

Decoding advertisements and testing pairing vulnerabilities.

The problem

BLE devices broadcast constantly and pair with little user friction. How much can you learn passively, and how do real-world devices hold up against known pairing attacks?

The approach

Decoded raw BLE advertisement packets down to the manufacturer-data level to identify devices and vendors. Then tested a published BLE pairing CVE against my own hardware using an academic research toolkit — strictly on devices I own — to understand the attack surface firsthand.

The finding

Confirmed how much device and vendor information leaks from passive advertisement monitoring alone, and reproduced the pairing-vulnerability behavior against one of my own devices while another resisted it. A practical, hands-on understanding of where BLE security actually breaks down versus where it holds.

Takeaway

Passive BLE monitoring reveals more than most device owners realize. Pairing security varies wildly between vendors, even for the same class of device.

BLEReverse engineeringCVE researchRF
04
— Hardware & Tooling

Multi-Radio Surveillance Detection Rig

Detecting the detectors.

The problem

Automated license-plate-reader and surveillance devices broadcast identifiable wireless signatures. Could a portable rig passively detect and log them in the field?

The approach

Built a multi-radio platform combining WiFi and BLE monitoring with a reflashed Zigbee dongle running Sniffle. Wrote a custom bridge script targeting a specific manufacturer ID to flag known surveillance hardware in the captured stream, correlating across radios.

The finding

A working detection rig that passively identifies specific surveillance devices by their wireless fingerprints — entirely passive, no transmission, all on equipment I built and own.

Takeaway

Surveillance hardware is itself detectable. The same passive-monitoring techniques used to map networks work just as well for mapping the things mapping you.

ESP32SniffleZigbeePythonRF
View on GitHub
05
— Network & Infrastructure

Segmented Network & NVR Deployment

A hardened home network that treats every camera as hostile.

The problem

A growing fleet of IP cameras and IoT devices, several of which (see project 01) phone home to third parties. They needed to function without being trusted.

The approach

Designed a segmented UniFi network with isolated VLANs for IoT and cameras, firewall rules preventing those segments from reaching the internet or the trusted LAN, and a self-hosted Frigate NVR pulling RTSPS streams locally so footage never depends on a vendor cloud. Added a separate NAS as an archival target over SMB.

The finding

Cameras work fully — live view, recording, detection — while being firewalled off from the internet and the rest of the network. Footage stays local. If a camera is compromised or phones home, it reaches nothing of value.

Takeaway

You don’t have to trust a device to use it. Segmentation plus local recording lets you run "untrustworthy" hardware safely.

UniFiVLANFrigateRTSPSFirewall
06
— Hardware & Tooling

IP Camera Firmware Liberation

Replacing locked vendor firmware with open-source.

The problem

A PTZ camera shipped with closed vendor firmware of unknown provenance — exactly the kind of black box that phones home (see project 01). Could it be reflashed with open firmware that the owner controls?

The approach

Identified the flash chip and read the bootloader over UART to understand the boot process — the highest-value first step before touching anything. Used a CH341A SPI programmer to interface with the flash directly, working toward replacing the stock image with OpenIPC, an open-source camera firmware.

The finding

Established the hardware access path — UART boot log captured, SPI flash interface confirmed — for moving the camera off opaque vendor firmware onto auditable open-source firmware the owner fully controls.

Takeaway

For a camera you can’t audit, the firmware is the threat. Hardware-level access means you’re never fully locked into whatever the vendor shipped.

OpenIPCCH341AUARTFirmwareSPI
— More on GitHub

The rest of it
lives in the open.

Most of my hobby and research work is published under HyTechProjects. Some of it is polished, some of it is me messing with things at 2am. Both are part of the practice.