With the commoditization of IoT surveillance technology, private and public entities alike have been rushing to put every facet of our lives under surveillance. Unfortunately, schools are no exception in the ongoing privacy race to the bottom. In this talk, we present our analysis of a popular line of IoT vape detectors marketed primarily to schools. Rey first learned of the existence of this device while he was a student in high school, scanning the local network during his lunch break. He became obsessed with the idea of reverse-engineering it, and a couple of years later he got an opportunity when a specimen appeared on eBay.

This talk will cover our journey of acquiring the device and doing a hardware teardown. Then, we'll talk about dumping the firmware, examining its behavior, and doing some light reverse-engineering to uncover some fun appsec vulnerabilities. We'll discuss implications of our findings on this particular series of devices, as well as on the ed-tech surveillance industry as a whole. We will release a copy of the device filesystem, as well as our scripts for decrypting OEM firmware and packing custom firmware updates.