How I Reverse Engineered and Exploited a Smart Massager
Hello people, I am writing a blog post after a long time. Guess I should make it a worthy one. I have been working with Bluetooth for quite sometimes so I have decided to write about it.
I choose to reverse engineer a smart device just because I wanted to write a blog post and this proves how security is being implemented in these Smart devices. In this post, I will be showing you how I reverse engineered a Bluetooth based (Smart) Massager and how I could exploit it to make it lethal.
Now why is a massager lethal?
Massager works on a principle called as TENS — transcutaneous electrical nerve stimulation. Our entire nervous system works based on neural impulse, which are electric signals. Sense of pinch to the sense of orgasm is an electric impulse which is going to secrete different hormones in your brain and you feel pain or pleasure.
These TENS devices are attached to a region of our body using gel electrodes which needs to be massaged and it starts sending small electric signals with specific frequency which cancels the pain signal that’s going to reach your brain. These are mostly in the range of 50 to 300V at 10 to 500mA with 1 to 250HZ.
Problem is if any of these parameters are manipulated it could result in painful experience like sudden muscle reflex, skin burn or even damage to nerves.
Bluetooth LE/4.0+ is completely different than your Bluetooth Classic as the name says, it has very low power consumption of around 15–20 ma at transmission, Which makes it easier to build battery powered applications to last longer like smart watch, beacons and this smart massager.
Bluetooth works like server-client. where the client is called as “central” which are your mobile phones/laptop and server is called as “peripheral” which are your end devices like wearable, beacon and sensor networks.
Every device will have one or more “services” in it. Based on their functionality they have different services, for example Smart watch will have one service for device information, one for heart rate information and other for firmware update.
Inside these services you will see lot of parameters called as “characteristics”. these are basically the place where your application and the device sends and receives the data,. This is entire process is handled by generic attribute in the Bluetooth LE stack.
Next question will be are there any security mechanism if you want to access these data??
Yes. Bluetooth do offer an option to secure your communication. It is a three step process.
1. Connecting — The central device just connects to the device and can access all the data in the GATT.
2. Pairing — The central device needs to pair using any I/O so any new device that tries to connect to it needs physical access. This is where all the data is being encrypted with AES when transmitted into the thin air which also transmits the key in it.
3. Bonding — This allows the device to connect to the already paired device using the pre-exchanged key which happened during pairing.
The problem with pairing is that for these devices like smart bulb or smart beacon, it is becomes hard to keep a keypad or display to pair to it so the device just works on connection without any pairing. it becomes easier for anyone to connect to it and gain access to the GATT.
Now lets talk about how I reverse engineered the Bluetooth massager
I want to open the device and show you possible attack vectors on the hardware but i will keep it for the next blog, since JTAG is located in the device.
I downloaded the official mobile application and tried to understand the inputs and outputs in the UI aka functionality.
So the application allows me to change
1. Mode of massage.
2. Intensity of the massage.
3. Timer to stop the massage.
4. View Battery level and scan for devices.
Next step is to check if the device has any kind of pairing or any security mechanism.
I used an android application called as “nrf connect” which is a GATT explorer that can connect to the device and lists all the services and characteristics.
I turned my massager ON and tried connecting with the massager.
Tada! It got connected. Now I can read and receive data from its characteristics.
On analyzing the Services and Characteristics, they have used three service for basic information like device name, Firmware and hardware version. Last service looks different and it doesn’t have any human readable information. When I did a read request on all the characteristics. I got a response which is “Characteristics 1“ to “3“.
Now I know the data is not encrypted and all transaction in GATT is in plain text or at least I believe so. Still there are possibility that the data could be encrypted. Still it was a sign of relief.
This can be also be done in your laptop’s Bluetooth by using GATTool.
So we now know how to access the GATT services and how to read and write to them. Now the question is how do you know what to write to these characteristics to control the device without the mobile application
So there is this one tedious method which i use to do.
Android mobiles has an option called as HCISNOOP, which dumped all the Bluetooth communication from and to the mobile phone into a file. It can be enabled inside your developer option.
I did a considerable amount of operations from the application and the device so data can be logged.
I opened the log file in wireshark and filtered for only GATT protocol(since my phone is a central and can perform lot of other BT protocols)
Viola! I found few GATT write and read request on handle “0x0025“ which is “0000fff1–0000–1000–8000–00805f9b34fb”.
Now the problem is how do I know which data is used for which operation. It will take some time to analyze and understand the data format and I am lazy to do that.
Since I am lazy, I use an another tool which is a MiTM(Man in the middle) Bluetooth framework called as GATTacker by Sławomir Jasek(securing.pl).
Trust me it’s an amazing tool.
You can check their GIT repo on how to install it.(you do need two machines or one VM +host with 2 BT4.0 dongles).
GATTacker typically converts your laptop as a Bluetooth proxy so the device connects to one dongle and the mobile application connects to another dongle which emulates the device and we can capture the data actively.
Active analysis! That’s why i love it.
First step is to do a scan, which scans and copies the advertisement data into a file.
Next step is to scan the device and clones all the services and characteristics in a file.
Third step is to start advertising with the Advertisement and services files.
Once the service is running. the GATTacker connects to the device and you can use the app to connect to the Device which is emulated by GATTacker.
You can see in the log that the client is connected.
Now perform various operations like setting it to different modes, intensity and time and analyse which type of data is being transmitted.
So by analyzing the data we notice for every new connection a chunk of data is being transmitted and then followed by an another packet and these doesn’t change for different connections so it is some kind of initializing data.
For every second the mobile application send a data and the device responds, this looks like data exchange to synchronize the activity.
When I performed different operation, I got the specific packets which could be used to control the operation of the device. Now let’s compare the data between different settings.
12 34 56 78 90
a1 04 01 01 0a — Mode 1 with intensity 1 and 10 minutes
a1 04 07 02 0a — Mode 7 with intensity 2 and 10 minutes
a1 04 01 05 04 — Mode 1 with intensity 5 and 4 minutes
1234 looks like header in hex
56 is mode in hex
78 is intensity in hex
90 is time in hex
These data are written to “fff1“ whose handle value is “0x0025“ as found in wireshark and GATTool.
Now based on these analysis we could reverse engineer the operation and control the device without the need of the mobile application.
We now know how to access the GATT and reverse engineer the data. Now let’s craft a exploit around it.
pyGATT is a python wrapper around GATT to write scripts so you can automate these communication.
All codes are available in this GIT Repo
Let’s see what’s in the code.
1. Imports all the bells and whistles aka libraries and starting Bluetooth
2. Connecting to the device using MAC address
3. Now write data to a specific handle with the data which we RE’d
4. Close the Bluetooth connection
Now testing the script.
I don’t like to get zapped. I could hear those heavy voltage buzzing noise from my device as a confirmation that my script worked.
if anyone have tried it in their body please do share your experience.
Unless you’re this guy
I actually wanted to see if i can play a music by triggering the device, but sadly the frequency and the width of the pulse is predefined in the firmware for different modes and not controlled in GATT. I still tried. Check the GIT code if you want to zap yourself with some tone.