Hacking into a Colgate smart toothbrush for fun!

Harish SG
Published in InfoSec Write-ups
Jan 10, 2024

I am Harish SG, a security researcher studying for a Master's in Cybersecurity at UT Dallas and working as an AI security intern at Cisco. I previously hunted on the Microsoft Bug Bounty Program and the Google VRP.

I am sharing this article for security awareness and educational purposes only. The opinions here are my own and none of them are related to my work at Cisco.

In this article, I will share how I hacked a BLE-powered smart toothbrush, and how an attacker could cause a nuisance remotely by draining its battery and taking control of the brush's vibration motor.

Disclaimer: I am not responsible if someone abuses the information in this blog against someone else. I wrote this article to raise awareness among the developers of these apps and the people using these applications and devices.

Reverse engineering the Android application

Initially, I reverse engineered the app to understand how it works internally and what permissions it has, in order to learn what data it collects from users. Unfortunately, I was not able to reverse engineer the application fully, because it uses Android native functions to send and receive GATT commands to the brush over BLE. Rather than reverse engineering the .so native libraries with an ARM-capable binary reverse engineering tool such as IDA64 or Ghidra, I enabled the btsnoop (Bluetooth HCI logging) option in Android's developer options to log all Bluetooth packets sent and received by the phone.

I pulled the log from the Android phone to my PC with the adb utility and analysed it to find the values written to each Bluetooth (GATT) service that control the brush. Basically, any BLE-capable device can connect to this brush without a PIN or password, and the brush's Bluetooth module is always powered on, so anyone within range can connect to it and control it without the owner's knowledge.
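To make the log-analysis step concrete, here is an added example (my own, not the author's code) that parses an Android btsnoop_hci.log in its native H4 framing and lists every ATT Write Request/Command the phone sent, which is exactly what you need to audit which handles and values an app writes to a device. It assumes Android's btsnoop datalink type 1002 (H4) and runs on a constructed sample log; the connection handle, attribute handles and values in it are placeholders, not the brush's real ones.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002                          # HCI UART (H4) framing, used by Android's btsnoop_hci.log
H4_ACL, L2CAP_CID_ATT = 0x02, 0x0004        # H4 ACL packet-type byte; fixed L2CAP channel for ATT
ATT_WRITE_REQ, ATT_WRITE_CMD = 0x12, 0x52   # ATT opcodes that carry a value to a characteristic

def att_write_from_h4(pkt: bytes):
    """Return (opcode, att_handle, value) if pkt is the first ACL fragment of an ATT write, else None."""
    if len(pkt) < 12 or pkt[0] != H4_ACL:
        return None
    handle_flags, _acl_len = struct.unpack_from("<HH", pkt, 1)
    if (handle_flags >> 12) & 0x3 == 0x1:   # continuing fragment: skipped, long writes need L2CAP reassembly
        return None
    l2cap_len, cid = struct.unpack_from("<HH", pkt, 5)
    att = pkt[9:9 + l2cap_len]
    if cid != L2CAP_CID_ATT or len(att) < 3 or att[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
        return None
    return att[0], struct.unpack_from("<H", att, 1)[0], att[3:]

def parse_btsnoop(data: bytes):
    """Walk every btsnoop record and collect the phone-to-device ATT writes as dicts."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack_from(">II", data, 8)
    if datalink != DATALINK_H4:
        raise ValueError(f"unsupported datalink type {datalink}")
    writes, off = [], 16
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, ts_us = struct.unpack_from(">IIIIq", data, off)
        off += 24
        pkt, off = data[off:off + incl_len], off + incl_len
        res = att_write_from_h4(pkt)
        if res and (flags & 0x1) == 0:      # flag bit 0 clear: sent by the phone, not received
            opcode, handle, value = res
            writes.append({"ts_us": ts_us, "opcode": opcode, "handle": handle, "value": value.hex()})
    return writes

# Constructed sample log (not a real capture): two writes from the phone and one received HCI event.
def _h4_att_write(conn_handle, att_handle, value, opcode=ATT_WRITE_REQ):
    att = bytes([opcode]) + struct.pack("<H", att_handle) + value
    l2cap = struct.pack("<HH", len(att), L2CAP_CID_ATT) + att
    return bytes([H4_ACL]) + struct.pack("<HH", conn_handle | (0x2 << 12), len(l2cap)) + l2cap

def _record(pkt, flags, ts_us):
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts_us) + pkt
SAMPLE_LOG = (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
              + _record(_h4_att_write(0x0040, 0x0010, b"\x5a\xa5"), 0, 1000)
              + _record(bytes([0x04, 0x0e, 0x04, 0x01, 0x03, 0x0c, 0x00]), 3, 2000)
              + _record(_h4_att_write(0x0040, 0x0012, b"\x01\x02\x03", ATT_WRITE_CMD), 0, 3000))
```

On a real capture, call `parse_btsnoop(open("btsnoop_hci.log", "rb").read())` and compare the handles it reports with the characteristics shown in nRF Connect or Wireshark; writes that go out before any pairing or bonding event are the ones worth flagging.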

Technically, an attacker could make this brush run overnight and drain its charge to create a nuisance for its owner.

From the Wireshark log analysis, I found that sending 1101 to the above GATT service powers on the brush remotely.

From the Wireshark log analysis, I found that sending 15000064022c011027 to the above GATT service makes the brush's LED blink.

From the Wireshark log analysis, I found that sending 5000 to the above GATT service programs the brush to vibrate in normal mode, and sending 5001 to the above GATT service programs it to vibrate in sensitive mode.

I was also able to enable DFU mode on the brush remotely and push a malicious firmware update.

Demo Video

In this demo, I show the Colgate smart brush being hacked using the nRF Connect application.

Conclusion:

We conclude that we can easily hack into any BLE-powered IoT device using the methods I explored in the research above.

Thank you for reading my article

Try hacking an LLM: https://github.com/harishsg993010/DamnVulnerableLLMProject

Hacking into Bard : https://infosecwriteups.com/hacking-google-bard-24f9dfa7b455

Hacking into Facial Recognition system : https://medium.com/bugbountywriteup/hacking-into-facial-recognition-system-using-generative-ai-69a741077f0e

Hacking into Tesla: https://medium.com/bugbountywriteup/how-i-hacked-1000-tesla-cars-using-osint-4cd837b8c530

Follow me on Twitter: https://twitter.com/CoderHarish

Follow me on LinkedIn: https://www.linkedin.com/in/harish-santhanalakshmi-ganesan-31ba96171/
