Hacking into colgate smart tooth brush for fun!

I am Harish SG, a security researcher who studies Masters in Cybersecurity at UT Dallas and AI security intern at Cisco,previously hunted on the Microsoft Bug Bounty Program and Google VRP
我是Harish SG，一名安全研究员，在UT达拉斯大学攻读网络安全硕士学位，在思科大学实习AI，之前曾在Microsoft漏洞赏金计划和Google VRP上被猎杀

I am sharing this article for security awareness and educational purposes only and I am sharing only personal opinions and none of these are related to my work at Cisco
我分享这篇文章只是为了安全意识和教育目的，我只分享个人意见，这些都与我在思科的工作无关

In this article, I am gonna share how I hacked BLE powered Smart tooth brush and how can an attacker can cause nuissance remotely by draining battery and attacker can remotely control vibration motor of the brush.
在本文中，我将分享我如何入侵 BLE 供电的智能牙刷，以及攻击者如何通过耗尽电池电量远程造成滋扰，攻击者可以远程控制牙刷的振动电机。

Disclaimer: I am not responsible if someone abuses this information in this blog against someone and I wrote this article to bring awareness among those app devs and people using those application and devices
免责声明：如果有人在本博客中滥用此信息来对付某人，我不负责，我写这篇文章是为了提高这些应用程序开发人员以及使用这些应用程序和设备的人的认识

Reverse Engineering android application
逆向工程 android 应用程序

Initially , I Reverse Engineered the app to understand how application works internally and what kind of permission it has to understand about data it collects from users. but unfortunately I did not able to reverse engineer application fully due to usage of Android native functions for sending and receiving GATT commands to brush via BLE then instead of reverse engineering .so native files using ARM supported binary reverse engineering tool such as IDA64 , ghidra etc I enabled btsnoop or bluetooth logging option in developer options in Android to log all bluetooth packets sent and received from the phone.
最初，我对应用程序进行了逆向工程，以了解应用程序在内部是如何工作的，以及它必须了解从用户那里收集的数据的权限。但不幸的是，由于使用了 Android 本机函数来发送和接收 GATT 命令以通过 BLE 刷屏，我无法完全对应用程序进行逆向工程，然后使用 ARM 支持的二进制逆向工程工具（如 IDA64、ghidra 等）对 .so 原生文件进行逆向工程我在 Android 的开发人员选项中启用了 btsnoop 或蓝牙日志记录选项，以记录从手机发送和接收的所有蓝牙数据包。

I collected log using adb utility from android phone into PC and I analysed the logs to find values of each Bluetooth Service (GATT) which manipulated to control brush and basically any device supports BLE can connect to this brush without any pin or password and bluetooth module of this always power on so anyone in range of brush can connect and control it without knowledge of its owner
我使用 adb 实用程序将日志从 android 手机收集到 PC 中，并分析了日志以找到每个蓝牙服务 （GATT） 的值，这些服务可以操纵以控制刷子，基本上任何支持 BLE 的设备都可以连接到此刷子，而无需任何引脚或密码和蓝牙模块，因此刷子范围内的任何人都可以在不了解其所有者的情况下连接和控制它

Technically attacker can make this brush work overnight and drain its charge to create nuisance to the owner of this brush
从技术上讲，攻击者可以使这把刷子在一夜之间工作，并耗尽其电量，从而对这把刷子的所有者造成滋扰

From the wireshark logs analysis I figured out sending 1101 to above GATT Service I can power on brush remotely
从 wireshark 日志分析中，我发现将 1101 发送到上面的 GATT 服务，我可以远程打开刷子

From the wireshark logs analysis I figured out sending 15000064022c011027 to above GATT Service I can make brush LED blink
从 wireshark 日志分析中，我发现将 15000064022c011027 发送到上述 GATT 服务，我可以让刷子 LED 闪烁

From the wireshark logs analysis I figured out sending 5000 to above GATT Service I can program brush to vibrate in normal mode and I figured out sending 5001 to above GATT Service I can program brush to vibrate in sensitive mode.
从 wireshark 日志分析中，我发现将 5000 发送到 GATT 服务以上，我可以将刷子编程为在正常模式下振动，我想出将 5001 发送到 GATT 服务以上，我可以将刷子编程为在敏感模式下振动。

I also was able enable DFU Mode in brush remotely and push malicious firmware update
我还能够在刷子中远程启用DFU模式并推送恶意固件更新

Demo Video 演示视频

In this demo , I demonstrated on Hacking a colgate smart brush using NRF Connect application
在这个演示中，我演示了使用 NRF Connect 应用程序破解高露洁智能刷子

Conclusion: 结论：

We conclude that we can easily hack into any BLE powered IOT device using methods I explored in above the research
我们得出的结论是，我们可以使用我在上面的研究中探索的方法轻松入侵任何BLE供电的物联网设备

Thank you for reading my article
感谢您阅读我的文章

Try hacking LLM : https://github.com/harishsg993010/DamnVulnerableLLMProject
尝试黑客攻击 LLM ： https://github.com/harishsg993010/DamnVulnerableLLMProject

Hacking into Bard : https://infosecwriteups.com/hacking-google-bard-24f9dfa7b455
入侵吟游诗人：https://infosecwriteups.com/hacking-google-bard-24f9dfa7b455

Hacking into Facial Recognition system : https://medium.com/bugbountywriteup/hacking-into-facial-recognition-system-using-generative-ai-69a741077f0e
入侵面部识别系统：https://medium.com/bugbountywriteup/hacking-into-facial-recognition-system-using-generative-ai-69a741077f0e

Hacking into tesla : https://medium.com/bugbountywriteup/how-i-hacked-1000-tesla-cars-using-osint-4cd837b8c530
入侵特斯拉：https://medium.com/bugbountywriteup/how-i-hacked-1000-tesla-cars-using-osint-4cd837b8c530