Hello people, I am writing a blog post after a long time. Guess I should make it a worthy one. I have been working with Bluetooth for quite some time, so I have decided to write about it.

I chose to reverse engineer a smart device simply because I wanted to write a blog post, and this shows how security is implemented in these smart devices. In this post, I will show you how I reverse engineered a Bluetooth-based (smart) massager and how I could exploit it to make it lethal.

Now why is a massager lethal?

A massager works on a principle called TENS (transcutaneous electrical nerve stimulation). Our entire nervous system works on neural impulses, which are electrical signals. Everything from the sensation of a pinch to the sensation of an orgasm is an electrical impulse that makes your brain secrete different hormones, and you feel pain or pleasure.

These TENS devices are attached with gel electrodes to the region of the body that needs to be massaged, and they send small electrical signals at a specific frequency that cancel the pain signal before it reaches your brain. These are mostly in the range of 50 to 300 V at 10 to 500 mA with 1 to 250 Hz.

The problem is that if any of these parameters is manipulated, it could result in a painful experience such as a sudden muscle reflex, skin burns or even nerve damage.

Before I dig into the “hows”, let me first give you a short introduction to Bluetooth LE/4.0+. Nothing deep; detailed information is already available here.

Bluetooth LE/4.0+ is completely different from Bluetooth Classic. As the name says, it has very low power consumption, around 15–20 mA during transmission, which makes it easier to build battery-powered devices that last longer, like smart watches, beacons and this smart massager.

Bluetooth LE works in a server-client fashion, where the client is called the “central” (your mobile phone or laptop) and the server is called the “peripheral” (your end devices such as wearables, beacons and sensor networks).

Every device has one or more “services”. Based on their functionality they have different services; for example, a smart watch will have one service for device information, one for heart rate information and another for firmware update.

Inside these services you will see a lot of parameters called “characteristics”. These are the places where your application and the device send and receive data. This entire process is handled by the Generic Attribute Profile (GATT) in the Bluetooth LE stack.

The next question is: are there any security mechanisms if you want to access this data?

Yes. Bluetooth does offer an option to secure your communication. It is a three-step process.

1. Connecting: the central device just connects to the peripheral and can access all the data in the GATT.

2. Pairing: the central device needs to pair using some I/O, so any new device that tries to connect to it needs physical access. This is where all the data starts being encrypted with AES when transmitted over the air, and it is also the step in which the key is exchanged.

3. Bonding: this allows the device to connect to an already paired device using the key that was exchanged during pairing.

The problem with pairing is that for devices like a smart bulb or a smart beacon, it is hard to fit a keypad or display to pair with, so the device just works on connection without any pairing. That makes it easy for anyone to connect to it and gain access to the GATT.
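To make the three steps concrete, here is a small model of what each link state (connected, paired, bonded) lets a central reach in a peripheral's GATT, and why a peripheral with no keypad or display can never demand more than a "Just Works" pairing. This is an added example, not code from the original post; the three massager-like peripherals, their characteristic names and their permission flags are constructed for illustration, and the I/O capability rule is a simplified form of the legacy-pairing table in the Bluetooth Core specification.

```python
"""Model of the three link states described in the post (connecting, pairing,
bonding) and of what each one lets a central write in a peripheral's GATT.
Added example, not code from the original post; the peripherals and their
attribute tables are constructed for illustration, not dumped from any device."""
from dataclasses import dataclass, field
from enum import IntEnum

# I/O capabilities a BLE device declares during pairing (Core spec names).
IO_NONE = "NoInputNoOutput"
IO_DISPLAY_ONLY = "DisplayOnly"
IO_DISPLAY_YESNO = "DisplayYesNo"
IO_KEYBOARD_ONLY = "KeyboardOnly"
IO_KEYBOARD_DISPLAY = "KeyboardDisplay"
_HAS_KEYBOARD = {IO_KEYBOARD_ONLY, IO_KEYBOARD_DISPLAY}


class LinkState(IntEnum):
    CONNECTED = 0  # step 1: plain connection, nothing encrypted
    PAIRED = 1     # step 2: keys exchanged, link encrypted
    BONDED = 2     # step 3: keys stored, encrypted link restored without re-pairing


def pairing_method(central_io: str, peripheral_io: str) -> str:
    """Simplified legacy-pairing rule from the Core spec's I/O capability table:
    if either side has no keyboard and no display, or neither side can type,
    the only option is "Just Works", which encrypts the link but never proves
    who the peer is. A passkey needs one side that can type it."""
    if IO_NONE in (central_io, peripheral_io):
        return "JustWorks"
    if central_io not in _HAS_KEYBOARD and peripheral_io not in _HAS_KEYBOARD:
        return "JustWorks"
    return "PasskeyEntry"


@dataclass
class Characteristic:
    name: str
    writable: bool
    needs_encryption: bool = False      # writable only over an encrypted link
    needs_authentication: bool = False  # ... and only after a passkey pairing


@dataclass
class Peripheral:
    name: str
    io: str
    chars: list = field(default_factory=list)


def writable_chars(p: Peripheral, state: LinkState, central_io: str) -> list:
    """Names of the characteristics a central in `state` may write."""
    method = pairing_method(central_io, p.io)
    out = []
    for c in p.chars:
        if not c.writable:
            continue
        if c.needs_encryption and state < LinkState.PAIRED:
            continue
        if c.needs_authentication and (state < LinkState.PAIRED or method == "JustWorks"):
            continue
        out.append(c.name)
    return out


def unauthenticated_surface(p: Peripheral) -> list:
    """Everything a stranger can write after step 1 alone: the central needs
    no I/O at all, only the ability to connect."""
    return writable_chars(p, LinkState.CONNECTED, IO_NONE)


# Constructed model of a massager-like device: no keypad, no display, and no
# permissions on its control characteristics (hypothetical names).
OPEN_MASSAGER = Peripheral("massager (as shipped)", IO_NONE, [
    Characteristic("mode", writable=True),
    Characteristic("intensity", writable=True),
    Characteristic("timer", writable=True),
    Characteristic("battery level", writable=False),
])

# Same device with encryption required on the controls: a stranger must at
# least pair before writing, but with no I/O nothing can demand a passkey.
HARDENED_MASSAGER = Peripheral("massager (encrypt-required)", IO_NONE, [
    Characteristic("mode", writable=True, needs_encryption=True),
    Characteristic("intensity", writable=True, needs_encryption=True),
    Characteristic("timer", writable=True, needs_encryption=True),
    Characteristic("battery level", writable=False),
])

# Hypothetical variant with a display, so a passkey can be shown and typed
# on the phone: an authenticated pairing becomes possible.
DISPLAY_MASSAGER = Peripheral("massager (display, auth-required)", IO_DISPLAY_ONLY, [
    Characteristic("intensity", writable=True, needs_encryption=True,
                   needs_authentication=True),
])

if __name__ == "__main__":
    for dev in (OPEN_MASSAGER, HARDENED_MASSAGER, DISPLAY_MASSAGER):
        print(f"{dev.name}: writable on bare connection -> {unauthenticated_surface(dev)}")
        print(f"   after pairing with a phone that has no keyboard -> "
              f"{writable_chars(dev, LinkState.PAIRED, IO_NONE)}")
```

Run it and the first device shows every control writable on a bare connection, which is the situation the post describes; requiring encryption pushes the attacker to step 2, but only a peripheral with some I/O can make step 2 an authenticated one.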

Now let's talk about how I reverse engineered the Bluetooth massager.

I wanted to open the device and show you possible attack vectors on the hardware, but I will keep that for the next blog post, since there is JTAG on the device.

I downloaded the official mobile application and tried to understand the inputs and outputs in the UI, i.e. its functionality.

So the application allows me to change:

1. Mode of massage.

2. Intensity of the massage.

3. Timer to stop the massage.

4. View battery level and scan for devices.

The next step is to check whether the device has any kind of pairing or other security mechanism.

I used an Android application called “nRF Connect”, which is a GATT explorer that can connect to the device and list all its services and characteristics.

I turned my massager on and tried connecting to it.

Tada! It got connected. Now I can read and receive data from its characteristics.
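The services-and-characteristics structure introduced earlier is exactly what a GATT explorer prints after a connection like this one, so here is a small parser for such a listing that expands the short 16-bit UUIDs to their 128-bit form, names the Bluetooth SIG-assigned services and characteristics, and reports which characteristics accept writes. This is an added example, not code from the original post or from nRF Connect; the listing it reads is constructed in the shape such a tool shows, and the vendor UUIDs in it are placeholders, not values read from the massager.

```python
"""Parse a GATT explorer-style listing (services, characteristics, properties),
expand SIG 16-bit UUIDs, and list the writable characteristics. Added example;
the sample listing and its vendor UUIDs are constructed placeholders."""
import re

# Bluetooth Base UUID: a 16-bit SIG number N is 0000NNNN-0000-1000-8000-00805f9b34fb.
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Small subset of SIG-assigned numbers (services 0x18xx, characteristics 0x2Axx).
SIG_NAMES = {
    0x1800: "Generic Access", 0x1801: "Generic Attribute",
    0x180A: "Device Information", 0x180D: "Heart Rate", 0x180F: "Battery Service",
    0x2A00: "Device Name", 0x2A19: "Battery Level",
    0x2A29: "Manufacturer Name String", 0x2A37: "Heart Rate Measurement",
}
WRITE_PROPS = {"WRITE", "WRITE NO RESPONSE"}


def expand_uuid(short: int) -> str:
    """16-bit SIG UUID -> 128-bit form, e.g. 0x180F -> 0000180f-...-00805f9b34fb."""
    return f"0000{short:04x}{BASE_UUID_SUFFIX}"


def short_uuid(uuid128: str):
    """Inverse of expand_uuid; None when the UUID is not on the SIG base."""
    u = uuid128.lower()
    if u.startswith("0000") and u.endswith(BASE_UUID_SUFFIX):
        return int(u[4:8], 16)
    return None


def describe(uuid128: str) -> str:
    n = short_uuid(uuid128)
    if n is None:
        return "vendor-specific"
    return SIG_NAMES.get(n, f"SIG 0x{n:04X} (not in table)")


_SVC = re.compile(r"^Service\s+([0-9a-fA-F-]{36})")
_CHR = re.compile(r"^\s+Characteristic\s+([0-9a-fA-F-]{36})\s+Properties:\s*(.*)$")


def parse_gatt_dump(text: str) -> list:
    """-> [{"uuid", "name", "characteristics": [{"uuid", "name", "properties"}]}]"""
    services = []
    for line in text.splitlines():
        m = _SVC.match(line)
        if m:
            services.append({"uuid": m.group(1).lower(), "name": describe(m.group(1)),
                             "characteristics": []})
            continue
        m = _CHR.match(line)
        if m and services:
            props = {p.strip().upper() for p in m.group(2).split(",") if p.strip()}
            services[-1]["characteristics"].append(
                {"uuid": m.group(1).lower(), "name": describe(m.group(1)), "properties": props})
    return services


def writable_characteristics(services: list) -> list:
    """UUIDs of every characteristic that accepts writes. On a device that never
    pairs, this is the control surface any connected central can reach."""
    return [c["uuid"] for s in services for c in s["characteristics"]
            if c["properties"] & WRITE_PROPS]


# Constructed listing in the shape a GATT explorer prints; not a real dump.
# The 12345678-... UUIDs stand in for a vendor's private service.
SAMPLE_DUMP = """\
Service 00001800-0000-1000-8000-00805f9b34fb
  Characteristic 00002a00-0000-1000-8000-00805f9b34fb  Properties: READ
Service 0000180f-0000-1000-8000-00805f9b34fb
  Characteristic 00002a19-0000-1000-8000-00805f9b34fb  Properties: READ, NOTIFY
Service 12345678-1234-5678-1234-56789abcdef0
  Characteristic 12345678-1234-5678-1234-56789abcdef1  Properties: WRITE, WRITE NO RESPONSE
  Characteristic 12345678-1234-5678-1234-56789abcdef2  Properties: READ, NOTIFY
"""

if __name__ == "__main__":
    svcs = parse_gatt_dump(SAMPLE_DUMP)
    for s in svcs:
        print(f"Service {s['uuid']}  [{s['name']}]")
        for c in s["characteristics"]:
            print(f"  {c['uuid']}  [{c['name']}]  {sorted(c['properties'])}")
    print("writable:", writable_characteristics(svcs))
```

The SIG-named entries (Generic Access, Battery Service) are the same on almost every device; the vendor-specific service with writable characteristics is where the device's own controls live and is the part to review first when you find, as here, that no pairing stands in front of it.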