I am Mahendra Purbia, and I am presenting how an attacker can easily hack smart watches, carry out malicious activity and change the firmware.
Thanks to the two people who helped me understand the encryption and authentication and provided me with the CLI tool:
https://github.com/yogeshojha
Special thanks to Yogesh Ojha (sir) & Andrey Nikishaev (sir)
https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43d68c272391
2. Mahendra Purbia
CERTIFIED IN ETHICAL HACKING & CYBER SECURITY
SECURITY RESEARCHER AT CYBER OCTET PRIVATE LIMITED
BUG HUNTER
WORKING WITH RAJASTHAN CYBER CELL
PENETRATION TESTER AT BEFOJJI COMMUNITY
TECHNICAL AUTHOR AT HACKINGVISION & UNIX
LISTED IN NCIIPC.GOV.IN FOR SECURING GOV.IN SITES
SECURED OVER 45+ MNCS AND LISTED ON THEIR SITES
10+ INDUSTRIAL VISITS & HANDS-ON EXPERIENCE
H A C K I N G O F M I B A N D 3 • 2 0 2 0
WHO AM I?
3. Details to Be Discussed
Bluetooth Overview
Bluetooth Classic vs Bluetooth Low Energy
Basic Overview of Bluetooth Low Energy
BLE Stack
Basic Process For Hacking The Band
Analyzing Packets
Authentication
Practical
Conclusion
COVERED TODAY
4. BLUETOOTH?
Bluetooth Story...
Bluetooth is a short-range wireless communication protocol that lets devices such as smartphones and headsets transfer data and/or voice wirelessly.
Developed in 1994 as a replacement for cables.
Uses the 2.4 GHz band and has a range of about 10 meters; the small network it forms between connected devices is called a piconet!
5. BLUETOOTH CLASSIC vs BLUETOOTH LOW ENERGY
BLUETOOTH CLASSIC                                  | BLUETOOTH LOW ENERGY
Great for products that require continuous         | Great for products that do not require continuous
streaming of data                                  | streaming of data
High power consumption                             | Ultra low power consumption
Faster data rate                                   | Slower data rate
High application throughput                        | Low application throughput
Best suited for: headsets, speakers,               | Best suited for: home automation,
Bluetooth hotspots etc.                            | fitness trackers etc.
6. BLUETOOTH LOW ENERGY (4.0)
Bluetooth low energy aka Bluetooth Smart
Designed to be power efficient
Low cost and easy to implement
Used in sensors, lightbulbs, medical devices, wearables and many other
“smart” products.
7. FITNESS TRACKER: MIBAND3
FITNESS TRACKER FOR UNDERSTANDING BLE
8. BLE is based on a specification called the Generic Attribute Profile (GATT), which defines how communication and data transfer between client and server work. The short pieces of information that are sent and received are called attributes.
BLE has a few key concepts, such as profiles, services and characteristics.
Services:
A service is a set of provided features and associated behaviours for interacting with the peripheral. Each service contains a collection of characteristics.
Characteristics: characteristics are defined attribute types that each contain a single logical value.
GENERIC ATTRIBUTE
PROFILE (GATT)
9. Let's Start To Hack
1. Select the target
a. Install the BlueZ stack, hcitool & gatttool
2. Enumerate the services and characteristics
a. Do the scan using hcitool
b. Connect using gatttool
c. List all the services and characteristics
3. Now use a Python script to control the Mi Band 3.
4. Finally do some cool stuff!
BASIC PROCESS
10. Selecting The Target
Goal: Finding the BLE devices near the vicinity
Tools Used: Bluez, hcitool, gatttool
Install BlueZ: $ sudo apt-get install bluez
Install hcitool: hcitool comes preinstalled with the BlueZ stack
11. Analyze Packets on Android
Now we need to know exactly how the mobile application and the Mi Band interact with each other. For that we need to analyze the packets. On Android there is an option to capture all Bluetooth packets to a file: go to Settings -> Developer Settings -> Enable Bluetooth HCI snoop log.
Similarly, for debugging BLE devices there is an app available on the Google Play Store called nRF Connect; download and install it.
12. Enumerate the services and characteristics
sudo gatttool -b <BLE ADDRESS> -I
>connect
13. List all primary services
>primary
14. List all characteristics
>characteristics
15. Authentication
1. Turn on auth notifications (so that we get a response) by writing the 2 bytes \x01\x00 to the descriptor.
2. Send our 16-byte encryption key to the characteristic, prefixed with the 2-byte command \x01\x00 (\x01\x00 + KEY).
3. Request a random key from the device by writing the 2-byte command \x02\x00 to the characteristic.
4. Read the random key from the device's response (the last 16 bytes).
5. Encrypt this random number with our 16-byte key using the AES/ECB/NoPadding algorithm (from Crypto.Cipher import AES) and send the result back to the characteristic as \x03\x00 + encrypted data.
Thanks To Andrey Nikishaev
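The five steps above form a challenge-response handshake: the band hands out a random block and accepts the client only if the client returns that block encrypted under the key the band stores. As an added example (not part of the slides, and not Andrey Nikishaev's or Yogesh Ojha's code), the Go program below models both sides of that exchange so the logic can be run offline: a Band type that accepts the key write, issues a fresh challenge and checks the AES-ECB response, and an Authenticate routine that plays the client. It is written in Go rather than the slides' Python because Go's standard library provides AES without a third-party package. The Band type, its method names, the demoKey value and the main function are all constructed for this example; encrypting a single 16-byte block with AES is exactly what AES/ECB/NoPadding computes for a 16-byte input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// demoKey is a constructed 16-byte pairing key for this example only; a real
// band holds whatever key the phone app wrote to it in step 2.
var demoKey = []byte("0123456789abcdef")

// Band models the peripheral side: it stores the key written to it, keeps at
// most one outstanding challenge, and records whether the client passed.
type Band struct {
	key       []byte
	challenge []byte
	Authed    bool
}

// SetKey handles step 2: a write of \x01\x00 followed by the 16 key bytes.
func (b *Band) SetKey(msg []byte) error {
	if len(msg) != 2+aes.BlockSize || msg[0] != 0x01 || msg[1] != 0x00 {
		return errors.New("malformed key write (want \\x01\\x00 + 16 bytes)")
	}
	b.key = append([]byte(nil), msg[2:]...)
	b.Authed = false
	return nil
}

// Challenge handles step 3: a write of \x02\x00 makes the band answer with a
// fresh 16-byte random value (the "random key" the client reads in step 4).
func (b *Band) Challenge(msg []byte) ([]byte, error) {
	if len(msg) != 2 || msg[0] != 0x02 || msg[1] != 0x00 {
		return nil, errors.New("malformed challenge request")
	}
	if b.key == nil {
		return nil, errors.New("no key provisioned yet")
	}
	b.challenge = make([]byte, aes.BlockSize)
	if _, err := rand.Read(b.challenge); err != nil {
		return nil, err
	}
	return append([]byte(nil), b.challenge...), nil
}

// Verify handles step 5: \x03\x00 + AES-ECB(key, challenge). The band
// recomputes the block itself and compares in constant time. The challenge is
// cleared after one attempt, so a captured response cannot be replayed.
func (b *Band) Verify(msg []byte) bool {
	if b.challenge == nil || len(msg) != 2+aes.BlockSize || msg[0] != 0x03 || msg[1] != 0x00 {
		return false
	}
	expected, err := encryptBlock(b.key, b.challenge)
	b.challenge = nil
	if err != nil {
		return false
	}
	b.Authed = subtle.ConstantTimeCompare(expected, msg[2:]) == 1
	return b.Authed
}

// encryptBlock encrypts exactly one 16-byte block with AES; for a single block
// this is identical to the slide's AES/ECB/NoPadding call.
func encryptBlock(key, block []byte) ([]byte, error) {
	if len(block) != aes.BlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", aes.BlockSize, len(block))
	}
	c, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// Authenticate plays the client (steps 3 to 5) with clientKey against band and
// reports whether the band accepted the response.
func Authenticate(band *Band, clientKey []byte) (bool, error) {
	challenge, err := band.Challenge([]byte{0x02, 0x00})
	if err != nil {
		return false, err
	}
	resp, err := encryptBlock(clientKey, challenge)
	if err != nil {
		return false, err
	}
	return band.Verify(append([]byte{0x03, 0x00}, resp...)), nil
}

func main() {
	band := &Band{}
	if err := band.SetKey(append([]byte{0x01, 0x00}, demoKey...)); err != nil {
		panic(err)
	}
	ok, err := Authenticate(band, demoKey)
	fmt.Println("client holding the provisioned key accepted:", ok, err)
	ok, err = Authenticate(band, bytes.Repeat([]byte{0xff}, aes.BlockSize))
	fmt.Println("client holding a different key accepted:", ok, err)
}
```

Note what the check does and does not establish: the band only proves that the responder knows the key it was handed in step 2, so the strength of the whole scheme rests on that key write and on the key staying secret between the band and the app. Anyone reviewing a similar device should look at how and when that key write is allowed.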
16. The first two bytes are the notification type:
01 -> Email
03 -> Call
04 -> Missed Call
05 -> SMS/MMS
The next two bytes are the number of notifications, and the remainder is the hex value of the notification title that you are sending.
Send some notifications? ;)
17. NOW WE USE THE COMMAND-LINE TOOL TO AUTOMATE ALL THESE TASKS. SO LET'S START.
Practical Time
Thanks to Yogesh Ojha
18. CONCLUSION
The problem here is that hardware manufacturers do not cryptographically sign the firmware embedded in their systems, nor do they include authentication features in their devices that can recognise whether the firmware being pushed is signed by them or not.
They literally accept firmware from anyone! The solution would be for hardware manufacturers to design the firmware, and the firmware updates they distribute, to be cryptographically signed. If they implement these security measures, the cost of the devices goes up again; but these companies have to sell a lot of them at low cost, so they just ignore it!
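As an added example (not code from the slides, and not Xiaomi's), here is what the signed-update check the conclusion asks for looks like in Go, using Ed25519 and SHA-256 from the standard library. The FWv1 container layout, the function names and the sample image are all constructed for this example. The vendor signs the digest of header plus image with a private key that never leaves the vendor; the device holds only the public key, and VerifyUpdate refuses to hand over the image unless the signature verifies. AcceptAnything is the unchecked path the conclusion criticises. A real product would also need rollback protection and a public key stored where the firmware itself cannot overwrite it, which this example does not cover.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// magic tags the constructed update container used in this example:
//   magic (4) | image length, big-endian uint32 (4) | image | Ed25519 signature (64)
const magic = "FWv1"

// GenerateVendorKey stands in for the manufacturer's key ceremony: the private
// half stays with the vendor, only the public half is burned into devices.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Package is the vendor's build step: frame the image and sign its digest so
// that the header (including the length) is covered by the signature too.
func Package(priv ed25519.PrivateKey, image []byte) []byte {
	body := make([]byte, 8, 8+len(image)+ed25519.SignatureSize)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:8], uint32(len(image)))
	body = append(body, image...)
	digest := sha256.Sum256(body)
	return append(body, ed25519.Sign(priv, digest[:])...)
}

// VerifyUpdate is the check a device should run before writing anything to
// flash. It returns the image only if the framing is sane and the signature
// over header plus image verifies under the vendor's public key.
func VerifyUpdate(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < 8+ed25519.SignatureSize {
		return nil, errors.New("package too short")
	}
	if string(pkg[:4]) != magic {
		return nil, errors.New("unknown package format")
	}
	n := int(binary.BigEndian.Uint32(pkg[4:8]))
	if len(pkg) != 8+n+ed25519.SignatureSize {
		return nil, errors.New("length field does not match package size")
	}
	body, sig := pkg[:8+n], pkg[8+n:]
	digest := sha256.Sum256(body)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature invalid: refusing to flash")
	}
	return body[8:], nil
}

// AcceptAnything models the behaviour the conclusion criticises: whatever
// bytes arrive are treated as firmware, with no check of who produced them.
func AcceptAnything(pkg []byte) []byte { return pkg }

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, not a real Mi Band 3 binary")
	pkg := Package(priv, image)

	got, err := VerifyUpdate(pub, pkg)
	fmt.Println("genuine update accepted:", err == nil && bytes.Equal(got, image))

	tampered := append([]byte(nil), pkg...)
	tampered[8] ^= 0x01 // flip one bit of the image payload
	_, err = VerifyUpdate(pub, tampered)
	fmt.Println("tampered update rejected:", err)

	fmt.Println("unchecked device would flash the tampered image:", len(AcceptAnything(tampered)) > 0)
}
```

The same verification must run on every update path the device exposes (BLE, USB, factory recovery), otherwise the unchecked path is the one an update will arrive through.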
19. THANK YOU
Sir Falgun Rathod
Director of CyberOctet
Audience
Hackers Meetup
Organiser & Team
Mayankpurbiamahi_official mahendrapurbia19@gmail.com