HACKING OF MIBAND 3
STARTING WITH IOT
BY MAHENDRA PURBIA
WHO AM I?
Mahendra Purbia
CERTIFIED IN ETHICAL HACKING & CYBER SECURITY
SECURITY RESEARCHER AT CYBER OCTET PRIVATE LIMITED
BUG HUNTER
WORKING WITH RAJASTHAN CYBER CELL
PENETRATION TESTER AT BEFOJJI COMMUNITY
TECHNICAL AUTHOR AT HACKINGVISION & UNIX
LISTED IN NCIIPC.GOV.IN FOR SECURING GOV.IN SITES
SECURED OVER 45+ MNCS AND LISTED ON THEIR SITES
10+ INDUSTRIAL VISITS & HANDS-ON EXPERIENCE
HACKING OF MIBAND 3 • 2020
COVERED TODAY
Details to be discussed:
Bluetooth Overview
Bluetooth Classic vs Bluetooth Low Energy
Basic Overview of Bluetooth Low Energy
BLE Stack
Basic Process for Hacking the Band
Analyzing Packets
Authentication
Practical
Conclusion
BLUETOOTH?
Bluetooth story...
Bluetooth is a short-range wireless communication protocol that lets devices such as smartphones and headsets transfer data and/or voice wirelessly.
Developed in 1994 (at Ericsson) as a replacement for cables.
Operates in the 2.4 GHz ISM band. A typical Class 2 radio reaches about 10 metres, and the small ad-hoc network formed by one master and the devices connected to it is called a piconet.
BLUETOOTH CLASSIC vs BLUETOOTH LOW ENERGY

BLUETOOTH CLASSIC                                   | BLUETOOTH LOW ENERGY
----------------------------------------------------|----------------------------------------------------
Great for products that require continuous          | Great for products that do not require continuous
streaming of data                                   | streaming of data
High power consumption                              | Ultra-low power consumption
Faster data rate                                    | Slower data rate
High application throughput                         | Low application throughput
Best suited for: headsets, speakers,                | Best suited for: home automation,
Bluetooth hotspots, etc.                            | fitness trackers, etc.
BLUETOOTH LOW ENERGY (4.0)
Bluetooth Low Energy, aka Bluetooth Smart, was introduced with the Bluetooth 4.0 specification.
Designed to be power efficient.
Low cost and easy to implement.
Used in sensors, light bulbs, medical devices, wearables and many other "smart" products.
FITNESS TRACKER: MIBAND3
FITNESS TRACKER FOR UNDERSTANDING BLE
GENERIC ATTRIBUTE PROFILE (GATT)
BLE data exchange is built on the Generic Attribute Profile (GATT), which defines how a client (here the phone, or our laptop) reads and writes data held by a server (the band). Each short piece of information that is sent or received is called an attribute, and every attribute is addressed by a 16-bit handle.
GATT has a few key concepts: profiles, services, characteristics and descriptors.
Services: a set of related features and the associated behaviour for interacting with the peripheral. Each service contains a collection of characteristics.
Characteristics: defined attribute types that contain a single logical value, together with a properties bitmask that says whether the value can be read, written, or pushed to the client as a notification.
Descriptors: extra attributes attached to a characteristic. The one that matters here is the Client Characteristic Configuration Descriptor (CCCD, UUID 0x2902): writing the two bytes 0x01 0x00 to it turns notifications on for that characteristic, which is the descriptor write that the authentication steps below start with.
BASIC PROCESS
Let's start to hack
1. Select the target
   a. Install the BlueZ stack, hcitool & gatttool
2. Enumerate the services and characteristics
   a. Scan for the band's address using hcitool
   b. Connect using gatttool
   c. List all the services and characteristics
3. Use a Python script to drive the Mi Band 3 (authenticate, then write to the characteristics found above).
4. Finally, do some cool stuff!
Selecting the target
Goal: find the BLE devices in the vicinity.
Tools used: BlueZ, hcitool, gatttool
Install BlueZ: $ sudo apt-get install bluez
Install hcitool: hcitool ships with the BlueZ package on most distributions. Note that newer BlueZ releases mark hcitool and gatttool as deprecated and some distributions no longer package them, so confirm both binaries are present after installing; bluetoothctl is the supported replacement.
Analyze packets on Android
Now we need to know exactly how the mobile application and the Mi Band talk to each other, so we capture the packets. Android can log every HCI packet to a file: go to Settings > Developer options > Enable Bluetooth HCI snoop log, then pair and use the Mi Fit app normally. Pull the resulting btsnoop_hci.log (its location varies by Android version; recent versions export it through a bug report) and open it in Wireshark, which dissects the ATT reads, writes and notifications with their handles and values.
For interactive debugging of a BLE device there is also an app on the Google Play Store called nRF Connect; download and install it to browse services and characteristics and write values by hand.
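The snoop log is a btsnoop container, and the ATT traffic inside it is what we are after. The following is an added example (my code, not from the talk, Xiaomi or any library) that parses the btsnoop file format, pulls out the ATT reads, writes and notifications with their handles and values, and then runs the check a reviewer of such a capture wants: is the 16-byte key-provisioning write sitting in the log? The sample log is constructed inside the block from hand-built H4/HCI/L2CAP/ATT packets; the handles 0x000e/0x000f, the placeholder key and the 0x10 command status notification framing are assumptions taken from the community write-ups, so compare them with your own capture.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_ACL_DATA = 0x02                 # H4 packet type byte in front of every ACL data packet
L2CAP_CID_ATT = 0x0004             # fixed L2CAP channel that carries ATT on LE links
# ATT opcodes that carry a handle: what the app sends and what the band pushes back
ATT_OPCODES = {0x0A: "Read Request", 0x12: "Write Request", 0x52: "Write Command",
               0x1B: "Handle Value Notification"}


def parse_btsnoop(blob):
    """Yield (direction, packet) for each record of a btsnoop file as Android writes it."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != 1002:        # 1002 = HCI UART (H4): packets start with the type byte
        raise ValueError("unsupported btsnoop version/datalink %d/%d" % (version, datalink))
    pos = 16
    while pos + 24 <= len(blob):                # record: orig len, incl len, flags, drops, timestamp
        _orig_len, incl_len, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pos += 24
        yield ("ctrl->host" if flags & 1 else "host->ctrl"), blob[pos:pos + incl_len]
        pos += incl_len


def extract_att(blob):
    """List of (direction, opcode name, handle, value) for every unfragmented ATT PDU in the log."""
    found = []
    for direction, pkt in parse_btsnoop(blob):
        if len(pkt) < 9 or pkt[0] != H4_ACL_DATA:
            continue
        # HCI ACL header: connection handle+flags, data length; L2CAP header: length, channel id
        _conn, acl_len, l2_len, cid = struct.unpack("<HHHH", pkt[1:9])
        if cid != L2CAP_CID_ATT or acl_len != l2_len + 4:    # other channels, or a fragmented PDU
            continue
        att = pkt[9:9 + l2_len]
        if len(att) < 3 or att[0] not in ATT_OPCODES:
            continue
        found.append((direction, ATT_OPCODES[att[0]], struct.unpack("<H", att[1:3])[0], att[3:]))
    return found


def find_auth_key_writes(att_records):
    """A write whose value is 01 00 followed by 16 bytes is the band's key-provisioning command,
    so the key is recoverable from the log whenever the link was not encrypted at the BLE layer."""
    return [v[2:] for _d, op, _h, v in att_records
            if op in ("Write Request", "Write Command") and v[:2] == b"\x01\x00" and len(v) == 18]


# --- constructed sample log: the handshake writes and notifications, on made-up handles ---
def _record(from_band, att_pdu, conn_handle=0x0040):
    l2cap = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    acl = bytes([H4_ACL_DATA]) + struct.pack("<HH", conn_handle | 0x2000, len(l2cap)) + l2cap
    return struct.pack(">IIIIq", len(acl), len(acl), 1 if from_band else 0, 0, 0) + acl


def _write(handle, value):             # ATT Write Request
    return b"\x12" + struct.pack("<H", handle) + value


def _notify(handle, value):            # ATT Handle Value Notification
    return b"\x1b" + struct.pack("<H", handle) + value


SAMPLE_KEY = bytes.fromhex("30313233343536373839404142434445")   # placeholder key, not a real one
SAMPLE_RANDOM = bytes(range(0xA0, 0xB0))
SAMPLE_LOG = (BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
              + _record(False, _write(0x000f, b"\x01\x00"))                    # enable notifications (CCCD)
              + _record(False, _write(0x000e, b"\x01\x00" + SAMPLE_KEY))       # send key
              + _record(True, _notify(0x000e, b"\x10\x01\x01"))                # band: key accepted
              + _record(False, _write(0x000e, b"\x02\x00"))                    # request random number
              + _record(True, _notify(0x000e, b"\x10\x02\x01" + SAMPLE_RANDOM)))  # band: random number
```

Run `extract_att(open("btsnoop_hci.log", "rb").read())` on a real pull; `find_auth_key_writes` on the result tells you in one line whether the capture hands over the key. The parser deliberately skips fragmented ACL packets (ACL length not equal to L2CAP length plus 4), which is fine for the short ATT PDUs this band uses; for long reads you would reassemble continuation fragments first, or simply open the same file in Wireshark.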
Enumerate the services and characteristics
Connect to the band interactively (the address comes from the hcitool scan):
sudo gatttool -b <BLE ADDRESS> -I
> connect
List all primary services:
> primary
List all characteristics:
> characteristics
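The three listings gatttool prints (`primary`, `characteristics` and `char-desc`) are what you work from for the rest of the engagement, so it pays to parse them rather than read handles off the screen. Below is an added example (my code, not part of the talk or of BlueZ) that parses gatttool's own output lines, decodes each characteristic's properties bitmask, joins every characteristic to its service, and locates its CCCD so notifications can be enabled on the right handle. The sample outputs are constructed: the handles are made up, and the 0xFEE1 service and the 00000009-0000-3512-2118-0009af100700 auth characteristic are the UUIDs the community write-ups document for this band, which you should verify against your own listing.

```python
import re

# Characteristic property bits from the Bluetooth Core spec; 0x0a therefore means read + write.
PROPERTY_BITS = {0x02: "read", 0x04: "write-without-response", 0x08: "write",
                 0x10: "notify", 0x20: "indicate"}
CCCD_UUID = "00002902-0000-1000-8000-00805f9b34fb"
# Assumed (community-documented, verify against your own listing): the band's auth characteristic.
AUTH_CHAR_UUID = "00000009-0000-3512-2118-0009af100700"

# Constructed sample output in gatttool's own line format; handles are invented for the example.
PRIMARY_OUTPUT = """\
attr handle: 0x0001, end grp handle: 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle: 0x0008, end grp handle: 0x000b uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle: 0x000c, end grp handle: 0x0015 uuid: 0000fee1-0000-1000-8000-00805f9b34fb
attr handle: 0x0016, end grp handle: 0x001b uuid: 00001811-0000-1000-8000-00805f9b34fb
"""
CHARACTERISTICS_OUTPUT = """\
handle: 0x0002, char properties: 0x0a, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x000d, char properties: 0x18, char value handle: 0x000e, uuid: 00000009-0000-3512-2118-0009af100700
handle: 0x0017, char properties: 0x0c, char value handle: 0x0018, uuid: 00002a46-0000-1000-8000-00805f9b34fb
"""
CHAR_DESC_OUTPUT = """\
handle: 0x000e, uuid: 00000009-0000-3512-2118-0009af100700
handle: 0x000f, uuid: 00002902-0000-1000-8000-00805f9b34fb
handle: 0x0018, uuid: 00002a46-0000-1000-8000-00805f9b34fb
"""

_HEX = r"(0x[0-9a-fA-F]+)"
_UUID = r"([0-9a-fA-F-]+)"


def parse_primary(text):
    """'attr handle: 0x0001, end grp handle: 0x0007 uuid: ...' -> [(start, end, uuid)]."""
    pat = re.compile(r"attr handle: %s, end grp handle: %s uuid: %s" % (_HEX, _HEX, _UUID))
    return [(int(s, 16), int(e, 16), u.lower()) for s, e, u in pat.findall(text)]


def parse_characteristics(text):
    """'handle: ..., char properties: ..., char value handle: ..., uuid: ...' -> list of dicts."""
    pat = re.compile(r"handle: %s, char properties: %s, char value handle: %s, uuid: %s"
                     % (_HEX, _HEX, _HEX, _UUID))
    chars = []
    for decl, props, value, uuid in pat.findall(text):
        bits = int(props, 16)
        chars.append({"decl": int(decl, 16), "value": int(value, 16), "uuid": uuid.lower(),
                      "props": [name for bit, name in PROPERTY_BITS.items() if bits & bit]})
    return chars


def parse_char_desc(text):
    """'handle: 0x000f, uuid: ...' -> [(handle, uuid)]."""
    pat = re.compile(r"handle: %s, uuid: %s" % (_HEX, _UUID))
    return [(int(h, 16), u.lower()) for h, u in pat.findall(text)]


def map_attributes(primary, characteristics, descriptors):
    """Join the three listings: each characteristic gets its service UUID, decoded properties and,
    if it has one, the handle of its CCCD (a 0x2902 descriptor lying between its value handle and
    the next characteristic declaration or the end of its service)."""
    services = parse_primary(primary)
    chars = parse_characteristics(characteristics)
    descs = parse_char_desc(descriptors)
    attrs = []
    for i, ch in enumerate(chars):
        owner = [(s, e, u) for s, e, u in services if s <= ch["decl"] <= e]
        bounds = [c["decl"] - 1 for c in chars[i + 1:]] + [e for _s, e, _u in owner]
        end = min(bounds) if bounds else 0xFFFF
        cccd = next((h for h, u in descs if u == CCCD_UUID and ch["value"] < h <= end), None)
        attrs.append(dict(ch, service=owner[0][2] if owner else None, cccd=cccd))
    return attrs


def command_channels(attrs):
    """Characteristics that are writable and notify: the request/response channels worth probing first."""
    return [a for a in attrs if "notify" in a["props"]
            and ("write" in a["props"] or "write-without-response" in a["props"])]
```

Paste the real output of `primary`, `characteristics` and `char-desc` into the three strings and `map_attributes` gives you, per characteristic, the value handle to write to and the CCCD handle that needs `char-write-req <cccd> 0100` before the band's responses arrive as notifications. `command_channels` is the triage step: a characteristic that both accepts writes and notifies is a command channel, and on this band that is exactly the auth characteristic.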
Authentication
The band ignores most commands until the client proves it knows a 16-byte key, using a challenge-response exchange on the band's authentication characteristic (reverse engineered by Andrey Nikishaev):
1. Turn on auth notifications (so we get responses) by writing the 2 bytes 0x01 0x00 to the characteristic's descriptor (the CCCD).
2. Send our 16-byte encryption key to the characteristic: the command bytes 0x01 0x00 followed by KEY. This is an ordinary characteristic write; if the link is not encrypted by BLE pairing, the HCI snoop log captured earlier contains the key in full.
3. Request a random number from the device by writing the 2 bytes 0x02 0x00 to the characteristic.
4. Take the random number from the device's notification (its last 16 bytes).
5. Encrypt that random number with our 16-byte key using AES/ECB/NoPadding (from Crypto.Cipher import AES, i.e. pycryptodome) and write the result back to the characteristic as 0x03 0x00 + ciphertext. A success notification means the session is authenticated and the other characteristics will now accept writes.
Thanks to Andrey Nikishaev
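The handshake above, run end to end with both sides' messages, as an added example (my code, not the talk's script, Nikishaev's or Xiaomi's firmware). The band side is a simulator of a fresh device's auth characteristic: it accepts the key once, hands out a random challenge, and checks the AES response. Its 0x10 command status notification framing (0x01 success, 0x04 failure) is an assumption taken from the community write-ups. A textbook AES-128 block encryption is included so the block runs with no third-party module; in your own script use pycryptodome as the slide does (`AES.new(key, AES.MODE_ECB).encrypt(random_number)`).

```python
import os

# Minimal textbook AES-128 (encrypt only) so the example has no third-party dependency.
def _xtime(a):                       # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _make_sbox():
    sbox, p, q = [0] * 256, 1, 1     # invariant: p * q == 1 in GF(2^8); 3 generates the group
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                                               # q /= 3
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)           # affine map of the inverse
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def _round_keys(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]                    # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_ecb_encrypt_block(key, block):
    """AES/ECB/NoPadding on exactly one 16-byte block, which is all the handshake needs."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("key and block must be 16 bytes")
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows (state is column-major)
        if rnd < 10:                                          # MixColumns, skipped in the last round
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                for r in range(4):
                    s[c + r] = a[r] ^ t ^ _xtime(a[r] ^ a[(r + 1) % 4])
        s = [b ^ k for b, k in zip(s, rk[rnd])]               # AddRoundKey
    return bytes(s)


class SimulatedBand:
    """Stand-in for a fresh band's auth characteristic (a test double, not Xiaomi's firmware).
    Response framing 0x10 <command> <status> with 0x01 = ok and 0x04 = failure is assumed from
    the community write-ups the slides credit."""

    def __init__(self):
        self.key, self.challenge = None, None

    def write(self, data):
        """Accept one characteristic write and return the notification the band would send back."""
        cmd = data[:2]
        if cmd == b"\x01\x00" and len(data) == 18:         # key provisioning: accepted once, in the clear
            if self.key is not None:
                return b"\x10\x01\x04"
            self.key = data[2:]
            return b"\x10\x01\x01"
        if cmd == b"\x02\x00" and self.key is not None:    # hand out a fresh 16-byte challenge
            self.challenge = os.urandom(16)
            return b"\x10\x02\x01" + self.challenge
        if cmd == b"\x03\x00" and self.challenge is not None:
            ok = data[2:] == aes128_ecb_encrypt_block(self.key, self.challenge)
            self.challenge = None                          # one response per challenge
            return b"\x10\x03\x01" if ok else b"\x10\x03\x04"
        return b"\x10\x00\x04"


def authenticate(write, key, send_key=True):
    """Client side. `write` sends bytes to the auth characteristic and returns the notification
    (over gatttool: enable the CCCD with 01 00 first, then char-write-req and read the reply)."""
    if send_key and write(b"\x01\x00" + key)[:3] != b"\x10\x01\x01":
        return False
    resp = write(b"\x02\x00")
    if resp[:3] != b"\x10\x02\x01" or len(resp) != 19:
        return False
    return write(b"\x03\x00" + aes128_ecb_encrypt_block(key, resp[-16:]))[:3] == b"\x10\x03\x01"
```

`authenticate(band.write, key)` provisions the key and passes the challenge; `authenticate(band.write, key, send_key=False)` is every later session, where only the challenge-response runs. Two things the simulator makes visible: a second, different key is refused once the band has one, so an attacker cannot simply re-provision a band someone else owns, but anyone who captured the original key write (the snoop log from the earlier slide is enough) holds everything needed to pass the challenge on every later connection, because the challenge-response proves possession of that one static key and nothing else.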
Sending notifications
The values below match the category IDs of the standard Bluetooth Alert Notification Service "New Alert" characteristic (category, count, text), so a notification write is laid out like this:
The first byte (two hex digits) is the notification type:
01 -> Email
03 -> Call
04 -> Missed call
05 -> SMS/MMS
The next byte is the number of new notifications.
The remaining bytes are the notification title as text (gatttool takes it as its hex encoding).
Send some notifications? ;)
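An added example (my code, not the talk's tool) that builds and decodes that value and emits the gatttool line to write it. It also enforces the limit the slide does not mention: with the default ATT MTU of 23 a single write carries 20 bytes of value, so a title longer than 18 bytes needs a larger negotiated MTU or will not fit in one write. The handle 0x0018 in the usage is invented; take the real one from your `characteristics` listing. The category table is the standard one, of which the slide's four values are a subset.

```python
# Category IDs of the Bluetooth Alert Notification Service "New Alert" characteristic (0x2A46).
ALERT_CATEGORIES = {0: "simple alert", 1: "email", 2: "news", 3: "call", 4: "missed call",
                    5: "sms/mms", 6: "voice mail", 7: "schedule", 8: "high priority",
                    9: "instant message"}
DEFAULT_ATT_MTU = 23            # BLE default until the client negotiates a larger MTU


def max_title_bytes(att_mtu=DEFAULT_ATT_MTU):
    """One ATT write carries MTU - 3 bytes of value; two of those are the category and the count."""
    return att_mtu - 3 - 2


def encode_new_alert(category, count, title, att_mtu=DEFAULT_ATT_MTU):
    """Build the value written to the band: category (1 byte), number of new alerts (1 byte), UTF-8 title."""
    if category not in ALERT_CATEGORIES:
        raise ValueError("unknown alert category %d" % category)
    if not 0 <= count <= 255:
        raise ValueError("count must fit in one byte")
    text = title.encode("utf-8")
    if len(text) > max_title_bytes(att_mtu):
        raise ValueError("title is %d bytes, at most %d fit in one write at MTU %d"
                         % (len(text), max_title_bytes(att_mtu), att_mtu))
    return bytes([category, count]) + text


def decode_new_alert(value):
    """Inverse: turn a captured write (e.g. from the HCI snoop log) back into its fields."""
    if len(value) < 2:
        raise ValueError("New Alert value needs at least category and count")
    return {"category": ALERT_CATEGORIES.get(value[0], "unknown (%d)" % value[0]),
            "count": value[1], "title": value[2:].decode("utf-8", errors="replace")}


def gatttool_line(handle, value, with_response=True):
    """The interactive gatttool command that writes this value; both forms take the value as hex."""
    return "%s 0x%04x %s" % ("char-write-req" if with_response else "char-write-cmd",
                             handle, value.hex())


if __name__ == "__main__":
    value = encode_new_alert(5, 1, "Hi there")            # one SMS/MMS alert titled "Hi there"
    print(gatttool_line(0x0018, value))                   # handle 0x0018 is an assumed value
    print(decode_new_alert(value))
```

`char-write-req` waits for the band's write response and so tells you whether the band accepted the value; `char-write-cmd` is fire-and-forget and is the right choice only for characteristics whose properties include write-without-response.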
Practical time
Now we use the command-line tool to automate all these tasks. So let's start.
Thanks to Yogesh Ojha
CONCLUSION
The problem here is that hardware manufacturers do not cryptographically sign the firmware embedded in their systems, nor include authentication features in their devices that can recognise whether the firmware being pushed is signed by them or not. They literally accept firmware from anyone!
The solution could be for hardware manufacturers to design the firmware, and the firmware updates they distribute, to be cryptographically signed. If they implement these security measures, the cost of the devices increases again; but these companies have to sell a lot of them at low cost, so they just ignore it.
THANK YOU
Sir Falgun Rathod, Director of CyberOctet
Audience
Hackers Meetup organiser & team
Mayankpurbiamahi_official | mahendrapurbia19@gmail.com
