The document discusses hacking a BLE smartwatch. It begins with an introduction of the speaker as an independent security researcher. It then covers relevant research on authenticating Mi Band 2 and reverse engineering BLE from Android apps. The rest of the document discusses the speaker's process of discovering the authentication procedure of a smartwatch by using tools like GATTACKER, Android hcidump, and FRIDA to actively sniff the communication and map out the characteristic UUIDs and handles. It concludes with a proof-of-concept script to demonstrate altering the authentication by adjusting a recent proof-of-concept from another researcher.

1. Hacking
BLE SmartWatch
IDSECCONF 2019, Cirebon
SMRX86

2. #whoami
Independent security researcher.
My job is doing trick to impress client.
Speaker Idsecconf 2013, 2014, 2015, etc.

3. Relevant Research
Leo Soares. “Mi Band 2, Part 1: Authentication.”, Internet: https://
leojrfs.github.io/writing/miband2-part1-auth/, Nov. 25, 2017.
David Lodge, “Reverse Engineering BLE from Android apps with Frida”,
Internet: https://www.pentestpartners.com/security-blog/reverse-engineering-
ble-from-android-apps-with-frida/, Feb 23, 2018.

4. BASIC BLE
IDSECCONF 2019, Cirebon
SMRX86

5. BLE Communication Layer

6. Characteristic & Handle

7. Characteristic & Handle

8. Characteristic & Handle

9. Trial & Error/Success
IDSECCONF 2019, Cirebon
SMRX86

10. GATTACKER (active sniffing)

11. (Unseccessfull) GATTACKER

12. Android_hcidump
(/data/misc/bluetooth/logs/btsnoop_hci.log)

13. Android_hcidump

14. (Active Sniffing) FRIDA
(mifit ver 3.3.2)

15. (Active Sniffing) FRIDA
(mifit ver 3.3.2)

16. (Active Sniffing) FRIDA

17. (Active Sniffing) FRIDA

18. (Active Sniffing) FRIDA
WHERE IS
CHAR UUID
& HANDLE

19. FRIDA + Android_hcidump

20. Mapping
Authentification
IDSECCONF 2019, Cirebon
SMRX86

21. Authentification Procedure

22. POC

23. POC script is adjustment of recent
@leojrs (0x08 > 0x00)

24. POC

25. Thanks…