HACKING OF MIBAND 3
STARTING WITH IOT
BY MAHENDRA PURBIA
WHO AM I?
Mahendra Purbia
CERTIFIED IN ETHICAL HACKING & CYBER SECURITY
SECURITY RESEARCHER AT CYBER OCTET PRIVATE LIMITED
BUG HUNTER
WORKING WITH RAJASTHAN CYBER CELL
PENETRATION TESTER AT BEFOJJI COMMUNITY
TECHNICAL AUTHOR AT HACKINGVISION & UNIX
LISTED IN NCIIPC.GOV.IN FOR SECURING GOV.IN SITES
SECURED OVER 45+ MNCs AND LISTED ON THEIR SITES
10+ INDUSTRIAL VISITS & HANDS-ON EXPERIENCE
HACKING OF MIBAND 3 • 2020
COVERED TODAY
Details to be discussed:
Bluetooth Overview
Bluetooth Classic vs Bluetooth Low Energy
Basic Overview of Bluetooth Low Energy
BLE Stack
Basic Process for Hacking the Band
Analyzing Packets
Authentication
Practical
Conclusion
BLUETOOTH?
Bluetooth story...
Bluetooth is a short-range wireless communication protocol that allows devices such as smartphones and headsets to transfer data and/or voice wirelessly.
Developed in 1994 as a replacement for cables.
Uses the 2.4 GHz frequency band and creates a network of about 10 meters radius called a piconet!
BLUETOOTH CLASSIC vs BLUETOOTH LOW ENERGY

                         BLUETOOTH CLASSIC                          BLUETOOTH LOW ENERGY
Great for                products that require continuous           products that do not require continuous
                         streaming of data                          streaming of data
Power consumption        High                                       Ultra low
Data rate                Faster                                     Slower
Application throughput   High                                       Low
Best suited for          Headsets, speakers, Bluetooth hotspot etc. Home automation, fitness trackers etc.
BLUETOOTH LOW ENERGY (4.0)
Bluetooth Low Energy, aka Bluetooth Smart
Designed to be power efficient
Low cost and easy to implement
Used in sensors, lightbulbs, medical devices, wearables and many other "smart" products.
FITNESS TRACKER: MIBAND 3
FITNESS TRACKER FOR UNDERSTANDING BLE
GENERIC ATTRIBUTE PROFILE (GATT)
BLE is based on a specification called the Generic Attribute Profile (GATT), which defines how data is exchanged between a client and a server. The short pieces of information that are sent and received are called attributes.
BLE has a few key concepts: profiles, services and characteristics.
Services: a service is a set of provided features and associated behaviours for interacting with the peripheral. Each service contains a collection of characteristics.
Characteristics: characteristics are defined attribute types that contain a single logical value.
BASIC PROCESS
Let's start to hack
1. Select the target
   a. Install the BlueZ stack, hcitool & gatttool
2. Enumerate the services and characteristics
   a. Do the scan using hcitool
   b. Connect using gatttool
   c. List all the services and characteristics
3. Use a Python script to control the Mi Band 3.
4. Finally, do some cool stuff!
Selecting the target
Goal: finding the BLE devices in the vicinity
Tools used: BlueZ, hcitool, gatttool
Install BlueZ: $ sudo apt-get install bluez
Install hcitool: hcitool comes preinstalled with the BlueZ stack
Analyze packets in Android
Now we need to know exactly how the mobile application and the Mi Band interact with each other. For that we need to analyze the packets. Android has an option to capture all Bluetooth packets to a file: go to Settings > Developer settings > Enable Bluetooth HCI snoop log.
Similarly, for debugging BLE devices there is an app in the Google Play Store called nRF Connect; download and install it.
Enumerate the services and characteristics
sudo gatttool -b <BLE ADDRESS> -I
> connect
List all primary services:
> primary
List all characteristics:
> characteristics
Authentication
1. Turn on auth notifications (so we get a response) by writing the 2-byte value \x01\x00 to the descriptor.
2. Send the 16-byte encryption key to the characteristic: the 2-byte command \x01\x00 followed by KEY.
3. Request a random key from the device by writing the 2-byte command \x02\x00 to the characteristic.
4. Read the random key from the device's response (its last 16 bytes).
5. Encrypt this random number with our 16-byte key using the AES/ECB/NoPadding algorithm (from Crypto.Cipher import AES) and send the result back to the characteristic as \x03\x00 + encrypted data.
Thanks to Andrey Nikishaev
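The five steps above, run end to end against a stand-in for the band so that both sides' messages are visible (an added example, not code from this talk or from Nikishaev's script); it is in Go because the standard library includes AES, so it runs offline. The SimBand and Authenticate names, the 3-byte reply headers and the failure status 0x04 are assumptions, and the key write of step 2 is modelled as a flag because it is only needed at first pairing, while later connections reuse the key the band stored.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

const keyLen = 16
// Byte values from the slide: 0x0100 to the descriptor enables notifications; the three
// commands go to the auth characteristic. The 3-byte reply header (0x10, command, status)
// is this simulation's assumption; the slide only says the nonce is the reply's last 16 bytes.
var (
	cccdEnable       = []byte{0x01, 0x00}
	cmdSendKey       = []byte{0x01, 0x00}
	cmdRequestRandom = []byte{0x02, 0x00}
	cmdSendEncrypted = []byte{0x03, 0x00}
	respAuthOK       = []byte{0x10, 0x03, 0x01}
)

// SimBand stands in for the band: it stores the key written at pairing, hands out a nonce,
// and accepts a client only if AES_key(nonce) comes back.
type SimBand struct {
	notifyOn bool
	key      []byte
	nonce    []byte
}

func (b *SimBand) WriteDescriptor(v []byte) { b.notifyOn = bytes.Equal(v, cccdEnable) } // step 1
// WriteChar handles one write to the auth characteristic and returns the band's notification.
func (b *SimBand) WriteChar(v []byte) ([]byte, error) {
	if !b.notifyOn || len(v) < 2 {
		return nil, errors.New("notifications off, or write shorter than the 2-byte command")
	}
	cmd, body := v[:2], v[2:]
	switch {
	case bytes.Equal(cmd, cmdSendKey) && len(body) == keyLen:
		b.key = append([]byte(nil), body...) // pairing: the band trusts whatever key it is given
		return []byte{0x10, 0x01, 0x01}, nil
	case bytes.Equal(cmd, cmdRequestRandom) && b.key != nil:
		b.nonce = make([]byte, keyLen)
		if _, err := rand.Read(b.nonce); err != nil {
			return nil, err
		}
		return append([]byte{0x10, 0x02, 0x01}, b.nonce...), nil
	case bytes.Equal(cmd, cmdSendEncrypted) && b.nonce != nil:
		if subtle.ConstantTimeCompare(aesEncryptBlock(b.key, b.nonce), body) == 1 {
			return respAuthOK, nil
		}
		return []byte{0x10, 0x03, 0x04}, nil // status 0x04: ciphertext did not match (assumed code)
	}
	return nil, errors.New("unexpected command for the band's current state")
}

func aesEncryptBlock(key, block []byte) []byte { // AES/ECB/NoPadding on exactly one block
	c, _ := aes.NewCipher(key) // key is 16 bytes at both call sites, so this cannot fail
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out
}

// Authenticate is the client side of the slide's steps. sendKey=true is the first pairing
// (step 2); later connections skip it and rely on the key the band already stores.
func Authenticate(b *SimBand, key [keyLen]byte, sendKey bool) error {
	b.WriteDescriptor(cccdEnable) // step 1: 0x0100 to the descriptor
	if sendKey {                  // step 2: 0x0100 + KEY
		if _, err := b.WriteChar(append(append([]byte(nil), cmdSendKey...), key[:]...)); err != nil {
			return err
		}
	}
	resp, err := b.WriteChar(cmdRequestRandom) // step 3: 0x0200
	if err != nil {
		return err
	}
	if len(resp) < keyLen {
		return errors.New("band's reply is shorter than the 16-byte nonce")
	}
	enc := aesEncryptBlock(key[:], resp[len(resp)-keyLen:]) // steps 4-5: last 16 bytes, AES-ECB
	if resp, err = b.WriteChar(append(append([]byte(nil), cmdSendEncrypted...), enc...)); err != nil {
		return err // step 5: 0x0300 + ciphertext
	}
	if !bytes.Equal(resp, respAuthOK) {
		return errors.New("band rejected the encrypted nonce")
	}
	return nil
}
```

The wrong-key case shows what the band actually checks: its only secret is the 16-byte key written at pairing, so protecting that key is the whole of the band's access control.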
Notification format
The first byte (two hex digits) is the notification type:
01 -> Email
03 -> Call
04 -> Missed Call
05 -> SMS/MMS
The next byte (two hex digits) is the number of notifications, and the remaining bytes are the hex value of the notification title you are sending.
Send some notifications? ;)
PRACTICAL TIME
Now we use the command-line tool to automate all these tasks. So let's start.
Thanks to Yogesh Ojha
CONCLUSION
The problem here is that hardware manufacturers do not cryptographically sign the firmware embedded in their systems, nor do they include authentication features in their devices that can recognize whether the firmware being pushed was signed by them or not.
They literally accept firmware from anyone! The solution could be for hardware manufacturers to design the firmware and the firmware updates they distribute to be cryptographically signed. But if they implement these security measures, the cost of the devices goes up, and since these companies have to sell a lot of them at low cost, they just ignore it!
THANK YOU
Sir Falgun Rathod, Director of CyberOctet
Audience
Hackers Meetup organiser & team
Mayankpurbiamahi_official
mahendrapurbia19@gmail.com