This document summarizes a presentation about hacking an Amazfit BIP smartwatch. It includes an agenda that covers basic BLE concepts, relevant research on BLE authentication, and exploiting the authentication of the Amazfit BIP. The speaker is introduced as an independent security researcher who enjoys challenging clients. Research papers on Mi Band 2 authentication and reversing BLE from Android apps are referenced. The presentation covers BLE communication layers, using GATTACKER and Android hcidump for active sniffing, and Frida to find the characteristic UUID and handle for authentication mapping. A proof of concept script is shown that adjusts a recent approach to change the authentication value.

1. Hacking
BLE SmartWatch
IDSECCONF 2019, Cirebon
SMRX86

2. Agenda
Basic BLE
Relevan Research
Amazfit BIP Authentification
Exploitation

3. #whoami
Independent security researcher.
My job is doing trick to impress client.
Speaker Idsecconf 2013, 2014, 2015, etc.

4. Relevan Research
Leo Soares. “Mi Band 2, Part 1: Authentication.”, Internet: https://
leojrfs.github.io/writing/miband2-part1-auth/, Nov. 25, 2017.
David Lodge, “Reverse Engineering BLE from Android apps with Frida”,
Internet: https://www.pentestpartners.com/security-blog/reverse-engineering-
ble-from-android-apps-with-frida/, Feb 23, 2018.

5. BASIC BLE
IDSECCONF 2019, Cirebon
SMRX86

6. BLE Communication Layer

7. Characteristic & Handle

8. Characteristic & Handle

9. Trial & Error/Succes
IDSECCONF 2019, Cirebon
SMRX86

10. GATTACKER (active sniffing)

11. (Unseccesful) GATTACKER

12. Android_hcidump

13. Android_hcidump

14. (Active Sniffing) FRIDA

15. (Active Sniffing) FRIDA

16. (Active Sniffing) FRIDA

17. (Active Sniffing) FRIDA

18. (Active Sniffing) FRIDA
WHERE IS
CHAR UUID
& HANDLE

19. FRIDA + Android_hcidump

20. Mapping
Authentification
IDSECCONF 2019, Cirebon
SMRX86

21. Authentification Procedure

22. POC

23. POC script is adjustment of recent
@leojrs (0x08 > 0x00)

24. POC