Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hacking My "Smart" ToothBrush- 1186

Cyrill Kunzi, posted 2 years ago
  • The author of this post had recently bought a Philips Sonicare toothbrush. The documentation says the product operates at 13.56 MHz, which indicates it uses NFC. The communication happens between the toothbrush handle and the toothbrush head, so the handle can tell you when a new head is needed.
  • Using the NFC tools app, there is a lot we can learn about the tag. Some interesting notes from this:
    • The tag is NTAG213 and uses NfcA.
    • The device is password protected.
    • Address 0x24 contains the total brush time.
    • Various other fields such as checksums, IDs, links and more.
  • The goal of the attack is to overwrite the brushed time stored on the device. Reverse engineering the format is easy: observe the value, brush your teeth and observe again. However, the tag is password protected. So, what do we do?
  • Software Defined Radio (SDR) time! The author pulled out a HackRF (which goes down to 1 MHz for listening). Then, they used GNU Radio to take the raw IQ samples and convert the data into a WAV file. The capture is a series of complex numbers, which is why the author split out the real and imaginary portions (as two channels) to convert it to a WAV.
  • The tool NFC-laboratory takes in the WAV file and decodes the bytes for us. By cross-referencing the data being sent with the data stored on the tag, we can learn what each line of the capture means:
    • Lines 0-6: Establish communication between the systems.
    • Line 7: Send password - 0x1B command.
    • Line 9: The counter is updated to a new value - 0xA2 command.
  • Reading line 7 shows that the password is 67:B3:8B:98! Woah, that's awesome. It's super crazy to me that the data is sent in plaintext over NFC; I figured some type of encryption would be done by default.
  • Using NFC tools, we can enter the password and then attempt the same edit that failed before. Since the password is now set, it works! We've got a NEW toothbrush as far as the device thinks.
  • Throughout the post, the password changes. What gives? Entering the password incorrectly 3 times will permanently disable write access. Additionally, the passwords are unique per toothbrush. NXP recommends that the password be derived from the tag UID, but the author couldn't find the transformation function.
  • Overall, an amazing post! I learned all about WAV files and NFC hacking.
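To make the "sent in plaintext" point concrete, here is an added example (not code from the post or from NFC-laboratory) that decodes reader-to-tag NTAG213 command frames and reports what an eavesdropper within NFC range learns from them. The frames, the password bytes and the counter value are constructed placeholders, not the values from the post; CRC bytes are assumed to be already stripped.

```python
# Added example: decoder for reader-to-tag NTAG213 command frames, showing
# why a password sent with PWD_AUTH can be read straight out of a capture.
# Frames here are constructed for this example (CRC_A already stripped);
# the password and counter bytes are placeholders, not the post's values.
from dataclasses import dataclass
from typing import List, Optional

# NTAG213 command bytes from the NXP datasheet; the post's line 7 and line 9
# correspond to PWD_AUTH (0x1B) and WRITE (0xA2).
CMD_READ = 0x30         # READ: 0x30, page address -> 16 bytes back
CMD_WRITE = 0xA2        # WRITE: 0xA2, page address, 4 data bytes
CMD_PWD_AUTH = 0x1B     # PWD_AUTH: 0x1B, 4-byte password -> 2-byte PACK
BRUSH_TIME_PAGE = 0x24  # page the post identifies as total brush time

@dataclass
class Frame:
    kind: str
    page: Optional[int]
    data: bytes
    plaintext_secret: bool  # True when a credential travels in the clear

def decode_frame(raw: bytes) -> Frame:
    """Decode one reader-to-tag frame by command byte and length."""
    if not raw:
        raise ValueError("empty frame")
    cmd = raw[0]
    if cmd == CMD_PWD_AUTH and len(raw) == 5:
        return Frame("PWD_AUTH", None, raw[1:5], True)
    if cmd == CMD_WRITE and len(raw) == 6:
        return Frame("WRITE", raw[1], raw[2:6], False)
    if cmd == CMD_READ and len(raw) == 2:
        return Frame("READ", raw[1], b"", False)
    return Frame("UNKNOWN", None, raw, False)

def audit_capture(frames: List[bytes]) -> dict:
    """Summarise what a passive listener learns from the command stream."""
    decoded = [decode_frame(f) for f in frames]
    secrets = [f.data.hex(":").upper() for f in decoded if f.plaintext_secret]
    counter_writes = [f.data for f in decoded
                      if f.kind == "WRITE" and f.page == BRUSH_TIME_PAGE]
    return {"commands": [f.kind for f in decoded],
            "exposed_passwords": secrets,
            "brush_time_writes": counter_writes}

# Constructed exchange mirroring the post's line 7 (auth) and line 9 (write).
SAMPLE_FRAMES = [
    bytes([CMD_READ, 0x00]),                                      # read header
    bytes([CMD_PWD_AUTH, 0x11, 0x22, 0x33, 0x44]),                # placeholder pwd
    bytes([CMD_WRITE, BRUSH_TIME_PAGE, 0x00, 0x00, 0x01, 0x2C]),  # placeholder count
]

if __name__ == "__main__":
    print(audit_capture(SAMPLE_FRAMES))
```

Because PWD_AUTH offers access control but no confidentiality, anything that relies on the password staying secret needs the eavesdropping range of the reader modelled as part of the threat.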