
career. So one of them, Shane, is wearing a hat and is from West Point; he is an IT research specialist for the Cyber Institute, which is at West Point, and has a lot of academic history behind him. And Katie has spent much time both in IT customer service and also at KU Medical Center. It was a pretty cool presentation; I think the topical nature around the security of interconnected, very connected massage devices, I suppose... Here's Shane. My name is Shane, this is Katie. The topic for this project came from a graduate-level research course at the University of Kansas that we took, and we tried to decide:
we wanted to pick something that is important to us as security researchers and to the public in general. We feel like these devices are springing up, you know, vibrating out of nowhere, and then they just pop into our lives, so we want to make sure that everyone is aware of what's going on in this realm. And this doesn't just apply to dongs; it applies to any Bluetooth Low Energy device, because if you take what we're going to show you, you can apply it to almost anything: IoT, buzzwords like cyber, and some kind of glass, whatever else you want to use. Yeah, so what were the things to think about when we're thinking about the
unthinkable? The things that came up when doing this specific project are: can compromising these devices lead to sexual assault? If there are proper security controls for sexual harassment, is a vendor liable? Can the information that's stored be considered protected health information? We both were at a medical center for a while, so that was also important. And these are some of the headlines that came up from a lot of devices; you can see that you're in for some interesting ones looking into this, but the Internet is no longer just for porn, it is now used for way more. OK, so an overview of what we're going to do with this talk: we're going to cover our
inspiration for this project, and then briefly go over another device just to show that this is prevalent research that's going on, and then go over our analysis of the personal massage device, where we looked at the app, and then the Bluetooth analysis, and then we have mitigations, obviously, and then we'll do a short demo, and then if there's time go over our short thoughts on privacy and safety. So our influence for this project came from a bigger project called the Internet of Dongs, and their mission statement is up here: it's to enhance the privacy and security for the IoT market by showing or telling manufacturers, just like the CVE system, if you find a
vulnerability, a DVE, and what's really cool is, if you do find a DVE, they'll work with the vendor on your behalf, which is nice. And then so common problems that we see today in these devices, and also just general phone apps, are: for access control, obviously it's connected to the internet directly, and then devices connected via Bluetooth have a lot of flaws, especially with BLE; there are security mechanisms that you can implement, but for, I don't know, many reasons, people generally don't implement them. And then just general flaws, like mobile app flaws: hard-coded default credentials and API keys, insecure implementations of your API, and then custom encryption. And so
here we have another device, which we're not talking about specifically today; this was just a good example, I guess, that some other people have already done research on this prior. They had coordinated with the vendor and the vendor fixed it in a quick amount of time, so in four months, which was a pretty big deal. But what they found, because this one was an internet-connected dong where you could control it remotely through the app as a partner, was a way for anyone to just control it through the internet. And so here's just a peek at the capture that was taken to show that XMPP, or the chat
protocol, was encrypted. OK, and so here we'll just quickly talk about what we found in the eyeball app, which is the dong we analyzed. These are just standard tools that we used: we had to grab the APK from our phone, and then these in the middle are just what you can use to read the APK file, and then the security community tools.
OK, and so this is how the eyeball app works, basically, and we can just demo it. We have a device here, and as you notice, this is not particularly vulgar; it is not shaped like a phallic device, but if yours does this, you should see a doctor. It is a Kegel exerciser, maybe a little bit more thick. So you pair this device here with your phone, and the app can be obtained from the Apple Store or the vendor's website. It just needs some... well, there's security, it's just with that. And then something interesting was, so we did this project about a year ago and then came back and looked just to see if
anything had changed, and we found that it was completely rebranded, renamed and targeted towards a different audience, and so now it's advertised as a medical device that's been endorsed by medical professionals all over. OK, so there's just a diagram again to say the device connects to the phone, the phone then has to have an account, and then we send data back to the vendor's servers. And then these are just some screenshots that we took. So this is an interesting one: they have games that you can play to do your Kegel exercises, and then the next screenshot is the personal information that you can enter as a user. So some interesting
data stuck out to us: it asks the age, it asks whether you've had a child and how the child was born, so a little personal, but I mean it's still not too bad. And then, OK, so the previous slide was showing that you've obviously had to have an account to store your data, and that's totally fine, but an issue that we found here was, we took a peek at the traffic to see how it was communicating with the servers, and they don't even use any encryption, really; everything sent back to the servers is just over clear text. And in addition to that, another no-no is they include the username and password just
as URL parameters, and so you can see here, this is just an example of an account, or like an example of the formatting. The password: there's a lot of clear text, and if it is "encrypted" it's hashed with MD5, but that's easily crackable. So we have this hash right here, and here it is cracked, and it's password123. So here's just a peek, you can see the request (I wish I had the laser pointer). We did run a static analysis, and basically we found that the permissions and what it exports are not bad, basically; all of these are needed for the app to work. However, in the new
application, or summary, it collects user data which, I don't know, includes user location; I don't know why Kegel exercises need your location at all times. And then just a few other things that we found quickly: there are overly broad broadcast receivers, an unrestricted exported activity, and also a hard-coded key in the app, which are all things that shouldn't
be there. Here we found also some packages that were unused, so we think that maybe this app was like a template that was taken from something else, because we think this is also shared with another one; for example, this had a package for Facebook in here, and Alibaba, both of which were not in use, and those should be removed. And so here we're not going to demo this, but this is just something that we were able to get, or just an example of what we found, like pulling users' information. So basically we send a request to the vendor's servers here and get a session token, so like
you send a request with the username and password; I'm able to do that very easily. And then here we were able to get all the users' information that they've inserted and saved, and then another feature is something we were able to pull: so you can set a picture for your profile, and you're able to pull the users' photos too, and this one is our good friend's. OK, so these are some quick fixes that could be implemented: credentials and the account information shouldn't be sent as a parameter in the URL, and then obviously it should be sent over HTTPS instead of just clear-text HTTP, and then passwords should be
salted, that kind of stuff. So the next piece is the Bluetooth analysis. So standard Bluetooth has a range of 10 meters, or 30 feet for American people, so the attack range here is very small. However, if you go to a hotel, there's a lot of people who do and bring their devices, so if they got so lonely, they'll use them, right? And if you're traveling down I-95 and you have dongs with you, you can always stay at cheap hotels, and the walls are thinner than the toilet paper there, so that's not a hindrance; if you're anywhere in the building there's nothing stopping it. So in order to carry out an
attack, or if you just want to look, you use a couple of different tools and devices. So we used the Nordic Semiconductor nRF51 dongle, and we used the sniffer connected to Wireshark, and the other thing that you really need is patience. So, OK, a second, but if you're thinking this is going to work on your first try, you're going to be sad, thinking "I don't think I want to do it anymore." But there are some tools that work better than others; the one that we have listed at the bullet point worked well, better than other ones. So Bluetooth Low Energy has several simple security mechanisms. So pairing: there are three types, there's Just
Works, and you'll see it's a trademark, because it doesn't just work at all. Then authenticated pairing is the most secure: you have to have the keys ahead of time or use some other method to get them. Addressing is the MAC address on Bluetooth devices: there's public, which is one you register, and it's static, it never changes; and there's random, where the MAC address will change every time. Most phones have a random one, something like dynamically generating a random address for each connection. And so the third thing is an introduction to what makes Bluetooth sniffing so difficult: there are 40 channels on the 2.4 GHz range; it's the same
range that wireless runs on, and three of those channels are for your advertisements, and the other 37 are used for data. So you advertise on one of the three channels, and in order to see it you'll have to be on that same channel as your device. So then it hops: there's a frequency hopping spread spectrum that uses an algorithm (there's sure to be people here who like math) to hop between the frequencies, and if you're trying to track it on a cheap device, they don't work too well. So once you do get it working, here's an example of a Bluetooth advertisement, and you'll see the advertisement packets, and they're each different; I'm not going to bore you
with it, because that's really boring. So the security procedures are in the pairing, bonding, and then encryption and session establishment. So the first piece of the security comes out of the Generic Access Profile (GAP); that's what defines how the interconnection is going to work. So you have two security modes, encryption and data signing, and they're both optional, and they're hard, and why do it if you don't have to, right? So there's also one thing that requires the device to have a name category type, like phone, watch, add-on; actually, there's no adult toys one listed in there, but I think they need it. So GATT is what stores all of the data that the device has; there's a UUID, a long string, that says where the
data lives on this watch, your phone or whatever, and it's requested by the master, and then it's returned by the slave; but the master and the slave in that case are interchangeable, because the dong can actually ask the phone for different information too. So this is a Wireshark capture of data sent into the dong, and you'll see the things of value here; let's say that becomes important in a second. So overall, the vulnerabilities we identified that can happen: man in the middle, so you can essentially make your device act as a dong and have the person, or the person on the other end, connect to your device, and you can connect to their device
instead and issue commands. Session hijacking is a similar thing: you spoof the MAC address of the device, and then the device that you're connecting to doesn't know who you are. Then denial of service: as with anything, you send a bunch of packets to it, and this thing, as you might imagine, can't handle that much, so it just falls over really quickly, or falls out, whatever. Data privacy and security concerns, like I mentioned, all those things, they're all issues, and the thing with collecting ages, childbirth dates, how it happened, who was there, is it circumcised, whatever; it had a ton of them, lots of questions. So some of the mitigations are the security modes; like I said, they're
not required to be enforced, but enforcing them adds very little work, and you get a lot of extra security out of the deal. MAC address randomization: so when this thing broadcasts, we'll show that in a second, it tells you what it is, so there's no guessing; so if you see it anywhere, then you probably should leave it alone. And then the advertisement type, for security. So we'll have a live demonstration, or a recording, of them. So this one is a capture, and so we clicked the device, and then we're going to filter it down by the MAC address of the eyeball, and you'll see it's a Texas Instruments device; we're going to follow it, and you'll see the
connection here and the exec of the connection: a connection request is made after it's advertising, and then a bunch of data handling happens, and then when you turn on the app there'll be some write commands. So then this is a replay attack, just running the command ble-replay with a file that was collected, and I'll show you a video here of what it does.
So you see here that with the computer we're able to control the device without the app. And then in order to change your MAC address, this never works the first time; you will have to run it twice. So what you do is get the device type, or the device ID, and get the MAC address of the device, and... there we go. So right here is the address that we want to spoof; we run the command, it'll fail, and then it works down the line, and then we go ahead and search again, we reset the device, and then we run the config again, and the MAC address has now changed. All right, so we're back to here,
and these are some good things to think about. The most important one is: can compromising devices such as these lead to sexual assault or harassment, especially since we just showed that it can be controlled from a computer, possibly while someone was using it? And then is the vendor liable for the data loss that happens when they haven't been secured? And then is the information that's stored here considered to be health information? And then just future takeaways: obviously we're going to continue to see more and more devices that are integrated into personal lives that are connected to the internet; with that comes more information and more integrations with things that want your data, to collect it,
and lots of things happen with that data, as we know. And then this will eventually call for a greater focus on security; we're already starting to see all sorts of things about security in the news almost daily.
Yeah, we didn't try to take down their stuff, but you can change that picture; it's just base64 encoded, so you just take whatever you want, right, whatever you want to put up there. No, it can be anything that's base64 encoded, because I did try that; I'm not sure what it did to her, I don't know. What we did here is on public and nothing malicious per se, so I wasn't able to upload something other than a picture, and it didn't come back as something that wasn't a picture, but we did not say it was just a text file; but when you download it back through the API, it dropped
the file on a computer random-ish; it was mostly random, there were some with similar... every time there were ones in it; I don't know what they were using as far as whatever they're...
As you say, so, to make this thing do something that they couldn't... not that we've tried. So the app has several modes; one is the game, like I said, if you squeeze it, it tests how strong your hand is, right? That's what it does, and it sends that data back to the phone, as far as strength. So what we found was that when you connect to the device, and say you're not wanting to use the device for vibration, you can turn it on without the user's knowledge, which was the main concern for us with these types of products: using it in a way that the device wasn't necessarily
intended to be used, that the user would not want it to be used. So if you want the feature to see how strong your hand is, but you don't want it to vibrate in your hand, then you can turn that off and not use it; so turning it on without the user's consent we consider a bad thing. So in that way, yes. Anyway, no, we couldn't make it explode, and if we did, you wouldn't have one. The other thing is, we looked at this device a little bit, like, looking at the PCAPs, and there are very specific vibration codes, static codes, that this will accept
from a device or an app, so we didn't try sending anything random, but in the process we were trying to figure out what the vibration code was; it didn't seem like it would accept anything that it didn't recognize. Yeah, no, we didn't try any fuzzing, which, as we learned last night, is something that most developers don't do, and now they probably should, and we probably should have too, to see kind of what happened, because maybe it gets hot, and there is a battery, which concerns me anyway; it could be a Samsung battery, you never know. Yeah, we realize that this talk is not the most, you know, child-friendly, workplace-friendly; maybe that's something that's not safe for work, but you
know, I probably would give this presentation at work, but we hope that everyone learned something, and that in the future you'll think about your purchases. And like I said, this one is what it's called, so I'm not too concerned, but they have updated it, and maybe you'll find it, maybe not; I'm not sure why they changed names, because it happened about a month after we contacted them. That means we sent them an email, or around it, there's a weird email address, and I didn't hear anything back, and then a month later it's no longer on the App Store, and the device that we looked at, it looks like a change of name, or it could've just been
another knockoff. So we see that as a copyright issue, or if there is a copyright, we don't know who originated it, so we couldn't let them know, "OK, we think this is yours." Yeah, that's normal actually for these types of devices; they spring up in an hour and get sold on Amazon. Yeah, so if someone has any questions... Thank you very much.
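Editor's worked example, not code from the talk, the speakers or the vendor: the Bluetooth analysis above covers the advertiser address types (public, random static, random private), the advertisement packet, and the 37-channel hop sequence that makes a cheap sniffer lose the connection. The block below decodes a link-layer advertising PDU into those pieces and reproduces Channel Selection Algorithm #1 (the BLE 4.x hop algorithm), which is what a sniffer must compute from the CONNECT_IND parameters to follow a device. The sample PDU bytes and the device name "Kegel-Trainer" are constructed for illustration, not captured from any product.

```python
"""Editor's added example: decode a BLE advertising PDU and follow the
data-channel hop sequence (Channel Selection Algorithm #1, BLE 4.x).
All sample bytes are constructed for illustration."""
from typing import List, Optional, Tuple

ADV_PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
                 3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs",
            0x03: "Complete 16-bit UUIDs", 0x08: "Shortened Local Name",
            0x09: "Complete Local Name", 0xFF: "Manufacturer Specific"}


def address_kind(addr: bytes, tx_add: int) -> str:
    """Classify a 6-byte BLE address as it appears on air (LSB first).

    tx_add is the TxAdd bit of the PDU header: 0 = public, 1 = random.
    For random addresses the two most significant bits of the address
    (top bits of the last byte on air) select the sub-type:
    11 = static, 01 = resolvable private, 00 = non-resolvable private.
    """
    if tx_add == 0:
        return "public"
    top = addr[5] >> 6
    return {0b11: "random static", 0b01: "random resolvable private",
            0b00: "random non-resolvable private"}.get(top, "random (reserved)")


def parse_ad_structures(adv_data: bytes) -> List[Tuple[str, bytes]]:
    """Split AdvData into (type, payload) pairs; each is [len][type][data]."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:                       # zero-length entry = padding
            break
        if i + 1 + length > len(adv_data):
            raise ValueError("truncated AD structure")
        ad_type = adv_data[i + 1]
        out.append((AD_TYPES.get(ad_type, f"0x{ad_type:02x}"),
                    bytes(adv_data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode header (byte 0: bits 0-3 PDU type, bit 6 TxAdd; byte 1: length),
    then AdvA (6 bytes) and AdvData."""
    pdu_type = pdu[0] & 0x0F
    tx_add = (pdu[0] >> 6) & 1
    length = pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length or length < 6:
        raise ValueError("bad PDU length")
    adv_a = payload[:6]
    return {
        "type": ADV_PDU_TYPES.get(pdu_type, f"type {pdu_type}"),
        # addresses are transmitted least significant byte first
        "adv_addr": ":".join(f"{b:02x}" for b in adv_a[::-1]),
        "addr_kind": address_kind(adv_a, tx_add),
        "ad": parse_ad_structures(payload[6:]),
    }


def local_name(parsed: dict) -> Optional[str]:
    """The broadcast name that, as the talk notes, identifies the device."""
    for ad_type, data in parsed["ad"]:
        if ad_type in ("Complete Local Name", "Shortened Local Name"):
            return data.decode("utf-8", errors="replace")
    return None


def hop_sequence(hop_increment: int, channel_map: List[int], n: int) -> List[int]:
    """Channel Selection Algorithm #1: the first n data channels of a connection.

    unmapped = (last_unmapped + hop_increment) mod 37, starting from 0.
    If unmapped is in the channel map it is used directly; otherwise it is
    remapped to used[unmapped mod len(used)], used = sorted channel map.
    hop_increment (5..16) and the map arrive in CONNECT_IND, so a sniffer
    that misses that packet cannot predict where the data goes next.
    """
    used = sorted(channel_map)
    last, seq = 0, []
    for _ in range(n):
        last = (last + hop_increment) % 37
        seq.append(last if last in used else used[last % len(used)])
    return seq


# Constructed ADV_IND: TxAdd=1 (random), random static address
# c0:11:22:33:44:55, Flags=0x06, Complete Local Name "Kegel-Trainer".
SAMPLE_ADV_IND = (bytes([0x40, 0x18])
                  + bytes([0x55, 0x44, 0x33, 0x22, 0x11, 0xC0])
                  + bytes([0x02, 0x01, 0x06])
                  + bytes([0x0E, 0x09]) + b"Kegel-Trainer")

if __name__ == "__main__":
    info = parse_adv_pdu(SAMPLE_ADV_IND)
    print(info["type"], info["adv_addr"], info["addr_kind"], local_name(info))
    print("hop=7, all 37 channels:", hop_sequence(7, list(range(37)), 6))
```

Run it and the sample decodes as an ADV_IND from a random static address that never changes and carries its name in the clear, which is the "if you see it anywhere, leave it alone" situation the speakers describe; the hop output shows why a sniffer that did not capture the CONNECT_IND (hop increment and channel map) loses the data channels immediately.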
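Editor's worked example, not the vendor's code and not from the talk: the app analysis above describes two server-side weaknesses, credentials passed as URL parameters over plain HTTP and passwords stored as unsalted MD5 that cracked to password123, and the fix the speakers propose (credentials off the URL, HTTPS, salted hashing). The block below puts the observed pattern beside the corrected one: it pulls the credentials out of a constructed request URL, cracks an unsalted MD5 with a tiny dictionary, and then stores and verifies the same password with a per-user random salt and PBKDF2. The host name, user, password and wordlist are constructed for illustration.

```python
"""Editor's added example: credentials in the query string plus unsalted MD5
(the weak pattern) next to salted, iterated hashing (the fix).
Host, user and password below are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed request in the insecure shape: plain HTTP, secrets in the query.
LEAKY_URL = "http://api.example.invalid/login?username=alice&password=password123"


def credentials_in_query(url: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) if they sit in the query string.
    Query strings end up in proxy logs, browser history and Referer headers,
    so this is the check to run over captured traffic."""
    qs = parse_qs(urlsplit(url).query)
    if "username" in qs and "password" in qs:
        return qs["username"][0], qs["password"][0]
    return None


def md5_unsalted(password: str) -> str:
    """The observed storage scheme: a single MD5 of the raw password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack. With no salt every candidate is hashed once, and
    the same table cracks every user who chose that password."""
    for candidate in wordlist:
        if md5_unsalted(candidate) == target_hex:
            return candidate
    return None


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Corrected storage: per-user random salt plus an iterated hash
    (PBKDF2-SHA256 from the standard library; scrypt or argon2 also fit)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    creds = credentials_in_query(LEAKY_URL)
    print("credentials exposed in URL:", creds)
    weak = md5_unsalted(creds[1])
    print("unsalted MD5", weak, "cracks to",
          crack_md5(weak, ["123456", "letmein", "password123"]))
    rec = make_record("password123")
    print("salted verify:", verify("password123", rec), verify("Password123", rec))
```

Two records made from the same password get different hashes, so a precomputed table is useless, and the iteration count turns a few million MD5 guesses per second into a few thousand; the credentials still need to move in a POST body over HTTPS, which is the transport half of the fix the talk lists.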