
Okay, it is time to go back to the future. Who wanted self-lacing shoes when they were in the '80s? Yes, great idea. And here to explain why is Aaron. He is a security engineer at Snap, where he builds tools to help developers write more secure code and does security reviews. When he's not working he's hacking around on random things like shoes that have Bluetooth. Ladies and gentlemen and everyone in between, please welcome Aaron.

Okay, okay, this is better. Okay, great. My name is Aaron, or you can call me Judy. This is Hacking Hypebeasts. So we're going to talk about... first I'll talk a little bit about myself, and then why I kind of started to do this little project. We'll talk about the shoes, we'll look at the Android app, just a little reverse engineering, and talk about account management and threat modeling.

So, about me: my name is Erin, I'm a security engineer, I've been in the business for seven years, six of those years here in Portland. For the last year I lived in LA, and I worked at Snap previously, which I didn't tell for fun. Oh, actually, in this picture over here is me on the stage at DEF CON looking, like, definitely afraid. For fun I like to draw; here's a little doodle of the sad Jordan. And I sometimes play basketball. I'm not very good, but I like to play for fun.

So that brings me to why this. I like basketball. I'm not a hypebeast for sure, I don't buy every shoe that ever comes out, but I do the occasional, like, dope sneaker. Right now I'm wearing the LeBrons, I don't know if you can see them. So the other thing is I really wanted to give a quick shout out to Topher, because he kind of encouraged me to try to give a talk here at BSides, and if it wasn't for him giving me that encouragement I wouldn't have tried to do this at all.

So again, why hack sneakers? Well, off the top of my head there's not, like, a direct attack. I guess someone could run up real quick and connect to your sneakers and then, like, loosen or tighten them, so it's kind of annoying. But it's really cool just to look at it and try to understand it. I was always a fan of Back to the Future and I thought it was going to be cool to have these kinds of shoes, and now I'm an adult, I guess, and I'm a hacker, and it'd be cool to, like, try to take them apart and understand how they work. And I guess it's interesting, like, why Nike decided to build these shoes. It was a marketing gimmick in the movie, and the movie was successful, so when it came time, when the movie said they were real, they just had to build them. And then there's also been a couple of teardown videos that actually look at the interior of these ones and the ones before them, how they work, and I'd encourage you to take a look at them. It's kind of cool to see someone just, like, burn money.

So that's kind of what I did. This is the right shoe, and this is all that's left of the left shoe. I got them for $300 on StockX, the Nike BB Adapts. They're actually my least favourite ones, so that's why it was easy for me to decide to just tear them apart. I like these a lot more, the way they look. And then the Nike Mags are pretty much unobtainium, you see right here, $250,000, that's pretty ridiculous. And these are the others; there's a generation between the Nike Mags and these ones, which are $750, which actually I think may be nicer because it gives you easier access to the internals of it. There's a couple of videos where people just, like, open them up and pull out the device. But I didn't have access to those ones.

In addition to the shoes, of course, there's an app which you use to communicate with it over Bluetooth. You can see here there's these two buttons, which, if you're physically touching the shoes, you can use to, like, self-lace them. You can hear this on there. And then you can do the same thing with the app. We first need to talk about the app a little bit. You can't use the app without first authenticating with Nike.com. Once you do that, you can log into your account, and then you bring them up close, and there's a Bluetooth RSSI check that goes on before the session, and once you do that your shoes are kind of, like, tied to your account. I just did this, and then once you're here you can use the app to, yeah.

So basically, the first thing I did, actually attacking it, I decided to decompile. So first, if you haven't done this before, kind of like little instructions here: you know, my phone is rooted, but you need to be rooted and in developer mode. You can connect your phone to your laptop over USB and you can use ADB and JADX to decompile the app, and it actually gives you pretty readable Java code. There wasn't a whole lot of effort put by Nike into obfuscation, which is nice because it made it easy to understand and read. Since the app doesn't really have, like, a ton of functionality, it's pretty easy to read through and see all the different things it does. I spent some time looking at the firmware update, because Nike actually had an issue where on the Android app the firmware update would brick the shoes, creating some pretty expensive bricks. But I was mostly interested in how the self-lacing works.

When in the code, since it's not obfuscated, you could basically see all the strings that Nike actually used to refer to everything. Nike refers to the shoe as a Bigfoot, which I think is great for the BSides mascot. There's a Bigfoot device, but most of the logic for actually communicating with the shoe itself is in core, or half Bigfoot. So core has a Bigfoot Java file, there's tighten, loosen, and then also they have foot presence detection, basically like it knows when your foot is inside the shoe and can, like, automatically tighten and loosen if you wanted to. So this is just a snippet from the source code. It's pretty cool, here's the actual line where it's, like, issuing the servo command via Bluetooth to tighten and loosen the shoe. So here is the tighten function, and here is, like, the loosen function. So this is cool, there's code that says tighten Marty McFly shoes, that's interesting, it was like, this is code from Back to the Future. So the servo.

Let's talk a little bit about, like, getting into the guts of this shoe. So inside here, in this hole, is actually where this device is, and it's kind of cool. Basically I had to cut it out and ruin the shoe. And it's all contained inside this, like, plastic here. And then this right here, this little circle, the string goes into here and it's connected to a servo that turns, and that actually performs the tightening and loosening function. So as I mentioned, in the previous version of these shoes all of this, I believe, wasn't contained inside, like, a plastic container, so it was kind of easier to get access. But I wanted to actually look at the board itself, so I had to bust out my Dremel, which I bought three years ago thinking that I would Dremel a lot of things, but this is the first thing that I ever used it for. And there's one moment where I was doing it and I nicked the battery. I got a little scared and actually just put it down, like, left it there for a day and then came back. It's really small and you gotta kind of cut around the battery. So once you get in you can see, it's not shown here, but basically there is, like, a connector that attaches to the board that corresponds to these two buttons, and then a connector to the servo and the battery. And they were working with, I think it's, like, a Cortex-M4, like a kind of low-power chip, and the battery. And one other thing, I really wanted to look at the board because I wanted to see if it was using a Nordic chip for Bluetooth, but it's not. So it was cool to do.

So going back to the code, one of the interesting things that I noticed when I was looking at it was, I was looking at the network handling code, basically the code where the app takes the responses from the network and, like, parses it. One of the things that I saw in there that was interesting was that it's taking, from the JSON, a Bluetooth discovery key and also the identifier for the shoes itself. So this kind of got me thinking, and some kind of, like, a test I did was, like, got my iPhone and installed the Adapt app, and I logged into my Nike.com account, and basically didn't have to jump through the hoops of pairing with the shoe. I didn't have to, like, get close to it to pair it, it just sends that information to the app itself, so you're automatically paired as soon as you log in. Which is pretty neat, but it's a little interesting functionality, because I'm just really curious if it's ever possible for someone to do auth bypass to broken ankles: someone could hijack your Nike.com account, and while you're playing basketball and you get crossed, I suddenly unlace your shoes, and then broken ankles. So I didn't actually get this exploit, though, but that was an interesting attack vector from a threat modeling perspective.

So this diagram kind of describes, like, the different types of attacks you could kind of perform against the shoe: if you get Bluetooth access, that's kind of the trust boundary, and then there's the app, and then just kind of looking at the Nike cloud. So I spent a little more time looking at the Nike cloud. I wanted to look at the connections between the app and the backend itself, so for that I needed to man-in-the-middle it. For this I used mitmproxy, which I enjoyed. I don't know if you need to be in developer mode, but you just double tap or hard press the SSID and you can point it to a different IP address and a proxy. And the Nike app, it didn't work, so that means that there was certificate pinning in place. So certificate pinning is basically a mitigation against someone snooping on your traffic. These are going over TLS, and it's basically literally pinning a certificate hash in the app, and that's what I needed to bypass in order to analyze the traffic. So there's a lot of Googling around, there's a lot of articles on doing this. What helped me is I had access to the source code and I knew that Nike was using OkHttp 3, a popular library for handling HTTP requests. So there's, like, articles for bypassing this particular library on the Internet.

The first thing I tried to do is, since I already had the Java code from JADX, I just tried to modify the code so that even if the hash of the certificate it was being given didn't match the bag of certificates that it had pinned, it would still just say yes, perform that connection. That didn't really work. So the next thing I tried was just dealing with the smali code itself. Smali is kind of an in-between between DEX and Java: it's more readable than DEX, but you can't compile it directly to Java; you can compile it back into the app. So I modified the smali code. Here's an example of smali code explaining the same functionality I was talking about earlier: it's basically comparing the hash of the certificate against all of the pins it has and then seeing if they're equal, and if it doesn't, moving to this condition. So here it's if-eqz, and I just changed it to if-nez, hoping that it would go to the condition that I wanted, but that didn't work either.

So I ended up using objection and Frida, definitely a much easier solution than previously. Frida basically allows you to hook certain functions in your application, and objection actually provides a command to disable SSL pinning. Objection is a tool that automates setting up Frida, the Frida hooks, within the application itself. So yeah, you just run objection on the APK and then you'll get an objection APK, install the APK, then start the app and verify that the gadget was there from Frida, and going back to objection, I just run sslpinning disable. Really straightforward and easy, I definitely suggest using objection all the time; you can use objection to debug an application and just run through it.

So okay, now that we actually have access to looking at the traffic between the app and Nike's backend, I kind of started to look at the auth dance. We have a POST to the Nike CDN where you actually put your creds, and then a response to get an access token and a refresh token. So we know we're dealing with OAuth, which I kind of already knew because when you log in to the app it gives you the option to log in with Facebook. Once you do that you get some user data, and then you can get the shoe data, given an access token, from api.nike.com, and then if there's any extra data that's on the app that you want to send up to Nike's backend, it uses another POST for that. So then here is the JSON you get back when you're actually getting the shoe data from Nike, and you see here you have the key for my left shoe, which is now destroyed, but you get the device identifier and the discovery key, so basically everything you need in order to attack the app, I mean, to connect to the shoe. It's pretty cool. And now with this we kind of have, like, a new threat model where you have kind of a potential for an OAuth attack here, and Facebook on the app, in addition to the BLE connection and attacking the Nike cloud. So yeah, done. Any questions? You can come to the mic.
You were saying something about a certain type of chip that it wasn't. I was curious what that was.

Oh yeah, it's, um, I can pull this up. I've pulled up the datasheet for it, and I'm not... I pulled up the, you know, I can actually, I'll post that information. Hit me up on Twitter and I'll reply back, because I have the datasheet and I have the pinouts too. I don't, I can't remember, I think the low-power Cortex-M4, I think, I'm not sure.

So did you have to go through and ask Nike for additional permissions to get all that, or how did you get around the EULA to do that?

One thing I didn't do, you'll notice during this talk, is I didn't disclose any exploits. I think the biggest concern would be, like, disclosing an exploit without talking to Nike first. But I mean, I just bought the shoe and installed the app, and, you know, from my perspective it's mine now, so I can do whatever I want with it.

Hey, Judy, so I got a question: what's next? Like, what are you gonna do with this shoe, or what's the next thing with this?

I'm glad you asked that question. I think the next step... this was mostly just trying to understand how this shoe works and seeing all that. I think the next step is trying to actually do more attacking. I'm really interested in, like, the auth dance for the shoe, and also, I think we're on here, I think there's some debug ports on the chip, so I want to try to mess with that. That's all.
[Applause] thank you
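The pin check the talk describes, hashing the presented certificate's public key and comparing it against the bag of pins baked into the app, works roughly like OkHttp's CertificatePinner. The block below is an added example written for this page, not Nike's or OkHttp's code: the SPKI byte strings are constructed placeholders standing in for real DER-encoded SubjectPublicKeyInfo structures, and the host patterns are illustrative.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
PINNED_SPKI = b"constructed-spki-of-the-legitimate-api-leaf-cert"
MITM_SPKI = b"constructed-spki-of-a-mitmproxy-generated-cert"


def spki_pin(spki_der: bytes, algo: str = "sha256") -> str:
    """OkHttp-style pin string: '<algo>/<base64 digest of the SPKI DER>'."""
    if algo not in ("sha256", "sha1"):
        raise ValueError("pins use sha256/ or sha1/")
    digest = hashlib.new(algo, spki_der).digest()
    return f"{algo}/{base64.b64encode(digest).decode()}"


def host_matches(pattern: str, hostname: str) -> bool:
    """Pin host patterns: exact, '*.' covers one extra label, '**.' any depth incl. bare."""
    if pattern.startswith("**."):
        suffix = pattern[3:]
        return hostname == suffix or hostname.endswith("." + suffix)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not hostname.endswith("." + suffix):
            return False
        return "." not in hostname[: -len(suffix) - 1]
    return hostname == pattern


def check_pins(pins: list, hostname: str, chain_spkis: list) -> bool:
    """Return True when the presented chain is acceptable for hostname.

    pins: (host pattern, pin) pairs baked into the app.
    chain_spkis: SPKI DER of each certificate in the presented chain, leaf first.
    Hosts with no pins fall back to ordinary TLS validation (True here).
    """
    applicable = [pin for pattern, pin in pins if host_matches(pattern, hostname)]
    if not applicable:
        return True
    algos = {pin.split("/", 1)[0] for pin in applicable}
    for spki in chain_spkis:
        for algo in algos:
            candidate = spki_pin(spki, algo)
            # constant-time compare; one matching certificate anywhere in the chain passes
            if any(hmac.compare_digest(candidate, pin) for pin in applicable):
                return True
    return False  # the failing branch the talk's if-eqz/if-nez smali patch was aimed at


APP_PINS = [("**.example-shoe-api.test", spki_pin(PINNED_SPKI))]  # illustrative pattern
```

Because a mitmproxy-issued certificate carries a different public key, its pin never equals the baked-in one, which is why the proxied connection failed until the check itself was hooked.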