Hack a BT Low Energy (BLE) butt plug

Few weeks ago I bought a Bluetooth Low Energy (BLE) butt plug to test the (in)security of BLE protocol.

This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design.

The great Simone evilsocket Margaritelli wrote a BLE scanner called BLEAH (get it on github) and a wonderful post on how to use it to hack BLE devices. I strongly suggest you to read the post before moving on.

Everything started as a joke between me and Simone before going to HackInBo (the best free security event in Italy) when Simone said to me “if you buy it we  pentest it in Bologna“.

I bought it 🙂 and during HackInBo we hacked the butt plug using BLEAH (Lovense Hush model). Simone deserves all the creditis for this, I just learned from him.

This is the final result. I paired to the BLE butt plug device without authentication or PIN from my laptop and sent the vibrate command.

How get the command? The butt plug can be remotely controlled with a mobile application called Lovense Remote (download here).
With jadx you can disassemble the java application and find the Bluetooth class used to control the device. Inside you can find the strings to be sent to the toy to start vibration (Vibrate:20;).

So we have all the elements to hack the sex toy with BLEAH (read evilsocket post before) as follow:

// scan for the device
$ sudo bleah -t0

// get device services and characteristics
$ sudo bleah -b "< DEVICE MAC >" -e

// send the vibrate command to the writable charateristic
$ sudo bleah -b "< DEVICE MAC >" -u < CHARATERISTIC UUID > -d "Vibrate:20;"

At the end is very easy to hack BLE protocol due to poor design choices. Welcome to 2017.