Hacking a Chinese Medical Device via Bluetooth - iHealth Nexus Pro Scale

  • Published: 30 Nov 2024

Comments • 86

  • @PunkrockNoir-ss2pq 3 months ago +16

    I have the Wyze version

    • @mattbrwn 3 months ago +22

      HOLY CRAP. just decompiled the wyze android app. There are references to ihealth and I found that same R1, R2 encryption/authentication thing. I think they are LITERALLY the same device under the hood.

    • @ytadmin 3 months ago +1

      @@mattbrwn Get that wyze bug bounty money!

    • @mattbrwn 3 months ago +21

      @@ytadmin LOL you got me excited for a second. Unfortunately, they only have one device in scope for their BB program and it's not their scale. Just ordered the Wyze scale and will do a video on it 😁

    • @exshenanigan2333 3 months ago +1

      @@mattbrwn we have a brand called etekcity, I wouldn't be surprised if they're ALL exactly the same. I remember we used to buy LiPo chargers from China, the same exact charger, but probably I had 20 different brands. At this point, they're out of naming ideas so Amazon is full of brands like XUIKLUIFII, FAKFAKLING, BALPOVER, etc. 🤓

  • @gametec_live 3 months ago +62

    "do they respond to my emails about security vulnerabilities in their products, of course they don't" every IOT company ever 😂

  • @muratkabilov 3 months ago +69

    "S" in IoT stands for Security

  • @SanityIT 3 months ago +41

    Matt Brown. 28 years in look, 48 years of experience.

    • @mattbrwn 3 months ago +21

      LOL I might have lied on some of that data... I also might not be 7 foot tall

    • @SanityIT 3 months ago +4

      @@mattbrwn Just exceptional work Matt. Very few even with 20 years of experience in engineering can explain things as you do. Just love it.

  • @ColinMcCormack 3 months ago +12

    Nice one, mate. Not only did you hack it, but you opened it up so people with that device can use it without the android app. That is genuinely useful and beneficial

  • @voidpale 3 months ago +21

    You make such good videos, this is one of my new favorite channels. You look so genuinely stoked to be explaining what you've found and unraveled and it's definitely contagious. I get the same giddy feeling any time my digging unearths something interesting. That feeling of looking inside the black box and poking around is super unique and you capture it in all your vids. Appreciate you sharing, take care Matt

  • @I_hu85ghjo 3 months ago +4

    this man explains it so well. Learned so much in the past 3 months

  • @HandFromCoffin 3 months ago +7

    IoT thing has bad security = who could have known
    Chinese medical health IoT thing has bad security = who could have known
    They should have their license reviewed/revoked for not responding to the security issues.
    :) Love your stuff!

  • @pwrdwnsys 3 months ago +5

    The "S" in IoT stands for security. Great work, really interesting video.

  • @skywalker781 3 months ago +6

    Man, very inspiring. But I noticed that there is a bug in your decrypt script because at min 39:29 we can see body_bulding is 0. 😊 Nice, you are inspiring people and this kind of work is pushing companies to make better products and consumers to choose better products. Keep going.

    • @mattbrwn 3 months ago +4

      body_bulding = 0
      yeah clearly a flawed device.

  • @SlinkyD 3 months ago +15

    To get BLE logs without the errors:
    `logcat -d | awk '{ if ($5!="E") print }' | grep -i ble`
    Just the errors:
    `logcat -d | awk '{ if ($5=="E") print }' | grep -i ble`

    • @SlinkyD 3 months ago +1

      @@vextech I saw a few comments that looked like they supported it. Must be their "special" format I have no interest in researching or learning.
      We got standards for a reason but they wanna be a difficult kind of special cuz "bunch'o overpriced paper professionals work here & we makin $£€₿¥, so we right no matter how stupid it is".

    • @SlinkyD 3 months ago +1

      @@vextech The amount of paid professional programmers I know that can't make their way thru a 400 line project on git is too damn high. One got me into crypto because he was having problems compiling & configuring his mining rig. He majored in Computer Science with a minor in Mathematics.
      He's stuck on a paycheck when he could code up one of his ideas and make a few $milli. I saw a few of his ideas done by someone else and they ran the money up like their name was Bigboy Baggit.

  • @ApolloPwnsYou 3 months ago +1

    This is amazing Matt! I love watching your videos :)

  • @wasabinow 2 months ago

    Matt, thank you for being our eyes going through the Java packets to figure out the complete protocol paths. I am now on the edge of removing SmartTrack app that connects to my BT scale!
    Looking forward to the next episode after the IHealth binge! 😅🎉

  • @frollard 3 months ago +4

    I was just at my hackerspace yesterday where our primary volunteer dev was poking through our code and noticed that a path that really doesn't matter - the edge RFID controller telling the server 'hey I saw xyz card uuid' - was unauthenticated. In theory, someone could via wifi tell the server that a card was seen. It wouldn't unlock the door, it would only log that that card's user was seen recently. ...and it was immediately patched. (The doors were one of the first things built, and by someone else... so there is some sloppy security there. The rest is encrypted.)

  • @asassdsdd 3 months ago +1

    Man! This is a really good video!

  • @TheDanielsherer 3 months ago

    Incredible! Thanks, both for the video and the large amount of work that it took to reverse engineer this. Well Done!

  • @hedgehogform 3 months ago

    Keep it up!!! Love all these vids recently!!!

  • @ConnorDuPlooy 3 months ago

    Super cool video! Will be sharing it with my colleagues 🎉
    I've often found that you can copy-paste the jadx decompiled output to build your own client/server if for whatever reason rebuilding it in a different language would take too long.

  • @actuator 2 months ago

    This is an excellent video on reversing non-BT protocol level crypto via the mobile app. I was looking at a smart Bluetooth scale last year & found out it wasn't encrypting anything and sent stuff like Age, Gender, Height data in cleartext over the air.

  • @4megii 3 months ago +13

    I don't think IoT and Health belong in the same sentence.

    • @TankR 2 months ago

      Hilariously, that's what PANs are for. Personal Area Network. Literally expressly meant to centralize your 'medical' and 'personal accessories' like ear buds under one relatively secure roof. Of course, even though it's based on a Bluetooth layer for communication, none of the companies have figured out a way to trick people into a faux walled garden of proprietary-sounding software, so they just copy-paste the same old BT libraries and it's off to the races....
      The protocols exist, they're just either bastardized or ignored because they can't squeeze a profit channel from it....

  • @BobertV702 3 months ago +1

    Your videos are really interesting and informative and teach a lot about hardware hacking. The hardcoded credentials even in 2024 are a real problem... they could simply generate a hash from the name that the user creates, and then encrypt the traffic to send with the hash. By the way the 'double way' authentication is called mTLS, but I knew that it was used mainly in microservice architectures with kubernetes for example. Also, you are getting me more and more interested in actually giving a chance to Python. I really prefer to write in C, but when sending data over the network, python is less lines of code to write, and less time used overall.

  • @Vincent-db2ug 2 months ago +1

    I've been watching your videos non-stop since I discovered your channel. Very inspirational! I'm looking forward to future content.
    If I may ask: is there a device you'd recommend for a total beginner to get started with? I've even tried looking for purpose-built boards, but that doesn't really seem to be a thing.

  • @daze8410 3 months ago

    another great breakdown!

  • @DaveThompson1 3 months ago +1

    Great vid, did I spot a reference to the 1990s film Sneakers in the background on the phone at one point?

  • @Marco_Ris 3 months ago +1

    Hey Matt, thank you for your effort and videos. I really like to watch them and maybe also do a little bit of IoT hacking when I have some time left. When you find some vulnerabilities, are they new CVEs? I mean, do you then register the CVEs in your name, or is that not a topic of your hacking?

    • @mattbrwn 3 months ago +2

      I don't think it's bad for researchers to register CVEs but I personally think that system is largely broken.

    • @minirop 3 months ago +2

      @@mattbrwn and it's getting worse with all those script kiddies finding non-issues (like CVE-2023-34585) or those now using AI that hallucinate things.

  • @RealBrotherGG 3 months ago

    LOVE YOUR VIDS MAN, REALLY GREAT STUFF

  • @MichaelGrigoriev 3 months ago

    Learning a lot from these videos! They are probably using "stroke" as a misnomer for "prime". As in R1' = enc(R1)

  • @derrekvanee4567 3 months ago +4

    Comments about Wyze, woozy, and low Energy rainbow tables have become my favorite way to wake up Mondays. *That said nearly everything just edits a git repo and book diggity Shenjhau express* 🚂 SL SL SL

  • @guusverbeek2853 3 months ago +1

    Thanks Matt, I'm curious to see if someone will create some Home Assistant integration based upon your research.

  • @DaKink 3 months ago

    Masterbuilt? I just built mine! can't wait to see that video :D

    • @mattbrwn 3 months ago

      Solid smoker, but I'm guessing the tech might have some vulns...

  • @zoes17 3 months ago

    R1_stroke likely refers to a way of writing that it's after the "encryption" round and is likely written that way to write the "R1ʼ" or the R1 with a bar over both the R and 1, both ways of writing the same thing. This is a common practice in the math/programming world for cryptography functions. The R1_stroke would then likely be named something closer to R1_prime, but maybe there was a translation thing happening there, or perhaps they didn't want to confuse themselves with the way a public key algorithm like RSA uses primes. Interesting video, and the above are just my thoughts on something trivial in the video that ultimately doesn't matter for the reversing or security points made here.
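The R1 / R1' exchange that the comments above describe (the "R1, R2 encryption/authentication thing" found in both the iHealth and Wyze apps, and R1' = enc(R1) as the prime notation) can be sketched as a mutual challenge-response handshake. The block below is an added illustration, not code from the video, the app or the device. The scale's real cipher and key are not reproduced: HMAC-SHA256 truncated to 16 bytes stands in for the keyed function enc(), and APP_KEY is a made-up value standing in for whatever static key a decompiled APK would contain. The point it demonstrates is the security consequence of that key being hardcoded: anyone who pulls it from the app can answer R1 correctly and be accepted as the official app, and can confirm a key guess offline against a single sniffed R1 / R1' pair.

```python
"""Mutual challenge-response of the R1 / R1' shape discussed in the comments.

Added illustration only. HMAC-SHA256 (truncated) is a stand-in for the
device's unknown enc(); APP_KEY is a constructed, hypothetical value.
"""
import hashlib
import hmac
import os

# Hypothetical static key "recovered" from the APK. If the real key is
# hardcoded, every copy of the app and every scale shares this one value.
APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def enc(key: bytes, challenge: bytes) -> bytes:
    """Keyed transform of a 16-byte challenge: R' = enc(R). Stand-in for the real cipher."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]


class Peer:
    """One side of the handshake (phone or scale) holding a shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.my_challenge = b""

    def make_challenge(self) -> bytes:
        # Fresh random nonce so a recorded answer cannot simply be replayed.
        self.my_challenge = os.urandom(16)
        return self.my_challenge

    def answer(self, their_challenge: bytes) -> bytes:
        return enc(self.key, their_challenge)

    def verify(self, response: bytes) -> bool:
        expected = enc(self.key, self.my_challenge)
        return hmac.compare_digest(response, expected)


def handshake(phone: Peer, scale: Peer) -> bool:
    """Four messages over the air; True only if both sides accept each other."""
    r1 = phone.make_challenge()       # phone -> scale : R1
    r1_prime = scale.answer(r1)       # scale -> phone : R1' = enc(R1)
    r2 = scale.make_challenge()       # scale -> phone : R2
    if not phone.verify(r1_prime):    # phone checks that the scale knows the key
        return False
    r2_prime = phone.answer(r2)       # phone -> scale : R2' = enc(R2)
    return scale.verify(r2_prime)     # scale checks that the phone knows the key


def attacker_can_impersonate_phone(key_from_apk: bytes) -> bool:
    """Whoever holds the static key is indistinguishable from the official app."""
    return handshake(Peer(key_from_apk), Peer(APP_KEY))


def key_matches_capture(candidate_key: bytes, r1: bytes, r1_prime: bytes) -> bool:
    """Offline check: does a candidate key reproduce one sniffed R1 / R1' pair?

    A single captured exchange is enough to confirm a key pulled from the app,
    with no further radio traffic needed.
    """
    return hmac.compare_digest(enc(candidate_key, r1), r1_prime)


if __name__ == "__main__":
    print("legit app      :", handshake(Peer(APP_KEY), Peer(APP_KEY)))
    print("wrong key      :", handshake(Peer(b"\x00" * 16), Peer(APP_KEY)))
    print("key from APK   :", attacker_can_impersonate_phone(APP_KEY))
    # Constructed "sniffed" exchange, generated with the same stand-in key.
    sniffed_r1 = b"A" * 16
    sniffed_r1_prime = enc(APP_KEY, sniffed_r1)
    print("key confirmed  :", key_matches_capture(APP_KEY, sniffed_r1, sniffed_r1_prime))
```

The handshake itself is sound as a construction; what breaks it is key management. With one key baked into the app, extracting it once defeats authentication for every unit, and the same key unlocks any captured traffic. A per-device key provisioned at pairing (and never present in the APK) would keep the same message flow while removing that single point of failure.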

  • @Zetornator 2 months ago +2

    Did you use Google's android emulator to run the app on your machine?

    • @mattbrwn 2 months ago +1

      No. I was running that app on a real phone (emulator can't do BLE). Was using a program called scrcpy to view the phone on my computer.

    • @Zetornator 2 months ago

      @@mattbrwn I actually saw it a few minutes into the video when you started using the phone, but for sure thank you for sharing the name of the program, you are awesome! 🙌

  • @nkusters 1 month ago

    I just love this stuff. It tickles just the right spot without me having to actually spend the time myself 😅
    ❤from The Netherlands.

  • @Tongchai-Farang 3 months ago +1

    Hi Matt, great video about reverse engineering. I wonder whether it would be possible to do the same for the Piper Security Systems, which became obsolete a couple of months ago after the company decommissioned their service. I guess a lot of people (me included) would be grateful if there were a way to run those cameras without requiring Piper servers.

    • @mattbrwn 3 months ago

      I actually LOLed at this. Can't help because of reasons... Look me up on LinkedIn and you'll see ;)

    • @Tongchai-Farang 3 months ago

      @@mattbrwn oops, I understand - actually that wouldn't be reverse engineering, as you probably have all the info needed

  • @d3stinYwOw 3 months ago

    You need to buff up :D
    Seriously tho, great video and as always, I hope everyone learned something :)
    I want to do something like this myself :P
    Maybe some series about other side - how to design secure IoT devices?

  • @peytonk7367 3 months ago +1

    I'd imagine that you probably didn't just sit down in a single class to learn everything you know, so how did you come to know so much? Are you self-taught or did you take a small class, and it just grew from there over time?

  • @TESTA-CC 3 months ago +1

    Definitely Collecting Data of Average Weight, Height, Age, Ethnicity, Gender of The American Citizen.

  • @threeMetreJim 3 months ago

    For now it's a personal data problem. If you can fake the scale, and feed erroneous data back to the app for potential use by a doctor, who then uses it for the prescribing of medication, then you have a more serious and potentially dangerous problem. It may be difficult to keep up consistent bad data for a set of scales, but not impossible. Thankfully it's not a life-critical medical device.

  • @Jeff-ss6qt 3 months ago

    Is it 'stroke' as an analogue to a line being drawn through the plaintext?

  • @abdulhareez1827 2 months ago

    Bro, how long was the process of this R&D? From start till end, how many days did it take? I'm just asking to see the feasible or standard timeline if this translates to a project.

    • @mattbrwn 2 months ago

      Solid 3 days of focused RE.

  • @philc787 3 months ago

    Brilliant, well done

  • @TankR 2 months ago

    Most of the time it's not their product, it just has their branding on it for this market. You gotta find the factory district that made it and try to get ahold of a dev there.

  • @LokiCDK 27 days ago

    Is the Shopify website builder the new 5-minute wordpress templates for e-commerce sites? :D
    Also; you just put your feet on the Internet. So, yeah, that's going to be out there forever now.

  • @ZombieLurker 3 months ago

    I have a scale that looks exactly the same, but the center piece is round instead of square and the rectangular screen is vertical instead of horizontal. Wonder if this will work on mine too. The brand is Posture.

  • @replikvltyoutube3727 3 months ago

    Is it possible to do the same thing to a smart bracelet?

  • @noxos. 3 months ago +1

    Bro, could you please try to hack an Amazon Echo Show 5 2nd Gen. These devices run on Android, and if you could make a video on how you find out what the bootloader code is or enable ADB, that would be very helpful. The problem is that the Android is very locked down.

  • @mikehensley78 3 months ago +3

    Let's hack it to weigh megabytes, then show, in weight, your network throughput. :)

  • @StubbyPhillips 3 months ago

    But the name starts with a lower case "i" so it MUST be good, right?

  • @UNcommonSenseAUS 3 months ago

    Here we go again!

  • @UnCoolDad 3 months ago

    See how the Japanese do it - Omron have app connected medical devices too. I know there are 3rd party apps (such as MedM health) which can interrogate them. But unofficially.

  • @0xshaheen 3 months ago +1

    It would be wonderful if you showed us a reverse engineering project that you failed at because of good security practices.

  • @rmichaeldeutsch 3 months ago +1

    Is @mattbrown really 7 feet (213cm) tall?! 😲 (see 4:00 and 39:30)

  • @Real_MiLiTeK 3 months ago

    that's insane.. now hack another IoT device and modify it to steal the Wi-Fi password or other scary stuff. You can.

  • @r00ts3c0x1 3 months ago

    Can you do the same for the Chinese crap Deeper Network (Decentralized VPN, as they claim)?
    I was not able to do this.

  • @namesurname201 3 months ago

    For source code viewing, using jadx-gui may make it easier to track down xref definitions.

  • @replikvltyoutube3727 3 months ago

    "Bluetooth logs sent over a wire" xdd

  • @dwarf365 3 months ago

    I call BS on the 7' in the app.

  • @Krishell 3 months ago +1

    Damn. I have the withings 😂

    • @mattbrwn 3 months ago +2

      that scale looks VERY similar to the one I have...

  • @xianyukong-r1m 2 months ago

    Learned something from this.

  • @Billy-mu8yu 3 months ago

    Wow