DEV Community

Safia Abdalla

What I learned when I tried to hack my smart vibrator

I’ve owned a smart vibrator for a little over a year now. For those of you who might not be familiar, smart vibrators are vibrators that can be controlled by an app via a Bluetooth connection. Oftentimes, the app is connected to the Internet so a remote user can control the vibrator via the app. In that case, the remote user sends a message to the app and the app relays that message to the vibrator via Bluetooth.

I don’t do a lot of interesting projects with hardware or Internet connected devices, so I figured it would be fun to hack into my vibrator to learn a bit more about IoT devices. In this specific case, by "hack" I mean "reverse engineer the communication protocols that the vibrator and app used to communicate with each other." The particular vibrator I’ll be reverse engineering is the Vibease. Note to those of you who might be in an office, public library, or next to a nosy person on the train: that link will take you to an e-commerce page that sells sex toys. Hopefully, I saved you some unwanted awkwardness!

I started by doing a bit of research into Internet of Things devices that use Bluetooth in general. I figured, or I should say hoped, that there would be some sort of standardization or protocols around how Internet of Things devices utilize Bluetooth.

The first thing I figured out was the distinction between Bluetooth and Bluetooth Low Energy. Bluetooth Low Energy (sometimes referred to as Bluetooth 4.0) is a version of Bluetooth that uses less energy than prior versions. This is particularly advantageous for Internet of Things devices because it means they can run off battery for long periods of time. I can confirm this. I was pretty surprised by the number of uses that I could get out of my vibrator after a single full charge. This "low energy" distinction is a result of BLE modules remaining in "sleep mode" when not in use and thus using less energy. You can read a bit more about the differences at this link.

I decided to look around and see if there were any other articles written about reverse engineering Internet of Things devices and chanced upon this post. In the post, the author reverse engineers a smart light bulb. At this point, I don’t have the knowledge to brag, but I get the sense that what I’m trying to do might be a bit more difficult. For one, while an app that controls the color of a light bulb only needs to modify the color presented by the LED, a vibrator consists of several motors that sometimes need to be activated in tandem. Despite this, the post gave me some pretty good insights into BLE devices in general.

In particular, the article outlined how a peripheral device (like a vibrator) uses BLE to connect to services that represent different aspects of the device (like the battery or the motors of a vibrator) to read and write certain characteristics (like the battery level of the device or the rotations per minute on a motor). The article mentioned using an app called nRF Connect to interface with the Bluetooth device. I headed over to the App Store on my iPhone, downloaded the app, turned on my vibrator, and connected to it using the app.

Once I connected to the vibrator, the app detected three different services. The first was the Battery Service and the second was the Device Information service. It was pretty easy to deduce what each of these services was for from their names. I figured that they were both read-only services that allowed the app (and snoopy critters like me) to read information about the battery level and details about the vibrator. The third service was labeled as "Unknown" by the nRF Connect tool. I figured this is the service that is responsible for reading and writing the state of the motors on the vibrator.

A screen capture of the services detected by the nRF Connect app on the Vibease vibrator.

I decided to navigate over to the "Battery Service" to see what information I could find there. As I suspected, the "Battery Service" contains a single "Battery Level" characteristic that is "Read Notify" and contains a value of ‘0x64’. This is a hex (base 16) number that translates to 100 in decimal. It’s fully charged and ready to go!

A screencapture of the Battery Level characteristic on a Vibease.

I navigated to the "Device Information" service and noticed that it had several "Read" characteristics that pertained to the Serial Number, Model Number, and other details of the device. Here’s a screenshot of what that screen looked like with certain details obfuscated.

A screencapture of the Device Information service on a Vibease.

All this was fairly easy, but I still needed to figure out how the app interfaced with the motors. I navigated to the ominously named "Unknown Service" to see if I could figure anything out.

A screencapture of the motor services on a Vibease.

Interesting! This service contains a mix of "Read Notify" and "Write Without Response" characteristics. There are two "Read Notify" characteristics and two "Write Without Response" characteristics. I presume that each of those characteristics lines up with a motor on the vibrator. That is to say, the vibrator has two motors, each of which you can read data from and write data to. This was in line with the physical characteristics of the vibrator. It has a motor on each end, and they both operate independently of one another.
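The service list, the 0x64 battery reading and the "Read Notify" / "Write Without Response" labels above can all be derived from raw GATT data. The sketch below is an added example, not code from the original post or from Vibease: it shows why a scanner labels a service "Unknown" (its UUID is not a Bluetooth SIG assigned number) and how the property bitmask identifies the writable characteristics worth auditing. The vendor UUIDs and sample values are constructed; the property bits and the Battery / Device Information assigned numbers are the standard SIG values.

```python
import uuid

# SIG-assigned 16-bit IDs live inside the Bluetooth Base UUID:
# 0000XXXX-0000-1000-8000-00805F9B34FB. Anything else is vendor-defined.
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Subset of SIG assigned numbers for the services named in the post.
SIG_NAMES = {
    0x180A: "Device Information", 0x180F: "Battery Service",
    0x2A19: "Battery Level", 0x2A24: "Model Number String",
    0x2A25: "Serial Number String",
}

# GATT characteristic property bits. They describe which operations exist,
# not whether pairing or encryption is required to use them.
PROPERTY_BITS = [
    (0x01, "Broadcast"), (0x02, "Read"), (0x04, "Write Without Response"),
    (0x08, "Write"), (0x10, "Notify"), (0x20, "Indicate"),
    (0x40, "Authenticated Signed Writes"), (0x80, "Extended Properties"),
]

def from_short(short_id):
    """Expand a 16-bit assigned number to its full 128-bit UUID."""
    return uuid.UUID(f"0000{short_id:04x}{BASE_SUFFIX}")

def is_vendor_defined(u):
    s = str(u)
    return not (s.startswith("0000") and s.endswith(BASE_SUFFIX))

def label(u):
    """SIG name if known, else 'Unknown' (what a scanner app displays)."""
    if is_vendor_defined(u):
        return "Unknown"
    return SIG_NAMES.get(int(str(u)[4:8], 16), "Unknown")

def decode_properties(mask):
    return [name for bit, name in PROPERTY_BITS if mask & bit]

def decode_battery_level(value):
    """Battery Level (0x2A19) is one unsigned byte holding a percentage."""
    if len(value) != 1 or value[0] > 100:
        raise ValueError(f"not a valid Battery Level value: {value.hex()}")
    return value[0]

def writable_vendor_characteristics(table):
    """Writable characteristics in vendor services: the undocumented control surface."""
    found = []
    for svc, chars in table.items():
        if not is_vendor_defined(svc):
            continue
        for char_uuid, mask, _value in chars:
            props = decode_properties(mask)
            if "Write" in props or "Write Without Response" in props:
                found.append((str(char_uuid), props))
    return found

# Constructed GATT table mirroring the layout described in the post.
# The vendor UUIDs below are made up for illustration.
VENDOR_SVC = uuid.UUID("12345678-0000-4000-8000-aabbccddeeff")
GATT_TABLE = {
    from_short(0x180F): [(from_short(0x2A19), 0x12, b"\x64")],
    from_short(0x180A): [(from_short(0x2A25), 0x02, b"CONSTRUCTED-SN"),
                         (from_short(0x2A24), 0x02, b"CONSTRUCTED-MODEL")],
    VENDOR_SVC: [
        (uuid.UUID("12345678-0001-4000-8000-aabbccddeeff"), 0x12, b"\x00\x00"),
        (uuid.UUID("12345678-0002-4000-8000-aabbccddeeff"), 0x04, None),
        (uuid.UUID("12345678-0003-4000-8000-aabbccddeeff"), 0x12, None),
        (uuid.UUID("12345678-0004-4000-8000-aabbccddeeff"), 0x04, None),
    ],
}

if __name__ == "__main__":
    for svc, chars in GATT_TABLE.items():
        print(label(svc), svc)
        for char_uuid, mask, value in chars:
            print("   ", label(char_uuid), decode_properties(mask), value)
    print("Writable vendor characteristics:")
    for entry in writable_vendor_characteristics(GATT_TABLE):
        print("   ", entry)
```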

I noticed something a little strange with the two "Read Notify" characteristics that were associated with the motors. One characteristic read a value of '0x0000' (The screen-capture above shows a value of '0x0100' because I took it a while after I gathered the initial reading. I’m not sure why the value changed in the hour between me seeing it for the first time and me remembering to take the screenshot. More mysteries. Wow, this parenthetical is getting a little long…) which corresponded to a motor that was off (or, so I guess) and the other read a value of 'N/A'. At that point in time, the vibrator was on but not vibrating, so I found it strange that one motor would send a zero value and the other would send a null value. I decided to do a quick Google to see if this was a common issue with characteristics on BLE devices but couldn’t come up with anything useful.

Side note: Effective Googling is very difficult when you are learning something new, so I might not be formulating my queries in a way that brings up good responses. If you know something about BLE and why this might be happening, do let me know!

Anyways, I noticed that the nRF Connect app provided an option to write to characteristics that were writable. At this point, I did what any good engineer would do: I tested out random values. I tried sending '0x64' which corresponded with the decimal value 100 to see if the characteristic was setting the power level on the motor. No dice!

A screencapture of writing 0x64 to a motor on a Vibease.

I noticed that the zero value being read by one of the characteristics was a hex number with 4 places, so I tried sending '0xffff’ but that didn’t work either. Bother!

A screencapture of sending 0xffff to a Vibease.

So at this point, I figured I would try something else. Instead of guessing values, I would open up the Vibease app on my phone, set the vibration on the app, and see what values the "Read Notify" characteristic emitted. The tricky thing was that I couldn’t use the nRF Connect and the Vibease app on my phone at the same time, so I had to figure out some way to connect to the vibrator from my laptop. I found an app called LightBlue on the Mac App Store and figured I could try to use that to read the values on each of the characteristics while I controlled the vibrator from the app. For some strange reason, I couldn’t connect to the vibrator from my laptop while I was connected to it via the app on my phone. This actually isn’t strange, it makes total sense. If I were building a smart vibrator, I wouldn’t want multiple devices connected to it at the same time.

I decided to see if there were any Bluetooth sniffers for iOS. I wanted something that could run in the background and log all the messages sent over BLE from my phone. Knowing Apple’s focus on security, I figured that an app like this might not be available on an un-jailbroken iPhone but I tried my luck on it anyways. Some Googling led me to this StackOverflow post that provided some details about running Bluetooth in "Diagnostics Mode" on iOS. I wasn’t sure what kind of information I would be able to get out of the logs provided by Apple but I figured it was worth a shot. I ended up following the official instructions for Bluetooth logging on iOS linked to in the StackOverflow post to generate my log.

Side-note: What is it with Apple and all the outrageous key/button combinations they make you press to access diagnostic features on their products? I mean, I understand why they make it difficult for users to get to those features but geez I’m going to get arthritis by the end of all this!

The result of this diagnostic logging was a .tar.gz file located at the directory specified in the instructions referenced above. I unzipped the directory and discovered that it consisted of several diagnostics files.

Too many files to look through.

Oh boy, what did I get myself into now? At this point, I decided to utilize one of the most time-tested and expert-recommended problem solving techniques. It is called "click a bunch, read a bunch" and consists of opening and reading lots of files until you find one that makes sense.

I found a few files that seemed to be related to Bluetooth logging but opening them in Wireshark rendered some truly nonsensical data.

A Bluetooth log opened in Wireshark

I also found some files that referenced the Vibease app that I was using to control my vibrator. They ended up just being crash report files. It turns out that whenever I would try to connect to the vibrator from another device while the app was connected to it, the Vibease app would crash. Fun!

At this point, I’ve tried enough options to go back to the drawing board one more time. From doing some research, I discovered that sniffing BLE signals and getting a log that is fairly easy to parse in Wireshark was pretty trivial in Android. It felt like the Apple ecosystem was really limiting me here, then again I am new to this and might just be unaware of the right tools to use. I did some more Googling to see if there were any other Bluetooth sniffers available for iOS or Mac but didn’t run into anything. Most solutions recommended purchasing a device like the Ubertooth One, which is designed to help with Bluetooth experimentation. But this device has quite a hefty price tag. It retails for anywhere from 120 USD to 200 USD, a little out of my college student budget. I couldn’t find a way to sniff BLE signals on iOS from the phone the way it was done in Android.

I figured I would pause this little experiment here and post this blog post as is. If you consider yourself an expert in the Internet of Things and have some advice on how I should move forward, do let me know.

Although I didn’t reach my ultimate goal of reverse engineering the communication protocols used between my vibrator and its app, I learned quite a bit in this little adventure.

  • There is a lot going on under the hood when we use devices with BLE connectivity. It reminds me a little bit of those pictures showing what the world would look like if we could see WiFi signals. There is so much information constantly being transmitted that we are figuratively and literally blind to.
  • Running diagnostics on iOS apps yields a plethora of information. This is the first time I’ve profiled and logged my iPhone and it was interesting to see all the information available. I might end up doing something similar to diagnose issues with apps that I use that crash frequently. I might draft a blog post for it on here if I have the time.
  • Reverse engineering is fun (and sometimes frustrating).

Until next time!
