DEV Community

Safia Abdalla
Safia Abdalla

Posted on

What I learned when I tried to hack my smart vibrator

I’ve owned a smart vibrator for a little over a year now. For those of you who might not be familiar, smart vibrators are vibrators that can be controlled by an app via a Bluetooth connection. Often times, the app is connected to the Internet so a remote user can control the vibrator via the app. In that case, the remote user sends a message to the app and the app relays that message to the vibrator via Bluetooth.

I don’t do a lot of interesting projects with hardware or Internet connected devices, so I figured it would be fun to hack into my vibrator to learn a bit more about IoT devices. In this specific case, by "hack" I mean "reverse engineer the communication protocols that the vibrator and app used to communicate with each other.“ The particular vibrator I’ll be reverse engineering is the Vibease. Note to those of you who might be in an office, public library, or next to a nosy person on the train: that link will take you to an e-commerce page that sells sex toys. Hopefully, I saved you some unwanted awkwardness!

I started by doing a bit of research into Internet of Things devices that use Bluetooth in general. I figured, or I should say hoped, that there would be some sort of standardization or protocols around how Internet of Things devices utilize Bluetooth.

The first thing I figured out was the distinction between Bluetooth and Bluetooth Low Energy. Bluetooth Low Energy (sometimes referred to as Bluetooth 4.0) is a version of Bluetooth that uses less energy that prior versions. This is particularly advantageous for Internet of Things devices because it means they can run off battery for long periods of time. I can confirm this. I was pretty surprised by the number of uses that I could get out of my vibrator after a single full charge. This "low energy" distinction is a result of BLE modules remaining in "sleep mode" when not in use and thus using less energy. You can read a bit more about the differences at this link.

I decided to look around and see if there were any other articles written about reverse engineering Internet of Things devices and chanced upon this post. In the post, the author reverse engineers a smart light bulb. At this point, I don’t have the knowledge to brag, but I get the sense that what I’m trying to do might be a bit more difficult. For one, while an app that controls the color of light bulb only need to modify the color presented by the LED, a vibrator consists of several motors that sometimes need to be activated in tandem. Despite this, the post gave me some pretty good insights into BLE devices in general.

In particular, the article outlined how a peripheral device (like a vibrator) uses BLE to connect to services that represent different aspects of the device (like the battery or the motors of a vibrator) to read and write certain characteristics (like the battery level of the device or the rotations per minute on a motor). The article mentioned using an app called NRF Connect to interface with the Bluetooth device. I headed over to the App Store on my iPhone, downloaded the app, turned on my vibrator, and connected to it using the app.

Once I connected to the vibrator, the app detected three different services. The first was the Battery Service and the second was the Device Information service. It was pretty obvious to deduce what each of these services were for from their names. I figured that they were both read-only services that allowed the app (and snoopy critters like me) to read information about the battery level and details about the vibrator. The third service was labeled as "Unknown" by the NRF Connect tool. I figured this is the service that is responsible for reading and writing the state of the motors on the vibrator.

A screen capture of the services detected by the NRF Connect app on the Vibease vibrator.

I decided to navigate over the "Battery Service" to see what information I could find there. As I suspected, the "Battery Service" contains a single "Battery Level" characteristic that is "Read Notify" and contains a value of ‘0x64’. This is a hex (base 16) number that translates to 100 in decimal. It’s fully charged and ready to go!

A screencapture of the Battery Level characteristic on a Vibease.

I navigated to the "Device Information" service and noticed that it had several "Read" characteristics that pertained to the Serial Number, Model Number, and other details of the device. Here’s a screenshot of what that screen looked like with certain details obfuscated.

A screencapture of the Device Information service on a Vibease.

All this was fairly easy, but I still needed to figure out how the app interfaced with the motors. I navigated to the ominously named "Unknown Service" to see if I could figure anything out.

A screencapture of the motor services on a Vibease.

Interesting! This service contains a mix of "Read Notify" and "Write Without Response" characteristics. There are two "Read Notify" characteristics and two "Write Without Response" characteristics. I presume that each of those characteristics lines up with a motor on the vibrator. That is to say, the vibrator has two motors, each of which you can read data from and write data too. This was in line with the physical characteristics of the vibrator. It has a motor on each end, and they both operate independently of one another.

I noticed something a little strange with the two "Read Notify" characteristics that were associated with the motors. One characteristic read a value of '0x0000’ (The screen-capture above shows a value of '0x0100’ because I took it a while after I gathered the initial reading. I’m not sure why the value changed in the hour between me seeing it for the first time and me remembering to take the screenshot. More mysteries. Wow, this parenthetical is getting a little long…) which corresponded to a motor that was off (or, so I guess) and the other read a value of 'N/A’. At that point in time, the vibrator was on but not vibrating, so I found it strange that one motor would send a zero value and the other would send a null value. I decided to do a quick Google to see if this was a common issue with characteristic on BLE devices but couldn’t come up with anything useful.

Side note: Effective Googling is very difficult when you are learning something new, so I might not be formulating my queries in a way that brings up good responses. If you know something about BLE and why this might be happening, do let me know!

Anyways, I noticed that the NRF Connect app provided an option to write to characteristics that were writable. At this point, I did what any good engineer would do, I tested out random values. I tried sending '0x64’ which corresponded with the decimal value 100 to see if the characteristic was setting the power level on the motor. No dice!

A screencapture of writing 0x64 to a motor on a Vibease.

I noticed that the zero value being read by one of the characteristics was a hex number with 4 places, so I tried sending '0xffff’ but that didn’t work either. Bother!

A screencapture of sending 0xffff to a Vibease.

So at this point, I figured I would try something else. Instead of guessing values, I would open up the Vibease app on my phone, set the vibration on the app, and see what values the "Read Notify" characteristic emitted. The tricky thing was that I couldn’t use the NRF Connect and the Vibease app on my phone at the same time, so I had to figure out some way to connect to the vibrator from my laptop. I found an app called LightBlue on the Mac App Store and figured I could try to use that to read the values on each of the characteristics while I was controlled the vibrator from the app. For some strange reason, I couldn’t connect to the vibrator from my laptop while I was connected to it via the app on my phone. This actually isn’t strange, it makes total sense. If I were building a smart vibrator, I wouldn’t want multiple devices connected to it at the same time.

I decided to see if there were any Bluetooth sniffers for iOS. I wanted something that could run in the background and log all the messages sent over BLE from my phone. Knowing Apple’s focus on security, I figured that an app like this might not be available on an un-jailbroken iPhone but I tried my luck on it anyways. Some Googling led me to this StackOverflow post that provided some details about running Bluetooth in "Diagnostics Mode" on iOS. I wasn’t sure what kind of information I would be able to get out of the logs provided by Apple but I figured it was worth a shot. I ended up following the official instructions for Bluetooth logging on iOS linked to in the StackOverflow post to generate my log.

Side-note: What is it with Apple and all the outrageous key/button combinations they make you press to access diagnostic features on their products? I mean, I understand why they make it difficult for users to get to those features but geez I’m going to get arthritis by the end of all this!

The result of this diagnostic logging was a .tar.gz file located at the directory specified in the instructions referenced above. I unzipped the directory and discovered that it consisted of several diagnostics files.

Too many files to look through.

Oh boy, what did I get myself into now? At this point, I decided to utilize one of the most time-tested and expert-recommended problem solving techniques. It is called "click a bunch, read a bunch" and consists of opening and reading lots of files until you find one that makes sense.

I found a few files that seemed to be related to Bluetooth logging but opening them in Wireshark rendered some truly nonsensical data.

A Bluetooth log opened in Wireshark

I also found some files that referenced the Vibease app that I was using to control my vibrator. They ended up just being crash report files. It turns out that whenever I would try to connect to the vibrator from another device while the app was connected to it, the Vibease app would crash. Fun!

At this point, I’ve tried enough options to go back to the drawing board one more time. From doing some research, I discovered that sniffing BLE signals and getting a log that is fairly easy to parse in Wireshark was pretty trivial in Android. It felt like the Apple ecosystem was really limiting me here, then again I am new to this and might just be unaware of the right tools to use. I did some more Googling to see if there were any other Bluetooth sniffers available for iOS or Mac but didn’t run into anything. Most solutions recommended purchasing a device like the Ubertooth One, which is designed to help with Bluetooth experimentation. But this device has quite a hefty price tag. It retails for anywhere from 120 USD to 200 USD, a little out of my college student budget. I couldn’t find a way to sniff BLE signals on iOS from the phone the way it was done in Android.

I figure I would pause this little experiment here and post this blog post as is. If you consider yourself an expert in the Internet of Things and have some advice on how I should move forward, do let me know.

Although I didn’t reach my ultimate goal of reverse engineering the communication protocols used between my vibrator and its app, I learned quite a bit in this little adventure.

  • There is a lot going on under the hood when we use devices with BLE connectivity. It reminds me a little bit of those pictures showing what the world would look like if we could see WiFi signals. There is so much information constantly being transmitted that we are figuratively and literally blind too.
  • Running diagnostics on iOS apps yields a plethora of information. This is the first time I’ve profiled and logged my iPhone and it was interesting to see all the information available. I might end up doing something similar to diagnose issues with apps that I use that crash frequently. I might draft a blog post for it on here if I have the time.
  • Reverse engineering is fun (and sometimes frustrating).

Until next time!

Top comments (327)

Collapse
 
peterjohnson427 profile image
peterjohnson427

When I tried to hack my smart vibrator, I learned how vulnerable IoT devices can be. Security flaws allowed unexpected access, raising privacy concerns. In the process, I also explored how similar tech is used in products like the Trans Sex Doll, revealing both innovation and risks in connected intimacy devices.

Collapse
 
hannah_chan_cbd78e4901127 profile image
Hannah Chan

There are lots of hackers online, but not all of them are as professional as this genius Vadim Albert who helped me hack into an iPhone16 within 6 hours without the owner knowing. I could see all messages, Texts, WhatsApp, Snapchat and Facebook. I honestly was amazed at the things I found out, but I am glad I was able to see the kind of person I was dating. I could see all these from my own phone without physical access to the target's phone. Take this opportunity if you need help, reach Vadim on EMA1L: VADIMWEBHACK@GMA1L C0M
He also helped a friend of mine fix his credit and got his score from low 500s to over 750 within 2 weeks. I hope you don't miss out on this opportunity.

Collapse
 
ruby_palmer_0486dcf44a1d5 profile image
Ruby Palmer

Through thick and tin , SILVERCRACKX CORP are my heroes . The investment platform I had trusted betrayed me and took away my funds all in the name of investment. Seeing their advertisements online, I delved into investing with them thinking I had seen a once in a lifetime opportunity to make more money. The investment platform seemed legit, I was added to a WhatsApp group chat with more than a hundred members sharing ideas, testifying of making grand profits and successful withdrawals from the investment platform which I really fall for. In a short period I had invested $60,000 worth of cryptocurrency and watched my investment funds grow, the moment I requested withdrawals, everything changed. They had it planned all along to scam individuals seeking greener pasture through crypto investment, SILVERCRACKX CORP made me understand that the WhatsApp group was operated by the scammers themselves , that it wasn't a real WhatsApp investment group chat. My dreams of financial freedom were shattered making life hard for me in the process, all thanks to SILVERCRACKX CORP I was able to make recovery. Even when I lost patience in the wait, SILVERCRACKX CORP reassured me that recovery was a possibility requesting little patience to do their work, the wait finally came to an end with the news that my funds have been retrieved. I don't know what I could have done without the help of SILVERCRACKX CORP and their super amazing hackers assigned to my recovery case which made recovery a possibility . All glory is to God and thank you "SILVERCRACKX CORP" for answering in time of my great need, anyone who wishes to recover lost funds from scam should contact ( SILVERCRACKX @ GMAIL DOT COM OR TELEGRAM CHANNEL @ SILVERCRACKX ) to address your situation immediately.

Collapse
 
emilia_lena_19ec671a3ed08 profile image
Emilia Lena

I recently experienced a significant turning point in my life when I discovered the contact information for an expert known as; Remotespyhacker [ AT ] gm ail c 0m. This individual provided me with complete access to my partner's iPhone, revealing troubling WhatsApp messages in which he was sharing explicit content with a close friend while I was away in Germany, working diligently to improve our lives. Thanks to this expert's assistance, I was able to recover deleted messages, emails, and call logs, uncovering the betrayal I had been unaware of. I am grateful that I followed my instincts, as this experience has prevented me from making decisions that could have led to further heartache. Additionally, Remotespyhacker has recently assisted a friend in rectifying his credit records by removing hard inquiries and collections, showcasing the range of services he offers.

Collapse
 
amelia_olivia_9a11eb0e075 profile image
Amelia Olivia

I tried them out as well and they did great !. Thanks for posting about their good works. They helped me recover my lost crypto funds

Collapse
 
dylan_marshall_b1a2b81a22 profile image
Dylan Marshall

My losses in crypto investments though me the hard way, $60,000 worth of cryptocurrency lost within a blink of an eye to scammers. Seeing their advertisements online, their website looked legitimate with testimonies from investors of making successful withdrawals from the investment platform, I thought I had seen a once in a lifetime opportunity to make more money. I jumped at the opportunity thinking it was the right decision and ended up losing my hard earned funds, from the moment I couldn't make withdrawals on my request, on reaching out to the support group to verify the issue I got only silence from the investment platform. My advice to anyone who may have invested unwisely or is considering an uncertain investment is to consult recovery experts like c o r e a s s e t i n c RECOVERY FIRM before proceeding, they helped recover my lost investment funds something I never believed was possible again. The best way to contact them is through their email (COREASSETTINC @ GMAIL DOT COM) , SAVE YOURSELF BY CONSULTING THEM TODAY - THE WHOLE PROCESS IS WORTH IT.

Collapse
 
adam_westend_517dfcce752c profile image
Adam Westend

DARKRECOVERYHACKS TEAM is World’s Leading provider of investment Asset recovery , advisory and risk management solutions. It’s easy for a beginning investor to make mistakes out of exuberance, impatience, or even ignorance. But those mistakes can be costly, making them well worth avoiding.
In order to increase your gains and decrease your losses, it’s important to get a little savvy before you start investing. By the time you’re done with this , you’ll have a better idea of what kind of temperament you’ll need, what expectations are reasonable to have, and what strategies will serve you best. The more you know, the better you can do. At first contacting DARKRECOVERYHACKS TEAM in 2023 was through the help of a friend who was in a wrong investment but somehow managed to get out of it unscathed which at that time I thought was impossible and in my case there are only a few of the many cases of lost bitcoin fortunes. As of 2021, 20% of all Bitcoin is either lost or in wallets that can no longer be accessed, sadly this was the category my case fell in which tell us that privacy and security are a double-edged sword.While the private key used to access Bitcoin keep them secure, if the user forgets their key, the wallet can become permanently inaccessible or so I thought “DARKRECOVERYHACKS DIGITAL ASSET RECOVERY TEAM” worked their Magic and unlocked my wallet back in 2023. Come 2024 my cousin’s social account got picked off by a scammer who introduced me to an investment company that nearly made away with my small fortune anyways if you are a frequent reader online/websites you would be familiar with how the crypto space has it’s fair share of hackers and cybercriminal. It’s in my best interest to use this opportunity to point you to a direction where you’d be met with less scam or fake investment company as many new investors put too much faith in talking heads on financial TV programs or in hot stock tips offered by a friend or colleague. Contact DARKRECOVERYHACKS TEAM today.
Email : DARKRECOVERYHACKS at gmail. Com

  • TELEGRAM: DARKRECOVERYHACKS
  • You do not have to make the same mistakes I made, DARKRECOVERYHACKS TEAM’s got you.

A great lost investment recovery company must have a great team at their disposal to assist their clients in solving different hacking issues, it's only when a recovery expert serves her clients with truthfulness and reliability that it may produce great results. This has been an awesome journey for me, making instant recovery of my long lost finances through the help DARKRECOVERYHACKS .

Collapse
 
ryan_wickel_2fc41251b810f profile image
Ryan Wickel
  • Email: Karmarecovers at gmail dot com
  • Telegram Channel: KarmaRecovers I owe “KARMA RECOVERY” my life for assisting with my case and delivering the save of the year on the 7th of Dec when they retrieved my frozen assets from an investment company that concentrates on trading digital assets or trading foreign currency or dollar-gold contracts (also known as “forex”). In cases like mine that involves digital assets, clueless of an imminent fraud we victims are asked to buy virtual currency and transfer it to the scammer’s digital wallet or to a fraudulent trading platform, while sometimes we are told to download their mobile apps and visit their forex trading websites.It’s almost heartbreaking when I recount the strenuous Months of hardwork and tight budget I Faced just to invest into this Forex Trading hoping it will change my life sooner or later.The money I earned working were all sent to an offshore company that manipulates the trading app & website to display winning trades and outsized returns, encouraging me at the time to keep going. “KARMA RECOVERY” explained it same way I experienced it and I bet it’s similar with your experience too, how we victims never realize we are being defrauded as we are encouraged to start small.Then these fraudsters would also walk us through a successful withdrawal process to demonstrate the fraudulent website can be trusted, Fully convinced, we victims are nudged to invest more,don’t let ignorance cost you all you’ve ever worked for because Investment fraud is a real and serious problem, and it happens more than you realize. The Internet's wide reach and supposed anonymity are two attractive features for scam artists,I Plead with you all to not be tempted or fall for outlandish returns, particularly when returns are promised within weeks or months Because when it all came down to the early days of December.My once meager portfolio is now worth $250,000 and I had branched out into all sorts of speculative and risky investments with this investment company, going all in on the exhilarating combination of leverage plus risk. “You should sell out”, a college friend who had also jumped into the same fraudulent Forex Trading market with me texted, Only if we knew !. But I felt competitive and infallible. I’ll race you to a million, I wrote back. I doubt I’d be here today if i insisted on going ahead with that idea but luckily for me “KARMA RECOVERY” got to me on time to reverse a Christmas I could have celebrated on the streets. So this is how I got spooked of an impending Fraud, following my significant investments, on the 1st day of Christmas I decided to initiate a small withdrawal for Christmas but my request became impossible to complete.Suddenly, there are taxes, commissions, or fees that must be paid. Customer service problems are another common ploy. Typically, the only way to resolve matters is to increase the investment and any talk of withdrawing money gets pushback.In the wake of all this all I can say is while Investing your money is a great way to prepare for retirement and help your financial goals some investment opportunities are actually scams designed to steal investors money. It is essential that you know how to spot one before you give them your money or as you try to recover them,Send a detailed complaint email/text to “KARMA RECOVERY” now and the rest is history “KARMA RECOVERY” a name that send meaning to the Recovery World…
Collapse
 
christian_banks_b96b1500f profile image
Christian Banks

Recover your lost/stolen crypto funds with the assistance of recovery experts equipped with the necessary tools to carry out funds recovery process, imagine your hard earned funds disappearing in a blink of an eye investing into cryptocurrency and recovering it back with the assistance of HACKERS.

Sharing my story is to highlight C O R E A S S E T I N C R E C O V E R Y F I R M's incredible assistance in funds recovery and service to humanity, They know how to navigate the intricacies of the crypto realm with their vast network of contacts.

They told me they had helped many people retrieve their LOST FINANCES and assurance that my funds will be recovered, I really didn't believe them at first because of what I had been through, with the information I was able to provide for their investigation, they worked relentlessly making it possible for me to get back my lost funds, which I am eternally indebted to them.

I am eternally grateful for their exceptional recovery service and I recommend them for anyone out there seeking retrieval of their lost funds, investing into cryptocurrency is something I advise against for cryptocurrency enthusiasts harbouring ideas of going into cryptocurrency investments.

C O R E A S S E T I N C R E C O V E R Y F I R M professionalism, transparency and unwavering commitment to helping victims of scams exceeded my expectations, I thought I had lost my funds forever, but C O R E A S S E T I N C R E C O V E R Y F I R M made it possible for me to get back my $299,000 worth of cryptocurrency which I had invested into the fake platform.

Whenever I remembered my ordeal with scammers investing into cryptocurrency, it comes to my mind that so many people had already given up hope on ever getting back their funds because they had no idea about the possibility of recovery and didn't know how to go about solving the predicament.

C O R E A S S E T I N C R E C O V E R Y F I R M is your solution for anything cryptocurrency recovery related and a wake up call for scam victims seeking retrieval of their lost funds in the fight against fraud, it wasn't an easy ride to recovery, they will help you recover back your money as they did for me after weeks and months of uncertainty.

They can be contacted through Email or Telegram
( Coreassettinc @ gmail.com /@ Coreassetinc)

Collapse
 
brad_buckner_602a5d297cf3 profile image
Brad Buckner
  • EMAIL: Karmarecovers at gmail dot Com
  • Telegram Channel: KarmaRecovers SOMETIMES I’M GLAD I GOT SCAMMED BECAUSE IT MADE ME WAKE UP TO REALITY & STOPPED blaming myself over the near loss of my invested assets with the fraudulent CoinproFx and this is all because of KARMA RECOVERY whom I bumped into on my search for a Professional Recovery company.KARMA RECOVERY made a huge difference towards Retrieving my frozen investment account & asset.TRY TO UNDERSTAND WHAT I MEAN FROM THIS ANGLE ABOUT BEING GLAD I GOT NICKED BY A FRAUDULENT INVESTMENT;“Let’s not pretend that things will change if we keep doing the same things or nothing at all (we all need to get off our *ss and journey to ends of the world if we need to just to right our wrongs or make our situation better ). A crisis can be a real blessing to any person, to any nation. For all crises bring progress. Creativity is born from anguish, just like the day is born from the dark night. It’s in crisis that inventiveness is born, as well as discoveries made and big strategies implemented (This here about discoveries made; is exactly how I landed with “KARMA RECOVERY” who exceeded my expectations about recovery companies. He who overcomes crisis, overcomes himself, without getting overcomed. He who blames his failure to a crisis neglects his own talent and is more interested in problems than in solutions. Incompetence is the true crisis.The greatest inconvenience of people and nations is the laziness with which they attempt to find the solutions to their problems.This underscores the importance of a crisis action plan & the reason I urge us all who are guilty of not seeking for help when it’s required or not being able to find a reliable source, to contact “KARMA RECOVERY” company now !, engagement alone equips you to face and overcome these inevitable downturns that comes with virtual assets and investment .Let’s face it POST-INVESTMENT LOSS a lot of us scammed victims decide to live with this crisis or try to sweep it all under the rug in an attempt to try to bounce back from the shock and sometimes even go on starting a whole new investment hoping to avoid their last mistakes.If you're one of them, ask yourself this will my current investment plan or next market crash/Fraudulent Investment make you stronger, or weaker?. Will you rise to the challenge, and use your creativity and persistence to overcome the current or next immense hardship? Or will you complain, play the blame game, and let the situation get the best of you?. If you made it this far then this review is definitely for you & you should scroll back up to send a complaint now to KARMA RECOVERY because it’s clear no one remains the same after realizing that an investment that they put so much hope on was all a big scam to steal their money, Take a Positive Step Today !.
Collapse
 
john_castro_1a64f06bb80dd profile image
John Castro

I would recommend the best recovery team available to anyone who has been a victim of scam like i was a few weeks ago. I was able to recover my fund that i got scammed of, $112k in total. All thanks to Darek Recovery Service, you can contact them via email;( recoverydarek @ gmail. com ) They are very reliable and trust worthy.

Some comments may only be visible to logged-in visitors. Sign in to view all comments.