I’ve owned a smart vibrator for a little over a year now. For those of you who might not be familiar, smart vibrators are vibrators that can be controlled by an app via a Bluetooth connection. Often times, the app is connected to the Internet so a remote user can control the vibrator via the app. In that case, the remote user sends a message to the app and the app relays that message to the vibrator via Bluetooth.
I don’t do a lot of interesting projects with hardware or Internet connected devices, so I figured it would be fun to hack into my vibrator to learn a bit more about IoT devices. In this specific case, by "hack" I mean "reverse engineer the communication protocols that the vibrator and app used to communicate with each other.“ The particular vibrator I’ll be reverse engineering is the Vibease. Note to those of you who might be in an office, public library, or next to a nosy person on the train: that link will take you to an e-commerce page that sells sex toys. Hopefully, I saved you some unwanted awkwardness!
I started by doing a bit of research into Internet of Things devices that use Bluetooth in general. I figured, or I should say hoped, that there would be some sort of standardization or protocols around how Internet of Things devices utilize Bluetooth.
The first thing I figured out was the distinction between Bluetooth and Bluetooth Low Energy. Bluetooth Low Energy (sometimes referred to as Bluetooth 4.0) is a version of Bluetooth that uses less energy that prior versions. This is particularly advantageous for Internet of Things devices because it means they can run off battery for long periods of time. I can confirm this. I was pretty surprised by the number of uses that I could get out of my vibrator after a single full charge. This "low energy" distinction is a result of BLE modules remaining in "sleep mode" when not in use and thus using less energy. You can read a bit more about the differences at this link.
I decided to look around and see if there were any other articles written about reverse engineering Internet of Things devices and chanced upon this post. In the post, the author reverse engineers a smart light bulb. At this point, I don’t have the knowledge to brag, but I get the sense that what I’m trying to do might be a bit more difficult. For one, while an app that controls the color of light bulb only need to modify the color presented by the LED, a vibrator consists of several motors that sometimes need to be activated in tandem. Despite this, the post gave me some pretty good insights into BLE devices in general.
In particular, the article outlined how a peripheral device (like a vibrator) uses BLE to connect to services that represent different aspects of the device (like the battery or the motors of a vibrator) to read and write certain characteristics (like the battery level of the device or the rotations per minute on a motor). The article mentioned using an app called NRF Connect to interface with the Bluetooth device. I headed over to the App Store on my iPhone, downloaded the app, turned on my vibrator, and connected to it using the app.
Once I connected to the vibrator, the app detected three different services. The first was the Battery Service and the second was the Device Information service. It was pretty obvious to deduce what each of these services were for from their names. I figured that they were both read-only services that allowed the app (and snoopy critters like me) to read information about the battery level and details about the vibrator. The third service was labeled as "Unknown" by the NRF Connect tool. I figured this is the service that is responsible for reading and writing the state of the motors on the vibrator.
I decided to navigate over the "Battery Service" to see what information I could find there. As I suspected, the "Battery Service" contains a single "Battery Level" characteristic that is "Read Notify" and contains a value of ‘0x64’. This is a hex (base 16) number that translates to 100 in decimal. It’s fully charged and ready to go!
I navigated to the "Device Information" service and noticed that it had several "Read" characteristics that pertained to the Serial Number, Model Number, and other details of the device. Here’s a screenshot of what that screen looked like with certain details obfuscated.
All this was fairly easy, but I still needed to figure out how the app interfaced with the motors. I navigated to the ominously named "Unknown Service" to see if I could figure anything out.
Interesting! This service contains a mix of "Read Notify" and "Write Without Response" characteristics. There are two "Read Notify" characteristics and two "Write Without Response" characteristics. I presume that each of those characteristics lines up with a motor on the vibrator. That is to say, the vibrator has two motors, each of which you can read data from and write data too. This was in line with the physical characteristics of the vibrator. It has a motor on each end, and they both operate independently of one another.
I noticed something a little strange with the two "Read Notify" characteristics that were associated with the motors. One characteristic read a value of '0x0000’ (The screen-capture above shows a value of '0x0100’ because I took it a while after I gathered the initial reading. I’m not sure why the value changed in the hour between me seeing it for the first time and me remembering to take the screenshot. More mysteries. Wow, this parenthetical is getting a little long…) which corresponded to a motor that was off (or, so I guess) and the other read a value of 'N/A’. At that point in time, the vibrator was on but not vibrating, so I found it strange that one motor would send a zero value and the other would send a null value. I decided to do a quick Google to see if this was a common issue with characteristic on BLE devices but couldn’t come up with anything useful.
Side note: Effective Googling is very difficult when you are learning something new, so I might not be formulating my queries in a way that brings up good responses. If you know something about BLE and why this might be happening, do let me know!
Anyways, I noticed that the NRF Connect app provided an option to write to characteristics that were writable. At this point, I did what any good engineer would do, I tested out random values. I tried sending '0x64’ which corresponded with the decimal value 100 to see if the characteristic was setting the power level on the motor. No dice!
I noticed that the zero value being read by one of the characteristics was a hex number with 4 places, so I tried sending '0xffff’ but that didn’t work either. Bother!
So at this point, I figured I would try something else. Instead of guessing values, I would open up the Vibease app on my phone, set the vibration on the app, and see what values the "Read Notify" characteristic emitted. The tricky thing was that I couldn’t use the NRF Connect and the Vibease app on my phone at the same time, so I had to figure out some way to connect to the vibrator from my laptop. I found an app called LightBlue on the Mac App Store and figured I could try to use that to read the values on each of the characteristics while I was controlled the vibrator from the app. For some strange reason, I couldn’t connect to the vibrator from my laptop while I was connected to it via the app on my phone. This actually isn’t strange, it makes total sense. If I were building a smart vibrator, I wouldn’t want multiple devices connected to it at the same time.
I decided to see if there were any Bluetooth sniffers for iOS. I wanted something that could run in the background and log all the messages sent over BLE from my phone. Knowing Apple’s focus on security, I figured that an app like this might not be available on an un-jailbroken iPhone but I tried my luck on it anyways. Some Googling led me to this StackOverflow post that provided some details about running Bluetooth in "Diagnostics Mode" on iOS. I wasn’t sure what kind of information I would be able to get out of the logs provided by Apple but I figured it was worth a shot. I ended up following the official instructions for Bluetooth logging on iOS linked to in the StackOverflow post to generate my log.
Side-note: What is it with Apple and all the outrageous key/button combinations they make you press to access diagnostic features on their products? I mean, I understand why they make it difficult for users to get to those features but geez I’m going to get arthritis by the end of all this!
The result of this diagnostic logging was a .tar.gz
file located at the directory specified in the instructions referenced above. I unzipped the directory and discovered that it consisted of several diagnostics files.
Oh boy, what did I get myself into now? At this point, I decided to utilize one of the most time-tested and expert-recommended problem solving techniques. It is called "click a bunch, read a bunch" and consists of opening and reading lots of files until you find one that makes sense.
I found a few files that seemed to be related to Bluetooth logging but opening them in Wireshark rendered some truly nonsensical data.
I also found some files that referenced the Vibease app that I was using to control my vibrator. They ended up just being crash report files. It turns out that whenever I would try to connect to the vibrator from another device while the app was connected to it, the Vibease app would crash. Fun!
At this point, I’ve tried enough options to go back to the drawing board one more time. From doing some research, I discovered that sniffing BLE signals and getting a log that is fairly easy to parse in Wireshark was pretty trivial in Android. It felt like the Apple ecosystem was really limiting me here, then again I am new to this and might just be unaware of the right tools to use. I did some more Googling to see if there were any other Bluetooth sniffers available for iOS or Mac but didn’t run into anything. Most solutions recommended purchasing a device like the Ubertooth One, which is designed to help with Bluetooth experimentation. But this device has quite a hefty price tag. It retails for anywhere from 120 USD to 200 USD, a little out of my college student budget. I couldn’t find a way to sniff BLE signals on iOS from the phone the way it was done in Android.
I figure I would pause this little experiment here and post this blog post as is. If you consider yourself an expert in the Internet of Things and have some advice on how I should move forward, do let me know.
Although I didn’t reach my ultimate goal of reverse engineering the communication protocols used between my vibrator and its app, I learned quite a bit in this little adventure.
- There is a lot going on under the hood when we use devices with BLE connectivity. It reminds me a little bit of those pictures showing what the world would look like if we could see WiFi signals. There is so much information constantly being transmitted that we are figuratively and literally blind too.
- Running diagnostics on iOS apps yields a plethora of information. This is the first time I’ve profiled and logged my iPhone and it was interesting to see all the information available. I might end up doing something similar to diagnose issues with apps that I use that crash frequently. I might draft a blog post for it on here if I have the time.
- Reverse engineering is fun (and sometimes frustrating).
Until next time!
Top comments (27)
RECOVER YOUR LOST/STOLEN BITCOIN WITH THE HELP OF HACKERONE975
Hackerone975 @ gm ail. c om, a wonderful team, they helped me recover my lost money from scammers, I had just lost my husband at the time I was scam med $80,000 ,I felt like it was over for me, I was depressed and almost committed suicide but thanks to Hackerone975 @ gm ail. c om for coming to my rescue, deep thanks to Hackerone975 @ gm ail. c om for the good work, you guys are the best
After downloading some spy app which none worked on my cell phone, I almost gave up on finding out why my spouse keeps late at night and also receives calls at odd hours. Someone recommended a professional hacker so I thought I should give it a trial.OMG! It worked like magic! To cut the long story short, all thanks to fredvalcyberghost@gmail.com and you can text,call or whatsapp him on +15177981808 who hacked into my husband's cell phone. Now I read all his text messages without his knowing about it. I also listen to all his phone calls now. Thanks
At this point, I have come to the conclusion that men will always cheat no matter what, they might love and respect you and still cheat on you. My husband has made me believe that he can never cheat on me but he did. Most times at home his phone is the new best friend, always chatting, flirting and making secret calls. When I noticed all these, I went online to search for ways to track him down, as I was checking the comment section of a particular article, I came across this professional hacker and private investigator, I have doubt at first so I decided to drop him a mail on fredvalcyberghost@gmail.com after which I decided to give him a try and to my surprise, he tracked and spyed my husband’s device and I was convinced that he was cheating on me, i was able to monitor his device myself with the help of the Fred hacker. The hacker left an email address which can be contacted in case anyone needs help which is fredvalcyberghost@gmail.com and you can text,call and whatsapp him on +15177981808
Remotespywise specializes in providing reliable and efficient monitoring services to meet all your needs. Whether you're looking to keep an eye on your home, office, or any other space, Remotespywise team of experts is here to help. With Remotespywise, you can trust that your security and peace of mind are their top priorities. Their user-friendly interface and advanced features make monitoring easy and convenient for everyone. Don't wait any longer to secure your valuables and loved ones – book with Remotespywise today and experience the difference for yourself. Join countless satisfied customers just as myself who have already chosen Remotespywise as their go-to monitoring solution. All lost bitcoin, litecoin, ethereum wallets can be recovered through our well developed powerful wallet solutions already yielding great solutions. Contact REMOTESPYWISE @ GM AIL C OM.
The most reliable way to gain access to your partners phone without them knowing is through this guru Antonfasthack100@gmail.com. This man has successfully done different jobs for me since I got his contact 3 months ago. He helped me gain access to all my girl’s phone messages when I left the country on a business trip. I could see every chat in real time without her knowledge. This man also helped my best friend recover over 47,000 USDworth of bitcoins which he had lost to fake investments. I have never met anyone with such talent. His name is Anton and his contact information are below if you need him;
EMAIL: Antonfasthack100@gmail.com
WhatsApp: +.1..814..329..3675
TELEGRAM: +.1..254..251..0647
Cheating is the new trend of nowadays people find it difficult to be faithful to their spouse’s prolly due to lack of self respect or contentment but the good news here is you can keep tab on your cheating spouse to know if truly they worth giving your love and treasure before you lose them all. No other person than Hackerone975 Contact via hackerone975 @gmail com” is the real deal that can help you spy on your spouse’s phone to retrieve vivid cheat proof to clarify your claim and doubts. Write Hackerone975 now and be glad you did hackerone975 @gmail com
Few days ago I came online in search of a hacker that I could hire to do a spy job for me, it was very important so I needed a strong hacker for my job. I came across several reviews but I figured hackerone975 @ gmail com was well praised for doing similar jobs that I needed. I decided to give this hacker on google mail the job, he gave me 4 hours to wait for results and then he came in. I was more surprised when I was informed I could see everything like a website. I'm Grateful , everyone please reach out to him hackerone975 @ gmail com ; he is top notch
I caught my husband so many times through his chats and all about cheating on me and when i told him he always claims that he has changed and all. right now he hides his phone from me and i still guess he is cheating cause i could not break into his phone any more so i was referred to a hacker named FRED who i ran to for help and this hacker was able to break into his phone and proved me with the access to my husband phone without my spouse knowing about the hack. Right in my phone I have all my husband's daily activities . I got to read all his chats, texts, calls, WhatsApp, Facebook, and many more. This hacker is really great, thank you. Did you find this review helpful? contact him via Gmail fredvalcyberghost@gmail.com and you can text,call him on +15177981808
I had lost about £836,000 pounds worth of Crypto to a fake investment trading platform that tricked me into investing on their platform with the intent of earning a 16% daily profit. I was losing it all to a point that I couldn’t afford to take care of my bills and my Family. I was so ashamed of myself and was drowning in shame. I had to do a google search and came across RECOVERYBUREAUC Hacker, a Cryptocurrency Recovery Expert who has Special cyber skills in recovering stolen and lost crypto funds. I immediately reached the Expert out and explained my problem and RecoveryBureauC was able to recover 100% of my funds. I will recommend the Expert to any victim out there trying to recover their funds back.
Contact Info
Email: RecoveryBureauC @ gmail, c0m
WhatsApp: +1 835 227 9489
All my life I have been hearing about hackers but I never thought they were real until I was literally saved by this genius Alberto Vadim when I was being blackmailed by someone I met on a dating site. He helped me hackk into 2 iPhones within 5 hours and granted me access to them. I deleted the videos myself and had enough evidence to arrest them. IF YOU NEED HELP, I SUGGEST YOU CONTACT ALBERT VIA EMAIL: ANTONFASTHACK100@GMAIL.COM
I was constantly extorted because they had my n**de pictures. I lost over 27,000 grand because they threatened to post them on Facebook and tag all my friends and business associates, which I couldn't let happen. Alberto was introduced to me by a cousin of mine whom he had helped recover lost btc.
The most reliable way to gain access to your partners phone without them knowing is through this guru Antonfasthack100@gmail.com. This man has successfully done different jobs for me since I got his contact 3 months ago. He helped me gain access to all my man’s phone messages when he left the country on a business trip. I could see every chat in real time without his knowledge. This genius also helped my best friend recover over $47,000 worth of bitcoins which he had lost to fake investments. I have never met anyone with such talent. His name is Anton and his contact information are below if you need him;
EMAIL: Antonfasthack100@gmail.com
WhatsApp: +1 (814) 329‑3675
TELEGRAM: +1 254 251 0647
Contact Daniel for your crypto wallet recovery or credit repair, this is my testimony as a result of his service earlier this year, I contacted Daniel when I forgot the password to my wallet with over $860,000 worth of btc, I was on the verge of depression when I came across a review about Daniel on Quora and I reached out to him, for a fair price my account was recovered, I don’t even know how he managed to pull that off cause I’m still mind blown by it, I also introduced my friend Lisa to him for credit repair and he helped boost her credit score from 488 to 710, do reach out to Daniel via Danielkencyberservices@gmail.com and his phone number is 3213480606 if you need help.
When it comes to social media spying,he is the best, thats why i call him king of spying,facebook,skpe,instagram,whatsapp, telegram,icloud, and email hacking are so easy with him. i dont really care if you believe me or not, but one thing i am sure of is the fact that you will thank me for this information later, here is his gmail account. cyberdemoncracker@ gmailcom
Some comments may only be visible to logged-in visitors. Sign in to view all comments.