
"After purchasing a Bluetooth Low Energy (BLE) enabled mask with a programmable app for his family's "anything that glows" themed Halloween costumes, Bishop Fox senior security consultant Nathan Elendt discovered it was "shockingly easy" to load custom face images and control the mask with the app. "I found the app automatically scanned for, found, and then controlled my brand new, out-of-the-box mask without so much as a single authentication check, giving me some insight into how these masks worked," he wrote in a Thursday blog."
"Because they all use the same BLE protocol, Elendt surmised that if he found a way to reverse-engineer that, he could build his own controller - and then hack every similar Shining Mask within Bluetooth range. He also discovered that the Bluetooth communications between the app and masks are encrypted using AES-128 in ECB mode with a fixed key, and the key is publicly available on GitHub."
A senior security consultant purchased a BLE-enabled programmable LED Halloween mask and found the companion app automatically scanned for and controlled the new mask without requiring any authentication. Multiple mask brands share a common design and use the Shining Mask app and the same BLE protocol, enabling universal control of devices within Bluetooth range. The app-to-mask communications use AES-128 in ECB mode with a fixed key that is publicly available on GitHub. Using reverse-engineered protocol details, public code, and Bluetooth logs, the consultant built a custom controller on a low-cost Adafruit BLE Feather board capable of commanding nearby masks.
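As an added example (not code from the article, from Bishop Fox, or from the mask vendor), this Go program shows why the finding matters: under AES-128-ECB with a fixed key the same command always encrypts to the same bytes, so nothing in the ciphertext proves who sent it or that it was not altered, whereas an AEAD such as AES-GCM with a fresh nonce rejects any modified message. The key and the command bytes are constructed placeholders, not the real ones.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed 16-byte key standing in for a hard-coded one; not the real mask key.
var fixedKey = []byte("0123456789abcdef")

// ecbBlock encrypts one 16-byte block with no IV or nonce: this is all ECB does per block.
func ecbBlock(key, block []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	ct := make([]byte, aes.BlockSize)
	blk.Encrypt(ct, block)
	return ct
}

// EcbRepeats: with a fixed key and no nonce the same command always yields the same bytes.
func EcbRepeats(cmd []byte) bool {
	return bytes.Equal(ecbBlock(fixedKey, cmd), ecbBlock(fixedKey, cmd))
}

// gcmSeal is the AEAD alternative: fresh random nonce, output = nonce || ciphertext || tag.
func gcmSeal(key, cmd []byte) (cipher.AEAD, []byte) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead, aead.Seal(nonce, nonce, cmd, nil)
}

// GcmRejectsTamper: one flipped ciphertext byte fails the tag check; ECB has no such check.
func GcmRejectsTamper(cmd []byte) bool {
	aead, sealed := gcmSeal(fixedKey, cmd)
	ns := aead.NonceSize()
	sealed[ns] ^= 0x01 // corrupt the first ciphertext byte
	_, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	return err != nil
}
```

Sealing the same command twice with gcmSeal gives different bytes because of the fresh nonce, but even AES-GCM does not fix the design while every device shares one public key: the tag only proves the sender holds that key, so a real fix also needs per-device keys established during pairing.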
Read at Theregister