David Sopas – Web Security Researcher


01/03/19 IoT

BLE Surfing an Orienteering event

It was 2pm and more than 1500 individuals were getting ready to start an international Orienteering event. To me it was an opportunity to test my new BLE tool and, at the same time, learn more about the sports wearables people use nowadays – to know what to break next 🙂

So I positioned my crappy Android phone in the center of the event and just hit play.

After a couple of hours, I decided to check it out and I had 701 devices detected – a crazy number. Just out of curiosity I compiled the Top5 brands and devices:

  1. Garmin – 542 devices
  2. Polar – 86 devices
  3. Fitbit – 28 devices
  4. TomTom – 21 devices
  5. Samsung – 17 devices

Around 77% of the devices detected were Garmin. Huge market share.

Given that share, the Top5 devices were all Garmin:

  1. Forerunner 235 – 180 devices
  2. Forerunner 735 XT – 67 devices
  3. Forerunner 35 – 46 devices
  4. Forerunner 920 – 43 devices
  5. Fenix 3 HR – 30 devices

I already did some research on Garmin and TomTom, and also played with some Forerunner models: they show their real bd_addr (Bluetooth Address), which could be used to… track people. But this wasn’t the case here.
My real goal was to feed a large data set into my app and see how it handles rendering it on a map. No information was read from, and no connection was made to, any device.

Just out of curiosity: did you know that the Garmin watches alone had a value of around 180k?

08/12/18 IoT, My Events

Exfiltrate all the things at BSidesLisbon18

Last week BSidesLisbon was legendary. More than 400 attendees, beer, “pastel de nata” and of course – amazing talks.
This was my third participation as a speaker and first time co-presenting a talk with my friend and colleague Pedro Umbelino.

We worked very hard on this topic during the last year and we wanted to show two live demos at the event. It wasn’t easy, especially when a few hours earlier we scanned for BLE and NFC devices and there was so much noise 🙂

Credits: https://twitter.com/bsideslisbon

In the end, the smart bulb and NFC exfiltration demos went very well /* btw – we prayed a lot to the demo gods */ and we got nice feedback.
I would like to thank all the people that saw our presentation, which was packed as you can see in Coopers’ photo:

Credits: https://twitter.com/Ministraitor

You can see the whole presentation here – https://www.youtube.com/watch?v=3UJBAkl8Y2A.

To be honest, I didn’t watch many talks because I was always at the hallway con, brainstorming with my friends – but the ones I saw were very interesting.
Again the organization was at the top of their game and it’s a pleasure for me to be there each year.

In the end I said goodbye to BSidesLisbon in an amazing Cantonese restaurant.
Cya next year!

23/11/18 IoT, My Events

Part of my research shown on DEFCON 26

The video went public and I needed to share it with all my followers.

It was, as far as I know, the first time my research was presented at DEFCON. It was presented in the IoT Village by Erez Yalon, whom I have the pleasure to work with.
It covers privacy on IoT devices and how any user is vulnerable to that.

Personally it was another item I can tick off my bucket list… Checked!

17/10/18 Hardware, IoT

Opening a fingerprint + BLE smartlock – the smart way!

I got my hands on a smartlock that costs around 35€ on Amazon and unlocks using a fingerprint or the app (over BLE).
Honestly I don’t know the brand or model, but that is not something I really care about. What I wanted to check was – how hard is it to break this smartlock?

After a quick inspection I noticed that this lock had something covered up below the USB port (which is used to charge the battery). Using a sharp knife I scraped the covering off and… a screw appeared 🙂

C’mon… Really? I opened it and started disassembling the device.

I also needed to scrape away some parts, because this lock is supposed to be waterproof, so they had covered some wires.

In the end, we got a small PCB with a fingerprint sensor connected to it. I didn’t see any spring like in other locks and couldn’t manage to open it by shimming. But I saw a motor which was connected to the PCB by a white and a yellow wire.

I already played with some motors and similar devices on Arduino, and they usually only need some power to rotate. In this case, I was guessing that connecting the 3.7V battery to those PCB wires would make it rotate (or open).

I grabbed a couple of wires, to avoid soldering or damaging the lock, and connected them to the lock battery. Then I connected the wires to the PCB pads where the motor was connected.

And the lock opened. No fingerprint or BLE needed.

Check out the small video that I did – https://www.youtube.com/watch?v=VEjwV3LsLJ0

So I guess it takes around 5 seconds to open this lock using a direct connection to the motor.
The vendor claims it’s a strong lock… Anyone can break it in 5 seconds.

Screwdrivers rule! 🙂
