David Sopas – Web Security Researcher


08/12/18 IoT , My Events # , , , , ,

Exfiltrate all the things at BSidesLisbon18

Last week BSidesLisbon was legendary. More than 400 attendees, beer, “pastel de nata” and of course – amazing talks.
This was my third participation as a speaker and first time co-presenting a talk with my friend and colleague Pedro Umbelino.

We worked very hard on this topic during the last year and we wanted to show two live demos on the event. It wasn’t easy, specially when few hours earlier we scanned for BLE and NFC devices and there was so much noise 🙂

Credits: https://twitter.com/bsideslisbon

In the end, the smart bulb and NFC exfiltration demos went very well /* btw – we prayed a lot to the demo gods */ and we got nice feedback.
I would like to thank all the people that saw our presentation, which was packed as you can see on Coopers’ photo:

Credits: https://twitter.com/Ministraitor

You can see the all presentation here – https://www.youtube.com/watch?v=3UJBAkl8Y2A.

To be honest, I didn’t watch many talks because I was always on the hallway con, brainstorming with my friends – but the ones I saw they were very interesting.
Again the organization was on their top game and it’s pleasure for me to be there each year.

In the end I said goodbye to BSidesLisbon in an amazing Cantonese restaurant.
Cya next year!

no responses
17/10/18 Hardware , IoT # , , ,

Opening a fingerprint + BLE smartlock – the smart way!

I got my hands on a smartlock that costs around 35€ on Amazon which unlocks using the fingerprint or app (using BLE).
In reality I don’t know the brand and model but this is not something that I really care. What I wanted to check was – how hard was breaking this smartlock?

After a quick inspection I noticed that this lock had something covered below the USB port (which is used to power the battery). Using a sharp knife I scrubbed the thing up and… a screw appeared 🙂

C’mon… Really? I opened it and start disassembling the device.

I needed to scrub also some parts because this lock was supposed to be waterproof so they covered some wires.

In the end, we got a small PCB with a connected fingerprint sensor. Didn’t saw any spring like other locks and can’t manage to open it by shimming. But I saw a motor which was connected by a white and yellow wire to the PCB.

I already played with some motors and other devices like that on Arduino and they usually only need some power to rotate. In this case, I’m guessing that connecting the 3.7V battery to the PCB wires it will rotate (or open).

I grabbed a couple of wires to prevent soldering or damaging the lock and connected them to the lock battery. Than connected the wires to the PCB part that connected to the motor.

And the lock opened. No fingerprint or BLE needed.

Check out the small video that I did – https://www.youtube.com/watch?v=VEjwV3LsLJ0

So I guess you take around 5 second to open this lock using a direct connection to the motor.
The vendor claims its a strong lock… Anyone can break it in 5 seconds.

Screwdrivers rule! 🙂

no responses
30/09/17 Papers , Tips and Tricks # , , , , , ,

My notes on Hacking BLE – list of resources

My notes on Hacking BLE – list of resources

In the last few weeks I went for a drive into the Bluetooth Low Energy (aka BLE) topic.
There are many articles on the web on “how to hack BLE” and stuff like that, so this is just a compilation of the things I wrote on my notepad and my decision of sharing it with the community.

In a nutshell, what I did… Bought some cheap BLE devices and played around.

I start by scanning the device. Do some recon on it and then check what I can get from it. Sniffing, RE the mobile app, MiTM, etc.
At first I always scan for devices and enumerate the services and characteristics. BLEAH could be a good choice.

I tried different techniques but the one that I got better results was MiTM.
Sniffing in my opinion you need luck. Even if you have three Ubertooth covering all three advertisement channels – Uberteeth 🙂 you still need lots of luck and a faraday cage

For MiTM I use GATTacker. My lab is powered by a laptop with Kali installed and a Raspberry, with Raspbian installed. One is the central and the other is the peripheral. The rest is quite simple:

  1. Start the central
  2. Scan for devices
  3. Grab the device ID and scan the services and characteristics
  4. Send advertisements
  5. Turn on the bluetooth on your phone and run the mobile app
  6. Modify the dump file
  7. Replay
  8. Gameover

Eg of a smart lock showing the master key and my own key (in plaintext):

I’m still learning but I’m enjoying every step.

Some tips I learned along the way:

  • Start by reading specification (core and GATT) and learn how it works
  • Sometimes you need to change your bdaddr (MAC addr) to match the original device
  • Study the hardware and check what kind of approach is better (sniffing, MiTM, brute-forcing, etc)
  • You learn a lot by RE the mobile application
  • By reversing don’t forget to search for specific keywords – liked password, CMD, secret and stuff like (sometimes you get some low hanging fruits)
  • For alternative sniffing, use Android Bluetooth HCI snoop log
  • Be persistent, don’t give up on first sign of fail


Must read




I hope this article helps out newcomers in this BLE hacking and also help pros with a list of interesting material.
Feel free to send me more resources, I’ll keep updating.

Meanwhile follow me on Twitter – @dsopas to get the latest updates on my work.

no responses