Hacking the brush head of an electric toothbrush can rewrite the usage time



Some electric toothbrushes can recognize that a brush head is attached and notify you when it is time to replace it. One engineer noticed this function and hacked his toothbrush.

Hacking my “smart” toothbrush - The Twenty Percent

https://kuenzi.dev/toothbrush/



Engineer Cyril Kunji bought a Philips Sonicare electric toothbrush and learned that the brush head and handle communicate with each other so that the handle can tell you when an old head is due for replacement.

An NFC chip is embedded in the head, and various information can be acquired. The head information acquired by Mr. Kunji looks like this.



Mr. Kunji then checked the contents of the memory using an NFC tool and found that, for example, addresses 0x00 to 0x02 hold the unique ID and checksums, that address 0x22 reads '31:32:31:34' on the black brush head and '31:31:31:31' on the white brush head, and that the total usage time is recorded at address 0x24.

When he read the NFC chip of an unused brush head, the value at address 0x24 was '00:00:02:00'. This value does not change just by attaching the brush head to the handle, but increases with actual use. After 5 seconds of use, the value was '05:00:02:00'. When it exceeds 255 seconds, the value of the second byte increases; for example, it is '02:01:02:00' for 258 seconds. Kunji tried to overwrite this value, but failed because the address was password protected.
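The memory layout described above can be decoded as follows. This is an added example, not code from Kunji's post: it reads the first two bytes of address 0x24 as a little-endian second counter, which matches the three quoted values, and flags a counter that has gone backwards between two reads of the same head. The function names, the reading of address 0x22 as ASCII text and the UID bytes in the sample dumps are assumptions made for illustration.

```python
import struct

# Layout as reported in the article; each address holds 4 bytes.
PAGE_UID_FIRST, PAGE_UID_LAST = 0x00, 0x02   # unique ID and checksums
PAGE_HEAD_CODE = 0x22                         # differs between black and white heads
PAGE_USAGE = 0x24                             # total usage time


def parse_page(text):
    """Turn '05:00:02:00' into 4 raw bytes, rejecting malformed input."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}: {text!r}")
    return raw


def usage_seconds(page):
    """Bytes 0-1: little-endian seconds. Bytes 2-3 are not explained in the article."""
    seconds, _unexplained = struct.unpack("<HH", page)
    return seconds


def decode_head(dump):
    """dump maps address -> 'aa:bb:cc:dd' string as shown by an NFC reader app."""
    pages = {addr: parse_page(text) for addr, text in dump.items()}
    uid_area = b"".join(pages[a] for a in range(PAGE_UID_FIRST, PAGE_UID_LAST + 1))
    return {
        "uid_area": uid_area.hex(":"),
        # Assumption: the four bytes at 0x22 are printable ASCII digits.
        "head_code": pages[PAGE_HEAD_CODE].decode("ascii"),
        "usage_seconds": usage_seconds(pages[PAGE_USAGE]),
    }


def counter_regressed(earlier, later):
    """True if the usage counter dropped between two reads of the same head."""
    return (earlier["uid_area"] == later["uid_area"]
            and later["usage_seconds"] < earlier["usage_seconds"])


# Constructed dumps: UID bytes are made up; 0x22/0x24 values are those quoted above.
UID = {0x00: "04:a1:b2:9f", 0x01: "c3:d4:e5:f6", 0x02: "04:48:00:00"}
read_1 = decode_head({**UID, 0x22: "31:32:31:34", 0x24: "02:01:02:00"})
read_2 = decode_head({**UID, 0x22: "31:32:31:34", 0x24: "05:00:02:00"})

if __name__ == "__main__":
    print(read_1)
    print("counter went backwards:", counter_regressed(read_1, read_2))
```

Because the value only increases with real use, a lower reading on the same unique ID is a direct sign that the counter was rewritten.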

However, knowing that the required password was sent in plaintext, Kunji decided to read the communication between the brush head and the handle.

A picture of Mr. Kunji trying to read the RF signal.



Mr. Kunji used the open source radio reception software gqrx to receive the signal, which was output at 13.736 MHz, then recorded and decoded it and succeeded in obtaining the password. With it, he could freely change the usage time of the brush head.

According to Mr. Kunji, the brush head is set to permanently disable all writing if an incorrect password is entered three times, so this verification forced him to buy a new brush head.

Also, a separate password is set for each brush head. He tried to figure out how the passwords are generated, but could not work it out. Mr. Kunji is asking for help: 'If you can solve this puzzle, please contact me by email.'

in Note, Hardware, Posted by logc_nt