If you’re not yet familiar with the Damn Vulnerable Iot Device (DVID) project, I encourage you to read the project presentation page.
Goal of this challenge
One time password bluetooth device. This IoT device should work with an android application, but you don’t have it. The goal is to provide a screenshot of the password
Something is leaking on
Flashing the board
First things first, we are going to flash the firmware for this challenge onto the DVID board. In order to do this, we will use
avrdude and an USB AVR programmer. If you’re not familiar with
avrdude options I encourage you to read the flashing the board section of the first DVID writeup of this series. We will flash the board using this nice flash.sh script :
#!/bin/bash if [[ ! -d "./DVID/" ]]; then git clone https://github.com/vulcainreo/DVID fi pushd ./DVID/trainings/bluetooth/characteristics/ avrdude -F -v -p atmega328p -P /dev/ttyUSB0 -c usbasp -u -U flash:w:characteristics.ino.with_bootloader.arduino_standard.hex popd
Now, we will connect the DVID board to our computer using the USB AVR programmer, and start the script. When the AVR programming has completed, the board should restart and you should see this :
Solving the challenge
In this challenge, the IoT device sends informations using bluetooth characteristics on
0000ffe1. Firstly, we need to do a bluetooth scan to find the device. We can do this inside
scan on command. (and
scan off to stop).
Now that we found the IoT device, we can connect to it by typing
connect followed by the device’s bluetooth address.
To use bluetooth characteristics, we need to use a specific menu, called
gatt. To access it in
menu gatt to enter the
gatt menu and
back to exit the menu. In the
gatt menu we have access to many advanced features, such as listing attributes of a device, reading and writing data to bluetooth services :
We will now list attributes offered by the bluetooth device using
list-attributes command :
Looking at the screen of the DVID device, we can see a message “Something is leaking on
0000ffe1”, therefore we will try to interact with the characteristic
0000ffe1-0000-1000-8000-00805f9b34fb. To do this, we need to select the attribute using
select-attribute <uuid> command :
Then we need to
acquire-notify to connect to the stream and be able to read the values from the service/characteristic. We can then type
read to read the stream of values comming from the service/characteristic.
And we have the flag !