DVID Writeup 06 - Bluetooth - Characteristics 2
If you’re not yet familiar with the Damn Vulnerable Iot Device (DVID) project, I encourage you to read the project presentation page.
Goal of this challenge
A confidential message is stored on the firmware but protected by a password. The goal is to provide a screenshot of the confidential message
Flashing the board
First things first, we are going to flash the firmware for this challenge onto the DVID board. In order to do this, we will use avrdude
and an USB AVR programmer. If you’re not familiar with avrdude
options I encourage you to read the flashing the board section of the first DVID writeup of this series. We will flash the board using this nice flash.sh script :
#!/bin/bash
if [[ ! -d "./DVID/" ]]; then
git clone https://github.com/vulcainreo/DVID
fi
pushd ./DVID/trainings/bluetooth/characteristics2/
avrdude -F -v -p atmega328p -P /dev/ttyUSB0 -c usbasp -u -U flash:w:characteristics2.ino.with_bootloader.arduino_standard.hex
popd
Now, we will connect the DVID board to our computer using the USB AVR programmer, and start the script. When the AVR programming has completed, the board should restart and you should see this :
Solving the challenge
In this challenge, the IoT device sends informations using bluetooth characteristics on 0000ffe1
. Firstly, we need to do a bluetooth scan to find the device. We can do this inside bluetoothctl
using scan on
command. (and scan off
to stop).
Now that we found the IoT device, we can connect to it by typing connect
followed by the device’s bluetooth address.
To use bluetooth characteristics, we need to use a specific menu, called gatt
. To access it in bluetoothctl
, type menu gatt
to enter the gatt menu and back
to exit this menu. In the gatt
menu we have access to many advanced features, such as listing attributes of a device, reading and writing data to bluetooth services :
We will now list attributes offered by the bluetooth device using list-attributes
command :
Looking at the screen of the DVID device, we can see a message “Something is leaking on 0000ffe1
”, therefore we will try to interact with the characteristic 0000ffe1-0000-1000-8000-00805f9b34fb
. To do this, we need to select the attribute using select-attribute <uuid>
command :
Then we need to acquire-write
to connect to the stream and be able to write the values from the service/characteristic :
Now we can use the write
command to send data to the service/characteristic. The syntax is write "0xaa 0xbb 0xcc ..."
with the hex values of the data you want to send. For example hello
is "0x68 0x65 0x6c 0x6c 0x6f"
. Therefore, the final command is write "0x68 0x65 0x6c 0x6c 0x6f"
:
We can now see the flag on the DVID screen :
Additional references
- DVID Project on Github : https://github.com/Vulcainreo/DVID
- DVID Project site : http://dvid.eu/