Hacking Christmas Gifts: Brushing with Bluetooth

5 years ago Craig Young

If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye toward their possible security implications. Some of the risks discussed in this series may be over the top and even comical, while others may highlight realistic problems you may not have considered.

Over the years, I have seen quite a few seemingly absurd Bluetooth integrations into everyday products. Whether it is the “smart” hairbrush that listens to your hair or the toaster which gives a phone notification when the toast is ready, these inventions are a good reminder that not every household item needs to be connected. The toothbrush is definitely one of these devices that doesn’t need more computing power.

At least that’s what I thought until I accidentally bought some. After deciding it was time for the kids to have rechargeable electric toothbrushes, I ordered the Philips Sonicare for Kids on a whim and was rather surprised when they arrived sporting a Bluetooth logo.

Although I must admit I initially considered returning them unopened, my curiosity got the better of me, and I decided to have a closer look. The first and most obvious question, of course, is: what in the world does a toothbrush need with Bluetooth? It turns out that the brush is tied to a smartphone app that adds a game on top of brushing teeth. Within the game, the child is the adoptive parent of a cuddly creature who needs help brushing.

When the brush is activated, the app displays an animation to help the child learn how to brush and pace themselves properly. The child is rewarded with in-game presents and periodic achievement awards. The app also gradually increases the duration and intensity of brushing sessions over time until the child is used to a full 2 minutes at the brush's full strength.

The next day, I loaded the app on a spare Android device I tend to use for product testing. The first thing that happens when loading the Android app is that it asks for access to your local device file system; if the permission is rejected, the app will fail to start. If the permission is accepted, the user is prompted to create a kid profile.

You can upload a photo from your device or capture an image from the camera, but using the camera will require allowing the app access to take pictures and record video. It is unclear whether the shared storage access is required simply for finding photos on the SD card or if there may be some other functionality requiring this.

After a few days of use, my concerns with the permissions model grew to a new level when the app asked my child to allow the app access to the microphone. It turns out that the Sonicare for Kids app unlocks new features as rewards for continued brushing. One of these features is a mode where the creature will listen to the child and repeat what it hears in a funny voice.

A megaphone icon appears to control this feature, and when it is enabled for the first time, Android prompts the user about whether the microphone should be allowed. This is a typical Android behavior, but it definitely doesn’t sit well with me in this type of kid-focused app. A parent must set up the app for the child, and there is a PIN-protected parent dashboard within the app, yet the app inexplicably leaves this privacy decision to the child.

Application permission decisions should be made by the parent, not the child. On first load, apps like this should explain how each permission is used and let parents accept or deny each one ahead of time. Changes to these settings should be made in the PIN-protected parent mode, not during playtime.
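One way to structure that, as an added illustration rather than code from the Sonicare app: every runtime permission decision is taken in the PIN-protected parent dashboard, with its purpose shown up front, and playtime features only check whether the parent already approved (the class and map names below are assumptions).

```kotlin
// Added example, not the vendor's code: parent-gated runtime permissions for a
// kid-focused Android app. Uses only standard Android/AndroidX calls.
import android.Manifest
import android.app.Activity
import android.content.pm.PackageManager
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

// Hypothetical: a plain-language purpose for each permission, shown to the parent
// before any OS prompt appears.
val PERMISSION_PURPOSES = mapOf(
    Manifest.permission.RECORD_AUDIO to "Lets the creature repeat what your child says (a later reward feature).",
    Manifest.permission.CAMERA to "Takes a photo for the kid profile.",
    Manifest.permission.READ_EXTERNAL_STORAGE to "Picks an existing photo for the kid profile."
)

class ParentGatedPermissions(private val activity: Activity) {
    // Parent decisions; a real app would persist these (assumption: in-memory here).
    private val parentDecisions = mutableMapOf<String, Boolean>()
    private var parentModeUnlocked = false

    // Set by the PIN dialog of the parent dashboard.
    fun unlockParentMode(pinVerified: Boolean) { parentModeUnlocked = pinVerified }

    // Called only from the parent dashboard: record the decision and, if approved,
    // raise the Android prompt now, so the child never sees it during playtime.
    fun parentDecides(permission: String, allow: Boolean, requestCode: Int) {
        check(parentModeUnlocked) { "permission changes require parent mode" }
        parentDecisions[permission] = allow
        if (allow && !isGranted(permission)) {
            ActivityCompat.requestPermissions(activity, arrayOf(permission), requestCode)
        }
    }

    // Called by playtime features such as the megaphone mode. Never prompts: the
    // feature simply stays off unless the parent approved and the OS granted it.
    fun availableAtPlaytime(permission: String): Boolean =
        parentDecisions[permission] == true && isGranted(permission)

    private fun isGranted(permission: String): Boolean =
        ContextCompat.checkSelfPermission(activity, permission) == PackageManager.PERMISSION_GRANTED
}
```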

Moving past that and ignoring the inevitable problems that come from a child looking down at a screen while brushing teeth, I have to admit that it did help get the kids more excited about brushing. While using the device, I made a couple of observations about the way it operates, including some possible technical flaws:

  • The app is flaky.
    • It frequently loads the wrong kid profile.
    • It often thinks you got a new toothbrush.
    • It does not work when two toothbrushes are on and nearby.
  • Information flows in all directions.
    • Running the brush before the app is connected decrements the brush timer.
    • The app seems to specify the brush duration and intensity when connected.
    • The toothbrush sends observable BLE beacons if either button is pressed.

These limitations open the door for a rather trivial denial-of-service attack. An attacker could prevent someone from using the app while brushing simply by having another toothbrush nearby.

Even without a second toothbrush, the Bluetooth Low Energy (BLE) device itself can likely be spoofed using readily available tools. That being said, I'm not sure how many "attackers" there are out there (besides a bratty sibling or two) with an interest in interfering with a kid's tooth brushing.

The greater risk I see, stemming from the toothbrush’s Bluetooth interface, is that of information disclosure. Each time the toothbrush is used, whether with the app or without, it is transmitting Bluetooth beacons for anyone nearby to observe.

These beacons act as an information disclosure weakness, allowing someone outside the home to know when teeth are being brushed. A simple Bluetooth logging device left outside a home can easily recognize if a household has a regular routine. Although this isn’t exactly top-secret information, it definitely could hold value to a criminal performing reconnaissance before a break-in.

Further inspection of the toothbrush’s Bluetooth services may also reveal other sensitive information, but from what I can tell, it is unlikely that anything of interest is really stored on the device itself.

Beyond the risk of information disclosure, the app permissions together with the Bluetooth interface certainly raise the possibility (however unlikely) of a further device compromise through the toothbrush. If the app does not safely handle all incoming data, it could become trivial for an adversary to spoof a toothbrush that sends malicious responses.

The likelihood of this largely depends on what, if any, data is being transmitted from the toothbrush back to the app. Because of the broad permissions described above, a compromise of the toothbrush app would also allow the attacker to access the phone’s local storage and possibly also the camera and microphone.

Android app permissions can potentially be hijacked by other apps on the device through unintentionally exposed Intents or operating system weaknesses. Based on quick monitoring of the app's traffic (using HttpCanary), it is also sharing advertisement tracking details with Facebook. This is not generally something I like to see, especially in an app made for kids, but that's a matter for another post.

Overall, I’m still of the mindset that toothbrushes really don’t need apps or Bluetooth, but at the same time, I also can’t say that I didn’t find some value in my children being more motivated to brush.

While I don’t see this device as a large security or privacy problem, it does have its share of smaller ones. Some of the problems are fundamental to the design, while others can be mitigated or eliminated through relatively simple changes. From my perspective, the most basic step the vendor could take to improve this situation would be to simply restructure and clarify the permissions requested.

They may have a very good reason for needing access to the shared device storage, and if so, they should make this clear to the user before requesting the permission. Further, permissions that may not be needed until the child is using the app for playtime should be requested up front, along with information for parents. At the end of the day, though, I rate this product in the category of "questionable need" more so than "questionable security."

The post "Hacking Christmas Gifts: Brushing with Bluetooth" appeared first on Tripwire.

Source: Tripwire – Craig Young
