I have the Wyze version

"do they respond to my emails about security vulnerabilities in their products, ofcourse they dont" every IOT company ever 😂

Matt Brown. 28 years in look, 48 years of experience.

"S" in IoT stands for Security

Nice one, mate. Not only did you hack it, but you opened it up so people with that device can use it without the android app. That is genuinely useful and beneficial

You make such good videos, this is one of my new favorite channels. You look so genuinely stoked to be explaining what you've found and unraveled and it's definitely contagious. I get the same giddy feeling any time my digging unearths something interesting. That feeling of looking inside the black box and poking around is super unique and you capture it in all your vids. Appreciate you sharing, take care Matt

IoT thing has bad security = who could have know Chinese medical health IoT thing has bad security = who could have known They should have their license reviewed/revoked for not responding the security issues. :) Love your stuff!

The "S" in IoT stands for security. Great work, really interesting video.

To get BLE logs without the errors: `logcat -d | awk '{ if ($5!="E") print }' | grep -i ble` Just the errors: `logcat -d | awk '{ if ($5=="E") print }' | grep -i ble`

this man explains it so well. Learned so much in the past 3 months

Man very inspiring. But i noticed that is a bug in you decrypt script because at min 39:29 we can see body_bulding is 0.😊 Nice you are inspiring people and this kind of work is pushing companies to make better products and consumers to choose better products. Keep going.

Matt, thank you for being our eyes going through the Java packets to figure out the complete protocol paths. I am now on the edge of removing SmartTrack app that connects to my BT scale! Looking forward to the next episode after the IHealth binge! 😅🎉

I was just at my hackerspace yesterday where our primary volunteer dev was poking through our code and noticed that a path that really doesn't matter - the edge rfid controller telling the server 'hey I saw xyz card uuid' - was unauthenticated. In theory, someone could via wifi tell the server that a card was seen. It wouldn't unlock the door, it would only log that that card's user was seen recently. ...and it was immediately patched. (the doors were one of the first things built, and by someone else...so there is some sloppy security there. the rest is encrypted.

This is amazing Matt! I love watching your videos :)

I've been watching your video's non-stop since I discovered your channel. Very inspirational! I'm looking forward to future content. If I may ask: is there a device you'd recommend for a total beginner to get started with? I've even tried looking for purpose-built boards, but that doesn't really seem to be a thing.

Incredible! Thanks, both for the video and the large amount of work that it took to reverse engineer this. Well Done!

Super cool video! Will be sharing it with my colleagues 🎉 Ive often found that you can copy paste the jadx decompiled output to build your own client/server if for whatever reason rebuilding it in a different language would take too long.

Your videos are really interesting and informative and teach a lot about hardware hacking. The hardcoded credentials even in 2024 are a real problem... they could simply generate a hash from the name that the user creates, and then encrypt the traffic to send with the hash. By the way the 'double way' authentication is called mTLS, but I knew that it was used mainly in microservice architectures with kubernetes for example. Also, you are getting me more and more interested in actually giving a chance to Python. I really prefer to write in C, but when sending data over the network, python is less lines of code to write, and less time used overall.

This is a excellent video on reversing non-BT protocol level crypto via the mobile app. I was looking at a smart Bluetooth scale last year & found out it wasn't encrypting anything and sent stuff like Age, Gender, Height data in cleartext over the air

I don't think IoT and Health belong in the same sentence.

Comments about Wyze, woozy, and low Energy rainbow tables have become my favorite way to wake up Mondays. *That said nearly everything just edits a git repo and book diggity Shenjhau express* 🚂 SL SL SL

Learning a lot from these videos! They are probably using ”stroke” as a misnomer for "prime". As in R1' = enc(R1)

Man! This is really good video!

Hey Matt. thank you for your effort and videos. i really like to watch them and maybe also do a little bit of iot hacking when i have some time left. when you find some vulnerabilities are they new CVEs? i mean do you then register the CVEs in your name or is that not a topic of your hacking?

Keep it up!!! Love all these vids recently!!!

Great vid, did I spot a reference to the 1990s film Sneakers in the background on the phone at one point?

Masterbuilt? I just built mine! can't wait to see that video :D

R1_stroke likely refers to a way of writing that it's after the "encryption" round and is likely writen that way to write the " R1ʼ " or the R1 with a bar over both the R and 1 ways of writing the same thing. This is a common practice in the math/programming world for cryptography functions. The R1_stroke would then likely be named something closer to R1_prime but maybe there was a translation thing happening there or perhaps they didn't want to confuse themselves with the way a public key algorithm like RSA uses primes. Interesting video and the above are just my thoughts on something trivial in the video that ultimately doesn't matter for the reversing or security points made here.

Thanks Matt, I'm curious to see if someone will create some Home Assistant integration based upon your research.

LOVE YOUR VIDS MAN, REALLY GREAT STUFF

another great breakdown!

I just love this stuff. It tickles just the right spot without me having to actually spend the time myself 😅 ❤from The Netherlands.

You need to buff up :D Seriously tho, great video and as always, I hope everyone learned something :) I want to do something like this myself :P Maybe some series about other side - how to design secure IoT devices?

Hi Matt, great video about reverse engineering. I wonder whether it would be possible to do the same for the Piper Security Systems which have been becoming obsolete a couple of months ago after the company decommissioned their service. I guess a lot of people (me included) would be grateful if their would be a way to run those cameras without requiring Piper servers.

For now it's a personal data problem. If you can fake the scale, and feed erroneous data back to the app for potential use by a doctor, who then uses it for the prescribing of medication, then you have a more serious and potentially dangerous problem. It may be difficult to keep up consistent bad data for a set of scales, but not impossible. Thankfully it's not a critical to life medical device.

Lets hack it to weigh megabytes then show, in weight, your network throughput. :)

Definitely Collecting Data of Average Weight, Height, Age, Ethnicity, Gender of The American Citizen.

Bro, could you please try to hack an Amazon Echo show 5 2 Gen. These devices run on Android and if you could make a video how you find out what the bootloader code is or enable Adb that would be very helpful. The problem is that the Android is very locked down.

I'd imagine that you probably didn't just sit down in a single class to learn everything you know, so how did you come to know so much? Are you self-taught or did you take a small class, and it just grew from there over time?

Did you use Google's android emulator to run the app on your machine?

Is it 'stroke' as an analogue to a line being drawn through the plaintext?

I have a scale that looks exactly the same, but the center piece is round instead of square and the rectangular screen is vertical instead of horizontal. Wonder if this will work on mine too. The brand is Posture.

Most of the time its not their product, it just has their branding on it for this market. You gotta find the factory district that made it and try to get ahold of a dev there

Is it possible to do the same thing to a smart bracelet?

Is the Shopify website builder the new 5-minute wordpress templates for e-commerce sites? :D Also; you just put your feet on the Internet. So, yeah, that's going to be out there forever now.

Bro, how long the process of this RND. From start till end, took how many days? I just asking to see the feasible or standard timeline if this translate to the project.

Brilliant well done

Here we go again !

Is @mattbrown really 7 feet (213cm) tall?! 😲 (see 4:00 and 39:30)

See how the Japanese do it - Omron have app connected medical devices too. I know there are 3rd party apps (such as MedM health) which can interrogate them. But unofficially.

But the name starts with a lower case "i" so it MUST be good, right?

It would be wonderful if you show us a reverse engineering project that you failed because of good security practices

Can you do the same for the Chinese crap Deeper Network (Decentralized VPN) as per they claim. I was not able to do this

For the source code viewing using jadx-gui may be easier to track down xrefs definitions

that's insane.. now hack another IoT device and Modify to steal wifi password or another scary stuff. You can

I call BS on the 7' in the app.

Damn. I have the withings 😂

"Bluetooth logs sent over a wire" xdd

学习了

Wow