Run Mert Run

  • 5 minute read

Starting in 2020, due to the increasing impact of the Covid-19 pandemic in our country, I began doing sports with my sports coach through WhatsApp instead of going to the gym. Over time, my coach directed me to purchase various sports equipment such as a pull-up bar, weight set, and bench, and due to the ongoing pandemic, I had to expand to include a treadmill. Finally, the Voit Active treadmill with Bluetooth function took its place among my sports equipment.

Hacking Treadmill

As a security researcher who has tried to hack various electronic devices that I have purchased (such as “Don’t Just Say Printer!“, “It’s a Bird… It’s a Plane… It’s Drone!“, “and you, CPCR-505?“, “Spy Mouse“, “Escape from Imprisonment“), it did not occur to me to apply disproportionate power to the innocent treadmill. However, as the time I spent walking on the treadmill increased, the QR code on the treadmill’s panel began to catch my attention.

Hacking Treadmill

When I scanned the QR code with an app, I was directed to the address http://www.artiwares.com/app/treadmill/spax/, and from there to the page of the Gfit.INTL application on Google Play, which had many negative reviews and was developed by an unknown Chinese company. Since the treadmill supports Bluetooth, I decided to install the app, examine what commands could be sent, and identify potential malicious use scenarios.

Hacking Treadmill
Hacking Treadmill

During this research, I was aware that I would not be able to benefit from emulator-based dynamic analysis and various resources, as my favorite tool, the Genymotion emulator, does not support Apple M1 processors with macOS, as I mentioned in my article “Hooking on Android”

After installing the Gfit application on my phone and pairing it with my RunnerT treadmill, which has Bluetooth name, I saw that I could easily perform the basic functions of the treadmill, such as starting, increasing speed, decreasing speed, and stopping, through the app.

Hacking Treadmill
Hacking Treadmill

To learn about the commands sent to the treadmill by the app, I had to choose static code analysis or use the phone on which the app was installed. Since static code analysis seemed more practical, I started to examine the Gfit app with the jadx tool.

Hacking Treadmill

Since the code is hidden (obfuscated) throughout the app and I had no chance of doing dynamic code analysis on the emulator under the current conditions, I immediately gave up and saw what I could do with the phone.

I began to follow the steps in response to a message from someone experiencing a problem with Bluetooth packet sources on Samsung’s support page.

When I reached step 6, I sent start, increase speed, decrease speed, and stop commands to the treadmill through the Gfit application, and then moved on to the other steps and began analyzing the btsnoop_hci.log file with Wireshark.

Hacking Treadmill

When I looked at the first command that reached the treadmill using the filter btle.advertising_address == 62:00:a1:18:b5:22 on WireShark, I saw the value 01000000002603, which is the command to start the treadmill.

Hacking Treadmill

Next, I sent the treadmill the commands Hold/Pause (05000000002a07), set speed to 9 km/h (035a000000825b), set speed to 5.2 km/h (03340000005c39), and Stop (02000000002704) and saw the other values in parentheses on WireShark.

First, I decided to find out if the treadmill was vulnerable to a replay attack. To do this, I had to decide on the USB device and tool that would send the Bluetooth packets that I had obtained for the BLE-supported treadmill. For the USB device, the Parani-UD100 came to my aid, as I had used it in my article titled “The Blue Threat

It was time to find a tool to send packets, and I decided to proceed with bleah among the gatttool, bleah, and nRF Connect tools.

On the Kali operating system, I quickly listed the Services and Characteristics that I would need to send packets to the treadmill using the Generic Attribute Protocol (GATT) with the bleah -b “62:00:xx:xx:xx:xx” -e command.

Hacking Treadmill

After seeing the WRITE feature in the e54eaa57-371b-476c-99a3-74d267e3edae characteristic information, I sent the bleah -b “62:00:xx:xx:xx:xx” -u “e54eaa57-371b-476c-99a3-74d267e3edae” -d “0x01000000002603” command to the treadmill using bleah and saw that the treadmill started!

At this point, after learning that the treadmill was vulnerable to replay attacks, I decided to find out how these commands were constructed. Since the source code was hidden using the obfuscation technique and I was unable to perform dynamic code analysis, I downloaded and examined older versions of the Gfit application, and soon found that the obfuscation technique was not used in the 2017 version. When I compared the source code from 2020 and 2017 side by side, it was very easy for me to learn how the commands sent from the Gfit application to the treadmill were constructed.

Hacking Treadmill
Hacking Treadmill

When I quickly looked at the source code, the startTreadmill(long delayMillis) function was called to start the treadmill, then the mBleHelper.writeCommand(getControlCommand(1, 0, 0), delayMillis) function was called, and finally, the getControlCommand(int mode, int speed, int slope) function was called, which creates the 7-byte packet to be sent to the treadmill.


private byte[] getControlCommand(int mode, int speed, int slope) {
byte[] cmd = new byte[7];
cmd[0] = (byte) (mode & 255);
cmd[1] = (byte) (speed & 255);
cmd[2] = (byte) (slope & 255);
cmd[3] = 0;
cmd[4] = 0;
cmd[5] = (byte) (((cmd[0] + cmd[1]) ^ cmd[2]) + cmd[3] + 37);
cmd[6] = (byte) ((cmd[0] ^ cmd[1]) + cmd[2] + cmd[3] + 2);
return cmd;
}

I was able to create the output 01000000002603 by using the getControlCommand function with the variables mode = 1, speed = 0, and slope = 0 using Python. This way, I was able to generate all the commands from starting the treadmill (getControlCommand(1, 0, 0)) to increasing speed (getControlCommand(3, 5, 0)) using Python and send them to the treadmill using the Parani-UD100 and the bleah tool without the Gfit application.

Hacking Treadmill
Hacking Treadmill

When I came to try out the malicious use scenarios that came to mind,

  • I tried to increase the speed of the treadmill, which is 14 km/h, to 20 km/h (bleah -b “62:00:xx:xx:xx:xx” -u “e54eaa57-371b-476c-99a3-74d267e3edae” -d “0x03c8000000f0cd”) and found that it could only be set to a maximum of 14 km/h. (good news)
  • In the second scenario, when I sent the command to stop the treadmill while it was running at a speed of 14 KM per hour (bleah -b “62:00:xx:xx:xx:xx” -u “e54eaa57-371b-476c-99a3-74d267e3edae” -d “0x02000000002704”), I saw that the treadmill slowed down to 0 KM in the time it took to reach its current speed (if it was running at 14 KM per hour, it stopped in 14 seconds). However, when I sent the same packet twice in a row, it slowed down in 4-5 seconds and I thought that such a sudden drop in speed while running at high speeds could lead to an accident for the runner. (bad news)
  • Finally, when I sent a command to the treadmill to increase the speed of a person walking or running at low speed to 14 KM per hour in an infinite loop, as shown in the video below, I saw that the person tried to decrease the speed in a panic but failed, and therefore the possibility of an accident occurred. And when I think about a malicious person going to a gym that has purchased and made these treadmills available for use and sending this command to all the treadmills in order, I didn’t even want to imagine the crisis that would occur. (bad news)


    • In conclusion, I highly recommend considering the risks before purchasing or using this treadmill developed by an unknown Chinese company that cannot turn off its Bluetooth function. Hope to see you in the following articles.

    image_pdfShow this post in PDF formatimage_printPrint this page
    Total
    0
    Shares
    Tweet 0
    Share 0
    Share 0
    Share 0
    Share 0
    Related Tags

    Mert is a well-known and respected Cyber Security Researcher, Speaker and Blogger. He has been living and pursuing his career in the United States with an Alien of Extraordinary Ability visa (EB-1A), an employment-based green card, since October 2022.

    As of February 2023, Mert has been working at SOCRadar® Extended Threat Intelligence as the Head of Security Research & Operations. SOCRadar is a cybersecurity company committed to democratizing threat intelligence and providing superior cybersecurity solutions to thousands of companies in hundreds of countries. SOCRadar's mission is to provide organizations of all sizes with the tools to counter cyber threats.

    In his current position, Mert has been advising the CEO on strategic decisions that align with the company's mission, objectives, and overall goals.

    He has often overseen strategic initiatives by working closely with various departments, such as product development, sales, and marketing. Also, he has been managing the day-to-day operations of the Security Analyst, Support, and Professional Services teams to ensure efficiency, quality, service, and cost-effective management of resources.

    In addition, he has been driving innovation across the product by promoting new ideas and features.

    Besides that, he has been managing, mentoring, and supporting a cadre of threat researchers, threat hunters, security analysts, and technical content writers who research cyber threats, vulnerabilities, and trends.

    From October 2020 to September 2022, Mert demonstrated his expertise as an Executive Vice President / CISO of IT Security & Risk Management Group which incorporates Cyber Defense Center, Cyber Security Technologies, Cyber Security Architecture, Information Security & Risk Management teams (40 HCs) at Intertech. Intertech is an Information Technology subsidiary of DenizBank, owned by Emirates NBD

    From January 2018 to September 2020 as the Vice President, Mert was responsible for the management of Akbank's Cyber Defence Center (CDC) which incorporates Vulnerability Management, Threat Detection, Threat Response & Intel, and Security Engineering teams. (26 HCs)

    From 2007 to 2017 Mert was responsible for performing and managing penetration tests, malware analysis, security incident detection, and response as a Technical Lead in the Threat & Vulnerability Management team at IBTech. (Information Technology subsidiary of QNB Finansbank)

    From 2014 – 2016 Mert instructed Malware Analysis course in Cyber Security Graduate Program at Bahcesehir University.

    In 2003 Mert’s career journey began by discovering a security vulnerability on the e-portal web application of the Yeditepe University where he was studying at that time. After sharing his findings with the executives of the university, he was awarded an achievement grant and recruited as an Ethical Hacker. Mert graduated from Yeditepe University, Information Systems and Technologies in 2006 and Yeditepe University, Master of Business Administration program in 2010.

    From the beginning of 2011, Mert spoke at more than 30 technical cyber security conferences. In addition, he was invited as a guest speaker to more than 40 universities to share his cyber security career journey and his profession “Ethical Hacker” to the students as a role model.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You May Also Like
    Read More

    Antimeter Tool

    Generally I prefer writing my articles in Turkish and I support my articles with proof of concept codes, videos and small tools. In my previous article, I created a small tool called antimeter which scans memory for detecting and also killing Metasploit’s meterpreter. I did not expect that much interest…
    Read More
    0
    0
    0
    0
    0
    Read More

    WhatsApp Scammers

    Introduction I recently received my share of calls and messages from foreign cell phone numbers, disturbing almost everyone, especially in Turkey, who has used the WhatsApp application in recent days. Of course, as in my articles on other scams (Exposing Pig Butchering Scam, LinkedIn Scammers, Instagram Scammers), I rolled up…
    Read More
    0
    0
    0
    0
    0