Hack All The B00z3, Drink All The Things

A project log for AND!XOR DC25 Badge

We're going bigger, better, more Bender.

Hyr0n 06/11/2017 at 06:38

So when the world presents you with an internet of useless things, hack them. I mean, we bring burner phones to DC anyway, so why put apps on those phones when your badge can do the work for you? Actually, this IoT booze is pretty damn cool. Medea Vodka has a bottle which is decorated with circuitry and an IoT Bluetooth-controlled flexible PCB LED matrix. You typically download their app and it allows you to scroll messages on the bottle. The Medea phone app allows you to connect to anyone's bottle, but you are only supposed to connect to and scroll messages to bottles you own. Great party item. In fact, you should buy one and bring it with you to Vegas. ;)

We got some by just calling our local BevMo and special ordering it for just $32 (free shipping). Medea has a store locator too, but again, we've been successful going through BevMo and have even seen it at Costco. The vodka isn't bad either; make some hacker mules or screwdrivers. We attribute our sudden lack of progress at times to having bottles of vodka all around the workshop.

Integrating with these bottles was actually quite easy. At first we were capturing traffic with an Ubertooth and a Bluefruit BLE Sniffer, combing through the PCAPs in Wireshark to see how the thing talks. As it turns out, it didn't even require that. It uses an unencrypted iBeacon. Simply load up the handy dandy nRF Connect app and you can view all of the Bluetooth characteristics and attributes.

Turns out it has super sophisticated 4-factor authentication built in (the secret 4th factor of authentication: something you drink)... okay, you just tell it you have a MEDEA Service UUID and you're in. So we authenticated with the device as the interface was designed.

MEDEA_SERVICE_UUID{0xfb,0x34,0x9b,0x5f,0x80,0x00,0x00,0x80,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00} /** Little endian **/
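Since that byte array is stored little endian, it is easy to mix up which UUID you are actually looking for. The following is an added example, not the badge firmware or anything from Medea: it converts the little-endian array above to its canonical UUID string, walks the AD structures of an advertising payload to see whether that 128-bit UUID is advertised, and then only allows a connection if the advertiser's address is on an owner allowlist (the MAC values in the test are constructed samples).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Service UUID from the post, exactly as it appears over the air (little endian). */
static const uint8_t MEDEA_SERVICE_UUID[16] = {0xfb,0x34,0x9b,0x5f,0x80,0x00,0x00,0x80,
                                               0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00};

/* AD types for 128-bit service UUID lists (Bluetooth Assigned Numbers). */
#define AD_TYPE_UUID128_INCOMPLETE 0x06
#define AD_TYPE_UUID128_COMPLETE   0x07

/* Render a little-endian 128-bit UUID as the canonical (big-endian) string. */
void uuid_le_to_string(const uint8_t le[16], char out[37]) {
    snprintf(out, 37, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             le[15], le[14], le[13], le[12], le[11], le[10], le[9], le[8],
             le[7], le[6], le[5], le[4], le[3], le[2], le[1], le[0]);
}

/* Walk the AD structures (length, type, data...) and look for the given UUID. */
bool adv_has_service_uuid(const uint8_t *adv, size_t adv_len, const uint8_t uuid_le[16]) {
    size_t i = 0;
    while (i < adv_len) {
        uint8_t len = adv[i];
        /* A zero length or a length running past the payload is malformed: stop, never overread. */
        if (len == 0 || i + 1 + len > adv_len) return false;
        uint8_t type = adv[i + 1];
        if (type == AD_TYPE_UUID128_COMPLETE || type == AD_TYPE_UUID128_INCOMPLETE) {
            const uint8_t *data = adv + i + 2;
            size_t n = len - 1;                      /* data bytes after the type octet */
            for (size_t j = 0; j + 16 <= n; j += 16) /* list may hold several UUIDs */
                if (memcmp(data + j, uuid_le, 16) == 0) return true;
        }
        i += 1 + len;
    }
    return false;
}

/* Allowlist of device addresses for bottles you own (the "write down your MAC" step). */
typedef struct { uint8_t mac[6]; } ble_addr_t;

bool is_owned_bottle(const ble_addr_t *addr, const ble_addr_t *owned, size_t n_owned) {
    for (size_t k = 0; k < n_owned; k++)
        if (memcmp(addr->mac, owned[k].mac, 6) == 0) return true;
    return false;
}

/* The badge may connect only if the Medea service is advertised AND the address is yours. */
bool badge_may_connect(const uint8_t *adv, size_t adv_len, const ble_addr_t *addr,
                       const ble_addr_t *owned, size_t n_owned) {
    return adv_has_service_uuid(adv, adv_len, MEDEA_SERVICE_UUID) &&
           is_owned_bottle(addr, owned, n_owned);
}
```

Reversing the bytes shows the service UUID is 00000000-0000-1000-8000-00805f9b34fb, i.e. the Bluetooth base UUID with a 16-bit value of 0x0000, so matching on it alone tells you very little about which device you are talking to.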

Our code will have the details in it, but in general, if you ever find yourself developing an IoT device, authenticating purely based on the value of a service UUID is a little like this:

In fairness, this is transmitted in the clear and anyone can see it. And we only use it for bottles of Medea Vodka we own, which is why our function on the badge clearly lists which device you are connecting to, so you don't make the mistake of connecting to someone else's bottle... (write down your MAC). More importantly, we are telling you to GO OUT AND BUY MEDEA VODKA CUZ THE BOTTLE IS F#*ING COOL AND THE BOOZ3 ACTUALLY TASTES GOOD.

Now if you don't want to lug a bottle of booze around with you at the CON (not sure why), here's a side project for the mechanical engineer in you: First get some elbow grease, a butter knife, garden pruners, and some clamps...

Now you have a nice flexible LED matrix. Get some velcro and attach it to yourself, your backpack, or maybe you want some weird blinged-out choker necklace. Who knows? You can never have enough bling. Makes a nice companion to the badge, in addition to 750ml of booze.