Hacking a Herb Vaporizer to Set Its Temperature Limit From 190C to 6553.5C Remotely



Tonight my brain decided, instead of sleeping (why even bother trying, right?), to start a new short adventure in the Bluetooth Low Energy world. I’m a happy Crafty vaporizer owner and as I discovered by chance, I can access it using my laptop.

ble_1

BTLE is conceptually easy, you’ve got “descriptors”, each one with an unique identifier and each one is arbitrarily used by the vendor for configuration purposes, control of the device, etc by read or write operations. So, first thing first, let’s reverse their mobile application in order to identify interesting descriptors!

ble_2

Here it is, we can read and write stuff with no authentication whatsoever … so, let’s get evil, shall we? :)

How about writing to:

public static final UUID characteristicTargetTemperatureUUID = UUID.fromString("00000021-4C45-4B43-4942-265A524F5453");

The target temperature ( 190 C in my case ) is multiplied by 10 (don’t ask as someone vigorously pointed out, that’s “pretty common when you don’t have/want floating-point arithmetic, or you want to represent exact values for a certain precision” … it doesn’t really matter for the scope of this blog post, but now we’re all happy) and stored as two bytes, so let’s try to overwrite it with the maximum! -put evil laugh here-

ble_temp

Which should be a limit of 6553.5 Celsius degrees.

pew pew

BOOM BABY!!! I have no idea what happens if I turn it on now … it’s the only Crafty I have, and it’s not cheap, I’m not going to try, but the options are:

  1. Hopefully some firmware security measure blocks the device from melting.
  2. Device melts in your hands.
  3. Battery just dies before it melts.

How likely is 1 given there’s no security at all at the BTLE layer? Maybe some hardware security device? If anyone has a spare Crafty to try, let me know …

Disclosure

I can hear people screaming and what about responsible disclosure ?! … I don’t know why people give responsible disclosure for granted to be honest … I do this stuff for fun, if I need to start searching for contacts and wait for replies it becomes a job and it’s not fun anymore … ¯\_(ツ)_/¯

Bonus Level

On the info screen of the app, if you tap 5 times on the serial number and put the correct password, it’ll unlock some nice diagnostic menu … this is SHA256(password) :)

ble_3

Diagnostic menu options (also controllable via BTLE):

ble_3