Cyrill Künzi Finds a Security Flaw in an Unlikely "Smart" Product: an Electric Toothbrush

Finding an NFC tag in the disposable heads of a new electric toothbrush set off a challenge: capture its password over-the-air.

Electrical engineer Cyrill Künzi has reverse engineered a "smart" consumer device's in-built usage counter, revealing a surprisingly complex yet undeniably insecure system built into the most unlikely of devices: a toothbrush.

"After buying a new Philips Sonicare toothbrush I was surprised to see that it reacts to the insertion of a brush head by blinking an LED," Künzi explains. "A quick online search reveals that the head communicates with the toothbrush handle to remind you when it’s time to buy a new one. Looking at the base of the head shows that it contains an antenna and a tiny black box that is presumably an IC [Integrated Circuit]."

A scan of the accompanying documentation revealed a built-in radio operating at 13.56MHz, hinting that each locked-down head features an integrated Near-Field Communication (NFC) tag. "Indeed," Künzi notes, "when holding the brush head to my phone it opens a link to a product page."

Running the NFC Tools app on said phone revealed plenty about the tag built into the toothbrush head, including its type, storage capacity, data format, and that it's protected by a password with selected data blocks writeable only if the correct password is supplied. Investigating multiple different heads narrowed down what some of the memory locations store: unique IDs with a checksum, information on the color of the head's outer plastic casing, and the total time a brush head has spent brushing.

"Trying to overwrite the stored time is unfortunately unsuccessful, as this memory address is password protected," Künzi notes. "Luckily it turns out that the required password is sent in plain text! So all I need to do is to sniff the communication between the toothbrush and the head. When opening gqrx and tuning [a HackRF One software-defined radio] to 13.736MHz while holding the toothbrush close to the antenna, it is visible that the head gets polled multiple times a second. While brushing, the NFC polling takes a brief pause and the first burst of packets that follows updates the time counter. The first packets […] contain the password in plain text."

Decoded, the captured radio signal reveals the password — allowing the protected blocks of memory to be overwritten, including resetting the brush-time counter should you decide there's more life in a head than Philips would have you believe. "Unfortunately, the password of every brush head is unique," Künzi notes, "and this process of extracting it with an SDR is quite involved and requires special hardware. All my tries to guess the one-way function for generating the passwords failed."
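To make the two steps above concrete (spotting the password in the burst of packets after a brushing session, then reusing it to write the protected counter), here is an added example that is not part of Künzi's write-up or any Philips firmware. It assumes the tag behaves like an NXP NTAG21x: the reader sends READ as 0x30 plus a page number, WRITE as 0xA2 plus a page and four data bytes, and password authentication as 0x1B followed by the four password bytes, with every frame ending in the ISO/IEC 14443-3 CRC_A. The "capture" is constructed reader-to-tag frames, and the counter page number and password are made up for the demo; the real addresses are in the original write-up.

```python
# Added example, not code from Künzi's blog post. Decodes a constructed
# capture of reader-to-tag NFC-A frames, verifies their CRC_A, and pulls the
# plaintext password out of the PWD_AUTH command, then builds the frames a
# reader would need to replay it and zero a protected page.
# Assumption: NTAG21x-style command set (READ 0x30, WRITE 0xA2, PWD_AUTH 0x1B).
from dataclasses import dataclass
from typing import List, Optional

CMD_READ, CMD_WRITE, CMD_PWD_AUTH = 0x30, 0xA2, 0x1B


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: preset 0x6363, polynomial 0x8408, sent LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def frame(payload: bytes) -> bytes:
    """Append the CRC_A so the bytes look like what a sniffer would see."""
    return payload + crc_a(payload)


@dataclass
class Cmd:
    name: str
    page: Optional[int]
    data: bytes


def decode_frame(raw: bytes) -> Cmd:
    """Split one reader frame into command, page and data; reject bad CRCs."""
    body, crc = raw[:-2], raw[-2:]
    if crc_a(body) != crc:
        raise ValueError(f"bad CRC_A on frame {raw.hex()}")
    op = body[0]
    if op == CMD_READ and len(body) == 2:
        return Cmd("READ", body[1], b"")
    if op == CMD_WRITE and len(body) == 6:
        return Cmd("WRITE", body[1], body[2:])
    if op == CMD_PWD_AUTH and len(body) == 5:
        # The four password bytes travel in the clear right after the opcode.
        return Cmd("PWD_AUTH", None, body[1:])
    return Cmd(f"UNKNOWN_{op:02X}", None, body[1:])


def extract_password(frames: List[bytes]) -> Optional[bytes]:
    """Return the password from the first PWD_AUTH frame in the capture."""
    for raw in frames:
        cmd = decode_frame(raw)
        if cmd.name == "PWD_AUTH":
            return cmd.data
    return None


def replay_reset(password: bytes, page: int) -> List[bytes]:
    """Frames a reader sends to authenticate with a sniffed password, then zero a page."""
    return [frame(bytes([CMD_PWD_AUTH]) + password),
            frame(bytes([CMD_WRITE, page]) + bytes(4))]


# Constructed capture (not real sniffed data): two idle READ polls, then the
# burst after brushing: PWD_AUTH with the password in the clear, followed by a
# WRITE to the protected counter page. Page number and password are made up.
COUNTER_PAGE = 0x24                       # hypothetical page holding brush time
DEMO_PWD = bytes.fromhex("DEADBEEF")      # made-up per-head password
CAPTURE = [
    frame(bytes([CMD_READ, 0x00])),
    frame(bytes([CMD_READ, 0x00])),
    frame(bytes([CMD_PWD_AUTH]) + DEMO_PWD),
    frame(bytes([CMD_WRITE, COUNTER_PAGE]) + bytes.fromhex("0001A4C0")),
]

if __name__ == "__main__":
    for raw in CAPTURE:
        print(raw.hex(), decode_frame(raw))
    pwd = extract_password(CAPTURE)
    print("recovered password:", pwd.hex())
    for raw in replay_reset(pwd, COUNTER_PAGE):
        print("replay:", raw.hex())
```

The CRC check matters in practice: an SDR demodulation of a 13.56MHz exchange drops or flips bits regularly, and a four-byte "password" from a frame whose CRC does not verify is noise, not a key. Because the password is unique per head, the recovered bytes only unlock the head they were sniffed from, which is exactly the limitation Künzi describes.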

Künzi's full write-up is available on his blog.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.