Smart Vaporizer Leaves Bluetooth Connection Open

Vaporizers have grown in popularity lately, with some modern variants controlled through a dedicated mobile app. Not all of them, however, uphold basic security mechanisms to protect the configuration from unwanted, and even dangerous, changes that could put owners at risk or brick the device.

Italian security researcher Simone Margaritelli discovered that he could connect to his Crafty herb vaporizer from a laptop and change its maximum heat value to a temperature hotter than the sun’s surface. The vaping product uses Bluetooth Low Energy technology to communicate with compatible devices and accept and execute commands from them, but lacks defenses against remote access to its configuration.

To understand how the product worked, the researcher first reversed-engineered Crafty’s mobile app and identified the configuration descriptors for each function available. He then tried to connect to the product from a Linux-powered laptop with the help of a specialized tool that wirelessly accessed the services running on a Bluetooth gadget.

Margaritelli found he could read and write the limits for Crafty’s target temperature, a setting that lets the vaporizer heat up to a level indicated by the user, but not exceeding 210 degrees Celsius or 410 Fahrenheit. This is the maximum vaporization temperature permitted by the device.

The device has no authentication procedure to stop tampering with any of the options, so he tried to elevate the targeted temperature to the highest value allowed by the hexadecimal system used in the configuration: 6553.5°C / 11,828.3°F. Steel melts at about 1,510°C / 2750°F; the surface of the sun is 5,505°C / 9,941°F.

To repeat Margaritelli’s feat, a remote attacker would have to be within Bluetooth range of a Crafty. Theoretically, this would be up to 100m in an open field. In reality, the distance is drastically shortened, in part by physical obstructions and radio interference. It could be increased, though, with a directional antenna that can capture the Bluetooth signal from greater distances.

It is unclear what precautions Crafty has to prevent the heat coil from getting dangerously hot. The researcher did not test this limit: “BOOM BABY!!! I have no idea what happens if I turn it on now…it’s the only Crafty I have, and it’s not cheap” However, he surmised that there could be three possible outcomes, all disheartening:

1. Hopefully some firmware security measure blocks the device from melting.

2. Device melts in your hands.

3. Battery just dies before it melts.

How likely is 1 given there’s no security at all at the BTLE [Bluetooth connection] layer?” Margaritelli writes in a blog post.

Obviously, the battery would die well before Crafty got as hot as the sun but, depending on the resistance of the heat coil and the materials around it, the heat could damage the device to the point of becoming unusable. An attack of this type is unlikely to attract perpetrators, but Margaritelli’s research shows the frailty of internet-of-things devices.