Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Scope and target
The post analyzes popular white-labeled Bluetooth Low Energy (BLE) LED face masks (commonly sold as "Shining LED Mask") controlled by the Shining Mask mobile app. Because the same hardware/firmware is resold under many brands, any issue applies broadly. (bishopfox.com)

Core weakness
Masks accept control from any nearby BLE client with no pairing/a...

🔧 Technical Details

No-auth BLE GATT control: If a BLE device accepts unauthenticated writes, scan/connect and write to its control characteristic to change behavior. For Shining-style masks: commands to d44bc439-...-9600, notifications on …9601, data on …960a; chunk image uploads (~100B packets) and then select with IMAG. ([reddit.com](https://www.reddit.com/r/ReverseEngineering/comments/lr9xxr/comment/h14nm39/?context=3&utm_medium=web2x&utm_source=reddit))

Static-key app crypto reuse: Extract a hard-coded AES key by APK decompilation (e.g., with JADX) or reuse known keys from prior research; then AES-ECB encrypt command frames to fully emulate the app over BLE. ([bishopfox.com](https://bishopfox.com/blog/invasion-of-the-face-changers-halloween-hijinks-with-bluetooth-led-masks))

Hands-free drive-by spoofing: Program a small BLE microcontroller (e.g., Adafruit Feather nRF52840 + CircuitPython) to roam, auto-connect to ...

🤖 Agent Actions

I analyzed the repository and found an existing, relevant page to update instead of creating a new one:

  • Existing page: src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
  • This page already covers BLE fundamentals, enumeration, sniffing (Sniffle), and active control, making it the perfect place to add the Bishop Fox BLE LED mask hijacking techniques.

What I added

  • A concise, technical case study for Shining Mask-style BLE LED masks with:
    • Unauthenticated GATT control (no pairing/bonding)
    • Protocol details:
      • Command write characteristic: d44bc439-abfd-45a2-b575-925416129600
      • Notify characteristic: d44bc439-abfd-45a2-b575-925416129601
      • Image data characteristic: d44bc439-abfd-45a2-b575-92541612960a
    • Static-key AES-ECB command framing:
      • Frame: [len][ASCII op][args], pad to 16, AES-ECB with key 32672f7974ad43451d9c6c894a0e8764
      • Common ops: LIGHT, IMAG, DELE, SPEED, ANIM, PLAY, CHEC, DATS
    • Minimal Python helper to encrypt an op (LIGHT with 0xff)
    • Image upload flow: encrypted DATS handshake, then raw unencrypted chunks to …960a with format [len][seq][payload], ~100B payload per packet
    • Reversing methodology:
      • Extract static key via APK decompilation (JADX)
      • Use Android Bluetooth HCI snoop logs + Wireshark to map commands and UUIDs
    • Automated hijacking:
      • nRF52840 + CircuitPython scanning → connect → upload image → select → disconnect loop
    • Vendor mitigations: require pairing/bonding, authenticated writes, per-device secrets

I also updated the References section with:

  • Bishop Fox blog post
  • Shining Mask protocol GitHub document
  • Android Bluetooth HCI snoop logging documentation
  • Adafruit nRF52840 product page

Modification performed

  • File modified: src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
  • I preserved existing content and added a new “Case study: hijacking BLE LED masks (Shining Mask family)” section with compact, technical instructions and code.
  • I ensured the page still ends and begins with the required banners and includes a single consolidated References section.

If you want this content under another section (e.g., Pentesting Network), we could later refactor/duplicate via internal links, but to follow the repository’s current structure and the guideline to avoid unnecessary new pages, enhancing the existing BLE page was the best fit.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/invasion-of-the-face-changers-halloween-hijinks-with-bluetooth-led-masks

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Pentesting Network -> Bluetooth Low Energy (BLE) Attacks (new page) with subsections: Unauthenticated GATT Writes, Static-Key App Crypto Extraction (APK decompilation), Command Framing & AES-ECB, Automated Hijacking with nRF52/CircuitPython".

Repository Maintenance:

  • MD Files Formatting: 906 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
