Great article, the most interesting part of which is that you can lock yourself out of your toothbrush head after three wrong password attempts. I didn't dig into the data sheet for the NFC chip very deeply, but I imagine that it's just the default that the chip ships with. Or maybe Philips really wants that $25 for a new toothbrush head. :-)
EDIT: nope, not the default. From the data sheet, last sentence:
"To prevent brute-force attacks on the password, the maximum allowed number of negative password verification attempts can be set using AUTHLIM. This mechanism is disabled by setting AUTHLIM to a value of 000b, which is also the initial state of NTAG21x."
So Philips went out of their way to secure that toothbrush head. That's reassuring.
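An added example (not from the thread, Philips, or NXP) that decodes the NTAG21x ACCESS configuration byte where AUTHLIM lives and models the lockout the quoted datasheet sentence describes. The bit positions follow the NTAG213/215/216 datasheet; that a successful verification resets the failure counter is an assumption of this model, not something the thread states.

```python
# Added example: decode the NTAG21x ACCESS byte and model AUTHLIM lockout.
# ACCESS byte layout (NTAG213/215/216 datasheet, configuration page 1, byte 0):
#   bit 7 PROT, bit 6 CFGLCK, bit 4 NFC_CNT_EN, bit 3 NFC_CNT_PWD_PROT,
#   bits 2..0 AUTHLIM (000b = unlimited negative attempts, the factory state).
AUTHLIM_MASK = 0x07


def decode_access(access: int) -> dict:
    """Split the ACCESS byte into its named fields."""
    return {
        "prot_read_and_write": bool(access & 0x80),
        "config_locked": bool(access & 0x40),
        "nfc_counter_enabled": bool(access & 0x10),
        "nfc_counter_pwd_protected": bool(access & 0x08),
        "authlim": access & AUTHLIM_MASK,
    }


def set_authlim(access: int, limit: int) -> int:
    """Return ACCESS with AUTHLIM replaced by `limit` (0..7), other bits kept."""
    if not 0 <= limit <= 7:
        raise ValueError("AUTHLIM is a 3-bit field")
    return (access & ~AUTHLIM_MASK & 0xFF) | limit


class TagModel:
    """Toy model of PWD_AUTH verification with an AUTHLIM failure counter."""

    def __init__(self, password: bytes, authlim: int):
        self.password = password
        self.authlim = authlim
        self.failed = 0  # negative verification attempts so far

    def pwd_auth(self, attempt: bytes) -> str:
        # Once the counter reaches a non-zero AUTHLIM the datasheet says
        # verification is disabled permanently: every PWD_AUTH is NAKed.
        if self.authlim and self.failed >= self.authlim:
            return "locked"
        if attempt == self.password:
            self.failed = 0  # assumption: a good verification clears the counter
            return "ok"
        self.failed += 1
        return "nak"


if __name__ == "__main__":
    # Constructed sample: factory ACCESS 0x00 vs. AUTHLIM set to 3 as the article describes.
    print(decode_access(0x00), decode_access(set_authlim(0x00, 3)))
    tag = TagModel(b"\x11\x22\x33\x44", authlim=3)
    print([tag.pwd_auth(b"\x00" * 4) for _ in range(3)], tag.pwd_auth(b"\x11\x22\x33\x44"))
```

With AUTHLIM at 3, three wrong passwords are enough that even the correct one is refused afterwards, which is the failure mode the comment above describes.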
How long's it going to be before "smart" toothbrushes become the only option? Should I start stockpiling "dumb" toothbrushes now while I still can?
The other day I was trying to buy a pair of bathroom scales and it took me far too long to find one that just, you know, weighed things without also demanding I connect it to the Wi-Fi and download a smartphone app. How is this an improvement?
I hope that this is a warning to time travelers from the past and not a friendly welcome to time travelers from the future that are looking back on simpler times.
Wouldn't this open them to a DoS attack? Set your flipper to fire off bad password attempts at the store and now the entire aisle of toothbrush heads is silently disabled.
It’s 5-something in the morning and I can’t stop laughing at the mental image of some guy cackling maniacally in the toiletry aisle while DoSing toothbrushes.
I think a better write up would have front loaded that aspect.
Even titling it "How I locked myself out of my smart brush" or similar. If he wanted to be creative it could have had a Film Noir start but even in a technical write up you should start with interesting aspects.
I kind of hoped the conclusion would be that you could unlock hidden features in the brush head, increase the torque and reset the head so that you don't have to replace it.
But alternatively, since the head has an NFC tag, could you use it for stuff like a partnership with Marriott (open your hotel door with your toothbrush, so much convenience) or with transit companies to charge your monthly transit pass?
Possibilities of an NFC-enabled toothbrush head are infinite. The future truly is fascinating.
Right!?! NSFW features like the Oral-B brush has, where you can order a special brush that helps you relieve certain stress in the bedroom. With the modified Sonicare firmware, the brush won't stop after 2 minutes but keeps "brushing" until, well, you're 'done'...
Reminds me of the time I bought a lamp plug-in dimmer on Amazon, and I noticed that my "personal massager" was one of the "frequently bought with" items.
My wife and I had a lot of fun that night! Turns out the "personal massagers" work a lot better that way.
Mine doesn’t just blink; it keeps doing this annoying fast vibrate/noise whenever I stop brushing. So I was reading the article really hoping for an easy jailbreak at the end.
The tag is used to change the cleaning mode of the toothbrush automatically, to match the type of head you inserted. This makes it very easy to change heads during the same session.
It is also used to register how long you used that head. A warning is shown when the head should be replaced. After a few warnings you will no longer get them, just the LED to replace the head remains on. You can continue to brush your teeth without any problems. What I've found is that the warning comes at the right time, you really feel a decrease in cleaning efficiency around that time.
You can use heads without the chip and they work. You just have to select the proper mode from the handle manually. Or not.
The early versions have a defect where when you push to insert the head, you also push to open the handle. With time, water will get in and the toothbrush will stop working. Not sure about the latest versions.
The bristles wear out. Their heads wear out but they also become soft from all the vibration so they don't push as hard on the teeth. Also gunk might accumulate depending on how carefully you rinse it.
Still better than a manual brush even in that state.
No, it doesn't appear so. It seems the bristles do wear out somehow, to me it appears that they simply become less stiff over time. The change to a new brush head is noticeable.
This should be relatively easy to verify. One could take a new brush head and forward its counter to the limit, directly comparing it to a new unmodified brush.
This is a good question, but people are pretty sensitive to pitch changes, I think we would detect the motor slowing down.
It would be super easy to reveal as well. A family member with the same toothbrush, your head finishes first. Motor slows down, pitch goes down. Compare the two. Replace the old head, now they're the same. Scummy practice revealed. Scandal.
That said. I'm not totally sure on the mechanism that all electric toothbrushes use.
It's much harder to detect subtle amplitude changes.
A few years ago I reverse engineered my Oral-B (Braun) toothbrush in order to change the color of the brush (handle) to one of my liking, without being constrained by the pre-set colors available in smartphone app. (Which I think now also requires you to log in)
I'd like to skip the whole "smart" toothbrush phase and go straight to the "smart ass" toothbrush, which razzes me about my sugar intake and gossips with the toaster behind my back.
As a bachelor who lives alone, it would actually be very motivating if I overheard my appliances making hushed comments about how I "look a little more plump than usual."
It's a toothbrush. Why does it need all this tech and an app?
It's better to think about sustainability.
I had an Oral B IO electric toothbrush. The retail price is nuts and the brushes are expensive and can't really be recycled. Imagine millions of these out there slowly rotting.
I gave up on the IO and bought this one instead. Simple design and battery lasts longer too.
Analogue/manual toothbrush is like 1-2 Euro. The product you are promoting is 85 Euro. Assuming my normal toothbrush lasts 3 months, for 85 Euro I have backup for 21 YEARS. Spare ones are for ~5.6 EUR a piece.
I will stay with using my hand ;-)
Electric toothbrushes are more efficient at removing plaque and help to avoid gum disease.
If your immune system doesn't react so aggressively to plaque then yes manual tooth brushes are cheaper and you have many sustainable options in this space, i.e. toothbrushes with a wood handle etc.
This is a nice idea. The problem is longevity. I'd be willing to bet this product disappears after a few years (best case scenario) and you are left with no ability to buy new heads and end up binning the brush. So net net you probably waste more than buying a Philips/Oral-B brush that likely has 10+ years of support for brush heads, which have a far lower environmental impact than replacing the brush. In terms of cost, if you buy the well known brands when they are on sale, they're generally pretty cheap. I'll admit they do try to sting you if you buy at RRP.
Some electric toothbrushes really are better than a manual one. Very light pressure and let the super high cyclic rate do the job.
I love my sonicare. The only thing I would change is the 2 minute shutoff. I have all of my wisdom teeth and never had braces, so I need more time for a good job, but the actual cleaning performance is great. I literally had a hygienist say "Your home care is excellent".
I don't know if it needs this much tech, but if people will buy it, they're gonna make it.
I guess this is one of the downsides of ubiquitous cheap electronics --- DRM everywhere. A similar thing happened relatively recently with label printers: https://news.ycombinator.com/item?id=30420918
All my tries to guess the one-way function for generating the passwords failed.
In case anyone else wants to try having a go at this (without inspecting the firmware): ignoring the first and last two bytes of the UID, we see that 79 is farther from EC and D7 in a similar way that FF is far from 61 and 67, and EC and D7 look closer together too. I wonder if they used "real" crypto or just a simple XOR/shift/add/sub cipher.
(Unfortunately they've requested the schematics/block diagram/functional description to be kept "permanently"[1] confidential, and the inside photos are difficult for me to make out the part numbers on the MCU and other components.)
[1] I wish those who have been leaking secrets about our government would've gone after stuff like this instead of things like the NSA...
I’ll never forget when my damn sonicare toothbrush app warned me about my iPhone being jailbroken. Had to have been a troll by the creators of the app since not even some of my banking apps had that warning.
When I rooted my android phone a few years back, all of my banking apps worked (I had to use magisk hide for some I think) but the only app that would not work was the McDonald's app... Not that I needed it, I never go there, but I thought it was funny that their app was more "secure" than some banking apps.
As a security professional, I often get asked whether adding a root check is advisable. My general recommendation is to go ahead and implement it, but with a focus on data collection rather than taking action. For instance, you can log if a user is using a jailbroken or rooted device, without interfering with their experience. The responsibility for running a secure operating system lies with the users themselves, not the application. Applications that attempt to restrict how users utilize the app can be likened to malware.
Now, there might be instances where a business executive argues in favor of DRM or ensuring that certain coupons are limited to specific regions. In such cases, it's sometimes suggested as a requirement to verify if the app is running in a simulated environment or is rooted. However, I can assure you that if you lock some kind of value behind this check and then rely solely on the operating system to provide this level of security, there will eventually be clever hackers who find ways to bypass the protection. The same principle applies to business-to-business apps that demand extensive control. In such situations, you need to rely on other software solutions or provide dedicated hardware. It's important to refrain from attempting to take ownership of my device, considering it's already under the control of Apple or Google anyway... /sarc. If you require stronger guarantees, I suggest reaching out to them.
I wouldn't be surprised if the apps did notice, but didn't take any action because it might be a hairy legal problem if they get between you and your money.
https://arstechnica.com/gaming/2020/01/unauthorized-bread-a-...
The absolute personification of Chaotic Neutral
Deleted Comment
(just kidding)
https://www.reddit.com/r/UnusualVideos/comments/13uv1ym/forr...
Turned it into a Go library: https://github.com/raqbit/goralb
https://www.trysuri.com/
have to use your hands?? that's like a baby's toy!
That's why I bought this toothbrush to support them.
But if everyone thinks that this startup is not going to make it then yes, they probably won't exist in a few years' time.
(...and people have come up with a "modchip" to bypass that restriction already: https://www.eevblog.com/forum/reviews/dymo-550-thermal-print... )
There's more info about the device itself here: https://device.report/philips-oral-healthcare/hx68