Flogging a dead smart horse

Connected stuff is getting everywhere, even in to managing the health of your connected horse. Yes, really.

One Friday afternoon after PTP lunchtime drinks in the pub, we bought an ‘Orscana’ horse tracking device. It sat on the shelf for 13 months until (after another session in the pub over lunch today) we decided to reverse engineer it.

Guess what, it features pretty much zero security.

This is it:

The device is hung under a horse rug, designed to measure the temperature around the hip socket area. A bit like an equine Fitbit, it’s supposed to measure what your horse has been up to. Assess your horse comfort…

It also appears to be possible to store horse data in the app. I wonder if horse privacy is covered by GDPR?

Bluetooth

This is the Nordic Bluetooth controller’s firmware update service, and it’s configured to allow an update without a phone. Yes really: buttonless DFU mode. Are they nuts?

So we can upload our own firmware, or, maybe we could steal the current firmware.

Popping the cover (with a fingernail), we can see the MCU:

And next two it are some test pads, labelled SWDIO and SWDCLK

That’ll be serial wire debug then. Time for some careful soldering.

We’ll update once we’ve pulled the firmware and had a look at the API.

Hacking your horse

So, anyone can push a firmware update to your horse tracker, unauthenticated.

What would they do?

Report your horse as being still and motionless? Panic sets in as you think Dobbin has died!

Or maybe report that horse as being super active and fit. You enter the horse for a race, thinking it’s the latest version of Seabiscuit?

Or maybe even load malware to it? Lots of possibilities. Advice? DFU mode should require authentication or at least a button push. Is this a major security issue? No, but it does underline the poor state of consumer IoT security.