Hacking LED Halloween masks is frighteningly easy
No costume idea? We've got you covered
Hacking makes the holidays so much more enjoyable, and nothing says trick or treat quite like pwning LED Halloween masks belonging to every neighborhood kid during candy-collection hours.
After purchasing a Bluetooth Low Energy (BLE) enabled mask with a programmable app for his family's "anything that glows" themed Halloween costumes, Bishop Fox senior security consultant Nathan Elendt discovered it was "shockingly easy" to load custom face images and control the mask with the app.
"I found the app automatically scanned for, found, and then controlled my brand new, out-of-the-box mask without so much as a single authentication check, giving me some insight into how these masks worked," he wrote in a Thursday blog. "It was fairly clear that there was no pairing or authentication checks happening, and so, in theory, any mask could be controlled via another BLE device, with or without the mask owner's permission."
The issue wasn't limited to one particular brand of LED mask, either. While these masks are all sold under various brand names at different online stores, one company designs and produces the bulk of these products, and they are all controlled by the Shining Mask app, according to Elendt.
Because they all use the same BLE protocol, Elendt surmised that if he could reverse-engineer that protocol, he could build his own controller — and then hack every similar Shining Mask within Bluetooth range.
"Luckily there's already been a fair bit of work done on reverse engineering the BLE protocol used by these masks," he wrote.
He also discovered that the Bluetooth communications between the app and masks are encrypted using AES-128 in ECB mode with a fixed key, and the key is publicly available on GitHub.
Using all of this info, plus code from other hackers and Bluetooth snoop logs, Elendt built his own mask controller. It's built on a $25 Adafruit BLE Feather board and publicly available code for controlling LED masks using a CircuitPython device.
He then wrote a CircuitPython script to search for local Shining Masks, connect via the controller, upload an image of a fox, and change the face to the new image before disconnecting.
The full code and instructions are available in Bishop Fox's GitHub repository.
What we really wanted to know: Does Elendt plan to use this device and create a neighborhood full of shining fox faces while trick-or-treating on Halloween night?
"I do not plan on running it as described, so I don't ruin some poor kid's Halloween costume since these masks are popular with kids," he told The Register. "However, I will be puppeteering my own mask in the same manner, which was my original idea and the catalyst for this finding and overall hack."
Meanwhile, your humble vulture has already shared the code with all of her friendly neighborhood teen hackers and can only hope that one of them tries it out while trick-or-treating. But instead of a fox, a vulture seems more in the spirit of spooky season. ®