Hacking an Actual WiFi Toothbrush With An ESP32-C3
In a peculiar turn of events, Aaron Christophel stumbled upon a potentially exploitable electric toothbrush, reminiscent of the fictional DDoS botnet composed of similar devices. The device in question is the Evowera Planck Mini, a smaller variant aimed at children, equipped with a 0.96″ color LCD and features like a pressure sensor and motion sensors to gamify the toothbrushing experience. While its primary function is dental hygiene, it also boasts WiFi connectivity, ostensibly for firmware updates and parental monitoring via a smartphone app.
However, Aaron discovered that the security measures of the Planck Mini leave much to be desired, as detailed in a Twitter thread. The exploit is disarmingly simple: the toothbrush attempts to connect to a default WiFi network (SSID: evowera, password: 12345678), then proceeds to fetch and install firmware updates without authentication. This vulnerability exposes potential risks regarding data security and unauthorized access to personal information.
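The core problem above is an update path that installs whatever image it fetches. The following is an added example, not code from the article, from Aaron Christophel, or from Evowera: it contrasts that unverified install with a minimal verified one, where the device accepts an image only if the update manifest carries a valid vendor signature, the image digest matches the manifest, and the version does not roll back. HMAC-SHA256 stands in for the asymmetric signature (Ed25519 or RSA against a public key held in immutable storage) a real device would use, so the example runs on the Python standard library alone; the key, images and manifests are constructed for illustration.

```python
"""Firmware-update acceptance check (added example, constructed data).

install_unverified() mirrors the behaviour the article describes: any image
that arrives is installed. install_verified() shows the three checks a
defender wants before flashing: manifest signature, image digest, rollback.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed stand-in for the vendor key the device trusts. A real design
# uses a public key in immutable storage; it is symmetric here only so the
# example is self-contained.
VENDOR_KEY = b"constructed-vendor-key-not-real"

INSTALLED_VERSION = 3  # constructed: firmware version currently running


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Vendor side: sign the canonical JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_update(image: bytes, version: int, key: bytes) -> Tuple[dict, bytes]:
    """Vendor side: produce (manifest, signature) for a firmware image."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def install_unverified(image: bytes) -> bool:
    """The weak path: no authentication, no integrity check, no rollback guard."""
    return True


def install_verified(image: bytes, manifest: dict, signature: bytes,
                     key: bytes = VENDOR_KEY,
                     installed: int = INSTALLED_VERSION) -> str:
    """Device side: return 'installed' or the reason the image was rejected."""
    expected = sign_manifest(manifest, key)
    # Constant-time comparison so the check does not leak the expected MAC.
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad manifest signature"
    if manifest.get("version", 0) <= installed:
        return "rejected: version rollback"
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return "rejected: image digest mismatch"
    return "installed"


def demo() -> dict:
    """Run the checks over constructed genuine, tampered and stale updates."""
    genuine = b"\x7fFIRMWARE-v4-constructed"
    tampered = b"\x7fFIRMWARE-v4-modified-constructed"
    manifest, sig = build_update(genuine, 4, VENDOR_KEY)
    old_manifest, old_sig = build_update(b"old-image", 2, VENDOR_KEY)
    # A manifest rewritten without the vendor key cannot carry a valid signature.
    forged_manifest = {"version": 9, "sha256": hashlib.sha256(tampered).hexdigest()}
    return {
        "unverified_accepts_tampered": install_unverified(tampered),
        "genuine": install_verified(genuine, manifest, sig),
        "tampered_same_manifest": install_verified(tampered, manifest, sig),
        "forged_manifest": install_verified(tampered, forged_manifest, sig),
        "rollback": install_verified(b"old-image", old_manifest, old_sig),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of the checks matters: the signature is verified before any field of the manifest is trusted, so the version and digest values are only consulted once they are known to come from the vendor.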

Moreover, Aaron delved into the device’s hardware, identifying the pin-out on the PCB, which could pave the way for further exploitation and hacking endeavors. The ease with which this toothbrush’s security can be compromised underscores broader concerns regarding the security of IoT devices, especially those marketed for children, where robust security measures are imperative to protect user privacy and safety.
The incident highlights the importance of rigorous security assessments and continuous monitoring in the design and deployment of IoT devices, emphasizing the need for manufacturers to prioritize security measures to safeguard users’ sensitive data and mitigate the risks of exploitation and unauthorized access.
Links you might need:
Read more: Hacking an Actual WiFi Toothbrush With An ESP32-C3