Hacking A “Smart” Electric Toothbrush To Reset Its Usage Counter

The visible circuitry inside the brush head.
The visible circuitry inside the brush head.

Following the trend of stuffing more electronics in everyday devices, the new Philips Sonicare electric toothbrush that [Cyrill Künzi] purchased ended up having a ‘brush head replacement reminder’ feature that wasn’t simply a timer in the handle or base of the unit, but ended up involving an NFC chip embedded in every single brush head containing the usage timer for that particular head. Naturally, this asked for it to be solidly reverse-engineered and hacked.

The NFC chip inside the brush head turned out to be an NXP NTAG213, with the head happily communicating with the NFC reader in a smartphone and the NFC Tools app. This also revealed the memory layout and a few sections that had write access protected by a password, one of which was likely to be the counter. This turned out to be address 0x24, with a few experiments showing the 32-bit value at this address counting the seconds the brush head had been used.

Decoding the NFC data stream from a toothbrush using NFC-laboratory. (Credit: Cyrill Künzi)
Decoding the NFC data stream from a toothbrush using NFC-laboratory. (Credit: Cyrill Künzi)

Naturally, with this memory address password protected, the next step was to sniff the password using an SDR sniffer setup. After passing the resulting raw data with a gnuradio script through a lowpass filter, the resulting WAV file was decoded with the NFC-laboratory tool, allowing the traffic to be analyzed for clues. What this revealed was that the password is being passed as plaintext in the NFC data stream, making it a snap to use it to reset the counter to zero or any other desired value.

During this process, [Cyrill] came across a few gotchas, including that you only get three attempts to guess the password before the NFC chip permanently refuses new authentication attempts, and the password is unique with each brush head as it’s generated from the NFC chip’s 7-byte UID, per the NXP datasheet. Fortunately, it appears that this system is only being used as a complex reminder system, and you can still use an ‘expired’ head, but it does turn spent brush heads into e-waste, which is less ideal.

46 thoughts on “Hacking A “Smart” Electric Toothbrush To Reset Its Usage Counter

  1. It’s nice to go through with all of that I guess……but I was expecting to read that the point of hacking it was because the device would stop working.

    It is nice to see that, at least one, mfg hadn’t completely lost their mind and restored to screwing over the consumer.

    1. Unfortunately, I think, the reason for not disabling the functionality is not a sign of good faith or not wanting to screw the consumer.

      My guess would be, that this implementation is not considered stable enough to have a more “active” action as a “security feature”… I wouldn’t be surprised, if this changes…

          1. Uh… Your “insurance” company is billed $20-$50 for the “free” toothbrush you accepted.

            Ask to see the itemized bill sometime, Even if you believed everything was “free”.

      1. I’ve had a brush body’s NFC just flat out not work. Philips brushes are actually terrible quality and tend to die after a year or so, so I’m not surprised they don’t hard lock you out. Probably reduces the number of units they have to replace under warranty.

    2. As an engineer working on implementing an NFC usage tracker in a consumable health product I share your opinion. Some products, like tooth brushes, do degrade when use and become less effective and the user forgets to replace them, I always keep my tooth brush months too long out of laziness.
      I wouldn’t design a system that would hold our users hostage until they buy a new replacement, but once the tech is developed it becomes a marketing and business decision how to use it. I hope my product remains a reminder.

      1. The way to remind the user in a non hostile way would be for example, after the maximum usage number is reached, to insert a delay when the toothbrush is switched on that is proportional to the number of uses, so that the user is encouraged to put a new head without being prevented to use the old one.
        I’m pretty sure this wouldn’t be popular among manufacturers; it will end like printers and chipped cartridges, because the purpose is the same: maximize profits.

        1. I can see how customers would adapt to this. Turn your toothbrush on, start shaving, once the toothbrush powers up start using it. When finished brushing, continue shaving.

          I set a reminder every 3 months to replace the brush head, it does wear out. Also, don’t hold your electric toothbrush like a hammer, hold it more gently with your finger tips and pinky up.

        2. You call that non-hostile? Making me wait for MY toothbrush in the morning when I am already running late and stressed?
          You ill find that toothbrush in a thousand pieces in the yard.
          MY toothbrush does what I want when I want it. Because it is MY toothbrush. I say junp and the brush says how high.

    3. Although I’m not a fan of forced consumables having built in locks and timers (*glares at HP*), this particular product probably doesn’t need the DRM.

      Brushes tend to go bad and stop being as effective for brushing after around the same amount of usage (give or take), so a timer isn’t a bad way to do it. They’d store it on the brush head because it’s not uncommon for some to have two handles and multiple people swap on their head.

      My guess is that this is just a cheaper solution to produce and has the added benefit (to the producer) of doing some form of authenticity check. Many health consumables are counterfeited and this gives them the ability to combat that if they need to.

      I don’t necessarily mind it if it’s used to provide some value to the consumer and give a check on authenticity — it becomes anti-consumer when companies are requiring their authentic products (it should be a consumers choice), and disabling those off-brands that don’t match.

  2. it’s quite sad and amazing the amount of time and money hardware devs spend on controlling and spying on humanity to take more control away.
    almost as if there is money to be made off of robbing humanity of it’s freedom.

    1. I highly doubt hardware devs want to add these non-features, it’s management/higher ups at the companies they work at that “request” (read force) them to add these features to “bolster” the company’s bottom line.

  3. does the brush work with cheap 3rd party replacement heads or is the presence of an NFC chip mandatory for the brush to even start ?
    is the head more expensive due to the added “electronics” ?

    i like my cheap braun oral-b brush. i could use 3rd party heads without a problem.
    the wear level is indicated by simple the color change of the bristles. there are blue ones and the color fades with use.

      1. You also don’t get it automatically switching mode based on the type of head, FWIW.

        Honestly, this is a good feature. People use their toothbrushes long beyond them being worn out, and it means far less effective cleaning. Plus a sonicare bush and few years of full-price Phillips heads is vastly cheaper than a single intervention at the dentist. People are way too fast to assume evil motives.

        The counter is in the head because it’s the head which wears out, and many families share the same handle with a brush for each person, plus some people swap head types rather than using one consistently, or brush more/less frequently.

        Cheap 3rd party heads work fine (they’re just not as good), but we use them for the kids as they still chew them… middle child’s brush looks worse than the dog’s…

        1. People are fast to assume evil motives because 24 times ot of 10, it is.
          When it walks like a duck and quacks like a duck, you assume it’s a duck even when it’s a unicorn.

          That being said, I do appreciate this particular product’s use of counter. If it only serves to _help_ the user (In this case switching mode or giving a simple reminder), and not purely for profit (Locking the user till a fresh, over priced, non 3rd party head is installed).

          In today’s market, this almost warrents a Nobel prize nomination…

  4. The toothbrush turns on even when no head is attached, so it should work with 3rd party variants. The blue indicator bristles are also present, so I’m a bit surprised by this overengineered product and the effort from Philips to password protect the tags. I guess they can charge a premium for a product with “smart” in the name.

  5. It sounds like a pretty clever system to achieve their goals of making people buy new heads actually. The reverse engineering of it was impressive though – Cyrill has some good engineering know-how!

  6. Obviously i don’t like this (the manufacturers decision, not the RE work!). For one it produces way to complex systems if even a toothbrush needs some silicon (really little, i know, but still, how about recycling? used brushes are not going into e-waste but “standard” garbage). Complex means prone to failure (and security problems but yeah, it’s a toothbrush) and as i said too much e-waste. Second, people shouldn’t be forced to replace something because manufacturer wants to make more $$$. Yes, in some cases it is certainly needed for safety and so on, but for a toothbrush…?? All this has to stop. We don’t have unlimited ressources. Use an electric toothbrush ok, i don’t mind, but these things should be simple and made to last (for the electronic and mecanical part), as manufacturers did a long time ago. There is really no need for “smart”-nonsense, BT and stuff. Come on, it is a freaking toothbrush!

    1. I agree completely.

      Becoming disabled robbed me of the arm/hand strength, dexterity, & stamina to use a non electric toothbrush, but when I went searching for one all I found were these “smart” electric toothbrushes.

      They all had “timers for each quarter of the mouth”!

      I’m not a freaking robot (yet), & was really frustrated when trying to find just a simple electric toothbrush.

      They do exist (Colgate makes them – $5 on Amazon), & the battery lasts longer than the bristles, so at least for now there’s an alternative to those awful “smart (for greedy companies)” electric toothbrushes.

      I just hope the “smart for consumers”, simple, battery powered electric toothbrushes keep being made!

  7. How could the expired brush heads be repurposed. It is an NFC chip with some type of counter hardware or sensor. Seems like that would be a decent hack.

    The brush doesn’t stop you from using when it exceeds the optimum brush cycles. It seems like an unnecessary and wasteful solution more than a problem. How can someone re-use the electronics to make it less wasteful?

      1. That’s pretty sweet, I’ve been hoarding these tags ever since I have a sonicare and found out that I could just read them with any NFC reader. Thanks for the link.

    1. You should replace your toothbrush regularly, so assuming you’re doing so, it’s not generating any extra waste. Unfortunately they aren’t recyclable (though there are 3rd party alternatives which work with the brush, and claim to be biodegradable).

      How to reuse them? Mine go into the garage to clean up whatever needs it. Also trying to train the dog to use the electric toothbrush, with the intention to use old heads for the dog.

  8. Sidenote: if you have a Flipper Zero, it can capture the password authentication from the brush handle by emulating the tag in the brush head. The trick is trying to find a position where both sides can communicate.

    Through my experimentation the password is also based on some of the static data on the tag in addition to the UID. The brush handle also has somewhat tight timings around how long the authentication command can take to respond.

  9. I bought one of these mal-featured brushes at the dentist’s office to replace an old one with gross leaky seals. I wouldn’t have bought it if I’d known it had NFC as the very expensive heads are already designed to wear out too quickly and quite noticeably. NFC only adds unnecessary risks, for example a miscreant could use a mobile phone to set all the very expensive heads on the shelf at the store to be end-of-life in seconds. Also I activate the head under running water for a few seconds after brushing to clean it. This causes no additional wear but I suppose if I check, I’ll find those seconds are miscounted as brushing seconds.

  10. Wow! No wonder official toothbrush heads are so dad-gum expensive. A recent Consumers Report article consulted with several sources such as the ADA, and looked at research, and apparently electric toothbrushes don’t do a better job than manual ones. But for folks with limited dexterity they can be wonderful. One thing I like about the electric ones are the buzz-buzz every 30 seconds.

    1. Hey Mark, could you help me find this article? Im a dentist and this slightly contradicts my education and the consumer reports article I could find (linked below). I would summarize my current understanding as:

      For most people using toothpaste, a powered toothbrush is the most financially conservative investment to decrease the cost of keeping teeth over a lifetime. With strict attention to technique and brushing duration, a manual toothbrush can be equally effective.

  11. I have this toothbrush and it is indeed excellent, the best I’ve had. The brushes are axpensive and sometimes I get lazy using the last one in the package for one extra month. Sure I could use cheap third party ones that do not disturb me for the two seconds every session after I’ve overused the brush, but bottom line here is that these over priced brushes are doing better job than any electric or manual brushes I have ever tested when given the time limit of two minutes per session.
    Whether you use official or third party brushes change them regularly, it is a small price to pay for a healthy mouth.

  12. Hello Cyrill,

    what happens if you use a head with the counter not exhausted but with writing blocked for password attempts? Is there a strange blinking of the LED or is the error ignored?
    If the toothbrush is not designed to handle this exception, the hack could be to intentionally block the chip of a new head by sending 3 incorrect passwords with nfc tools, so that the counter remains 0 and is never incremented.

    1. I tested it for you, and it looks like the brush handle just ignores the tag contents if it can’t authenticate (which happens after you exceed the authentication attempts). While the handle extinguishes the other mode indicators, the mode selected is not the one programmed on the tag. Even if the usage counter is exhausted, the replacement light doesn’t blink if authentication fails.

  13. This may not be new for Philips. I have a decades old Norelco shaver that has a ‘replace blades’ light. No idea how it is triggered or how to reset.

    Why do some rechargeable tools have a battery soldered in place? Something that could be easily replaced. I have seen this in shavers and toothbrushes.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.