Lego NXT Exploitation or Vulnerabilities?

Question

I originally posted this question on the Reverse Engineering site, but there were no answers. They told me to also post this question here. OK, my friends and I have Lego NXT sumo bot competitions for fun. Basically, you build a robot that waits five seconds and competes against a robot to stay on a board. We normally focus on the mechanical side to win against other robots (find them and push them off the board), but I had the idea to try a software attack. My idea was to:

1. Find some sort of Bluetooth vulnerability that I could exploit from another NXT (I write my programs in NXC).
2. Upload a malicious program that makes the robot drive backwards forever.
3. Somehow execute the program (and win)!

I have tried testing the NXT Bluetooth for vulnerabilities (I have knowledge of Windows/Linux exploitation and debugging) and I can't find anything. The main problem is that the NXT firmware handles Bluetooth connections, in other words you connect the devices with a pass code before running the program that requires Bluetooth. So, my questions are:

• Is this even slightly possible or is it just a waste of time?
• If there was a NXT Bluetooth vulnerability, could I even send it from another NXT that's not connected?
• Was this the right place to post this question?
• Would NXT debugging even be possible?

Update First, thanks for all of the ideas and answers. Secondly, several of the answers note about the legality of what I am trying to do. Yes, it is legal where I live. Third, I talked with main guy and judge of the competition and he said that he would love to see a software attack like this.

Where I'm at now I have Kali Linux and the mac address has been found. I also found a paper here on the control protocols. The main dilemma I am still facing is the fact that a Bluetooth passcode has to be entered on the device I intend to connect to. Any updates will be posted here!

Answer 1

Is this even slightly possible or a waste of time?

It might be possible but requires effort and probably a fair amount of research and hacking on your part. I'm not saying I know for sure if an exploit exists, either in the communications protocol or the BT firmware, but exploits are always possible. And it's not like LEGO is incentivized to look for obscure security issues in this stuff -- it just isn't that important.

Exploits come in different flavours, as do attacks. One place to start looking is the vendors that LEGO sourced for the various pieces of the NXT platform, and not just Bluetooth. We are looking for manufacturers that have released security notices for their hardware and drivers in the hopes that an exploit is still in the wild in an unpatched device used on NXT.

Another trick is to decide what sort of attack payloads are available. For example, even if you can't get debug access to the device, maybe you could keep the device so busy with bogus or specially crafted connection attempts that you gain some advantage. A denial-of-service attack is often just as effective as a direct hack.

You want to start looking at all the I/O that NXT uses, and then see how you can exploit it for direct access or some sort of leverage that gives you an advantage of some other sort.

And often exploits are leveraged in concert to get the access the hacker wants. So, you want to collect as much information as possible, and then start hacking your Kobayashi Maru solution.

---

Well, I recently ran across this answer, which shows that the LEGO Group sometimes patches security holes. The best part about knowing about patches is knowing some version has a security hole.

Answer 2

I think that most sumo bot competitions do not allow interchange of information between bricks. And you have to connect via Bluetooth with your opponent's bot, which requires your opponent's permission.