
I often find myself in a situation of wanting to get data out of an IoT device without having to use a phone app.

Example 1: My blood pressure monitor (Omron 654) has a Bluetooth-based Android app that is low quality (no graphs, for example). I would like an AUTOMATED way of getting the data out (for graphing and storage and backup) rather than their convoluted scheme that involves manually emailing the data to myself.

Example 2: A Wi-Fi or Bluetooth weight scale that requires a phone app to get the data out. If it had a web server and an IP address, getting the data would be so much easier. Heck, a simple FTP server on the scale would be even better.

This must be a common problem. How does one get around such problems? Waiting for manufacturers to see the light and provide some easy interface (HTTP, FTP, whatnot) to get at the data is not realistic.

Question: Are there any good hacks and methods for bypassing the phone apps and getting to IoT data from a PC (Linux or otherwise)? Do such Wi-Fi/BT devices have any standard vulnerabilities that can be used to access device data? I'm open to all kinds of suggestions. Could not find anything via search.

PS: I set the tag remote-access, for lack of a better tag. Please tell me any better tags to set.


UPDATE: Following the suggestion from @jcaron below, I have acquired the following info from the Omron 654, via the Bluetooth scanner app called com.pzolee.bluetoothscanner

Start scan produces the following:

  • Name: HEMT-6320T-Z
  • Bluetooth address: CF:07:xx:xx:xx:xx
  • Services: Unknown
  • Signal strength (RSSI): -58dBm
  • Protocol: Low Energy (BLE)
  • Vendor (bt card): Unknown

"More" button produces the following:

  • Device Major class code: 7936
  • Device class code: 7936
  • Device group: UNKNOWN

Also the message: "No BLE GATT characteristics are available, or could not connect to the device (signal strength may be too weak)". NOTE: Given that RSSI=-58dBm, signal strength is not weak.

  • Try the nRF Connect app to see what it says.
    – jcaron
    Commented Jun 14 at 20:05

1 Answer


For BLE, the first thing to do is to scan for the device, connect to it, and list all the services and characteristics. You can use ready-made apps for that, or you can find many examples out there (especially for ESP32-based devices, for some reason).

Some devices will use standard services and characteristics (you’ll find the details in the kilometre-long Bluetooth specs on the Bluetooth website). Others will use their own scheme.

There may be complications with authentication schemes. This is especially likely for health- or security-related devices.

Note that some devices don’t allow connections, they just broadcast data in their advertisements, but that’s quite limited and used mostly by very simple devices.

If a first exploration does not yield results, you could always write some form of BLE proxy to intercept traffic. There’s probably existing software out there to do that.

For WiFi, the approach is similar: find open ports, check if they’re standard protocols, poke around. If the device doesn’t use TLS (https) then you can likewise intercept traffic.

In some cases the app doesn’t actually talk to the device directly: both connect to a server on the Internet (“in the cloud”) and communicate through that. Capturing the traffic will yield the exchanges.

Of course, before all that, the best option is to Google for the info: type the name of the device and “api” or “protocol” or “hack” or the like. Someone may have already done the legwork for you. In some cases it may even be the manufacturer providing the info!

  • Thanks for the good information, I will try some of those ideas. I'm open to additional ideas and specific examples for specific devices. By the way, I don't think the Omron 654 is BLE, it is maybe 10 years old and probably has some older form of BT that may have different protocols.
    – reikred
    Commented Jun 14 at 16:41
  • I did a scan of the Omron 654 using a Bluetooth app. It is BLE, but it does not show any services. I have added the output of the scan at the top level (original post).
    – reikred
    Commented Jun 14 at 17:51
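A worked example of the "scan, connect, list all the services and characteristics" step from the answer, added here as an illustration (it is not jcaron's code, nor anything from Omron). It assumes the `bleak` Python library (`pip install bleak`) and a working BLE adapter for the live part. The decoder at the top runs offline on a constructed payload and follows the Bluetooth SIG's standard Blood Pressure service (0x1810) and Blood Pressure Measurement characteristic (0x2A35) layout, which is the "standard services and characteristics" case the answer describes; whether this particular monitor exposes that service is an assumption, not something the scan output above confirms. Two caveats a practitioner will hit: the measurement characteristic is indicate-only, so you subscribe to it rather than read it, and health devices often refuse the connection or the subscription until the host is bonded, which is one common reason a scanner app reports "no GATT characteristics available" at a perfectly good RSSI.

```python
"""Enumerate a BLE device's GATT table and decode Blood Pressure Measurement values.

Added example, not code from the question, the answer or Omron. The decoder is
pure Python; the live functions need `bleak` and a BLE adapter.
"""
import asyncio
import struct
from datetime import datetime

# Bluetooth SIG assigned 16-bit UUIDs, expanded to the 128-bit base UUID.
BLOOD_PRESSURE_SERVICE = "00001810-0000-1000-8000-00805f9b34fb"
BLOOD_PRESSURE_MEASUREMENT = "00002a35-0000-1000-8000-00805f9b34fb"

# Constructed sample indication (not captured from a real device):
# flags 0x0e = mmHg, timestamp + pulse + user id present;
# 120/80 mmHg, MAP 93, 2024-06-14 20:05:00, pulse 72, user 1.
SAMPLE_MEASUREMENT = bytes.fromhex("0e 7800 5000 5d00 e807 06 0e 14 05 00 4800 01")


def sfloat(raw: int) -> float:
    """Decode an IEEE 11073-20601 16-bit SFLOAT (4-bit exponent, 12-bit mantissa)."""
    mantissa = raw & 0x0FFF
    exponent = raw >> 12
    if exponent == 0 and mantissa in (0x07FF, 0x0800, 0x07FE, 0x0802):
        return float("nan")  # NaN, NRes, +INF, -INF: no numeric value
    if mantissa >= 0x0800:
        mantissa -= 0x1000
    if exponent >= 0x8:
        exponent -= 0x10
    if exponent >= 0:
        return float(mantissa * 10 ** exponent)
    return mantissa / 10 ** (-exponent)  # divide so 1200 * 10^-1 is exactly 120.0


def _unpack(fmt: str, data: bytes, offset: int):
    """struct.unpack_from with an explicit bounds check (ValueError, not struct.error)."""
    size = struct.calcsize(fmt)
    if offset + size > len(data):
        raise ValueError(f"payload truncated: need {offset + size} bytes, have {len(data)}")
    return struct.unpack_from(fmt, data, offset), offset + size


def decode_blood_pressure_measurement(data: bytes) -> dict:
    """Parse a Blood Pressure Measurement value (characteristic 0x2A35).

    Layout: flags(1) | systolic, diastolic, MAP as SFLOAT (6) | optional timestamp (7)
    | optional pulse SFLOAT (2) | optional user id (1) | optional status (2).
    The flag bits say which optional fields follow. Length mismatches raise
    ValueError rather than silently shifting fields.
    """
    if len(data) < 7:
        raise ValueError(f"payload too short: {len(data)} bytes")
    flags = data[0]
    (sys_raw, dia_raw, map_raw), offset = _unpack("<HHH", data, 1)
    result = {
        "unit": "kPa" if flags & 0x01 else "mmHg",
        "systolic": sfloat(sys_raw),
        "diastolic": sfloat(dia_raw),
        "mean_arterial": sfloat(map_raw),
    }
    if flags & 0x02:  # timestamp: year uint16, then month, day, hour, minute, second
        (year, month, day, hh, mm, ss), offset = _unpack("<HBBBBB", data, offset)
        result["timestamp"] = datetime(year, month, day, hh, mm, ss)
    if flags & 0x04:  # pulse rate
        (pulse,), offset = _unpack("<H", data, offset)
        result["pulse"] = sfloat(pulse)
    if flags & 0x08:  # user id
        (result["user_id"],), offset = _unpack("<B", data, offset)
    if flags & 0x10:  # measurement status bitfield
        (result["status"],), offset = _unpack("<H", data, offset)
    if offset != len(data):
        raise ValueError(f"flags 0x{flags:02x} imply {offset} bytes, got {len(data)}")
    return result


async def scan(seconds: float = 5.0) -> None:
    """List advertising BLE devices (address and name)."""
    from bleak import BleakScanner  # imported here so the decoder works without bleak
    for dev in await BleakScanner.discover(timeout=seconds):
        print(dev.address, dev.name)


async def dump_gatt(address: str, seconds: float = 30.0) -> None:
    """Connect, list every service/characteristic, read what is readable,
    and subscribe to the Blood Pressure Measurement indication if present.
    Bond first if the device requires it (on Linux: bluetoothctl pair <addr>)."""
    from bleak import BleakClient

    def on_measurement(_sender, data: bytearray) -> None:
        print("measurement:", decode_blood_pressure_measurement(bytes(data)))

    async with BleakClient(address) as client:
        for service in client.services:
            print(f"service {service.uuid}  {service.description}")
            for char in service.characteristics:
                print(f"  char {char.uuid}  props={','.join(char.properties)}  {char.description}")
                if "read" in char.properties:
                    try:
                        print(f"       value={bytes(await client.read_gatt_char(char)).hex()}")
                    except Exception as exc:  # typically insufficient authentication
                        print(f"       read failed: {exc}")
        if client.services.get_characteristic(BLOOD_PRESSURE_MEASUREMENT):
            await client.start_notify(BLOOD_PRESSURE_MEASUREMENT, on_measurement)
            await asyncio.sleep(seconds)  # take a reading on the cuff meanwhile
            await client.stop_notify(BLOOD_PRESSURE_MEASUREMENT)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        asyncio.run(dump_gatt(sys.argv[1]))  # e.g. the CF:07:... address from the scan
    else:
        asyncio.run(scan())
```

Run it without arguments to scan, then with the device's address to dump its GATT table. If the connection drops or every read fails with an authentication error, pair from the OS first and retry; if the table shows only vendor UUIDs instead of 0x1810/0x2A35, you are in the "their own scheme" case from the answer and the next step is capturing the app's traffic rather than decoding a known format.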
