In the last few weeks I went for a drive into the Bluetooth Low Energy (aka BLE) topic.
There are many articles on the web on “how to hack BLE” and stuff like that, so this is just a compilation of the things I wrote on my notepad and my decision of sharing it with the community.
In a nutshell, what I did… Bought some cheap BLE devices and played around.
I start by scanning the device. Do some recon on it and then check what I can get from it. Sniffing, RE the mobile app, MiTM, etc.
At first I always scan for devices and enumerate the services and characteristics. BLEAH could be a good choice.
I tried different techniques but the one that I got better results was MiTM.
Sniffing in my opinion you need luck. Even if you have three Ubertooth covering all three advertisement channels – Uberteeth 🙂 you still need lots of luck and a faraday cage…
For MiTM I use GATTacker. My lab is powered by a laptop with Kali installed and a Raspberry, with Raspbian installed. One is the central and the other is the peripheral. The rest is quite simple:
- Start the central
- Scan for devices
- Grab the device ID and scan the services and characteristics
- Send advertisements
- Turn on the bluetooth on your phone and run the mobile app
- Modify the dump file
- Replay
- Gameover
Eg of a smart lock showing the master key and my own key (in plaintext):
I’m still learning but I’m enjoying every step.
Some tips I learned along the way:
- Start by reading specification (core and GATT) and learn how it works
- Sometimes you need to change your bdaddr (MAC addr) to match the original device
- Study the hardware and check what kind of approach is better (sniffing, MiTM, brute-forcing, etc)
- You learn a lot by RE the mobile application
- By reversing don’t forget to search for specific keywords – liked password, CMD, secret and stuff like (sometimes you get some low hanging fruits)
- For alternative sniffing, use Android Bluetooth HCI snoop log
- Be persistent, don’t give up on first sign of fail
Resources
Must read
- Exploiting IoT enabled BLE smart bulb security (perfect step-by-step hacking BLE)
- Introduction to Bluetooth Low Energy
- Security Analysis of Wearable Fitness Devices (Fitbit)
- Nike+ FuelBand SE BLE Protocol Reversed
- Blue picking – hacking Bluetooth Smart Locks
- GATTacking Bluetooth Smart Devices
- Locating and exploiting smart adult toys
- Hexiwear Bluetooth Low Energy Packet Sniffing with Wireshark
- Hack a BT Low Energy (BLE) butt plug
- How to pick a BLE smart lock and cause cancer using just a mobile phone
- BlueSteal: Popping GATT Safes
- How I Reverse Engineered and Exploited a Smart Massager
- BLE Driving 101
- My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE
- Exploiting Bluetooth Low Energy using Gattacker for IoT – Step-by-Step Guide
- Totally Pwning the Tapplock Smart Lock
- The Practical Guide to Hacking Bluetooth Low Energy NEW
Hardware
- Ubertooth One
- CSR 4.0 Bluetooth dongle (I have two which are cheap – 7€ – and work just fine)
- Ellisys Bluetooth Explorer 400
- ComProbe BPA® 600 Dual Mode Bluetooth
- Adafruit nRF51822 (cheaper than Ubertooth)
- Sena UD100 Long Range Bluetooth 4.0 Class1 USB Adapter
- micro:bit BBC (around 20€)
Tools
- nRF Connect (Android or iOS)
- Lightblue (Android or iOS)
- BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework
- GATTacker MiTM (my favourite)
- Wireshark (nothing like the shark to check the packets)
- crackle (crack and decrypt BLE encryption)
- BLEAH (great BLE scanner)
- Bluetooth Python extension module (I use it to write my own PoCs)
- bettercap (it has a BLE module)
- RaMBLE – Bluetooth LE Mapper (Android)
- btlejack (sniff, jam and hijack – BLE swiss army tool)
Talks
- DEF CON 24 Wireless Village – Jose Gutierrez and Ben Ramsey – How Do I BLE Hacking
- DEF CON 24 – Anthony Rose, Ben Ramsey – Picking Bluetooth Low Energy Locks a Quarter Mille Away
- Hack.lu 2016 BtleJuice: the Bluetooth Smart Man In The Middle Framework by Damiel Cauquil
- Bluetooth Smart: The Good, the Bad, the Ugly, and the Fix!
- Hack-a-ble (SHA2017)
- Gattacking Bluetooth Smart Devices – Introducing a New BLE Proxy Tool
- Battle of the Smarts: Hacking Smartphones with Bluetooth Smart
- DEF CON 26 – Damien virtualabs Cauquil – You had better secure your BLE devices NEW
- BSides Lisbon 2018: Exfiltrate All The Things! – David Sopas And Pedro Umbelino NEW
- DEF CON 26 IoT VILLAGE – Erez Yalon – Your Smart Scale is Leaking More than Your Weight NEW
I hope this article helps out newcomers in this BLE hacking and also help pros with a list of interesting material.
Feel free to send me more resources, I’ll keep updating.
Meanwhile follow me on Twitter – @dsopas to get the latest updates on my work.