David Sopas – Web Security Researcher

bluetooth

29/12/17 Papers # , , , ,

BLE Driving 101

I’m writing this article on my path of becoming a better researcher on IoT devices.
My goal was to create a portable device that I could use to scan BLE (aka Bluetooth Low Energy) devices and improve future tasks – like pentesting IoT for clients.

Disclaimer: No harm or malicious activities have been done to any device. Don’t use this type of information to do illegal stuff.

I used bleah (props to evilsocket) to record all the BLE devices on a car drive. Keep in mind that BLE has a max. range of around 100 meters (on open space) but the cheap adapter that I used had a range of 20 to 50 meters.
So first things first right? Modify my dongle.

I had the HUGE help of kripthor and we started by disassembling the device and identify where the antenna was.

We removed the connection and, after a few tries, we connected the external antenna of a old IP cam. Because the PCB was too small and the wires could break when we connect the device, we used a solder wire plastic holder (as a case) to have it all together and connected everything with chinese glue gun 🙂

This was the final result.

On the left you have a original dongle and in the right the mean mother f*cker dongle!

What I noticed… Better range and signal. I did a couple of tests using my own wearable and than my friend Paulo enters the scene to hold his watch in a open space.

Original dongle
80 meter range didn’t detect it
60 meter range -117dBm (sometimes didn’t detect it)
30 meter range -84dbm
10 meter range -76dbm

Mean mother f*cker dongle
100 meter range -92 dBm
60 meter range -84dBm
30 meter range -76dbm
10 meter range -71dbm

Now that I have a better dongle 😀 I had it to my portable configuration:

1x CSR 4.0 bluetooth adapter
1x Raspberry Pi 2 model B with a acrylic case (running Raspbian)
1x Powerbank

Devices found

Vendors that allowed connections ✓:
53x Unknown vendors
10x Samsung Electronics Co.
4x Apple
2x Polar Electro Oy
2x Samsung Electro-mechanics(thailand)
1x Texas Instruments
1x Google
1x Huawei Technologies Co

Totalling 74 devices in a 2.4km car drive across the city. On the unknown vendors I saw a couple of chinese wearables, Tiles, Bike GPS, etc:

Next step is to check popular areas, eg: running or bikes race events. That would pick lots of BLE devices.

2 responses
30/09/17 Papers , Tips and Tricks # , , , , ,

My notes on Hacking BLE – list of resources

My notes on Hacking BLE – list of resources

In the last few weeks I went for a drive into the Bluetooth Low Energy (aka BLE) topic.
There are many articles on the web on “how to hack BLE” and stuff like that, so this is just a compilation of the things I wrote on my notepad and my decision of sharing it with the community.

In a nutshell, what I did… Bought some cheap BLE devices and played around.

I start by scanning the device. Do some recon on it and then check what I can get from it. Sniffing, RE the mobile app, MiTM, etc.
At first I always scan for devices and enumerate the services and characteristics. BLEAH could be a good choice.

I tried different techniques but the one that I got better results was MiTM.
Sniffing in my opinion you need luck. Even if you have three Ubertooth covering all three advertisement channels – Uberteeth 🙂 you still need lots of luck and a faraday cage

For MiTM I use GATTacker. My lab is powered by a laptop with Kali installed and a Raspberry, with Raspbian installed. One is the central and the other is the peripheral. The rest is quite simple:

  1. Start the central
  2. Scan for devices
  3. Grab the device ID and scan the services and characteristics
  4. Send advertisements
  5. Turn on the bluetooth on your phone and run the mobile app
  6. Modify the dump file
  7. Replay
  8. Gameover

Eg of a smart lock showing the master key and my own key (in plaintext):

I’m still learning but I’m enjoying every step.

Some tips I learned along the way:

  • Start by reading specification (core and GATT) and learn how it works
  • Sometimes you need to change your bdaddr (MAC addr) to match the original device
  • Study the hardware and check what kind of approach is better (sniffing, MiTM, brute-forcing, etc)
  • You learn a lot by RE the mobile application
  • By reversing don’t forget to search for specific keywords – liked password, CMD, secret and stuff like (sometimes you get some low hanging fruits)
  • For alternative sniffing, use Android Bluetooth HCI snoop log
  • Be persistent, don’t give up on first sign of fail

Resources

Must read

Hardware

Tools

Talks

I hope this article helps out newcomers in this BLE hacking and also help pros with a list of interesting material.
Feel free to send me more resources, I’ll keep updating.

Meanwhile follow me on Twitter – @dsopas to get the latest updates on my work.

no responses