David Sopas – Web Security Researcher

10/10/18 Hardware

micro:bit password generator

So I got a new toy – the micro:bit. I initially bought three of these devices so I could sniff BLE traffic using btlejack. After playing with it, I decided to learn more about this hardware.

It’s pretty simple to use, especially if you go with Microsoft MakeCode, but it also supports MicroPython. I went with the latter and created something that is still in testing because of hardware limitations.

I decided to create a simple password generator. You have two buttons: Button A (left side) and Button B (right side).
Button A “randomly” generates a 4-digit PIN and displays it on the small LEDs. Button B generates a 12-character password consisting of numbers, some letters (some letters don’t display well on the LEDs) and a couple of symbols.

Why did I do this? Well, because you often need something to generate a PIN or password quickly. Some of my clients NEED this. Nothing is recorded, and if you don’t catch the PIN or password, click to generate another one.

Next step… battery. Add a CR2032 battery with an on/off button. Also, improve the code a bit and share it on GitHub.

Check the video here – https://www.youtube.com/watch?v=M3CO_OvSO4w

30/09/17 Papers, Tips and Tricks

My notes on Hacking BLE – list of resources

In the last few weeks I took a dive into the Bluetooth Low Energy (aka BLE) topic.
There are many articles on the web on “how to hack BLE” and the like, so this is just a compilation of the things I wrote in my notepad, which I decided to share with the community.

In a nutshell, what I did: bought some cheap BLE devices and played around.

I start by scanning the device, doing some recon on it and then checking what I can get from it: sniffing, reversing the mobile app, MiTM, etc.
First of all I always scan for devices and enumerate their services and characteristics. BLEAH could be a good choice for this.

I tried different techniques, but the one that gave me the best results was MiTM.
Sniffing, in my opinion, needs luck. Even if you have three Ubertooth devices covering all three advertising channels (Uberteeth 🙂), you still need lots of luck and a Faraday cage.

For MiTM I use GATTacker. My lab is a laptop with Kali installed and a Raspberry Pi running Raspbian. One is the central and the other is the peripheral. The rest is quite simple:

  1. Start the central
  2. Scan for devices
  3. Grab the device ID and scan the services and characteristics
  4. Send advertisements
  5. Turn on the Bluetooth on your phone and run the mobile app
  6. Modify the dump file
  7. Replay
  8. Game over

E.g. a smart lock showing the master key and my own key (in plaintext):

I’m still learning but I’m enjoying every step.

Some tips I learned along the way:

  • Start by reading the specification (core and GATT) and learn how it works
  • Sometimes you need to change your bdaddr (MAC address) to match the original device
  • Study the hardware and check what kind of approach is better (sniffing, MiTM, brute-forcing, etc.)
  • You learn a lot by reversing the mobile application
  • When reversing, don’t forget to search for specific keywords like password, CMD, secret and the like (sometimes you get some low-hanging fruit)
  • For alternative sniffing, use the Android Bluetooth HCI snoop log
  • Be persistent, don’t give up at the first sign of failure
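The ATT-level view these notes rely on (which characteristic handle carried which value) can be pulled straight out of the Android HCI snoop log mentioned above. This is an added example, not code from the post or from any of the tools it names: it parses the btsnoop container, unwraps H4 → ACL → L2CAP and lists the ATT reads/writes, so a plaintext key like the one in the smart-lock screenshot stands out. The two-record log is constructed inline; handle 0x0025 and the value “1234” are made up.

```python
import struct

# Added example (not from the original post): decode ATT reads/writes from an
# Android Bluetooth HCI snoop log (btsnoop container, H4 datalink). A secret
# written in the clear to a characteristic shows up as the Write Request value.
BTSNOOP_MAGIC = b"btsnoop\x00"
H4_ACL_DATA = 0x02
ATT_CID = 0x0004
ATT_OPCODES = {0x0A: "Read Request", 0x0B: "Read Response", 0x12: "Write Request",
               0x13: "Write Response", 0x52: "Write Command", 0x1B: "Notification"}
HANDLE_OPCODES = (0x0A, 0x12, 0x52, 0x1B)  # PDUs whose first two bytes are a handle


def parse_btsnoop(blob):
    """Yield ('sent'|'recv', h4_packet) for each record in a btsnoop file."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", blob[8:16])
    if datalink != 1002:  # 1002 = HCI UART (H4), the type Android writes
        raise ValueError("unsupported datalink %d" % datalink)
    off = 16
    while off + 24 <= len(blob):
        # Record header: original len, included len, flags, cumulative drops, timestamp (us)
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        yield ("recv" if flags & 1 else "sent"), blob[off:off + incl]  # flag bit 0: direction
        off += incl


def decode_att(pkt):
    """Return (opcode name, handle or None, value) if pkt carries an ATT PDU, else None."""
    if len(pkt) < 10 or pkt[0] != H4_ACL_DATA:
        return None
    l2cap_len, cid = struct.unpack("<HH", pkt[5:9])  # L2CAP header follows the 4-byte ACL header
    if cid != ATT_CID:
        return None
    pdu = pkt[9:9 + l2cap_len]
    name = ATT_OPCODES.get(pdu[0], "opcode 0x%02x" % pdu[0])
    if pdu[0] in HANDLE_OPCODES:
        return name, struct.unpack("<H", pdu[1:3])[0], pdu[3:]
    return name, None, pdu[1:]


def list_att(blob):
    """All ATT operations in a snoop log as (direction, opcode name, handle, value)."""
    return [(d,) + att for d, pkt in parse_btsnoop(blob) if (att := decode_att(pkt))]


def build_sample_log():
    """Constructed two-record log: phone writes '1234' to handle 0x0025, device acks."""
    def record(recv, att_pdu):
        l2cap = struct.pack("<HH", len(att_pdu), ATT_CID) + att_pdu
        acl = struct.pack("<HH", 0x0040 | (0x2 << 12), len(l2cap)) + l2cap  # conn 0x40, PB=start
        pkt = bytes([H4_ACL_DATA]) + acl
        return struct.pack(">IIIIq", len(pkt), len(pkt), 1 if recv else 0, 0, 0) + pkt
    return (BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
            + record(False, b"\x12" + struct.pack("<H", 0x0025) + b"1234")
            + record(True, b"\x13"))


if __name__ == "__main__":
    for direction, name, handle, value in list_att(build_sample_log()):
        print(direction, name, "" if handle is None else "0x%04x" % handle, value)
```

On a real capture, replace `build_sample_log()` with the bytes of the `btsnoop_hci.log` pulled from your own phone; packets that are not ACL data (commands, events) are skipped.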

Resources

Must read

Hardware

Tools

Talks

I hope this article helps newcomers to BLE hacking and also gives pros a list of interesting material.
Feel free to send me more resources; I’ll keep updating it.

Meanwhile, follow me on Twitter – @dsopas to get the latest updates on my work.
