Exploiting IoT enabled BLE smart bulb security

Written by | Internet of Things, Security

BLE sniffing with Ubertooth to exploit IoT devices

With the growing popularity of IoT and smart devices, the first thing that comes to mind when talking about IoT is smart homes. This includes a whole bunch of devices including smart refrigerators, smart bulbs, power adapters, kettles, toasters, egg trays and what not.  

In this post, we are going to discuss about how to take over a BLE based IoT smart bulb, interact with it, change colors, and in the process also look into security internals of BLE.

Some of the things we are going to cover in this post:

  • Getting started with Ubertooth sniffing of BLE
  • Active sniffing of traffic
  • Modifying BLE handlers and characteristic values
  • Taking control over devices

In case you are interested in a real-world version of the training class for your organization covering topics such as BLE sniffing, exploitation, Zigbee and more, feel free to contact us at  or have a look at Offensive IoT Exploitation.

In order to get started, we will need the below items:

Hardware

Software

  • hcitool
  • ubertooth-utils
  • Gatttool

Connect the bulb to the power connection. Make sure it’s working by turning it on and off using your smartphone. The first step now is to find the bluetooth address of the target device.

Step1: We will use hcitool to find all the available BLE device present near the host.

In the above image, we will find the bluetooth address of the multiple devices around us. Upon inspection, it looks like 88:C2:55:CA:E9:4A is our Bulb and the Bluetooth name of the device is cnligh.

Step 2: Now once we know the BD_ADDR (bluetooth address) of the target device, we can use gatttool to view the services running inside the target device. Use gatttool -I to switch to an interactive mode and connect to the target device using the particular BD_ADDR.

Using Gatttool to interact with BLE devices

Using Gatttool to interact with BLE devices

In the above image, there are three primary service running among the three UUIDs. 00001800 and 00001801 is Bluetooth SIG defined service and the UUID 0000f371 is not one of the service defined by Bluetooth SIG.

Step 3: Now we can use char-desc to list all the handle in a particular UUID (0000f371). it’s better to specify the attr and end group handles, which in this case is 0x0010 0xffff

If we look at the above image, we can see the complete list of handles, for the particular UUID 0xffff.

If we look it up, we will see that the service 0xfff1 to 0xfff9 is defined by the manufactures, other are services adopted by Bluetooth Special Interest group such as primary service, characteristic, characteristic user description. To know the Service and their paticular UUID value, refer  https://www.bluetooth.com/specifications/gatt/services .

Step 4: There are many handles and we are not sure to which handle we can write the data, so let’s try reading the handle with their handle value

when we try to read the handle we get an error message as shown in the above image. It’s a little complicated here because we don’t know that, to which handle we can should read/write data and we don’t even know the packet format. 

So to know the packet format and the handle, it’s better to sniff the BLE packets. Ubertooth is an effective tool which can be used to perform an active sniffing of BLE traffic.

Step 5: ubertooth-btle is used to sniff the BLE packets. We can simply use ubertooth-btle -f. In case you have multiple device, you can use ubertooth-btle -f -t <BD_ADDR> , with the Bluetooth address of the target device. In our case the BD_ADDR is 88:C2:55:CA:E9:4A

Step 6:  To capture packets, use the following command

-c is used to capture the packets in a pcap specified by the file name.

Now open your mobile app for the bulb and connect it. Once connected, perform an action such as changing the color of the bulb and ubertooth will capture all the packets.

Advertising packets identification with Ubertooth

Advertising packets identification with Ubertooth

The above image is advertising packet from the bulb and few points to be noted is

  • The Access address (AA) is 0x8e89bed6, this is used to manage link layer and it’s a random number.
  • It is on channel 37 which is one of the dedicated advertising channels
  • Packet PDU is ADV_IND, meaning it is connectable, unidirected and scannable.
  • AdvA id 88:c2:55:ca:e9:4a which is nothing but the BD_ADDR of the advertising device
  • Type 01 flag indicate the AdvA address is random

If we look into the above image, we will notice that it has both the values – scan response (SCAN_RSP) from the target device and scan request ( SCAN_REQ)  from the app

SCAN_REQ

  • ScanA is a 6 byte scanner address and TxAdd indicate  whether it is random or public address
  • AdvA is a 6 byte advertiser address, RxAdd in PDU indicate the whether the address is public or random

SCAN_RES

  • AdvA is a 6 byte advertise address, TxAdd indicate the type of address whether it is random or public
  • ScanRspData is a optional advertising data from the advertiser

Connec_REQ

The below image is sniffed data

Ubertooth sniffing for BLE traffic

Ubertooth sniffing for BLE traffic

Step 7: Let’s analyze the captured packets using wireshark, open wireshark and open the captured pcap file.

If you see here it will show all the captured packets.

Step 8: Now we need to find the ATT packets among these captured packets. The simplest way is to make use of the filter option in wireshark. Type btl2cap.cid==0x004

if we look into the above image there is only ATT packets and the info about the packet.

Step 9: Here we have captured packets while changing the color of the bulb, so let’s look for the write request packets.

BLE write packets

BLE write packets

Now we get to know that the data is written to handle 0x0012, which belong to a certain UUID which we need to figure out.

Step 10:  If we analyze the particular write request packet we are able to find the access address,CRC value, opcode, handle and the UUID

Wireshark showing write packets for BLE

Wireshark showing write packets for BLE

In the above image we can see the

  • access address:  0xaf9a9515
  • master and slave address
  • CRC: 0x6dcb5
  • handle:  0x0012
  • UUID: 0xfff1
  • value : 03c90006000a03000101000024ff000000006
BLE packet details

BLE packet details

  • Header is 2 bytes in length which comes along with the PDU
  • Mode selection is hardcoded for controlling the color of the lamp
  • The 6 Byte 0024ff is the RGB value, these 6 bytes can be changed accordingly to get your desired color

Step 11: We can use gatttool to write the value to the particular handle or UUID,

Step 12: Even it’s possible to Turn on and off the bulb, just change the on/off bit in the data

03c90006000a030101010000000000000000  will turn off your bulb and the RGB value should be made zero else the bulb won’t turn OFF

03c90006000a0300010100ff0000000000000 will turn ON your bulb and the RGB value is mandatory.

That is all for this blog post. In the upcoming blog posts, we will look into additional BLE exploitation, Zigbee exploitation and lot more. Additional information below:

  • Training requests:
  • Buy hardware to exploit IoT devices: https://attify-store.com

Last modified: January 17, 2017

8 Responses to :
Exploiting IoT enabled BLE smart bulb security

  1. Anonymous User says:

    Pretty! This was an extremely wonderful post. Thank you for providing these details.

  2. Makis says:

    Hello!
    Thanks a lot for your guide about exploiting BLE smart bulb security. I have one questions for now; how did you manage to understand which one are the RGB values?
    If the 6 byte value was for example set as 00 00 00 would be as easy to understand where its positioned?

    1. We understood it by changing the bulb color several times, and then notification which packet bytes changed. Also, completely turning the bulb white and off helped in confirming our hypothesis that those 6 bytes corresponds to RGB.

      1. Makis says:

        Thanks a lot for your reply 🙂

  3. Charan says:

    Does this happens with the latest bulbs? Or do I have to pick a specific version of the hue bulb?
    I want to buy the a bulb to replicate this.

    Thanks in Advance.

    1. Hello Charan,

      It has worked with a couple of Smart Bulbs we have tested. You can grab a bulb from a local store and test it out.
      We are not sure if it works on the latest version of Philips Hue.

      – Attify

      1. charan says:

        Thanks a lot for your reply.:-)

  4. Robert says:

    Thanks for taking the time to teach. Very nicely written!

Leave a Reply

Your email address will not be published. Required fields are marked *