Exploiting BLE Smart Bulb Security using BtleJuice: A Step-by-Step Guide

. 5 min read

In this post, we are going to discuss how to exploit a Bluetooth Low Energy (BLE) smart bulb using BtleJuice by performing a Man-in-the-Middle (MiTM) attack. The techniques explored in this blog post equally applies to other BLE based smart devices.

The things that we are going to cover include:

  • Installing BtleJuice
  • Analyzing all the Intercepted GATT operations running on target device
  • Performing a Man-in-the-middle attack using GATT operations
  • Exporting data to a file

In order to get started, we shall need the following items:

Hardware

  • A BLE Based IoT Smart Bulb
  • Two Bluetooth Adapters

Software

  • Node.js > 4.3.2
  • Virtual Machine (VMware/Virtual Box)
  • BtleJuice

Installing BtleJuice

BtleJuice is a framework to perform MiTM attacks on BLE devices. BtleJuice is composed of two components - an interception proxy and a core. These two components are required to run separately on two systems each having a Bluetooth 4.0+ adapter attached. Rather than using two separate physical machines, we'll use one physical machine and another Virtual Machine(VM) running on the same host. One of the adapters will be attached to the host and the other to the VM. Install BtleJuice on both the host and the VM following the steps below.

Step 1: Btlejuice requires a fairly recent version of node(>=4.3.2) and npm. This can be installed using nvm (Node Version Manager) following this guide.

Step 2: Install the dependencies of BtleJuice using the package manager.

sudo apt-get install bluetooth bluez libbluetooth-dev libudev-dev

Step 3: Install Btlejuice.

npm install -g btlejuice

image19

Setting up BtleJuice proxy (in VM)

Step 1: Attach the bluetooth adapter to the VM and run service bluetooth start

image17

Step 2: Run hciconfig to ensure that the adapter is functioning as expected.

image18

Step 3: Launch btlejuice-proxy in the vm.

image7-1

Step 4: Find out the IP address of VM so that we can connect to it from the host. Alternatively run ifconfig in a terminal to know the IP.

image28

Picture6

Setting up BtleJuice core (on host)

Step 1: Open a terminal on the host and run hciconfig.

image13

Step 2: Stop the bluetooth service by running sudo service bluetooth stop.

image11-1

Step 3: Plug-in the bluetooth adapter on the host machine.

Picture9

Step 4: Ensure that the Bluetooth adapter attached to the host is working by running hciconfig.

image2-1

Step 5: Turn on the bluetooth adapter by running sudo hciconfig hciX up where X is bluetooth adapter number obtained in the previous step.

image8-1

Step 6: Now we need to run the BtleJuice core and connect with the virtual machine.

sudo btlejuice -u <VM IP address> -w

where u is the IP address of the VM where btlejuice-proxy is running and w means to start the web interface.

image21

Meanwhile btlejuice-proxy running in the VM, would display a client connected message.

image18-1

Step 7: Once BtleJuice core running on the host is successfully connected to bltjejuice-proxy, open a web browser and navigate to http://localhost:8080/

Untitled-1

Step 8: Click on the "Select Target" button represented by the Bluetooth icon. A dialog box will appear which will display all the available bluetooth devices detected by the core.

image4-1

Step 9: Double click on the desired target device and wait for the interface to be ready (the bluetooth button aspect will change).

Untitled77-1

Step 10: Connect the associated mobile application with the dummy device just created.

Picture17-2

Step 11: If the connection succeeds, a connected event would be displayed on the main interface.

image45

Performing Man-in-the-middle attack by replaying GATT operations

BtleJuice acts as a proxy between the mobile application and the BLE smart bulb. Any command sent to the bulb will be captured by BtleJuice and relayed to the Bulb. Let's interact with the bulb using the mobile application and try to decipher the way the commands are structured.

Step1: Change the bulb color to Blue using the android app. RGB value of Blue is 2, 0, 255.

image24

BtleJuice captures the corresponding packets.

Screenshot-from-2018-07-27-11-47-07

Now change the bulb color to red with RGB value 255, 8, 0.

image20

BtleJuice capture the packets corresponding to the command for changing the color to red.

Untitled9

Inspecting the packets, we can notice a pattern. The RGB value of the color as displayed on the app matches with the second, third, and fourth byte in the capture. Thus, if this packet is replayed after changing any of these bytes, we should be able to get a different color.

Step 2: From the list of captured packets, right click on a color change command and click replay.

Picture24

Step 3: Change the color bytes in the data value from 8c 86 ff to any other value say 8c 45 ff which is a color with a purple tinge.

image5-1

image6-1

Step 4: Click on the Write button. We'll notice that the bulb color changes to purple.

Picture27

Exporting the captured data

BtleJuice can export the captured data to a file so that it can be used later or analyzed in other tools. To start exporting, click on the export button and download a JSON (or text) version of the intercepted data.

Picture30

So far we've demonstrated the use of BtleJuice as a standalone tool. BtleJuice also offers NodeJS and Python bindings which we can use in our own tool for BLE attacks. For more information on these bindings visit here.



Vaibhav Bedi

Interested in Reverse Engineering ,penetration Testing

Get IoT Security Training

IoT Pentesting Exploitation Training

Tags

Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch attify attify badge attify training binwalk blackberry pentesting blackhat ble BLE hacking and exploitation BLE sniffing box brut Exception chroot cloud based mobile application security scanner consulting CTF Damn Vulnerable iOS App devops dumping memory embedded hacking exploitation exploiting smart devices Firmware hacking frida hackfest hacking smart devices how to secure iot device IDA internet of things Internet of Things Security ios application security ios security iot iot device IoT Exploitation iot hacking iot pentest iot pentesting iot security iot security training iotsecurity jtag jtag debugging mobile app mobile application security mobile application security testing mobile security ninja recon technique offensive iot exploitation ola cabs owasp owasp appsec penetration testing pentesting pentesting mobile apps powerofcommunity PrinterSecurity qemu quizup radio communication protocol radio coomunication Reversing sdr secure coding guidelines security security issue security services security training security vulnerability smart devices social networking spi threat modeling training uart vulnerability writeups xposed hooking zigbee zigbee exploitation zigbee security zwave firmware reverse engineering firmware emulation firmware analysis toolkit firmadyne getting started with firmware hacking iot penetration testing iot attacks recent iot attacks cyber attacks iot hacks biggest iot attacks of all time hacked smart devices iot bots, malwares latest iot attacks BtleJuice bleah retail iot challenges in iot retail security issues faced by e-retailers network security in retail DDoS attacks phishing attacks how retail can prevent cyber attacks security challenges in retail IoT Flare-on radio waves hacking arduino nano how to hack radio waves analog modulation digital modulation capture radio traffic bluetooth technology BLE vulnerabilities BLE attacks BLE dangers BLE security issues exploiting ble how to exploit ble tools to exploit ble privacy protection iot threats protect against iot threats dangers of iot smart user security how to protect iot devices monitor iot devices internet security safety measures to protect privacy healthcare iot iot threats to healthcare industry how can healthcare fight iot threats healthcare cyber security prevent cyber attacks on healthcare measures to prevent cyber attacks on healthcare organisations steps to prevent iot attacks on healthcare healthcare business protection against iot threats security in healthcare iot recent cyber attacks recent ARM attacks ARM course ARM Training ARM binaries Exploit ARM devices IoT hacks on ARM devices ARM gadgets learn ARM exploitation Mirai Botnet vulnerable ARM devices arm

Instagram