Exploiting BLE Smart Bulb Security using BtleJuice: A Step-by-Step Guide


In this post, we are going to discuss how to exploit a Bluetooth Low Energy (BLE) smart bulb using BtleJuice by performing a Man-in-the-Middle (MiTM) attack. The techniques explored in this blog post apply equally to other BLE-based smart devices.

The things that we are going to cover include:

  • Installing BtleJuice
  • Analyzing all the Intercepted GATT operations running on target device
  • Performing a Man-in-the-middle attack using GATT operations
  • Exporting data to a file

In order to get started, we shall need the following items:

Hardware

  • A BLE Based IoT Smart Bulb
  • Two Bluetooth Adapters

Software

  • Node.js > 4.3.2
  • Virtual Machine (VMware/Virtual Box)
  • BtleJuice

Installing BtleJuice

BtleJuice is a framework to perform MiTM attacks on BLE devices. BtleJuice is composed of two components, an interception proxy and a core. These two components must run separately on two systems, each with a Bluetooth 4.0+ adapter attached. Rather than using two separate physical machines, we'll use one physical machine and a Virtual Machine (VM) running on the same host. One of the adapters will be attached to the host and the other to the VM. Install BtleJuice on both the host and the VM following the steps below.

Step 1: BtleJuice requires a fairly recent version of Node.js (>= 4.3.2) and npm. These can be installed using nvm (Node Version Manager) following this guide.

Step 2: Install the dependencies of BtleJuice using the package manager.

sudo apt-get install bluetooth bluez libbluetooth-dev libudev-dev

Step 3: Install BtleJuice.

npm install -g btlejuice

Setting up BtleJuice proxy (in VM)

Step 1: Attach the Bluetooth adapter to the VM and run service bluetooth start.

Step 2: Run hciconfig to ensure that the adapter is functioning as expected.

Step 3: Launch btlejuice-proxy in the VM.

Step 4: Find out the IP address of the VM so that the core on the host can connect to it, for example by running ifconfig in a terminal inside the VM.

Setting up BtleJuice core (on host)

Step 1: Open a terminal on the host and run hciconfig.

Step 2: Stop the bluetooth service by running sudo service bluetooth stop.

Step 3: Plug in the Bluetooth adapter on the host machine.

Step 4: Ensure that the Bluetooth adapter attached to the host is working by running hciconfig.

Step 5: Turn on the Bluetooth adapter by running sudo hciconfig hciX up, where X is the adapter number obtained in the previous step.

Step 6: Now we need to run the BtleJuice core and connect with the virtual machine.

sudo btlejuice -u <VM IP address> -w

where -u specifies the IP address of the VM on which btlejuice-proxy is running and -w starts the web interface.

Meanwhile, btlejuice-proxy running in the VM displays a "client connected" message.

Step 7: Once the BtleJuice core running on the host is successfully connected to btlejuice-proxy, open a web browser and navigate to http://localhost:8080/

Step 8: Click on the "Select Target" button, represented by the Bluetooth icon. A dialog box will appear listing all the Bluetooth devices detected by the core.

Step 9: Double-click on the desired target device and wait for the interface to be ready (the appearance of the Bluetooth button will change).

Step 10: Connect the associated mobile application with the dummy device just created.

Step 11: If the connection succeeds, a connected event is displayed on the main interface.

Performing Man-in-the-middle attack by replaying GATT operations

BtleJuice acts as a proxy between the mobile application and the BLE smart bulb. Any command sent to the bulb is captured by BtleJuice and then relayed to the bulb. Let's interact with the bulb using the mobile application and try to work out how the commands are structured.

Step 1: Change the bulb color to blue using the Android app. The RGB value of blue is 2, 0, 255.

BtleJuice captures the corresponding packets.

Now change the bulb color to red with RGB value 255, 8, 0.

BtleJuice captures the packets corresponding to the command for changing the color to red.

Inspecting the packets, we can notice a pattern: the RGB value of the color as displayed in the app matches the second, third, and fourth bytes of the captured data. Thus, if this packet is replayed after changing any of these bytes, we should get a different color.

Step 2: From the list of captured packets, right click on a color change command and click replay.

Step 3: Change the color bytes in the data value from 8c 86 ff to any other value, say 8c 45 ff, which is a color with a purple tinge.

Step 4: Click on the Write button. We'll notice that the bulb color changes to purple.
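The byte-pattern analysis above can be automated: correlate the RGB value the app shows with the data captured for each write and find the byte offsets that carry each channel. This is an added example, not code from the original post or from BtleJuice, and the payload layout in the constructed captures is made up for illustration rather than taken from any real bulb.

```python
"""Infer which bytes of intercepted GATT writes carry the colour by
correlating the app's RGB value with the captured data (added example;
the payload layout is constructed, not a real bulb's protocol)."""
from typing import List, Optional, Sequence, Tuple

RGB = Tuple[int, int, int]

# Constructed captures: (colour chosen in the app, data shown by the proxy).
CAPTURES: List[Tuple[RGB, str]] = [
    ((2, 0, 255), "a1 02 00 ff 00 10"),   # blue, the RGB value from the post
    ((255, 8, 0), "a1 ff 08 00 00 10"),   # red, the RGB value from the post
    ((0, 128, 0), "a1 00 80 00 00 10"),   # green, a third constructed sample
]

def parse_hex(data: str) -> bytes:
    """Turn the space-separated hex shown in the BtleJuice UI into bytes."""
    return bytes.fromhex(data.replace(" ", ""))

def find_rgb_offsets(captures: Sequence[Tuple[RGB, str]]) -> Optional[RGB]:
    """Return the byte offsets (r, g, b) equal to the app's R, G and B in every
    capture, or None when the captures do not single out one offset per channel
    (e.g. several constant zero bytes that happen to match a zero channel)."""
    payloads = [parse_hex(h) for _, h in captures]
    length = len(payloads[0])
    if any(len(p) != length for p in payloads):
        raise ValueError("captures differ in length; group them by command first")
    offsets: List[int] = []
    for channel in range(3):
        candidates = [i for i in range(length) if i not in offsets and
                      all(p[i] == rgb[channel]
                          for (rgb, _), p in zip(captures, payloads))]
        if len(candidates) != 1:      # ambiguous or absent: collect more varied captures
            return None
        offsets.append(candidates[0])
    return (offsets[0], offsets[1], offsets[2])

def decode_rgb(payload: bytes, offsets: RGB) -> RGB:
    """Read the colour out of a captured write using the inferred offsets."""
    r, g, b = offsets
    return (payload[r], payload[g], payload[b])

def changed_bytes(before: str, after: str) -> List[Tuple[int, int, int]]:
    """List (offset, old, new) for every byte that differs between two captures,
    which is what the post does by eye when comparing the blue and red writes."""
    a, b = parse_hex(before), parse_hex(after)
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Running find_rgb_offsets over the constructed captures yields offsets (1, 2, 3), i.e. the second, third and fourth bytes, and decode_rgb then reads any later capture back as a colour.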

Exporting the captured data

BtleJuice can export the captured data to a file so that it can be used later or analyzed in other tools. To start exporting, click on the export button and download a JSON (or text) version of the intercepted data.

So far we've demonstrated the use of BtleJuice as a standalone tool. BtleJuice also offers Node.js and Python bindings, which we can use in our own tooling for BLE attacks. For more information on these bindings, visit here.



Vaibhav Bedi

Interested in Reverse Engineering ,penetration Testing