Exploiting IoT enabled BLE smart bulb security

With the growing popularity of IoT and smart devices, the first thing that comes to mind when talking about IoT is smart homes. This includes a whole bunch of devices including smart refrigerators, smart bulbs, power adapters, kettles, toasters, egg trays and what not.  

In this post, we are going to discuss about how to take over a BLE based IoT smart bulb, interact with it, change colors, and in the process also look into security internals of BLE.

Some of the things we are going to cover in this post:

  • Getting started with Ubertooth sniffing of BLE
  • Active sniffing of traffic
  • Modifying BLE handlers and characteristic values
  • Taking control over devices

In case you are interested in a real-world version of the training class for your organization covering topics such as BLE sniffing, exploitation, Zigbee and more, feel free to contact us at secure@attify.com or have a look at Offensive IoT Exploitation.

In order to get started, we will need the below items:

Hardware

Software

  • hcitool
  • ubertooth-utils
  • Gatttool

Connect the bulb to the power connection. Make sure it’s working by turning it on and off using your smartphone. The first step now is to find the bluetooth address of the target device.

Step1: We will use hcitool to find all the available BLE device present near the host.

hcitool lescan

In the above image, we will find the bluetooth address of the multiple devices around us. Upon inspection, it looks like 88:C2:55:CA:E9:4A is our Bulb and the Bluetooth name of the device is cnligh.

Step 2: Now once we know the BD_ADDR (bluetooth address) of the target device, we can use gatttool to view the services running inside the target device. Use gatttool -I to switch to an interactive mode and connect to the target device using the particular BD_ADDR.

gatttool -I connect 88:C2:55:CA:E9:4A primary

In the above image, there are three primary service running among the three UUIDs. `00001800` and `00001801` is Bluetooth SIG defined service and the UUID `0000f371` is not one of the service defined by Bluetooth SIG.

Step 3: Now we can use char-desc to list all the handle in a particular UUID (0000f371). It’s better to specify the attr and end group handles, which in this case is 0x00100xffff

char-desc 0x0010 0xffff

If we look at the above image, we can see the complete list of handles, for the particular UUID 0xffff.

If we look it up, we will see that the service 0xfff1 to 0xfff9 is defined by the manufactures, other are services adopted by Bluetooth Special Interest group such as primary service, characteristic, characteristic user description. To know the Service and their paticular UUID value, refer https://www.bluetooth.com/specifications/gatt/services .

Step 4: There are many handles and we are not sure to which handle we can write the data, so let’s try reading the handle with their handle value

char-read-hnd 0x0012

When we try to read the handle we get an error message as shown in the above image. It’s a little complicated here because we don’t know that, to which handle we can should read/write data and we don’t even know the packet format. 

So to know the packet format and the handle, it’s better to sniff the BLE packets. Ubertooth is an effective tool which can be used to perform an active sniffing of BLE traffic. In case you would like to get all the items used in this tutorial along with additional labs, consider purchasing our BLE Exploitation Learning Kit

Step 5: ubertooth-btle is used to sniff the BLE packets. We can simply use ubertooth-btle -f in this case to follow connections for our target device. In case you have multiple device, you can use ubertooth-btle -f -t <BD_ADDR> , with the Bluetooth address of the target device. In our case the BD_ADDR is 88:C2:55:CA:E9:4A

ubertooth-btle -f -t88:C2:55:CA:E9:4A

Step 6:  To capture packets, use the following command

ubertooth-btle -f -t88:C2:55:CA:E9:4A -c smartbulb_dump.pcap

-c is used here to capture the packets in a pcap specified by the file name. In case you would like to perform an active traffic interception of the BLE device, you can also create a pipe by doing a mkfifo /tmp/pipe and then using it in Wireshark as the capture interface.

Now open your mobile app for the bulb and connect it. Once connected, perform an action such as changing the color of the bulb and ubertooth will capture all the packets.

Advertising packets identification with Ubertooth

Advertising packets identification with Ubertooth

The above image is advertising packet from the bulb and few points to be noted is

  • The Access address (AA) is 0x8e89bed6, This is used to manage the link layer.
  • It is on channel 37 which is one of the dedicated advertising channels
  • Packet PDU is ADV_IND, meaning it is connectable, uni-directional and scannable.
  • AdvA is 88:c2:55:ca:e9:4a which is nothing but the BD_ADDR of the advertising device
  • Type 01 flag indicates that the AdvA address is random

If we look into the above image, we will notice that it has both the values – scan response (SCAN_RSP) from the target device and scan request( SCAN_REQ)  from the app

SCAN_REQ

  • ScanA is a 6 byte scanner address and TxAdd indicate  whether it is random or public address
  • AdvA is a 6 byte advertiser address, RxAdd in PDU indicate the whether the address is public or random

SCAN_RES

  • AdvA is a 6 byte advertise address, TxAdd indicate the type of address whether it is random or public
  • ScanRspData is a optional advertising data from the advertiser

Connec_REQ

The below image is sniffed data


Ubertooth sniffing for BLE traffic

Step 7: Let’s analyze the captured packets using wireshark, open wireshark and open the captured pcap file.

If you see here it will show all the captured packets.

Step 8: Now we need to find the ATT packets among these captured packets. The simplest way is to make use of the filter option in wireshark. Type btl2cap.cid==0x004

if we look into the above image there is only ATT packets and the info about the packet.

Step 9:  Here we have captured packets while changing the color of the bulb, so let’s look for the write request packets.

BLE write packets
BLE write packets

Now we get to know that the data is written to handle 0x0012, which belong to a certain UUID which we need to figure out.

Step 10:  If we analyze the particular write request packet we are able to find the access address,CRC value, opcode, handle and the UUID

Wireshark showing write packets for BLE
Wireshark showing write packets for BLE

In the above image we can see the

  • access address: 0xaf9a9515
  • master and slave address
  • CRC: 0x6dcb5
  • handle: 0x0012
  • UUID: 0xfff1
  • value : 03c90006000a03000101000024ff000000006

BLE packet details
BLE packet details

  • Header is 2 bytes in length which comes along with the PDU
  • Mode selection is hardcoded for controlling the color of the lamp
  • The 6 Byte 0024ff is the RGB value, these 6 bytes can be changed accordingly to get your desired color

Step 11: We can use gatttool to write the value to the particular handle or UUID,

char-write-req 0x0012 03c90006000a03000101000024ff00000000 // Bluish green 
char-write-req 0x0012 03c90006000a0300010100ff000000000000 // Red 
char-write-req 0x0012 03c90006000a030001010000ff0000000000 // Green 
char-write-req 0x0012 03c90006000a03000101000000ff00000000 // Blue

Step 12: It's even possible to Turn on and off the bulb, just change the on/off bit in the data

char-write-req 0x0012 03c90006000a030101010000000000000000 : Turns the bulb OFF
char-write-req 0x0012 03c90006000a0300010100ff000000000000 : Turns the bulb ON

It was found using a simple method that the RGB Values of 0 will turn the bulb off, thus the value 03c90006000a030101010000000000000000 and any value of RGB would turn the bulb on, such as a value of 03c90006000a0300010100ff0000000000000. This was also validated using the sniffed pcap.

That is all for this blog post. In the upcoming blog posts, we will look into additional BLE exploitation, Zigbee exploitation and lot more. Additional information below:



comments powered by Disqus

mounish

IoT Hacker and Ninja

Tags
Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch attify attify badge attify training binwalk blackberry pentesting blackhat ble BLE hacking and exploitation BLE sniffing box brut Exception chroot cloud based mobile application security scanner consulting CTF Damn Vulnerable iOS App devops dumping memory embedded hacking exploitation exploiting smart devices Firmware hacking frida hackfest hacking smart devices how to secure iot device IDA internet of things Internet of Things Security ios application security ios security iot iot device IoT Exploitation iot hacking iot pentest iot pentesting iot security iot security training iotsecurity jtag jtag debugging mobile app mobile application security mobile application security testing mobile security ninja recon technique offensive iot exploitation ola cabs owasp owasp appsec penetration testing pentesting pentesting mobile apps powerofcommunity PrinterSecurity qemu quizup radio communication protocol radio coomunication Reversing sdr secure coding guidelines security security issue security services security training security vulnerability smart devices social networking spi threat modeling training uart vulnerability writeups xposed hooking zigbee zigbee exploitation zigbee security zwave firmware reverse engineering firmware emulation firmware analysis toolkit firmadyne getting started with firmware hacking iot penetration testing iot attacks recent iot attacks cyber attacks iot hacks biggest iot attacks of all time hacked smart devices iot bots, malwares latest iot attacks BtleJuice bleah

Instagram