The Practical Guide to Hacking Bluetooth Low Energy

Bluetooth, as we know, is one of the most popular and widely used wireless technologies in today’s world. With the rapid growth of IoT accelerating development in Bluetooth technology, constant efforts are being taken by the Bluetooth Special Interest Group (SIG) to increase the transfer speed with a maximum focus on beacons, healthcare entertainment, and fitness.

Bluetooth Low Energy (BLE) is a part of the Bluetooth 4.0 specification which additionally also includes Classic Bluetooth and Bluetooth High Speed Protocols. Compared to classic Bluetooth, BLE is intended to use lesser power while maintaining similar communication range. BLE is an "always off" technology and only transmits short amounts of data when required. This significantly reduces power consumption making it ideal to use in cases where a persistent long term connection is required with a low data rate. BLE is perfect for a TV remote but not for a wireless media streaming device which needs a large amount of data to transmit.

Bluetooth Low Energy is built into many of the gadgets that we use today. From smartphones, smart televisions, advanced technologies such as medical equipment to a basic devices such as our coffee machines, all use BLE.

Nokia originally developed BLE for an in-house project called ‘WIBREE,’ which was later on, taken over by the Bluetooth SIG. BLE was conceived with an emphasis on better pairing speed and energy efficiency. .

What makes BLE stand out?

  • Enables multi-platformed communication: Can easily communicate via a large number of devices that run on Android, iOS, Linux, Windows Phone, Windows 8, and OS X
  • Better pairing speed
  • Helps maintain a connection for longer periods of time
  • Significantly lower implementation costs
  • Energy efficient

BLE does sound good but, is it really all that good?

That’s a good question from a security standpoint. The fact is - BLE is just a protocol. It’s up to the manufacturers to implement BLE securely in their device. Even the strongest cryptographic protocol has been known to fail due to the random number generator not being "random enough." The same applies to BLE. Thus, it can be said that the security of BLE lies in the hands if its implementers.

While all Bluetooth Low Energy devices were developed with the principal motive of enhancing user experience, did security take a backseat during the process?

Let us have a look at the three main vulnerabilities that BLE may expose its users to:

  1. Eavesdropping: As the name suggests, eavesdropping refers to a third party device listening in on the data that’s being exchanged between two paired devices. A connection between two paired devices signifies a chain of trust. The chain gets broken when one of the device is removed. An attacker may use the device unit number for getting access to other Bluetooth connected devices. Even if the encryption/ decryption keys on the device were to be deleted, the attacker may brute force the PIN number offline using a Bluetooth Sniffer (using the ID of the device). Once the PIN is derived, the device can easily be hijacked.
  2. Man in the Middle Attacks (MITM): Man in the middle attacks involve a third party device impersonating a legitimate device, tricking two legitimate devices into believing that they’re connected to each other, when in reality, the legitimate devices are connected to the impersonator. This sort of an attack enables the attacker/impersonator to access all the data that is being exchanged between the devices and also, manipulate data by deleting it or changing it, before it reaches the respective device.
  3. Denial of Service & Fuzzing Attack: Since most wireless devices these days work on inbuilt battery packs, these devices run the risk of being exposed to Denial of Service Attacks (DoS). DoS attacks expose a system to the possibility of frequent crashes leading to a complete exhaustion of its battery. Fuzzing attacks too lead to systems crashing as an attacker may send malformed or non-standard data to a device’s Bluetooth radio and check its response, ultimately overwhelming it.

Core concepts in BLE

There are two basic concepts in BLE.

  • GAP - Generic Access Profile
  • GATT - Generic Attribute Protocol

Generic Access Profile (GAP)

This is responsible for the connections and advertising in BLE. GAP is responsible for the visibility of a device to the external world and also plays a major role in determining how the device interacts with other devices.
The following two concepts are integral to GAP:

Peripheral devices : These are small and low energy devices that can connect with complex, more powerful central devices. Heart rate monitor is an example of a peripheral device.

Central devices : These devices are mostly cell phones or gadgets that have an increased memory and processing power.

Advertising process

This illustrates how the advertisement and scan response payload work.

The peripheral device will send an advertising data once every 2 seconds. If the central device is ready to listen to the advertisement packets, it will respond with a scan response request.

In response to this request, the peripheral device will send a scan response data. Thus, the central and peripheral device gets advertised and connected with each other.

Generic Attribute Protocol (GATT)

Making use of a generic data protocol known as Attribute Protocol, GATT determines how two BLE devices exchange data with each other using concepts - service and characteristic. This protocol stores all the service and characteristic in a lookup table using a 16 bit IDs as specified by the Bluetooth SIG. It’s vital to note that GATT gets initiated only after the advertising process governed by GAP has been completed.

The two main concepts that form GATT are

  • Services
  • Characteristics

Services
Services are simply defined as a cabinet which can hold many drawers in it, which in turn are called as characteristics. A service can have many characteristics. Each service is unique in itself with a universally unique identifier (UUID) that could either be 16 bit in size for official adapted services or 128 bit for custom services.

Characteristics
Characteristics are the most fundamental concept within a GATT transaction. Characteristics contain a single data point and akin to services, each characteristic has a unique ID or UUID that distinguishes itself from the other characteristic. For example HRM sensor data from health bands etc.

Here are the SIG specifications for the characteristics and services for BLE devices. Any BLE device which has officially adopted UUID’s by SIG must use the ID specified by them in their applications.

For example the official TX power UUID as mandated by the SIG is 0x1804.

TX power UUID

A beacon which is scanned by the nRF Connect app (more on this later) must have the same TX power UUID as per the specifications of SIG.

TX power id scanned by nrf connect app

Tools for exploiting BLE

Linux offers the best support for BLE. In order to use BLE, we need to install the bluetooth stack (blueZ). It can be installed by running

sudo apt-get install bluez

We will use a PC/Laptop running Ubuntu with bluez installed. This device will work as the central gateway for communicating with other peripheral devices. BlueZ’s goal is to program and implement Bluetooth wireless standards specifications. After installing this, we need two tools to scan, connect, and read/write data.

  1. hcitool
  2. gatttool

Before starting, we need to scan for BLE devices in our vicinity. If there's one we need to find out how to connect to it, read/write the data and hopefully discover a vulnerability in it which can later be used for exploitation. For these purposes, the hcitool is indispensible.

hcitool

It makes use of the host controller interface in a laptop to communicate and read/write changes to BLE devices. hcitool is therefore, useful in finding out the available victim BLE device that advertises, and then in changing the values after connection.

The values/data can only be changed if one knows the service and characteristic the data is coming from. In order to find out the relevant services and characteristics, one may use a gatttool.

gatttool

As mentioned in the previous paragraph, gatttool is mainly helpful in finding out the services and characteristics of an available BLE device so that the victim’s data can be read/written according to the attacker.

Command cheatsheet

General purpose commands

Command Function
hciconfig Used to configure Bluetooth devices.  We can run this command to list the BLE dongles connected to our computer  along with basic information about them.
hciconfig hciX up Turns on the Bluetooth device named hciX

More commands: https://helpmanual.io/man1/hciconfig/

Hcitool commands

hcitool is used to configure Bluetooth connections and send some special command to Bluetooth devices.

Command Function
hcitool -i hciX Use the interface hciX for the command. If not specified, defaults to the first available interface
hcitool scan Scans for classic Bluetooth devices which are in discoverable mode
hcitool lescan Scans for BLE devices

More commands: https://helpmanual.io/man1/hcitool/

Gattool commands

GATT stands for Generic Attribute and defines a data structure for organizing characteristics and attributes. We can discover, read, and write characteristics using gatttool.

Command Function
gatttool -I Launch gatttool in interactive mode
gatttool -t random -b [adr] -I Launch gattool in interactive mode using a random LE address. Connect to the remote Bluetooth device having address adr.
primary Check for available services of the connected BLE device
characteristic Check for available characteristics of the connected BLE device from where we can read data
char-desc Characteristics Descriptor Discovery. Check for n no of handles
char-read-hnd Read characteristic by their handle
char-write-req Write values to the handle

More commands: https://helpmanual.io/man1/gatttool/

Example usage

hciconfig : Used to list all the attached BLE adapters.

List of BLE adapters

hciconfig hciX up : Enable the BLE adapter named hciX.

Enabling a BLE adapter

hciconfig hciX down : Disable the BLE adapter named hciX.

Disabling a BLE adaptor

hcitool lescan : Scan for BLE devices in the vicinity.

Scanning for BLE devices

After obtaining the address of the BLE device we need to connect to it and this is when we use gatttool.

gatttool -I : Launches gatttool in an interactive REPL like mode where the user can various issue commands as listed below.

gatttool running in interactive mode

connect <addr> : Connect to the BLE device with the specified address.

Connecting with a BLE device

In case of devices that only connect with phones and not to a computer, the above steps might not work. In order to connect with such devices, we need to use a random address.

gatttool -t random -b <addr> -I : Connect to the device using a random address.

Connect using a random address

After successful connection, we can see the services and characteristics of the device using the commands.

Primary

Services

Characteristics

Characteristics

After finding services and characteristics, we need to know the handles by which we can read/write data using the char-desc command.

Available handles

We can also filter the displayed handles to a particular range using a command like char-desc 01 05 which displays 5 handles from 1 to 5.

Filter displayed handles

After finding the handle, we need to read the data from it using the command char-read-hnd <handle>.

Reading a handle value

In order to write to a specific handle, we need to know which one is a write handle. For this, we can go for a hit and try method and try reading all the handles one by one until we encounter a read error. A read error means the specific handle is a write handle (write handles cannot be read). Alternatively, apps like such as nrf connect can automatically figure out the write handles.

Error reading handle 0x000b which is a write handle

The handle 0x000b has a UUID as in the image below

UUID of handle 0x000b

Using nRF Connect, we get the following output which confirms handle 0x000b is indeed a write handle. The UUIDs of handle 0x000b in the above image and below in nrf connect matches.

Write handle in nrf connect app

After connecting to the bulb, we can write random value to the different characteristics. In most cases, writing random values will not work as expected. To write the correct values in the handle, we need to decipher the data protocol, which can be found out using sniffing tools like wireshark and ubertooth.

After deciphering the data protocol, we can write the values in the handle using the command char-write-req <handle> <value>

Value / data written successfully to the device

If the char-write-req reports an error we can use char-write-cmd instead.

Value / data written

Bluetooth hci snoop log

Android starting from version 4.4 onwards has an option to record all bluetooth packets going in/out from the device. To enable capture of bluetooth traffic follow the steps below. Ensure that the android app is installed.

Step 1 : Go to mobile Settings and enable the developer option.

Step 2 : Go to "developer option" and enable Bluetooth HCI snoop log.

Enabling Bluetooth HCI snoop log

Step 3 : Run the android app (magic blue) app and send some commands to the bulb to change its color. Repeat this several times.

Step 4 : Corresponding to our commands we can find the captured file of the Bluetooth traffic at /sdcard/btsnoop_hci.log or /internal Storage/btsnoop_hci.log

Note - In some devices, btsnoop_hci.log is created in a different location like /sdcard/Android/data/btsnoop_hci.log.

Transfer the captured log file to a computer/laptop using Email, Google Drive or you can connect the android device to your laptop via USB cable.

Phone connected to laptop using a USB cable

Step 4 : Analyze the capture packets in Wireshark. Wireshark is a free and open source packet analyzer tool and can be installed by running

sudo apt install wireshark-qt

For more information on how to use Wireshark for analysis refer to our blog GHOST_URL/exploiting-iot-enabled-ble-smart-bulb-security/

Alternatively, you can open this capture file in a text editor like nano.

Viewing the captured file in nano

Using nRF Connect

The nRF connect app from Nordic Semiconductor can also be used BLE hacking. It can both sniff as well as write data just like gatttool.

Step 5: Open the nRF Connect app and connect with the BLE bulb.

Using nRF Connect

Step 6 : Once connected, write the payload value 56b0306000f0aa. Click on send. The bulb color will change to a shade of burgundy.

Writing a value in nRF Connect

This is because the color has a RGB value of 176, 48, 96 or B03060 in hexadecimal. The command we sent to the bulb was 56 b0 30 60 00 f0 aa. Note the second, third and fourth byte correspond to the RGB value in hex.

We can figure out the protocol by manually analyzing the traffic and trying to find a pattern in it.

The RGB value of the color

Using Bleah for BLE attacks

Bleah is a BLE scanner. It's based on the bluepy python library. In this section, we are going to see how we can "hack" BLE devices using Bleah.

To get started, we will need

Hardware

  • A Laptop running Linux preferably Ubuntu
  • A Smart BLE bulb or any other Bluetooth Smart Device
  • A Bluetooth Adapter

Software

  • Python 2.7 (Installed by default on Ubuntu)
  • Bluepy library
  • Bleah

First ensure, Bluepy is working as expected.

Go to bluepy directory. Open a terminal and type
sudo ./bluepy-helper 0 followed by le on as shown below

(Note: For finding the path where Bluepy is installed simply run which bluepy-helper)

Checking if Blueby is functioning correctly

A success message indicates Bluepy is functioning correctly. Now, lets see how we can use Bleah for BLE hacking.

Step 1: In the same terminal type Scan to scan for BLE devices in the vicinity.

Scanning in Bleah

Our BLE device address is F81D78607184

Step 2: Open another terminal and run sudo bleah -t0 where t0 means to scan continuously.

Running Bleah in continuous scan mode
Continuous scanning results

Step 3: We can connect to the specific device and enumerate all the Services and Characterstics using.

sudo bleah -b "aa:bb:cc:dd:ee:ff" -e

where,
aa:bb:cc:dd:ee:ff stands for device address
-b means to filter by device address
-e means to connect to the device and perform enumeration

Connect to a device and perform enumeration
Bleah enumerates all the services and characteristics

Step 4: For writing data to a specific characteristics run.

sudo bleah -b "aa:bb:cc:dd:ee:ff" -u "0000ffe9-0000-1000-8000-00805f9b34fb" -d "data"
Using Bleah to write data to a characteristic
Writing in Bleah was successful

As we just saw, Bleah is a powerful tool for conducting attacks on BLE devices. It automates many of the steps which otherwise we need to do manually.

With this, we come to an end to this blog post where we learnt various tools and techniques for performing attacks on Bluetooth Low Energy Devices. Hope you find this post useful. For any queries, suggestions, or improvements feel free to leave a comment below. Your ideas are always welcome.