Bluetooth Low Energy Sniffer

Source: Internet
Author: User
Tags: kali linux

0x00 Preface

If you opened this article hoping to see something new, I'm sorry, this isn't the one you're looking for. Strictly speaking it is just a write-up that ties existing material together: nothing in it is my own discovery, and there is no real case of mine in it, because I don't yet have an interesting Bluetooth Low Energy device on hand. The whole story is based on what Mike Ryan has published over the years.

0x01 BLE

What is BLE? BLE is short for Bluetooth Low Energy, also marketed as Bluetooth Smart. It first appeared in the Bluetooth 4.0 specification in 2010. Because it keeps power consumption and cost lower than classic Bluetooth, it has been widely adopted since it was announced.

For example: sports watches, Bluetooth Smart mice, some absurdly expensive smart skateboards, and some medical equipment. The words "Bluetooth Smart" are almost everywhere. Users like low power and manufacturers like low cost, so it has become very popular.

There are many differences between BLE and classic Bluetooth. They use different modulation parameters, different channels (still in the 2.4 GHz band), different frequency hopping, different packet formats, and even different data whitening. Of course there are things in common: BLE still uses the classic master device/slave device model, and although its PHY layer and link layer differ from classic Bluetooth, the L2CAP and ATT layers are the same.

0x02 Environment Setup

Because this is wireless communication, it is easy to think of some attacks we could carry out. Ideally we want to sniff, to inject packets and, when necessary, to jam in order to complete the rest of an attack. That sounds neither hard nor novel, but in practice Bluetooth sniffing is not as simple as it seems. For WiFi we can buy a network card that supports monitor mode; for Bluetooth there is no such convenient option at all. That means we need a dedicated device, and there are two choices: build one or buy one. Fortunately someone has already done it. The functionality has plenty of problems (mostly from keeping costs down; I don't think Mike had any technical difficulties), but it is still enough for BLE sniffing. That device is the Ubertooth One.

For setting up the Ubertooth One environment I have already written a very friendly article, so if after reading this one you want to buy an Ubertooth One, or have bought one and don't know how to configure it, you can refer to that article.

If that article is blocked by a mysterious force, you can refer directly to the following.

First you need an Ubertooth One; buy one from Taobao or from the WooYun bazaar. A Bluetooth dongle is also required for testing. Your operating system can be Windows, Linux or Mac. This article uses Kali Linux as the example for the installation steps.

Install these first:

sudo apt-get install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config libpcap-dev python-numpy python-pyside python-qt4

Then install libbtbb:

wget https://github.com/greatscottgadgets/libbtbb/archive/2015-09-R2.tar.gz -O libbtbb-2015-09-R2.tar.gz
tar xf libbtbb-2015-09-R2.tar.gz
cd libbtbb-2015-09-R2
mkdir build
cd build
cmake ..
make
sudo make install

Install the Ubertooth tools (Kali ships its own copy, but it is too old, so it is best to remove it first):

wget https://github.com/greatscottgadgets/ubertooth/releases/download/2015-09-R2/ubertooth-2015-09-R2.tar.xz -O ubertooth-2015-09-R2.tar.xz
tar xf ubertooth-2015-09-R2.tar.xz
cd ubertooth-2015-09-R2/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

Install Kismet (as before, remove the system version first):

sudo apt-get install libpcap0.8-dev libcap-dev pkg-config build-essential libnl-dev libncurses-dev libpcre3-dev libpcap-dev libcap-dev
wget https://kismetwireless.net/code/kismet-2013-03-r1b.tar.xz
tar xf kismet-2013-03-r1b.tar.xz
cd kismet-2013-03-r1b
ln -s ../ubertooth-2015-09-R2/host/kismet/plugin-ubertooth .
./configure
make && make plugins
sudo make suidinstall
sudo make plugins-install

Add pcapbtbb to the logtypes= line of kismet.conf.

Installing Wireshark and the btbb plugin:

sudo apt-get install wireshark wireshark-dev libwireshark-dev cmake
cd libbtbb-2015-09-R2/wireshark/plugins/btbb
mkdir build
cd build
cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins ..
make
sudo make install

Installing the BR/EDR plugin (same steps, different plugin directory):

cd libbtbb-2015-09-R2/wireshark/plugins/btbredr
mkdir build
cd build
cmake -DCMAKE_INSTALL_LIBDIR=/usr/lib/x86_64-linux-gnu/wireshark/libwireshark3/plugins ..
make
sudo make install

Finally, don't forget to update the firmware.

Go to the ubertooth-2015-09-R2 directory you just unpacked.

cd ubertooth-one-firmware-bin
ubertooth-dfu -d bluetooth_rxtx.dfu -r
Attempting to find Ubertooth devices
  1) 'UbertoothOne' 0x1d50 0x6002
Select a device to flash (default:1, exit:0):

Press Enter to complete the firmware update. If it fails or throws an inexplicable USB error, don't panic; try running

ubertooth-util -v

If it prints the firmware version, there shouldn't be many problems left. The environment setup is basically done.

0x03 Basic theory of sniffing

Let's get back to the technology. What we want is not just to run tools. So let's try to understand BLE and look at what the BLE stack looks like (Figure 1).

Figure 1: BLE stack

The BLE stack should look much like the IP stack you have seen. The green part at the top is the application layer, mainly GATT and ATT, which we can treat as one layer. SM is the Security Manager layer, responsible for security. The link layer and PHY layer at the bottom are mostly RF handling. Because this article focuses on the SM, link and PHY layers, the application layer is not covered. Let's look at it from the bottom up.

The PHY layer uses GFSK modulation; if you are a fan of RF hacking this will be nothing new. Unlike classic Bluetooth there are only 40 channels in the BLE world, half as many. 37 of them are used for data transmission, and channels marked unused are remapped. Then there is hopping. Unlike WiFi or ZigBee, BLE fires one shot and moves on: only one data exchange happens on each channel, a request and a response, after which it jumps to the next channel according to the hop increment.

Fortunately the CC2400 built into the Ubertooth One can do this for us. We don't have to write a program or reinvent the wheel, we just need to configure the relevant settings. Once that is done we can use the Ubertooth One to get the bits we want.

Going one level up, let's look at the link layer. From the BLE spec we can see that the link layer packet format looks like this:

The link layer format is not complicated: a preamble, an access address, the PDU and a CRC. But there seems to be a problem. What we talked about earlier were bits, and bits are all we get, while the spec talks in octets. How do we get the bits we want? First, we capture a large amount of data with the Ubertooth One, so we have plenty of bits, but we need to work out which part is which. How? We wait for a known access address to appear. Given the spec plus elementary arithmetic, we then know what the data before and after it is. This way we obtain the bit data for the whole link layer packet. With these two layers handled we can turn RF into packets.

So with Ubertooth handling these two layers, the other layers can be handed to the PC. Problem solved?

Not yet. Because BLE fires a shot and moves on, we also need to consider how to follow a connection (pairing hops randomly among the three channels 37, 38 and 39, and the starting position is unknown). Since the Ubertooth One can only listen on one channel at a time, it may take a few tries to catch the 6 packets we need to crack the TK. To follow a connection we need to know 4 things:

    • Access Address
    • CRCInit
    • time slot length (hop interval)
    • hop increment

But how do we get these values? For the AA we wait for data to flow and look for empty packets; because we know the structure of an empty packet, we only need to step back 32 bits in the captured bitstream to find the access address. The CRCInit is recovered by running the CRC LFSR backwards. Waiting for two consecutive packets on one channel lets us calculate the time slot length as δt/37, and finally the hop increment follows from high-school maths. (The original author spared the audience too much maths.)
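The CRCInit recovery mentioned above, as an added example that is not part of the original article or of the Ubertooth code: a bit-level implementation of the BLE link-layer CRC-24 LFSR (polynomial x^24 + x^10 + x^9 + x^6 + x^4 + x^3 + x + 1), and the same LFSR run backwards, which recovers the CRCInit from a single correctly received PDU and its CRC. The PDU bytes and the CRCInit value are constructed sample data.

```python
# BLE link-layer CRC-24: x^24 + x^10 + x^9 + x^6 + x^4 + x^3 + x + 1.
# The register is held bit-reversed relative to the spec drawing: bit 0 is LFSR
# position 23 (the one XORed with incoming data), so the final state is exactly
# the 3 CRC octets as they arrive on air, LSB first.
TAPS = 0x5A6000          # positions 1, 3, 4, 6, 9, 10 in this orientation
ADV_CRC_INIT = 0x555555  # fixed CRCInit used on the advertising channels

def reverse24(v: int) -> int:
    """Bit-reverse a 24-bit value (spec CRCInit <-> register orientation)."""
    return int(f"{v & 0xFFFFFF:024b}"[::-1], 2)

def ble_crc(crc_init: int, pdu: bytes) -> bytes:
    """Forward CRC over the unwhitened PDU. crc_init is the spec value as
    carried in CONNECT_REQ; the result is the CRC as it appears on air."""
    state = reverse24(crc_init)
    for byte in pdu:
        for i in range(8):                    # every octet is sent LSB first
            feedback = (state ^ (byte >> i)) & 1
            state >>= 1
            if feedback:
                state = (state | 0x800000) ^ TAPS
    return state.to_bytes(3, "little")

def recover_crc_init(pdu: bytes, crc: bytes) -> int:
    """Run the LFSR backwards from the received CRC through the PDU bits in
    reverse order; what is left in the register is the CRCInit."""
    state = int.from_bytes(crc, "little")
    for byte in reversed(pdu):
        for i in range(7, -1, -1):
            top = state >> 23                 # the feedback bit of that step
            state = (state << 1) & 0xFFFFFF
            if top:
                state ^= TAPS << 1            # undo the taps (already shifted)
            state |= top ^ ((byte >> i) & 1)  # restore the bit shifted out
    return reverse24(state)

# Constructed sample: an empty data PDU (LLID=1, Length=0) and a data PDU
# carrying an ATT notification, both "sent" with a made-up CRCInit.
SAMPLE_CRC_INIT = 0xA1B2C3
SAMPLE_PDUS = [bytes.fromhex("0100"), bytes.fromhex("0a08040004001b2c005a")]

def demo() -> bool:
    """True if the CRCInit is recovered from each sample PDU and its CRC."""
    return all(recover_crc_init(p, ble_crc(SAMPLE_CRC_INIT, p)) == SAMPLE_CRC_INIT
               for p in SAMPLE_PDUS)
```

One packet is enough because the CRC is a deterministic function of CRCInit and the PDU; a second packet with the same recovered value confirms the sniffer has locked onto the right connection.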

Anyway, after this series of steps we have everything needed to follow a connection. That means we can sniff BLE.

0x04 Encryption of BLE communication

But wait, isn't BLE encrypted? The answer is yes, it uses the famous AES-CCM (although there are still many devices whose communication is not encrypted; I am not a Bluetooth developer, but this should be related to the security model used, as the spec says that Model0 and Model1 are not encrypted). That may remind you of WPA-AES, because they use the same cipher. So after writing all this, is this a joke? No. Because the playful BLE uses a custom key exchange protocol. What is wrong with that custom key exchange? Let's look at how pairing works, or rather at its several pairing modes:

    • Just Works
    • 6 Digit PIN
    • OOB

Just Works is exactly that: it just works. Why? Because it always pairs with 0 as the TK. With a 6 digit PIN, as the name says, a number between 0 and 999999 is used as the TK; it is far too fragile against brute force, and in actual testing brute-forcing a 6 digit PIN takes less than 1 s. OOB stands for out of band and uses a more cumbersome channel for pairing; for now I have no device in this mode. What can be done with the TK? Let's look at an example.

Ming buys a cool, fancy BLE device and starts pairing it with his other device. A hacker equipped with an Ubertooth observes the whole pairing process. If pairing uses Just Works or a 6 digit PIN, the hacker brute-forces the TK in seconds. The STK is then recovered from the TK and the pairing packets, and the LTK is obtained from the STK and the key exchange.

Note, however, that to obtain the TK you need to capture at least the following 6 packets while pairing is in progress:

    • Pairing Request
    • Pairing Response
    • Pairing Confirm
    • Pairing Confirm
    • Pairing Random
    • Pairing Random

Since pairing takes place on the three channels 37, 38 and 39, and the Ubertooth One can only listen on one channel at a time, the luckiest case is that pairing starts on channel 37, the ubertooth-btle default. Ubertooth then does the rest of the connection following for you so that all 6 packets are captured. If you don't catch them, try a few more times. (Luck is involved.)

Once you have the 6 packets, feed the capture to the magic tool crackle, and crackle will crack the TK and the LTK we have been longing for. With the LTK we can decrypt all the packets we sniff! Can we use the LTK to directly replace the original slave device? No, because the connection also involves random values. Is that the end of the fun? No: what we would need to do is jam the existing connection, then use our LTK with the master device to do something naughty.

0x05 Test

To test whether the device works in your environment, you can first have a look at the WiFi band with the spectrum analyzer:

ubertooth-specan-ui

No Bluetooth Smart device on hand? Let's simulate one. Install LightBlue from the App Store on iOS device A and iOS device B; device A simulates the master device and device B the slave device.

Here we pose as a heart rate device and attempt to pair. At this point the attacker needs to be prepared in advance. You can use a named pipe for live monitoring:

mkfifo /tmp/pipe

Open Wireshark:

Capture → Options → Manage Interfaces → New

Enter /tmp/pipe

Click Start to begin listening.

And don't forget to send the Ubertooth output to the pipe:

ubertooth-btle -f -c /tmp/pipe

Finally, don't forget this step, or you won't see the packets you captured:

Edit → Preferences → Protocols → DLT_USER → Edit → New

Enter btle as the payload protocol

OK → OK

If you'd rather take the capture home and go through it slowly, simply write the captured contents to a file:

ubertooth-util -r; ubertooth-btle -f -c /output.pcap

After capturing, what we care about is whether we have enough packets to crack the TK. In Wireshark, add btsmp to the filter to make sure we have the 6 packets we need.

OK, with the capture done, download the magic tool crackle:

git clone https://github.com/mikeryan/crackle.git
cd crackle
make
make install

After installation we crack the TK and then the LTK in turn with crackle and the captured file.

From this we can see that we have not only cracked the TK, but also used the TK and some other data to recover the LTK.

Next, let's use the acquired LTK to decrypt other encrypted packets. Suppose we obtained the LTK during the pairing process:

crackle -l 7f62c053f104a5bbe68b1d896a2ed49c -i test44.pcap -o test66.pcap

We can see that 7 packets were decrypted successfully.

0x06 Solutions

Use OOB pairing. Against an OOB-paired capture, crackle has nothing to brute-force:

crackle -i heart.pcap
Warning: no output file specified. Won't decrypt any packets.
Warning: found multiple connects, only using the latest one
Warning: found multiple LL_ENC_REQ, only using latest one
Warning: found multiple connects, only using the latest one
Warning: found multiple pairing requests, only using the latest one
Warning: found multiple connects, only using the latest one
Warning: found multiple pairing requests, only using the latest one
Warning: already saw both random values, skipping
Warning: found multiple LL_ENC_REQ, only using latest one
TK not found, the connection is probably using OOB pairing
Sorry d00d :(

Wait for devices that support Bluetooth 4.2 to appear (it solves this with ECDH key exchange).

0x07 Summary

In fact, I was very excited when I first discovered that with this device plus some software I could sniff and crack BLE packets, because I had never seen such an article before. But after chatting with friends I realised that all of this is conditional on catching all the key packets during the very first pairing (if you only have 1 Ubertooth, you only have a 1/3 chance). Unfortunately, many devices remember each other once the first pairing is complete, and subsequent communication does not pair again. So to make this kind of attack more realistic, studying how to force an unpairing may be a direction. Finally, thanks to Somali Pirates for sponsoring the Ubertooth One.

References:

    • https://lacklustre.net/
    • http://www.security-sleuth.com/sleuth-blog/2015/9/6/now-i-wanna-sniff-some-bluetooth-sniffing-and-cracking-bluetooth-with-the-ubertoothone
    • https://www.bluetooth.org/en-us/specification/adopted-specifications
