Bluetooth, as we know, is one of the most popular and widely used wireless technologies in today’s world. With the rapid growth of IoT accelerating development in Bluetooth technology, constant efforts are being taken by the Bluetooth Special Interest Group (SIG) to increase the transfer speed with a maximum focus on beacons, healthcare entertainment, and fitness.
Bluetooth Low Energy (BLE) is a part of the Bluetooth 4.0 specification which additionally also includes Classic Bluetooth and Bluetooth High Speed Protocols. Compared to classic Bluetooth, BLE is intended to use lesser power while maintaining similar communication range. BLE is an "always off" technology and only transmits short amounts of data when required. This significantly reduces power consumption making it ideal to use in cases where a persistent long term connection is required with a low data rate. BLE is perfect for a TV remote but not for a wireless media streaming device which needs a large amount of data to transmit.
Bluetooth Low Energy is built into many of the gadgets that we use today. From smartphones, smart televisions, advanced technologies such as medical equipment to a basic devices such as our coffee machines, all use BLE.
Nokia originally developed BLE for an in-house project called ‘WIBREE,’ which was later on, taken over by the Bluetooth SIG. BLE was conceived with an emphasis on better pairing speed and energy efficiency. .
What makes BLE stand out?
- Enables multi-platformed communication: Can easily communicate via a large number of devices that run on Android, iOS, Linux, Windows Phone, Windows 8, and OS X
- Better pairing speed
- Helps maintain a connection for longer periods of time
- Significantly lower implementation costs
- Energy efficient
BLE does sound good but, is it really all that good?
That’s a good question from a security standpoint. The fact is - BLE is just a protocol. It’s up to the manufacturers to implement BLE securely in their device. Even the strongest cryptographic protocol has been known to fail due to the random number generator not being "random enough." The same applies to BLE. Thus, it can be said that the security of BLE lies in the hands if its implementers.
While all Bluetooth Low Energy devices were developed with the principal motive of enhancing user experience, did security take a backseat during the process?
Let us have a look at the three main vulnerabilities that BLE may expose its users to:
- Eavesdropping: As the name suggests, eavesdropping refers to a third party device listening in on the data that’s being exchanged between two paired devices. A connection between two paired devices signifies a chain of trust. The chain gets broken when one of the device is removed. An attacker may use the device unit number for getting access to other Bluetooth connected devices. Even if the encryption/ decryption keys on the device were to be deleted, the attacker may brute force the PIN number offline using a Bluetooth Sniffer (using the ID of the device). Once the PIN is derived, the device can easily be hijacked.
- Man in the Middle Attacks (MITM): Man in the middle attacks involve a third party device impersonating a legitimate device, tricking two legitimate devices into believing that they’re connected to each other, when in reality, the legitimate devices are connected to the impersonator. This sort of an attack enables the attacker/impersonator to access all the data that is being exchanged between the devices and also, manipulate data by deleting it or changing it, before it reaches the respective device.
- Denial of Service & Fuzzing Attack: Since most wireless devices these days work on inbuilt battery packs, these devices run the risk of being exposed to Denial of Service Attacks (DoS). DoS attacks expose a system to the possibility of frequent crashes leading to a complete exhaustion of its battery. Fuzzing attacks too lead to systems crashing as an attacker may send malformed or non-standard data to a device’s Bluetooth radio and check its response, ultimately overwhelming it.
There are two basic concepts in BLE.
- GAP - Generic Access Profile
- GATT - Generic Attribute Protocol
Generic Access Profile (GAP)
This is responsible for the connections and advertising in BLE. GAP is responsible for the visibility of a device to the external world and also plays a major role in determining how the device interacts with other devices.
The following two concepts are integral to GAP:
Peripheral devices : These are small and low energy devices that can connect with complex, more powerful central devices. Heart rate monitor is an example of a peripheral device.
Central devices : These devices are mostly cell phones or gadgets that have an increased memory and processing power.
This illustrates how the advertisement and scan response payload work.
The peripheral device will send an advertising data once every 2 seconds. If the central device is ready to listen to the advertisement packets, it will respond with a scan response request.
In response to this request, the peripheral device will send a scan response data. Thus, the central and peripheral device gets advertised and connected with each other.
Making use of a generic data protocol known as Attribute Protocol, GATT determines how two BLE devices exchange data with each other using concepts - service and characteristic. This protocol stores all the service and characteristic in a lookup table using a 16 bit IDs as specified by the Bluetooth SIG. It’s vital to note that GATT gets initiated only after the advertising process governed by GAP has been completed.
The two main concepts that form GATT are
- Services
- Characteristics
Services
Services are simply defined as a cabinet which can hold many drawers in it, which in turn are called as characteristics. A service can have many characteristics. Each service is unique in itself with a universally unique identifier (UUID) that could either be 16 bit in size for official adapted services or 128 bit for custom services.
Characteristics
Characteristics are the most fundamental concept within a GATT transaction. Characteristics contain a single data point and akin to services, each characteristic has a unique ID or UUID that distinguishes itself from the other characteristic. For example HRM sensor data from health bands etc.
Here are the SIG specifications for the characteristics and services for BLE devices. Any BLE device which has officially adopted UUID’s by SIG must use the ID specified by them in their applications.
For example the official TX power UUID as mandated by the SIG is 0x1804.
A beacon which is scanned by the nRF Connect app (more on this later) must have the same TX power UUID as per the specifications of SIG.
Linux offers the best support for BLE. In order to use BLE, we need to install the bluetooth stack (blueZ). It can be installed by running
sudo apt-get install bluezWe will use a PC/Laptop running Ubuntu with bluez installed. This device will work as the central gateway for communicating with other peripheral devices. BlueZ’s goal is to program and implement Bluetooth wireless standards specifications. After installing this, we need two tools to scan, connect, and read/write data.
- hcitool
- gatttool
Before starting, we need to scan for BLE devices in our vicinity. If there's one we need to find out how to connect to it, read/write the data and hopefully discover a vulnerability in it which can later be used for exploitation. For these purposes, the hcitool is indispensible.
It makes use of the host controller interface in a laptop to communicate and read/write changes to BLE devices. hcitool is therefore, useful in finding out the available victim BLE device that advertises, and then in changing the values after connection.
The values/data can only be changed if one knows the service and characteristic the data is coming from. In order to find out the relevant services and characteristics, one may use a gatttool.
gatttool
As mentioned in the previous paragraph, gatttool is mainly helpful in finding out the services and characteristics of an available BLE device so that the victim’s data can be read/written according to the attacker.
General purpose commands
| Command | Function |
|---|---|
| hciconfig | Used to configure Bluetooth devices.We can run this command to list the BLE dongles connected to our computeralong with basic information about them. |
| hciconfig hciX up | Turns on the Bluetooth device named hciX |
More commands: https://helpmanual.io/man1/hciconfig/
hcitool is used to configure Bluetooth connections and send some special command to Bluetooth devices.
| Command | Function |
|---|---|
| hcitool -i hciX | Use the interface hciX for the command. If not specified, defaults to the first available interface |
| hcitool scan | Scans for classic Bluetooth devices which are in discoverable mode |
| hcitool lescan | Scans for BLE devices |
More commands: https://helpmanual.io/man1/hcitool/
Gattool commands
GATT stands for Generic Attribute and defines a data structure for organizing characteristics and attributes. We can discover, read, and write characteristics using gatttool.
| Command | Function |
|---|---|
| gatttool -I | Launch gatttool in interactive mode |
| gatttool -t random -b [adr] -I | Launch gattool in interactive mode using a random LE address. Connect to the remote Bluetooth device having address adr. |
| primary | Check for available services of the connected BLE device |
| characteristic | Check for available characteristics of the connected BLE device from where we can read data |
| char-desc | Characteristics Descriptor Discovery. Check for n no of handles |
| char-read-hnd | Read characteristic by their handle |
| char-write-req | Write values to the handle |
More commands: https://helpmanual.io/man1/gatttool/
Example usage
hciconfig : Used to list all the attached BLE adapters.
hciconfig hciX up : Enable the BLE adapter named hciX.
hciconfig hciX down : Disable the BLE adapter named hciX.
hcitool lescan : Scan for BLE devices in the vicinity.
After obtaining the address of the BLE device we need to connect to it and this is when we use gatttool.
gatttool -I : Launches gatttool in an interactive REPL like mode where the user can various issue commands as listed below.
connect <addr> : Connect to the BLE device with the specified address.
In case of devices that only connect with phones and not to a computer, the above steps might not work. In order to connect with such devices, we need to use a random address.
gatttool -t random -b <addr> -I : Connect to the device using a random address.
After successful connection, we can see the services and characteristics of the device using the commands.
Primary
Characteristics
After finding services and characteristics, we need to know the handles by which we can read/write data using the char-desc command.
We can also filter the displayed handles to a particular range using a command like char-desc 01 05 which displays 5 handles from 1 to 5.
After finding the handle, we need to read the data from it using the command char-read-hnd <handle>.
In order to write to a specific handle, we need to know which one is a write handle. For this, we can go for a hit and try method and try reading all the handles one by one until we encounter a read error. A read error means the specific handle is a write handle (write handles cannot be read). Alternatively, apps like such as nrf connect can automatically figure out the write handles.
The handle 0x000b has a UUID as in the image below
Using nRF Connect, we get the following output which confirms handle 0x000b is indeed a write handle. The UUIDs of handle 0x000b in the above image and below in nrf connect matches.
After connecting to the bulb, we can write random value to the different characteristics. In most cases, writing random values will not work as expected. To write the correct values in the handle, we need to decipher the data protocol, which can be found out using sniffing tools like wireshark and ubertooth.
After deciphering the data protocol, we can write the values in the handle using the command char-write-req <handle> <value>
If the char-write-req reports an error we can use char-write-cmd instead.
Android starting from version 4.4 onwards has an option to record all bluetooth packets going in/out from the device. To enable capture of bluetooth traffic follow the steps below. Ensure that the android app is installed.
Step 1 : Go to mobile Settings and enable the developer option.
Step 2 : Go to "developer option" and enable Bluetooth HCI snoop log.
Step 3 : Run the android app (magic blue) app and send some commands to the bulb to change its color. Repeat this several times.
Step 4 : Corresponding to our commands we can find the captured file of the Bluetooth traffic at /sdcard/btsnoop_hci.log or /internal Storage/btsnoop_hci.log
Note - In some devices, btsnoop_hci.log is created in a different location like /sdcard/Android/data/btsnoop_hci.log.
Transfer the captured log file to a computer/laptop using Email, Google Drive or you can connect the android device to your laptop via USB cable.
Step 4 : Analyze the capture packets in Wireshark. Wireshark is a free and open source packet analyzer tool and can be installed by running
sudo apt install wireshark-qtFor more information on how to use Wireshark for analysis refer to our blog GHOST_URL/exploiting-iot-enabled-ble-smart-bulb-security/
Alternatively, you can open this capture file in a text editor like nano.
The nRF connect app from Nordic Semiconductor can also be used BLE hacking. It can both sniff as well as write data just like gatttool.
Step 5: Open the nRF Connect app and connect with the BLE bulb.
Step 6 : Once connected, write the payload value 56b0306000f0aa. Click on send. The bulb color will change to a shade of burgundy.
This is because the color has a RGB value of 176, 48, 96 or B03060 in hexadecimal. The command we sent to the bulb was 56 b0 30 60 00 f0 aa. Note the second, third and fourth byte correspond to the RGB value in hex.
We can figure out the protocol by manually analyzing the traffic and trying to find a pattern in it.
Bleah is a BLE scanner. It's based on the bluepy python library. In this section, we are going to see how we can "hack" BLE devices using Bleah.
To get started, we will need
Hardware
- A Laptop running Linux preferably Ubuntu
- A Smart BLE bulb or any other Bluetooth Smart Device
- A Bluetooth Adapter
Software
- Python 2.7 (Installed by default on Ubuntu)
- Bluepy library
- Bleah
First ensure, Bluepy is working as expected.
Go to bluepy directory. Open a terminal and typesudo ./bluepy-helper 0 followed by le on as shown below
(Note: For finding the path where Bluepy is installed simply run which bluepy-helper)
A success message indicates Bluepy is functioning correctly. Now, lets see how we can use Bleah for BLE hacking.
Step 1: In the same terminal type Scan to scan for BLE devices in the vicinity.
Our BLE device address is F81D78607184
Step 2: Open another terminal and run sudo bleah -t0 where t0 means to scan continuously.
Step 3: We can connect to the specific device and enumerate all the Services and Characterstics using.
sudo bleah -b "aa:bb:cc:dd:ee:ff" -ewhere,aa:bb:cc:dd:ee:ff stands for device address-b means to filter by device address-e means to connect to the device and perform enumeration
Step 4: For writing data to a specific characteristics run.
sudo bleah -b "aa:bb:cc:dd:ee:ff" -u "0000ffe9-0000-1000-8000-00805f9b34fb" -d "data"
As we just saw, Bleah is a powerful tool for conducting attacks on BLE devices. It automates many of the steps which otherwise we need to do manually.
With this, we come to an end to this blog post where we learnt various tools and techniques for performing attacks on Bluetooth Low Energy Devices. Hope you find this post useful. For any queries, suggestions, or improvements feel free to leave a comment below. Your ideas are always welcome.
FAQs
How easily can Bluetooth be hacked? ›
Bluetooth technology operates by having devices discover each other when they are within close range. This means that hackers can usually only take advantage of security vulnerabilities if Bluetooth is enabled on your device. Keeping Bluetooth active all the time makes your device more discoverable.
How can I make my Bluetooth Low Energy? ›...
This is how users enable the feature:
- Go to Settings > Security & Location > Location.
- Check that the Location On/Off toggle is in the On position.
- Go to Mode.
- Select either High accuracy or Battery saving mode.
It is a form of hacking that lets attackers access a device through its discoverable Bluetooth connection. Once a device or phone is bluebugged, a hacker can listen to the calls, read and send messages and steal and modify contacts. It started out as a threat for laptops with Bluetooth capability.
How do you detect BLE devices? ›To find BLE devices, you use the startScan() method. This method takes a ScanCallback as a parameter. You must implement this callback, because that is how scan results are returned.
What is Bluetooth eavesdropping? ›Eavesdropping allows a malicious user to listen to or intercept data intended for another device. Bluetooth uses a frequency-hopping spread spectrum to prevent this attack.
How is bluesnarfing done? ›Active bluesnarfing involves the attacker trying to pair their device with the victim's device. Passive bluesnarfing occurs when the attacker simply listens to the victim's Bluetooth connection. They can gather data such as text messages, phone calls, and emails. Passive bluesnarfing is also called bluesniffing.
What frequency is Bluetooth Low Energy? ›The Bluetooth Low Energy (LE) radio is designed for very low power operation. Transmitting data over 40 channels in the 2.4GHz unlicensed ISM frequency band, the Bluetooth LE radio provides developers a tremendous amount of flexibility to build products that meet the unique connectivity requirements of their market.
What is BLE code? ›Android provides built-in platform support for Bluetooth Low Energy (BLE) in the central role and provides APIs that apps can use to discover devices, query for services, and transmit information. Common use cases include the following: Transferring small amounts of data between nearby devices.
Is Bluetooth Low Energy frequency hopping? ›Bluetooth divides the frequency band into smaller channels (e.g. 40 channels in the case of Bluetooth Low Energy) and rapidly hops between those channels when transmitting packets. To further reduce the chance of interference, Bluetooth adapts its hopping sequence.
Can someone remotely turn on my Bluetooth? ›Yes, Bluetooth can be hacked. While using this technology has offered a lot of creature comforts, it has also exposed people to cyberattacks. Almost all devices are Bluetooth enabled—from smartphones to cars. People are surrounded by this technology every single day.
How is bluebugging done? ›
Bluebugging manipulates a target phone into compromising its security, this to create a backdoor attack before returning control of the phone to its owner. Once control of a phone has been established, it is used to call back the hacker who is then able to listen in to conversations, hence the name "bugging".
How is bluejacking done? ›Bluejacking involves sending unsolicited business cards, messages, or pictures. The bluejacker discovers the recipient's phone via doing a scan of Bluetooth devices. He would then select any device, craft a message as is allowed within the body of the phone's contact interface.
Can BLE go through walls? ›Bluetooth works flawlessly when there's nothing to impede it's path. But when the signal needs to pass through heavy building materials and multiple walls, the effectiveness of the signal could be impacted. Bluetooth is more likely to travel through drywall than concrete or metal, for example.
What is virtual Bluetooth? ›Virtual Bluetooth LE (vBLE) builds on BLE. It's a patented technology for indoor location-based services that uses virtual beacons rather than physical beacons to more precisely and affordably locate devices containing BLE sensors.
How do I identify a unique Bluetooth device? ›Every single Bluetooth device has a unique 48-bit address, commonly abbreviated BD_ADDR. This will usually be presented in the form of a 12-digit hexadecimal value. The most-significant half (24 bits) of the address is an organization unique identifier (OUI), which identifies the manufacturer.
What does a Bluetooth sniffer do? ›A Bluetooth® sniffer (or protocol analyzer) is one of the most useful tools that a Bluetooth developer can't do without. The difference between a Bluetooth sniffer and the Client emulator apps mentioned previously is that sniffers can spy on the communication between your central and peripheral devices.
What bluebugging means? ›A cyberattack that seeks to infiltrate the victim's device through a discoverable Bluetooth connection. The hacker's machine pairs with the target device and installs malware on it. Once the device has been bluebugged, the hacker is able to make and listen to calls, read and send messages, and modify or steal contacts.
How does a Bluetooth sniffer work? ›A BLE sniffer (aka Bluetooth protocol analyzer) acts as a passive listening device that captures BLE packets sent over the air from various devices within the direct radio range.
Is bluesnarfing illegal? ›While bluesnarfing is illegal information theft, bluejacking is simply sending unauthorized messages to a Bluetooth device. These signals themselves steal no information.
Can bluesnarfing be done through Wi-Fi? ›Keeping it off is recommended as a device in non-discoverable mode has little chance of being attacked as a hacker can still Bluesnarf it by guessing the victim's MAC address via a brute force attack. Do not accept any connection requests from strangers or ones you don't recognize.
What is the difference between bluesnarfing and Bluebugging? ›
Both Bluesnarfing and Bluejacking exploit others' Bluetooth connections without their knowledge. While Bluejacking is essentially harmless as it only transmits data to the target device, Bluesnarfing is the theft of information from the target device.
Is Bluetooth Low Energy encrypted? ›Bluetooth Low Energy was designed with an AES-128 encryption for security.
What are examples of BLE devices? ›- Peripheral devices are typically low-power devices like heart rate sensors, body weight scales, thermometers, proximity tags, etc.. ...
- Central devices are things like mobile phones and tablets that communicate with peripheral devices.
BLE operates in the license-free 2.4 GHz ISM band. In BLE, this ISM band is divided into 40 communication channels, having a bandwidth of 2 MHz each. Those 40 channels include 3 advertising channels and 37 connection channels. The two different types of BLE channels are used for different BLE communication modes.
What devices use Bluetooth Low Energy? ›Bluetooth low energy technology is primarily used for novel applications, such as access control and door entry, blood pressure monitors, smart watches and wearables, public transportation apps, etc. 56/128-bit and application layer user defined. 128-bit AES in CCM mode and application layer user defined.
Can BLE connect to the Internet? ›BLE Beacons
They broadcast to nearby Bluetooth Low Energy devices, but they do not receive data. BLE beacons do not require an internet connection to do this broadcasting. Typically this would look like a single beacon broadcasting data to smart devices (cell phones, smart watches, etc.)
Today, most smartphones and tablets are BLE compatible, which means they can seamlessly communicate with Bluetooth-enabled wireless headphones, digital signage, car stereos, fitness trackers, smartwatches, and hardware devices like beacons.
Which is better ant or Bluetooth Low Energy? ›Both are good choices for very low-power applications. ANT has the simplest protocol with minimum overhead, and it supports more different types of network topologies. BLE is a star-only format, while ANT supports all types including mesh.
Does Bluetooth use a lot of energy? ›A BLE connection may use between 1-3% of a phone's battery over a 24 hour span, whereas Bluetooth may use between 5-8% of a phone's battery over the same period (depending on what sort of data was being passed between the two devices).
Why does my HP printer say Bluetooth Low Energy? ›Bluetooth Smart, or Bluetooth Low Energy (BLE), is used by the HP Smart app to discover the printer during the setup process. Bluetooth Smart does not enable Bluetooth printing. It is only used as an aid for setting up a printer.
Is Bluetooth Low Energy the same as Bluetooth? ›
The difference lies in how they distribute data for energy savings. Bluetooth can handle a lot of data but quickly consumes battery life and costs a lot more. Bluetooth Low Energy is used for applications that do not need to exchange large amounts of data and can run on battery power for years at a cheaper cost.
Is all Bluetooth Low Energy? ›Bluetooth is a wireless technology that uses low-energy radio waves to send wireless data between Bluetooth-enabled devices. It's similar to Wi-Fi in that it operates over radio waves.
Why you shouldn't leave your Bluetooth on? ›Bluetooth technology offers convenience - from hands-free phone calls to wireless file-sharing to playing music on a vehicle's speakers. But leaving your Bluetooth on all the time can be dangerous, and hackers are exploiting the technology to access private information, spread malicious software and more.
How does low energy Bluetooth work? ›BLE devices are discovered through the broadcasting of advertising packets over 3 separate frequencies to reduce interference. A BLE device sends out a repetitive packet of information over one of three channels with random delays of up to 10 milliseconds.
What devices use Bluetooth low energy? ›Bluetooth low energy technology is primarily used for novel applications, such as access control and door entry, blood pressure monitors, smart watches and wearables, public transportation apps, etc. 56/128-bit and application layer user defined. 128-bit AES in CCM mode and application layer user defined.
How secure is Bluetooth Low Energy? ›Bluetooth Low Energy is a secure wireless communication protocol, but only if you implement it properly. The only serious vulnerability it has is during the second phase of pairing, but you can always secure this phase with an appropriate pairing method.
How accurate is Bluetooth Low Energy? ›The accuracy of the beacons we get varies from the highest accuracy with 0.07 meters at one meter measurement, and the most inaccurate result with 7.81 meters at 10 meters measurement. The average accuracy of distance measured on a user's smartphone is between 0.79 meters to 2.28 meters.
Does iPhone have BLE? ›...
Bluetooth security.
| Support | Bluetooth Classic | Bluetooth Low Energy |
|---|---|---|
| Bluetooth 4.2 or later | iPhone 6 or later | iOS 9 or later iPadOS 13.1 or later macOS 10.12 or later tvOS 9 or later watchOS 2.0 or later |
cpp already told you in his answer pairing (the exchange of keys) and bonding (saving of said keys) is not required for the communication with BLE devices and only needed if the device requires a secured connection.
Does Bluetooth 5.0 have BLE? ›Nearly all of the big improvements in Bluetooth 5 are exclusively for its Low Energy mode (BLE). First introduced in Bluetooth 4.0 and then improved in the v4. 1 and v4. 2 releases, BLE is a whole separate protocol from “classic” Bluetooth.