bettercap Bluetooth hacking
<p>Bluetooth Low Energy (BLE) was introduced in the Bluetooth 4.0 specification alongside Classic Bluetooth (BR/EDR) and Bluetooth High Speed. Compared to Classic Bluetooth, BLE is designed to use far less power while keeping a similar communication range. A BLE device keeps its radio off most of the time and transmits only short bursts of data when needed. This keeps power consumption low and makes BLE suitable for devices that need a long-lived link with a low data rate: BLE is perfect for a TV remote, but not for a wireless media streamer that has to move large amounts of data.</p>
<h2>How to Hack Bluetooth Low Energy (BLE)</h2>
<p>BLE is a simplified protocol compared to Classic Bluetooth. Advertising happens on three fixed channels (37, 38 and 39), and although a connection does hop across the 37 data channels, the hop parameters are sent in the clear in the connection request, so a sniffer that catches the connection setup can follow the link. Both facts make sniffing and man-in-the-middle attacks easier than against Classic Bluetooth. BLE does define security mechanisms (pairing through the Security Manager Protocol, link encryption, and per-attribute permissions), but all of them are optional. How much of this is used is left to the device manufacturer, and many do not use it at all. As a result, many BLE devices advertise and accept connections at almost any time during their operation, and their characteristics can often be read, and even written, by anyone who connects, without pairing or authentication.</p>
<p>The essence of the Bluetooth Low Energy hacking process can be described in the following stages:</p>
<ol>
<li>Device discovery</li>
<li>Reading its services and characteristics</li>
<li>Detecting writable characteristics</li>
<li>Mapping characteristic UUIDs to their functions</li>
<li>Changing characteristic values</li>
</ol>
<p>The fourth stage is the most creative and the most difficult. Sometimes the meaning of a characteristic UUID can be found in the vendor's developer documentation. Sometimes you have to fuzz the value: write different data and watch what changes on the device. The hardest route is reverse engineering captured Bluetooth traffic, or reverse engineering the device's companion management application.</p>
<p>I will show an example of changing a BLE characteristic on a device using bettercap.</p>
<p>First, run bettercap:</p>
<pre><code>sudo bettercap</code></pre>
<p>Type the command to enable the module for detecting BLE devices:</p>
<pre><code>ble.recon on</code></pre>
<p>When new devices are detected, messages like the following will be displayed:</p>
<pre><code>[06:49:29] [ble.device.new] new BLE device JBL Flip 3 detected as B8:D5:0B:E2:21:88 (Sunitec Enterprise Co., Ltd) -77 dBm.
[06:50:35] [ble.device.new] new BLE device detected as 7C:F1:1F:E7:B1:C1 (Apple, Inc.) -82 dBm.
[06:57:55] [ble.device.new] new BLE device Oral-B Toothbrush detected as C8:DF:84:1A:9F:26 (Texas Instruments) -64 dBm.</code></pre>
<p>To display devices that are currently within reach, run the command:</p>
<pre><code>ble.show</code></pre>
<p>[Image: Screenshot of bettercap terminal showing the output of the 'ble.show' command, listing discovered BLE devices with their MAC, Vendor, Name, and other details.]</p>
<p>To show the characteristics of a specific device, run the following command, replacing MAC with the address of the target device:</p>
<pre><code>ble.enum MAC</code></pre>
<p>For example, to enumerate the Oral-B toothbrush with MAC C8:DF:84:1A:9F:26:</p>
<pre><code>ble.enum C8:DF:84:1A:9F:26</code></pre>
<p>[Image: Screenshot of bettercap terminal showing a large table with columns for Handles, Service/Characteristic, Properties, and Data for the enumerated BLE device.]</p>
<h2>Generic Attribute Profile (GATT)</h2>
<p>GATT (Generic Attribute Profile) is built on top of the Attribute Protocol (ATT) and defines how two connected BLE devices exchange data using the concepts of services and characteristics. The GATT server exposes an attribute table: each attribute has a 16-bit handle, a type given by a UUID (16-bit for values assigned by the Bluetooth SIG, 128-bit for custom ones), a set of permissions, and a value. The client addresses attributes by handle when it reads or writes them. GATT operations only start once a connection exists; discovery and connection setup are handled by the Generic Access Profile (GAP) through advertising.</p>
<h3>Services</h3>
<p>A service can be pictured as a cabinet with many drawers; the drawers are the characteristics. A service groups any number of characteristics and is identified by a universally unique identifier (UUID), which is 16-bit for services adopted by the Bluetooth SIG or 128-bit for vendor-defined services.</p>
<h3>Characteristics</h3>
<p>Characteristics are the basic unit of a GATT transaction. A characteristic holds a single value and, like a service, is identified by a UUID. For example, the SIG-assigned UUID of the Tx Power service is 0x1804, and its Tx Power Level characteristic is 0x2A07. Identifying 16-bit services and characteristics is straightforward from the official assigned-numbers list. 128-bit UUIDs are chosen by each vendor, and mapping them to their function takes effort.</p>
<p>You can map these IDs using two approaches:</p>
<ul>
<li>Analysis of the device management application (e.g., Android apps).</li>
<li>Fuzzing: entering various data and monitoring the device to see what changes.</li>
</ul>
<p>The <b>Properties</b> column shows what you can do with a characteristic:</p>
<ul>
<li><b>READ</b> - the value can be read</li>
<li><b>WRITE</b> - the value can be changed (WRITE WITHOUT RESPONSE is the unacknowledged variant)</li>
<li><b>NOTIFY</b> - the device pushes value changes to the client without acknowledgement</li>
<li><b>INDICATE</b> - like NOTIFY, but the client must acknowledge each update</li>
</ul>
<p>The <b>Data</b> column contains the current value of the characteristic.</p>
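<p>As an added example (not part of the original article and not bettercap code), the following Python script does the mapping step on raw data. It parses Characteristic Declaration attributes (type 0x2803) as a GATT client receives them, expands 16-bit UUIDs into the Bluetooth Base UUID, names the adopted ones it knows, flags vendor-specific ones, and decodes the properties bit-field into the READ/WRITE/NOTIFY/INDICATE names that ble.enum prints. The sample declarations, their handles and the short table of adopted UUIDs are constructed for the demo; the 128-bit UUID is the one passed to ble.write later on this page, and decoding its bytes as ASCII shows why vendor UUIDs deserve a second look.</p>

```python
import struct
import uuid

# Bluetooth Base UUID 0000xxxx-0000-1000-8000-00805F9B34FB: 16-bit SIG UUIDs live in the xxxx slot.
BT_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")
BT_BASE_TAIL = BT_BASE_UUID.bytes[4:]

# Small subset of SIG-assigned numbers, enough for the demo (the full list is the Assigned Numbers document).
ADOPTED = {
    0x1800: "Generic Access (service)", 0x1801: "Generic Attribute (service)",
    0x1804: "Tx Power (service)", 0x180A: "Device Information (service)", 0x180F: "Battery (service)",
    0x2800: "Primary Service (declaration)", 0x2803: "Characteristic (declaration)",
    0x2A00: "Device Name", 0x2A07: "Tx Power Level", 0x2A19: "Battery Level",
    0x2A29: "Manufacturer Name String",
}

# Characteristic property bits (Core Spec Vol 3 Part G, 3.3.1.1).
PROPERTY_BITS = [(0x01, "BROADCAST"), (0x02, "READ"), (0x04, "WRITE_WITHOUT_RESPONSE"), (0x08, "WRITE"),
                 (0x10, "NOTIFY"), (0x20, "INDICATE"), (0x40, "AUTHENTICATED_SIGNED_WRITES"),
                 (0x80, "EXTENDED_PROPERTIES")]
WRITE_MASK = 0x04 | 0x08 | 0x40


def uuid_from_le(raw):
    """Turn an on-the-wire UUID (2 or 16 bytes, little-endian) into a full 128-bit uuid.UUID."""
    if len(raw) == 2:
        short = struct.unpack("<H", raw)[0]
        return uuid.UUID(bytes=struct.pack(">I", short) + BT_BASE_TAIL)
    if len(raw) == 16:
        return uuid.UUID(bytes=bytes(reversed(raw)))
    raise ValueError(f"unsupported UUID length {len(raw)}")


def describe_uuid(u):
    """Name a UUID: SIG-adopted if it sits inside the Base UUID, otherwise vendor-specific with an ASCII hint."""
    if u.bytes[4:] == BT_BASE_TAIL:
        short = struct.unpack(">I", u.bytes[:4])[0]
        return f"0x{short:04X} {ADOPTED.get(short, 'adopted/unknown')}"
    # Vendors sometimes embed readable tags in custom UUIDs; show the printable bytes as a mapping hint.
    printable = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in u.bytes)
    return f"{u} vendor-specific (ascii hint: {printable})"


def parse_characteristic_declaration(value):
    """Parse a Characteristic Declaration value (attribute type 0x2803):
    properties (1 byte) | value handle (2 bytes LE) | characteristic UUID (2 or 16 bytes LE)."""
    if len(value) not in (5, 19):
        raise ValueError(f"bad declaration length {len(value)}")
    props, value_handle = struct.unpack_from("<BH", value, 0)
    char_uuid = uuid_from_le(value[3:])
    return {
        "properties": props,
        "property_names": [name for bit, name in PROPERTY_BITS if props & bit],
        "writable": bool(props & WRITE_MASK),
        "value_handle": value_handle,
        "uuid": char_uuid,
        "description": describe_uuid(char_uuid),
    }


# The 128-bit UUID is the one passed to ble.write on this page; the declarations and handles are constructed.
ORAL_B_UUID = uuid.UUID("a0f0ff23-5047-4d53-8208-4f72616c2d42")
SAMPLE_DECLARATIONS = {   # {declaration handle: declaration value}, as a Read By Type response returns them
    0x0014: bytes([0x02]) + struct.pack("<H", 0x0015) + struct.pack("<H", 0x2A07),           # READ only
    0x0023: bytes([0x0A]) + struct.pack("<H", 0x0024) + bytes(reversed(ORAL_B_UUID.bytes)),  # READ|WRITE
    0x0030: bytes([0x10]) + struct.pack("<H", 0x0031) + struct.pack("<H", 0x2A19),           # NOTIFY
}


def writable_characteristics(declarations):
    """Stage 3 of the procedure: the value handles (and names) of characteristics that accept writes."""
    found = []
    for decl_handle in sorted(declarations):
        info = parse_characteristic_declaration(declarations[decl_handle])
        if info["writable"]:
            found.append((info["value_handle"], info["description"]))
    return found


if __name__ == "__main__":
    for h, raw in sorted(SAMPLE_DECLARATIONS.items()):
        info = parse_characteristic_declaration(raw)
        print(f"decl 0x{h:04X} -> value handle 0x{info['value_handle']:04X} "
              f"[{', '.join(info['property_names'])}] {info['description']}")
    print("writable:", writable_characteristics(SAMPLE_DECLARATIONS))
```

<p>Running it lists each declaration with its value handle and decoded properties, then the handles that accept writes (stage 3 of the procedure above). The last six bytes of the vendor UUID decode as "Oral-B", the kind of hint that makes stage 4 easier than blind fuzzing.</p>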
<p>To write HEX_DATA to the characteristic with the given UUID on the device with the given MAC address:</p>
<pre><code>ble.write MAC UUID HEX_DATA</code></pre>
<p>Command example:</p>
<pre><code>ble.write C8:DF:84:1A:9F:26 a0f0ff2350474d5382084f72616c2d42 11</code></pre>
<p>[Image: Screenshot of bettercap terminal showing the execution of the `ble.write` command.]</p>
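<p>What ble.write actually puts on the air is an ATT Write Request, and whether the device accepts it depends entirely on the permissions the manufacturer set on that attribute. The Python below is an added example, not bettercap's code: a toy GATT server with an attribute table, and a client that builds the ATT Read Request (0x0A) and Write Request (0x12) PDUs byte for byte. The table is constructed for the demo (its handles, the hardened duplicate characteristic and the Link security flags are assumptions). It holds an open vendor characteristic like the toothbrush's, the read-only Device Name, and the same vendor characteristic with the authentication requirement a careful vendor would set.</p>

```python
import struct

# ATT opcodes and error codes (Bluetooth Core Spec, Vol 3 Part F).
ATT_ERROR_RSP, ATT_READ_REQ, ATT_READ_RSP, ATT_WRITE_REQ, ATT_WRITE_RSP = 0x01, 0x0A, 0x0B, 0x12, 0x13
ERR_INVALID_HANDLE, ERR_READ_NOT_PERMITTED, ERR_WRITE_NOT_PERMITTED = 0x01, 0x02, 0x03
ERR_INSUFFICIENT_AUTHN, ERR_REQUEST_NOT_SUPPORTED, ERR_INVALID_ATTR_LEN, ERR_INSUFFICIENT_ENCRYPT = 0x05, 0x06, 0x0D, 0x0F


class Attribute:
    """One row of the GATT server's attribute table: permissions plus the current value."""
    def __init__(self, uuid, value, readable=True, writable=False,
                 need_encrypt=False, need_authn=False, max_len=20):
        self.uuid, self.value = uuid, bytearray(value)
        self.readable, self.writable = readable, writable
        self.need_encrypt, self.need_authn, self.max_len = need_encrypt, need_authn, max_len


class Link:
    """Security state of the LE link as the server sees it (assumed model: set by pairing, or never set)."""
    def __init__(self, encrypted=False, authenticated=False):
        self.encrypted, self.authenticated = encrypted, authenticated


class GattServer:
    def __init__(self, table):
        self.table = table  # {handle: Attribute}

    @staticmethod
    def _error(req_opcode, handle, code):
        # Error Response: 0x01 | request opcode | attribute handle (LE) | error code
        return struct.pack("<BBHB", ATT_ERROR_RSP, req_opcode, handle, code)

    def _security_error(self, attr, link, opcode, handle):
        if attr.need_authn and not link.authenticated:
            return self._error(opcode, handle, ERR_INSUFFICIENT_AUTHN)
        if attr.need_encrypt and not link.encrypted:
            return self._error(opcode, handle, ERR_INSUFFICIENT_ENCRYPT)
        return None

    def handle_pdu(self, pdu, link):
        """Process one ATT request and return the response PDU."""
        opcode = pdu[0]
        if opcode not in (ATT_READ_REQ, ATT_WRITE_REQ) or len(pdu) < 3:
            return self._error(opcode, 0, ERR_REQUEST_NOT_SUPPORTED)
        handle = struct.unpack_from("<H", pdu, 1)[0]
        attr = self.table.get(handle)
        if attr is None:
            return self._error(opcode, handle, ERR_INVALID_HANDLE)
        if opcode == ATT_READ_REQ:                       # Read Request: 0x0A | handle
            if not attr.readable:
                return self._error(opcode, handle, ERR_READ_NOT_PERMITTED)
            denied = self._security_error(attr, link, opcode, handle)
            return denied or bytes([ATT_READ_RSP]) + bytes(attr.value)
        if not attr.writable:                            # Write Request: 0x12 | handle | value
            return self._error(opcode, handle, ERR_WRITE_NOT_PERMITTED)
        denied = self._security_error(attr, link, opcode, handle)
        if denied:
            return denied
        value = pdu[3:]
        if len(value) > attr.max_len:
            return self._error(opcode, handle, ERR_INVALID_ATTR_LEN)
        attr.value = bytearray(value)
        return bytes([ATT_WRITE_RSP])


# Client side: the PDUs a stack sends on behalf of ble.enum (reads) and ble.write.
def read_request(handle):
    return struct.pack("<BH", ATT_READ_REQ, handle)

def write_request(handle, value):
    return struct.pack("<BH", ATT_WRITE_REQ, handle) + value

def decode(rsp):
    """Summarise a response PDU as (ok, detail)."""
    if rsp[0] == ATT_ERROR_RSP:
        _, req, handle, code = struct.unpack("<BBHB", rsp)
        return False, f"error 0x{code:02X} for opcode 0x{req:02X} on handle 0x{handle:04X}"
    if rsp[0] == ATT_READ_RSP:
        return True, rsp[1:].hex()
    return True, "write ok"

def demo_server():
    """Constructed table (handles are assumed): an open vendor characteristic like the toothbrush's,
    the read-only Device Name, and a hardened copy that requires authenticated pairing."""
    return GattServer({
        0x0003: Attribute("2A00", b"Oral-B Toothbrush"),
        0x0024: Attribute("a0f0ff23-5047-4d53-8208-4f72616c2d42", b"\x00", writable=True),
        0x0040: Attribute("a0f0ff23-5047-4d53-8208-4f72616c2d42", b"\x00", writable=True,
                          need_encrypt=True, need_authn=True),
    })

def run_scenarios():
    srv = demo_server()
    attacker = Link()                                  # connected, never paired
    owner = Link(encrypted=True, authenticated=True)   # paired with MITM protection
    return {
        "write_open": decode(srv.handle_pdu(write_request(0x0024, bytes.fromhex("11")), attacker)),
        "readback_open": decode(srv.handle_pdu(read_request(0x0024), attacker)),
        "write_readonly": decode(srv.handle_pdu(write_request(0x0003, b"pwned"), attacker)),
        "write_hardened": decode(srv.handle_pdu(write_request(0x0040, b"\x11"), attacker)),
        "write_hardened_owner": decode(srv.handle_pdu(write_request(0x0040, b"\x11"), owner)),
        "bad_handle": decode(srv.handle_pdu(read_request(0x00FF), attacker)),
    }

if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:22s} {'OK ' if ok else 'ERR'} {detail}")
```

<p>Running it shows the open characteristic accepting the value 0x11 from a never-paired client, which is exactly what ble.write relies on, while the hardened copy answers with Error Response 0x05 (Insufficient Authentication) until the link has been paired with MITM protection, and the Device Name rejects the write with 0x03 (Write Not Permitted).</p>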
<h2>Program to hack Bluetooth Low Energy (BLE) from a mobile phone</h2>
<p>Since every modern phone has Bluetooth, mobile apps can be used to work with nearby BLE devices. One such application is nRF Connect, a free Android app from Nordic Semiconductor that scans for BLE devices, connects to them, and reads and writes characteristic values.</p>
<p>[Image: Screenshot of the nRF Connect app showing a scan that has discovered an "Oral-B Toothbrush" device.]</p>
<p>[Image: Screenshot of the nRF Connect app showing the list of services for the connected toothbrush.]</p>
<p>[Image: Screenshot of the nRF Connect app showing the properties (READ, WRITE) of various characteristics.]</p>
<p>[Image: Screenshot of the nRF Connect app showing the "Write value" dialog box, allowing a user to send new data to a characteristic.]</p>
<h2>Working with Bluetooth Low Energy (BLE) on Linux</h2>
<p>On Linux, you can work with BLE devices directly, without tools such as bettercap. The utilities ship in the <b>bluez</b> package. However, the BlueZ authors have marked many of the familiar tools as "deprecated": they are only built when BlueZ is configured with --enable-deprecated, and distributions may leave them out.</p>
<p>Deprecated tools include:</p>
<ul>
<li>gatttool</li>
<li>hciattach</li>
<li>hciconfig</li>
<li>hcidump</li>
<li>hcitool</li>
<li>rfcomm</li>
<li>ciptool</li>
<li>sdptool</li>
</ul>
<p>Since they may one day be removed entirely, here are a few simple ways of using their replacements to find BLE devices and read data from them.</p>
<h3>Using btmgmt</h3>
<p>If you run the btmgmt program:</p>
<pre><code>sudo btmgmt</code></pre>
<p>and then run the `find` command inside it, the devices it detects are listed:</p>
<pre><code>[mgmt]# find
Discovery started
hci0 type 7 discovering on
hci0 dev_found: C8:DF:84:1A:9F:26 type LE Public rssi -60 flags 0x0000
AD flags 0x05
name Oral-B Toothbrush</code></pre>
<h3>Using bluetoothctl</h3>
<p>This tool can also search for BLE devices.</p>
<pre><code>sudo bluetoothctl</code></pre>
<p>Inside the tool, start a scan:</p>
<pre><code>scan on</code></pre>
<p>Connect to the device using its MAC address:</p>
<pre><code>connect C8:DF:84:1A:9F:26</code></pre>
<p>Get device information:</p>
<pre><code>info C8:DF:84:1A:9F:26</code></pre>
<p>[Image: Screenshot of a terminal showing the output of `bluetoothctl info` command, which lists the Name, Alias, UUIDs, and other details for the device.]</p>
<p>You can also go to the GATT menu to list attributes:</p>
<pre><code>menu gatt
list-attributes C8:DF:84:1A:9F:26</code></pre>
<p>[Image: Screenshot of a terminal showing the output of `list-attributes`, which lists all Primary Services, Characteristics, and Descriptors.]</p>
<h2>Conclusion</h2>
<p>The Linux Bluetooth utilities deserve a closer look. They give detailed information about the local stack and let you fine-tune the Bluetooth adapter, and they can be used to build scanners for BLE and Classic Bluetooth devices, or to write or adapt fuzzers that help work out the purpose of a BLE device's characteristics.</p>