B-LE - GATT Architectural Overview

From Embedded Lab Vienna for IoT & Security

Description

This article goes into detail about GATT architectural features and their use in Bluetooth LE security designs. The research for this article was initiated while writing the paper on hacking a Bluetooth smartwatch. The practical experiment is documented in full in Setting Up Ubertooth on macOS for Bluetooth Hacking. The network topology of a B-LE GATT network consists of so-called central devices and peripheral devices. A peripheral is connected to only one central device at a time, while a central device can connect to many peripherals. The peripheral also acts as the GATT server: it holds the definitions of the device's profiles, services and characteristics. The central device always initiates the data exchange.

B-LE GATT Overview

GAP - Generic Access Profile

The Generic Access Profile takes care of discovery, security, connectivity and network technologies of a device, as well as its role. These are examples of packets (PDUs) seen while devices advertise, connect and pair:

ADV_IND
SCAN_REQ
SCAN_RSP
CONNECT_IND
AUX_SCAN_REQ
AUX_SCAN_RSP
AUX_CONNECT_REQ
AUX_CONNECT_RSP
ADV_SCAN_IND
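As an added example (not code from the original article or from the Ubertooth write-up), the following Python decodes one legacy advertising PDU of the kind listed above. The header layout (4-bit PDU type, ChSel/TxAdd/RxAdd bits, one length octet), the AdvA plus AdvData payload and the length/type/data AD structures follow the Bluetooth Core Specification; the address, name and service list in the sample PDU are constructed for this example, not captured.

```python
import struct

# Advertising PDU types from the 4-bit PDU Type field of the header
# (Bluetooth Core Spec, Vol 6 Part B, 2.3). Extended PDUs reuse some codes.
PDU_TYPES = {
    0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
    0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND",
    0x6: "ADV_SCAN_IND", 0x7: "ADV_EXT_IND", 0x8: "AUX_CONNECT_RSP",
}
CONNECTABLE = {"ADV_IND", "ADV_DIRECT_IND"}
# PDU types whose payload is a 6-octet AdvA followed by AdvData/ScanRspData
ADVA_PLUS_DATA = {"ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"}

# Constructed sample: ADV_IND from random address C0:11:22:33:44:55 advertising
# Flags, the 16-bit Heart Rate (0x180D) and Battery (0x180F) services, name "Polar".
SAMPLE_ADV_IND = bytes.fromhex(
    "40"              # header: PDU type 0 (ADV_IND), TxAdd=1 (random address)
    "16"              # payload length: 22 octets
    "5544332211c0"    # AdvA, least-significant octet first
    "020106"          # AD: Flags = LE General Discoverable | BR/EDR not supported
    "05030d180f18"    # AD: complete list of 16-bit service UUIDs
    "0609506f6c6172"  # AD: complete local name "Polar"
)


def parse_ad_structures(adv_data: bytes) -> dict:
    """Walk the length/type/data triplets inside AdvData with bounds checks."""
    out = {"service_uuids": []}
    pos = 0
    while pos < len(adv_data):
        length = adv_data[pos]
        if length == 0:               # early-termination marker
            break
        if pos + 1 + length > len(adv_data):
            raise ValueError("AD structure runs past the end of AdvData")
        ad_type = adv_data[pos + 1]
        data = adv_data[pos + 2:pos + 1 + length]
        if ad_type == 0x01 and data:  # Flags
            flags = data[0]
            out["flags"] = {
                "le_limited_discoverable": bool(flags & 0x01),
                "le_general_discoverable": bool(flags & 0x02),
                "br_edr_not_supported": bool(flags & 0x04),
            }
        elif ad_type in (0x02, 0x03):  # incomplete/complete list of 16-bit UUIDs
            for i in range(0, len(data) - 1, 2):
                out["service_uuids"].append("0x%04X" % struct.unpack_from("<H", data, i)[0])
        elif ad_type in (0x08, 0x09):  # shortened/complete local name
            out["name"] = data.decode("utf-8", errors="replace")
        pos += 1 + length
    return out


def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode header and payload of a legacy advertising channel PDU."""
    if len(pdu) < 2:
        raise ValueError("PDU shorter than its 2-octet header")
    header, length = pdu[0], pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length:
        raise ValueError("declared length %d exceeds the available payload" % length)
    pdu_type = PDU_TYPES.get(header & 0x0F, "RFU")
    info = {
        "pdu_type": pdu_type,
        "connectable": pdu_type in CONNECTABLE,   # GATT server reachable by any central
        "tx_addr_random": bool(header & 0x40),    # TxAdd: random (privacy) vs public address
        "ch_sel_2": bool(header & 0x20),
    }
    if pdu_type in ADVA_PLUS_DATA:
        if length < 6:
            raise ValueError("payload too short to hold AdvA")
        # AdvA is transmitted least-significant octet first; show it MSB first
        info["adv_addr"] = ":".join("%02X" % b for b in payload[5::-1])
        info.update(parse_ad_structures(payload[6:]))
    return info


if __name__ == "__main__":
    for key, val in parse_adv_pdu(SAMPLE_ADV_IND).items():
        print("%-16s %s" % (key, val))
```

From a defender's point of view the three fields worth reading first are the PDU type (a connectable advertiser exposes its GATT server to every central in range), the TxAdd bit (a public address is a stable tracking identifier, a random one may be resolvable or non-resolvable) and the advertised service list, which is the starting inventory for the GATT analysis in the following sections.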

GATT - Generic Attribute Profile

As soon as two Bluetooth Low Energy devices establish a connection they can start transferring data back and forth. This data is formatted into Services and Characteristics in a Server/Client relationship.

ATT - Attribute Protocol

GATT is built on top of ATT. In ATT, each attribute gets its own Unique Identifier (UUID). ATT takes care of the data exchange and of error handling. GATT groups these attributes into services and characteristics.

Profiles

Each profile has a set of services according to its profile type. Example profiles are the Basic Audio Profile, the Location and Navigation Profile, the Weight Scale Profile, the Heart Rate Profile, etc.

Services

A service can have multiple characteristics and has its own UUID. Like every attribute, it has a handle, a UUID, permissions and a value.

Example services are [Bluetooth Specifications]:

Alert Notification Service 0x1811
Audio Input Control Service 0x1843
Authorization Control Service 0x183D
Battery Service 0x180F
Binary Sensor Service 0x183B
Blood Pressure Service 0x1810
Broadcast Audio Scan Service 0x184F
Common Audio Service 0x1853

Characteristics

The characteristics are the lowest level of the GATT profile hierarchy. Each of them also has its own UUID. These are the relevant elements when it comes to protecting and enhancing the security of a Bluetooth Low Energy device. A characteristic has a value, properties and human-readable descriptors.

Example UUIDs of a Polar Smartwatch

These captures are from: Setting Up Ubertooth on macOS for Bluetooth Hacking

Example Device UUID:

C6C36C4A-7F8F-52B2-2BD7-C4F6690424E7

Example Service UUIDs:

Service: 0000180a-0000-1000-8000-00805f9b34fb (Handle: 14): Device Information
Service: 0000feee-0000-1000-8000-00805f9b34fb (Handle: 29): Polar Electro Oy
Service: 0000180d-0000-1000-8000-00805f9b34fb (Handle: 38): Heart Rate
Service: 0000180f-0000-1000-8000-00805f9b34fb (Handle: 42): Battery Service

Example services and their characteristic UUIDs, including handles and properties:

Service: 0000180a-0000-1000-8000-00805f9b34fb (Handle: 14): Device Information
 Characteristic: 00002a29-0000-1000-8000-00805f9b34fb (Handle: 15) - Properties: ['read']
 Characteristic: 00002a24-0000-1000-8000-00805f9b34fb (Handle: 17) - Properties: ['read']
 Characteristic: 00002a25-0000-1000-8000-00805f9b34fb (Handle: 19) - Properties: ['read']
 Characteristic: 00002a27-0000-1000-8000-00805f9b34fb (Handle: 21) - Properties: ['read']
 Characteristic: 00002a26-0000-1000-8000-00805f9b34fb (Handle: 23) - Properties: ['read']
 Characteristic: 00002a28-0000-1000-8000-00805f9b34fb (Handle: 25) - Properties: ['read']
 Characteristic: 00002a23-0000-1000-8000-00805f9b34fb (Handle: 27) - Properties: ['read']
Service: 0000feee-0000-1000-8000-00805f9b34fb (Handle: 29): Polar Electro Oy
 Characteristic: fb005c51-02e7-f387-1cad-8acd2d8df0c8 (Handle: 30) - Properties: ['write-without-response', 'write', 'notify']
 Characteristic: fb005c52-02e7-f387-1cad-8acd2d8df0c8 (Handle: 33) - Properties: ['notify']
 Characteristic: fb005c53-02e7-f387-1cad-8acd2d8df0c8 (Handle: 36) - Properties: ['write-without-response', 'write']
Service: 0000180d-0000-1000-8000-00805f9b34fb (Handle: 38): Heart Rate
 Characteristic: 00002a37-0000-1000-8000-00805f9b34fb (Handle: 39) - Properties: ['notify']
Service: 0000180f-0000-1000-8000-00805f9b34fb (Handle: 42): Battery Service
 Characteristic: 00002a19-0000-1000-8000-00805f9b34fb (Handle: 43) - Properties: ['read', 'notify']
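The listing above is the kind of output a service-discovery tool produces. As an added example (not part of the article or of the tooling it describes), the Python below parses such a dump into the service/characteristic hierarchy from the Services and Characteristics sections, converts between 16-bit SIG-assigned UUIDs such as 0x180F and their 128-bit form, and builds a property-based inventory of the characteristics a central can write to or subscribe to. The line format is assumed to match the listing exactly; the sample text is the listing itself.

```python
import re
from dataclasses import dataclass, field

# SIG-assigned 16-bit UUIDs live inside the Bluetooth base UUID:
# 0000xxxx-0000-1000-8000-00805f9b34fb
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Sample input: the discovery listing from the article, embedded verbatim.
SAMPLE_DUMP = """\
Service: 0000180a-0000-1000-8000-00805f9b34fb (Handle: 14): Device Information
 Characteristic: 00002a29-0000-1000-8000-00805f9b34fb (Handle: 15) - Properties: ['read']
 Characteristic: 00002a24-0000-1000-8000-00805f9b34fb (Handle: 17) - Properties: ['read']
 Characteristic: 00002a25-0000-1000-8000-00805f9b34fb (Handle: 19) - Properties: ['read']
 Characteristic: 00002a27-0000-1000-8000-00805f9b34fb (Handle: 21) - Properties: ['read']
 Characteristic: 00002a26-0000-1000-8000-00805f9b34fb (Handle: 23) - Properties: ['read']
 Characteristic: 00002a28-0000-1000-8000-00805f9b34fb (Handle: 25) - Properties: ['read']
 Characteristic: 00002a23-0000-1000-8000-00805f9b34fb (Handle: 27) - Properties: ['read']
Service: 0000feee-0000-1000-8000-00805f9b34fb (Handle: 29): Polar Electro Oy
 Characteristic: fb005c51-02e7-f387-1cad-8acd2d8df0c8 (Handle: 30) - Properties: ['write-without-response', 'write', 'notify']
 Characteristic: fb005c52-02e7-f387-1cad-8acd2d8df0c8 (Handle: 33) - Properties: ['notify']
 Characteristic: fb005c53-02e7-f387-1cad-8acd2d8df0c8 (Handle: 36) - Properties: ['write-without-response', 'write']
Service: 0000180d-0000-1000-8000-00805f9b34fb (Handle: 38): Heart Rate
 Characteristic: 00002a37-0000-1000-8000-00805f9b34fb (Handle: 39) - Properties: ['notify']
Service: 0000180f-0000-1000-8000-00805f9b34fb (Handle: 42): Battery Service
 Characteristic: 00002a19-0000-1000-8000-00805f9b34fb (Handle: 43) - Properties: ['read', 'notify']
"""

SERVICE_RE = re.compile(r"^\s*Service:\s+(\S+) \(Handle: (\d+)\): (.*)$")
CHAR_RE = re.compile(r"^\s*Characteristic:\s+(\S+) \(Handle: (\d+)\) - Properties: \[(.*)\]$")


@dataclass
class Characteristic:
    uuid: str
    handle: int
    properties: list


@dataclass
class Service:
    uuid: str
    handle: int
    name: str
    characteristics: list = field(default_factory=list)


def short_to_uuid128(short: int) -> str:
    """Expand a 16-bit SIG UUID (e.g. 0x180F) to its 128-bit form."""
    return "%08x%s" % (short, BASE_UUID_SUFFIX)


def uuid128_to_short(uuid: str):
    """Return the 16-bit value if the UUID is SIG-assigned, else None (vendor UUID)."""
    u = uuid.lower()
    if u.startswith("0000") and u.endswith(BASE_UUID_SUFFIX):
        return int(u[4:8], 16)
    return None


def uuid_label(uuid: str) -> str:
    short = uuid128_to_short(uuid)
    return "0x%04X" % short if short is not None else uuid


def parse_discovery_dump(text: str) -> list:
    """Build Service objects, attaching each characteristic to the preceding service."""
    services = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m.group(1), int(m.group(2)), m.group(3).strip()))
            continue
        m = CHAR_RE.match(line)
        if m:
            if not services:
                raise ValueError("characteristic before any service: " + line)
            props = [p.strip().strip("'\"") for p in m.group(3).split(",") if p.strip()]
            services[-1].characteristics.append(Characteristic(m.group(1), int(m.group(2)), props))
            continue
        raise ValueError("unrecognised line: " + line)
    return services


def inventory(services: list) -> list:
    """List characteristics a central can write or subscribe to: (service, handle, uuid, kinds)."""
    findings = []
    for s in services:
        for c in s.characteristics:
            p = set(c.properties)
            kinds = []
            if p & {"write", "write-without-response"}:
                kinds.append("writable")
            if "write-without-response" in p:     # no ATT acknowledgement for the writer
                kinds.append("unacknowledged-write")
            if p & {"notify", "indicate"}:
                kinds.append("pushes-data")
            if kinds:
                findings.append((s.name, c.handle, uuid_label(c.uuid), kinds))
    return findings


if __name__ == "__main__":
    for name, handle, uuid, kinds in inventory(parse_discovery_dump(SAMPLE_DUMP)):
        print("%-18s handle %3d %-40s %s" % (name, handle, uuid, ", ".join(kinds)))
```

Note the caveat this makes visible: the dump shows properties (what operations a characteristic supports) but not attribute permissions (whether the server demands encryption or authentication before honouring them). Which of the writable vendor characteristics in the 0xFEEE service are actually protected can only be established by observing the server's ATT error responses, not from the discovery listing.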

BLE Operations

Depending on the characteristic's properties, these operations can be executed on the target device's characteristics:

  • Read = Read the value of a characteristic
  • Write = Write a value to a characteristic
  • Notify = Receive notifications of value changes from the device by subscribing to the characteristic
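What a subscriber actually receives through Notify from the Heart Rate Measurement (0x2A37) and Battery Level (0x2A19) characteristics of the watch listed above is a short binary value that must be parsed defensively. The decoder below is an added example, not code from the article; the field layout (flags octet, 8- or 16-bit heart rate, optional Energy Expended and RR-Interval fields) follows the Bluetooth SIG characteristic definitions, and both notification values are constructed for the example, not captured from the device.

```python
import struct


def decode_heart_rate_measurement(value: bytes) -> dict:
    """Parse a Heart Rate Measurement (0x2A37) value, rejecting truncated input."""
    if not value:
        raise ValueError("empty Heart Rate Measurement value")
    flags = value[0]
    out = {}
    if flags & 0x01:                     # bit 0: heart rate is uint16
        if len(value) < 3:
            raise ValueError("truncated 16-bit heart rate field")
        out["heart_rate_bpm"] = struct.unpack_from("<H", value, 1)[0]
        pos = 3
    else:                                # heart rate is uint8
        if len(value) < 2:
            raise ValueError("truncated 8-bit heart rate field")
        out["heart_rate_bpm"] = value[1]
        pos = 2
    # bit 2: sensor contact feature supported; bit 1: contact detected
    out["sensor_contact"] = bool(flags & 0x02) if flags & 0x04 else None
    if flags & 0x08:                     # bit 3: Energy Expended (uint16, kJ) present
        if len(value) < pos + 2:
            raise ValueError("truncated Energy Expended field")
        out["energy_expended_kj"] = struct.unpack_from("<H", value, pos)[0]
        pos += 2
    rr = []
    if flags & 0x10:                     # bit 4: one or more RR-Intervals (uint16, 1/1024 s)
        while pos + 2 <= len(value):
            rr.append(struct.unpack_from("<H", value, pos)[0] / 1024.0)
            pos += 2
    out["rr_intervals_s"] = rr
    if pos != len(value):                # leftover bytes are not part of the format
        out["trailing_bytes"] = len(value) - pos
    return out


def decode_battery_level(value: bytes) -> int:
    """Parse a Battery Level (0x2A19) value: exactly one octet in the range 0..100."""
    if len(value) != 1 or value[0] > 100:
        raise ValueError("invalid Battery Level value %r" % (value,))
    return value[0]


# Constructed notification values (not captured):
# 8-bit heart rate 72 bpm with two RR-Intervals of 1.0 s and 0.75 s
SAMPLE_HR_8BIT = bytes.fromhex("10" "48" "0004" "0003")
# 16-bit heart rate 256 bpm, contact supported and detected, Energy Expended 100 kJ
SAMPLE_HR_16BIT = bytes.fromhex("0f" "0001" "6400")
SAMPLE_BATTERY = bytes.fromhex("5a")

if __name__ == "__main__":
    print(decode_heart_rate_measurement(SAMPLE_HR_8BIT))
    print(decode_heart_rate_measurement(SAMPLE_HR_16BIT))
    print(decode_battery_level(SAMPLE_BATTERY))
```

The length checks matter because a peripheral (or anyone who can reach a writable characteristic, as the inventory of the previous section shows) controls these bytes; a client that indexes into a notification without checking the flags against the actual length is the classic source of parsing bugs on the central side.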

Further Context

For further context and practical examples make sure to read:

  • Setting Up Ubertooth on macOS for Bluetooth Hacking [1]

Courses

Author

Are Maksimović

References