B-LE - GATT Architectural Overview
Description
This article goes into detail about GATT architectural features and their usage in Bluetooth LE security designs. The research for this article was initiated while writing the paper on hacking a Bluetooth smartwatch. The practical experiment is documented in full in Setting Up Ubertooth on macOS for Bluetooth Hacking. The network topology of a B-LE GATT network consists of so-called central devices and peripheral devices. A peripheral is connected to only one central device at a time, while a central device can connect to many peripherals. The peripheral also acts as the GATT server: it contains the definitions for the profiles, services and characteristics of the device. The central device always initiates the data exchange.
B-LE GATT Overview
GAP - Generic Access Profile
The Generic Access Profile takes care of discovery, security, connectivity and network technologies of a device as well as its role. These are examples of packets seen during pairing:
- ADV_IND
- SCAN_REQ
- SCAN_RSP
- CONNECT_IND
- AUX_SCAN_REQ
- AUX_SCAN_RSP
- AUX_CONNECT_REQ
- AUX_CONNECT_RSP
- ADV_SCAN_IND
GATT - Generic Attribute Profile
As soon as two Bluetooth Low Energy devices establish a connection they can start transferring data back and forth. This data is formatted into Services and Characteristics in a Server/Client relationship.
ATT - Attribute Protocol
GATT is based on ATT. Each attribute gets its own Unique Identifier (UUID) here. ATT takes care of the data exchange and error handling. With GATT, these attributes are categorized into characteristics and services.
Profiles
Each profile has a set of services according to its profile type. Example profiles are the Basic Audio profiles, the Location and Navigation profile, the Weight Scale profile, the Heart Rate profile, etc.
Services
A service can have multiple characteristics. It has its own UUID. Like any attribute, it has a handle, a UUID, permissions and a value.
Example services are [Bluetooth Specifications]:
- Alert Notification Service: 0x1811
- Audio Input Control Service: 0x1843
- Authorization Control Service: 0x183D
- Battery Service: 0x180F
- Binary Sensor Service: 0x183B
- Blood Pressure Service: 0x1810
- Broadcast Audio Scan Service: 0x184F
- Common Audio Service: 0x1853
Characteristics
The characteristics are the lowest level of the GATT profiles. They also each use their own UUID. They are the relevant elements when it comes to protecting and enhancing the security of a Bluetooth Low Energy device. A characteristic has a value, properties and human-readable descriptors.
Example UUIDs of a Polar Smartwatch
These captures are from: Setting Up Ubertooth on macOS for Bluetooth Hacking
Example Device UUID:
C6C36C4A-7F8F-52B2-2BD7-C4F6690424E7
Example Service UUIDs:
Service: 0000180a-0000-1000-8000-00805f9b34fb (Handle: 14): Device Information
Service: 0000feee-0000-1000-8000-00805f9b34fb (Handle: 29): Polar Electro Oy
Service: 0000180d-0000-1000-8000-00805f9b34fb (Handle: 38): Heart Rate
Service: 0000180f-0000-1000-8000-00805f9b34fb (Handle: 42): Battery Service
Example services and their characteristic UUIDs, including handles, permissions, properties, values and descriptors:
Service: 0000180a-0000-1000-8000-00805f9b34fb (Handle: 14): Device Information
    Characteristic: 00002a29-0000-1000-8000-00805f9b34fb (Handle: 15) - Properties: ['read']
    Characteristic: 00002a24-0000-1000-8000-00805f9b34fb (Handle: 17) - Properties: ['read']
    Characteristic: 00002a25-0000-1000-8000-00805f9b34fb (Handle: 19) - Properties: ['read']
    Characteristic: 00002a27-0000-1000-8000-00805f9b34fb (Handle: 21) - Properties: ['read']
    Characteristic: 00002a26-0000-1000-8000-00805f9b34fb (Handle: 23) - Properties: ['read']
    Characteristic: 00002a28-0000-1000-8000-00805f9b34fb (Handle: 25) - Properties: ['read']
    Characteristic: 00002a23-0000-1000-8000-00805f9b34fb (Handle: 27) - Properties: ['read']
Service: 0000feee-0000-1000-8000-00805f9b34fb (Handle: 29): Polar Electro Oy
    Characteristic: fb005c51-02e7-f387-1cad-8acd2d8df0c8 (Handle: 30) - Properties: ['write-without-response', 'write', 'notify']
    Characteristic: fb005c52-02e7-f387-1cad-8acd2d8df0c8 (Handle: 33) - Properties: ['notify']
    Characteristic: fb005c53-02e7-f387-1cad-8acd2d8df0c8 (Handle: 36) - Properties: ['write-without-response', 'write']
Service: 0000180d-0000-1000-8000-00805f9b34fb (Handle: 38): Heart Rate
    Characteristic: 00002a37-0000-1000-8000-00805f9b34fb (Handle: 39) - Properties: ['notify']
Service: 0000180f-0000-1000-8000-00805f9b34fb (Handle: 42): Battery Service
    Characteristic: 00002a19-0000-1000-8000-00805f9b34fb (Handle: 43) - Properties: ['read', 'notify']
BLE Operations
Based on a characteristic's properties, these operations can be executed on the target device's characteristics:
- Read = Read the value of a characteristic
- Write = Write data to a characteristic
- Notify = Receive notifications of value changes by subscribing to the characteristic
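The 16-bit service numbers listed under Services and the 128-bit UUIDs in the Polar capture are the same identifiers in two forms: a SIG-assigned number sits in bytes 2-3 of the Bluetooth base UUID. The following added example (not code from the original article or from the Ubertooth write-up) converts between the two forms, parses capture lines in the shape shown above into a service/characteristic tree, and lists the handles a connected peer could write to, which is where a security review of the characteristic properties starts. The regexes, function names and the three sample lines embedded below are this example's own assumptions, built from the captured output on this page.

```python
import re

# Bluetooth SIG base UUID: 0000xxxx-0000-1000-8000-00805f9b34fb, where xxxx is the
# 16-bit assigned number (e.g. 0x180F for the Battery Service).
BLE_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

def to_128bit(short):
    """Expand a 16-bit SIG assigned number to its 128-bit UUID string."""
    return f"0000{short:04x}{BLE_BASE_SUFFIX}"

def to_short(uuid):
    """Return the 16-bit assigned number if the UUID uses the SIG base, else None.
    Vendor UUIDs (such as the Polar ones) do not use the base and return None."""
    u = uuid.lower()
    if u.startswith("0000") and u.endswith(BLE_BASE_SUFFIX):
        return int(u[4:8], 16)
    return None

# Constructed sample (assumed input): three lines copied from the capture above.
SAMPLE_DUMP = """\
Service: 0000180d-0000-1000-8000-00805f9b34fb (Handle: 38): Heart Rate
Characteristic: 00002a37-0000-1000-8000-00805f9b34fb (Handle: 39) - Properties: ['notify']
Service: 0000feee-0000-1000-8000-00805f9b34fb (Handle: 29): Polar Electro Oy
Characteristic: fb005c51-02e7-f387-1cad-8acd2d8df0c8 (Handle: 30) - Properties: ['write-without-response', 'write', 'notify']
Characteristic: fb005c53-02e7-f387-1cad-8acd2d8df0c8 (Handle: 36) - Properties: ['write-without-response', 'write']
"""

SERVICE_RE = re.compile(r"Service: (\S+) \(Handle: (\d+)\): (.*)")
CHAR_RE = re.compile(r"Characteristic: (\S+) \(Handle: (\d+)\) - Properties: \[(.*)\]")

def parse_dump(text):
    """Group each characteristic under the service line that precedes it."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append({"uuid": m[1], "handle": int(m[2]), "name": m[3], "chars": []})
            continue
        m = CHAR_RE.match(line)
        if m and services:
            props = [p.strip(" '") for p in m[3].split(",") if p.strip()]
            services[-1]["chars"].append({"uuid": m[1], "handle": int(m[2]), "props": props})
    return services

def writable_handles(services):
    """Handles whose properties allow a peer to write: the first thing to review."""
    return sorted(c["handle"] for s in services for c in s["chars"]
                  if {"write", "write-without-response"} & set(c["props"]))

if __name__ == "__main__":
    tree = parse_dump(SAMPLE_DUMP)
    for s in tree:
        print(s["name"], "short id:", to_short(s["uuid"]), "chars:", len(s["chars"]))
    print("writable handles:", writable_handles(tree))
```

Read-only characteristics such as the Device Information ones carry no write surface, so the review effort goes to the writable handles (30 and 36 here) and to which pairing or encryption level the device requires before accepting a write.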
Further Context
For further context and practical examples make sure to read:
- Setting Up Ubertooth on macOS for Bluetooth Hacking [1]
Author
Are Maksimović