Difference between revisions of "BLE-Berry Project"
Line 36: | Line 36: | ||
==== Radio Jamming ==== | ==== Radio Jamming ==== | ||
Radio jamming aims to perform a Denial of Service (DoS) by disrupting sent data with interfering signals. Radio jamming can be performed on all channels at the same time (called full band jamming) or selective on a single channel. Furthermore, can be differentiated into persistent and reactive jamming. Persistent full band jamming can be detected easily because it interferes with all sent messages. Selective reactive jamming on the other hand is hard to detect because it only jams specific messages. | |||
==== Spoofing ==== | ==== Spoofing ==== |
Revision as of 19:26, 2 October 2023
Summary
This Project is the result of a master’s thesis that created a Threat Model of the Bluetooth Low Energy (BLE) Standard and developing a tool called BLE Berry to enable easier BLE Development and to perform basic pentesting operations.
Threat Model
The Threat Model was performed by analyzing the BLE portion of the BLE Standard and gathering further information's from numerous white papers and scientific papers. The gathered Threats and Vulnerabilities got mapped to the Layer/Protocol they are performed on, as shown in the figure below.
Some of the Threats have use other Threats as an entry vector, e.g., a machine-in-the-middle attack relies on address spoofing and can benefit from Radio Jamming. The dependencies of the Threat is shown in the figure below.
The STRIDE method was used to categorize the discovered Threats, as shown in the following table. STRIDE separates the Threats in the following six categories:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of Service
- Elevation of Privilege
Threat Vectors
Sniffing / Eavesdropping
Sniffing or eavesdropping is performed with BLE by scanning the Radio for messages. This results in an information disclosure, but can be countered if encryption is used to provide confidentiality. The BLE standard itself provides AES-CCM encryption with message authentication by a key created with the usage of P256 ECDH. The commercial market provides some affordable USB Sniffing Accessories, which output pacap files that can be analyzed with wireshark:
Radio Jamming
Radio jamming aims to perform a Denial of Service (DoS) by disrupting sent data with interfering signals. Radio jamming can be performed on all channels at the same time (called full band jamming) or selective on a single channel. Furthermore, can be differentiated into persistent and reactive jamming. Persistent full band jamming can be detected easily because it interferes with all sent messages. Selective reactive jamming on the other hand is hard to detect because it only jams specific messages.
Spoofing
IRK Stealing
Battery Draining Attacks
DoS due to Spoofed Connection
Fuzzing
Downgrade Attacks
Bruteforcing Legacy Pairing Encryption Key
DoS due to Key replacement
Machine in the Middle
Step 2
Make sure to read
- War and Peace
- Lord of the Rings
- The Baroque Cycle
Used Hardware
Device to be used with this documentation Maybe another device to be used with this documentation
Courses
- A course where this documentation was used (2017, 2018)
- Another one (2018)