Difference between revisions of "Bluetooth LE hacking"

From Embedded Lab Vienna for IoT & Security
Revision as of 15:57, 30 November 2021

Summary

This page describes the basic steps of how a BLE device can be attacked.

Requirements

  • Operating system: Ubuntu 18.04
  • Elvis lab IoT devices

In order to complete these steps, you must have followed before.

Description

First install the Ubertooth One tools and all required libraries. Full documentation is available at: https://ubertooth.readthedocs.io/en/latest/build_guide.html

NEVER OPERATE YOUR UBERTOOTH WITHOUT ATTACHED ANTENNA!!

Check if Ubertooth one is recognized:

lsusb

Bus 001 Device 003: ID 1d50:6002 OpenMoko, Inc. Ubertooth One

sudo apt-get install -y ubertooth cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config python3-numpy python3-qtpy

Install libbtbb

wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

Install Ubertooth Tools

wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

Ubertooth One Firmware update

cd firmware
sudo apt-get install -y gcc-arm-none-eabi
make clean all
make
cd bluetooth_rxtx
ubertooth-dfu -d bluetooth_rxtx.dfu -r

To show the installed firmware version, use the command:

ubertooth-util -v

Firmware version: git-7b656c1 (API:1.07)

Wireshark sniffing

The Ubertooth One captures the Bluetooth packets and Wireshark displays them, connected through a named pipe.

mkfifo /tmp/pipe
sudo wireshark -k -i /tmp/pipe &
sudo ubertooth-btle -f -c /tmp/pipe
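The following script is an added example and not part of the wiki page or the Ubertooth project. It wraps the three manual steps above (the lsusb check, the firmware version check and the Wireshark pipe capture) in a single script with a few sanity checks a practitioner would want: it refuses to start the capture when no Ubertooth One is on the USB bus, extracts the firmware tag and API level from `ubertooth-util -v`, and removes the fifo and stops Wireshark on exit. The USB ID 1d50:6002 and the "Firmware version:" line format are taken from the page output above; the selftest strings are those same lines embedded as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-flight checks for the
# Ubertooth One plus a wrapper around the Wireshark fifo capture.
# Assumed: USB ID 1d50:6002 and the "Firmware version: <tag> (API:<n>)"
# line format as shown on the page.

# Return 0 if the given lsusb output contains an Ubertooth One.
# Usage: ubertooth_present "$(lsusb)"
ubertooth_present() {
    printf '%s\n' "$1" | grep -q 'ID 1d50:6002'
}

# Print the firmware tag (e.g. git-7b656c1) from "ubertooth-util -v" output.
firmware_tag() {
    printf '%s\n' "$1" | sed -n 's/^Firmware version: \([^ ]*\).*/\1/p'
}

# Print the host API level (e.g. 1.07) from the same output.
firmware_api() {
    printf '%s\n' "$1" | sed -n 's/.*(API:\([0-9.]*\)).*/\1/p'
}

# Run the page's capture pipeline: Wireshark reads the fifo, ubertooth-btle
# writes to it. Fifo and Wireshark are cleaned up on exit. Needs root.
start_capture() {
    pipe=${1:-/tmp/pipe}
    [ -p "$pipe" ] || mkfifo "$pipe"
    wireshark -k -i "$pipe" &
    ws_pid=$!
    trap 'kill "$ws_pid" 2>/dev/null; rm -f "$pipe"' EXIT INT TERM
    ubertooth-btle -f -c "$pipe"
}

# Constructed sample input (copied from the page's example output) for "selftest".
SAMPLE_LSUSB='Bus 001 Device 003: ID 1d50:6002 OpenMoko, Inc. Ubertooth One'
SAMPLE_UTIL='Firmware version: git-7b656c1 (API:1.07)'

case "${1:-}" in
    selftest)
        ubertooth_present "$SAMPLE_LSUSB" && \
        echo "sample: firmware $(firmware_tag "$SAMPLE_UTIL") API $(firmware_api "$SAMPLE_UTIL")" ;;
    check)
        if ubertooth_present "$(lsusb)"; then
            out=$(ubertooth-util -v)
            echo "Ubertooth One found, firmware $(firmware_tag "$out") API $(firmware_api "$out")"
        else
            echo "No Ubertooth One on the USB bus (1d50:6002)" >&2
            exit 1
        fi ;;
    capture)
        ubertooth_present "$(lsusb)" || { echo "Ubertooth One not found, refusing to capture" >&2; exit 1; }
        start_capture "${2:-/tmp/pipe}" ;;
esac
```

Run `sh ble_capture.sh check` to verify the device and firmware, and `sudo sh ble_capture.sh capture` (optionally with a different fifo path) to start the capture; `selftest` exercises the parsers against the page's sample lines without any hardware attached.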

Bettercap sniffing

Installing bettercap on Ubuntu:

sudo -s
wget https://golang.org/dl/go1.17.3.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.17.3.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
export GOPATH=~/go/bin
go version
sudo apt install -y git build-essential \
libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
go get -u github.com/bettercap/bettercap
cd ~/go/bin/src/github.com/bettercap/bettercap
make
sudo make install

Now run bettercap and search for Bluetooth devices.

sudo bettercap
ble.recon.on

For more details on a specific device use the enum command. In this case I used the MAC address of the smart bulb.

ble.enum 6a:9b:4b:1b:ac:e6

To find out what characteristics the smartphone sends to the smart bulb to change the light colour, I used a MITM attack.

MITM attack

To find out what GATT messages between a BLE device and a smartphone are being exchanged, I used a MITM attack. For this the tool btlejuice was used.

Create 2 virtual machines with Ubuntu 18.04 and make sure that a Bluetooth adapter is available on both machines. Make sure that the machines can reach each other over the network. It is also recommended to turn off the firewall.

sudo apt-get install -y nodejs npm bluetooth bluez libbluetooth-dev libudev-dev
sudo npm install -g btlejuice
sudo service ufw stop
sudo ufw disable

One machine acts as the proxy. On this machine enter the command:

sudo btlejuice-proxy

The second machine runs the core; there you enter:

sudo btlejuice -u <ip proxy> -w
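The following launcher is an added example, not code from the wiki page or the btlejuice project. It wraps the two commands above in a single script with a `proxy` and a `core` role and checks, before starting btlejuice, the two preconditions the page states: that a Bluetooth adapter is visible to bluez on the machine, and that the core can reach the proxy over the network. The proxy IP is validated as a dotted IPv4 address. The `hciconfig` output format (`hciN:` at the start of a line) is an assumption; the reachability check uses a single ping.

```shell
#!/bin/sh
# Added example (not from the wiki page or btlejuice): launcher for the
# two-machine btlejuice setup with pre-checks. Assumed: "hciconfig" lists
# each controller on a line starting with "hciN:".

# Return 0 if the argument is a syntactically valid IPv4 address.
valid_ipv4() {
    ip=$1
    # exactly four dotted decimal groups
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # every octet within 0..255
    for octet in $(printf '%s\n' "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the first controller name (hciN) found in hciconfig output, if any.
# Usage: first_adapter "$(hciconfig)"
first_adapter() {
    printf '%s\n' "$1" | sed -n 's/^\(hci[0-9][0-9]*\):.*/\1/p' | head -n 1
}

# Abort unless bluez sees at least one adapter on this machine.
adapter_required() {
    adapter=$(first_adapter "$(hciconfig 2>/dev/null)")
    if [ -z "$adapter" ]; then
        echo "no Bluetooth adapter visible to bluez (hciconfig)" >&2
        exit 1
    fi
    echo "using adapter $adapter"
}

case "${1:-}" in
    proxy)
        adapter_required
        exec btlejuice-proxy ;;
    core)
        proxy_ip=${2:-}
        valid_ipv4 "$proxy_ip" || { echo "usage: $0 core <proxy-ipv4>" >&2; exit 2; }
        adapter_required
        # the page disables ufw on both machines; confirm the proxy answers at all
        ping -c 1 -W 2 "$proxy_ip" >/dev/null || { echo "proxy $proxy_ip unreachable" >&2; exit 1; }
        exec btlejuice -u "$proxy_ip" -w ;;
    "") ;;
    *)
        echo "usage: $0 proxy | core <proxy-ipv4>" >&2
        exit 2 ;;
esac
```

On the proxy machine run `sudo sh btlejuice_launch.sh proxy`; on the core machine run `sudo sh btlejuice_launch.sh core <proxy-ipv4>`. Both roles stop early with a clear message when no adapter is present, which is the most common reason the setup silently fails in a VM without USB passthrough.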

Gatttool

Used Hardware

All hardware used is from the Elvis Lab.

  • Ubertooth One

Courses

References