Difference between revisions of "Bluetooth LE hacking"
Revision as of 15:57, 30 November 2021
Summary
This page describes the basic steps of how a BLE device can be attacked.
Requirements
- Operating system: Ubuntu 18.04
- Elvis lab IoT devices
In order to complete these steps, you must have followed before.
Description
First install Ubertooth One and all required libraries. Full documentation is available at: https://ubertooth.readthedocs.io/en/latest/build_guide.html
NEVER OPERATE YOUR UBERTOOTH WITHOUT ATTACHED ANTENNA!!
Check that the Ubertooth One is recognized:
lsusb
Bus 001 Device 003: ID 1d50:6002 OpenMoko, Inc. Ubertooth One
sudo apt-get install -y ubertooth cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config python3-numpy python3-qtpy
Install libbtbb
wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
Install Ubertooth Tools
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
Ubertooth One Firmware update
cd firmware
sudo apt-get install -y gcc-arm-none-eabi
make clean all
make
cd bluetooth_rxtx
ubertooth-dfu -d bluetooth_rxtx.dfu -r
To show the firmware version, use the command
ubertooth-util -v
Firmware version: git-7b656c1 (API:1.07)
Wireshark sniffing
The Ubertooth One device is used for sniffing the Bluetooth packets and Wireshark displays them.
mkfifo /tmp/pipe
sudo wireshark -k -i /tmp/pipe &
sudo ubertooth-btle -f -c /tmp/pipe
Bettercap sniffing
Installing bettercap on Ubuntu:
sudo -s
wget https://golang.org/dl/go1.17.3.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.17.3.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
export GOPATH=~/go/bin
go version
sudo apt install -y git build-essential \
    libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
go get -u github.com/bettercap/bettercap
cd ~/go/bin/src/github.com/bettercap/bettercap
make
sudo make install
Now run bettercap and search for Bluetooth devices.
sudo bettercap
ble.recon.on
For more details on a specific device, use the enum command. In this case I used the MAC address of the smart bulb.
ble.enum 6a:9b:4b:1b:ac:e6
To find out what characteristics the smartphone sends to the smart bulb to change the light colour, I used a MITM attack.
MITM attack
To find out which GATT messages are exchanged between a BLE device and a smartphone, I used a MITM attack. For this the tool btlejuice was used.
Create two virtual machines with Ubuntu 18.04 and make sure that a Bluetooth adapter is available on both machines. Make sure that the machines can reach each other over the network. It is also recommended to turn off the firewall.
sudo apt-get install -y nodejs npm bluetooth bluez libbluetooth-dev libudev-dev
sudo npm install -g btlejuice
sudo service ufw stop
sudo ufw disable
One machine acts as proxy. On this machine enter the command:
sudo btlejuice-proxy
The second machine is the core unit and there you enter:
sudo btlejuice -u <ip proxy> -w
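As an added example that is not part of this wiki page or of the btlejuice project, the following Python decoder takes the raw ATT PDUs that the sniffer or the proxy shows and splits them into opcode, attribute handle and value, so that a write from the smartphone to a characteristic of the bulb can be recognised in the captured exchange. The sample PDUs and the handle numbers are constructed, not captured from the lab device.

```python
# Added example (not from the wiki page): decode ATT PDUs (Bluetooth Core
# spec, vol. 3 part F) as they appear in a GATT exchange between a phone
# and a BLE peripheral. The sample bytes below are constructed.
import struct

ATT_OPCODES = {
    0x01: "Error Response",
    0x0A: "Read Request",
    0x0B: "Read Response",
    0x12: "Write Request",
    0x13: "Write Response",
    0x52: "Write Command",
    0x1B: "Handle Value Notification",
    0x1D: "Handle Value Indication",
}


def decode_att_pdu(pdu: bytes) -> dict:
    """Return the fields of one ATT PDU; multi-byte fields are little-endian."""
    if not pdu:
        raise ValueError("empty PDU")
    opcode = pdu[0]
    out = {
        "opcode": opcode,
        "name": ATT_OPCODES.get(opcode, f"Unknown(0x{opcode:02x})"),
        "command": bool(opcode & 0x40),   # bit 6: no response expected
        "signed": bool(opcode & 0x80),    # bit 7: authentication signature appended
    }
    try:
        if opcode == 0x01:   # Error Response: request opcode, handle, error code
            req, handle, err = struct.unpack_from("<BHB", pdu, 1)
            out.update(request_opcode=req, handle=handle, error_code=err)
        elif opcode == 0x0A:  # Read Request carries only the handle
            out["handle"] = struct.unpack_from("<H", pdu, 1)[0]
        elif opcode in (0x12, 0x52, 0x1B, 0x1D):  # handle followed by value
            out["handle"] = struct.unpack_from("<H", pdu, 1)[0]
            out["value"] = pdu[3:].hex()
        elif opcode == 0x0B:  # Read Response carries only the value
            out["value"] = pdu[1:].hex()
    except struct.error as exc:
        raise ValueError(f"truncated PDU: {pdu.hex()}") from exc
    return out


def describe(pdu: bytes) -> str:
    """One-line summary, e.g. 'Write Command handle=0x000e value=ff0000'."""
    d = decode_att_pdu(pdu)
    parts = [d["name"]]
    if "handle" in d:
        parts.append(f"handle=0x{d['handle']:04x}")
    if "value" in d:
        parts.append(f"value={d['value']}")
    if "error_code" in d:
        parts.append(f"error=0x{d['error_code']:02x}")
    return " ".join(parts)
```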
Gatttool
Used Hardware
All hardware is used from the Elvis Lab.
- Ubertooth One