Bluetooth LE hacking
Summary
This page describes the basic steps of how a BLE device can be attacked.
Requirements
- Operating system: Ubuntu 21.10, Ubuntu 18.04
- Elvis lab IoT devices
In order to complete these steps, you must have followed before.
Description
First install the Ubertooth One and the required libraries. Full documentation is available at: https://ubertooth.readthedocs.io/en/latest/build_guide.html
Check that the Ubertooth One is recognized:
lsusb
Bus 001 Device 003: ID 1d50:6002 OpenMoko, Inc. Ubertooth One
sudo apt-get install -y ubertooth cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config python3-numpy python3-qtpy
Install libbtbb
wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
Install Ubertooth Tools
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
Ubertooth One Firmware update
cd firmware
sudo apt-get install -y gcc-arm-none-eabi
make clean all
make
cd bluetooth_rxtx
ubertooth-dfu -d bluetooth_rxtx.dfu -r
To show the firmware version, use the command:
ubertooth-util -v
Firmware version: git-7b656c1 (API:1.07)
Wireshark sniffing
The Ubertooth One captures the Bluetooth packets and Wireshark displays them. Create a named pipe with mkfifo, start Wireshark reading from it, then feed it from ubertooth-btle:
mkfifo /tmp/pipe
sudo wireshark -k -i /tmp/pipe &
sudo ubertooth-btle -f -c /tmp/pipe
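An added helper script for the sniffing setup above (example code, not from the original lab notes or the Ubertooth project): it checks that the Ubertooth One is on the USB bus, extracts the firmware API number, creates the named pipe safely (refusing a path that exists but is not a FIFO), and then runs the page's Wireshark and ubertooth-btle pair. The USB ID 1d50:6002 and the "Firmware version: ... (API:x.yy)" line format are taken from the output shown on this page.

```shell
#!/bin/sh
# Added example for these lab notes (not from the original page or the Ubertooth project):
# pre-flight checks for the sniffing setup, then the page's Wireshark + ubertooth-btle pair.
# Assumed from the page: the lsusb ID 1d50:6002 and the "Firmware version: ... (API:x.yy)" line.

UBERTOOTH_USB_ID="1d50:6002"

# ubertooth_present LSUSB_OUTPUT: succeeds if an Ubertooth One line is present.
ubertooth_present() {
    printf '%s\n' "$1" | grep -q "ID ${UBERTOOTH_USB_ID}"
}

# firmware_api LINE: prints the API number from "Firmware version: git-7b656c1 (API:1.07)".
firmware_api() {
    printf '%s\n' "$1" | sed -n 's/.*(API:\([0-9.]*\)).*/\1/p'
}

# ensure_fifo PATH: creates the named pipe (mkfifo, not "mkpipe") if missing;
# refuses to reuse a path that exists but is not a FIFO, since Wireshark would
# then read a stale regular file instead of the live capture.
ensure_fifo() {
    p="$1"
    if [ -e "$p" ] && [ ! -p "$p" ]; then
        echo "error: $p exists but is not a FIFO" >&2
        return 1
    fi
    [ -p "$p" ] || mkfifo "$p"
}

# sniff [PIPE]: the page's capture pair, with the pipe removed when the capture ends.
sniff() {
    p="${1:-/tmp/pipe}"
    ensure_fifo "$p" || return 1
    trap 'rm -f "$p"' EXIT
    sudo wireshark -k -i "$p" &
    sudo ubertooth-btle -f -c "$p"
}

# main: run the checks, report the firmware API, then start capturing.
main() {
    ubertooth_present "$(lsusb)" || { echo "Ubertooth One not found on USB" >&2; return 1; }
    api=$(firmware_api "$(ubertooth-util -v 2>/dev/null)")
    echo "Ubertooth firmware API: ${api:-unknown}"
    sniff /tmp/pipe
}

# Call "main" after sourcing this file to run the pre-flight checks and start sniffing.
```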
MITM attack
To find out what GATT messages between a BLE device and a smartphone are being exchanged, I used a MITM attack. For this the tool btlejuice was used.
Create 2 virtual machines with Ubuntu 18.04 and make sure that a Bluetooth adapter is available on both machines. Make sure that the machines can reach each other over the network. It is also recommended to turn off the firewall:
sudo service ufw stop
sudo ufw disable
One machine acts as the proxy. On this machine enter the command:
sudo btlejuice-proxy
The second machine is the core unit and there you enter:
sudo btlejuice -u <ip proxy> -w
Gatttool
Used Hardware
All hardware is used from the Elvis Lab.
- Ubertooth One