You'd better secure your BLE devices or we'll kick your butts !


@virtualabs | DEFCON 26

Who am I ?


  •   Head of R&D @ Econocom Digital Security

  •   Studying Bluetooth Low Energy for 3 years

  •   Developer & maintainer of BtleJuice

  •   Having fun with Nordic's nRF51822 😉

Agenda

  • BLE sniffing 101
  • Improving the BLE arsenal
    • Sniffing BLE connections in 2018
    • Introducing BtleJack, a flexible sniffing tool
  • BtleJacking: a brand new attack
    • How it works
    • Vulnerable devices & demos
  • Recommendations

BLE sniffing 101

Much cheap tools,
(not) wow results


  • Sniffing existing/new connections with an Ubertooth One

  • Sniffing new connections with an Adafruit's Bluefruit LE Sniffer

  • Sniffing BLE packets with gnuradio

Ubertooth One


  • Sniffs existing and new connections

  • Does not support channel map updates

  • Costs $120

Bluefruit LE Sniffer


  • Up-to-date software (Nov. 2017)

  • Proprietary firmware from Nordic Semiconductor

  • Sniffs only new connections

  • Costs $30 - $40

Software Defined Radio


  • Sniffs only BLE advertisements

  • Unable to follow any existing/new connection

  • Latency

  • Requires 2.4GHz compatible SDR device

BLE sniffing 101


  • BLE is designed to make sniffing difficult:
    • 3 separate advertising channels
    • Uses Frequency Hopping Spread Spectrum (FHSS)
    • Master or slave can renegotiate some parameters at any time
  • Sniffing BLE connections is either hard or expensive

Man in the Middle

How BLE MitM works


  • Discover the target device (advertisement data, services & characteristics)

  • Connect to this target device, it is not advertising anymore (connected state)

  • Advertise the same device, await connections and forward data

Btlejuice

https://github.com/DigitalSecurity/btlejuice

GATTacker

https://github.com/securing/gattacker
  • Pros:
    • Get rid of the 3 advertising channels issue
    • You see every BLE operation performed
    • You may tamper on-the-fly the data sent or received
  • Cons:
    • Complex to setup: 1 VM & 1 Host computer
    • Only capture HCI events, not BLE Link Layer
    • Does not support all types of pairing
    • Only compatible with 4.0 adapters

We are doing it wrong !


  • Ubertooth-btle is outdated and does not work with recent BLE stacks
  • Nordic Semiconductor' sniffer is closed source and does not allow active connection sniffing and may be discontinued
  • The MitM approach seems great but too difficult to use and does not intercept link-layer packets

Let's build our own !

The ideal tool


  • Able to sniff existing and new connections

  • Uses cheap hardware

  • Open-source

Improving Mike Ryan' sniffing technique


(or how to sniff active
BLE connections in 2018)

Mike's technique

  1. Identify Access Address (32 bits)
  2. Recover the CRCInit value used to compute packets CRC
  3. Recover hop interval (time spent on each channel)
  4. Recover hop increment (channel hopping increment)

Mike's assumption (2013)


All 37 data channels are used

Data channels in 2018

  • Not all channels are used to improve reliability
  • Some channels are remapped to keep a 37 channels hopping sequence


0, 4, 8, 12, 16, 20, 24, 0, 4, 8, 3, 7, 11, 15, 19, 23, 27, 3, 7, 2, 6, 10, 14, 18, 22, 26, 2, 6, 1, 5, 9, 13, 17, 21, 25, 1, 5

Mike's technique does not work anymore !

How to deduce channel map and hop interval

  • Channel map
    • Listen for packets on every possible channels
    • May take until 4 x 37 seconds to determine !

  • Hop interval
    • Find a unique channel
    • Measure time between 2 packets and divide by 37

Deduce hop increment


  • Pick 2 unique channels
  • Generate a lookup table
  • Measure time between two packets on these channels
  • Determine increment value


More details in PoC||GTFO 0x17

"Instant" matters


  • Defines when a parameter update is effective

  • Used for:
    • Channel map updates
    • Hop interval updates

We don't care at all


We don't care at all


We don't care at all


We don't care at all


We don't care at all


Multiple sniffers for the ultimate sniffing tool


A brand new tool ...

... Based on a Micro:Bit

BtleJuice


BtleJuiceJack


No live demo :(


Sniffing a new connection

Sniffing an existing connection

BtleJacking

a new attack on BLE

Selective precise jamming


Supervision timeout


  • Defined in CONNECT_REQ PDU

  • Defines the time after which a connection is considered lost if no valid packets

  • Enforced by both Central and Peripheral devices

Jamming FTW

Supervision timeout vs. jamming


Supervision timeout vs. jamming


Supervision timeout vs. jamming


Supervision timeout vs. jamming


Supervision timeout vs. jamming


Supervision timeout vs. jamming


Supervision timeout vs. jamming


Btlejacking


  • Abuse BLE supervision timeout to take over a connection

  • Works with BLE v4.x and v5, if using legacy CSA and 1 Mbps

  • Requires proximity (2 to 10 meters from target)

Example of a vulnerable device

https://fr.lovense.com/sex-toy-blog/lovense-hack

Counter-measures


  • Use BLE Secure Connections (to avoid injection)
  • Authenticate data at application layer (detection)
  • Use BLE version 5 with CSA #2

BtleJack


https://github.com/virtualabs/btlejack

Features


  • Already established BLE connection sniffing
  • New BLE connection sniffing
  • Selective BLE jamming
  • BLE connection take-over (btlejacking)
  • PCAP export to view dumps in Wireshark
  • Multiple sniffers support

Conclusion


  • BLE hijacking is possible and should be considered
  • It might get worse with further versions of BLE
  • Secure your BLE connections !

Questions ?




Contact
@virtualabs
damien.cauquil@digital.security