Sniffing and attacking Bluetooth Low Energy devices has always been a real pain. Proprietary tools do the job but cannot be tuned to fit our offensive needs, while open source tools work sometimes, but are not reliable and efficient. Even the recently released Man-in-the-Middle BLE attack tools have their limits, like their complexity and lack of features to analyze encrypted or short connections. Furthermore, as vendors do not seem inclined to improve the security of their devices by following the best practices, we decided to create a tool to lower the ticket: BtleJack. BtleJack not only provides an affordable and reliable way to sniff and analyze Bluetooth Low Energy devices and their protocol stacks, but also implements a brand new attack dubbed "BtleJacking" that provides a way to take control of any already connected BLE device. We will demonstrate how this attack works on various devices, how to protect them and avoid hijacking and of course release the source code of the tool. Speakers: Damien Cauquil Head of R&D @ Econocom Digital Security Studying Bluetooth Low Energy for 3 years Developer & maintainer of BtleJuice

1. YOU'D BETTER SECURE YOURYOU'D BETTER SECURE YOUR
BLE DEVICES OR WE'LL KICKBLE DEVICES OR WE'LL KICK
YOUR BUTTS !YOUR BUTTS !
| DEF CON 26, Aug. 12th 2018@virtualabs

2. WHO AM I ?WHO AM I ?
 Head of R&D @ Econocom Digital Security
 Studying Bluetooth Low Energy for 3 years
 Developer & maintainer of BtleJuice
 Having fun with Nordic's nRF51822 😉

3. AGENDAAGENDA
BLE sniffing 101
Improving the BLE arsenal
Sniffing BLE connections in 2018
Introducing BtleJack, a flexible sniffing tool
BtleJacking: a brand new attack
How it works
Vulnerable devices & demos
Recommendations

4. BLE SNIFFING 101BLE SNIFFING 101

5. MUCH CHEAP TOOLS,MUCH CHEAP TOOLS,
(NOT) WOW RESULTS(NOT) WOW RESULTS
Sniffing existing/new connections with an
Ubertooth One
Sniffing new connections with an Adafruit's
Bluefruit LE Sniffer
Sniffing BLE packets with gnuradio

6. Sniffs existing and new connections
Does not support channel map
updates
Costs $120
UBERTOOTH ONEUBERTOOTH ONE

7. Up-to-date so ware (Nov. 2017)
Proprietary firmware from Nordic
Semiconductor
Sniffs only new connections
Costs $30 - $40
BLUEFRUIT LE SNIFFERBLUEFRUIT LE SNIFFER

8. Sniffs only BLE advertisements
Unable to follow any
existing/new connection
Latency
Requires 2.4GHz compatible SDR
device
SOFTWARE DEFINED RADIOSOFTWARE DEFINED RADIO

9. BLE SNIFFING 101BLE SNIFFING 101
BLE is designed to make sniffing difficult:
3 separate advertising channels
Uses Frequency Hopping Spread Spectrum
(FHSS)
Master or slave can renegotiate some
parameters at any time
Sniffing BLE connections is either hard or
expensive

10. MAN IN THE MIDDLEMAN IN THE MIDDLE

11. HOW BLE MITM WORKSHOW BLE MITM WORKS
Discover the target device (advertisement data,
services & characteristics)
Connect to this target device, it is not advertising
anymore (connected state)
Advertise the same device, await connections and
forward data

12. BTLEJUICEBTLEJUICE
https://github.com/DigitalSecurity/btlejuice

13. GATTACKERGATTACKER
https://github.com/securing/gattacker

14. Pros:
Get rid of the 3 advertising channels issue
You see every BLE operation performed
You may tamper on-the-fly the data sent or
received

15. Cons:
Complex to setup: 1 VM & 1 Host computer
Only capture HCI events, not BLE Link Layer
Does not support all types of pairing
Only compatible with 4.0 adapters

16. WE ARE DOING IT WRONG !WE ARE DOING IT WRONG !
Ubertooth-btle is outdated and does not work with
recent BLE stacks
Nordic Semiconductor' sniffer is closed source and
does not allow active connection sniffing and may
be discontinued
The MitM approach seems great but too difficult to
use and does not intercept link-layer packets

17. IMPROVINGIMPROVING
THE BLE ARSENALTHE BLE ARSENAL

18. THE IDEAL TOOLTHE IDEAL TOOL
Able to sniff existing and new connections
Uses cheap hardware
Open-source

19. SNIFFING ACTIVE CONNECTIONSSNIFFING ACTIVE CONNECTIONS

20. MIKE RYAN'S TECHNIQUEMIKE RYAN'S TECHNIQUE
1. Identify Access Address (32 bits)
2. Recover the CRCInit value used to compute CRC
3. hopInterval = time between two packets / 37
4. hopIncrement = LUT[time between channel 0 & 1]

21. MIKE'S ASSUMPTION (2013)MIKE'S ASSUMPTION (2013)
All 37 data channels are used

22. DATA CHANNELS IN 2018DATA CHANNELS IN 2018
Not all channels are used to improve reliability
Some channels are remapped to keep a 37 channels
hopping sequence
0, 4, 8, 12, 16, 20, 24, 0, 4, 8, 3, 7, 11, 15, 19, 23, 27, 3, 7,
2, 6, 10, 14, 18, 22, 26, 2, 6, 1, 5, 9, 13, 17, 21, 25, 1, 5
Mike's technique does not work anymore !

23. HOW TO DEDUCE CHANNEL MAP ANDHOW TO DEDUCE CHANNEL MAP AND
HOP INTERVALHOP INTERVAL
Channel map
Listen for packets on every possible channels
May take until 4 x 37 seconds to determine !
Hop interval
Find a unique channel
Measure time between 2 packets and divide by 37

24. DEDUCE HOP INCREMENTDEDUCE HOP INCREMENT
Pick 2 unique channels
Generate a lookup table
Measure time between two packets on these
channels
Determine increment value
More details in PoC||GTFO 0x17

25. SNIFFING NEW CONNECTIONSSNIFFING NEW CONNECTIONS

26. CONNECT_REQ PDUCONNECT_REQ PDU
Every needed information are in this packet
Sniffer must listen on the correct channel

27. "INSTANT" MATTERS"INSTANT" MATTERS
Defines when a parameter update is effective
Used for:
Channel map updates
Hop interval updates

28. WE DON'T CARE AT ALLWE DON'T CARE AT ALL

29. WE DON'T CARE AT ALLWE DON'T CARE AT ALL

30. WE DON'T CARE AT ALLWE DON'T CARE AT ALL

31. WE DON'T CARE AT ALLWE DON'T CARE AT ALL

32. WE DON'T CARE AT ALLWE DON'T CARE AT ALL

33. MULTIPLE SNIFFERS FOR THE ULTIMATEMULTIPLE SNIFFERS FOR THE ULTIMATE
SNIFFING TOOLSNIFFING TOOL

34. A BRAND NEW TOOL ...A BRAND NEW TOOL ...

35. ... BASED ON A MICRO:BIT... BASED ON A MICRO:BIT
$15$15

36. BTLEJUICEBTLEJUICE

37. BTLEBTLEJUICEJUICEJACKJACK

38. NO LIVE DEMO, I KNOW YOU.NO LIVE DEMO, I KNOW YOU.

39. SNIFFING A NEW CONNECTIONSNIFFING A NEW CONNECTION

40. SNIFFING AN EXISTING CONNECTIONSNIFFING AN EXISTING CONNECTION

41. PCAP EXPORTPCAP EXPORT
Supports Nordic and legacy BTLE formats

42. BTLEJACKINGBTLEJACKING
A NEW ATTACK ON BLEA NEW ATTACK ON BLE

43. SUPERVISION TIMEOUTSUPERVISION TIMEOUT
Defined in CONNECT_REQ PDU
Defines the time a er which a connection is
considered lost if no valid packets
Enforced by both Central and Peripheral devices

45. SUPERVISION TIMEOUT VS. JAMMINGSUPERVISION TIMEOUT VS. JAMMING

46. SUPERVISION TIMEOUT VS. JAMMINGSUPERVISION TIMEOUT VS. JAMMING

47. SUPERVISION TIMEOUT VS. JAMMINGSUPERVISION TIMEOUT VS. JAMMING

48. SUPERVISION TIMEOUT VS. JAMMINGSUPERVISION TIMEOUT VS. JAMMING

49. SUPERVISION TIMEOUT VS. JAMMINGSUPERVISION TIMEOUT VS. JAMMING

50. SUPERVISION TIMEOUT VS. JAMMINGSUPERVISION TIMEOUT VS. JAMMING

51. SUPERVISION TIMEOUT VS. JAMMINGSUPERVISION TIMEOUT VS. JAMMING

52. JAMMING FTWJAMMING FTW

53. BTLEJACKINGBTLEJACKING
Abuse BLE supervision timeout to take over a
connection
BLE versions 4.0, 4.1, 4.2 and 5 are vulnerable
Requires proximity (about 5 meters away from
target)

54. EXAMPLE OF VULNERABLE DEVICESEXAMPLE OF VULNERABLE DEVICES

57. SEXTOYS TOO !SEXTOYS TOO !

59. https://fr.lovense.com/sex-toy-blog/lovense-hack

62. IMPACTIMPACT
Unauthorized access to a device, even if it is already
connected
Bypass authentication, if authentication is
performed at the start of connection
Keep the device internal state intact: this may leak
valuable information

63. COUNTER-MEASURESCOUNTER-MEASURES
Use BLE Secure Connections (see specifications)
At least authenticate data at application layer

64. BTLEJACKBTLEJACK
https://github.com/virtualabs/btlejack

65. FEATURESFEATURES
Already established BLE connection sniffing
New BLE connection sniffing
Selective BLE jamming
BLE connection take-over (btlejacking)
PCAP export to view dumps in Wireshark
Multiple sniffers support

66. CONCLUSIONCONCLUSION
Btlejack is an all-in-one solution for BLE sniffing,
jamming and hijacking
BLE hijacking works on all versions
Insecured BLE connections are prone to sniffing and
hijacking
It might get worse with further versions of BLE
(greater range)
Secure your BLE connections FFS (really, do it)

67. CONTACTCONTACT
THANKS ! QUESTIONS ?THANKS ! QUESTIONS ?
@virtualabs
damien.cauquil@digital.security

68. WHY DIDN'T YOU IMPROVEWHY DIDN'T YOU IMPROVE
UBERTOOTH-BTLEUBERTOOTH-BTLE CODE ?CODE ?
I am a lot more familiar with nRF51 SoCs than LPC
microcontrollers
Buying 3 Ubertooth devices ($360) is not cheap

69. HOW DID YOU MAKE YOUR CLUSTER ?HOW DID YOU MAKE YOUR CLUSTER ?
From a modified ClusterHat v2 ($30)
https://shop.pimoroni.com/products/cluster-hat