Hey everyone, good morning. I know it's Saturday, so I really appreciate you all being here. I can't tell you what a pleasure it is to be here. If you're here, that means you want to learn more about what it is that you're hacking, and hopefully I get to answer some of your questions at the end of this session. But before that I want to ask something: how is FOSSASIA going for you? For me it's the first time at FOSSASIA and the first time in Singapore, and I'm really enjoying it. So I hope you're having a good time here as well.

So let's get started. A quick introduction about me. My name is Yogesh and I'm from Nepal. I work as a cybersecurity analyst at TCS Cybersecurity in India, and I spend a lot of time working on IoT and mobile application security. Apart from that, I love to build and play with robots, and I break them very often. Today I'm here to talk about Bluetooth Low Energy exploitation and how to hack these devices.

A quick overview of what I'm going to speak about today and what you can expect from this talk. I'll give a very basic overview of what exactly Bluetooth is and what the difference is between Bluetooth Classic and Bluetooth Low Energy. I'm going to talk about the BLE stack, what exactly makes up BLE. After that I'm going to talk about how exactly you do a Bluetooth man-in-the-middle attack and how you sniff BLE packets, and the tools and hardware for sniffing them. After that I'm going to talk a little bit about reverse engineering the mobile application for these fitness trackers, or any other smart application, like a Bluetooth lock or anything else. And at the end I'm going to talk about how exactly uploading firmware over the air to a smart device like your fitness tracker works.

So let's get started. First things first, let's talk about Bluetooth. Trust me, it has got nothing to do with teeth.
It's a wireless technology standard for exchanging data over short distances. Bluetooth is a wireless communication protocol that allows devices such as your smartphone, your headset or your fitness tracker to transmit data wirelessly. It was developed somewhere around 1994 at Ericsson; the standard was developed by Ericsson as a replacement for cables. It uses the 2.4 GHz band and creates a roughly 10 meter radius called a piconet. And it has continuous data transmission, and you know continuous data transmission means a lot of power use. So for many years these Bluetooth devices suffered from lame battery life, just because of continuous data transmission and high power use.

Until a few years ago, when Bluetooth 4.0, Bluetooth Smart, came onto the scene. It's basically the power-efficient version of Bluetooth, and it has made many amazing devices possible: your fitness tracker, your coffee maker, your bulbs, your medical devices. There are a lot of devices out there; you name it, it's out there. This version, Bluetooth Smart, is simply called Bluetooth Low Energy, and it's designed to be power efficient and low cost. That's the reason why you can find BLE devices for as low as 7 to 8 dollars. But yes, BLE is an awesome technology. It enables us to connect everything that we thought 10 years back would be crazy to do. Like, 10 years back it would have been crazy to think of connecting your shoes to a mobile application, but thanks to BLE, smart shoes are out there in the wild right now. And if you look at the applications, it's everywhere: your medical devices, your smart home appliances, everywhere.

But before we move on, let me draw a clear distinction between what we generally call Bluetooth Classic and Bluetooth Low Energy. Bluetooth Classic is designed for products that require continuous streaming of data.
Like your headset, or a smart speaker that has to do continuous streaming of your music, or anything like that. Because it has continuous data transmission, it has higher power consumption. On the other hand, we have Bluetooth Low Energy, known as BLE or Bluetooth 4.0. This is great for a product that does not require continuous streaming of data and maybe just sends on or off to a smart bulb, or sends your heart rate data to your mobile application. The main advantage of BLE over Classic is the ultra-low power consumption, since it's designed to operate in sleep mode and wake up only when a connection is initiated, like only when the light is switched on or off; you understand, it's stateful. So this is useful for those applications. Not only fitness trackers, but many of your IoT and smart devices are now BLE, just because it is easy to implement and low cost.

But that said, it is not perfect; it has some flaws. Almost all the time, it's discoverable. It's like, "Hey, I'm here, you send me anything and I'm going to spit out the information to you." Also, almost all the time, it works on the same frequency and the same channel. And almost any time, it allows any device to connect to it. On top of that, most hardware manufacturers do not take advantage of link-layer encryption. There are a few devices out there, like smartwatches, which implement link-layer encryption. But at the end of the day, you can sniff the packets, but then they would be encrypted. You can decrypt it anyway.

Now let's go back to the fitness tracker I talked about earlier. I decided to focus on the fitness tracker just because I saw many people using one, and I thought, why not hack it? So I decided to get myself a fitness tracker, not to stay fit, but to hack it. But before we move on, we need to understand a few terms that I'm going to use,
that you need to understand in the BLE stack. If you look here carefully, there are two things: the Generic Attribute Profile and the Generic Access Profile. These are the two things that I'm going to use very often. So let's see what exactly these are. Let's first talk about the Generic Attribute Profile, simply called GATT. GATT defines the way these BLE devices communicate with each other, with something called services and characteristics. Remember these terms, services and characteristics; I'm going to use them very often. It makes use of the Attribute Protocol, called ATT, which in turn is used to expose the services and characteristics. The most important thing to keep in mind is that GATT connections are exclusive. That means a BLE peripheral can only be connected to one device at a time. As soon as the peripheral connects to a central device, it will stop advertising itself, saying "hey, I'm no longer available." It stops advertising, and other devices will no longer be able to connect to it until the existing connection is broken.

So I think that's enough theory, and we can finally do some cool stuff. Let's first see the very basic process before doing the exploitation of a BLE device. The very first step, of course, is getting more information about the device, and there is nothing much better than the hardware manufacturer's manual and specification. You always want to hit those first. There are a few tools that you don't want to miss: the BlueZ stack, hcitool and gatttool. These are the tools anybody uses very often if you want to work on BLE. We'll look into these tools in the coming slides. The next step would be to enumerate the services and characteristics, either by using tools like hcitool or by using your mobile application. We're going to get more information about the services; we're going to enumerate the services and characteristics.
The next step would be to reverse engineer the mobile application, if there is one. A lot of information can be gathered by reverse engineering the mobile application. Many times these smart device manufacturers forget to harden against reverse engineering, and many times you would find the entire logic of how these smart devices connect to your mobile application. Like I was working a couple of months back on a smart lock. For that smart lock, anything you would need to unlock it without the password was there once you reverse engineered the mobile application. I would be surprised if you didn't find anything useful out of that. And the final step would be doing some really cool stuff: hacking the smart lock, the smart bulb and the fitness tracker, and uploading firmware over the air. At the end, yes, I'm going to talk about uploading firmware over the air and how I was able to upload firmware to the fitness tracker.

So step number zero is selecting the target. This is the very first thing you want to do. You want to find the Bluetooth Low Energy devices near you. For that, if you're on Kali or any other Linux distribution, you can use hcitool lescan. You might have to install the BlueZ stack; installing BlueZ is as simple as sudo apt-get install bluez. Once you install BlueZ, hcitool and gatttool come with the BlueZ stack. If you're on Android, you can use nRF Connect, and if you're on iOS, you can use LightBlue or nRF Connect. You can go to the Play Store right now and download these two apps, nRF Connect and LightBlue. You can install these apps right now and scan for the BLE devices, all the smart devices near you. If a device is advertising, you will see it. And if you want to see how it works using hcitool: if I run hcitool lescan, I'm going to see all the devices in my vicinity.
And this is how we see all the devices near me. As you can see, all the fitness trackers that somebody is using are going to show up here. Now we know the device is advertising and we know it can be connected to. The next step would be listing the services and characteristics. To do this, we need to connect to our BLE device. Use gatttool if you want to do it actively, or you can use the nRF Connect application, which you can download from the Play Store, and scan all the nearby devices.

So step number zero is selecting the target, and step number one is enumerating the services and characteristics. Here we are trying to figure out what kind of services and characteristics the device is running. You can do this actively as well as passively. If you want to do it actively, then you connect the device to your phone, and you can use apps like nRF Connect to do this. Once you're connected, it's going to tell you what characteristics and services are running. Super easy. Or you can use tools like gatttool on your Kali machine with the BlueZ stack installed. Once you're connected, you can list all the primary services and characteristics using the primary and characteristics commands. You must have the UUID and handle of the service to perform any kind of read or write, like reading sensor data and writing sensor data. But if you want to do it passively, this can be done by sniffing someone's connection. At the very beginning, when these smart devices connect with the mobile application, they're like, "hey, I've got these many services and characteristics, and this is how I advertise myself." So any time you want to scan all this stuff, you can come here and run gatttool -b with the MAC address of your smart device, and then -I, which is for interactive. Once you do that, you'll be able to list all the primary services and characteristics.
So at this point you must be wondering, what could these services and characteristics be? A profile doesn't actually exist on the BLE device; it's a predefined collection of services and characteristics. A service, in turn, is just a collection of characteristics. It provides a set of features with associated behaviors to interact with the peripheral. Like in the fitness tracker, device information could be something like a device information service, and inside that the characteristics could be something like the software revision number, the hardware revision number, and could be anything. I think I've made it clear for you. Now you might be wondering why on the planet I would be interested in talking about services and characteristics. It is because that's the lowest main entry point in the BLE device that you'd be interacting with. Any interaction you do has to go through characteristics. Now if I have to show you the same thing for my fitness tracker, these are a few of the services that you can observe. If you look, there's something called Device Information out there. If I expand Device Information, I can see my firmware number, my firmware revision number, the software revision number, and a lot more. To do this, I used these screenshots from nRF Connect. You can download it right away from the Play Store, and you have LightBlue in the Apple App Store.

Once you're connected, you might be wondering, "hey, I'm connected to the BLE device, but I don't know how things work down at the packet level. Is it possible to capture the packets of the communication that is happening between a smartphone and a low energy device?" The answer to that question is yes. If you're interested in learning how Bluetooth Low Energy works down at the packet level, Ubertooth is a perfect choice. Ubertooth is a really smart sniffer, and by the way, it's open source as well.
So if you're wondering how to capture the packets down at the packet level, Ubertooth is a solution, and you could learn how these smart devices and mobile applications are communicating with each other. But I prefer not to use any sniffers at all, because sniffers do drop a lot of packets. And for somebody like me who doesn't want to spend any money on sniffers, there's an alternative on Android phones. So what I do is, if there is an app available on Android, I install that, and then I let it communicate with the device. But before that, if you go to your device's About settings, you'll find something called the build number. If you tap the build number five times, you enable the developer options. Once you enable the developer options, you enable the Bluetooth HCI snoop log. Once you enable that, any communication that is happening between your smart device and your mobile application will be logged there. You can transfer this log file to your computer and open it up in Wireshark. It's super easy.

Now, since I had the UUIDs and characteristics, I had the services. I was super excited to send a notification to my fitness tracker. I wanted to prank my friends, saying "hey, Trump is calling you," right? But to my bad luck, whatever I did, the fitness tracker was getting disconnected every 30 seconds. Because I was missing something really important: that was authentication. Now, not every BLE device has authentication. Not every device that I have worked on has authentication. Like the one I talked about earlier was a smart bulb. The hardware manufacturer thought it would be super cool and super interesting not to have authentication. They thought it would be super cool to let your neighbor next door turn your light on or off, right? So they didn't have any authentication.
Then I happened to read an article by Andre, thanks to Andre by the way, which describes very well how this fitness tracker and smart BLE devices authenticate with the mobile application. I'm not going to go in depth into how this works, because I already have the working process here. You may feel free to take pictures. If you want to know more about this, you can reverse engineer the mobile application for this fitness tracker, or maybe you can go to this link on medium.com; you can go there. Then what I did was, once I had authentication, I connected the BLE fitness tracker to my computer. Once I did that, I wanted to send a really cool notification. Remember, I told you something about nRF Connect, right? So this is a log from nRF Connect. The beauty of nRF Connect is that for any communication that is happening, you can see exactly what values are being sent. And you can always reverse engineer that and find out exactly what is happening. So you can start writing Python scripts to do this authentication. There is a library called bluepy, which enables your Python applications to communicate with your smart devices. I don't care what language you use, but all you need to do is send your data to the services and characteristics. That's what we need to do. Using nRF Connect, you can see the logs; it's basically used to see what is happening behind the scenes. As you can see here, when I send a particular notification, this particular value is being sent to some characteristic. If you look at the characteristic name, the last few digits are like 34FB. So to this particular characteristic, there were some values being sent. And when I started reverse engineering that, I found out something really cool. The first two bytes were the notification type: 01 is for e-mail, 03 is for call.
If you wanted to prank your friends, saying "hey, somebody is calling you," you could use these values to send that. The next two bytes are the number of notifications that you want to send. And the last hex bytes were the notification type and the notification message that you were trying to send. You could send pretty much anything: call notifications, SMS notifications and whatnot. So this was a simple Python script that I wrote. Many of you would be Python fans here. Just go to my GitHub; the whole tool is out there on how I was able to hack these fitness trackers. If you look at the last three lines, I'm writing some value to that particular characteristic. If you remember, a long time back I told you that any sort of communication we do with the smart device is going to happen through these particular characteristics. There's a lot you could do. You could even reset the date and time. You could send any SMS notification, or a lot more. And as you see here, I was able to send a call notification to the smart device without needing to touch it physically. This was just an example.

The next thing that I wanted to do: I saw many people using the fitness tracker and I thought, why not put this skull icon on the fitness trackers? Since I saw many people using it, I thought it would be super fun and super cool to do that. So I started focusing on the firmware. So the next question was, where do I get the firmware? As I said, let's talk about the firmware first. Firmware is a piece of software that runs on an embedded CPU. It's written in C, and it's compiled to run on your embedded devices and transferred either via a programmer or using any other tools. But the next question is, how do I get the firmware? One option could be reverse engineering the mobile application if there is one, or else you could capture the firmware during the DFU update.
So what I did was, if you want to do the reverse engineering, there's a tool in Kali, or any Linux distribution that you use, called apktool. You install it, run apktool d and then your cool smart application's APK, and you get the decompiled version of that APK, and you can see a lot of information there. And as you can see here, once I did the reverse engineering, I found two important files: a .fw file and a .res file. The reason I started doing the reverse engineering is that when I got disconnected from my fitness tracker or did something wrong, the fitness tracker would update, even if I was not connected to the internet; the fitness tracker was updating from the official application. So I thought maybe they have something inside that. Once you decompile the application, there are a lot of folders; one of them which you really want to look at is the assets directory. The assets directory is going to have all the firmware, all the resources and all that stuff. So I found these files, and once you find these files, you can pretty much change almost anything. And once you make any changes to the firmware, you have to hunt for the firmware upload service. I started hunting for the firmware upload service because I had to upload the firmware to some characteristic. If you remember, I mentioned a powerful tool called nRF Connect that allows you to scan and explore your low energy devices and even communicate with them. So I used nRF Connect to look for the device firmware upload service, DFU. Many hardware manufacturers have DFU written there, but then many times this is where expectation versus reality comes in. A lot of the time it is going to be all unknown services, unknown services. But at the end of the day, if you know how to use Google, Google is the best way to do all sorts of things.
If you just look up that particular characteristic, if you just do a Google search, you'll find exactly what the DFU service is. There could be many unknown services, and it could be really difficult for you to find it. You can use Google for that, and then you can find out exactly which characteristic is used to do the DFU, the device firmware update.

The next thing is, how do I upload the firmware? When I reversed the mobile application, I found that it accepts four bytes to initialize the firmware update and five bytes for resources. So if you're going to send something in the firmware, like the device name, your software revision number or whatever, that's going to be in the firmware. But if you want to send something like images and all that stuff, it's going to be in the resources. It first sends 01 as the first byte, saying "hey, I've got this file with this particular file size." And for the resource, you append 02 at the end to notify the update service that you are starting to send the resource and not the firmware. I have written the detailed steps on how this firmware upload works, and I'm not going to spend much time on it. You may feel free to take a picture, or you can go to medium.com; I've written it over there.

So I'm going to move on to something really important. Once you upload the firmware, your device could be waiting for a checksum. This is really important. You need to know exactly what a checksum is. When I was hacking this fitness tracker, I spent a lot of time not knowing exactly what the checksum was. What I did was, I sent the firmware. It went until 99%, and after that I was stuck. It was not accepting the firmware, because I was missing something really important: the checksum. So let's see what exactly a checksum is.
A checksum is a calculated value that is used to determine the integrity of the data during transmission over the wireless link, so that a man-in-the-middle attack doesn't happen. A checksum serves as a unique identifier for the data that is transmitted. If the data is changed, so does the checksum value. This makes it super easy to verify the integrity of the data. To test the data integrity, the sender calculates the checksum for the data that is being sent, and the receiver calculates the checksum as well. Now the sender sends the checksum as well as the data to the receiver, saying "hey, this is the checksum I've got; is it the same with you as well?" Now if the checksum value matches, then with a high degree of confidence the data received is proper, and the smart device is going to accept the firmware. If the checksum matches, then the firmware or resource is accepted. It doesn't perform error correction; it can only perform error detection, and Bluetooth 5.0 introduces error correction as well. Now there are several types of checksums available in Bluetooth, but Bluetooth particularly uses CRC, the cyclic redundancy check. The fitness tracker that I worked with was using a CRC checksum.

So now if you look here, this is a proof of concept where I was able to change the device name as well as the software revision number. If you look at the device name, Jasper is my dog, by the way. So I could even change my software revision number; you can see the version number 99999. This morning I found out that with that version number, you can no longer flash your fitness tracker with the official mobile application, because, say, right now it's running version 3.2.2, as an example, and if the software revision number is 99999, the official mobile app is going to think that the tracker already has the latest version of the update. So what's more cool than that?
So remember I told you about the skull icon, right? Again, this is a proof of concept; you could expect more than this. If you look at the skull icon here, this is how I was able to upload the skull icon. The whole software is there on GitHub. Firmware over-the-air update is a really cool feature that's found in nearly all embedded devices. I demonstrated how this feature could be exploited to allow attackers to inject malicious firmware modifications into the devices. The problem is that hardware manufacturers do not cryptographically sign the firmware, nor include an authentication feature in the device that could recognize whether the firmware is signed by the authenticated vendor. They literally accept firmware from anyone. The solution for this could be cryptographically signing the firmware. If they implement these security measures, again, the cost of the device is going to go up, but they have to sell a lot of devices, right? So many smart device manufacturers, like fitness tracker or Bluetooth lock makers, do avoid this just to reduce the cost. So I'm at the end of the talk. Does anybody have any questions for me?
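Editor's note, added after the transcript: the talk describes pulling the Android Bluetooth HCI snoop log off the phone and reading it in Wireshark, then working out from the logged writes which characteristic the notification goes to and what the bytes mean. The script below is an added example, not the speaker's GitHub tool or any code shown in the talk. It parses the btsnoop container that Android writes (the file header, per-record header and H4 packet framing follow the public btsnoop and HCI specifications), walks down HCI ACL, L2CAP and ATT to pull out every write and notification, and decodes the value with the type/count/message layout the speaker describes. The connection handle (0x0040), attribute handles (0x0020, 0x0012), the scan command and the payload bytes are all constructed for the sample log embedded in the script, and the payload layout is an assumption about that one tracker, not a BLE rule; the script also accepts a real btsnoop_hci.log path on the command line.

```python
"""Extract ATT writes and notifications from an Android Bluetooth HCI snoop log (btsnoop).

Added example, not the speaker's tool. Container and HCI/L2CAP/ATT headers follow the public
specs; connection/attribute handles and the notification value layout are assumptions used
for the constructed sample log below.
"""
import struct
import sys

BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_VERSION = 1
DATALINK_H4 = 1002                              # HCI UART (H4); what Android's btsnoop_hci.log uses
BTSNOOP_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000    # microseconds from 0000-01-01 to the Unix epoch

H4_COMMAND, H4_ACL, H4_EVENT = 0x01, 0x02, 0x04
CID_ATT = 0x0004                                # L2CAP fixed channel carrying the Attribute Protocol
ATT_OPCODES = {0x12: "Write Request", 0x52: "Write Command", 0x1B: "Handle Value Notification"}

# Assumed layout of this tracker's notification value, as described in the talk:
# byte 0 = type (01 e-mail, 03 call), bytes 2-3 = count (little-endian), rest = message text.
NOTIFICATION_TYPES = {0x01: "email", 0x03: "call"}


def parse_btsnoop(data: bytes):
    """Yield (direction, unix_microseconds, h4_packet) for every record in a btsnoop file."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != BTSNOOP_VERSION or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    off = 16
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            break                               # truncated trailing record
        off += incl_len
        direction = "controller->host" if flags & 0x1 else "host->controller"
        yield direction, ts - BTSNOOP_EPOCH_OFFSET_US, pkt


def extract_att(data: bytes) -> list:
    """Return ATT writes/notifications carried in unfragmented ACL packets (continuations are skipped)."""
    found = []
    for direction, ts_us, pkt in parse_btsnoop(data):
        if len(pkt) < 9 or pkt[0] != H4_ACL:
            continue                            # commands, events, SCO: not ATT traffic
        handle_flags, _acl_len = struct.unpack("<HH", pkt[1:5])
        if (handle_flags >> 12) & 0x3 == 0x1:
            continue                            # PB=01: continuation fragment, would need reassembly
        l2cap_len, cid = struct.unpack("<HH", pkt[5:9])
        att = pkt[9:9 + l2cap_len]
        if cid != CID_ATT or len(att) < 3 or att[0] not in ATT_OPCODES:
            continue
        found.append({"ts_us": ts_us, "direction": direction, "conn_handle": handle_flags & 0x0FFF,
                      "opcode": ATT_OPCODES[att[0]], "att_handle": int.from_bytes(att[1:3], "little"),
                      "value": att[3:]})
    return found


def decode_notification(value: bytes) -> dict:
    """Decode a notification value using the assumed type/count/message layout."""
    if len(value) < 4:
        raise ValueError("value too short for the type+count header")
    return {"type": NOTIFICATION_TYPES.get(value[0], f"unknown(0x{value[0]:02x})"),
            "count": int.from_bytes(value[2:4], "little"),
            "message": value[4:].decode("utf-8", errors="replace")}


def _h4_acl(conn_handle: int, att_pdu: bytes) -> bytes:
    """Wrap an ATT PDU in L2CAP + HCI ACL headers as one H4 packet (constructed sample helper)."""
    l2cap = struct.pack("<HH", len(att_pdu), CID_ATT) + att_pdu
    handle_flags = (conn_handle & 0x0FFF) | (0x2 << 12)     # PB=10: first, automatically flushable
    return bytes([H4_ACL]) + struct.pack("<HH", handle_flags, len(l2cap)) + l2cap


def _record(h4_packet: bytes, received: bool, ts_unix_us: int) -> bytes:
    """btsnoop record: bit 0 of flags = direction (1 = received), bit 1 = command/event."""
    flags = (0x1 if received else 0x0) | (0x2 if h4_packet[0] in (H4_COMMAND, H4_EVENT) else 0x0)
    return struct.pack(">IIIIq", len(h4_packet), len(h4_packet), flags, 0,
                       ts_unix_us + BTSNOOP_EPOCH_OFFSET_US) + h4_packet


def build_sample_log() -> bytes:
    """Constructed log: one HCI command, one phone->tracker write, one tracker->phone notification."""
    t0 = 1_700_000_000_000_000
    scan_cmd = bytes([H4_COMMAND]) + struct.pack("<HB", 0x200C, 2) + b"\x01\x00"   # LE Set Scan Enable
    write = bytes([0x52]) + struct.pack("<H", 0x0020) + b"\x03\x00\x01\x00" + b"Trump is calling"
    notify = bytes([0x1B]) + struct.pack("<H", 0x0012) + b"\x00\x48"
    return (BTSNOOP_MAGIC + struct.pack(">II", BTSNOOP_VERSION, DATALINK_H4)
            + _record(scan_cmd, False, t0)
            + _record(_h4_acl(0x0040, write), False, t0 + 1500)
            + _record(_h4_acl(0x0040, notify), True, t0 + 3000))


if __name__ == "__main__":
    log = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    for rec in extract_att(log):
        print(f"{rec['ts_us']} {rec['direction']:17} {rec['opcode']:25} "
              f"handle 0x{rec['att_handle']:04x} value {rec['value'].hex()}")
        if rec["opcode"] == "Write Command":
            print("   decoded:", decode_notification(rec["value"]))
```

Run it without arguments to see the constructed sample decoded, or give it the btsnoop_hci.log pulled from the phone to list every write the official app made, with the attribute handle each one went to; matching those handles against the gatttool or nRF Connect characteristic list is what tells you which characteristic to replay to. The extractor deliberately skips ACL continuation fragments rather than reassembling them, so a write larger than one ACL frame will be missing from its output and must be read from Wireshark instead.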