Good afternoon everyone and thank you for coming. I'm going to present the BtleJuice tool I've developed, and especially the man-in-the-middle attack it implements. So, just to start, I am Damien Cauquil, French senior researcher at CERT-UBIK, which is part of Digital Security, a French digital security company. And this company is owned by Econocom, maybe some of you know about it. But anyway, I started studying Bluetooth Low Energy security back in 2013. So it's quite a while I've been testing stuff in the BLE field, and this is my main focus since then. You can find me on Twitter. What we are going to talk about in this talk is mainly the basic stuff in Bluetooth Classic, very, very shortly, and Bluetooth Low Energy, also called Bluetooth Smart. And I will discuss the fact that Bluetooth Low Energy sniffing really sucks. I don't know if some of you perform some kind of sniffing with specific devices like an Ubertooth or something like this, but it's really difficult in certain conditions to get valid data, or something very useful, from these tools. And we will go through the man-in-the-middle attack I designed and the tool associated with it that I call BtleJuice, a great reference to the movie. And we will end the talk with live demos. So I spent all the morning praying to the demo gods, of course, in order to have all the demos go well. But in fact, since there are a lot of people here, there may be some interference with your devices, and I will show you with my tool every device I can identify, and maybe some problems with it if there are too many trackers or something like this around. So first of all, the Bluetooth Smart 101. You are all aware of Bluetooth Classic, which has been very, very used in the last years. But also defined in the Bluetooth specifications is the Bluetooth Low Energy protocol, which is not so new a protocol, but it has been widely deployed for two years on many devices.
And it's a very, very, very common protocol now, and it's really implemented in a lot of devices. The Bluetooth Smart protocol was designed in order to be implemented in very limited devices, in fact in devices that require low power, with all the capabilities of Bluetooth. So it's widely used. If you search on the Internet for Bluetooth Smart enabled devices, you will find a lot of them, and some of them are very, very freaky. You have the smart mattress. It doesn't show up very well here, but this is a kind of device you can put under your mattress, and that device monitors the movement of the mattress. So I guess you can see what we can do with this kind of stuff. Well, anyway, there are also the smart diapers: a diaper that tweets when your baby pees. Also a very, very common need. And just to conclude, some kind of security stuff like smart alarms or even smart locks or padlocks. I have some of them here to demonstrate. So I thought about another talk at DEF CON about picking smart locks; it can maybe be the same, in a way. But anyway, the Bluetooth stack is divided in two, because there is a traditional model called Bluetooth Smart Ready. But basically, the lower protocols are the same, from the physical layer to L2CAP, with some changes of course, but the upper layers are totally different between Bluetooth Classic and Bluetooth Low Energy. Bluetooth Smart provides a lot of features, or new features. The frequency-hopping spread spectrum mechanism is still used in Bluetooth Smart to avoid interference between devices. It also supports encrypted communication through bonding. So if you create a bond between your mobile application, your smartphone, and some BLE-enabled device, it secures the communication. This is covered by the SMP, the Security Manager Protocol. We'll cover this later.
One of the most important things about Bluetooth Smart is the fact that we are not creating sockets to communicate with the device, but basically use what they call services and characteristics. So you have a device that provides one, two, three or more services, and each service provides one or more characteristics. You can see these like some kind of registers: you can write in them and read from them, to put data on the device and get data from the device. And this communication is covered by the GAP and GATT layers of the protocol. So it's pretty cool. I will not go too deep into the description of these protocols; if you guys want more information, you can read the Bluetooth specifications, good luck. But it may be very useful to understand how things work with this kind of stuff. One more thing about Bluetooth Smart: Bluetooth Smart devices, most of them, accept only one connection at a time. The specifications say that normally a device may be able to accept more than one connection, but in fact, in most devices, a single connection is supported. So this is important for the attack. Frequency-hopping spread spectrum is a feature you may already know. It's basically a way to avoid interference between devices, since all the devices use the 2.4 GHz band. So this is not new, but it's still present in the Bluetooth Smart protocol. So basically, when you are using some sniffer, it's very difficult to get valid data, because you have to sniff the synchronization step that is performed first to be able to follow the same hops and get data from it. When you're in a laboratory environment, this is perfect: you have everything you need, Faraday cages and so on. But in the wild, this is very difficult to perform. I gave a talk last year at the Chaos Communication Camp in Germany, and I planned to make a demo about BLE sniffing, right on stage.
That year, they had the great idea to provide all the attendees with some kind of rad1o badge. Maybe some of you got one. But basically, I was in front of thousands of people with a rad1o. And this badge communicates through the 2.4 GHz band, and it was very difficult to perform a valid capture of BLE data, of course. So this is difficult to sniff. To prove it, I just found this on Twitter: someone posting a picture of what they call the new Faraday cage technology from IKEA. It's a way to do this. It works, in a way, but you can also use a microwave oven. So basically, it's much more MacGyver style, but it may be used to get accurate data from BLE sniffing. At Digital Security, we have a professional Faraday cage that looks like this, but it costs a lot, many thousands of euros or dollars. It's not affordable for a single researcher. Some information about the SMP, the Security Manager Protocol. I told you that Bluetooth Smart implements some kind of encryption. So between a smartphone and a device, we can have encryption and an encrypted communication. This is performed this way: when you are connecting your smartphone to a device, or bonding your smartphone to a device, you send a pairing request containing what kind of bonding you support. If you read the Bluetooth specification, there are many of them. The first one is Just Works: no PIN code, it just works, like its name says. You can also provide a PIN code. The other one is OOB bonding, which requires an out-of-band communication to provide both the device and the smartphone with bonding information. Then they agree on what is called an STK, a short-term key used to encrypt the following step. During this following step, the long-term key is provided to the device, and also some information about identity and revocation. So this can be used to check if the device that uses encryption is a valid one.
And of course to encrypt all the further communications. So again, this is a problem when we want to sniff some BLE communication. But some security researchers found a way to bypass it, a tool called crackle. You also have BTP, which is a tool that performs the same attack. So basically you sniff all the traffic between a smartphone and a device, and then you break the encryption once you get all the data. So the keys can be recovered this way. This is basically how we perform a Bluetooth Smart security assessment: by using mainly sniffing to find all the devices the smartphone exchanges data with, and what data is exchanged between them. So many things to tell about it. First of all, few devices use encryption. If you buy many BLE-enabled devices, few of them use bonding. And this is very interesting, because bonding provides a way to encrypt communication but also to perform strong authentication. So almost all devices are not strongly authenticated, and this is a problem. Some of them perform authentication, but only on the BD address, which is basically the MAC address of the Bluetooth device. So sniffing attacks are difficult to perform, but there are many, many weaknesses, vulnerabilities, in the devices you want to test. And here comes the man-in-the-middle attack. It was an attack which was theoretical, and it was mentioned by many security researchers, especially some researchers who presented here at DEF CON in a presentation. So it's not an easy attack to set up, but as you're going to see, we managed to get it working on many devices. Why does BLE sniffing suck? First, because of the devices you need to perform sniffing. You are maybe aware of the Ubertooth, which is a USB adapter you can plug into your computer that provides many, many ways to get information. It performs the synchronization step and follows every hop to get information from the BLE exchange.
Some of you have already used the Adafruit Bluefruit LE Sniffer, which works. It's a very awesome tool. The only limitation is that it creates some non-standard pcap files, so it's quite difficult to analyze the exchange between the two devices. It's cheaper than the Ubertooth, but it has a drawback, as you have to use some specific plugins for Wireshark in order to dissect these packets and be able to analyze what is exchanged and what operations are made on the GATT stack. btproxy, a well-known tool used for Bluetooth Classic: obviously they do not plan to work on Bluetooth Low Energy. It works perfectly for Bluetooth Classic, but it has absolutely nothing to provide for Bluetooth Low Energy. I did not modify btproxy. So basically, when you face encryption, the strategy, the other strategy, is to sniff first and then decrypt, so you cannot interact, you cannot modify the data on the fly. You can only monitor what is exchanged between two devices. So it's a pain in the ass to get something by sniffing, to get information by sniffing between two BLE devices. Man-in-the-middle is a way to bypass all of these limitations. It's very, very simple to set up on paper, but to get it working on my computer was a lot more difficult. So basically, how can we perform some kind of man-in-the-middle on Bluetooth Smart? First of all, we set up what I call a proxy, which is the central here. The central is simply a kind of service that will connect to a Bluetooth Smart device, using a classic BT4 adapter you can plug in with USB; it also works with the embedded adapter in your laptop, so it's very easy to perform. And this central communicates with the dummy device. This dummy device is again a service that will create or simulate a real BLE device with the exact same characteristics as the one we are going to interact with.
So first we connect to the device, then we create this dummy device, which is in fact a clone of the first one with the exact same services and characteristics and so on. And then we wait for a connection to the dummy device from a smartphone, mobile application and so on, and then we forward the information between the smartphone and the target device in a bidirectional way. So it's quite straightforward to set up on paper; it's the basics of man-in-the-middle and proxying. So why not create a tool that allows people to do the same attack very easily? This is very easy to write on paper, but to do it was quite difficult. But in fact, there are some well-known libraries called noble and bleno, and these libraries were developed by Sandeep Mistry and put on GitHub, so they're totally open source. noble is in charge of all the connection operations: when you want to connect to a Bluetooth Low Energy device, you can use it and perform all the discovery and the interaction with the device. bleno is very good to create a dummy device: you can create Bluetooth Smart peripherals and provide services and characteristics. So on one hand you have noble, which provides all the stuff to connect to a target device, and on the other hand you have the bleno library providing all the stuff to create and simulate a device. So we have everything we need to perform this man-in-the-middle attack. This man-in-the-middle attack relies on standard BT4 adapters. There is no expensive hardware to buy, so it's very interesting. The communication between the dummy device and the proxy is made through WebSockets. This is again some kind of standard that can be used to communicate with a web browser or something like this, which can be interesting. And it also supports bonding for specific Linux kernel configurations: you have to use a Linux kernel version 4.x, 4.2 or so, and a specific version of BlueZ.
The fact that this attack relies on BlueZ version 5 may cause problems on some distros, because this BlueZ version is not deployed widely on many distros. If you are using Debian, for instance, it's BlueZ 4 by default, and if you are using Ubuntu it's BlueZ 5. So you can upgrade BlueZ if you want, but it's up to you to do it well in order not to make a mess of the system. The architecture is the following. We have the proxy, using noble to connect to the target device, and the core, a service which uses bleno to create a dummy device, so we can advertise a fake device. The core and proxy communicate with WebSockets, and the core service also provides a web interface, which is basically a Burp-like interface allowing the user to see what happens in the Bluetooth Smart communication and also to interact with the device. I will demonstrate it later. I also provide bindings for Python and Node.js. But I had a surprise yesterday: I got an email from someone telling me, hey, I made the same tool, I presented it at Black Hat. Wow, it's just here. So I told him, yeah, let's meet, let's discuss our tools, let's see what we did and what we did differently, obviously. But in fact he gave me more information in this email, and it was also based on the same technologies. Wow. So this is the exact same setup that he designed, and this is quite interesting, because it means I did what I wanted to do the right way. His tool is called GATTacker, and there was a website, gattack.io, which was presented with a cool logo, yeah. And obviously this tool implements more tricks about noble and bleno; I mean this guy modified the bleno and noble libraries to get it working better, so he improved these libraries to do the man-in-the-middle attack. When I started my development I did not want to modify these libraries, because I wanted it to be easily installable through npm or something like this. So this other tool exists, which has so many differences between mine and his; the approach is a bit different
from the GATTacker strategy; we'll see this later, hopefully. I thought I had enough time to put it on npm. I was quite busy yesterday stressing with this tool; I was not aware before writing this slide, so it took me some time. I've set up all the GitHub, I will give all the URLs later, but all the code is already open source and available, and in fact I will publish it on npm right after this talk with the slides, so it will be available with npm. Sorry? Did you reserve the name on npm? What? You have to reserve the name on npm? Nope. Be kind, guys. Well, maybe the name will change on npm; it depends on the availability. Well, that's what we call a fail. Anyway, the idea was to provide an easy setup through npm, also for the bindings through npm and PyPI. The web UI is very basic and provides all the information you need. It sadly uses the hexii notation designed by Ange Albertini. I don't know if you know this guy; I think he already presented at DEF CON, or he presented at DEF CON many years ago. So this is a mix of hex and ASCII, and this is a very...
It was useful in my web interface because I wanted to see the strings pop up on the interface as well as the hex, so it was a compromise I made to get nice demos later. So this is not a big deal. The features: this BtleJuice tool provides a kind of monitor on all GATT operations and data exchanged between different devices. It is designed like Burp, not so full-featured, but it's basically the same idea. I mean you can use this tool to perform on-the-fly data modification, you can put some hooks, I will demonstrate it later with the interface. It's quite easy to use, and you can also do some replay attacks and replay some operations. There are bindings for Python 2, Python 3 and Node.js that can be used very easily and communicate with the rest. The bindings are not related to the web interface; you can use them from the command line. The requirements: you need two machines set up to get it working. It's better than making bleno and noble work on the same machine, which is very difficult at this time. Lucky you. So as I said, there are still some improvements to make. The best is by using a virtual machine; this is the setup I have here to make my demos. And you only need two Bluetooth 4 adapters, which look like this. If you can find some CSR adapters, this is good to go, because these adapters provide a way to modify the MAC address, so you can spoof the MAC address. And of course Node to get it running. So let's see. This is the web interface running on the machine. I have to start the proxy on the virtual machine and start the core service on mine. Let's do it like this. First of all I start the proxy on this virtual machine, then I make sure the Bluetooth service is down, because I have some problems sometimes. It's okay, a Bluetooth adapter up and running. So let's go. I'm starting the interface. Obviously this is not a good IP address. So here it is, I can sniff for devices. As I said, there are a lot of them, as you can see, but this is not a problem. This device, which is a BLE tracker available in
many stores, just to see if we can impersonate this. Well, it's going to be a challenge, because it should be this one; I have many of them right now, so picking the right one is always a problem. So basically the proxy connects to the target device, performs all the discovery and then communicates with my core service, and this core service creates a dummy device with the exact same information. So if I use my smartphone to discover this device and communicate with it, I will be able to intercept all the information. Let's use it. This is my smartphone, my real smartphone. I'm going to launch a BLE scanner, connect to the dummy device, and if everything goes well, here it is. Of course you have a notification here of the connection from my smartphone, so it's good, and here the connection information. So I'm going to read a characteristic from this device. We have two of them here: the first one should return the version of the firmware as the word 0106, and the second one a kind of timestamp, the date when the firmware was compiled. So this is quite interesting, but if you go back to the web interface, everything has been logged and you can use it further. We can put hooks on this. If I try again to read the date, from the web interface I can modify the data that will be sent to the mobile application. So just have a look: I'm asking for this information, it pops up here, I modify the year, and if you look at the information displayed here, you have 2016 instead of 2015. So it's very easy to modify this. Remove the hook. There is another button here; this button enables global interception, so for every operation you will be notified and you can choose to perform the read, perform the write, or dismiss it. So you can easily modify the behavior of the device, and you also can tamper with the data between two devices. It's also easy to perform fuzzing, or manual fuzzing, with it, because we have some kind of replay attacks like this. We can perform some reads by using this. Just to prove this is working, I
removed the previous data, but in fact we can get information from the device. You can write whenever you want, you can interact with the device even while the mobile application is connected to it. So it's quite interesting to try to find vulnerabilities, or maybe glitches, in this device. And we also have some kind of notification, I don't know if... but it also supports notifications, to decide to forward or dismiss a notification to perform an attack. So the benefits of this system are that it works with any Bluetooth 4 adapter: you can use any CSR-compatible adapter or even your embedded Broadcom Bluetooth adapter. You can intercept every GATT operation, and it also supports bonding and encryption on newer versions of BlueZ and the Linux kernel. So if your mobile application tries to create a bond between the simulated device and the mobile application, this is possible, you can do it, and this is supported by the Node.js library. It's also compatible with tests made with a Faraday cage, like we do at Digital Security. Since you need two machines to perform this man-in-the-middle attack, you can put a machine, say a Raspberry Pi for instance, in the Faraday cage and another Raspberry Pi outside to advertise the same device. It's compatible with this kind of test. And Bluetooth device address spoofing is also possible, because of some features of the Bluetooth Smart protocol. Creating the perfect dummy: when we want to clone, and make a real clone of a device, we want to use the same address, the same MAC address for the device. I want to provide the device with the exact same characteristics. I will show you some tricks I found to create a perfect clone by abusing some characteristics of the Bluetooth specification. So first of all, we connect to the target device. Since the device only supports one active connection, there is no more advertisement. A Bluetooth Smart device advertises, specifying some manufacturer data; once we are connected to it, it doesn't advertise anymore, so it's not visible from a
smartphone or mobile application. And also frequency hopping is active, which means the Bluetooth device hops from channel to channel, and the frequency-hopping system means we can set up another Bluetooth adapter with the exact same address, advertising all the information about some kind of device, and it won't interfere with the active connection we have with the device. So it's possible to create another device with the same configuration, same characteristics, with the same Bluetooth address. So this is how it's possible to create the perfect dummy. The bindings in Python provide some classes you can use to perform some operations and some modification of the data. You have many callbacks you can use, and it's quite easy to set up an application. Many attacks using the Python bindings and Node.js bindings are easy. The code on GitHub has some documentation inside; you can read it, everything is explained on GitHub about how to create these kinds of applications. So these bindings require the core and proxy to be running in order to perform the man-in-the-middle. We have the same in Node.js, and of course we can perform on-the-fly data modification. So here is an example of the battery service hooked by the BtleJuice proxy, and in the on-before-read callback we modify the information returned by the proxy: for a given service, 180F, and a given characteristic, 2A19, we modify the battery level and force the response. That means the read operation is never forwarded to the target device; we provide the answer to this operation. This is pretty interesting. And of course the on-before-subscribe callback raises a hook force response operation, causing a dismiss: there is no more subscription possible for notifications. This may be interesting in various attacks. Anyway, there are some limitations with this tool. It does not support long writes: if you try to write more than 22 bytes in a characteristic, it hangs the adapter and all the stuff. It's a drawback, I'm afraid. Maybe, I didn't try yet
the GATTacker tool, but since this tool performs low-level reads and writes, maybe it's not impacted by this, I don't know. But this is a problem I noticed while testing my tool. There is also an induced latency, I mean there is a delay caused by the communication process. Since we are communicating through BLE, then everything goes through WebSockets and then back to BLE, it induces some delay, and this can be detected by a device to determine if a man-in-the-middle attack is in progress. And sometimes it may be very tricky to intercept the communication between a device and a smartphone because of the device itself: sometimes the device only stays up or advertises itself for a very short amount of time, so you have a very short window to communicate with the device and perform your attack. So let's demonstrate this framework. I will start with this device, which is a BLE-enabled robot. I don't know if some of you guys have this device; it's not very common, but a Chinese one is very widespread. Put it on, make some sound. This robot is like a dual port, and you just put it on the floor. I don't know if I can put it right here. Sounds good. I'm going to create a man-in-the-middle, maybe on the table, sounds better. Let's see. This device advertises itself; this is a WowWee MiP, and we are going to create a proxy with all of this. So the proxy is configured and ready to relay, so normally I will be able to communicate with it. So let's see if everything goes well. I will start the application. Sorry, because there is a drawback with the previous test: I tried to go to the Gablys Lite, which is in fact a problem we experienced when designing the demo, demo gods. This is a problem when you have a lot of devices in the room. Damn, they are good. I got it working, it's connected on my demo device. Hopefully it will perform some GATT operations, read and write, and the fun fact is the designers of this robot have many sounds in it; you heard one of them. I'm going to be very quick, but in fact this is the line that causes the sound to be
played on the robot. I started some kind of replay to see if there are many sounds and if I can make some nice sounds. First of all I'm going to pick the second sound of the bank and let you hear the sound. Sounds like a test beep. Put on it, there's more, because the developers had a great idea. Let me play the third sound on the robot. I'll do it again. Ten problems, it was awesome UX, I have some improvements to make. Very effective demo, demo. I'll spend one minute more to see if I can get it working. But anyway, wait a bit. So here it is, the third sound is the following. Forget about it. There are many sounds that can be played this way. Sad, it's the sound of a burp. I designed another attack on this robot that performs some kind of modification: I modified the left and right commands just to invert them. If you ask the robot to turn right, it turns left. It's pretty useless, just to show you it's done. It's set up automatically. If I take my remote control and ask the robot to go forward or backward, all the commands are inverted. So if someone wants to try it and drive the robot without making it fall off the table... of course it works perfectly again. Oh shit. Let's forget about this robot; I just saw it working with the correct interception. The demo here is pretty difficult to perform because of the number of devices. Normally the frequency-hopping spread spectrum system is designed to avoid interference, but with the Bluetooth Smart protocol this sometimes happens, so there are no limitations about it. I made a lot of tests on my test devices, which are some kind of Gablys, which is a tracker, another tracker, the Master Lock 4400D, which is this kind of smart lock, the last one provided by Master Lock, and also another padlock. I shouldn't give the name because it's very lame, it's weak. But with this kind of padlock we are going to see what the problems are by using the framework. And last year I presented at Vioscans my research about a specific smart lock, and I will just give some feedback about its security and what
can be done with this kind of tool. So first of all, the Gablys. This is the one I used for my first demonstration, and this tracker has absolutely no bonding, so you can create a perfect dummy with the exact same MAC address and so on, and it works perfectly with the proxy. There is absolutely no strong authentication, so it's very easy to spoof or to create the exact same Gablys. Just to give more information about the Gablys: this is a tracker, your phone is normally connected 24/7 to it, so you would need to disconnect the Gablys before performing the man-in-the-middle attack. So this is not a really critical threat for this tracker, but anyone may make this Gablys beep, because it just needs to write a specific value in the characteristics. But I found a denial-of-service attack, a denial-of-service vulnerability, that can be used to bring the Gablys down, and I found it by testing this tool, especially by testing the replay feature. So there is something that can be done. Maybe I will try to demo the Gablys Lite and the denial of service, since I'm very lucky for this. Oh yeah, I created a fake Gablys on my computer, I'm going to connect to it with the correct application. If everything works fine, let's see what happens on this screen. It's sometimes a bit messy. So here it is, I write it to my smartphone, my smartphone is connected to it, or maybe someone connected to this Gablys, I don't know if some of you have this application. It's a demo very difficult to perform live, so let's continue with the rest. So Gablys Lite, the bonding. Then there is the Wistiki; this one, bonding is used, so it provides strong authentication, and the tag is declared lost when the connection is lost. So it's pretty cool. Other devices: the Master Lock 4400D. I made a lot of tests with it. There is pretty much no vulnerability, maybe no vulnerability in it, so it can be... we'll find out, yeah, maybe for another talk. Let's see. It's available for a short amount of time, so you have to be very quick to interact with this smart padlock. And also I found
another padlock, this one, that can be used to start again. If you set up a man-in-the-middle attack, you will find that the PIN code used by the application is stored and exchanged in clear text, so it's no big deal to get the PIN code. It's very easy to create a fake lock and get it working. I will show you; I need to play the demo again, because still only one demo works. But if I remember, to create a fake device, this would be possible. Here, my smartphone again. This device shows up when you push the button; I have to push the button on the padlock to make it appear. I'm going to create a perfect clone, not so perfect because the MAC address is not faked, but here it is. I'm launching the normal application. This lock has already been stored in my application; my application discovers the available devices, connects to this smart lock, since we created the quite perfect dummy, and I can ask the application to unlock the lock. If you look at the web interface, I intercepted everything between my smartphone and the lock. The default password on this lock, which is very, very complex: if you look at the data captured here, you can see this one. The hex format is not very perfect to see here; it's 12 and character 4 VX. If you put it in hex, this gives you the PIN code. So basically what an attacker can do with this is set up a man-in-the-middle attack, wait for the owner of the lock to unlock this lock, but obviously the smartphone will connect to the spoofed, our fake lock, our dummy device, and we intercept the PIN code by using this attack. The beauty of this attack and of this device is that you don't need this PIN code to be able to add this lock to your application, because there is no bonding and no strong authentication; there is no information put by the mobile application into the lock to say that this lock belongs to this user or to this phone. And this is quite interesting to see: once you have the PIN code, you can interact with the lock and unlock it without any problem. So this is not so cool
in terms of security but it shows that many of these locks are very poorly designed and this can be revealed by your manual attack and bit address in particular so for this power lock everything was sent in plain text authentication is based on the Bluetooth address as shown that it was possible to fake this Bluetooth address so this is not big deal to get a perfect clone of this padlock and it stays active once the client is connected and it stays active and enabled a very long time once you get connected to this padlock it can take 4, 5, 6 minutes for the padlock to shut down the Bluetooth interface so this is very very easy to create to perform a manual attack if you compare this padlock to the master lock which stays active only for say 10 or 12 second max this is easier to access so the master lock is pretty good with strong authentication but the padlock is not interception and we play attacks on this padlock with absolutely no problem like on the gublis and the smart lock I'm not allowed to give the name of the vendor but this smart lock was planned to be widespread in Europe and France in particular and all that was transmitted some of them are unencrypted especially the locks of the smart lock stored in the smart lock and authentication was based sometimes on the advertisement data you can fake a lock without having to spoof the Bluetooth device address I mean the mobile application finds the lock by looking at the data advertised on the Bluetooth smart protocol so it's very easy to create a clone of it without cloning the Bluetooth address also no bonding was required so you can just create it and spoof the device without absolutely no problem the fun part of it is that the unlock and lock operations were based on the AES 128 bit military grade encryption well in fact I found that there were some problems with the 4 more bytes they used to absorb something implementations is very important encryption algorithm is very important so I found many flows in it 
with this cryptographic approach so basically this smart lock was authenticated only on the data advertised at the Bluetooth smart layer so it was very easy to create a fake one of course this smart lock was been able to intercept and replay attacks so I was able to open it, close it, steal some authentication tokens and some tokens used to lock or unlock this smart lock to sum it up, beta juice can be seen as a security tool to assess the security of various devices so it's maybe useful to determine device behavior or anything and also manipulation as I show you the web interface has some features for replay attacks and for data visualization and you can do replay attacks and this tool supports bonding since the Blinus library supports bonding it can also be seen as an attack tool for bad guys since it can bypass all the authentication based on Bluetooth device address and can be instrumented to automate attacks yes I provide bindings for further use for the tools if you guys want to base an attack or create a new exploit based on beta juice this is possible for the bindings and it doesn't require specific hardware to create and to have this working there is also no limitations due to noble and Blinus implementations so some of these limitations have been solved by the Gataka tool by its author and he finds some tricks to cope with the problems I had with these libraries in particular to improve beta juice proxy reliability and maybe see with the author of Gataka if we can do something and take the best of these two tools maybe because the decision is not up to me but we'll see and also improve the user interfaces and bindings because they are very basics I didn't take time to implement the other features I wanted to implement on it I have more work to do with the interface and I will implement other features very soon just to provide you with a good tool and of course we need more testing more and more testing because we took six months to develop this tool and 
we tested it at digital security but we were only three persons using this tool and we need more and more testers so if you're interested in this tool with its approach and what attacks can be performed with it feel free to test it and to get it the main code is located here digital security with capital D and capital S and beta juice there is an introduction on how to set it up you can use this repository until I publish it on npm if the name is available but anyway the code is here the bindings also all the bindings there is a lot of example code how to use it, how to connect to it how to set up an attack feel free to try it is there any question about this tool? by using a CSOR VT adapter come with silicon radio adapter which implements a vendor command that can be used to specify the MAC address it was previously done by some people there is a tool called BDO that can be used to spoof the bluetooth device address it is a part of bluetooth if you install the bluetooth library it is provided by this currently I ran it on Ubuntu but I got it working on Debian and it should work on most of the recent distribution that use bluetooth libraries version 5 and more and Linux kernel version 4.2 it is very common I guess if you use some Kali Linux there shouldn't be any problem with it some requirements are blue eyedro for instance the only problem you can have with the setup is the setup of the nobel and blino libraries which on some machines are very difficult to install on the NPM tool other questions? no? thank you for listening
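The talk's recurring finding is that these locks authenticate on something a proxy can see and reproduce (the client's Bluetooth device address, a PIN written in cleartext, a static unlock token), so a captured exchange can simply be replayed. The following toy model is an added illustration written for this page; it is not code from the talk, from BtleJuice, or from any of the vendors discussed. StaticLock mirrors the weak design (address allow-list plus a fixed PIN), and ChallengeLock shows the hardened shape an assessor would look for: a fresh nonce per session and a keyed response, so a recorded write is useless afterwards. All addresses, PINs, keys and characteristic names are constructed for the example; in a real device this logic would sit behind LE bonding rather than replace it.

```python
"""Toy model of two BLE smart-lock unlock protocols (constructed example).

StaticLock: trusts the central's Bluetooth device address and a static PIN
written to a characteristic, both visible in plaintext to a proxy.
ChallengeLock: per-session nonce plus an HMAC over that nonce; a captured
response cannot be replayed into a later session.
"""
import hashlib
import hmac
import secrets


class StaticLock:
    """Vulnerable design: BD-address allow-list plus a cleartext PIN."""

    def __init__(self, owner_addr: str, pin: bytes):
        self.owner_addr = owner_addr.lower()
        self.pin = pin
        self.unlocked = False

    def write_unlock(self, client_addr: str, value: bytes) -> bool:
        # The only checks are the source address and the PIN bytes. A MITM
        # proxy logs both, and the address can be spoofed on the attacker side.
        self.unlocked = client_addr.lower() == self.owner_addr and value == self.pin
        return self.unlocked


class ChallengeLock:
    """Hardened design: fresh nonce per attempt, keyed response, replay refusal."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key          # provisioned to the owner's app at pairing time
        self.nonce = None              # outstanding challenge, if any
        self.used_nonces = set()
        self.unlocked = False

    def read_challenge(self) -> bytes:
        # Modelled as a readable characteristic returning a 16-byte random nonce.
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def write_response(self, response: bytes) -> bool:
        # No outstanding challenge, or one already consumed: refuse outright.
        if self.nonce is None or self.nonce in self.used_nonces:
            self.unlocked = False
            return False
        expected = hmac.new(self.key, b"unlock" + self.nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        # The nonce is consumed whether or not the response was valid.
        self.used_nonces.add(self.nonce)
        self.nonce = None
        self.unlocked = ok
        return ok


def legit_response(key: bytes, nonce: bytes) -> bytes:
    """What the genuine app computes from the provisioned key and the lock's nonce."""
    return hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()


def replay_static_lock() -> dict:
    """Owner unlocks once; the captured (address, value) pair is then replayed."""
    lock = StaticLock("aa:bb:cc:dd:ee:ff", b"1234")   # constructed address and PIN
    owner = lock.write_unlock("AA:BB:CC:DD:EE:FF", b"1234")
    captured = ("aa:bb:cc:dd:ee:ff", b"1234")          # what a proxy would have logged
    replay = lock.write_unlock(*captured)              # spoofed address + same bytes
    return {"owner": owner, "replay": replay}


def replay_challenge_lock() -> dict:
    """Same scenario against the hardened lock: the captured response is rejected."""
    key = secrets.token_bytes(32)
    lock = ChallengeLock(key)
    nonce = lock.read_challenge()
    resp = legit_response(key, nonce)
    owner = lock.write_response(resp)
    lock.read_challenge()                  # new session issues a fresh nonce
    replay = lock.write_response(resp)     # old response does not match it
    stale = lock.write_response(resp)      # no outstanding challenge at all
    return {"owner": owner, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print("static lock  :", replay_static_lock())
    print("challenge lock:", replay_challenge_lock())
```

When reviewing a capture from a proxy such as the one described in the talk, the question to ask of every unlock exchange is the one this model makes concrete: would sending the same bytes again, from a different adapter, be accepted? If the answer is yes, address spoofing and replay are all an attacker needs, regardless of which cipher the vendor advertises.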