Hello everybody. Good afternoon. I know it's lunch time, so I really appreciate you all being here. If you made your way to this room, that means you want to hear about how to hack Bluetooth Low Energy devices. So hopefully I get to answer some of those questions today. My name is Jose Gutierrez. Oh, this is funny. The title of my presentation is actually "How Do I BLE Hacking?", but really, truly, underground, it's called "How to Make Nick Cage Rich Again", and I'll tell you why in a second.

My name is Jose Gutierrez. I'm a researcher. My background is electrical and computer engineering, and I like to consider myself a perpetual dabbler. I've dabbled all over the place. Most recently, home automation and definitely Bluetooth Low Energy security. Our research director is Ben Ramsey. Unfortunately, he couldn't be here today. He's recovering from surgery out east, but some of his most recent work is all sorts of Z-Wave stuff, which I know a lot of guys here have worked with, and he's talked at DerbyCon and ShmooCon, and he most recently has a PoC||GTFO article, which is really cool, about reading EEPROM and extracting some private keys out of it. So it's pretty awesome.

All right, cool. So some housekeeping slash expectation management. What I will be presenting today is a basic overview of how Bluetooth Low Energy works. I'll be talking about some of the most basic Bluetooth Low Energy tools, how to use them and, most importantly, when to use them. I won't be presenting an in-depth, down-in-the-weeds Bluetooth Low Energy talk. I don't have enough time, so I'll go over the specs and you'll get all that information, and I'm not going to present every single tool out there. There are plenty of approaches to do some of the stuff that we're talking about today, but I'm just going to present what we have done and what we've used.

Some nomenclature. Whenever I say tablet, think mobile. So smartphones, tablets, phablets, whatever it is.
Whenever I say Kali, think Linux machine with a BlueZ Bluetooth stack. So most of the time you'll be able to do all of these things with those two types of devices.

So let's get started. Let's go into a little bit of a story here. We know that Bluetooth Low Energy is a forefront technology in smart devices slash IoT, because it's super easy to use. It's super low energy, and we knew that it was pretty available, but we didn't actually know how much it was being used. People use this on everything. We're talking smart watches, outlets, pressure cookers out there you can buy. You can buy a bib, and sorry, what's that called? A pacifier. Oh my god. You can buy a pacifier that basically reports on a baby's temperature using Bluetooth Low Energy. There's all sorts of shit out there you can buy. Some of them have some implications, security implications, so there's Bluetooth locks, and actually one of my co-workers, Anthony Rose, is going to give a talk later today and tomorrow about how to hack Bluetooth Low Energy locks, so if you're interested, go check that out. There's also industrial sensors, so this is a pressure sensor you can go buy online.

We decided to focus on a data logger, a temperature and humidity data logger, specifically the Onset MX1101. Why did we focus on this? Well, the manufacturer actually is really proud to include some testimonials. This is one of them, so this lady's claiming that she uses this to monitor the temperature and humidity of the Magna Carta, one of the four copies of the Magna Carta in England, and there's no way this is actually happening, right? Well, I don't know. I haven't been to England recently, and I couldn't get them to pay for a trip, but we do know that this picture exists, and this is like a marketing picture, if you will, but it's her holding an app that's controlling the temperature sensor that's inside the case of the Magna Carta. So there are some potential implications.
So let's talk about this, yeah, that's how you make it rich again, right? Let's talk about this sensor a little bit more closely. Specifically, it's a data logger, so essentially you put this thing out there, and it just tracks temperature and humidity and just logs it, and you can walk by with a companion app to actually pull off that information. There's a password that you can set up on the sensor so that not just anybody can walk by and pull off your data, and you can also do firmware updates over the air, which the manufacturer has enabled on this device. Those are both very interesting things that we'll talk about in a little bit, okay?

So before we move on, I want to draw a clear line in the sand between Bluetooth Classic and Bluetooth Low Energy, okay? When you hear Bluetooth, it kind of covers all these things, so I want to make sure that we're talking about the same thing here. Classic is a high-overhead, fast-data-rate thing, something that you might use to listen to music, to make phone calls, right? So your car is using Bluetooth Classic type of communications. Bluetooth Low Energy is a completely different protocol that is designed specifically for low-energy transmissions. Specifically, stateful types of transmission, so whether a door is open or closed, whether a light is on or off, or a command to turn a light on or off. So it's very quick, very short bursts of transmissions, and that's what Bluetooth Low Energy is primarily useful for, and that's the type of communications that we're going to be talking about today, okay?

So our basic hacking process, if you will, kind of follows the traditional hacker's methodology that you can just go Google.
Basically, you have to find a target first, then you enumerate its services and characteristics, and we'll talk about what those mean, and then you kind of have to reverse the application protocol and try to figure out what the application is trying to do, specifically the app on your phone: what's it trying to do when it communicates with the device, okay? And if you complete these three steps, then you can of course do whatever you want, attack, profit, whatever, okay? Cool.

So step one, select the target. As of yesterday, there wasn't really a clear way to do this. Thanks to Zero and his team, they put out a tool called Blue Hydra, which helps you find Bluetooth Low Energy devices out in the wild. So there you go. So go download that and use it. If you don't have that, here are some of the other ways that you can do it. Basically, every Bluetooth Low Energy device advertises some sort of information. Specifically, it advertises connectivity: am I connectable? It optionally advertises available services that it's providing, or some manufacturer-specific data, okay? So if you can listen to those advertisements, you can generally see that there's a device out there. Your other option is to do a scan request. So a scan request is just a broadcast asking what devices are out there, and they all respond with scan responses. And then there you go. You have what devices are out there, okay?

To do it on a tablet, you can use an app called LightBlue or nRF Connect. If you just download it right now, you can find what Bluetooth Low Energy devices are around here. If you're on Kali, you can use hcitool. So anybody heard of hcitool, ever used it? Yeah, right. So it comes available with the BlueZ Bluetooth stack, so you just use it, run an LE scan, and you can see all the Bluetooth Low Energy devices in the area. If you just want to listen to those advertisements without sending scan requests, you can use the passive option.
Now, any time I do anything Bluetooth Low Energy on my Kali box, I have btmon running in a different window. And btmon essentially is Wireshark for Bluetooth. So anything that the computer sends down to the Bluetooth dongle and anything that comes back from the dongle to your machine gets displayed by btmon. And I think Blue Hydra actually uses btmon and parses btmon to provide you information about what devices are in the area. So cool, awesome. Okay.

If all this fails, you can always use a sniffer. So we're going to have three different types of sniffer, or three sniffers that are out there. Number one, Ubertooth One. It's probably the most popular one. It's one of the first dongles that could actually sniff Bluetooth Classic communications for cheap. So it's really well known and widely available. So you can find that for about a hundred bucks. If you don't have a hundred bucks and you only want to sniff Bluetooth Low Energy devices, you can use something like the CC2540 eval kit, which actually comes preloaded with a sniffer. And then you just download TI software to run on your machine that displays all the sniffed packets. Or you can use the Bluetooth, or I'm sorry, the Bluefruit LE sniffer, which is about 30 bucks. Again, those two types of sniffers are actually meant for debugging purposes, right? So you're building a Bluetooth Low Energy application and you want to know what kind of communications are occurring between your devices, like your app and your device or something. These sniffers will help you debug that communication. We're just taking advantage of it because, hell, that's the information that we're looking for. So you can use those.

Now, you might come across packets that are actually encrypted. And this is kind of what an encrypted packet looks like in Wireshark. So most notably, you'll see the start encryption request at the top.
That's kind of a giveaway that the packets, or the communication, were encrypted at the link layer. If you see a lot of L2CAP fragments like that, it also probably means that it's encrypted. So you're not shit out of luck if there's encryption. Mike Ryan gave us a tool called Crackle, which takes advantage of a vulnerability that he found with the pairing process if you're using either six-digit PIN pairing or Just Works pairing. So if you use his tool, and you can capture the pairing process, which only happens once at the very beginning, whenever you first get the device, you capture that sniffed pairing, you feed the encrypted traffic to the tool and out comes unencrypted traffic. So we've run a lot of this, we've tested this tool and it works really great if you're using either one of those two types of pairing modes. Now, the Bluetooth gods, if you will, put out another type of pairing, which actually was recommended by Mike Ryan, which mitigates this attack. But what we found is that actually most devices don't even use link layer encryption, because you have to pair. So that's harder for the user to do. So they just avoid it altogether and they either don't encrypt their communication or they encrypt at a higher level, at the application level or something like that.

So we actually prefer not to use any sniffers at all if we can avoid it, because sniffers still do drop a lot of packets. So what we prefer to do is just, if there's an Android app available for the specific thing that we're trying to interact with, we'll download the Android app, we'll enable developer options, enable that Bluetooth HCI snoop log option, and then it just does the same thing that btmon does, except in your Android tablet. So you just pull that file off and you can read it in Wireshark. Super easy.

So step one was finding devices. Step two, enumerate. We're trying to figure out what services and characteristics are running on our target.
If you want to do it actively, you can use your tablet to connect. So as soon as you connect with nRF Connect or LightBlue, it's just going to tell you what services are available on the device and what characteristics are on there. If you're on Kali, you can use a tool called gatttool, which is also included with the BlueZ stack. You can use the commands primary and characteristics to get all of that information. If you want to do it passively, you can always sniff it. So at the very beginning of a Bluetooth connection, you'll see some of these service discovery messages, which essentially is the devices talking to each other saying, hey, I'm providing these types of services and here are my characteristic handles and all that stuff.

So at this point, you're probably wondering, what the hell is a service and what the hell is a characteristic, and why don't you tell me? I will. So I want to do it through an example. So let's pretend that we're working out. I have a phone and a heart rate monitor, and essentially my phone is asking my heart rate monitor through Bluetooth Low Energy, hey, what's this guy's heart rate? So this is the type of communication that we might see during a workout. Now, what's actually happening is the heart rate monitor is a Bluetooth Low Energy server, in this case serving three different services. Two that are required by Bluetooth Low Energy that I'm not going to go into today, and one that's application specific. And actually, any other ones that you see besides those two are going to be application specific. So what's really happening is my phone is contacting the heart rate service inside the Bluetooth Low Energy server and asking for my heart rate. Pull back one layer, and really what's happening is my phone is contacting the heart rate measurement characteristic inside of the heart rate service, asking for my heart rate. You can actually pull one more layer back.
The BLE client is actually sending a read request to the value attribute inside the heart rate measurement characteristic inside the heart rate service inside the Bluetooth Low Energy server. But I pulled the wool over your eyes, because really the Bluetooth Low Energy server is just a list of attributes. The whole thing is just one giant database of attributes. Now the GATT profile is what assigns meaning to those attributes. So it says this is a service or this is a characteristic. So really, at the end of the day, all Bluetooth Low Energy communications are reads and writes to these attributes. That's it. That's all it is. So if you can break the communication down to that level, you know what's going on between the app and the device.

So here's how it looks for the MX1101 data logger that we talked about earlier. This is literally all of the attributes on that device. The first 11 attributes define those two services that I talked about that we're not going to talk about for the rest of the talk. The next 11 attributes define the device ID service, which includes stuff like the manufacturer name and model number string. This specific service is actually defined by the Bluetooth SIG, the Bluetooth gods if you will. So these guys took their specs and just applied it here and created that service on the device. And then the last 11 are actually the application-specific stuff that Onset, the manufacturer, developed and put on the server. And the most interesting thing about these attributes is the command and control attribute. So as we'll talk about in a sec, they use this one single handle to control it and to pull data off of it. And we'll talk about all that in a little bit.
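The layering just described (the server is one table of attributes, the GATT profile gives rows meaning by their type, and the phone's "what's my heart rate" is really a read of one handle), as an added Python model that is not code from the talk, from Onset, or from BlueZ. The UUIDs 0x1800, 0x1801, 0x180D, 0x2A00, 0x2A37 and the declaration types 0x2800/0x2803 are Bluetooth SIG assigned numbers; the handles, device name and 72 bpm value are constructed for the example, and `primary()`/`characteristics()` only mimic what gatttool's commands of the same name print.

```python
from collections import namedtuple

PRIMARY_SERVICE, CHARACTERISTIC = 0x2800, 0x2803   # GATT declaration types (SIG)
PROP_READ, PROP_WRITE, PROP_NOTIFY = 0x02, 0x08, 0x10

# One row of the attribute table: a handle, a type UUID, a value, and permissions.
Attribute = namedtuple("Attribute", "handle uuid value props")


class AttributeDatabase:
    """The BLE server itself: nothing but a handle-ordered list of attributes."""

    def __init__(self):
        self.attrs = []

    def _add(self, uuid, value, props=PROP_READ):
        self.attrs.append(Attribute(len(self.attrs) + 1, uuid, value, props))
        return self.attrs[-1].handle

    def add_service(self, svc_uuid):
        return self._add(PRIMARY_SERVICE, svc_uuid.to_bytes(2, "little"))

    def add_characteristic(self, char_uuid, props, value=b""):
        # Declaration value = properties | value handle | characteristic UUID
        vh = (len(self.attrs) + 2).to_bytes(2, "little")
        self._add(CHARACTERISTIC, bytes([props]) + vh + char_uuid.to_bytes(2, "little"))
        return self._add(char_uuid, value, props)

    def read(self, handle):
        """ATT Read Request by handle: at bottom, this is all a BLE client does."""
        if not 1 <= handle <= len(self.attrs):
            raise LookupError("ATT error 0x01: invalid handle")
        attr = self.attrs[handle - 1]
        if not attr.props & PROP_READ:
            raise PermissionError("ATT error 0x02: read not permitted")
        return attr.value

    def primary(self):
        """Like gatttool's 'primary': each 0x2800 row starts a service (start, end, uuid)."""
        starts = [a for a in self.attrs if a.uuid == PRIMARY_SERVICE]
        ends = [s.handle - 1 for s in starts[1:]] + [len(self.attrs)]
        return [(s.handle, e, int.from_bytes(s.value, "little")) for s, e in zip(starts, ends)]

    def characteristics(self):
        """Like gatttool's 'characteristics': decode every 0x2803 declaration into
        (declaration handle, properties, value handle, UUID)."""
        return [(a.handle, a.value[0], int.from_bytes(a.value[1:3], "little"),
                 int.from_bytes(a.value[3:5], "little"))
                for a in self.attrs if a.uuid == CHARACTERISTIC]


def build_heart_rate_monitor():
    """Constructed server: the two required services (GAP, GATT) plus Heart Rate."""
    db = AttributeDatabase()
    db.add_service(0x1800)                                  # Generic Access
    db.add_characteristic(0x2A00, PROP_READ, b"HRM-demo")    # Device Name
    db.add_service(0x1801)                                  # Generic Attribute
    db.add_service(0x180D)                                  # Heart Rate
    db.add_characteristic(0x2A37, PROP_READ | PROP_NOTIFY, bytes([0x00, 72]))  # flags, 72 bpm
    return db


def read_heart_rate(db):
    """What the phone 'really' does: find the 0x2A37 value handle, then read it."""
    value_handles = {uuid: vh for _decl, _props, vh, uuid in db.characteristics()}
    return db.read(value_handles[0x2A37])[1]   # drop the flags byte, return bpm
```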
So once you've found your device and you've enumerated all the services and characteristics and found that attribute table, then you have to understand, like I said, what the application is actually doing, how it's communicating with those handles, to figure out what kind of data it's pulling and how it's pulling that data, okay? So the strategies for this are endless. I mean, it's just a reversing project. One of our favorite things to do is, once you figure out what the handles are and how they relate to services and characteristics, you just impersonate the device. So after we found that, got that database, we implemented our own device with that same database. And then we used the app to communicate with our device. And because of that, we were able to extract a lot of functionality that the app had that the device maybe didn't have. So just an interesting thing to do here.

So let's talk about the MX1101, our target and Nick's favorite item here. The password that I talked about that protects your device, it's sent from the app to the device in clear text to that command and control handle. Literally, just sit here with an Ubertooth and you will know my password, which is ridiculous, because that command and control handle does everything from configuring the device, setting alarms, pulling data off, whatever. And you can do all of it if you've authenticated with the device using the password that, oh, you just sniffed, okay? Now, the most interesting thing for me is the fact that they allow, oh, that, okay. This is an example. You would send a command to that handle. And everything that comes back is data, okay? That's kind of what that looks like. Now, the most interesting thing to me is that you can send a specific command that's just unhandled right after you've authenticated. You send the specific command and it just stops logging.
It just breaks down, which is a problem, because in order to get it to start logging again, you have to reconnect with your app and you have to reconfigure the device and then restart it, and then I'll just do it again and then you're offline. Cool?

But even more interesting than that, you can perform over-the-air updates. So I thought, well, can I perform an over-the-air update with my own firmware? And this is just a proof of concept. Remember, I said they had a device information service running in that device. I just changed what the manufacturer name string and model number string were, and then I uploaded my own firmware, and I changed it, right? So proof of concept, you can change, you can add your own firmware to this thing. And actually, if you guys pull out the app right now, you'll see that the device, which is, I meant to pull it out. Yeah, right. I'm not Nick Cage, all right. If you guys find this device right now, it's actually a heart rate monitor, or it's pretending to be a heart rate monitor. So yeah, I literally rewrote the whole firmware for this thing and just added my own whatever the hell I wanted to do. So, not good. But this is the type of stuff that you'll find out there once you start looking into Bluetooth Low Energy devices.

So once you've figured out the application, do something with it, okay? So if you want to write stuff on your Kali machine, you can use Scapy. And Scapy has a lot of nice libraries that you can just use to send write commands and read commands and pull data off. Again, all you're doing is interacting with these handles. So as long as you can code that up, you're good to go. If you're on a tablet, you can actually just, like, pull it up, tap handle 19, tap write this set of hex characters, go. That's it. Now, you know, most of these communications will take like 20 or 30 back and forth, you know, handle writes and reads. So you probably want to implement a lot of it on your Kali box if you can.
Proof of concept, we built a password sniffer and a brute-forcer, a password brute-forcer. We built a data dumper so you can just pull data off of that device arbitrarily. We built that device impersonator that I was talking about earlier. And a firmware uploader. And all those tools are available on our GitHub as proof-of-concept tools. Now, you probably don't have an MX1101 to play with, but if you look through that code, you'll see how we're actually writing to handles and reading from handles, and then, you know, go forth and conquer.

So some more resources for you. If you're interested at all in Bluetooth Low Energy hacking, read the developer's handbook by Robin Heydon. He's one of the original developers of the Bluetooth Low Energy protocol and he wrote this book, and it's awesome. So read through it and a lot of this will make more sense. Mike Ryan, the guy who made Crackle, has done a lot of Bluetooth Low Energy research that you can go find at his sites. Some people to thank, some of them in the audience: Ben Ramsey, Anthony Rose, Caleb Mays, Mike Ryan, and directly the folks at Wireless Village for letting me come here and talk. And of course, the lady at home.

Now, does anybody have any questions for me at this time? Ma'am, maybe not, maybe I'm not familiar with it, but the only security protocol, I guess, that I would know about is the link layer encryption, which is all handled by a security manager service, basically. And I, yeah, so I'm not really familiar with what you mean, but maybe we can talk offline about it. Anybody else? All right, hopefully this was helpful. I'll be around. Come ask me questions, grab me a beer if you want. We'll be cool. Appreciate it. Thank you very much.