Introduction
In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer.
Code
BLE Internals and Working
The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE.
Profiles - Uniquely Classify the categories of BLE products like blood pressure , heart rate, etc
Service - Collection of characteristics which uniquely encapsulates a behavior. They are identified by Unique IDs.
Characteristics - They are basically data. The are meant to be read or written.
Enumeration
Enumerating the BLE devices reveal lot of information on the service the BLE device provides.
In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer.
Code
BLE Internals and Working
The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE.
- Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload. The GAP uses broadcast mechanism to send out the data payload.Now this advertisement process will only continue to work so longer the BLE device is not connected with any device.During the research I learn this as I was not able to find the device as it was paired with an android device. Once I unpaired or switched off the bluetooth in the android device , the scan showed up the BLE device. In the next image we can see how a advertising data payload looks like that is received from the BLE device that is under test.
The another type of payload that is available is called Scan Response Payload. This is generally used to help designers to send extra information about the BLE device, like its name.
- Generic Attribute Profile (GATT) - After we connect to the device , the next step is all about data transfer. Here GATT protocol comes in picture.This profile describes how two BLE devices exchange data. It uses the ATT Protocol which is a protocol that is used to read and write certain attributes from and to the BLE devices. GATT uses the concept of client server architecture. So here the BLE device will act as server and our android device as a client. In GATT we need to know few more terms i.e Profile , Service and Characteristics.
Profiles - Uniquely Classify the categories of BLE products like blood pressure , heart rate, etc
Service - Collection of characteristics which uniquely encapsulates a behavior. They are identified by Unique IDs.
Characteristics - They are basically data. The are meant to be read or written.
Enumeration
Enumerating the BLE devices reveal lot of information on the service the BLE device provides.
BLE Target and Working
So we have few information about the services with us right now after the recon and enumeration
Let us see how the entire set up behaves. If you review the code once you will find that for the value 'a' the LED switches ON and for the value 'b' it switches OFF.
From the bluetooth logs we can find more details about the services and we can confirm that the service ffe1 is used to control the LED light. The Service ID is same as that of the Unknown Service ID. So we can confirm now that service is all about controlling LED.
- BLE Device MAC Address
- The Generic Access
- The Generic Attributes
- Device Information
- An unknown services ( Which I am most interested as an attacker )
From the bluetooth logs we can find more details about the services and we can confirm that the service ffe1 is used to control the LED light. The Service ID is same as that of the Unknown Service ID. So we can confirm now that service is all about controlling LED.
Now that we know about the target BLE device's MAC, the BLE services's handle to switch ON or OFF the LED and the characteristic value it expects to alter the state of the LED. Now with these information, we can attack the setup and inject values of 'a' and 'b' to switch ON or OFF the LED without having access to the client / android app.
If you are from non-security background you might wonder whats the "BIG DEAL" about it ?
Well imagine that a company produces this setup in a mass and an attacker can compromise every device just by knowing how to hack one device.
References:
https://www.bluetooth.com/specifications/gatt/generic-attributes-overview
https://learn.adafruit.com/introduction-to-bluetooth-low-energy/
https://roboindia.com/tutorials/tutorial.php?tutorial_id=30