
Hardware Hacking: A Primer on Reverse Engineering Bluetooth Transmissions

BSidesROC · 2023 · 33:22 · 57 views · Published 2024-09 · Watch on YouTube ↗
About this talk
Edward Warren introduces hardware hacking through practical exploration of the Bluetooth interface, demonstrating reverse-engineering techniques on a medical device. The talk covers reconnaissance methods using open-source intelligence, Bluetooth protocol basics, packet analysis with Wireshark, and real-world vulnerability discovery including unencrypted data transmission and hardcoded API keys in Android applications.
Original YouTube description
An introduction to exploring the Bluetooth interface for aspiring hardware hackers.
Transcript [en]

All right, here we go. All right, so good morning everyone. Well, my name is Edward Warren, and this is my second BSides and my first time public speaking. So I want to welcome everyone to Hardware Hacking: A Brief Primer on Reverse Engineering Bluetooth Transmissions.

So, just going to briefly go over an overview. We have: who am I; getting started; some OSINT resources for Bluetooth and IoT devices; a brief history of Bluetooth; some select tools for Bluetooth/IoT analysis; some tools for Bluetooth sniffing; a section called "the medical information at risk" (you'll have to wait to see the contents there); trial-and-error reverse engineering of Bluetooth transmissions; and Android application secrets. So I hope we have time to get through all these slides successfully.

All right, so who am I? I'm actually a junior security analyst at Sedara and a former managed Wi-Fi technical support representative. I like more than software bugs, and this is actually my backyard fence. I have a lot of hobbies way outside the scope of this talk, but yeah, [inaudible] is one of them.

All right, so getting started. We have some pretty basic information here; it should be self-explanatory to a lot of people here. When you're going after a device, I want to get right to the meat of it, so you definitely want to recon the attack surface. A lot of time can be wasted when a few more Google searches can get you there, utilizing open-source intelligence. And having a clear mission: once again, pretty self-explanatory, but the amount of devices I bought without a clear agenda for what I wanted to do with them has kept me scatterbrained for a while. So I would definitely keep your eye on the prize in that respect.

All right, so more about these open-source intelligence resources for Bluetooth and just devices in general. One of my two favorite resources would be the FCC directly, along with Google. You can find this one website, fcc.io, through a Google search, and as it states here, they are required for all wireless devices sold in the United States. Honestly, you can get a wealth of information, and internal and external diagrams of the device, where you can take a look at the chips if you want to do any desoldering or anything along those lines. But fcc.io is a great resource and will have a surprising amount of information. Oftentimes, due to things like radiation, all devices have to meet certain specifications, so a lot of stuff that won't appear in a manual (which is very little at all in modern manuals) you can get right off this website. I'm going to show it in a second. All right, a little hiccup there.

All right, so now, this information was scraped directly off fcc.io. In this case this is actually going to be one of the devices I'm going to be speaking about, referring to the medical devices, and these are the internal schematics. We're going to talk more about this device, but right away I didn't even have to open up the device. In fact, the device I'm going to be demonstrating, this particular device, I didn't open up at all. But I was able to get a lot of information right off the internal specs: I get to see the type of chip that was being used, and along with some of the other reports, you can just get a good visual look for potential debug ports like UART. In this case those in particular are not applicable, but I got a lot of information without ever touching the device,

as you'll see moving forward. So now I just want to go over a brief history of Bluetooth. This information is summarized directly from bluetooth.com, but I'll go ahead and just restate it. So what is Bluetooth? It's not an acronym and doesn't stand for anything. So what does it mean? The name actually dates back to the Viking era, specifically King Harald Gormsson, who earned the nickname Bluetooth essentially due to a rotting tooth which had that color. Apparently he's also known for unifying Denmark and Norway in 958, and it's essentially a combination of two runes (I won't try to pronounce these because I'll wince at them), but together they form the Bluetooth logo, and it looks like that little cool ... it didn't render in my PowerPoint correctly, but yeah, so sorry about that.

All right, so like I said, this is a brief primer, so a lot of the nitty-gritty details, unfortunately, you're not going to get from me. But we're going to start this intro just comparing Bluetooth Classic to BLE. Bluetooth Classic, well, Bluetooth in general, is a specification; there's a lot of versions, and we're currently up to 5.3. Oh, I'm sorry. All right, can everyone hear me better? All right, sorry about that. So the Bluetooth specification, we're currently at version 5.3, and one thing to keep note of is that what's often referred to as Bluetooth Smart starts at version 4.0. It's when security started to get a lot better. The majority of devices are still running 4.0, and we've had that spec since 2016. So as of right now, even the device I'm going to show, the chip was compatible with 5.3, but the Bluetooth version was set for 4.0. So even newer chips are still using old protocols, and that's essentially part of the problem.

Another thing about Bluetooth that I'm sure a lot of you are familiar with is that, in terms of the wireless spectrum, it uses the same exact frequency range as Wi-Fi, starting at 2.402 to about 2.480 GHz. And part of the reason ... so part of the issue with Bluetooth, in terms of interference between signals: it'll do something called frequency hopping. So essentially there's three advertising channels and there's 36 data channels, and when a device is ... okay, so I'm going to just preface this: Bluetooth operates on a client-server model, so you have a device speaking here trying to connect from point A to point B, and one of the issues with Bluetooth, because of the interference, is it does frequency hopping to limit interference with Wi-Fi, RC cars and the like, along with microwaves.

All right, so now we're going to go over some select tools for

Bluetooth/IoT analysis. Granted, there's tools better than these; these four tools are the ones I directly used, which is why I'm referencing them. You see that one GitHub project, JADX. It's great at essentially turning Android Java code, or an Android APK compiled into Java, into pseudo-code, so you can just directly look at an application right off the Play Store, decompile it, and get straight Java code. So it does most of the work for me, that tool all by itself. We have bettercap, which is a great tool for interfacing with a Bluetooth chip, and in general it allows you to make arbitrary write and read commands and allows you to set up what's going to be referred to as a GATT server, or generic attribute server, which is part of the Bluetooth spec; we're going to go into that a little more in a bit. Aurora Store: honestly, the reason why I like Aurora Store is that it's essentially a clone of the Play Store, but when you're downloading things, it allows you to get the APK without installing it. So just having access to the APK, you can pick the corresponding version, and oftentimes, with at least Android reverse engineering, the device-specific version is very important. So once again, Wireshark, as I'm sure most of you are familiar with Wireshark; it's going to be the primary tool I use to go over the protocol.

All right, so this is actually the result of running bettercap. We're going to focus on two points here, and as I have stated in the bottom text, the GATT, generic attribute profile, is a protocol that defines how data is exchanged between Bluetooth devices. Once again, it is client-server, and the GATT server stores attribute data. So the way I like to look at this is that, essentially, if you think about a network protocol, for example a web server running on port 443, there's a similar interaction with Bluetooth. They're called UUIDs, or unique identifiers; it's essentially a string of 32 characters reflecting 128 bits, and the Bluetooth specification, like a web server running on standard port 443 or port 80, defines use cases. So for example, you see "battery level" and you see four characters: that's actually a shortened UUID; we're only getting essentially 16 bits of the whole long string. So in the Bluetooth protocol, for things that are well known, like battery level, those are usually condensed. When you see this long string, this is essentially the specification allowing vendors to create their own unique protocols. So in this case you see the one that starts with 736319; in this case, this is actually a Bluetooth blood pressure cuff, and this service allows a few abilities like read and write, along with send notifications. We're going to go and move forward. For this particular slide, though, I added some generic information because for the device in particular there is some redacted information, but I'm going to proceed.

So once again we have bettercap. If you're looking for an example of how to run the command, this is directly off their website; this is literally a screenshot. I would definitely recommend going to bettercap and checking out their resources. In this case, the guy listed here was able to unlock a Bluetooth smart lock by just sending a string of all Fs, and he called it ... [inaudible]. I'm using this more so just as notes; I'm not going to really go over this, but if you would like to reference it, I recommend going to the site. Another honorable mention is this program called nRF Connect. It's an application that works on Android, iOS, along with desktops, and Nordic Semiconductor makes it; they're the same company that produced the chip that was actually on the device. In this case, once again like bettercap, you can create your own Bluetooth servers, and it even allows you to set macros where you can do some kind of arbitrary command, attempt to fuzz the device and see what kind of responses you get. Great resource. We're not going to really get into the weeds of it, but I just want to leave it up there for reference, and once again, at the end of these slides you'll see where you can get all this information.

So now we have select tools for Bluetooth sniffing. There's a lot of devices; there's the Ellisys Bluetooth Explorer, probably not even pronouncing that one right, but we'll let that slide, at $25,000. The thing about Bluetooth is that because the advertising is always done on one of three overlapping channels, depending on the device, if you're using a device like the Ubertooth One you can only get about 33% of the information that you need, so it's recommended to have three Ubertooths for this to work out properly. But in all honesty, the Ubertooth One worked out best for me. I've never used this device right here, but I'm not paying $25,000 for anything. So, the Ubertooth One I got: actually, you can get this on eBay for about 60 bucks, flashed to the current firmware, which will save you enough headache by itself. So the Ubertooth One is the way to go, and you can still get these for 60 bucks fully flashed; that's what I recommend. nRF, once again, they have this Bluetooth dongle pack; there's a lot of stuff I can't really get into, but they're Nordic Semiconductor, they know their stuff, and I would definitely recommend using them as a resource.

Okay, so we want to talk about Bluetooth sniffing. I will have a demonstration of Bluetooth sniffing; we're going to save that for the end. But I just want to go over this quick concept called the HCI. The Bluetooth stack uses this thing called the host

controller interface, and the easiest way of looking at it is: this is my Pixel 4a that I'm doing this demonstration on. It will reflect the host; the controller is actually the Bluetooth chip directly on the phone, so you can think about the interface being like a bus for these two things. But yeah, the host and controller are oftentimes on the same device. The reason why I bring this up is that if you're trying to do Bluetooth reverse engineering, because of the difficulty in actually doing practical Bluetooth sniffing, it's important to get the information before it's being broadcast, because you run into two issues: broadcast Bluetooth data can be encrypted, and it's not going to be much use there; and also there's a lot of diagnostic information that's sent from the host to the controller that never makes it to the internet, I mean, I'm sorry, that never makes it over the air: instructions for setting a long-term or short-term key. So just something to keep in mind, that by pulling what's called the HCI snoop log, it will allow you to get this information. If you have an Android phone, it's a setting you can just enable right now; just go into your settings menu and look up "HCI snoop" or "HCI snoop log", and you'll be able to immediately start logging this data. The good thing about it is that because it's gathering the information prior to encryption, it can just save you a lot of time. I was slamming my head against the wall for a while, so I don't want you guys to have that experience.

So, all right, here we go: find random Bluetooth blood pressure monitor. Okay, so the reason why it's "random" is that, although there would be plenty of hints, I kind of look at it like a visual capture-the-flag challenge, if you're actually able ... I have another test, if anyone's actually able to determine what device it is based on enough hints in the presentation; I don't make it very easy. And also because of a few vulnerabilities I've reported on this device, there's a few vulnerability numbers that are being pended, so this is an official disclosure, but look at this as a sneak peek; it's officially coming out next month. So, yeah.

All right, so here we go. Lots of stuff on this slide. So now, in this case, we have a Wireshark pcap and we've got a lot of stuff going on here.

What I'd like to bring everybody's attention to, though, is that Wireshark is great at parsing all this Bluetooth information, and for devices that use the defined GATT UUIDs, like for example there is a measurement for blood pressure that's well defined by the spec. In this case this device did not use that identifier; if you see "unknown", unknown is because it can't determine what it is. So just take a look at this; we're going to go further into this. I just like to dump a bunch of information in front of you, and in this case you see a value column. These are actually strings that were sent from my phone to the blood pressure cuff, and part of this reverse engineering is going to go over what this actually means, so that, you know, we make sense of it. We're going to go over a few examples. The application in question here, or at least the vendor: the vendor makes at least six products, so there's just a lot of code that's meant for different devices. We'll go over that in a second here, but I just want to get you looking at the Wireshark pcap. In this case, I don't know if you can see it in the upper left-hand corner, I used a filter called btatt, for Bluetooth attribute. Essentially, by using that filter you'll get rid of everything that's not actually over the air; that'll be more important as you move forward. So let's keep this moving here.

Okay, so now we're still looking at this data. So I spent a lot of time just staring at values, staring at values, and just staring to see if it made sense, and I wasted a lot of time just staring at it. This didn't start off very technical; lots of staring. Eventually, though, we get some insights here, and it can't be said for the rest of it, but we know what some of these values are through a lot of trial and error, and in the future I'm going to show you how to avoid some of this error, because the information was in the app to make it a lot easier to find. But if you're doing trial and error, you'll eventually realize that, getting all these strings, these hexadecimal strings, it turns out, you know, just converting base 16 to base 10, or hexadecimal to what we normally use, we get all the values here that are left in this application. So you see 6f is 111 for systolic and diastolic pressure; we have the pulse rate, mean arterial pressure and pulse pressure. All that information was in there, not encrypted; I mean, it's still considered plaintext.

All right, so we're going to go back to this trial and error. So in this case, what you're seeing is the result of my blood pressure actually being monitored live. So we've got the columns; once again, we see the information that appears over here, like systolic, diastolic pressure. We also see this column to the far right, and the reason why it's changing is because as the pulse is being calculated those values are changing, so you're basically getting real-time data. So trial and error was me trying to figure out what the rest of it means, and I'm only going to get so far here just trying to stare at it and guess how it could be encoded. I hit a brick wall again, so I'm just like, well, trial and error: see this value incrementing or doing something? I think we're getting somewhere. But I eventually decided it's time to look at the app, because I can't spend ... I spent a ridiculous amount of time just staring, and it was, yeah.

All right, so here we go, we go to the app. So now, once again, I tried to Google most of the functions, and this information

is not just sitting out there easy to grab. But the reason why I pull up this screenshot right here is that this is actually a function that was pulled out of JADX called "BLE service". Fortunately it's called BLE service, so I didn't have to really think about what it did; not exactly obfuscated in this situation. What's important, though, is that when I scanned the device with bettercap, or I used nRF Connect, I looked at those UUIDs and I tried to find them in the source code. So, as we see, redacted UUIDs: find them in the source code, and like I said, UUIDs are not private. In this case, for this service, all of their devices use the same UUID to reflect write and notify, so these are essentially static, but they're not part of the official specification.

All right, so here's where things start getting interesting. So I'm looking at where I got so far, and what I know is that, if you see the vertical lines at the top, I got these basically separated like arrays, and I stick to what I know. So I still have the information that I got from the app: you know, I see pulse rate 91, mean pressure 72. So I'm still looking at this, trying to figure out what's going on here. So I keep looking at the app, and I keep looking at the app, and what's in this first position confused me at first. Eventually I found a function called "get request". So we've got this get request function, and we see these byte arrays that it makes. Now, it may not be apparent right away, but if you look at where we start with that number, minus 91, what I quickly noticed is that from byte position 0 through 6 can now be reflected. So essentially this first line from my Google phone to the device, that ends in 92, that's essentially a get request where it's reading a file off the blood pressure monitor. So that minus 91: here's where things get a little tricky. Apparently in Java, when we get minus numbers, because Java doesn't have unsigned bytes, the fact that this number is stored as minus 91 means it gets the two's complement version of it. So essentially minus 91 becomes 91, you invert all the bits, and then you add one, so that minus 91 is represented. So that's where I get essentially this 165. And honestly, the built-in calculator that comes with Windows was another honorable mention, because I spent a lot of time just using that.

All right, so we're going to go ahead and move forward so we can explain the rest of this. All right, so now we're going to focus on this byte position 1. I was still looking at that number 243; you know, we got 243 from F3. So I kept wondering what exactly it is doing. I don't know what 243 is. I kept searching the app until I found the 243, and I kind of got a little lucky here. So here we go, 243: we have another function called the "BLE command". So now we have a bunch of commands, so at least we know the first part is, you know, my phone is making a request, a blood pressure monitor making a request. In this case,

the request is the read package, 243. But at this point I'm still not entirely sure that's a coincidence; this app has hundreds of functions, and I'm not entirely sure, so I'm going to move forward to see if everything matches up. So we're just going to go ahead and move forward.

All right, so now I find some additional code. It actually turned out that this code is actually not for the blood pressure monitor but for another one of their devices, this oximeter you use on a finger, but it gave me important context. The context it gave me is this word "command"; at least it let me know that we're on the right page, that when I'm looking at this string, it must refer to a command. A difference here, though, is that for byte position 4, it indicates package number, and the original static byte reflects sequence number. I'm not really sure these are entirely the same, but they seem pretty consistent with their product, so we're going to move forward.

All right, so now we've got the next part. We've got to quickly align the tilde symbol, and essentially we're looking at this tilde; it's basically acting as a NOT operator. So if we see the 243, represent it in binary, flip it, we invert the bits, we get 12. So at least it's making sense; still not 100% sure what it does, but at least it's starting to click here.

All right, and this is pretty straightforward: just like in the other function, byte 3, it's a zero. Why they chose zero, still not 100% sure, but at least it's making sense here; I see zero up here at the top, you see 0, so we're getting somewhere.

All right, finally, we've got this last thing, CRC. So usually CRC is cyclic redundancy checks; devices use this to make sure that data isn't getting corrupted. What's odd about Bluetooth is that although Bluetooth already has its own built-in CRC, in this case, because they essentially made a proprietary protocol to exchange information between the smartphone and the device, in their own protocol they added a CRC check, CRC-8, which I thought was interesting. So I used crc.com, and yeah, it turned out to be valid. Now, the math behind CRC checks, you'll have to ask somebody else about that, but this handy website here let me know that everything was good.

All right, so once again, we have a Wireshark filter basic cheat sheet. This is just a quick-and-dirty cheat sheet. Once again, I mentioned btatt; that'll show you what's going over the air. If you see the second one, you'll see it ends in "long-term key"; that lets you know that you're running at least Bluetooth version 4.0, and if you see a value for long-term key, that means that the HCI is setting a long-term key, which means that, you know, it's encrypted. And if you see the second value, just the link key, you know that you're running Bluetooth Classic. But if you don't see these, then you at least know that it's not encrypted, which is great, because in this case it wasn't encrypted. So not being encrypted brings us to just a couple of issues. I'm going to go ahead and show a demo; I forgot that

was the next slide. But I'm going to link this, so if you guys want to go over this again ... What's important to make out here, and I'm going to probably play this one more time, is that essentially what you're seeing here is the Ubertooth following the connection. So you'll have the connection between my phone and the device, and what usually happens is that when a Bluetooth device is sending out advertising requests, it'll advertise on one of those three channels, 37, 38 or 39, over the air, and then once it completes the pairing process, which in this case the pairing process was kind of flawed because of the lack of encryption, but once the pairing process completes, you'll see one of these fields; you'll see it say "frequency", and you'll see that it's hopping, and that's done after the connection's been established. So right now the Ubertooth is able to follow the connection despite the fact that they're hopping between 36 channels. So that's the magic of the Ubertooth, the fact that it can do this, following the connection. And in this case this is unencrypted data that I was able to get with the Ubertooth, and the main thing it's here to demonstrate is that on this device information wasn't encrypted; it was medical-adjacent information, so for PII controls or a potential HIPAA violation, I was able to pull it off the air. Who ... oops, uh-oh, technical difficulties here.

[A few moments later.]

So, a little recap. All right.

All right, so another thing that's just worth noting: when you're using JADX to do Android app reverse engineering, you're just looking at the app, and you'll be surprised what's inside there. In this case I found hardcoded API keys, and you know, there's limited damage you can do with the Google API key, but you could certainly cost the company a lot of money by having them fetch resources. I also found API keys for their own API. Because I limited my research to a device that I own, and nothing traversing out, I haven't done much poking at it, but like I said, this information is right in the app, and if you can determine what the device is, you'll have these API keys too, to get into some mischief.

So once again we have some conclusions here, and one of the big conclusions, if there's nothing else as a takeaway, is that there are so many different classes of vulnerability that if your goal is just to find a vulnerability, you'll definitely find one, because there's enough vulnerability. Like I said, here's a few examples: missing encryption of sensitive data, and use of hardcoded credentials. There is a proof of concept I'm still working on; I haven't ... but I'm pretty sure I see a few buffer overflow examples here, so if anyone wants, feel free to beat me to it, if you can identify the device; have at it. But I don't have a working PoC yet, so if you want to contact me, you know, you can get these slides on GitHub and you can find me on LinkedIn. Yeah, any questions?

Question: How long did this process take, start to finish?

I spent an embarrassing amount of time looking over the app, and I'm still not 100% done. There's just so many functions, and just trying to get it to play through my head, it was definitely a challenge, but I spent an embarrassing amount of time on just this presentation. So I appreciate everyone for showing up here. [Inaudible.]

Question: [Inaudible.]

So the FCC website says that they had the spec sheet in 2019, so I'm guessing it's a 2020 device. It's still a pretty new device to still be running 4.0. We've got ... there's a lot of security that's been added even in 4.2; they added the idea of secure connections, so when device pairing happens it is using public-key crypto. But even this device, you know, it's relatively new and even had a brand new chip, and it was still using a deprecated version, like most devices I've encountered. Yes?

Question: When you were running Wireshark, were you just specifying the Ubertooth directly?

So I was specifying the MAC address of the device, because one of the issues is that oftentimes with your Bluetooth devices, you'll notice if you ever look for Bluetooth, you'll see a bunch of iPhones; oftentimes the vendor will enable MAC address randomization, kind of like what we normally use for Wi-Fi, but you'll see the Bluetooth interfaces. In this case it didn't change; it had a static MAC address. And another odd thing, though, is that I actually thought it was a randomly generated MAC address, but then if you do a vendor lookup, you'll see the first six characters: they're not specified. So it's like they were randomly generating the MAC addresses, but they were burnt on there. So yeah, I thought that was interesting. Yes?

Question: If you do run into something that's encrypted, do you have advice for starting to try to figure anything out about that?

When it comes to encryption, Bluetooth is vulnerable to a lot of ... there's a lot of attacks against Bluetooth, so it really just depends on how weak, like, the nonce is generated. I think, off the top of my head, for Bluetooth, I mean, if you happen to have the key you can get Wireshark to decrypt it, if you have the right information. But that's going to be very tricky. Like I said, there's a lot of vulnerable chips when it comes to Bluetooth; a lot of it seems to be chip-specific. I know, like, ESP32s, they're vulnerable to a class of attacks, so I would look at the chip and see if there's anything specific. I've heard of some wild attacks when it comes to Bluetooth, but I don't have anything specifically to attack encrypted [traffic]. I would say, I mean, I looked at about 20 devices and only one of them was encrypted: the Garmin one. I can say Garmin because that's not this device, but the Garmin blood pressure monitor, it is encrypted. So yeah, and it also bypasses some of the shenanigans, but yeah, this was not Garmin.

Host: I know we want to ask more questions, but our next speaker we want to honor. If you have any more questions, you can [talk] with him.
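The byte-level reasoning the speaker walks through (Java's signed bytes, the tilde/NOT byte, the trailing CRC-8, hex values that are simply plaintext decimals, and 16-bit GATT UUIDs as shorthand for 128-bit ones), as an added, runnable Python example. This is not code from the talk or from the vendor's app: the request frame layout (0xA5, command, NOT of command, 0x00, sequence number, CRC-8) is reconstructed from the speaker's description; the CRC-8 parameters (polynomial 0x07, init 0x00, the common CRC-8/SMBus variant) and the one-byte-per-field measurement order are assumptions; and the sample packets are constructed for the example.

```python
"""Added example, not the talk's or the vendor's code.

Frame layout reconstructed from the talk: A5 <cmd> <~cmd> 00 <seq> [payload] <crc8>.
Assumptions (not confirmed by the talk): CRC-8 uses poly 0x07, init 0x00, no
reflection, no xor-out; measurement fields are one byte each in the order below.
"""

# Bluetooth SIG base UUID; a 16-bit assigned number slots into the xxxx field.
BT_BASE_UUID = "0000{:04x}-0000-1000-8000-00805f9b34fb"

# Command byte found in the decompiled app ("read package", 243 == 0xF3).
CMD_READ_PACKAGE = 0xF3

# Assumed one-byte-per-field order for a measurement notification (constructed).
MEASUREMENT_FIELDS = ("systolic", "diastolic", "pulse", "map", "pulse_pressure")


def expand_uuid16(short: int) -> str:
    """0x2A19 (Battery Level) -> 00002a19-0000-1000-8000-00805f9b34fb."""
    if not 0 <= short <= 0xFFFF:
        raise ValueError("not a 16-bit UUID")
    return BT_BASE_UUID.format(short)


def java_byte_to_unsigned(b: int) -> int:
    """Java bytes are signed; the literal -91 in a decompiled byte[] is 0xA5 (165)."""
    if not -128 <= b <= 127:
        raise ValueError("not a Java byte")
    return b & 0xFF  # two's complement, same result as invert-and-add-one


def crc8(data: bytes, poly: int = 0x07, init: int = 0x00) -> int:
    """Bitwise CRC-8, MSB first (CRC-8/SMBus parameters; check('123456789') == 0xF4)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_request(command: int, seq: int, payload: bytes = b"") -> bytes:
    """Phone -> cuff frame: header byte, command, bitwise NOT of command, 0, seq, CRC-8."""
    header = bytes([
        java_byte_to_unsigned(-91),  # 0xA5, the talk's "minus 91"
        command & 0xFF,
        (~command) & 0xFF,           # the tilde: 0xF3 -> 0x0C (243 -> 12)
        0x00,
        seq & 0xFF,                  # package / sequence number
    ])
    body = header + payload
    return body + bytes([crc8(body)])


def parse_request(frame: bytes) -> dict:
    """Validate header, command complement and CRC before trusting a captured frame."""
    if len(frame) < 6 or frame[0] != 0xA5:
        raise ValueError("bad header")
    if frame[2] != (~frame[1]) & 0xFF:
        raise ValueError("command/complement mismatch")
    if crc8(frame[:-1]) != frame[-1]:
        raise ValueError("CRC-8 mismatch")
    return {"command": frame[1], "seq": frame[4], "payload": frame[5:-1]}


def decode_measurement(hexstr: str) -> dict:
    """Each field is a plaintext byte: hex -> decimal is the whole 'decryption'."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != len(MEASUREMENT_FIELDS):
        raise ValueError("unexpected measurement length")
    return dict(zip(MEASUREMENT_FIELDS, raw))


def fields_consistent(m: dict) -> bool:
    """Sanity-check a guessed field order: PP == SYS - DIA and MAP ~= DIA + PP/3."""
    pp_ok = m["pulse_pressure"] == m["systolic"] - m["diastolic"]
    expected_map = m["diastolic"] + (m["systolic"] - m["diastolic"]) / 3
    return pp_ok and abs(m["map"] - expected_map) <= 1


if __name__ == "__main__":
    req = build_request(CMD_READ_PACKAGE, seq=1)
    print("request :", req.hex())
    print("parsed  :", parse_request(req))
    print("uuid    :", expand_uuid16(0x2A19))
    sample = "6f475b5428"  # constructed: 111/71 mmHg, pulse 91, MAP 84, PP 40
    m = decode_measurement(sample)
    print("measure :", m, "consistent:", fields_consistent(m))
```

The fields_consistent check is the kind of cheap test that tells you whether a guessed field assignment is plausible before you spend more hours staring at captures: pulse pressure and mean arterial pressure are derived from systolic and diastolic, so a wrong column order fails it immediately. If the CRC calculator you match against reports a different CRC-8 variant for the device, change crc8's poly and init parameters rather than the framing.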