
Hello everybody and welcome to my talk, hacking like exploit development for Bluetooth Low Energy. Let me first introduce myself: my name is Sargamada, I'm a security analyst at Inside Attack Logic, where my main fields are IoT and hardware hacking, web, network and printer penetration tests, as well as the Bluetooth technology. A few words on my company: Inside Attack Logic was founded in 2014 in Munich, where we also have our headquarters. We are doing mainly offensive security, so red and purple teaming, penetration tests, as well as security consulting.

So, Bluetooth Low Energy: what is this, do we need this, is this important? If you have a look at this diagram, which is provided by the Bluetooth SIG, the Special Interest Group, in the yearly market update. This Bluetooth Special Interest Group is responsible for publishing and maintaining the Bluetooth specification, and if we look at this diagram then we can see that they estimate a total of over 5 billion Bluetooth Low Energy devices in 2022. If you compare this to the world population, which is over 7.9 billion people, then probably it's quite an interesting topic, and most of you at least have a smartphone, which I assume to be Bluetooth capable. So what about security?

We can divide the vulnerabilities in Bluetooth into four categories. There are general flaws which relate to every wireless protocol, as also Wi-Fi for example: everyone can send packets over the air, so jamming a connection and denial of service attacks are very easy to realize. The next big problem is our configuration issues, so, simplified, if you do not use any encryption then it's probably not secure. A big problem for this protocol itself are design issues. In the beginning of the protocol, you might already have heard about the talk from Mike Ryan, "With Low Energy Comes Low Security", so the earlier version did not provide any security in the pairing at all. Still in the newer versions, which try to, we will come to this soon, still in the newer versions many vulnerabilities were discovered and published, and I think the last one I know about was at the end of last year. And finally we have implementation issues, and implementation issues can lead to very serious vulnerabilities. There's one very impressive example, the BleedingBit vulnerability, which was discovered by the Armis research lab, and hereby the researchers detected a heap-based buffer overflow in the handling of advertising packets which led to code execution and finally could lead to a compromise of the connected Wi-Fi network. I added the sources for reference.
So, getting started. If you start with Bluetooth Low Energy, you have at first the Bluetooth specification, which is a very large document. The Bluetooth specification, the newest version 5.3, is over 3000 pages large and is quite overwhelming if you start. Nevertheless, we have not the time to dive in that deep today, but I will give a short overview of the techniques we need for the later exploit. After this we will discuss an attack scenario, have an overview of the Mirage framework, which I prefer to use for my exploit development, I have here some implementation details, and finally we have our demonstration and the conclusion.

If you start with Bluetooth you have at first to know that Bluetooth has its own protocol stack. The protocol stack is hereby divided into host and controller. The host layers are regularly implemented in the host operating system or your smartphone, and the controller layers are separated in hardware. So the easiest example here is if you have a Bluetooth USB dongle: then the controller layers will be implemented in this dongle, and the host layers are implemented in the host operating system. The host controller interface is then implemented or realized via USB, but also other interfaces are possible. The most important layers for us here are probably the Security Manager: the Security Manager is responsible for the security in Bluetooth, mainly for establishing a long-term key and further distributing encryption keys, or for example keys for address resolution. And the second layer which is involved in security is the Link Layer, which uses this previously established key for the final encryption.

So we can summarize the connection setup as follows. We have always two, or in most cases we have two, parties in the protocol: the master and the slave device. The master device is usually your smartphone or your computer, and the slave devices are peripheral devices, as for example keyboards or smart light bulbs or any other smart IoT product. These slave devices send advertisements to make themselves discoverable for the master device, and the master device will then scan for this advertisement, and if this is the correct slave device to connect to, the connection request is sent and the connection on the physical layers is established. After this we have a service discovery, so every slave device offers services for the master device to use, and if one of both devices decides that it requires a higher security, then the pairing process can be started. So pairing in Bluetooth depends at first on the version of the protocol, or on which version the hardware is capable of, and the other factor are input and
output capabilities. Input and output capabilities are, for example, displays or keyboards. The earlier versions were the legacy pairing, so 4.0 and 4.1. Here we have Just Works, Passkey Entry and Out of Band pairing. Out of Band pairing we won't discuss today, because Out of Band is everything but it's not using Bluetooth as a protocol. Just Works pairing, as the name says, just works, so there's no further interaction from the user required. And for Passkey Entry, at least one device with a keyboard and one device with a display is necessary, so here the display device will present a PIN code; I assume you already know this procedure if you paired a Bluetooth device earlier, and on the keyboard device you have to insert this PIN to finish the pairing process. This legacy pairing is very broken, I already mentioned the talk "With Low Energy Comes Low Security", and should no longer be used.

With version 4.2 the Secure Connections feature was introduced. Secure Connections are based on an elliptic curve Diffie-Hellman key exchange and also offer Just Works and Passkey Entry pairing as well as Out of Band, and additionally here we have the Numeric Comparison pairing. Numeric Comparison means that we have two devices with a display, and on both devices the same PIN will be presented, and if the user compares these PINs and verifies that the PINs are identical, then the pairing is complete. Here we have to say that Just Works pairing is an unauthenticated pairing, so that Just Works pairing has no protection from man-in-the-middle attacks.

Okay, so reversals are very good in Bluetooth hacking, so we have to do something other, funny, and what is widely accepted are these Bluetooth keyboards. I have to state that this is not manufacturer related, it's just an example. This flaw relates to the specific service specification, so in this case the Human Interface Device service, and what we can do here: we can
man-in-the-middle such a Bluetooth keyboard and turn the legitimate keyboard into a Rubber Ducky device. If you do not know what a Rubber Ducky is: a Rubber Ducky is a malicious USB stick which, once plugged into the victim's computer, is able to log or inject keystrokes to execute commands. So for our example we will refer to the Rubber Ducky language, the Ducky Script, and try to exploit the victim computer with a very simple example which just pops up the calculator.

So to achieve this man-in-the-middle situation we have multiple options. The first option is already stated: we try to use the Just Works pairing, which is unauthenticated, and a man-in-the-middle setup is very easy to establish. For this the attacker requires two Bluetooth dongles, one for the connection with the slave device and one for the connection with the master device, and the attacker will present to both directions that it has neither input nor output capabilities, and as a result the Just Works pairing will be used, if the devices accept this. The second option is if you say, okay, I know downgrade attacks, I would never connect my keyboard if I do not have to insert my PIN code; then we have a second option with the Human Interface Device service. In this scenario we first pair with the slave device with the Just Works pairing, the keyboard often doesn't have the requirement to do an authenticated pairing process, and then we spoof the device, wait for the master to connect and allow the Passkey Entry pairing, because we say, okay, we're a keyboard, we have input capabilities. And as soon as the victim inserts the PIN presented on the master into the keyboard, it will be sent to our attacker device as regular keystrokes, and therefore we can use these keystrokes for the Passkey Entry pairing.

So what do we need for this attack? We need two USB dongles. I prefer to use the nRF52840 dongles; they cost about 10 euro and are supported by many frameworks and are therefore very flexible. I use them with the Zephyr project; here we have a host controller interface USB sample, which is at the end a Bluetooth USB dongle, if you want to say it like this. For the host layers I like to use the Mirage framework. The Mirage framework is very complex, but also very flexible, but it does fit the needs for the Bluetooth protocol, which is also very complex. So as the author states, the Mirage framework is a powerful and modular framework dedicated to the security analysis of wireless communications. The Python framework supports multiple protocols, for example Bluetooth Low Energy, Wi-Fi, Zigbee or infrared. And we have a closer look here:
the Mirage framework has several components. There are on one side the core components, which are necessary for configuration, loading and execution of modules; we have the internal libraries, whereby the Bluetooth Low Energy stack is implemented, for example; and we have modules and scenarios. We will focus on the modules and scenarios today. Modules offer the possibility to implement a specific attack, for example the man-in-the-middle attack, and can be used by multiple scenarios to adjust this attack to our needs. So we have one module and multiple scenarios and can easily modify this man-in-the-middle attack to our needs. To do so we have to define scenario signals in the module. That means every scenario signal stands for a packet that the module might receive. In this example the packet is called "say hello", and if the scenario wants to overwrite this method or this packet, it would have to overwrite the "hello world" method. Additionally, we can control if the module code is executed: so if the scenario signal method returns true, then the module code is also executed, and if the scenario signal returns false, then the module code will be skipped.

To create a module in Mirage, we can use the command option "create module". This will create the following template. Here we have two methods which are very self-explanatory, I think: we have init, which initializes the module. Here the most important thing to note are the arguments, so we can pass some command line arguments to our execution, most important for example the target device address and the host controller interfaces which are used by the module. And we have the run method, which is used for the final module code.

So since the module for this specific example, the Secure Connections man-in-the-middle module, is very large and also complex, and I also had to implement the cryptography for the Secure Connections in Mirage, we cannot cover this in detail here, but I will give an overview of what the module does. So at first the attacker initializes both Bluetooth devices, the two Bluetooth interfaces, and scans for the provided slave device, for the Bluetooth device address, and tries to connect earlier than our original master device. After this happens, the most devices are blocked, because slave devices usually are only capable of holding one connection at one time, and a legitimate master is no longer able to detect the slave device. After this we clone the slave device, wait for the master to connect and pair with both sides depending on the scenario and the requirements. After this the man-in-the-middle setup is complete and the module is only forwarding packets from master to slave and from slave to master. So we will have now a deeper look into the scenario.
The scenario can be created nearly the same way. Here we have three methods: onStart, onEnd, onKey. onStart and onEnd are very self-explanatory again: onStart is executed when the module starts and onEnd is executed when the module ends, and onKey is executed if any key on the attacker keyboard is pressed. So since we want to log our Human Interface Device keys, to log the final user input to the console, and also we have to parse our Ducky Script, we will do this in our onStart method. The Mirage framework provides a Ducky Script parser function, which is very comfortable, so we can provide our file here and have four callbacks, which I will explain on the next slide. onEnd can hereby be ignored, very trivial, and onKey just says: if we press the escape key then we end this module, and if we press one, we want to inject our Ducky Script into the established man-in-the-middle connection.

The best way to explain this method is if you compare this to our Ducky Script. So at first we have the add keystrokes method, which is most important. So for Human Interface Devices it works as follows: if you press a key on your keyboard then the keystroke will be sent for the key, and if you release the key then the keystroke release message will be sent. And what is most important here is the timing: so if you are sending our keys or messages too fast, then some of our keys will be skipped, and if we are too slow then the user can see every single letter appearing on the screen, which is a bit obvious. The packet list is just an array; add delay adds the delay, or is for the delay parameter of our Ducky Script, and add text is for the string parameter of our Ducky Script.

So, one last thing to do: since we want to log our keystrokes, we have to overwrite the slave handle value notification packet handler. In Bluetooth these keystrokes are sent via notifications from the keyboard to the computer, and here we check for the handle 0x13, and if it's the right packet, then we log our keystroke to the command line. So one last thing: the used keyboard for this example requires the user to push the button on the back side to put the device in advertising mode. So the device is regularly not in advertising mode, but you have to push the button if you want to connect this device. I will get to this point after the demonstration. So I hope
to stop this here. Okay, so what we can see here is on the left side the victim Windows operating system, on the right bottom we have the Bluetooth keyboard, and in the right top we have the attacker terminal, whereby the Mirage framework is called with the Bluetooth Secure Connections man-in-the-middle module. We are providing the Bluetooth device address; the Bluetooth device address can easily be sniffed, for example with the Ubertooth tools or also with Linux utilities as for example bluetoothctl. This device, a funny fact, uses a random address, and the randomness of this device is that the fourth byte of the address is regularly increased by one bit. So okay, then we have our interfaces, host controller interfaces 0 and 1. We do not require master spoofing in this case, so the keyboard does not care about who's connecting, but we need slave spoofing so that the computer holds the keyboard for the regular Bluetooth device. We provide our scenario, so Bluetooth Low Energy Human Interface Device man-in-the-middle, and finally we provide our Ducky Script. Okay.
Okay, that's good. At first we are entering the scan stage. So, okay, this is very bad, sorry, maybe I can start, one second, sorry.

So maybe this is better, hopefully. Yes, okay, so we're entering the scan stage. Now the moment is here to push the button on the back of the keyboard. After this the keyboard will be detected, connected and cloned, and now we are waiting for the master device to connect.

So the master is connected, the man-in-the-middle stage is established. In the background here is now the service discovery, that takes some seconds, and now the Bluetooth keyboard is connected. We can check now that our keylogger is working.

And this keylogger is also working if the Windows screen is locked, so we can also capture the login password of the user.

And finally we can inject our Ducky Script by pressing the one button on the attacker keyboard and opening the calculator.
Okay, so a few thoughts here: how easy is this? You could say, okay, this attack is only possible if the devices are not paired. Well, there are many ways to disturb the connection and enforce a new pairing process. So the easiest way I can think of is I just jam the connection, and as soon as the user is annoyed enough to re-pair his device, I'm able to intercept this connection. The next question you can ask yourself is: would you push the button if your keyboard is no longer working and re-pair the device? I think I probably would. And to prevent this attack you have to make sure that your keyboard provides Security Mode 1 Level 4. This means that the Secure Connections mode is enforced, so that both devices enforce that an authenticated pairing algorithm is used, so not Just Works pairing, and then this attack is no longer possible. Okay, that's it, so: questions?

Cool, thank you very much, a round of applause for him. I think it was really interesting. We have some time for questions; if you have a question please run to the front to the microphone, and
Classic specification also has unauthenticated pairing, so it's also called Just Works. So the specifications are not identical, but the pairing algorithms are comparable, and if your keyboard allows this authenticated pairing then you also have the problem.

You mentioned that the specification has 3000 plus pages, and then if you look it also has a ton of specifications for profiles and services, and you have different types of operation, mesh, and you have sort of regular advertising, and then the authenticated communication. How do you start with Bluetooth Low Energy if you want to do this and do cool things like this?

It's a good question. I think if you start with Bluetooth then there are some easy tools, as for example GATTacker or Btlejack, which you can start with, and I think most important is that you get used to the protocol, so analyze the regular communication of devices. It is very easy to analyze the communication for Bluetooth protocols via the host controller interface. This is possible on Linux devices via btmon, the Bluetooth monitor; you can also extract the HCI snoop log on Android devices, so this is a developer feature. And the benefit in this case is that, since the encryption is established in the Link Layer and you capture the devices on the host layers, then they are not encrypted and you can check what the protocol is doing, because if you're sniffing the protocol over the air, which is on the one side very complex and not working very well, then you have encrypted traffic if they're using encryption, and then you cannot determine what is happening there. So the best way is, I think, to get a device, get the host controller interface logs, put them into Wireshark and analyze the connection setup, and try to find the required parts in the specification. It's not easy, but once you get used to the specification it also makes kind of sense.

Cool, thank you very much. So we don't really have time for another question, but feel free to reach out to Sarah in the break, I think she will be happy to answer any more questions. Thanks again a lot for the talk, Adam.
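The pairing-method selection the talk relies on, as an added example that is not part of the talk and not Mirage code: the IO capabilities exchanged in the SMP pairing request and response, together with the MITM and Secure Connections flags, decide whether Just Works, Passkey Entry or Numeric Comparison is used, and only the latter two are authenticated. The mapping below follows the IO-capability tables of the Bluetooth Core Specification, Vol. 3, Part H, Section 2.3.5.1 (Out of Band is left out, as in the talk). It then evaluates the two situations from the talk (a dongle claiming no input/output, and a dongle cloning the keyboard's capabilities) and shows what a keyboard enforcing Security Mode 1 Level 4 would accept. The `PairingFeatures` type, all function names and the sample devices are constructed for this example.

```python
"""IO capability -> pairing method, per Core Spec Vol. 3 Part H, Section 2.3.5.1.

Added example, not from the talk and not from the Mirage framework.
"""
from dataclasses import dataclass

# IO capability values carried in the SMP Pairing Request / Pairing Response
DISPLAY_ONLY = "DisplayOnly"
DISPLAY_YES_NO = "DisplayYesNo"
KEYBOARD_ONLY = "KeyboardOnly"
NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
KEYBOARD_DISPLAY = "KeyboardDisplay"

JUST_WORKS = "Just Works"
PASSKEY_ENTRY = "Passkey Entry"
NUMERIC_COMPARISON = "Numeric Comparison"


@dataclass(frozen=True)
class PairingFeatures:
    """Subset of the SMP feature exchange that drives method selection (constructed type)."""
    io_capability: str
    mitm: bool = False  # AuthReq MITM flag: this side asks for an authenticated pairing
    sc: bool = False    # AuthReq SC flag: this side supports LE Secure Connections


def io_capability_method(init_io, resp_io, secure_connections):
    """Method from the IO capability table, used once at least one side requested MITM."""
    both = {init_io, resp_io}
    if NO_INPUT_NO_OUTPUT in both:
        # A side that can neither show nor type a passkey forces Just Works
        return JUST_WORKS
    if both <= {DISPLAY_ONLY, DISPLAY_YES_NO}:
        # Nobody can type a passkey; two yes/no displays can still compare a number under SC
        if both == {DISPLAY_YES_NO} and secure_connections:
            return NUMERIC_COMPARISON
        return JUST_WORKS
    if both <= {DISPLAY_YES_NO, KEYBOARD_DISPLAY} and secure_connections:
        return NUMERIC_COMPARISON
    # One side has a keyboard and the other can display (or also type) a passkey
    return PASSKEY_ENTRY


def select_pairing_method(initiator, responder):
    """Return (method, secure_connections, authenticated) for one pairing attempt."""
    secure_connections = initiator.sc and responder.sc
    if not (initiator.mitm or responder.mitm):
        method = JUST_WORKS  # neither side asked for MITM protection
    else:
        method = io_capability_method(initiator.io_capability,
                                      responder.io_capability, secure_connections)
    return method, secure_connections, method != JUST_WORKS


def accepted_under_mode1_level4(initiator, responder):
    """Security Mode 1 Level 4: only an authenticated LE Secure Connections pairing passes."""
    _, secure_connections, authenticated = select_pairing_method(initiator, responder)
    return secure_connections and authenticated


# Constructed sample devices for the situations described in the talk
KEYBOARD = PairingFeatures(KEYBOARD_ONLY, mitm=True, sc=True)          # peripheral
LAPTOP = PairingFeatures(DISPLAY_YES_NO, mitm=True, sc=True)           # legitimate master
MITM_NO_IO = PairingFeatures(NO_INPUT_NO_OUTPUT, mitm=False, sc=True)  # dongle claiming no IO
MITM_AS_KEYBOARD = PairingFeatures(KEYBOARD_ONLY, mitm=True, sc=True)  # dongle cloning the keyboard


def evaluate_scenarios():
    """Map scenario name -> (method, authenticated, accepted under Mode 1 Level 4)."""
    cases = {
        "legitimate laptop <-> keyboard": (LAPTOP, KEYBOARD),
        "no-IO dongle -> keyboard (option 1)": (MITM_NO_IO, KEYBOARD),
        "laptop -> no-IO clone (option 1)": (LAPTOP, MITM_NO_IO),
        "laptop -> keyboard clone (option 2)": (LAPTOP, MITM_AS_KEYBOARD),
    }
    results = {}
    for name, (init, resp) in cases.items():
        method, _, authenticated = select_pairing_method(init, resp)
        results[name] = (method, authenticated, accepted_under_mode1_level4(init, resp))
    return results


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:40s} {result}")
```

The output makes the talk's conclusion concrete: against the legitimate laptop the keyboard ends up in Passkey Entry, which is authenticated and passes the Level 4 check, while a dongle advertising no input and no output drags either side down to Just Works, which a Level 4 policy refuses. Option 2 (the clone offering keyboard capabilities to the laptop) still yields Passkey Entry on the laptop side, which is exactly why the check has to live in the keyboard: if the keyboard never accepts the initial Just Works pairing, the clone never gets a session to relay the passkey into.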