Bluetooth Low Energy
BLE
- Bluetooth Low Energy (BLE) is part of the Bluetooth 4.0 specification, which also includes Classic Bluetooth and Bluetooth High Speed.
- BLE is an "always off" technology.
- It only transmits short bursts of data when required.
Sources:
Bluetooth: With Low Energy comes Low Security
https://blog.attify.com/the-practical-guide-to-hacking-bluetooth-low-energy/
https://forum.digikey.com/t/a-basic-introduction-to-ble-4-x-security/12501
https://www.simform.com/ble-iot-security-vulnerability-countermeasures/
https://interrupt.memfault.com/blog/ble-throughput-primer
Bluetooth Smart (LE) Man-in-the-Middle framework
A sniffer for Bluetooth 5 and 4.x LE
Physical Layer
- Uses 2.4 GHz to 2.485 GHz.
- Raw data rate of 1 Mbit/s.
- Uses 40 channels, each 2 MHz wide:
  - 37 data channels
  - 3 advertising channels, used for broadcasting and establishing connections
- Uses Gaussian Frequency Shift Keying (GFSK) with a 250 kHz frequency deviation.
- Devices hop channels after a single packet has been transmitted and received.
- The PDU and CRC are whitened by XORing them with the output of a linear-feedback shift register (LFSR).
- The LFSR seed depends only on the channel index, so whitening adds nothing to the difficulty of sniffing.
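To make the last two points concrete, here is the whitening LFSR written out in Python. This is an added example, not code from the original page or from any of the tools it links: it implements the 7-bit register with polynomial x^7 + x^4 + 1 from Bluetooth Core Spec Vol 6 Part B 3.2, seeded with the channel index and bit 6 set. The function names and the sample bytes are my own, and the sample PDU is constructed for the demo. Because the seed is only the channel index, a receiver that knows which channel it is listening on can always undo the whitening, which is exactly why the page says it does not complicate sniffing.

```python
WHITEN_SEED_BIT = 0x40   # register position 0 is always initialised to 1


def whitening_mask(channel, length):
    """Return `length` bytes of the whitening sequence for a channel index (0-39).

    7-bit LFSR, polynomial x^7 + x^4 + 1, seeded with the channel index and
    bit 6 set (Core Spec Vol 6 Part B, 3.2).  Bits are produced in
    over-the-air order, i.e. least significant bit of each byte first.
    """
    lfsr = WHITEN_SEED_BIT | (channel & 0x3F)
    out = bytearray()
    for _ in range(length):
        byte = 0
        for i in range(8):
            bit = lfsr & 1          # register position 6 is the output bit
            lfsr >>= 1
            if bit:
                lfsr ^= 0x44        # feed back into positions 0 and 4
                byte |= 1 << i
        out.append(byte)
    return bytes(out)


def whiten(pdu_and_crc, channel):
    """Whitening and de-whitening are the same XOR against the channel's mask."""
    mask = whitening_mask(channel, len(pdu_and_crc))
    return bytes(a ^ b for a, b in zip(pdu_and_crc, mask))


dewhiten = whiten   # the operation is its own inverse


if __name__ == "__main__":
    # Constructed sample: a 2-byte PDU header followed by 6 address-like bytes.
    sample = bytes([0x40, 0x06, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66])
    on_air = whiten(sample, 37)                 # as sent on advertising channel 37
    print("whitened on ch 37 :", on_air.hex())
    print("dewhitened, ch 37 :", dewhiten(on_air, 37).hex())   # original bytes back
    print("dewhitened, ch 38 :", dewhiten(on_air, 38).hex())   # wrong seed -> garbage
```

Note that de-whitening with the wrong channel index silently yields garbage rather than an error, so a receiver that is unsure of the channel must validate the result (the CRC does that job).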
Packet Information
Preamble:
8-bit alternating binary sequence.
Access Address:
32-bit identifier unique to each connection. On the advertising channels the Access Address is fixed at 0x8e89bed6.
Protocol Data Unit:
Variable length, 2-39 bytes. This contains the main message.
CRC:
24-bit CRC.
Data Packet Information
Regular Data Packet:
Data packets consist of a
- 16 bit header
- 0-37 octets of payload (PDU)
- 24 bit CRC
Empty Data Packet:
An empty data packet consists of a
- 16 bit header
- 24 bit CRC
Only two bits of the header are set (SN and NESN, used for flow control), so these packets are easy to identify.
Passive Eavesdropping
To sniff a connection we need to know four values unique to that connection:
1. Hop interval (also referred to as dwell time)
2. Hop increment
3. Access address
4. CRC init
These values can be extracted from the connection initialization packet or by exploiting the properties of the packets.
Setting up the SDR
Configure the demodulator for GFSK with a 250 kHz frequency deviation and a 1 Mbit/s data rate.
Identify the start of a transmission by searching for a known 32-bit access address.
Hopping Sequence:
There are 37 data channels, and most connections use all 37.
Each connection has a defined hop increment:
nextChannel ≡ (channel + hopIncrement) mod 37
The master transmits a packet, and the slave transmits a packet shortly thereafter.
If no data needs to be transferred, an empty data packet consisting of a header and a 24-bit CRC is transmitted.
Both then wait for a period of time (the hop interval) before hopping to the next channel as defined above.
Detecting an Empty Data Packet:
When we see a 16-bit header in which only the two flow-control bits (SN and NESN) are set, the preceding 32 bits are the Access Address.
Using this address we can find other packets carrying the same Access Address.
When we see multiple packets with the same address, we have a connection we can follow.
Recovering CRCInit:
The CRC is needed to remove false positives among candidate Access Addresses.
The 24-bit CRC is calculated using a linear feedback shift register (LFSR) over the whole packet, including the header.
The LFSR is pre-seeded with a 24-bit value known as the CRCInit.
The CRCs used by Bluetooth and Bluetooth Low Energy are reversible: running the data backwards through the LFSR yields the CRCInit value.
When we see multiple packets with the same CRCInit value, we have a connection we can follow.
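The two claims above, that the CRC filters false positives and that the LFSR can be run backwards, are easy to see in code. The block below is an added example, not code from the page or from Ubertooth/crackle: it implements the link-layer CRC-24 (polynomial x^24 + x^10 + x^9 + x^6 + x^4 + x^3 + x + 1, Core Spec Vol 6 Part B 3.1.1) in the spec's bit order, a check that rejects a captured packet whose CRC does not verify under a given CRCInit, and the same register stepped in reverse. Function names and the sample PDU are my own and the PDU bytes are constructed.

```python
# CRC-24 used by the BLE link layer: x^24 + x^10 + x^9 + x^6 + x^4 + x^3 + x + 1
# Register bit i below is "position i" of the spec's LFSR: position 0 holds the
# least significant bit of CRCInit and position 23 is the first bit on the air.
CRC24_TAPS = (1 << 0) | (1 << 1) | (1 << 3) | (1 << 4) | (1 << 6) | (1 << 9) | (1 << 10)
ADV_CRC_INIT = 0x555555   # fixed initialisation value on the advertising channels


def bit_reverse24(value):
    return int(f"{value & 0xFFFFFF:024b}"[::-1], 2)


def crc24_state(pdu, crc_init):
    """Clock the whole PDU (header + payload) through the LFSR, LSB of each byte first."""
    state = crc_init & 0xFFFFFF
    for byte in pdu:
        for i in range(8):
            feedback = ((byte >> i) & 1) ^ (state >> 23)
            state = (state << 1) & 0xFFFFFF
            if feedback:
                state ^= CRC24_TAPS
    return state


def crc24_air_bytes(pdu, crc_init):
    """The three CRC bytes in the order they follow the PDU on the air."""
    return bit_reverse24(crc24_state(pdu, crc_init)).to_bytes(3, "little")


def crc24_check(pdu, air_crc, crc_init):
    """A matching CRC clocked back through the register leaves it at zero.

    Used to discard false-positive Access Address hits: a random bit pattern
    that happens to look like a packet will not verify under the CRCInit.
    """
    return crc24_state(pdu + air_crc, crc_init) == 0


def recover_crc_init(pdu, air_crc):
    """Run the LFSR backwards from the received CRC to the value it was seeded with."""
    state = bit_reverse24(int.from_bytes(air_crc, "little"))
    for byte in reversed(pdu):
        for i in range(7, -1, -1):
            feedback = state & 1                  # position 0 holds the last feedback bit
            if feedback:
                state ^= CRC24_TAPS               # undo the tap XORs
            state = (state >> 1) | ((feedback ^ ((byte >> i) & 1)) << 23)
    return state


if __name__ == "__main__":
    # Constructed sample: LLID=2 header, length 5, five payload bytes.
    pdu = bytes([0x02, 0x05, 0xDE, 0xAD, 0xBE, 0xEF, 0x01])
    init = 0x123456                               # constructed CRCInit
    crc = crc24_air_bytes(pdu, init)
    print("CRC on air        :", crc.hex())
    print("verifies, right init:", crc24_check(pdu, crc, init))
    print("verifies, wrong init:", crc24_check(pdu, crc, 0x654321))
    print("recovered CRCInit   :", hex(recover_crc_init(pdu, crc)))
```

Because the register is linear and every step is invertible, a single correctly received packet pins down the CRCInit; the page's advice to wait for several packets with the same recovered value is what guards against a corrupted capture producing a plausible but wrong seed.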
Hop Interval:
The hop interval is recovered by observing the time it takes for a channel to repeat.
By measuring the time between two packets on the same data channel we can calculate the hopInterval from
hopInterval = delta_time / (37 data_channels * 1.25ms)
If a packet is missed we get an integer multiple of hopInterval. We repeat the measurement until we have the lowest such multiple.
Hop Increment:
The hop increment is recovered by measuring the time between a packet on one data channel and the next packet on the adjacent channel (c and c+1).
channels_hopped = delta_t / (1.25ms * hop_interval)
hop_increment = channels_hopped^(-1) (mod 37)
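The arithmetic of the Hopping Sequence, Hop Interval and Hop Increment subsections, worked through on a constructed packet trace. This is an added example, not code from the page or from any sniffer project; it assumes, as the page does, that the connection uses all 37 data channels (no channel remapping) and that connection events are spaced by hopInterval × 1.25 ms. The trace generator, the dropped-packet set and all function names are my own. The interval recovery uses a gcd over several same-channel gaps, which is one way of implementing the page's "repeat until we have the lowest multiple"; the increment recovery applies the modular inverse from the text.

```python
from math import gcd

SLOT_US = 1250            # the connection interval is expressed in 1.25 ms units
DATA_CHANNELS = 37


def next_channel(channel, hop_increment):
    """nextChannel = (channel + hopIncrement) mod 37 (all 37 channels in use)."""
    return (channel + hop_increment) % DATA_CHANNELS


def simulate_connection(hop_increment, hop_interval, events, start_channel=0, drop=()):
    """Constructed trace of (timestamp_us, channel) for each connection event.

    Event indices listed in `drop` are left out to model packets the sniffer missed.
    """
    trace = []
    channel = start_channel
    for k in range(events):
        if k not in drop:
            trace.append((k * hop_interval * SLOT_US, channel))
        channel = next_channel(channel, hop_increment)
    return trace


def recover_hop_interval(trace):
    """Time between two visits to one channel is 37 * hopInterval * 1.25 ms.

    A missed packet makes an individual gap an integer multiple of that; the
    gcd across channels collapses the multiples back to the base value.
    """
    last_seen, g = {}, 0
    for t, channel in trace:
        if channel in last_seen:
            g = gcd(g, t - last_seen[channel])
        last_seen[channel] = t
    return g // (DATA_CHANNELS * SLOT_US)


def recover_hop_increment(trace, hop_interval):
    """From channel c to the next sighting of c+1 takes n hops with n*inc = 1 (mod 37),
    so inc is the modular inverse of n.  37 is prime, so the inverse always exists."""
    for i, (t0, c0) in enumerate(trace):
        for t1, c1 in trace[i + 1:]:
            if c1 == (c0 + 1) % DATA_CHANNELS:
                hops = (t1 - t0) // (hop_interval * SLOT_US)
                return pow(hops % DATA_CHANNELS, -1, DATA_CHANNELS)
    return None


if __name__ == "__main__":
    # Constructed connection: increment 7, interval 24 (30 ms), one packet missed.
    trace = simulate_connection(hop_increment=7, hop_interval=24, events=80, drop={37})
    interval = recover_hop_interval(trace)
    print("recovered hop interval :", interval, "(units of 1.25 ms)")
    print("recovered hop increment:", recover_hop_increment(trace, interval))
```

The gcd trick only helps when at least one same-channel pair was captured without a loss; with very lossy reception every gap may share a common extra factor, which is why the text talks about repeating the measurement.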
Pairing Methods
Master and slave must establish a shared secret known as the long-term key (LTK). Once established, it is reused for future sessions; otherwise the LTK is renegotiated.
A 128-bit AES temporary key (TK) is selected, whose value depends on the pairing mode. The TK is used to calculate the "confirm" value, which is exchanged over the air.
Aside from the TK, all values used to calculate the confirm are exchanged in plaintext over the air.
- Just Works: 0
- 6-digit PIN: 000000-999999
- Out of band (OOB): 128-bit value exchanged out of band
For a 6-digit PIN the TK can be cracked in less than one second on a single core.
Using the TK, a short-term key (STK) and an LTK are created.
The STK exchange messages are encrypted using the TK.
Using the STK, an encrypted session transfers the LTK.
A passive eavesdropper that recovers the LTK can decrypt any future conversation between this master and slave.
Security
- BLE uses AES-CCM to encrypt transmitted data.
- BLE key exchange (the "pairing method" or "association model") uses XXXX.
During renegotiation, the link-layer message LL_REJECT_IND causes the master and slave to reject the key and renegotiate it from scratch.
If we know the LTK but not the session nonce, jamming the connection forces the master and slave to re-establish a secure session, and the nonce can then be sniffed over the air. The jammer hops along the channels injecting random noise (the output of an LFSR), killing the connection.
Sniffing
Sniff Bluetooth with Android
Bluetooth Smart (LE) Man-in-the-Middle framework
A BLE scanner for "smart" devices hacking.
Guide to Hacking BTLE
Good TUI for BLE packets
Crackle
Crack and decrypt BLE encryption
crackle -i input.pcap -o decrypted.pcap