Published on April 14, 2019
1. BLE Exploitation: Unfit Story of Fitness Trackers. Yogesh Ojha
2. #whoami Yogesh Ojha ● From Nepal ● Cyber Security Analyst @ TCS Cyber Security Unit, India ● IoT & Mobile Application Security ● Machine Learning enthusiast ● Love to build and play with robots, and sometimes break them too ;)
3. Expectations You can expect: ● Basic overview of Bluetooth Low Energy ● Bluetooth Classic vs Bluetooth Low Energy ● The BLE stack ● BLE MiTM / sniffing BLE packets ● Reverse engineering the mobile applications of fitness trackers ● Doing some cool stuff ● Uploading firmware over the air
4. Bluetooth Story... Bluetooth is a short-range wireless communication protocol that allows devices such as smartphones and headsets to transfer data and/or voice wirelessly. Developed in 1994 as a replacement for cables. It uses the 2.4 GHz band and forms a network of about 10 meters radius called a piconet!
5. And then comes Bluetooth Low Energy (4.0)... Bluetooth Low Energy, aka Bluetooth Smart ● Designed to be power efficient ● Low cost and easy to implement ● Used in sensors, lightbulbs, medical devices, wearables and many other “smart” products.
6. Bluetooth Classic vs BLE
Bluetooth Classic: ● Great for products that require continuous streaming of data ● High power consumption ● Faster data rate ● High application throughput ● Best suited for: ○ Headsets, speakers ○ Bluetooth hotspot etc.
Bluetooth Low Energy: ● Great for products that do not require continuous streaming of data ● Ultra low power consumption ● Slower data rate ● Low application throughput ● Best suited for: ○ Home automation ○ Fitness trackers etc.
BLE is designed to stay in sleep mode and wake up only when a connection is initiated, e.g. a quick command to check whether your light is on or off, or to turn it on or off.
7. Bluetooth Low Energy
8. Fitness Tracker - BLE Applications
9. BLE Stack ● Generic Attribute Profile (GATT) ● Generic Access Profile (GAP) Stack diagram, top to bottom: Applications (apps); Host: Generic Access Profile, Generic Attribute Profile, Attribute Protocol, Security Manager, Logical Link Control & Adaptation Protocol, Host Controller Interface; Controller: Link Layer, Direct Test, Physical Layer.
10. Generic Attribute Profile (GATT) GATT defines the way BLE devices (client and server) communicate with each other using Services and Characteristics. Connections are exclusive: a BLE peripheral can be connected to only one central device at a time. Once connected it stops advertising itself, so other devices can no longer see it or connect to it until the existing connection is broken.
11. Basic Process 1. Select the target a. Install the BlueZ stack, hcitool & gatttool 2. Enumerate the services and characteristics a. Scan using hcitool b. Connect using gatttool c. List all the services and characteristics 3. Reverse engineer the mobile application (if any) a. For reverse engineering an Android application, use apktool 4. Finally, do some cool stuff!
12. Selecting the target Goal: finding the BLE devices in the vicinity. Tools used: BlueZ, hcitool, gatttool. Install BlueZ: $ sudo apt-get install bluez Install hcitool: hcitool comes preinstalled with the BlueZ stack
13. Enumerate the services and characteristics $ sudo gatttool -b <BLE ADDRESS> -I Then, at the interactive prompt: > connect (connect to the device) > primary (list all primary services) > characteristics (list all characteristics)
14. Services & Characteristics Services: a set of provided features and associated behaviors used to interact with the peripheral. Each service contains a collection of characteristics. Characteristics: defined attribute types that contain a single logical value. https://learn.adafruit.com/
15. Services & Characteristics https://learn.adafruit.com/
16. Sniffing BLE Packets Ubertooth: ● Works great for both Classic and BLE ● Open source hardware/software ● About $100 CC2540: ● Cheaper but limited configuration ● About $50
17. Alternative to sniffers (Android) ● Enable Developer options ● Enable Bluetooth HCI snoop log ● $ adb pull /sdcard/btsnoop_hci.log
18. Authentication Main service UUID 0000fee1-0000-1000-8000-00805f9b34fb. Auth characteristic UUID 00000009-0000-3512-2118-0009af100700. Notification descriptor handle 0x2902. Thanks to Andrey Nikishaev. ● Turn on auth notifications (to get a response) by writing 2 bytes x01x00 to the descriptor. ● Send the 16-byte encryption key to the characteristic with a command: 2 bytes x01x00 + KEY. ● Request a random key from the device by writing 2 bytes x02x00 to the characteristic. ● Read the random key from the device's response (the last 16 bytes). ● Encrypt this random number with our 16-byte key using AES/ECB/NoPadding (from Crypto.Cipher import AES) and send it back to the characteristic: x03x00 + encrypted data.
19. Send some Notification? ;) The first two bytes are the notification type: 01 -> Email, 03 -> Call, 04 -> Missed Call, 05 -> SMS/MMS. The next two bytes are the number of notifications, and the remaining bytes are the hex value of the notification title you are sending.
20. Send some Notification? ;)
21. Firmware My aim was to display this!
22. Firmware!!! Firmware is a piece of software that runs on an embedded CPU! How do I get the firmware? By reverse engineering the mobile application, maybe? Or by capturing it during the DFU update? Let's reverse engineer the mobile application! $ apktool d cool_app.apk
23. Uploading the firmware
24. How does the firmware upload work? ● Initialize the firmware/resource update on characteristic 1531 with a 4-byte write command: x01 + file size in hex (3 bytes) ● But for a resource it's 5 bytes: x01 + file size in hex (3 bytes) + x02 ● The last byte x02 tells the firmware update service that it's a resource and not the firmware file. ● The size bytes go least-significant byte first: it doesn't accept 0x5EFAC but accepts 0xACEF05
25. How does the firmware upload work? After that: ● Send x03 to notify Start Data, and you are ready to transfer the firmware ● It can receive a maximum of 20 bytes per command, so send 20 bytes at a time. The firmware/resource has to be written to characteristic “1532”. ● Send x00 on characteristic 1531; it's the update sync command. Your firmware is uploaded, but something is missing: the checksum!!!
26. How does the firmware upload work? What is a checksum? A calculated value used to determine the integrity of data during transmission. BLE does not perform error correction; it can only perform error detection. Bluetooth 5.0 introduces error correction.
27. How does the firmware upload work? Once the CRC is calculated, write the checksum to characteristic “1531” as 3 bytes: it must begin with x04, followed by your checksum value (x04 + checksum). If the checksum matches, the resource is accepted and updated. For firmware you also need to send the reboot command: send x05 on characteristic “1531” for the reboot. And yes, the firmware update is done!
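The upload flow of slides 24 to 27, built as a write sequence in Go as an added example (not code from the talk or the author's repository): it produces every write in order, with the 3-byte size encoded least-significant byte first as slide 24 shows, the 20-byte chunks to characteristic 1532, and the sync, checksum and reboot commands to 1531. The slides do not name the checksum algorithm, so the caller passes it in, and the checksum's byte order on the wire is assumed little-endian. The only verification of the image the slides describe is this checksum.

```go
package main

import "encoding/binary"

// Characteristic names and chunk size from the slides.
const (
	charControl = "1531" // init, start, sync, checksum and reboot commands
	charData    = "1532" // firmware/resource bytes, 20 per write
	mtuChunk    = 20
)

// write is one GATT write the phone performs (constructed record type, not a BLE API).
type write struct {
	char string
	data []byte
}

// sizeLE3 encodes the file size as three little-endian bytes: the slide notes the band
// rejects 0x05EFAC sent most-significant byte first but accepts AC EF 05.
func sizeLE3(n int) []byte {
	var buf [4]byte
	binary.LittleEndian.PutUint32(buf[:], uint32(n))
	return buf[:3]
}

// uploadSequence builds the whole write sequence for a firmware (resource=false) or a
// resource (resource=true) image. The slides do not name the checksum algorithm, so
// the caller supplies it; its byte order on the wire is assumed little-endian.
func uploadSequence(image []byte, resource bool, checksum func([]byte) uint16) []write {
	initCmd := append([]byte{0x01}, sizeLE3(len(image))...)
	if resource {
		initCmd = append(initCmd, 0x02) // fifth byte marks a resource, not firmware
	}
	seq := []write{{charControl, initCmd}, {charControl, []byte{0x03}}} // init, start data
	for off := 0; off < len(image); off += mtuChunk {
		end := off + mtuChunk
		if end > len(image) {
			end = len(image)
		}
		seq = append(seq, write{charData, image[off:end]})
	}
	sum := checksum(image)
	seq = append(seq, write{charControl, []byte{0x00}}) // update sync
	seq = append(seq, write{charControl, []byte{0x04, byte(sum), byte(sum >> 8)}}) // x04 + checksum
	if !resource {
		seq = append(seq, write{charControl, []byte{0x05}}) // firmware also needs a reboot
	}
	return seq
}
```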
28. And what about the skull Icon? ;)
29. Q&A More about this hack is on Medium & Github! https://medium.com/@yogeshojha https://github.com/yogeshojha/MiBand3/