GATTacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool

Black Hat USA 2016

Presented by: Slawomir Jasek
Date: Wednesday August 03, 2016
Time: 13:50 - 14:15
Location: South Seas GH

Bluetooth Low Energy is probably the most thriving technology implemented recently in all kinds of IoT devices: gadgets, wearables, smart homes, medical equipment and even banking tokens. The BLE specification assures secure connections through link-layer encryption, device whitelisting and bonding - a mechanisms not without flaws, although that's another story we are already aware of. A surprising number of devices do not (or simply cannot - because of the use scenario) utilize these mechanisms. The security (like authentication) is, in fact, provided on higher "application" (GATT protocol) layer of the data exchanged between the "master" (usually mobile phone) and peripheral device. The connection from "master" in such cases is initiated by scanning to a specific broadcast signal, which by design can be trivially spoofed. And guess what - the device GATT internals (so-called "services" and "characteristics") can also be easily cloned.

Using a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original one, and then just proxy the traffic - without consent of the mobile app or device. And here it finally becomes interesting - just imagine how many attacks you might be able to perform with the possibility to actively intercept the BLE communication! Basing on several examples, I will demonstrate common flaws possible to exploit, including improper authentication, static passwords, not-so-random PRNG, excessive services, bad assumptions - which allow you to take over control of smart locks, disrupt smart home, and even get a free lunch. I will also suggest best practices to mitigate the attacks. Ladies and gentlemen - I give you the BLE MITM proxy. A free open-source tool which opens a whole new chapter for your IoT device exploitation, reversing and debugging. Run it on a portable Raspberry Pi, carry around BLE-packed premises, share your experience and contribute to the code.

Slawomir Jasek

Slawomir Jasek is an IT security consultant with over 10 years of experience.He participated in many assessments of systems' and applications' security forleading financial companies and public institutions - including a few dozene-banking systems. Slawomir developed secure embedded systems certified foruse by national agencies. He received an MSc in automation & robotics andloves to hack home automation and industrial systems. Besides his currentresearch (BLE, HCE), Slawomir focuses on consulting design of secure solutionsfor various software and hardware projects during all the phases - startingfrom a scratch.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats