Attacking and Crashing IoT devices via Bluetooth LE Protocol
Ajay Pratap Singh

Agenda
• BLE in IoT devices
• Bluetooth Low Energy Protocol Stack
• Functionality of Protocol Layers in BLE
• BLE Pairing Mechanisms
• Attacking IoT Devices – Case Studies

Internet of Things
• What: The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.

Source : Wikipedia

IoT Devices – Smart Homes

More devices can be found at: http://iotlist.co

Connected Camera, Toothbrush

Automobile Industry

Wearable devices

Bluetooth Low Energy
• Wireless protocol operating in 2.4 GHz band with GFSK modulation.

Bluetooth Low Energy (figure): one Broadcaster advertising to several Observer Devices.

BLE Packet
• Preamble – 1 byte
• Access Address – 4 bytes
• PDU – 0-20 bytes
• CRC – 3 bytes

Packet layout: Preamble | Access Address | PDU | CRC

Bluetooth Device Address
• 48 bit unique number, which identifies the device among its peers.
• Device Address = Manufacture ID + Device ID
• Manufacture ID = NAP (2 bytes) + UAP (1 byte)
• Device ID = LAP

NAP – Non-significant Address Part; UAP – Upper Address Part; LAP – Lower Address Part
Manufacturer IDs (OUI): http://standards-oui.ieee.org/oui/oui.txt

Bluetooth Core Specification
• Applications
• Generic Access Profile
• Generic Attribute Profile (GATT)
• Attribute Protocol
• Security Manager
• Logical Link Control & Adaptation Protocol (L2CAP)
• Host Controller Interface
• Link Layer
• Physical Layer
• Direct Test Mode

Source: https://www.bluetooth.com/specifications/bluetooth-core-specification

Generic Attribute Profile - GATT
• GATT is the backbone of the BLE data transfer as it defines how data is organized and exchanged.
• Services are collections of characteristics and relationships to other services that encapsulate the behavior of part of a device.
• Characteristics are defined attribute types that contain a single logical value.

GATT hierarchy (figure): a GATT server contains Services, and each Service contains one or more Characteristics.

Example

Type             Handle   UUID   Permission   Value
Service          0x0021   HRS    READ
Characteristic   0x0024   CHAR   READ
                 0x0026                       bpm
Characteristic   0x0027   CHAR   READ

Bluetooth LE Pairing Process
• Phase-1: Information required for generating the temporary key is exchanged between the master and the slave.
• Phase-2: The short term key is generated independently on both the ends and the process of encryption is started.
• Phase-3: Once the connection is secured by encryption and only if bonding is performed, the permanent keys can be distributed for storage and reuse at a later time.

CASE STUDIES

Case Study 1 – Sniffing traffic
Figure: the traffic between the BLE Device and the Mobile Device is captured by a sniffer.

Case Study 2 – GATT Misconfiguration
Figure: GATTTOOL connected to the BLE Device; initial value 0a 18, changed value 0b 17.

Real-Time Example

Case Study 3 - MiTM
Figure: BLE Device and Mobile Device; cloning MAC address – the address 0A:0B:0C:0D:0E:0F appears on both sides.
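As an added illustration (not code from the slides), the address decomposition from the Bluetooth Device Address slide and the cloned-address situation of Case Study 3, in Python: the OUI table entries and vendor names are constructed, and the locally-administered-bit check is an IEEE convention the slides do not mention.

```python
"""Added example (not from the slides): split a Bluetooth Device Address into
NAP / UAP / LAP, look the Manufacture ID up in an OUI table, and flag an
address that advertises under more than one name (cloned address, Case Study 3)."""
import re
from collections import defaultdict

# Constructed sample OUI table with hypothetical vendor names; a real tool
# would load the IEEE oui.txt file referenced on the slide.
OUI_TABLE = {"00:11:22": "Example Vendor A", "A8:BB:CC": "Example Vendor B"}


def parse_bd_addr(text):
    """Accept 'AA:BB:CC:DD:EE:FF', 'AA-BB-...' or 'AABBCCDDEEFF'; return 6 bytes."""
    hexdigits = re.sub(r"[:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit Bluetooth address: {text!r}")
    return bytes.fromhex(hexdigits)


def split_bd_addr(text):
    """Slide's parts: NAP (2 bytes) + UAP (1 byte) = Manufacture ID, LAP (the
    remaining 3 bytes) = Device ID, reading the address most significant byte first."""
    raw = parse_bd_addr(text)
    return {
        "nap": int.from_bytes(raw[0:2], "big"),
        "uap": raw[2],
        "lap": int.from_bytes(raw[3:6], "big"),
        "oui": ":".join(f"{b:02X}" for b in raw[0:3]),  # Manufacture ID in oui.txt form
        # IEEE "locally administered" bit (bit 1 of the first octet): such a prefix
        # was never assigned to a vendor, so an OUI lookup says nothing about the device.
        "locally_administered": bool(raw[0] & 0x02),
    }


def manufacturer(text, table=OUI_TABLE):
    """Vendor name for the Manufacture ID, or the reason none can be given."""
    parts = split_bd_addr(text)
    if parts["locally_administered"]:
        return "locally administered (no IEEE vendor)"
    return table.get(parts["oui"], "unknown OUI")


def find_cloned_addresses(advertisements):
    """advertisements: (address, device name) pairs from a scan. Returns the
    addresses seen with more than one name, a sign that a second device is
    advertising with a copied address."""
    names = defaultdict(set)
    for addr, name in advertisements:
        canonical = ":".join(f"{b:02X}" for b in parse_bd_addr(addr))
        names[canonical].add(name)
    return {addr: sorted(seen) for addr, seen in names.items() if len(seen) > 1}
```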

Case Study 4 – Denial of Service attack
Figure: Mobile Device → BLE Device: Connection request, followed by l2cap Packets.

Thank you
Michael Mcneil, Ben Kokx, Minatee Mishra, Maheshan, Neelesh Swami, Anirudh Duggal, Pardhiv Reddy, Sanjog Panda, Archita, Sagar Popat, Jiggyasu Sharma, Narendra Makkena, Swaroop Yermalkar, Kartik Lalan, Abhishikt, Chandrakant Nial

Audience

QUESTIONS