Bluetooth Low Energy is probably the most thriving technology implemented recently in all kinds of IoT devices: gadgets, wearables, smart homes, medical equipment and even banking tokens. The BLE specification assures secure connections through link-layer encryption, device whitelisting and bonding – a mechanisms not without flaws, although that’s another story we are already aware of. A surprising number of devices do not (or simply cannot – because of the use scenario) utilize these mechanisms. The security (like authentication) is, in fact, provided on higher “application” (GATT protocol) layer of the data exchanged between the “master” (usually mobile phone) and peripheral device. The connection from “master” in such cases is initiated by scanning to a specific broadcast signal, which by design can be trivially spoofed. And guess what – the device GATT internals (so-called “services” and “characteristics”) can also be easily cloned.
Using a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original one, and then just proxy the traffic – without consent of the mobile app or device. And here it finally becomes interesting – just imagine how many attacks you might be able to perform with the possibility to actively intercept the BLE communication! Basing on several examples, I will demonstrate common flaws possible to exploit, including improper authentication, static passwords, not-so-random PRNG, excessive services, bad assumptions – which allow you to take over control of smart locks, disrupt smart home, and even get a free lunch. I will also suggest best practices to mitigate the attacks. Ladies and gentlemen – I give you the BLE MITM proxy. A free open-source tool which opens a whole new chapter for your IoT device exploitation, reversing and debugging. Run it on a portable Raspberry Pi, carry around BLE-packed premises, share your experience and contribute to the code.