detecting-bluetooth-low-energy-attacks

What this skill does

# Detecting Bluetooth Low Energy Attacks

## Disclaimer

This skill is intended for authorized security testing, penetration testing engagements, CTF competitions, and educational purposes only. Sniffing, intercepting, or manipulating Bluetooth communications without authorization may violate federal wiretapping laws and local regulations. Always obtain explicit written permission before conducting any wireless security assessment.

## When to Use

Use this skill when:
- Performing authorized BLE security assessments of IoT devices, medical devices, or smart locks
- Monitoring a wireless environment for BLE-based replay attacks, spoofing, or unauthorized enumeration
- Analyzing BLE packet captures to detect Man-in-the-Middle attacks or pairing exploitation
- Enumerating GATT services and characteristics to identify insecure read/write permissions on BLE peripherals
- Assessing BLE encryption strength and testing for crackable pairing exchanges
- Building BLE intrusion detection capabilities for wireless security monitoring

**Do not use** for intercepting BLE communications without explicit authorization. Do not deploy BLE scanning tools in environments where wireless monitoring is prohibited.

## Prerequisites

- Ubertooth One hardware for passive BLE sniffing, or Nordic nRF52840 USB Dongle with nRF Sniffer firmware
- Python 3.10+ with pip
- bleak library: `pip install bleak` (cross-platform BLE GATT client)
- Wireshark with BLE dissector plugins for packet analysis
- crackle tool for BLE encryption analysis: built from source at github.com/mikeryan/crackle
- ubertooth-btle CLI tools: `apt install ubertooth` (Linux) or build from source
- Bluetooth 4.0+ adapter on the host system for bleak-based scanning
- Linux recommended for full Ubertooth/nRF sniffer support

## Workflow

### Step 1: BLE Environment Discovery and Device Scanning

Scan the environment to identify BLE devices and their advertising data:

```bash
# Scan for BLE devices using bleak (cross-platform)
python -c "
import asyncio
from bleak import BleakScanner

async def scan():
    devices = await BleakScanner.discover(timeout=10.0)
    for d in devices:
        print(f'{d.address} | RSSI: {d.rssi} | Name: {d.name or \"Unknown\"}')
        for uuid in d.metadata.get('uuids', []):
            print(f'  Service: {uuid}')

asyncio.run(scan())
"

# Passive BLE sniffing with Ubertooth One (promiscuous mode)
ubertooth-btle -p -r capture.pcapng

# Follow a specific BLE connection
ubertooth-btle -f -t AA:BB:CC:DD:EE:FF -r connection.pcapng

# Use nRF Sniffer with Wireshark (via extcap interface)
wireshark -i nRF_Sniffer -k
```

### Step 2: GATT Service and Characteristic Enumeration

Connect to target BLE peripherals and enumerate their GATT profile:

```bash
# Enumerate all services, characteristics, and descriptors
python -c "
import asyncio
from bleak import BleakClient

async def enum_gatt(address):
    async with BleakClient(address) as client:
        print(f'Connected: {client.is_connected}')
        for service in client.services:
            print(f'Service: {service.uuid} - {service.description}')
            for char in service.characteristics:
                props = ','.join(char.properties)
                print(f'  Char: {char.uuid} | Props: {props}')
                for desc in char.descriptors:
                    val = await client.read_gatt_descriptor(desc.handle)
                    print(f'    Desc: {desc.uuid} = {val}')

asyncio.run(enum_gatt('AA:BB:CC:DD:EE:FF'))
"
```

Security-relevant findings during GATT enumeration:
- Characteristics with `write-without-response` or `write` without authentication
- Readable characteristics exposing device configuration, credentials, or firmware versions
- Missing Client Characteristic Configuration Descriptor (CCCD) protection on notification characteristics

### Step 3: BLE Packet Capture and Analysis

Capture BLE traffic for offline analysis:

```bash
# Capture with Ubertooth in PcapNG format (recommended)
ubertooth-btle -f -r capture.pcapng

# Capture in PCAP/PPI format for crackle compatibility
ubertooth-btle -f -c capture_ppi.pcap

# Analyze capture in Wireshark
wireshark capture.pcapng
# Apply display filter: btle
# Filter connection requests: btle.advertising_header.pdu_type == 0x05
# Filter data packets: btle.data_header

# Extract pairing information with tshark
tshark -r capture.pcapng -Y "btle.control_opcode == 0x01" -T fields \
  -e btle.master_bd_addr -e btle.slave_bd_addr
```

### Step 4: BLE Encryption Analysis with Crackle

Analyze captured pairing exchanges to test encryption strength:

```bash
# Crack BLE Legacy Pairing (Just Works / passkey)
crackle -i capture_ppi.pcap -o decrypted.pcap

# Crack with known Temporary Key (TK)
crackle -i capture_ppi.pcap -o decrypted.pcap -l 000000

# Analyze decrypted traffic
wireshark decrypted.pcap
```

BLE Legacy Pairing with Just Works mode uses a TK of all zeros, making it trivially
crackable. Passkey entry uses a 6-digit PIN (000000-999999) that can be brute-forced
in under a second. Only BLE Secure Connections (LE Secure Connections with ECDH)
provides adequate protection against passive eavesdropping.

### Step 5: Replay Attack Detection and Testing

Monitor for and test BLE replay attack susceptibility:

```bash
# Capture characteristic write operations
# Record the raw bytes written to a target characteristic
# Then replay the exact same bytes to test if the device accepts stale commands

python -c "
import asyncio
from bleak import BleakClient

TARGET = 'AA:BB:CC:DD:EE:FF'
CHAR_UUID = '0000fff1-0000-1000-8000-00805f9b34fb'

async def replay_test():
    async with BleakClient(TARGET) as client:
        # Step 1: Read current state
        val = await client.read_gatt_char(CHAR_UUID)
        print(f'Current value: {val.hex()}')

        # Step 2: Write a command (captured from previous session)
        captured_command = bytes.fromhex('0102030405')
        await client.write_gatt_char(CHAR_UUID, captured_command)
        print('Replayed captured command')

        # Step 3: Verify if command was accepted
        new_val = await client.read_gatt_char(CHAR_UUID)
        print(f'New value: {new_val.hex()}')
        if new_val != val:
            print('VULNERABLE: Device accepted replayed command')

asyncio.run(replay_test())
"
```

Indicators of replay vulnerability:
- Device accepts previously captured write commands without freshness validation
- No sequence number, timestamp, or challenge-response mechanism in the protocol
- Device state changes in response to replayed commands

### Step 6: Man-in-the-Middle Detection

Detect BLE MITM attacks by monitoring for anomalous behavior:

```bash
# Monitor for BLE address spoofing (device impersonation)
# Compare advertising data fingerprints over time

# Monitor for unexpected connection parameter changes
tshark -r capture.pcapng -Y "btle.control_opcode == 0x00" -T fields \
  -e btle.control.interval.min -e btle.control.interval.max

# Detect GATTacker/BTLEjuice MITM patterns:
# - Cloned advertising data with different BD_ADDR
# - Rapid connect/disconnect cycles on the same channel
# - Duplicate service UUIDs from different addresses

# Monitor for suspicious pairing requests
tshark -r capture.pcapng -Y "btl2cap.cid == 0x0006" -T fields \
  -e btsmp.opcode -e btsmp.io_capability -e btsmp.auth_req
```

### Step 7: Continuous BLE Security Monitoring

Deploy ongoing BLE monitoring for threat detection:

```bash
# Run the agent in monitoring mode
python agent.py --mode monitor --duration 3600 --output ble_alerts.json

# Combine with Ubertooth for passive monitoring
ubertooth-btle -p -r - | python agent.py --mode analyze --pcap-stdin

# Alert on specific threat indicators
python agent.py --mode monitor --alert-on replay,spoofing,weak-pairing
```

## Key Concepts

| Term | Definition |
|------|-----------|
| **BLE (Bluetooth Low Energy)** | Low-power wireless protocol (Bluetooth 4.0+) optimized for IoT devices, operating on 2.4 GHz w