This article is written for penetration testers wanting to learn how to hack Bluetooth low energy (BLE) smart devices using relay attacks. These attacks can be employed against smart locks to even BLE-powered ignition systems in connected cars. This article goes into technical depth on how to build and configure two Raspberry Pis running Gattacker and explains in detail what relay attacks are, how and why they are effective against BLE, and how BLE differs from Bluetooth.
The Rise of Bluetooth 4.0
Let’s make something abundantly clear: there’s Bluetooth, and there’s Bluetooth Low Energy (BLE). Bluetooth was designed for short-range wireless communication (10-100 meters), such as connecting your mobile phone to your wireless earphones. Bluetooth operates on the 2.4 GHz band from 2.402-2.481 GHz, split across 79 different 1 MHz channels. While a 1 MHz channel is narrow, Bluetooth is used for more than just audio; files can also be transferred between devices over Bluetooth, despite its lower bandwidth than traditional WiFi.
BLE arrived with Bluetooth version 4.0 and is still used in version 5.0. Unlike Bluetooth, BLE devices remain in sleep mode until a connection is initiated, reducing battery utilization compared to traditional Bluetooth devices. Like Bluetooth, BLE operates at 2.4 GHz in the same frequency range of 2.402-2.481 GHz. The major distinction that is relevant to you is that Bluetooth application throughput is far higher than BLE’s. Bluetooth throughput runs between 0.7-2.1 Mbit/s while BLE runs at a slower 305 kbit/s. While BLE’s throughput is far smaller than Bluetooth’s, the applications BLE is built for don’t need a large throughput. BLE is typically used in connected medical devices, smart locks, connected cars, industrial control systems, and pretty much all smart technology in the internet of things ecosystem, none of which really require the higher throughput.
The Attack Lab
To perform a relay attack using Gattacker, you’ll need a few things for your attack lab.
NodeJS (Version 8 Only)
Custom Gattacker scripts: https://www.alissaknight.com/file-share: Unarchive these files into the main root folder of the Gattacker directory once Gattacker is installed (typically ~home/nodejs/modules/gattacker)
Why Raspberry Pis? Because typically when you’re employing a relay attack (in authorized penetration tests, of course), you want to be mobile. Raspberry Pis make a perfect mobile relay attack kit since they can be powered by battery packs.
Understanding Relay Attacks
A relay attack is a type of man-in-the-middle (MITM) attack where the signal from a transmitter sent to a receiver is recorded to be resent at a later time. The signal and data aren’t manipulated in any way or read; they’re simply stored to be sent later. In a MITM and even in replay attacks, the signal is often captured and modified in some way, or read and forwarded on to the receiver.
Gattacker is simple. Gattacker is installed onto two separate systems -- in our case, our two Raspberry Pis. The CENTRAL pi (which runs ws-slave.js) sits next to the BLE device waiting for advertisement broadcasts, then records them to advertisement files. The CENTRAL pi scans the target BLE device’s services for emulation by the PERIPHERAL pi, which sits next to the victim’s mobile phone. The PERIPHERAL pi (which runs advertise.js) emulates the BLE lock with the information it was provided by the CENTRAL pi, causing the victim’s mobile phone to connect to it thinking it’s the lock.
If the lock’s mobile app is configured to automatically unlock when the victim’s phone is near it (passive entry), the lock can be automatically unlocked simply by the two Raspberry Pis operating this relay attack, so long as the two Raspberry Pis can communicate with one another. Otherwise, the victim will have to manually push unlock in their mobile app in order for the unlock command to be relayed to the CENTRAL pi and thus unlock the door (Figure 1).
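To show why a relay that only forwards bytes defeats even an authenticated unlock, here is a constructed Python model of the two-hop setup described above (an added example, not Gattacker’s own code): a mock lock with an HMAC challenge-response, a mock app, and a relay that holds no key. It also shows the difference from a replay: resending a frame captured by the relay later fails because the lock’s nonce has been consumed. The key, frame formats and class names are all assumptions for the demo.

```python
import hashlib, hmac, os

KEY = b"constructed-demo-key"  # pairing key shared by lock and app (constructed value)

class Lock:
    """Mock BLE lock: unlocking requires an HMAC over a fresh, single-use nonce."""
    def __init__(self, key):
        self.key, self.nonce, self.unlocked = key, None, False
    def write(self, payload):  # one GATT characteristic write; returns the response
        if payload == b"REQ":
            self.nonce = os.urandom(8)
            return b"CHAL" + self.nonce
        if payload[:4] == b"AUTH" and self.nonce is not None:
            expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
            self.unlocked = hmac.compare_digest(payload[4:], expected)
            self.nonce = None  # nonce is consumed whether or not the tag matched
            return b"OK" if self.unlocked else b"FAIL"
        return b"ERR"

class Phone:
    """Mock app: answers the challenge over whatever GATT link it is connected to."""
    def __init__(self, key):
        self.key = key
    def unlock(self, write):
        chal = write(b"REQ")
        tag = hmac.new(self.key, chal[4:], hashlib.sha256).digest()
        return write(b"AUTH" + tag) == b"OK"

class Relay:
    """PERIPHERAL pi (emulated lock) -> CENTRAL pi (writes to the real lock).
    Holds no key and never inspects or alters bytes; it only forwards and logs."""
    def __init__(self, lock):
        self.lock, self.log = lock, []
    def write(self, payload):
        resp = self.lock.write(payload)  # the hop between the Pis is transparent
        self.log.append((payload, resp))
        return resp

def relayed_unlock(lock):
    """Phone talks only to the relay; returns (unlocked?, frames the relay saw)."""
    relay = Relay(lock)
    return Phone(KEY).unlock(relay.write), relay.log

def replay_logged_auth(lock, log):
    """Resending a captured AUTH frame later fails: its nonce is gone."""
    auth = next(p for p, _ in log if p[:4] == b"AUTH")
    lock.write(b"REQ")  # lock issues a new nonce
    return lock.write(auth) == b"OK"
```

The relay succeeds without ever learning the key, which is why application-layer authentication alone does not stop it; only the replay of a stored frame is rejected.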
In this exercise, we’ll be using the August Smart Lock Pro. This lock is one of six different BLE locks I targeted in my BLE hacking research on KnighTV. To watch the live-fire exercise, please watch the BLE hacking series on KnighTV located on my YouTube channel.
The August Smart Lock Pro is confirmed vulnerable to relay attacks as shown in the video I recorded in Episode 11 of KnighTV:
NOTE: As of this writing, August released a new lock that uses the WiFi connection of a home. I have not yet confirmed if this lock uses BLE and is vulnerable to this same relay attack. I’ve purchased this lock and will publish my research once it’s done.
On Both CENTRAL and PERIPHERAL Raspberry Pis
Install NodeJS (Version 8)
Install into /usr/local/lib/nodejs
Add nodejs to your path at the bottom of the file