This article is written for penetration testers who want to learn how to attack Bluetooth Low Energy (BLE) smart devices using relay attacks. These attacks can be employed against everything from smart locks to the BLE-based passive-entry and ignition systems in connected cars. This article goes into technical depth on how to build and configure two Raspberry Pis running Gattacker, and explains in detail what relay attacks are, how and why they are effective against BLE, and how BLE differs from Bluetooth.
The Rise of Bluetooth 4.0
Let’s make something abundantly clear up front: there is Bluetooth (now usually called Bluetooth Classic, or BR/EDR) and there is Bluetooth Low Energy (BLE). Bluetooth was designed for short-range wireless communication (roughly 10-100 meters, depending on the device’s power class), such as connecting your mobile phone to your wireless earphones. Bluetooth operates in the 2.4 GHz band, from 2.402 to 2.480 GHz, split across 79 channels of 1 MHz each that the radio hops between. Bluetooth is used for more than just audio; files can also be transferred between devices over it, although its bandwidth is far below that of Wi-Fi.
BLE arrived with Bluetooth version 4.0 and is carried forward in the 5.x releases. Unlike Classic Bluetooth, a BLE device spends most of its time asleep and wakes only briefly to send an advertisement or to service a connection event, which is what makes battery life measured in months possible. Like Classic Bluetooth, BLE operates at 2.4 GHz in the same 2.402-2.480 GHz range, but it divides it into 40 channels of 2 MHz, three of which (37, 38 and 39) are reserved for the advertisements that the attack below captures. The distinction that matters most to you is throughput: Classic Bluetooth delivers roughly 0.7-2.1 Mbit/s at the application layer, while BLE 4.x delivers on the order of 300 kbit/s over its 1 Mbit/s PHY. That is plenty for what BLE is typically used for: connected medical devices, smart locks, connected cars, industrial control systems, pretty much all smart technology in the internet of things ecosystem, none of which really require higher throughput. What many of them do rely on is proximity, and, as we will see, BLE gives them no trustworthy way to measure it.
The Attack Lab
To perform a relay attack using Gattacker, you’ll need a few things for your attack lab:
Two Raspberry Pis running Raspbian, each with an external USB Bluetooth adapter; one will be the CENTRAL Pi and the other the PERIPHERAL Pi
NodeJS (version 8 only)
Custom Gattacker scripts: https://www.alissaknight.com/file-share. Unarchive these files into the root of the Gattacker directory once Gattacker is installed (typically ~/node_modules/gattacker)
Why Raspberry Pis? Because when you’re employing a relay attack (in authorized penetration tests, of course) you typically want to be mobile. Raspberry Pis make a perfect mobile relay attack kit since they can be powered by battery packs.
Understanding Relay Attacks
A relay attack is a type of man-in-the-middle (MITM) attack in which the attacker forwards the traffic between two legitimate endpoints in real time, typically to make them believe they are within range of each other when they are not. The relayed data is neither read nor modified; it is simply passed along as it arrives. That is what distinguishes a relay from a replay attack, where a signal is recorded and resent later (and which fails against any protocol that uses a fresh challenge per session), and from a classic MITM, where the attacker decrypts, reads or alters the traffic in flight. Because a relay only forwards, it works even when the link is encrypted and even when the app performs a challenge-response handshake: the lock receives a valid answer from the real phone, just via a longer path. BLE itself provides no distance bounding, so at the GATT layer the lock has no way to tell a relayed phone from one standing next to it.
Gattacker is simple. It is installed on two separate systems, in our case our two Raspberry Pis. The CENTRAL Pi (which runs ws-slave.js) sits next to the BLE device, waits for its advertisement broadcasts and records them to advertisement files; it then connects to the target as a BLE central and scans its GATT services so that they can be emulated by the PERIPHERAL Pi, which sits next to the victim’s mobile phone. The PERIPHERAL Pi (which runs advertise.js) emulates the lock using the advertisement and service data it was given by the CENTRAL Pi, causing the victim’s phone to connect to it thinking it is the lock. Every read, write and notification the phone exchanges with the fake lock is forwarded over the network to the CENTRAL Pi, which performs it against the real lock, and the responses flow back the same way.
If the lock’s mobile app is configured to unlock automatically when the victim’s phone is near the lock (passive entry), the lock is unlocked simply by the two Raspberry Pis running this relay, for as long as the two can reach each other over the network. Otherwise, the victim has to tap unlock in the mobile app, and the unlock command is relayed through the PERIPHERAL Pi to the CENTRAL Pi, which delivers it to the lock (Figure 1).
In this exercise, we’ll be using the August Smart Lock Pro. This lock is one of six different BLE locks I targeted in my BLE hacking research on KnighTV. To watch the live-fire exercise, please watch the BLE hacking series on KnighTV located on my YouTube channel.
The August Smart Lock Pro is confirmed vulnerable to relay attacks as shown in the video I recorded in Episode 11 of KnighTV:
NOTE: As of this writing, August released a new lock that uses the home’s WiFi connection. I have not yet confirmed whether this lock uses BLE and is vulnerable to this same relay attack. I’ve purchased this lock and will publish my research once it’s done.
On Both CENTRAL and PERIPHERAL Raspberry Pis
Install NodeJS (Version 8)
*Install into /usr/local/lib/nodejs
Add nodejs to your PATH at the bottom of the file
Install my custom Gattacker scripts
The custom scripts I use are available for download from my homepage at http://www.alissaknight.com. Download them and overwrite the Gattacker installation directory in /home/pi/node_modules/gattacker.
The next section assumes you’ve installed Raspbian on both Raspberry Pis. If you purchased the CanaKit version I linked to above, simply continue with the installation of Gattacker below. To keep things sane, so that you always know which Raspberry Pi you’re on, change the hostname of each Pi to either CENTRAL or PERIPHERAL. I’ve broken up the installation steps accordingly.
CENTRAL Raspberry Pi
Identify the device ID of the external Bluetooth adapter
Ensure NOBLE_HCI_DEVICE_ID=<the device ID from hciconfig output> (in my case it was 0) and BLENO_HCI_DEVICE_ID=0, and that both lines are uncommented. Ensure WS_SLAVE=127.0.0.1, since ws-slave runs on this Pi.
Find out the IP address of the CENTRAL Pi so you can add its IP address to the config.env file on the PERIPHERAL Pi.
PERIPHERAL Raspberry Pi
Identify the device ID of the external Bluetooth adapter
Edit config.env and set WS_SLAVE to the CENTRAL Pi’s IP address. Since advertise.js uses bleno for the peripheral role, set BLENO_HCI_DEVICE_ID to the device ID of the external adapter you identified above.
Running the Attack
First, start the ws-slave daemon on the CENTRAL Pi, which will cause the CENTRAL Pi to wait for incoming connections from the PERIPHERAL Pi.
NOTE: Before doing anything, make sure you go into the ~/node_modules/gattacker/helpers/bdaddr directory and compile bdaddr. Gattacker’s helper scripts use it to set the PERIPHERAL Pi’s adapter address to that of the target device, and it will be required by a later step.
Find the BLE lock you are targeting using node scan:
Once you have determined the ID of the target BLE device from node scan, create the file the PERIPHERAL Pi will advertise to the mobile phone.
NOTE: <id> refers to the ID prepended to the filename of the advertisement file, e.g. 789c85086975_L309E01.adv.json. So in my case, the command to generate the advertisement file would be: $ node scan -o 789c85086975. This will cause the CENTRAL Pi to connect to the device, scan it, and then write the values to the JSON-formatted advertisement file that the PERIPHERAL Pi will broadcast to the victim’s phone.
Advertise the information pulled from the device:
In my case, it’s 789c85086975_L309E01.adv.json:
If you see the above message, hit ENTER and you should get an INITIALIZED message banner indicating Gattacker is ready to launch the relay attack:
You’re done! Go ahead and pick up your mobile phone and run the BLE lock app. Make sure you are as far away from the lock itself as possible, with the PERIPHERAL Pi next to you, so that the unlock can only be happening through the relay. For example, I have my CENTRAL Pi next to the lock in my home office and am in another part of the house with the PERIPHERAL Pi and my mobile phone. The PERIPHERAL Pi must of course have network connectivity to the CENTRAL Pi for this to work. If all goes well, you should see the output below from Gattacker and the lock should unlock once you hit unlock in the mobile app:
Like and Share
The best way you can support me in my continued content development and influencer efforts in cybersecurity is to like and share my article.
Subscribe and Follow
Subscribe to my YouTube channel to get notifications of my VLOG, live streams, and Vodcast/Podcast episodes uploaded weekly and follow me on Twitter. To view my latest content calendar, visit our firm's web site at Knight Ink.