Recently Omri Iluz wrote about his experiences capturing BLE very cheaply using an RTL-SDR and an MMDS downconverter. His work is very interesting and is a good way to get started playing with BLE on the cheap.

A software defined radio approach is very powerful, and if you're interested in sniffing Bluetooth with SDR you should definitely check out gr-bluetooth. Another interesting approach is to use a narrowband radio as a sniffer, like the one on the Ubertooth.

I've been researching BLE (also known as Bluetooth Low Energy and Bluetooth Smart) since 2012, and I wanted to share the BLE sniffer I built on the Ubertooth platform. My sniffer is highly robust and can capture data from connections on data channels. I also discovered weaknesses in BLE's security and wrote a tool to decrypt packets under some circumstances.

The sniffer is turnkey and painless: if you have an Ubertooth you can begin sniffing packets right now by running a single command. Our tools capture to PCAP files that can be loaded into Wireshark for analysis using the BLE plugin that ships with recent development builds of Wireshark.

My BLE sniffer and Ubertooth itself are 100% open source. The source for the Ubertooth firmware, host tools, and board design can be found on the Ubertooth Github.

Technical Details

Ubertooth is an open source platform for Bluetooth research. It has a powerful ARM microcontroller connected to a reconfigurable radio chip, the TI CC2400. Although it was originally built to monitor classic Basic Rate (BR) Bluetooth, it serves as an excellent platform for building a BLE sniffer.

At the physical layer, our BLE sniffer works by configuring the CC2400's modulation parameters to match those of BLE. We also program the radio to search for a 32-bit value known as the Access Address that is at the beginning of every packet. When a nearby BLE device transmits, our radio sees the 32-bit Access Address and begins sending data to the ARM microcontroller.

Before we can read the data, we have to dewhiten it. This is done by XORing the data with the output of a 7-bit LFSR. Our implementation dewhitens 32 bits at a time thanks to an impressive algorithm by Dominic Spill and Michael Ossmann. After this we parse the header and validate the CRC. Valid packets are passed up to the PC via USB where they are displayed and logged to PCAP files.
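As an added illustration of the receive path just described (not code from the Ubertooth firmware, which dewhitens 32 bits at a time with a lookup table), here is a bit-serial Python version of the whitening LFSR and the CRC-24, run over a constructed advertising packet: the channel, advertiser address and AD data are made up.

```python
"""BLE receive path in miniature: dewhiten, parse the header, validate the CRC-24.
Bit-serial forms of the two LFSRs in Bluetooth Core 4.x Vol 6 Part B (3.1.1, 3.2).
"""

ADV_CRC_INIT = 0x555555          # CRCInit used for advertising channel PDUs
CRC24_TAPS_REFLECTED = 0xDA6000  # x^24+x^10+x^9+x^6+x^4+x^3+x+1, bit order reversed


def whiten(data: bytes, channel: int) -> bytes:
    """XOR data with the 7-bit whitening LFSR x^7 + x^4 + 1, seeded from the channel index.

    Dewhitening is the identical operation: the same stream is XORed in again.
    """
    if not 0 <= channel <= 39:
        raise ValueError("channel index must be 0..39")
    lfsr = 0x40 | channel  # LFSR position 0 := 1, positions 1..6 := channel index
    out = bytearray()
    for byte in data:
        for bit in range(8):  # bits travel over the air LSB first
            if lfsr & 1:      # the bit leaving the register is the whitening bit
                lfsr ^= 0x88  # feed it back into positions 0 and 4
                byte ^= 1 << bit
            lfsr >>= 1
        out.append(byte)
    return bytes(out)


def crc24(pdu: bytes, crc_init: int = ADV_CRC_INIT) -> bytes:
    """Return the 3 CRC bytes, in on-air byte order, for a PDU (header + payload)."""
    # The register is kept bit-reversed: LFSR position 23 sits in bit 0, so the
    # incoming bit (LSB first) is compared against it directly.
    state = int(f"{crc_init:024b}"[::-1], 2)  # position 0 holds the LSB of CRCInit
    for byte in pdu:
        for bit in range(8):
            feedback = (state ^ (byte >> bit)) & 1
            state >>= 1
            if feedback:
                state ^= CRC24_TAPS_REFLECTED
    return state.to_bytes(3, "little")  # position 23 is transmitted first


def parse_adv_packet(raw: bytes, channel: int) -> dict:
    """What the dongle does after the Access Address: dewhiten, read the header, check the CRC."""
    clear = whiten(raw, channel)
    if len(clear) < 5:
        raise ValueError("shorter than header plus CRC")
    pdu_type = clear[0] & 0x0F
    tx_add = (clear[0] >> 6) & 1  # 1 = advertiser uses a random address
    length = clear[1] & 0x3F      # payload length (6 bits in Core 4.x)
    pdu = clear[:2 + length]
    received_crc = clear[2 + length:5 + length]
    return {
        "pdu_type": pdu_type,
        "tx_add": tx_add,
        "length": length,
        # AdvA goes over the air least significant byte first
        "adv_addr": ":".join(f"{b:02x}" for b in reversed(pdu[2:8])),
        "adv_data": pdu[8:],
        "crc_ok": crc24(pdu) == received_crc,
    }


def build_adv_packet(pdu: bytes, channel: int) -> bytes:
    """Transmit side, used only to construct the sample: append the CRC, then whiten."""
    return whiten(pdu + crc24(pdu), channel)


# Constructed ADV_IND for advertising channel 37: header 0x00 (ADV_IND, public
# address), length 13, AdvA 11:22:33:44:55:66, then AD flags and local name "HR".
SAMPLE_PDU = bytes.fromhex("000d" "665544332211" "020106" "0309") + b"HR"
SAMPLE_CHANNEL = 37
SAMPLE_AIR = build_adv_packet(SAMPLE_PDU, SAMPLE_CHANNEL)
```

A single flipped bit anywhere in the received bytes makes `crc_ok` false, which is exactly the filter the dongle applies before anything is sent up over USB.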

Timing Is Everything

Almost everything above happens on the Ubertooth dongle itself, and the PC just acts as a logging platform. This was a deliberate design choice made to satisfy one key requirement: timing.

In BLE, timing is everything. During connections devices hop to different channels relatively frequently, on the order of milliseconds. In this time we must receive the data, dewhiten it, parse the header, and make a decision about hopping very quickly. Sending the data to the PC and waiting for it to send a decision back would take too long for all but the slowest connections. USB latency alone is measured in milliseconds.

Additionally, on advertising channels and during connections two devices will transmit very quickly in sequence. First one device will transmit, and then 150 microseconds later the other will transmit. If we're busy analyzing the data from the first transmission, we may miss the second one altogether! This type of latency would be impossible to achieve over USB.

Following Connections

Following connections is where everything comes together. Advertising packets are sent on three channels in no particular order and can be captured easily. Connections hop along a sequence of 37 data channels very quickly, spending between 7.5 ms and 4 seconds on a given channel. If we wish to capture data from a BLE connection, we must hop along with the master and slave and listen for their packets on each data channel.

First we must sniff a CONNECT_REQ packet, which is transmitted by a BLE master device on an advertising channel. This packet initiates a connection between two devices and contains all the connection-specific details, such as Access Address, how frequently to hop, and in what order to visit data channels.

Once we have the details from the CONNECT_REQ packet, we have everything we need to follow along with the master and slave as they hop among the data channels. We hop to data channel 0 and wait for the first transmission. First the master transmits and then 150 microseconds later the slave transmits. We minimally process these packets and send them along to the PC. Then we hop to the next channel in the sequence and wait for the next packets. This continues until the master or slave closes the connection.

BLE connections are actually quite simple, significantly more so than the hop pattern of BR Bluetooth. The only difficulty is meeting timing requirements, which we can do easily since all our processing occurs on the ARM microcontroller.
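An added example, not Ubertooth's own code, of what a follower extracts from a CONNECT_REQ and how the data channel sequence is then derived with the spec's channel selection algorithm #1 (hop increment, channel map, and remapping of unused channels). The CONNECT_REQ payload, the addresses and the Access Address in it are constructed.

```python
"""From a sniffed CONNECT_REQ to the data channel sequence a follower must hop along.
Layout per Bluetooth Core 4.x Vol 6 Part B: 2.3.3.1 (CONNECT_REQ) and 4.5.8
(channel selection algorithm #1). The CONNECT_REQ payload below is constructed.
"""
import struct


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in reversed(raw))  # addresses are sent LSB first


def parse_connect_req(payload: bytes) -> dict:
    """Parse the 34-byte CONNECT_REQ payload: InitA, AdvA, then the 22-byte LLData."""
    if len(payload) != 34:
        raise ValueError("CONNECT_REQ payload must be 34 bytes")
    lldata = payload[12:]
    (access_addr,) = struct.unpack_from("<I", lldata, 0)
    crc_init = int.from_bytes(lldata[4:7], "little")       # seeds the CRC for this connection
    win_size = lldata[7]                                     # units of 1.25 ms
    win_offset, interval, latency, timeout = struct.unpack_from("<HHHH", lldata, 8)
    channel_map = int.from_bytes(lldata[16:21], "little")    # bit n set = data channel n in use
    hop = lldata[21] & 0x1F
    sca = lldata[21] >> 5                                    # master sleep clock accuracy code
    if not 5 <= hop <= 16:
        raise ValueError(f"hop increment {hop} outside 5..16")
    if not 6 <= interval <= 3200:                            # 7.5 ms .. 4 s
        raise ValueError("connection interval out of range")
    return {
        "init_a": mac_str(payload[:6]), "adv_a": mac_str(payload[6:12]),
        "access_addr": access_addr, "crc_init": crc_init,
        "window_size_ms": win_size * 1.25, "window_offset_ms": win_offset * 1.25,
        "interval_ms": interval * 1.25, "latency": latency, "timeout_ms": timeout * 10,
        "channel_map": channel_map, "hop": hop, "sca": sca,
    }


class ChannelSelector:
    """Channel selection algorithm #1: advance one connection event per call."""

    def __init__(self, hop: int, channel_map: int):
        self.hop = hop
        self.used = [ch for ch in range(37) if (channel_map >> ch) & 1]
        if len(self.used) < 2:
            raise ValueError("channel map must leave at least two channels in use")
        self.last_unmapped = 0  # spec initial value, so the first event lands on hop % 37

    def next_channel(self) -> int:
        self.last_unmapped = (self.last_unmapped + self.hop) % 37
        if self.last_unmapped in self.used:
            return self.last_unmapped
        # unused channel: remap onto the list of used channels
        return self.used[self.last_unmapped % len(self.used)]


def hop_sequence(payload: bytes, events: int) -> list:
    """Data channels visited during the first `events` connection events."""
    params = parse_connect_req(payload)
    selector = ChannelSelector(params["hop"], params["channel_map"])
    return [selector.next_channel() for _ in range(events)]


# Constructed CONNECT_REQ payload: channels 0..9 masked out of the map, hop 7,
# 30 ms interval. Values are illustrative, not from a capture.
SAMPLE_CONNECT_REQ = (
    bytes.fromhex("f0debc9a7856")                          # InitA 56:78:9a:bc:de:f0
    + bytes.fromhex("665544332211")                        # AdvA 11:22:33:44:55:66
    + struct.pack("<I", 0x50D5A6B3)                        # Access Address
    + (0xA1B2C3).to_bytes(3, "little")                     # CRCInit
    + bytes([2])                                           # WinSize: 2.5 ms
    + struct.pack("<HHHH", 4, 24, 0, 100)                  # WinOffset 5 ms, Interval 30 ms, Latency 0, Timeout 1 s
    + (((1 << 37) - 1) ^ ((1 << 10) - 1)).to_bytes(5, "little")  # ChM: channels 10..36
    + bytes([(0 << 5) | 7])                                # SCA 0, Hop 7
)
```

With every channel in the map the sequence is simply multiples of the hop increment mod 37; the remapping only kicks in for channels the master has masked out.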

Promiscuous Capture

Our Ubertooth BLE sniffer also includes support for capturing data from connections that are already active at the time of sniffing. This feature, called promiscuous mode, is not supported by any other inexpensive commercial or open source sniffer. The only other tool I know of with support for this costs over US$ 20,000.

Due to the nature of BLE, without observing a CONNECT_REQ packet it is extremely difficult to recover all the parameters needed to successfully follow connections as they hop among the data channels. Hop timing, channel ordering, and even CRC calculation elude us.

I developed a few clever tricks to recover these key parameters using Ubertooth. Once we've recovered them, we feed them back into the normal connection following code and can actually begin following these active connections. For more details on how we recover the parameters, refer to my USENIX WOOT whitepaper.

Disclaimer: This mode is a little touchy: recovering the parameters can be tricky and we don't filter false positives well. However, once the parameters have been recovered, connection following is just as robust as if the CONNECT_REQ packet had been observed.

Cracking Encryption

In early 2013 I discovered that BLE's encryption has a fatal flaw. I wrote a tool called crackle to automatically exploit this flaw and decrypt encrypted BLE data.

An attacker present during pairing can recover the encryption keys used to protect data during connections. Furthermore, since these encryption keys are reused, this attacker can decrypt every future conversation between the master and slave devices.

This attack is completely passive. The attacker simply has to capture the packets sent by the pairing devices using a tool such as Ubertooth. No packets are ever transmitted by the attacker, and the victims will have no knowledge that they are being eavesdropped on.

If you give crackle a PCAP file that contains the pairing data, it will automatically crack the encryption key and decrypt any further data sent during the connection. If you give it a key and a PCAP file filled with encrypted data, it will decrypt the data.

Obviously this is a huge weakness in BLE and severely weakens the security of the system. I was surprised that, although this weakness has been public for a while, the latest version of the Bluetooth Core Specification (version 4.1, published in December 2013) does not address it.

More Info

I've intentionally left out a lot of details since this blog post is already long-winded enough as-is. If you're interested in more depth, you can do any of the following:

Ubertooth can be purchased from several places; the full list is available on the Great Scott Gadgets web site.

Finally I would like to express thanks to the many people who helped make this work possible, but in particular:

  • Michael Ossmann (@michaelossmann) for creating the Ubertooth
  • Dominic Spill (@dominicgs), the current Ubertooth maintainer
  • Michal Labedzki, for getting my BLE Wireshark plugin into Wireshark

I didn't realize BT had a crypto vulnerability. I also didn't know about the tools you mentioned in your article. Thanks for the informative post. In your experience, have you found any devices transmitting sensitive data over BT?

Thanks!

Comment by Anonymous Mon Jan 27 08:29:30 2014

Just to be clear: this vulnerability only affects BLE. That said, classic BT has some issues that I'll cover in a future post.

Some BLE devices transmit data in the clear without even attempting to encrypt it. The heart rate monitor I did much of my original research on is one example.

Many of the devices I've looked at recently, such as FitBit and Kwikset Kevo, implement their own crypto. This is fraught with peril and there is a high chance that these implementations have flaws, but I haven't uncovered anything solid yet.

Comment by mikeryan Mon Jan 27 08:42:17 2014

Fantastic information! I've been looking into BLE for a while and had similar security concerns but did not get anywhere as in depth as you. Thanks for the information and the resources!

Comment by Anonymous Mon Jan 27 09:13:50 2014

Hi! Sounds great. I've had an Ubertooth lying around for 2 years but I never really bothered getting it to run on my Mac. So, where's the "ready-to-use" sniffer? :) Thanks, Matthias

Comment by Anonymous Wed Jan 29 02:42:05 2014

The sniffer is in the latest firmware build on GitHub. Grab the latest firmware and host code, along with libbtbb:

Comment by mikeryan Wed Jan 29 12:57:14 2014

Awesome post, cool to see this theoretical attack actually implemented in a download-and-use form! FWIW, the actual vulnerability isn't new or unknown, but in my opinion is wildly under-discussed and frighteningly misunderstood. I wish I could trust BLE devices, but for mission-critical things like door locks and credit card emulators (looking at you, Coin), it's hard for me to take on faith that the implementor has gone out of their way to do some kind of legitimately secure key exchange.

Anyway, Mike Ryan gave a great Shmoocon talk on this (available http://dangerousprototypes.com/2013/04/11/shmoocon-2013-sniffing-bluetooth-low-energy/) but I think didn't take the implementation very far, and perhaps even scarier, the NIST document "Guide to Bluetooth Security" is downright scary: on page 21, "pairing modes," they basically go so far as to say "we didn't even try to protect against eavesdropping during pairing, and that's literally trivial to do" - http://csrc.nist.gov/publications/nistpubs/800-121-rev1/sp800-121_rev1.pdf

Comment by Anonymous Fri Jan 31 23:51:13 2014

Thanks for the feedback. The spec does actually point out that this is a known weakness, but surprisingly everyone seems to gloss over this fact.

I, the blog post author, am the same Mike Ryan that gave the ShmooCon talk. This blog post documents the implementation as it stood then.

Comment by mikeryan Sun Feb 2 11:38:20 2014

Hi, thank you for your work and article. However, in the spec version 4.0 Vol. 3 p. 604 it is written: "None of the pairing methods provide protection against a passive eavesdropper during the pairing process as predictable or easily established values for TK are used." Also on the same page: "Note: A future version of this specification will include elliptic curve cryptography and Diffie-Hellman public exchanges that will provide passive eavesdropper protection." While your work is valuable and important, it was predictable that at some point someone would come up with a hack. No?

Comment by Anonymous Mon Feb 10 02:17:37 2014

Matter of semantics, I guess. The spec does indeed outline the weakness of predictable TK values, but in my work I delved deep enough to demonstrate the precise nature of the weakness as well as developing the concrete attack. The fact that they predicted the hack raises serious questions about why they would publish a spec with a known weakness.

Regarding "future versions of the spec" that will include ECDH, that verbiage has been in the document since version 4.0 published in June 2010. Bluetooth Core Version 4.1 was just released in December 2013 and includes the exact same words. While their intent is pure, they have not yet acted upon it, and thus Bluetooth Smart remains broken.

Comment by mikeryan Fri Feb 14 12:30:29 2014