What is it all about?Bluetooth Low Energy incorporates device pairing and link-layer encryption. However, significant amount of devices do not implement these features. They either do not provide transmission security at all, or ensure it by own means in application layers. The vendors promise “128-bit military grade encryption” and “unprecedented level of security”, not willing to share technical details. We have seen such declarations before, and many times they did not withstand professional, independent evaluation and turned out to be “snake oil” security. It is about time to verify these claims, what is now possible with the help of our new open-source tool .
We share several already identified example vulnerabilities. We hope the community will come up with more, helping to develop new tool's features, cooperate with vendors, and in effect improve the security for end-users.
What attacks are possible?There devices can be attacked in various ways - starting from simple denial of service, by spoofing, passive and active transmission interception, up to abuse of excessive and improperly configured device's services. In effect, the attacks can result among other thins in:
- disrupting functionality (Denial of Service) - e.g. you cannot control smart home, open smart lock, or use smart Point-of-Sale device
- spoofing (false indications, disabling alarms)
- data interception of (e.g. personal information, authentication etc)
- taking control over the device (e.g. opening smart lock, turning smart home)
What devices are vulnerable?The attack is most effective against devices that do not implement Bluetooth security features (pairing). We have examined a handful of devices, including:
- smart watches,
- authentication token,
- mobile point-of-sale,
- smart locks,
- anti-thief solutions,
- home automation,
- smart finders,
- various gadgets.
How can I check if my device is affected?First, you can check in Bluetooth settings of your phone if the device is paired.
- If yes - confirm the pairing process involves PIN confirmation, or requires a physical action on device (e.g. pressing button). And be careful with re-pairing, as the connection problem may be an effect of active attack willing to intercept the process.
- If not - don't panic. The device most likely will implement own security features on top of Bluetooth connection. However, such features may have various vulnerabilities. Several examples are described in attached whitepaper.
What hardware is necessary to perfom the attack?The whole functionality of our tool is was tested on Raspberry Pi and other Linux systems with Bluetooth 4 adapters. Some of the attacks may be performed using a smartphone or other embedded devices. It is technically possible to implement the attacking device in a tiny, beacon-sized (a few square cm), battery-powered module.
What risk is associated with the attack?The simplest answer is: that depends. For example, the current pulse indication from a smart wristband of a regular person rather will not be of interest for by-passing people. The situation may change dramatically if the person is a highly ranked official, and an adversary would like to know her pulse during important negotiations. Or - the wristband pulse indication is used as a biometric authentication in a banking application. Most attacks require close physical presence, so the risk is limited.
But, the attacker has to be close to the victim's mobile and device?As the Bluetooth operating range is limited, in order to perform “Man-in-the-middle” attack, an attacker has to be close to your smartphone and the device.
However, some mobile applications have proximity features, which - improperly implemented - may be abused by approaching your smartphone away from the device and original location.
Also, devices may have vulnerabilities possible to exploit directly, without the need to interact with mobile application or intercept the transmission. In such case attacker needs to approach only the vulnerable device.
You can also imagine a mobile malware attacking BLE devices in range of the infected smartphone. Such malware is operated remotely, and the attack is theoretically possible on a mass-scale.
But simple Denial of Service was possible before, using RF-jamming?Yes, but performing such attack using generic RF-jammer was not straightforward nor discreet, as BLE is designed to be very robust against interference. With the new tool, which works in application layer, it is a magnitude easier - using simple tricks it is possible to enforce the victim's mobile phone to connect to impersonated device instead the original one, and then - for DoS scenario - just stall the further actions.
Why vendors choose not to use Bluetooth security?One of commonly mentioned reasons is that vendors struggle to comply with various requirements: usability, multiple users or devices, cloud backup etc. The Bluetooth security features are handled by operating system, and the mobile application does not have full control over this process. That is why they decide to create own security mechanisms on top of the unencrypted Bluetooth LE link.
Will you publish a list of vulnerable devices?We do not aim for that. Following responsible disclosure manners, we inform the vendors on our findings, and help them to fix, as we want to improve security of end-users. Disclosing vulnerability details straight away, before vendor releases patch, may expose users to attacks, and will usually not help to achieve this goal.
How does the tool work?The tool creates exact copy of attacked device in Bluetooth layer, and then tricks mobile application to interpret its broadcasts and connect to it instead the original device. At the same time, it keeps active connection to the device, and forwards to it the data exchanged with mobile application. In this way, acting as “Man-in-the-Middle”, it is possible to intercept and/or modify the transmitted requests and responses.
Why does the application connect to “cloned” device instead the original?Most mobile applications initiate connection to device by looking for advertising packets broadcasted by device. Usually battery-powered devices optimize advertising intervals in order to minimize power consumption. The attacker however can broadcast the relevant advertisements with minimal intervals (much “quicker”). The mobile application will interpret the first received advertisement - and in this case it will most probably be the spoofed one.
Additionally, as most devices do not broadcast advertisements during active connection, the attacker can just constantly keep connected to original device and thus prevent it from broadcasting.
What about Bluetooth encryption, pairing and bonding?Depending on how the devices are paired, it may still be possible to attack such connection by abusing weaknesses in implementation and social-engineering. Details are in attached whitepaper.
Will the tool be available free of charge?Yes. The tool is open-source, public, MIT-licensed. We count on you to help improve it.
Why?We concluded growing Bluetooth Smart adoption and interest in it does not correspond with adequately growing interest of its security.
We believe end-users should be aware of possible attack scenarios and risks, and the vendors' claims on security should be reviewed by independent assessment.
What is the origin of a name “GATTack”?The mobile application “talks” to device's “attributes” using Bluetooth LE GATT (Generic Attribute Profile) specification . The introduced attack scenarios and example vulnerabilities concern this layer of Bluetooth stack.
Will you publish more information?Yes. Stay tuned.
I want to work with you!We're hiring!
Other questions?You can find us: firstname.lastname@example.org
WHITE PAPERYou can download the white paper here
SLIDESYou can download the Black Hat USA slides here
VIDEOSA few videos here
OTHER RESEARCHFollowing initial research on Bluetooth Low Energy security by Mike Ryan:
the BLE hacking is on the rise.
Another very similar BLE MITM tool was presented at Defcon 24 IoT Village by Damien Cauquil.
Defcon 24 "Picking BLE Locks from quarter mile away", "How do I BLE Hacking" by Anthony Rose, Jose Gutierrez and Ben Ramsey. Slides, source code:
We will soon update more details and other available tools (including blue hydra).
If you are aware of other research worth noting here, let us know!
TOOLThe GATTacker tool is available on Github:
You can install it using npm:
npm install gattacker.
LOGOFollowing current standards of “infosec hype”, we had no other option but to create a logo for the research.
After carefully examining past experience of predecessors, we have:
- created an image flip of other recognized trademark
following a few years back widely known in itsec website, which name we are now embarassed to publicly bring back ;)
- added a calm blue element to bottom right:
The market tests of badlock vs sadlock logos exposure clearly show that adding a blue element to bottom right calms down the audience.
- used latest Photoshop and lossless image compression
according to lcamtuf's advisory.
psirt at gattack.io
GPG public key fingerprint: 77:65:20:61:72:65:20:6b:69:64:64:69:6e:67:21
DownloadLicense: Creative Commons. Use it freely.
This site designed is adapted from:www.yomena.de | CC:Attribution