Agenda
• BLE in IoT devices
• Bluetooth Low Energy Protocol Stack
• Functionality of Protocol Layers in BLE
• BLE Pairing Mechanisms
• Attacking IoT Devices – Case Studies
Internet of Things
• What: The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity—that enable these objects to collect and exchange data.
Source: Wikipedia
IoT Devices
(Slide of product images: smart homes, connected camera, toothbrush, automobile industry, wearable devices.)
More devices can be found at: http://iotlist.co
Bluetooth Low Energy
• Wireless protocol operating in the 2.4 GHz band with GFSK modulation.
(Diagram: one Broadcaster advertising to several Observer devices.)
BLE Packet
• Preamble – 1 byte
• Access Address – 4 bytes
• PDU – 0-20 bytes
• CRC – 3 bytes
Packet layout: Preamble | Access Address | PDU | CRC
Bluetooth Device Address
• 48 bit unique number, which identifies the device among its peers.
• Device Address = Manufacturer ID + Device ID
• Manufacturer ID = NAP (2 bytes) + UAP (1 byte)
• Device ID = LAP
NAP – non-significant address part; UAP – Upper Address part; LAP – Lower Address part
http://standards-oui.ieee.org/oui/oui.txt
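Putting the BLE Packet and Bluetooth Device Address slides together, here is an added example (not code from the talk) that parses a raw advertising-channel packet into the preamble, access address, PDU and CRC fields listed above and then splits the advertiser's 48-bit address into NAP, UAP and LAP so the manufacturer part can be looked up in oui.txt. The field layout, the fixed advertising access address 0x8E89BED6 and the CRC-24 LFSR (polynomial x^24 + x^10 + x^9 + x^6 + x^4 + x^3 + x + 1, initial value 0x555555 for advertising PDUs) are taken from the Bluetooth Core Specification, Vol 6 Part B; the on-air bit order assumed for the CRC bytes (register MSB first, each byte LSB first) is my reading of that specification and should be confirmed against a real capture before the check is trusted in a sniffer. The sample packet is constructed: the address is the one on the Case Study 3 slide, the device name "HRS" and all function names are mine.

```python
"""Parse a raw BLE advertising-channel packet (preamble | access address | PDU | CRC)
and split the advertiser's 48-bit device address into NAP / UAP / LAP.
Added example, not from the talk; layout and CRC per Core Spec Vol 6 Part B."""
from dataclasses import dataclass

ADV_ACCESS_ADDRESS = 0x8E89BED6   # fixed access address of the three advertising channels
CRC_TAPS = 0x00065B               # LFSR feedback taps: x^10+x^9+x^6+x^4+x^3+x+1 (x^24 implicit)
CRC_INIT_ADV = 0x555555           # LFSR initialisation value for advertising-channel PDUs


def crc24(pdu: bytes, init: int = CRC_INIT_ADV) -> int:
    """Spec LFSR: PDU bits enter LSB-first per byte; feedback = input bit XOR register bit 23."""
    reg = init
    for byte in pdu:
        for i in range(8):
            feedback = ((byte >> i) & 1) ^ (reg >> 23)
            reg = (reg << 1) & 0xFFFFFF
            if feedback:
                reg ^= CRC_TAPS
    return reg


def crc_wire_bytes(reg: int) -> bytes:
    """Bit 23 of the register is sent first and the radio sends each byte LSB-first,
    so the on-air CRC is the bit-reversed register laid out little-endian (assumed order)."""
    return int(f"{reg:024b}"[::-1], 2).to_bytes(3, "little")


@dataclass(frozen=True)
class DeviceAddress:
    nap: int   # 2 bytes, non-significant address part
    uap: int   # 1 byte, upper address part
    lap: int   # 3 bytes, lower address part (device id)

    @classmethod
    def from_wire(cls, raw: bytes) -> "DeviceAddress":
        value = int.from_bytes(raw, "little")      # AdvA is transmitted least-significant byte first
        return cls(nap=value >> 32, uap=(value >> 24) & 0xFF, lap=value & 0xFFFFFF)

    def manufacturer_id(self) -> int:
        """NAP + UAP: the 24-bit value resolved to a vendor via the IEEE oui.txt list."""
        return (self.nap << 8) | self.uap

    def __str__(self) -> str:
        packed = ((self.nap << 32) | (self.uap << 24) | self.lap).to_bytes(6, "big")
        return ":".join(f"{b:02X}" for b in packed)


@dataclass
class AdvPacket:
    pdu_type: int
    tx_add_random: bool
    adv_a: DeviceAddress
    ad_structures: list      # [(ad_type, data), ...]
    crc_ok: bool


def parse_adv_packet(pkt: bytes) -> AdvPacket:
    """Split preamble / access address / PDU / CRC and decode an ADV_IND payload."""
    if len(pkt) < 1 + 4 + 2 + 3:
        raise ValueError("shorter than preamble + access address + PDU header + CRC")
    preamble, access_address = pkt[0], int.from_bytes(pkt[1:5], "little")
    if access_address != ADV_ACCESS_ADDRESS:
        raise ValueError(f"not an advertising-channel packet: {access_address:#010x}")
    if preamble != 0xAA:   # alternating preamble, first bit chosen by the access address LSB
        raise ValueError(f"unexpected preamble {preamble:#04x}")
    header0, length = pkt[5], pkt[6]
    pdu, crc = pkt[5:7 + length], pkt[7 + length:7 + length + 3]
    if len(pdu) != 2 + length or len(crc) != 3:
        raise ValueError("PDU length field does not match the captured bytes")
    payload = pdu[2:]
    ad_structures, i = [], 6                    # AdvA occupies the first 6 payload bytes
    while i < len(payload):                     # AD structures: length, type, data
        ad_len = payload[i]
        if ad_len == 0 or i + 1 + ad_len > len(payload):
            raise ValueError("malformed AD structure")   # length runs past the payload
        ad_structures.append((payload[i + 1], bytes(payload[i + 2:i + 1 + ad_len])))
        i += 1 + ad_len
    return AdvPacket(pdu_type=header0 & 0x0F, tx_add_random=bool(header0 & 0x40),
                     adv_a=DeviceAddress.from_wire(payload[:6]),
                     ad_structures=ad_structures, crc_ok=crc_wire_bytes(crc24(pdu)) == crc)


def build_adv_ind(address: str, name: str) -> bytes:
    """Construct an ADV_IND packet (public address, Flags + Complete Local Name) for the example."""
    adv_a = bytes.fromhex(address.replace(":", ""))[::-1]
    ad = bytes([2, 0x01, 0x06]) + bytes([len(name) + 1, 0x09]) + name.encode()
    pdu = bytes([0x00, len(adv_a) + len(ad)]) + adv_a + ad
    return bytes([0xAA]) + ADV_ACCESS_ADDRESS.to_bytes(4, "little") + pdu + crc_wire_bytes(crc24(pdu))


if __name__ == "__main__":
    # Address from the slide deck; the name "HRS" is constructed for the example.
    p = parse_adv_packet(build_adv_ind("0A:0B:0C:0D:0E:0F", "HRS"))
    print(p.adv_a, f"OUI={p.adv_a.manufacturer_id():06X} LAP={p.adv_a.lap:06X} CRC ok={p.crc_ok}")
    print(p.ad_structures)
```

A sniffer or inventory tool built on this would drop packets whose CRC fails before acting on them; the single flipped payload bit in the test below is exactly the case the check catches.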
Bluetooth Core Specification
Protocol stack layers (top to bottom):
• Applications
• Generic Access Profile
• Generic Attribute Profile (GATT)
• Attribute Protocol
• Security Manager
• Logical Link Control & Adaptation Protocol (L2CAP)
• Host Controller Interface
• Link Layer
• Direct Test Mode
• Physical Layer
Source: https://www.bluetooth.com/specifications/bluetooth-core-specification
Generic Attribute Profile - GATT
• GATT is the backbone of BLE data transfer, as it defines how data is organized and exchanged.
(Diagram: a GATT server holds services; each service holds characteristics.)
• Services are collections of characteristics and relationships to other services that encapsulate the behavior of part of a device.
• Characteristics are defined attribute types that contain a single logical value.
Example (attribute table as shown on the slide)
Handle   Type            UUID   Permission   Value
0x0021   Service         HRS    READ
0x0024   Characteristic  CHAR   READ
0x0026                                       bpm
0x0027   Characteristic  CHAR   READ
Bluetooth LE Pairing Process
• Phase-1: Information required for generating the temporary key is exchanged between the master and the slave.
• Phase-2: The short term key is generated independently on both ends and encryption is started.
• Phase-3: Once the connection is secured by encryption, and only if bonding is performed, the permanent keys can be distributed for storage and reuse at a later time.
Case Study 2 – GATT Misconfiguration
(Diagram: gatttool writing to the BLE device; initial value 0a 18, changed value 0b 17.)
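The GATT slides describe the attribute table (services, characteristics, handles, UUIDs, permissions) and case study 2 shows what happens when a characteristic in that table can be rewritten by any connected central. The following added example (my code, not the talk's) models such a table together with the permission check a GATT server applies on write, and an audit function that lists every handle writable without an encrypted or authenticated link, which is the misconfiguration the case study turns on. Handles 0x0021, 0x0024, 0x0026, 0x0027 and the values 0a 18 / 0b 17 are from the slides; handle 0x0029, the UUID labels, the heart-rate value and the permission names are constructed.

```python
"""GATT attribute table with write-permission enforcement and an audit for
characteristics any unpaired central could overwrite (case study 2).
Added example, not the talk's code; handle 0x0029 and the labels are constructed."""
from dataclasses import dataclass
from enum import Flag, auto


class Perm(Flag):
    READ = auto()
    WRITE = auto()
    WRITE_ENCRYPTED = auto()       # write accepted only over an encrypted link
    WRITE_AUTHENTICATED = auto()   # write accepted only after MITM-protected pairing


@dataclass
class Attribute:
    handle: int
    uuid: str
    perms: Perm
    value: bytes = b""


@dataclass
class Link:
    """Security state of the connection the central is writing over."""
    encrypted: bool = False
    authenticated: bool = False


class GattServer:
    def __init__(self, attributes):
        self.table = {a.handle: a for a in attributes}

    def write(self, link: Link, handle: int, value: bytes) -> None:
        attr = self.table.get(handle)
        if attr is None:
            raise KeyError(f"invalid handle {handle:#06x}")
        if Perm.WRITE not in attr.perms:
            raise PermissionError(f"{handle:#06x}: write not permitted")
        if Perm.WRITE_ENCRYPTED in attr.perms and not link.encrypted:
            raise PermissionError(f"{handle:#06x}: insufficient encryption")
        if Perm.WRITE_AUTHENTICATED in attr.perms and not link.authenticated:
            raise PermissionError(f"{handle:#06x}: insufficient authentication")
        attr.value = bytes(value)


def audit_unprotected_writes(server: GattServer) -> list:
    """Handles that an unpaired central could overwrite: the misconfiguration in case study 2."""
    protection = Perm.WRITE_ENCRYPTED | Perm.WRITE_AUTHENTICATED
    return sorted(a.handle for a in server.table.values()
                  if Perm.WRITE in a.perms and not (a.perms & protection))


def try_write(server: GattServer, link: Link, handle: int, value: bytes) -> bool:
    """True if the server accepted the write, False if it refused it."""
    try:
        server.write(link, handle, value)
        return True
    except PermissionError:
        return False


def heart_rate_table(config_perms: Perm) -> GattServer:
    """Heart Rate Service handles from the slide, plus a constructed config characteristic."""
    return GattServer([
        Attribute(0x0021, "Primary Service: HRS", Perm.READ),
        Attribute(0x0024, "Characteristic Declaration", Perm.READ),
        Attribute(0x0026, "Heart Rate Measurement (bpm)", Perm.READ, b"\x00\x48"),
        Attribute(0x0027, "Characteristic Declaration", Perm.READ),
        Attribute(0x0029, "Vendor config (constructed)", config_perms, bytes.fromhex("0a18")),
    ])


# Same table twice: the config characteristic writable by anyone, and the same
# characteristic requiring an encrypted, authenticated link before a write is accepted.
WEAK = heart_rate_table(Perm.READ | Perm.WRITE)
HARDENED = heart_rate_table(Perm.READ | Perm.WRITE | Perm.WRITE_ENCRYPTED | Perm.WRITE_AUTHENTICATED)

if __name__ == "__main__":
    unpaired = Link()
    print("weak table, unprotected writable handles:", [f"{h:#06x}" for h in audit_unprotected_writes(WEAK)])
    print("hardened table, unprotected writable handles:", audit_unprotected_writes(HARDENED))
    print("weak accepts unpaired write:", try_write(WEAK, unpaired, 0x0029, bytes.fromhex("0b17")))
    print("hardened accepts unpaired write:", try_write(HARDENED, unpaired, 0x0029, bytes.fromhex("0b17")))
```

On a real device the same audit can be done by reading each characteristic's properties and the server's security requirements during a review, before any central is allowed to bond; the point is that a writable value with no link-level requirement is reachable by whoever connects.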
Case Study 3 - MiTM
(Diagram: BLE device, mobile device, and an attacker cloning the BLE device's MAC address 0A:0B:0C:0D:0E:0F.)
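From the defender's side, case study 3 raises the question of how a cloned advertiser address can be noticed at all. The added example below (my code, not part of the talk) applies a simple heuristic to a passive sniffer's observation log: a second radio that copies a peripheral's address is at a different position, so its received signal strength forms a second cluster, and it often advertises a slightly different payload. The log format, the threshold of 20 dBm and the log lines are constructed; the flagged address is the one on the slide and the second address is made up.

```python
"""Heuristic detection of a cloned advertiser address (case study 3) from a sniffer log.
Added example, not from the talk; log format, threshold and log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Observation:
    timestamp: float
    address: str
    rssi: int          # dBm
    adv_data: str      # hex of the AdvData field


def parse_log(text: str) -> list:
    """Lines of 'timestamp,address,rssi,advdata_hex', as a sniffer might export them."""
    observations = []
    for line in text.strip().splitlines():
        ts, addr, rssi, data = line.split(",")
        observations.append(Observation(float(ts), addr.upper(), int(rssi), data.lower()))
    return observations


def find_address_clones(observations, rssi_gap_dbm: int = 20) -> dict:
    """Return {address: [reasons]} for addresses whose observations disagree with each other."""
    by_addr = defaultdict(list)
    for obs in observations:
        by_addr[obs.address].append(obs)
    suspicious = {}
    for addr, group in by_addr.items():
        reasons = []
        payloads = {o.adv_data for o in group}
        if len(payloads) > 1:          # one identity, more than one advertising payload
            reasons.append(f"{len(payloads)} distinct advertising payloads")
        rssis = sorted(o.rssi for o in group)
        # A spread far beyond the fading of one stationary radio suggests two transmitters.
        if rssis[-1] - rssis[0] > rssi_gap_dbm:
            reasons.append(f"RSSI spread {rssis[-1] - rssis[0]} dBm ({rssis[0]}..{rssis[-1]})")
        if reasons:
            suspicious[addr] = reasons
    return suspicious


# Constructed sniffer log: the genuine peripheral at about -45 dBm, a second radio
# using the same address at about -80 dBm with a payload differing in the last byte,
# and an unrelated device that should not be flagged.
SAMPLE_LOG = """
1000.000,0A:0B:0C:0D:0E:0F,-45,0201060409485253
1000.105,0A:0B:0C:0D:0E:0F,-46,0201060409485253
1000.203,11:22:33:44:55:66,-60,020106
1000.212,0A:0B:0C:0D:0E:0F,-81,0201060409485254
1000.307,11:22:33:44:55:66,-58,020106
1000.318,0A:0B:0C:0D:0E:0F,-44,0201060409485253
1000.414,0A:0B:0C:0D:0E:0F,-79,0201060409485254
"""

if __name__ == "__main__":
    for addr, reasons in find_address_clones(parse_log(SAMPLE_LOG)).items():
        print(addr, "->", "; ".join(reasons))
```

The heuristic is only as good as its inputs: a clone placed next to the original and replaying the exact payload defeats it, which is why the mitigation the pairing slides lead to (authenticated pairing, so the mobile device does not trust an address alone) matters more than detection.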
Thank you: Michael Mcneil, Ben Kokx, Minatee Mishra, Maheshan, Neelesh Swami, Anirudh Duggal, Pardhiv Reddy, Sanjog Panda, Archita, Sagar Popat, Jiggyasu Sharma, Narendra Makkena, Swaroop Yermalkar, Kartik Lalan, Abhishikt, Chandrakant Nial