The Generic Attribute Profile (GATT) is the necessary profile that is used to send data between Bluetooth devices. The transfer of data using GATTs has two steps that are repeated to continue sending data. The GATT server is whatever Bluetooth device you are connecting to your host device. The host device is the GATT client. The first step in this server client communication is the client sends a request to connect; then the server responds to the request. This communication is depicted in Figure 1 below:
Recently we were able to intercept and capture some of these GATTs from a Schlage Smart Sense Lock using btlejuice. This blog post, will detail our progress of capturing these GATTs.Btlejuice Update
In an attempt to understand why we have been having difficulty working with the Btlejuice application, we had the laptops we are working with re-imaged. This allowed the team to work with a 100% fresh install of Kali to ensure that both tools were installed properly. Further research revealed a more efficient and correct method of installing Btlejuice with all the proper dependencies required for the program to work.
The fresh installation of Kali and Btlejuice provided us with the ability to began our tests again to see if we could intercept packets going to our Schlage Smart Sense lock. When we connected the device to the Btlejuice proxy it immediately dumped anywhere between 4 to 8 packets without even having clicked on the ‘Start Interception’ button. This provided us with an interesting point that would be further investigated in the next week.
The next step we took was bringing the laptops and our Schlage Smart Sense lock to an isolated environment to conduct more testing with these packet dumps. We tried a wide variety of configurations for Btlejuice involving the spoofing of our bluetooth adapters on the proxy; some of which would dump packets, others would not. We attempted spoofing the Bluetooth Address of our iPad (working as our GATT client) and spoofing the address of the lock itself as well. When we used our second bluetooth adapter to spoof the lock, then ran the proxy on our first adapter and started intercept mode we received a read intercept packet. This intercepted packet was one of the packets that appeared before but this time it it popped up with a message specifically saying the packet was intercepted. We were still not able to capture any packets being sent between the lock and iPad because as soon as the lock is connected to the proxy the iPad is not able to communicate with the lock and thus instructions can neither be sent nor received.
We have come to the conclusion that our proxy is essentially hijacking the connection between the two devices and leaves the iPad on the outside of that connection (The iPad cannot send or receive information over bluetooth from the lock). Another interesting note is that whenever the Smart Sense lock is not sending or receiving commands it is in discovery mode and is open to receive connections from devices. This changes when the iPad or lock sends commands to the other. Upon transmission by either device the lock automatically pairs with iPad and communication is done through this line. After a period of 15-20 seconds the lock disconnects from the iPad and is open again. We believe that this method of connection was part of their most recent firmware update which was applied to the lock last semester. With the device only pairing when commands are sent back and forth it is hard to “Man in the Middle” the communication, as the lock only accepts one communication partner at a time.. As the semester comes to an end and we have exhausted all of our efforts attempting to hijack the connection between the Schlage Smart Sense Lock and the iPad using Btlejuice, we have decided to switch our efforts to targeting the other Bluetooth devices in our repertoire.Conclusion
In the next week we will be finalizing our research for the semester. It has been a long road and we have seen some successes and failures. L2ping has proved to be a decent method of Bluetooth device interruption. We’ve had success with it in disrupting paired devices, disrupting unpaired devices, and interfering all kinds of devices from watches to keyboards. The security on some devices knows when an illegitimate request is coming in or it is smart enough to no longer broadcast itself when it is paired. Those two methods prevent l2ping from disrupting the device. BlueHydra has proved to be an extremely effective and easy to view tool for Bluetooth scanning. One can enter a room having no knowledge of bluetooth devices within and find many devices, their names, their MAC addresses, and other important information. Btlejuice has proved to be one of our toughest steps. The proxy has given the team trouble in that it does not relay between the bluetooth device and the controller. It merely takes one side of that connection and does not connect out the other side. Our final report is coming soon, so stay in the loop for our final analysis and explanation of our methods.
The post Bluetooth Security Forensics 5.0 appeared first on The Leahy Center for Digital Investigation.