BLE:Bit

Author: BLE:Bit is developed and maintained by Theodoros Danos.

Source Code: @ BLE:Bit's GitHub page

Hardware: If you don't want to build the hardware yourself, you can buy BLE:Bit directly from the creator @ shop.cybervelia.com

Technical articles using BLE:Bit: shellwanted.com, cybervelia.com

About BLE:Bit

BLE:Bit is a tool for Bluetooth Low Energy. It can be used in many ways, but the main reason for its development is to help the security community conduct penetration tests on BLE-enabled devices more easily.

A few ready-made tools are available, but they are only examples of how BLE:Bit can be used; the BLE:Bit SDK provides much more than those tools do.

Available Tools

  • BLE Harvester - Automatically connects to targets, clones their services, characteristics and values, and stores them in a JSON file
  • MiTM CLI - Perform a Man-in-the-Middle attack/proxy using BLE:Bit (non-interactive mode)
  • MiTM Android Server - Perform Man-in-the-Middle and replay attacks using BLE:Bit and an Android application as the client

    java -jar tool.jar

The tools require JRE >= 11.

Tool Capabilities

Simulate BLE Services

BLE:Bit can act as a Peripheral (the equivalent of an Access Point in 802.11) or as a Central (the equivalent of a Client in 802.11). It can create any service or characteristic and interact with the peer device in real time. Characteristics may use a custom UUID or a UUID defined by the Bluetooth SIG standard; both 16-bit and 128-bit UUIDs are supported. Each characteristic may also have custom properties and permissions.

Access to encryption keys

Many devices and software bundles exist that allow interaction with Bluetooth devices, but none of the current solutions offer the options of BLE:Bit at that price. In a real scenario where a device supports encryption, the other solutions fail to support all features in one package, including data encryption. BLE:Bit supports encryption and can simulate multiple Input/Output capabilities, such as Keyboard and Display (the capability that drives the pairing procedure of any two devices that wish to bond and encrypt their traffic). When BLE:Bit works as a proxy, it can return the Long-Term Key (LTK) of the communication between the two peers, so that the traffic can be inspected with a BLE traffic sniffer. This is very important to a penetration tester who wishes to monitor and inspect the traffic in real time.

Unlike other tools, BLE:Bit supports the following pairing configurations:

  • No Encryption – Pairing Method: Just Works
  • Encryption (No IO, Keyboard-Only, Display-Only, Keyboard-and-Display)
  • Encryption & MiTM (No IO, Keyboard-Only, Display-Only, Keyboard-and-Display)

Detect new attacks, misconfigurations or vulnerabilities

Using BLE:Bit, it is easier to find new vulnerabilities and even implement a PoC within minutes. The vulnerabilities CVE-2020-15509 and CVE-2020-13425 were discovered with the help of the BLE:Bit Mark 1.0 prototype. It is now easier for a tester to discover misconfigurations, as the device reports informational events throughout the whole procedure of connecting, pairing, disconnecting, and sending or receiving data. Each event can be logged and displayed with a meaningful status and error code, which helps a tester identify a bug.

Proxy Device

BLE:Bit is more than just a simulator. Using two BLE:Bit devices (central and peripheral), one can set up an active proxy that simulates the same services as the original device. Additionally, the user may set a custom MAC address, an option that is impossible or difficult to set with other solutions. Being able to select a custom MAC address, advertise the same data, and simulate the same services and characteristics completes the profile of any BLE device.

Cloning

The features BLE:Bit provides enable automatic device cloning, that is, the complete automation of cloning the services and MAC address of any existing device. A BLE:Bit device can automatically clone all services of a particular BLE device in real time, clone the original MAC address, and then start advertising with that same address. BLE:Bit can be configured to advertise more frequently than the original device in order to have a better chance of locking the target. Also, BLE:Bit is optimized for a half-wavelength antenna, which gives enough gain and RF transmission range (50 m in line of sight).

Configuration Parameters

The user has a number of configuration options. The following parameters may be configured:

  • Minimum Connection Interval in milliseconds
  • Maximum Connection Interval in milliseconds
  • Supervision Interval in milliseconds
  • Slaves Interval
  • Scan Timeout
  • Advertisement Timeout
  • Advertisement Frequency Interval in milliseconds
  • Scan Window in milliseconds
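A parameter set that violates the Link Layer constraints is rejected by the peer, and the rejection surfaces as one of the status events BLE:Bit reports. The validator below is an added example (not part of the BLE:Bit SDK); it assumes the "Slaves Interval" above is the spec's slave latency and that the supervision interval is the supervision timeout, and converts millisecond values to the units the spec uses.

```python
"""Validate BLE connection parameters (given in ms) against the Link Layer limits and convert to HCI units."""
from dataclasses import dataclass

# Ranges and units from Core Spec Vol 6 Part B 4.5.1 / 4.5.2 and the HCI LE Create Connection command
INTERVAL_UNIT_MS, TIMEOUT_UNIT_MS = 1.25, 10
INTERVAL_RANGE = (0x0006, 0x0C80)   # 7.5 ms .. 4000 ms, in 1.25 ms units
LATENCY_MAX = 0x01F3                # up to 499 skipped connection events
TIMEOUT_RANGE = (0x000A, 0x0C80)    # 100 ms .. 32 s, in 10 ms units


@dataclass
class ConnParams:
    min_interval_ms: float
    max_interval_ms: float
    slave_latency: int            # assumed to be what the README calls "Slaves Interval"
    supervision_timeout_ms: int   # assumed to be what the README calls "Supervision Interval"


def to_units(value_ms: float, unit_ms: float) -> int:
    """Convert a millisecond value to an integer number of spec units; reject non-multiples."""
    units = value_ms / unit_ms
    if abs(units - round(units)) > 1e-9:
        raise ValueError(f"{value_ms} ms is not a multiple of {unit_ms} ms")
    return int(round(units))


def validate(p: ConnParams) -> dict:
    """Return the HCI-unit encoding, or raise ValueError naming the violated constraint."""
    lo = to_units(p.min_interval_ms, INTERVAL_UNIT_MS)
    hi = to_units(p.max_interval_ms, INTERVAL_UNIT_MS)
    timeout = to_units(p.supervision_timeout_ms, TIMEOUT_UNIT_MS)
    if not INTERVAL_RANGE[0] <= lo <= hi <= INTERVAL_RANGE[1]:
        raise ValueError("connection interval out of range or min > max")
    if not 0 <= p.slave_latency <= LATENCY_MAX:
        raise ValueError("slave latency out of range")
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        raise ValueError("supervision timeout out of range")
    # The link must survive at least two full latency windows before it is declared lost
    if p.supervision_timeout_ms <= (1 + p.slave_latency) * p.max_interval_ms * 2:
        raise ValueError("supervision timeout must exceed (1 + latency) * max interval * 2")
    return {"interval_min": lo, "interval_max": hi, "latency": p.slave_latency, "timeout": timeout}


# Constructed sample: the 50/60 ms intervals used in the README's peripheral example
SAMPLE = ConnParams(min_interval_ms=50, max_interval_ms=60, slave_latency=0, supervision_timeout_ms=4000)
```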

Automatic construction of advertisement payload

Many applications or centrals are configured to connect automatically to peripherals whose advertisements contain specific data. BLE:Bit can build the advertisement payload automatically, in contrast to the other solutions available. If a needed option is not available, the user may add custom data as well. The supported fields are:

  • Service Data
  • Solicited UUIDs
  • Complete UUIDs
  • Incomplete UUIDs
  • Manufacturer Data
  • TX Power
  • Device Name (shortened device name also supported)
  • Flags
  • MAC Address
  • Custom Advertisement Data

If configuring the advertisement payload is not enough, BLE:Bit also allows the user to send separate data in scan responses. The scan response payload can also be built automatically and can include exactly the same fields as the advertisement data.
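Both the advertisement and the scan response are a sequence of length-prefixed AD structures with a 31-octet limit, and a payload that overruns it or a truncated structure is exactly the kind of defect a tester wants flagged rather than silently sent. The builder and parser below are an added example (not BLE:Bit SDK code); the heart-rate payload is constructed here to match the README's peripheral example.

```python
"""Build and parse legacy BLE advertising / scan-response payloads (AD structures)."""
import struct

# AD type codes from the Bluetooth Assigned Numbers (Generic Access Profile section)
AD_FLAGS, AD_UUID16_COMPLETE, AD_NAME_SHORT = 0x01, 0x03, 0x08
AD_NAME_COMPLETE, AD_TX_POWER, AD_MANUFACTURER = 0x09, 0x0A, 0xFF
FLAG_LE_GENERAL_DISCOVERABLE, FLAG_BR_EDR_NOT_SUPPORTED = 0x02, 0x04
MAX_ADV_LEN = 31  # legacy advertising and scan-response payloads are limited to 31 octets


def ad_struct(ad_type: int, payload: bytes) -> bytes:
    """One AD structure: length octet (type + payload), AD type octet, payload."""
    if len(payload) > MAX_ADV_LEN - 2:
        raise ValueError("AD structure payload too long")
    return bytes([len(payload) + 1, ad_type]) + payload


def build_adv(structures) -> bytes:
    """Concatenate (ad_type, payload) pairs, enforcing the 31-octet limit."""
    data = b"".join(ad_struct(t, p) for t, p in structures)
    if len(data) > MAX_ADV_LEN:
        raise ValueError(f"payload is {len(data)} octets, limit is {MAX_ADV_LEN}")
    return data


def parse_adv(data: bytes) -> dict:
    """Walk the length-prefixed structures; a zero length octet ends the payload."""
    fields, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated AD structure")
        fields[data[i + 1]] = bytes(data[i + 2:i + 1 + length])
        i += 1 + length
    return fields


# Constructed payload matching the README's heart-rate peripheral (not captured from a device)
HEART_RATE_ADV = build_adv([
    (AD_FLAGS, bytes([FLAG_LE_GENERAL_DISCOVERABLE | FLAG_BR_EDR_NOT_SUPPORTED])),
    (AD_UUID16_COMPLETE, struct.pack("<H", 0x180D)),   # Heart Rate service UUID, little-endian
    (AD_NAME_SHORT, b"Hea"),                           # shortened device name, 3 characters
    (AD_TX_POWER, struct.pack("<b", 0)),               # 0 dBm
])
```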

More control over pairing procedure

The user may choose when to disconnect or when to avoid disconnecting (for example, after an invalid PIN). In that way you may discover patterns or misconfigurations in the peer device.

Hook on read

On each read, the user can pause the request, inspect it, replace the value, and then allow the response to pass to the peer device. This is important because the user is informed whenever the peer reads a characteristic's value and can set that value according to the current conditions of the test.

Send and Receive Notifications

Notifications are very important in Bluetooth Low Energy: they allow a peer to send an event when a value has changed. BLE:Bit can send a notification at any time with any given value. Additionally, when the peer device sends notifications, the user can read them in the correct order, together with the characteristic and the handle they belong to.

Enforce re-pairing

Many solutions have very limited options and provide only high-level abstractions over Bluetooth Low Energy. BLE:Bit can force a bonded peer to pair again. This is important as it may change the flow of the encryption procedure; many BLE software stacks fail to check such corner cases, and BLE:Bit is here to help.

Portability

BLE:Bit is designed to be used in real-life scenarios, so that it can serve as a proof of concept in a red team penetration test.

A possible scenario: a target in a building has a smartphone with Bluetooth left enabled, while the peripheral device (e.g. a car or home lock) is somewhere else. Many mobile applications rely only on the detection of MAC addresses; while such an application is scanning for the peripheral, once a known address is found it connects to the device automatically.

BLE:Bit can be configured so that the two separate devices (BLE:Bit Peripheral and BLE:Bit Central) are placed in two different physical locations, because the two target devices will not always be at the same location. For that reason the BLE:Bit devices are pre-configured as peripheral or central, and the accompanying SDK contains a separate controller for each. In that way, two servers can be configured and placed in two different physical locations; by connecting both to the internet, the two servers can communicate and the cloning and Man-in-the-Middle procedures can be carried out.

Disable Advertisement Channels

When performing a security assessment there are times when sniffing is necessary (for debugging reasons). However, to capture all three advertising channels, three sniffer devices are needed for optimal results. With BLE:Bit, advertising can be disabled on specific channels, so that sniffing a single advertising channel is sufficient. Therefore one sniffer device is enough and a capture can always be obtained.

Peripheral Example

    import java.io.IOException;
    import java.util.Scanner;
    import java.util.UUID;
    // PEController, PEBLEDeviceCallbackHandler, BondingCallback, PEConnectionParameters,
    // ConnectionTypesCommon, ConnectionTypesPE, BLEService, BLECharacteristic,
    // BLEAttributePermission and AdvertisementData are provided by the BLE:Bit SDK jar.

    public class PeripheralExample
    {
        public static void main(String[] args)
        {
            setupPINProtectedProfile("COM1");
        }

        // Advertises a Heart Rate service whose measurement characteristic requires an
        // authenticated (MITM-protected) encrypted link, paired with a displayed passkey.
        private static void setupPINProtectedProfile(String com_port_peripheral)
        {
            try {
                PEBLEDeviceCallbackHandler mycallbackHandler = new PEBLEDeviceCallbackHandler();
                BondingCallback bcallback = new BondingCallback() {

                    @Override
                    public void authStatus(int status, int reason) {
                        System.out.println("authStatus: " + status + " with reason: " + reason);
                    }

                    // Called when BLE:Bit has to enter the passkey shown by the peer
                    @Override
                    public byte[] getPIN() {
                        System.err.println("Please provide 6-digit PIN Number:");
                        Scanner scn = new Scanner(System.in);
                        String num = scn.nextLine().trim();
                        if (num.length() != 6)
                            throw new IllegalArgumentException("PIN must be exactly 6 digits");
                        byte[] pin = new byte[6];
                        for (int i = 0; i < 6; ++i)
                            pin[i] = (byte) num.charAt(i);   // ASCII digits
                        return pin;
                    }

                    @Override
                    public void bondSuccess(int procedure) {
                        System.err.println("Bond Successful");
                    }

                    @Override
                    public void bondFailure(short error, int bond_error_src) {
                        System.err.println("Bond Failed - To blame: " + bond_error_src + " with error: " + error);
                    }

                    @Override
                    public void deletePeerBondRiseError() {
                    }

                    @Override
                    public void deletePeerBondSuccess() {
                    }
                };

                mycallbackHandler.installBondingCallback(bcallback);

                PEController pe = new PEController(com_port_peripheral, mycallbackHandler);
                PEConnectionParameters con_params = new PEConnectionParameters();
                con_params.setMinConnectionIntervalMS(50);
                con_params.setMaxConnectionIntervalMS(60);
                pe.sendConnectionParameters(con_params);

                pe.sendDeviceName("HeartRateService");
                pe.setAppearanceValue((short)833);   // Heart Rate Sensor appearance (0x0341)
                // Display capability: BLE:Bit shows the passkey and the peer must enter 001234
                pe.configurePairing(ConnectionTypesCommon.PairingMethods.DISPLAY, "001234");

                pe.sendBluetoothDeviceAddress("ea:bb:cc:11:33:12", ConnectionTypesCommon.BITAddressType.PUBLIC);

                pe.eraseBonds();
                // Advertise on channel 37 only, so a single-channel sniffer captures everything
                pe.disableAdvertisingChannels(ConnectionTypesPE.ADV_CH_38 | ConnectionTypesPE.ADV_CH_39);

                // Add BLE Services
                BLEService heart_rate_service = new BLEService(UUID.fromString("0000180D-0000-1000-8000-00805F9B34FB").toString());

                // Create Advertisement Data
                AdvertisementData adv_data = new AdvertisementData();
                adv_data.includeDeviceShortName(3);
                adv_data.setFlags(AdvertisementData.FLAG_LE_GENERAL_DISCOVERABLE_MODE | AdvertisementData.FLAG_ER_BDR_NOT_SUPPORTED);
                adv_data.addServiceUUIDComplete(heart_rate_service);

                // Add BLE Characteristic Heart Rate Measurement
                byte[] value = new byte[10];
                String uuid_char = UUID.fromString("00002A37-0000-1000-8000-00805F9B34FB").toString();
                BLECharacteristic hr_measurement = new BLECharacteristic(uuid_char, value);
                hr_measurement.enableRead();
                //hr_measurement.enableWriteCMD();
                hr_measurement.enableWrite();
                hr_measurement.setMaxValueLength(31);
                hr_measurement.setValueLengthVariable(true);
                hr_measurement.enableNotification();
                // Both read and write require an authenticated encrypted link
                hr_measurement.setAttributePermissions(BLEAttributePermission.ENCRYPTION_MITM, BLEAttributePermission.ENCRYPTION_MITM);
                heart_rate_service.addCharacteristic(hr_measurement);

                pe.sendBLEService(heart_rate_service);

                pe.sendAdvertisementData(adv_data);

                pe.finishSetup();

                /* Do Stuff */

            } catch (IOException e) {
                System.err.println(e.getMessage());
            }
        }
    }

Troubleshooting

No BLE:Bit Found

If the SDK cannot find your BLE:Bit device, make sure you have retried with the latest SDK, that the USB port works and that the device is in working condition. Also make sure the user has the necessary permissions to access the UART port: on Linux, the user must be in the dialout group in order to communicate with tty devices. Finally, if you have previously used the device and terminated the program without terminating the device (i.e. without calling the terminate() method), you may try to hard-reset the device using the on-board physical button.

License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.