In this tutorial we will learn about hacking a smart bulb over Bluetooth. Since the topic is extensive, I have divided it into two parts: in the first part we get to know the basics and theory of Bluetooth, and in the second part we look at the practical use itself.
Let’s get started.
Our goal – What do we want to do?
The bulb comes with a mobile app that is used to interact with it. We, however, will control the smart bulb remotely using a Bluetooth CSR v4.0 dongle (hereinafter referred to as the dongle), a cheap USB adapter that can communicate with the bulb. More on the dongle later. Simply put – we will control the light bulb even though we do not own it.
Hacking a Smart Bulb with Bluetooth:
Bluetooth Theory – We all know what Bluetooth is and have been using it for a long time. As you may or may not know, there are two types of Bluetooth communication.
- Classic Bluetooth, i.e. Bluetooth 2.0
- Bluetooth Low Energy, i.e. BLE 4.0
Classic Bluetooth and its specifications were introduced as part of Bluetooth 1.0. These specifications are developed by the SIG (Bluetooth Special Interest Group) and all Bluetooth manufacturers and service providers are members of the SIG.
BLE (Bluetooth Low Energy) is a wireless personal area network (PAN) technology. It was created by Nokia under the name Wibree in 2006 and was merged into the Bluetooth standard in 2010. BLE was designed specifically for low-power devices; since IoT devices run on little power, they use BLE to communicate. There are many wireless protocols for IoT, but BLE is the easiest to design and implement.
BLE OS Support – BLE is supported and available on almost all platforms. The main ones are listed below –
- Mobile devices – Android, iOS, Windows, etc.
- Desktop/Laptop – Windows, Linux and macOS.
Operating frequency – BLE uses the 2.4 – 2.48 GHz ISM band.
BLE Stack – This is what the BLE Stack looks like
(Image Source – https://devzone.nordicsemi.com/tutorials/17/)
It consists of 3 layers –
- The Host layer
- The Controller layer
- The Host Controller Interface (HCI) – the boundary between the two; the host and the controller talk to each other through the HCI.
We don’t need to understand the functions of all layers for this tutorial; we will only go over what is needed (GATT, GAP and ATT). Let’s understand their functions –
GAP – Abbreviation for Generic Access Profile. It is responsible for the discovery aspect of BLE devices. Simply put, your device must be discoverable to other devices and mobile apps before we can connect to it, and GAP does the work of making it discoverable.
ATT – Abbreviation for Attribute Protocol. Simply put – when we talk to a web server we use the HTTP protocol, so HTTP governs the communication between the browser and the web server. Similarly, how the mobile app and the bulb talk to each other is governed by ATT.
GATT – Abbreviation for Generic Attribute Profile. Simply put – we use a browser to communicate with a web server, and the browser is responsible for all exchange of user data. GATT plays the same role: it is responsible for exchanging data and profile information between the mobile app and the bulb. GATT comes into play once a connection has been established between the two devices. GATT organizes data into services and characteristics.
To understand what this means, let’s look at the diagram below –
Within a profile are services, and within a service are various characteristics.
- Profile – A collection of services.
- Service – A collection of characteristics.
- Characteristic – A single data point.
I deliberately did not write out the formal definitions. Let’s take this simple example instead –
Let’s say you’re a security consultant and you know how to do web and mobile pentesting. You could list your skills in the form given below –
- Pentesting web applications
  - Pentesting Java applications
  - Pentesting .NET applications
  - Pentesting PHP applications
- Pentesting mobile applications
  - Pentesting Android applications
  - Pentesting iOS applications
  - Pentesting Windows applications
In the above example –
The profile is – Security Consultant
The services are – Pentesting web applications and Pentesting mobile applications.
The characteristics are – Pentesting Java applications, Pentesting .NET applications, Pentesting Android applications, etc.
I hope the concept of profile, service and characteristic is now clear.
In BLE there is nothing actually called a profile on the device; a profile is just a conceptual collection of services, and you won’t come across one when testing a BLE device – you will only see services and characteristics.
A list of the services defined by the Bluetooth SIG can be found here – https://www.bluetooth.com/specifications/gatt/services. If you open the link, you will see all the predefined services offered by the Bluetooth SIG; refer to the “Assigned Number” column. Each service is assigned a number, and all of these services lie in the range “0x18**”, i.e. the 0x18 part always stays constant.
Similarly, the list of characteristics defined by the Bluetooth SIG can be found here – https://www.bluetooth.com/specifications/gatt/characteristics. If you open the link, you will see all the predefined characteristics offered by the Bluetooth SIG; again, see the “Assigned Number” column. Each characteristic is assigned a number, and all of these characteristics lie in the range “0x2A**”, i.e. the 0x2A part always stays constant.
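To make the service/characteristic hierarchy and the assigned-number ranges concrete, here is an added example (not code from the original post) that decodes a discovered GATT attribute table; the 16-bit assigned numbers are shorthand for full 128-bit UUIDs built on the Bluetooth base UUID, and the characteristic-declaration layout follows the GATT specification. The attribute table itself is constructed sample data, and the vendor-specific UUIDs 0xFFE0/0xFFE1 are assumed placeholders, not values taken from a real bulb.

```python
# Added example (not from the original post): decode a discovered GATT attribute
# table into services and characteristics using the Bluetooth SIG assigned-number
# ranges described above. SAMPLE_TABLE is constructed data, not a real bulb's table.
import struct

BT_BASE_UUID = "0000{:04x}-0000-1000-8000-00805f9b34fb"  # 16-bit UUIDs are shorthand for this
PRIMARY_SERVICE_DECL = 0x2800   # attribute type of a primary service declaration
CHARACTERISTIC_DECL = 0x2803    # attribute type of a characteristic declaration
PROPERTY_BITS = {0x02: "read", 0x04: "write-no-rsp", 0x08: "write", 0x10: "notify", 0x20: "indicate"}

def expand_uuid16(uuid16):
    """Expand a 16-bit assigned number to the full 128-bit UUID it abbreviates."""
    return BT_BASE_UUID.format(uuid16)

def classify_assigned_number(uuid16):
    """SIG assigned numbers are grouped by high byte: 0x18xx services, 0x2Axx characteristics."""
    groups = {0x18: "service", 0x28: "declaration", 0x29: "descriptor", 0x2A: "characteristic"}
    return groups.get(uuid16 >> 8, "vendor/unknown")

def decode_gatt_table(table):
    """table: [(handle, attr_type_uuid16, value_bytes)] as read by attribute discovery.
    A characteristic belongs to the closest primary service declaration below its handle."""
    services = []
    for _handle, attr_type, value in sorted(table):
        if attr_type == PRIMARY_SERVICE_DECL:
            uuid = struct.unpack("<H", value)[0]
            services.append({"uuid": uuid, "kind": classify_assigned_number(uuid), "chars": []})
        elif attr_type == CHARACTERISTIC_DECL and services:
            # Declaration value: properties (1 byte), value handle (2 bytes LE), UUID (16-bit here)
            props, value_handle, uuid = struct.unpack("<BHH", value)
            services[-1]["chars"].append({"uuid": uuid, "value_handle": value_handle,
                                          "props": [n for b, n in PROPERTY_BITS.items() if props & b]})
    return services

def writable_characteristics(services):
    """Return (service_uuid, char_uuid, value_handle) for every characteristic that accepts writes;
    a security review checks that each of these is protected by pairing/encryption on the device."""
    return [(s["uuid"], c["uuid"], c["value_handle"]) for s in services for c in s["chars"]
            if {"write", "write-no-rsp"} & set(c["props"])]

# Constructed sample: Generic Access (0x1800), Battery (0x180F) and a vendor-specific service.
SAMPLE_TABLE = [
    (0x0001, 0x2800, struct.pack("<H", 0x1800)),
    (0x0002, 0x2803, struct.pack("<BHH", 0x02, 0x0003, 0x2A00)),  # Device Name, read
    (0x0004, 0x2803, struct.pack("<BHH", 0x02, 0x0005, 0x2A01)),  # Appearance, read
    (0x0010, 0x2800, struct.pack("<H", 0x180F)),
    (0x0011, 0x2803, struct.pack("<BHH", 0x12, 0x0012, 0x2A19)),  # Battery Level, read|notify
    (0x0020, 0x2800, struct.pack("<H", 0xFFE0)),
    (0x0021, 0x2803, struct.pack("<BHH", 0x0C, 0x0022, 0xFFE1)),  # vendor control, write|write-no-rsp
]
```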
Tools – There are many tools available for capturing and replaying Bluetooth packets, such as Ubertooth, Bluefruit and the Bluetooth CSR v4.0 dongle. Ubertooth is widely used, but it costs around $120. The cheapest tool available to us is the dongle, which costs around $7-8, so in this blog we will use the dongle.
About the Bluetooth CSR v4.0 dongle – First, look at the dongle shown below –
As shown above, it is a plain USB dongle that plugs directly into the laptop and is ready to use.
Setup – We have a smart bulb and an Android app. The bulb is controlled from the mobile app, so we can communicate with the bulb through the Android app.
Steps for exploitation –
- Capture the communication between the bulb and the mobile device. The dongle cannot capture the over-the-air traffic between the phone and the bulb, but we can capture it on the phone itself using the “Bluetooth HCI snoop log” option, which is found under Developer Options as shown. Once enabled, it records all Bluetooth traffic on the phone.
- Transfer the Bluetooth log files to your computer.
- Analyze the traffic.
- Replay the packets using the Bluetooth CSR dongle.
Procedure – I am using the Bluetooth CSR v4.0 dongle. So I will capture all the communication between the bulb and the mobile app using the “Bluetooth HCI snoop log” feature on the phone, transfer the log file to my computer, and analyze it with Wireshark. After analyzing the packets, a replay attack using the CSR dongle will be performed.
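Before the Wireshark analysis in part two, it helps to know what the HCI snoop log actually contains. The following added example (not code from the original post) is a minimal reader for the btsnoop file format that Android writes, labelling each record by direction and H4 packet type and listing the ATT writes the phone sent, which is how an analyst identifies which characteristic an app controls and whether the device accepted it without pairing. It assumes the log was written with H4 framing (btsnoop datalink 1002) as Android does; the log bytes, the handle 0x0025 and the value aabbcc are constructed sample data.

```python
# Added example (not from the original post): a minimal reader for the Android
# "Bluetooth HCI snoop log" (btsnoop) format that labels each record by direction and
# H4 packet type and lists the ATT writes the phone sent. SAMPLE_LOG is constructed data.
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_TYPES = {1: "HCI_CMD", 2: "ACL", 3: "SCO", 4: "HCI_EVT"}   # first byte of each H4 packet
ATT_CID = 0x0004                                               # L2CAP channel carrying ATT over LE
ATT_WRITE_OPS = {0x12: "Write Request", 0x52: "Write Command"}
# btsnoop timestamps are microseconds since 0 AD; subtracting this offset gives Unix time.
BTSNOOP_UNIX_OFFSET_US = 0x00DCDDB30F2F8000

def parse_btsnoop(data):
    """Yield (direction, h4_type, unix_seconds, payload) for every record in a btsnoop blob."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != 1002:  # 1002 = HCI UART (H4), the framing Android writes
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    pos = 16
    while pos + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, ts = struct.unpack(">IIIIq", data[pos:pos + 24])
        pkt = data[pos + 24:pos + 24 + incl_len]
        pos += 24 + incl_len
        direction = "rx" if flags & 1 else "tx"  # flag bit 0: 0 = host sent, 1 = host received
        yield direction, (H4_TYPES.get(pkt[0], "?") if pkt else "?"), (ts - BTSNOOP_UNIX_OFFSET_US) / 1e6, pkt[1:]

def att_writes(data):
    """Return [(handle, value_hex, op_name)] for ATT writes the host sent inside ACL packets."""
    out = []
    for direction, kind, _, body in parse_btsnoop(data):
        if kind != "ACL" or direction != "tx" or len(body) < 8:
            continue
        l2cap_len, cid = struct.unpack("<HH", body[4:8])  # L2CAP header follows the 4-byte ACL header
        att = body[8:8 + l2cap_len]
        if cid == ATT_CID and len(att) >= 3 and att[0] in ATT_WRITE_OPS:
            handle = struct.unpack("<H", att[1:3])[0]
            out.append((handle, att[3:].hex(), ATT_WRITE_OPS[att[0]]))
    return out

def _record(flags, pkt, ts_us=BTSNOOP_UNIX_OFFSET_US + 1_700_000_000_000_000):
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts_us) + pkt

# Constructed sample: an HCI command (sent), an ATT Write Command to handle 0x0025 (sent), an HCI event (received).
att_pdu = bytes([0x52]) + struct.pack("<H", 0x0025) + bytes.fromhex("aabbcc")
acl = bytes([0x02]) + struct.pack("<HH", 0x0040, len(att_pdu) + 4) + struct.pack("<HH", len(att_pdu), ATT_CID) + att_pdu
SAMPLE_LOG = (BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
              + _record(2, bytes([0x01, 0x0C, 0x20, 0x00]))                    # flags 2: command, sent
              + _record(0, acl)                                                # flags 0: data, sent
              + _record(3, bytes([0x04, 0x0E, 0x04, 0x01, 0x0C, 0x20, 0x00])))  # flags 3: event, received
```

On a real capture, pass the contents of btsnoop_hci.log to att_writes to see every handle the app wrote and the bytes it sent.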