Bettercap for Debugging Bluetooth LE

There’s a useful tool called bettercap that claims to be the “Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks”.

While you might use it to test Bluetooth LE security, a more interesting use is debugging Bluetooth LE. If you are scanning for advertising, or creating or using GATT services, for example with a beacon, it's useful to have an independent way of exercising the other end of the link: bettercap's ble.recon module lists the advertisers it hears, and ble.enum connects to a device and dumps its GATT services and characteristics, so you can check what your beacon or app is actually sending without relying on your own code to tell you.

Bettercap is written in Go and runs on GNU/Linux, BSD, Android, Apple macOS and Microsoft Windows. However, at the time of writing a bug prevents the Bluetooth commands from working on Windows and macOS, so for Bluetooth LE it's Linux or Android only. Note that on Linux the Bluetooth modules need access to the HCI adapter, which normally means running bettercap as root.

Bettercap also has a browser-based UI, and sessions can be scripted so that a sequence of commands can be replayed.

UPDATE: There’s a tutorial on Medium.

Beacons for Kiosks

We previously wrote about the requirements for using beacons in vending machines. There's a new thought-provoking article on Kiosk Marketplace, Are kiosks ready for today's exciting digital technologies?

The article talks about using beacons to promote consumer interaction, track customer shopping patterns and offer rewards, but stops short of providing scenarios or explaining the technical possibilities.

Imagine approaching a kiosk and it automatically knowing who you are and providing one touch (or zero touch) vending of your favourite drink or snack. You are billed automatically and you accrue loyalty points. For the merchandiser, think about extra things you could do (or know) if you could target your top customers and offer them frictionless service. These things are possible using beacons.

Depending on what you need to do, the beacon can be in the kiosk, with the user, or both. If it's with the user it can be a physical beacon or an app advertising as a beacon. Some scenarios need more functionality or security than Bluetooth advertising alone provides: advertising is broadcast in the clear and can be copied by anyone who hears it, so an advertisement on its own is not proof of who is standing at the kiosk. In these cases it's possible to connect to the beacon via Bluetooth GATT to store or read data, and to add authentication on top of that connection.

If you need more help then view our articles or consider a feasibility study.

Man-in-the-Middle Attacks on Beacons

There’s an interesting BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework on GitHub. It lets you intercept the Bluetooth GATT communication that takes place when an app connects to a beacon.

The majority of scanning-type apps don’t connect via GATT and only read the advertising data, which is available to anyone within radio range. A connection usually only happens when configuring beacons, or in advanced scenarios where the app needs to read sensor or battery data. Some custom platforms’ apps also connect to beacons to perform platform-related things such as remote setup, security or other functions specific to the platform.
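The advertising data that "anyone" can read is a sequence of length/type/value structures, and the iBeacon fields (proximity UUID, major, minor, measured power) sit inside an Apple manufacturer-specific structure. The following parser is an added example for this page, not code from the page's author or from any beacon vendor; the sample payloads are constructed by hand (the UUID is a placeholder), and a deliberately malformed payload shows why the length byte must be bounds-checked before it is trusted.

```python
"""Decode a raw BLE advertising payload into its AD structures and extract
iBeacon fields (proximity UUID, major, minor, measured power) if present.

Added example for this page; not code from the page's author or any beacon
vendor. The sample payloads below are constructed by hand.
"""
import struct
import uuid
from typing import Dict, List, Optional, Tuple

# AD type codes from the Bluetooth assigned numbers.
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C   # appears little-endian (4C 00) on the wire
IBEACON_TYPE = 0x02
IBEACON_LENGTH = 0x15       # 21 bytes: 16 UUID + 2 major + 2 minor + 1 power

# Constructed sample: flags + an iBeacon frame with a placeholder UUID,
# major 1, minor 2, measured power -59 dBm (0xC5).
SAMPLE_IBEACON_ADV = bytes.fromhex(
    "020106"
    "1aff4c000215"
    "12345678123412341234123456789abc"
    "0001" "0002" "c5"
)
# Constructed sample: flags + a complete local name, no iBeacon frame.
SAMPLE_NAME_ADV = bytes.fromhex("020106" "0709" + "Beacon".encode().hex())
# Constructed malformed sample: the length byte claims 5 bytes but only 2 follow.
SAMPLE_MALFORMED_ADV = bytes.fromhex("0501ff")


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    Each structure is [length][type][data...], where length counts the type
    byte plus the data. A zero length ends the payload (padding). A length
    that runs past the end of the payload is rejected rather than silently
    truncated: trusting that byte is the classic advertising-parser bug.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        structures.append((ad_type, data))
        i += 1 + length
    return structures


def local_name(payload: bytes) -> Optional[str]:
    """Return the Complete Local Name if the payload carries one."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_COMPLETE_LOCAL_NAME:
            return data.decode("utf-8", errors="replace")
    return None


def decode_ibeacon(payload: bytes) -> Optional[Dict[str, object]]:
    """Return the iBeacon fields if the payload carries an Apple iBeacon frame."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_MANUFACTURER_SPECIFIC or len(data) < 25:
            continue
        company = struct.unpack_from("<H", data, 0)[0]
        if company != APPLE_COMPANY_ID:
            continue
        if data[2] != IBEACON_TYPE or data[3] != IBEACON_LENGTH:
            continue
        proximity_uuid = uuid.UUID(bytes=data[4:20])
        major, minor = struct.unpack_from(">HH", data, 20)   # big-endian
        measured_power = struct.unpack_from("b", data, 24)[0]  # signed dBm at 1 m
        return {
            "uuid": str(proximity_uuid),
            "major": major,
            "minor": minor,
            "measured_power": measured_power,
        }
    return None


if __name__ == "__main__":
    print(decode_ibeacon(SAMPLE_IBEACON_ADV))
    print(local_name(SAMPLE_NAME_ADV))
```

Everything the parser recovers here is exactly what a scanning app sees without ever connecting, which is why the advertising data should never be treated as a secret or as proof of identity; a capture from a real scanner (for example bettercap's ble.show output) can be fed through the same functions.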

The availability of a Man-in-the-Middle framework presents a security threat, but the likelihood depends on the scenario. For most beacons, the main GATT connection activity is one-off setup by an administrator, and an attacker would have to be within radio range at that moment, so interception of that communication is very unlikely.

The larger problem may be platforms’ apps that connect to beacons, where GATT connections happen regularly from users’ devices rather than under an administrator’s control. The implications of the communication being eavesdropped obviously depend on what is being communicated, and a proxy that can read a write can also alter it in transit. That said, most current non-beacon Man-in-the-Middle (WiFi) attacks have financial motivations, and it’s difficult to think of beacon attacks that would lead to financial gain for the attacker. Nevertheless, if you work with a system that regularly connects to beacons via GATT, think about the consequences of eavesdropping on both the data and the metadata (what is being changed, and when).

A more positive use of BtleJuice is to discover and reverse engineer Bluetooth GATT Services. As mentioned in a previous article, some of our beacon manufacturers haven’t documented their Bluetooth Service Characteristics. This means that while their beacons are fine for scanning/proximity applications, you can’t write your own app to, for example, programmatically change the UUID, major and minor, and must rely on the manufacturer’s configuration app or, in the case of the Sensoro beacon, their SDK. While this is of no consequence for the majority of uses, more ambitious scenarios might want to access the Bluetooth GATT services directly. BtleJuice provides a new way to reverse engineer those services: sit it between the manufacturer’s app and the beacon, change a setting in the app, and record which characteristic is written and with what value.

nRF Connect Now Has Macros

The Nordic nRF Connect app (formerly known as nRF Master Control Panel) allows you to manipulate beacons directly at the Bluetooth GATT Service/Characteristic level. It works with all beacons, not just those containing Nordic SoCs. There’s also a version for iOS. The app is particularly good at recognising known Bluetooth profiles and giving them useful human descriptions rather than leaving the Bluetooth Services as numbers.

The Android version of the app has recently been updated to support macros:

[Image: nRF Connect macros]

This means that if you are configuring lots of beacons, it’s now much less tedious, quicker and less error-prone to record a macro that sets all your desired Service/Characteristic values once and then replay it on each beacon.