Bettercap for Debugging Bluetooth LE

There’s a useful tool called bettercap that claims to be the “Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks”.

While you might want to use it to test Bluetooth LE security, a more interesting use is for debugging Bluetooth LE. If you are scanning for advertising or creating or using GATT, for example with a beacon, it’s sometimes useful to have a separate way of exercising Bluetooth LE.

Bettercap is written in Go and runs on GNU/Linux, BSD, Android, Apple macOS and the Microsoft Windows. However, a bug in Windows and macOS prevents the Bluetooth commands from working. Hence, it’s for Linux or Android only.

Better caps runs in the browser and you can create scripts.

UPDATE: There’s a tutorial on Medium.

Bluetooth MAC Randomization Can Be Defeated

The Register has an article Brilliant Boston boffins blow big borehole in Bluetooth’s ballyhooed barricades: MAC addy randomization broken.

Beneath the hyperbolic alliteration is some research (pdf) that Bluetooth MAC randomization isn’t foolproof. Researchers have found that similarities between the non-MAC information in advertising allows devices to be uniquely identified:

“What is perhaps even more concerning, say the Boston Uni trio, is the message Bluetooth vendors are putting out to the public when they advertise Bluetooth LE as being an untrackable standard.”

In actual fact, very few vendors do MAC randomization. The majority of beacon manufacturers don’t because the whole idea of a beacon is that it can be identified via MAC address or iBeacon id. For the same reason, most Bluetooth accessories don’t as they want to be identified via apps. Android smartphones don’t do MAC randomization but iOS and Windows 10 do to improve end-user privacy. It’s mainly iOS devices that will be moving around and possibly tracked in-store or on-site via the ‘vulnerability’ described in the paper.

Guide to Bluetooth Security

We occasionally get asked about the specifics of Bluetooth LE security. This is usually when a project has security requirements or needs to formally document things such as cryptography schemes and vulnerabilities.

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) has an informative Guide to Bluetooth Security (pdf) that provides information on the security features of Bluetooth, vulnerabilities, threats and extensive recommendations.

The following table provides an overview of Bluetooth LE compared ‘Classic’ Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) protocol:

Bluetooth LE 4.2 and later uses ECDH P-256 Elliptic Curve public key cryptography for protection against passive eavesdropping and man in the middle (MITM) during pairing.

While it’s good for projects to be aware of the underlying mechanisms and their limitations, we find that, in practice, security threats and weaknesses tend to be related more to how Bluetooth LE is used (by software) on a particular project rather than Bluetooth implementation itself.

Crowd Security with iBeacons

The UK Defence and Security Accelerator (DASA) held a competition to find ideas to reduce the threat of terrorists in public spaces. KSharp created CriB, Crowd Resilience through iBeacons, a system using iBeacons to allow people to report terrorist threats and receive security alerts through an app. This allows venues such as city centres, shopping centres and sports stadiums to improve safety and security. A video has recently become available:

Bluetooth Beacon Security

We sometimes get asked about Beacon security. Beacons use Bluetooth so the underlying security is that provided by Bluetooth 4.0. There’s a great new video by Ellisys, who create Bluetooth test equipment, that explains the threats and mitigations:

In the context of beacons, the mentioned perisistent bonding never happens. Pairing is temporary. Also, beacon manufacturers often layer additional security on top of Bluetooth in the form of pins or passwords required to set up the beacon.

As the underlying Bluetooth communication is relatively secure, the main beacon security issues tend to be related to spoofing (the possibility of beacons pretending to be yours). However, this is usually only pertinent in security sensitive scenarios such as payment. Contact us if you need more advice on beacon security.

Beacons and Physical Web Security Review

Renaud Lifchitz, a security consultant, has some great new slides on Security review of proximity technologies: beacons and physical web.

He mainly concludes that:

  • Beacons can easily be spoofed
  • Beacon passwords are often sent in plain text
  • Web Bluetooth might be used with XSS to allow hacked sites to access local devices via GATT

The spoofing issue is well known and is a necessary consequence of a broadcast, non-connectable, type mechanism. Fortunately, people mainly only use these things for nefarious purposes when there’s a profit motive. Spoofing beacons rarely benefits anyone.

The beacon passwords thing sometimes happens when beacons are set up using the manufacturer app. This is usually a one-off event, when the beacon is first set up, when the user is usually control who in their surroundings. Hence, it’s very unlikely other people will ‘sniff’ the beacon password.

For Web Bluetooth, GATT communications without a known password is benign. You can’t do much by just connecting to a beacon or Bluetooth device. You usually need a password to change or view security sensitive data.

While it’s good to know these things, it’s very unlikely any of these security observations will ever be a problem. Beacons don’t tend to be used in critical or valuable scenarios so the risk of things being subverted is low. There are much easier, more valuable and higher profile targets for hackers in the shape of servers, desktops, laptops and apps. Even if one of the mechanisms mentioned in the slides were used one day, the consequences, for most scenarios, would be minimal.

Paper on Using Eddystone Ephemeral-ID (EID)

There’s a recent paper by Debasis Bhattacharya Mario Canul and Saxon Knight of the University of Hawaii on the Impact of the Physical Web and BLE Beacons (pdf). The paper is based on a project that uses Eddystone Ephemeral-ID (EID). The paper is more a backgrounder and description rather than providing new insights. Nevertheless, it provides a useful description of some security issues with beacons that include tracking of beacon locations, forgery and showrooming.

New INGICS Bluetooth Sensor Beacons

We have some new INGICS Sensor beacons in stock.

These are slightly different to our other beacons in that they don’t transmit iBeacon or Eddystone. Instead the Bluetooth advertising is wholly used for sensor and battery information. Hence, they are more suitable for sensing, security and IoT applications rather than retail-marketing type scenarios.

There are 4 models:
iBS01G – movement/fall sensor
iBS01H – magnetic (hall) sensor
iBS01RG – (raw) accelerometer sensor
iBS01T – temperature and humidity sensor

ibs01t_smaller

They derive power from 2xCR2032 or via a micro USB smartphone charger (not supplied). They all also have a detectable button press. While the manufacturer’s app shows the sensor data, you will probably need a custom app or gateway to scan and use the advertising data.

Man-in-the-Middle Attacks on Beacons

There’s an interesting BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework on GitHub. It allows you to listen in on the Bluetooth GATT communication that goes on when an app connects to a beacon.

The majority of, scanning-type, apps don’t tend to connect via GATT and only read the advertising data that’s available to anyone. Connection usually only happens when configuring beacons or in advanced scenarios where the apps needs to read sensor or battery data. Some custom platforms’ apps also connect to beacons to perform platform related things such as remote setup, security or other such things specific to the platform.

The availability of a Man-in-the-Middle framework presents a security threat. The likelihood depends on the scenario. In the case of most beacons, the main GATT connection activity is one-off beacon setup by an administrator. In these cases the beacon communication interception is very unlikely.

The larger problem might be with platforms’ apps that connect to beacons where GATT connections happen regularly via users (platform apps) and not under control of an administrator. The implications of the communications data being able to be eavesdropped obviously depends on what’s being communicated. That being said, most current non-Beacon Man-in-the-Middle (WiFi) attacks usually have financial motivations. It’s difficult to think up beacon attacks that might lead to financial gain for the attackers. Nevertheless, if you work with such a system that regularly connects to beacons via GATT, you might like to think about the consequences of data and metadata (what’s being changed) eavesdropping.

A more positive use of BtleJuice might be to discover and reverse engineer Bluetooth GATT Services. As mentioned in a previous article, some of our beacon manufacturers haven’t documented their Bluetooth Service Characteristics. This means that while they are ok for scanning/proximity type applications, you can’t write your own app to, for example, change programatically the UUID, major and minor and must rely on the manufacturer’s configuration app or, in the case of the Sensoro beacon, their SDK. While this of no consequence for the majority of uses, more ambitious scenarios might want directly access the Bluetooth GATT services. BtleJuice provides a new way to reverse engineer those Bluetooth GATT Services.