Bluetooth hacking #2: Sniffing Bluetooth Low Energy communication

Sethu Satheesh
10 min read · Mar 31, 2024


Hello guys, my name is Sethu Satheesh. I am a cyber security researcher and a software engineer. This is the second part of our Bluetooth hacking series. First of all, if you have not read the 1st part, read it here. And also do follow me on Instagram @whxitte.

In this second part of our Bluetooth hacking series we will be focusing on Bluetooth Low Energy (BLE) and we will delve into the process of capturing BLE traffic. If you haven’t read Part 1 yet, where we provided a general overview of BLE, I highly recommend checking it out first. Okay, without any further ado, let’s jump into the second part of this series, where we talk about capturing Bluetooth Low Energy traffic.

We’ve got all these tools here, and I constantly see the hacker community being told that “if you want to do Bluetooth hacking, you’ve got to get the Ubertooth One, that’s the thing you’re going to use, that’s the Bluetooth hacking tool…”, but I will say it’s the least used tool out of everything else you’ll see on the screen here.

We have the Nordic Semiconductor NRF52840. This is a dongle with a really cool SoC made by Nordic Semiconductor. It doesn’t just do Bluetooth Low Energy; it also does Google’s new Thread protocol, it does Zigbee, and it does a bunch of other stuff that operates on 2.4 GHz. Up above that is your basic Bluetooth dongle. That can be really helpful, especially if you’re operating inside a VM, because you can’t do Bluetooth stuff inside a VM unless you have a USB device passed through to that VM. But the number one tool I use for capturing Bluetooth data is none of the tools I just mentioned. It is the device there on the left: my trusty mobile phone. Let’s have a detailed look:

1. Ubertooth One:
  • Ubertooth One is a popular open-source Bluetooth development platform that allows users to monitor and analyze Bluetooth communications. It’s designed specifically for Bluetooth Low Energy (BLE) hacking and monitoring activities.
  • It’s equipped with features like monitoring Bluetooth traffic in real-time, capturing packets, and analyzing Bluetooth protocols. This makes it a valuable tool for security researchers, developers, and hobbyists interested in Bluetooth security and analysis.
  • Ubertooth One can be used for various purposes such as sniffing Bluetooth communications, identifying vulnerabilities, analyzing encryption methods, and testing Bluetooth-enabled devices for security weaknesses.

2. Nordic Semiconductor NRF52840:

  • Nordic Semiconductor NRF52840 is a Bluetooth Low Energy (BLE) system-on-chip (SoC) that integrates Bluetooth capabilities into electronic devices. It’s commonly used in IoT devices, wearables, and other connected products.
  • This SoC provides advanced features for BLE communications, including support for Bluetooth 5.0, BLE mesh networking, low power consumption, and compatibility with various BLE profiles and services.
  • Developers and manufacturers use NRF52840 to create Bluetooth-enabled products with reliable wireless connectivity, energy efficiency, and support for modern BLE features and standards.

3. Basic Bluetooth Dongle:

  • A basic Bluetooth dongle refers to a standard Bluetooth adapter that provides Bluetooth connectivity to devices like computers, laptops, and other systems. These dongles are often used to add Bluetooth functionality to devices that don’t have built-in Bluetooth support.
  • They typically support Bluetooth Classic and may also support Bluetooth Low Energy depending on the model. Basic Bluetooth dongles are used for tasks like connecting wireless peripherals (e.g., keyboards, mice, headphones), transferring files wirelessly, and creating Bluetooth-enabled setups.
  • Unlike specialized tools like Ubertooth One or NRF52840, basic Bluetooth dongles offer general Bluetooth connectivity without advanced monitoring or hacking capabilities. They are more commonly used for everyday Bluetooth tasks in consumer electronics.

We will look at how to extract the Bluetooth data that an Android phone has exchanged. The same can be done with iOS devices, but a bit more process is involved.

Getting BLE Packets

To capture Bluetooth Low Energy (BLE) packets effectively, you have two main options, depending on how much control you have over the devices involved in the communication.

Firstly, if you have control over at least one of the devices (such as a smart device or wearable like a heart rate monitor), capturing packets becomes more reliable and offers several advantages:

  • Reliable Data: When capturing packets from a device you control, you can obtain reliable and accurate data without interference or unknown variables.
  • Pre-Encryption Data: Importantly, you can capture data before encryption is applied, leveraging the Host Controller Interface (HCI) layer advantage. This means you can access data at a lower level in the Bluetooth stack before encryption occurs at the link layer.

For example, if the communication involves a heart rate monitor and your Android phone, enabling developer options on your Android device allows you to take a Bluetooth capture log. This log can then be extracted and analyzed. Similarly, if the communication is between devices like desktop machines (Linux, Windows, or macOS), various tools are available on these systems to capture BLE packets effectively.

However, if both devices involved in the BLE communication are not under your control, you may need to resort to capturing packets over the air, which comes with its own set of challenges:

  • Unreliable Method: Capturing packets over the air is less reliable compared to capturing from controlled devices. Factors like distance, interference, and signal strength can impact the quality and completeness of captured data.
  • Potential Encryption: In scenarios where encryption is applied, capturing over the air may result in potentially encrypted data, making it harder to interpret or analyze without decryption keys.
  • Last Resort: This method should be considered a last resort when you have no control over both the master and slave devices in the BLE communication.

It’s crucial to note that encryption in BLE is applied at the link layer, which means that capturing packets over the air may not provide access to pre-encryption data as with controlled captures. This limitation underscores the importance of prioritizing controlled captures whenever possible to ensure reliable and comprehensive data capture for analysis and security research purposes.

So we need to start with the first method and do everything in our power to get a reliable capture from one of the devices in the Bluetooth Low Energy exchange.

Now let’s look at this in action:

So, how do we pull this data off an Android device? You need to enable Developer Mode: go to About device in your phone’s settings and tap the build number option about seven times, I think it is, and then Developer options appears. In there you will see a Bluetooth HCI snoop log option; HCI stands for Host Controller Interface, like we talked about earlier. Enabling it logs all Bluetooth traffic, including a bunch of really low-level messages between the host and controller that you don’t care about, but all of the good stuff gets put into the log file too. It works whether the device is rooted or not. The log file has a .log extension; it’s not exactly a pcap file, but you can kind of treat it as one, since it opens directly in Wireshark. So this is really a Grade A option when we’re trying to capture packets, which we will do in a second.

Bluetooth HCI snoop log option (you need to enable it)

If your phone is rooted you can get the file directly from the file system; its location may differ between devices, and the name, usually “btsnoop_hci.log”, might differ as well. If your phone is not rooted, run “adb bugreport” to pull all the logs; you get a .zip file, which you extract, and inside it you will find the “btsnoop_hci.log” file. The file can be opened and analyzed directly in Wireshark. We will look at this shortly.
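Wireshark opens btsnoop_hci.log because it is a plain, documented container: an 8-byte “btsnoop\0” magic, a 4-byte version, a 4-byte datalink type, and then a fixed 24-byte header in front of every HCI packet. The parser below is an added example (not code from the original post) that reads that container without Wireshark, so you can quickly count what a pulled log contains or spot a truncated tail before loading it. It assumes the datalink Android writes, HCI UART/H4 (type 1002), where the first payload byte says whether a record is a command, ACL data, SCO or event; the sample log at the bottom is constructed in memory, not a real capture.

```python
"""Parse an Android btsnoop_hci.log without Wireshark (added example)."""
import struct
from collections import Counter

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002  # HCI UART (H4): first payload byte is the packet type (assumed, as Android writes)
# BTSnoop timestamps count microseconds from 0000-01-01; subtracting this
# constant gives microseconds since the Unix epoch.
UNIX_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000
H4_TYPES = {0x01: "command", 0x02: "acl", 0x03: "sco", 0x04: "event"}


def parse_btsnoop(blob):
    """Return (datalink, records); each record is a dict with direction, type and payload."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1:
        raise ValueError("unsupported btsnoop version %d" % version)
    records, off = [], 16
    while off + 24 <= len(blob):
        orig_len, incl_len, flags, drops, ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        data = blob[off:off + incl_len]
        if len(data) < incl_len:
            break  # truncated final record: the phone was still logging when the file was pulled
        off += incl_len
        h4_type = data[0] if datalink == DATALINK_H4 and data else None
        records.append({
            # flag bit 0: 0 = sent by the host, 1 = received from the controller
            "direction": "controller->host" if flags & 1 else "host->controller",
            "type": H4_TYPES.get(h4_type, "unknown"),
            "truncated": incl_len < orig_len,
            "drops": drops,
            "unix_us": ts - UNIX_EPOCH_OFFSET_US,
            "payload": data[1:] if h4_type is not None else data,
        })
    return datalink, records


def summarize(blob):
    """Counts by packet type plus the timestamp of the first record, in Unix seconds."""
    datalink, records = parse_btsnoop(blob)
    return {
        "datalink": datalink,
        "records": len(records),
        "counts": dict(Counter(r["type"] for r in records)),
        "first_unix_s": records[0]["unix_us"] // 1_000_000 if records else None,
    }


def _record(flags, unix_us, data):
    """Build one BTSnoop record (used only for the constructed sample below)."""
    header = struct.pack(">IIIIq", len(data), len(data), flags, 0, unix_us + UNIX_EPOCH_OFFSET_US)
    return header + data


# Constructed sample: an HCI LE Set Scan Enable command (opcode 0x200C) sent by the
# host, the Command Complete event that answers it, and an ACL frame carrying an
# ATT Read Request for handle 0x0003. 1711843200 s is 2024-03-31 00:00:00 UTC.
SAMPLE_TS_US = 1_711_843_200 * 1_000_000
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
    + _record(0x02, SAMPLE_TS_US, bytes([0x01, 0x0C, 0x20, 0x02, 0x01, 0x00]))
    + _record(0x03, SAMPLE_TS_US + 500, bytes([0x04, 0x0E, 0x04, 0x01, 0x0C, 0x20, 0x00]))
    + _record(0x00, SAMPLE_TS_US + 9_000,
              bytes([0x02, 0x40, 0x20, 0x07, 0x00, 0x03, 0x00, 0x04, 0x00, 0x0A, 0x03, 0x00]))
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(blob))
```

Run it as `python btsnoop_parse.py btsnoop_hci.log` on a pulled log; with no argument it parses the constructed sample. The direction bit and the H4 type byte are what let you separate the host/controller chatter the post mentions from the ACL frames that actually carry ATT data.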

When we lack control over both devices in a Bluetooth Low Energy (BLE) communication, we rely on a sniffing tool like the Ubertooth One. As mentioned in the previous write-up, devices advertise their services on three advertising channels. To capture the initial connection between a central and a peripheral device, you must be listening on the right channel at the right time. For dependable results, use three Ubertooth devices to sniff all three channels simultaneously; that way one of them captures the connection request and the packet data that follows. So, realistically, we need three Ubertooth devices.

For enhanced reliability, use the “-t” flag to specify the MAC address of the target device. This makes the Ubertooth follow only connections involving that address, which is the best use of its limited capture ability. Determine the MAC address of your target device beforehand using various methods. The captured data can be piped directly into Wireshark, although that method may run into issues. The most dependable approach is the Linux command below: the “-f” flag follows the connection, the “-t” flag targets a specific MAC address, and the “-c” flag writes the captured data to a pcap file for analysis in Wireshark.

• Linux command: ubertooth-btle -f -t XX:XX:XX:XX:XX:XX -c out.pcap

The command “ubertooth-btle -f -t XX:XX:XX:XX:XX:XX -c out.pcap” is used for sniffing Bluetooth Low Energy (BLE) packets using the Ubertooth One device and saving the captured data to a pcap (packet capture) file named “out.pcap”. Let’s break down the components of this command:

ubertooth-btle: This is the command to run the Ubertooth One tool specifically designed for Bluetooth Low Energy (BLE) sniffing.

-f: This flag tells the tool to follow connections, so the Ubertooth keeps sniffing the connection after it has been established instead of only printing advertisements.

-t XX:XX:XX:XX:XX:XX: This flag specifies the target MAC address (XX:XX:XX:XX:XX:XX) of the device whose BLE packets you want to capture. Replace “XX:XX:XX:XX:XX:XX” with the actual MAC address of the target device.

-c out.pcap: This flag instructs the tool to save the captured BLE packets to a pcap (packet capture) file named “out.pcap”. You can replace “out.pcap” with any desired filename.

Putting it all together, the command is telling the Ubertooth One tool to sniff BLE packets, target a specific device with the specified MAC address, and save the captured packets to a pcap file named “out.pcap”. Make sure to replace “XX:XX:XX:XX:XX:XX” with the actual MAC address of the device you want to target and customize the output filename as needed.

So, we are going to do a Wireshark demo. The data we’re going to look at is a data dump from my phone while it was communicating with my heart rate monitor wearable. To make it easier to see, we use a couple of filters in Wireshark. When we get into Wireshark, it’s going to be really important to get rid of a bunch of noise if we want to see just the Bluetooth Low Energy data being transferred. The “btatt” filter is very effective for that, and then there’s a really helpful dialogue which we’ll get into: under the Wireless menu there is a menu option called Bluetooth ATT Server Attributes that gives us insight into the characteristics and services that Wireshark enumerates from the data it sees going over the air.

First, unzip the bug report file from our Android phone:

Unzipped bug report file, which contains the HCI snoop log

Open the btsnoop_hci.log file with Wireshark:

Screenshot of the log file opened in Wireshark

Apply the filter “btatt” to filter out the traffic:

Filter applied
Sample of write and read responses

ATT server attributes option:

ATT Server Attributes dialogue showing insights about the UUIDs
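What the “btatt” filter and the ATT Server Attributes dialogue do is mechanical enough to reproduce: every ATT PDU rides in an L2CAP frame on channel 0x0004 inside an HCI ACL packet, and the dialogue is just a table of handle → value built by replaying Read Request/Read Response pairs, Write Requests and Handle Value Notifications. The code below is an added example (not from the original post or from Wireshark) that decodes those PDUs from raw ACL frames, rebuilds the attribute table, and interprets a Heart Rate Measurement value (characteristic 0x2A37). The frames, the “HRM-demo” device name and the handle numbers are constructed for the demo, not taken from a real capture.

```python
"""Decode ATT PDUs out of HCI ACL frames, roughly what Wireshark's btatt filter shows (added example)."""
import struct

ATT_CID = 0x0004  # L2CAP fixed channel used by ATT over LE
OPCODES = {0x09: "Read By Type Response", 0x0A: "Read Request", 0x0B: "Read Response",
           0x11: "Read By Group Type Response", 0x12: "Write Request",
           0x13: "Write Response", 0x1B: "Handle Value Notification"}


def split_acl(acl):
    """ACL header: connection handle + PB/BC flags (LE u16), then data length (LE u16)."""
    handle_flags, length = struct.unpack_from("<HH", acl, 0)
    return handle_flags & 0x0FFF, acl[4:4 + length]


def decode_att(acl):
    """Return a dict describing the ATT PDU inside an ACL frame, or None if the frame is not ATT."""
    conn, l2cap = split_acl(acl)
    l2_len, cid = struct.unpack_from("<HH", l2cap, 0)
    if cid != ATT_CID:
        return None
    pdu = l2cap[4:4 + l2_len]
    op = pdu[0]
    out = {"conn": conn, "opcode": op, "name": OPCODES.get(op, "opcode 0x%02x" % op)}
    if op in (0x0A, 0x12, 0x1B):  # PDUs that start with an attribute handle
        out["handle"] = struct.unpack_from("<H", pdu, 1)[0]
        out["value"] = pdu[3:]
    elif op == 0x0B:  # Read Response carries only the value; the handle is in the preceding request
        out["value"] = pdu[1:]
    elif op == 0x11:  # primary service discovery: (start handle, end handle, UUID) entries
        size, services = pdu[1], []
        for i in range(2, len(pdu) - size + 1, size):
            start, end = struct.unpack_from("<HH", pdu, i)
            services.append((start, end, int.from_bytes(pdu[i + 4:i + size], "little")))
        out["services"] = services
    return out


def build_attribute_table(frames):
    """Replay ACL frames in order and keep the last value seen per handle, like the ATT dialogue."""
    table, pending_read = {}, None
    for acl in frames:
        att = decode_att(acl)
        if att is None:
            continue
        if att["opcode"] == 0x0A:
            pending_read = att["handle"]
        elif att["opcode"] == 0x0B and pending_read is not None:
            table[pending_read] = att["value"]
            pending_read = None
        elif att["opcode"] in (0x12, 0x1B):
            table[att["handle"]] = att["value"]
    return table


def decode_heart_rate(value):
    """Heart Rate Measurement (0x2A37): flags byte, then 8-bit bpm, or 16-bit bpm if flag bit 0 is set."""
    if value[0] & 0x01:
        return struct.unpack_from("<H", value, 1)[0]
    return value[1]


def _acl(conn_handle, att_pdu):
    """Wrap an ATT PDU in L2CAP (CID 4) and an ACL header (constructed sample data only)."""
    l2cap = struct.pack("<HH", len(att_pdu), ATT_CID) + att_pdu
    return struct.pack("<HH", conn_handle | 0x2000, len(l2cap)) + l2cap


# Constructed exchange between a phone and a heart rate monitor: service discovery,
# a Device Name read, enabling notifications, then two measurement notifications.
SAMPLE_FRAMES = [
    _acl(0x40, bytes([0x11, 0x06]) + struct.pack("<HHH", 0x0010, 0x0015, 0x180D)),    # Heart Rate service
    _acl(0x40, bytes([0x0A]) + struct.pack("<H", 0x0003)),                              # Read Request, handle 3
    _acl(0x40, bytes([0x0B]) + b"HRM-demo"),                                            # Read Response
    _acl(0x40, bytes([0x12]) + struct.pack("<H", 0x0013) + bytes([0x01, 0x00])),        # Write Request (CCCD)
    _acl(0x40, bytes([0x1B]) + struct.pack("<H", 0x0012) + bytes([0x00, 0x48])),        # notification, 72 bpm
    _acl(0x40, bytes([0x1B]) + struct.pack("<H", 0x0012) + bytes([0x01, 0x4A, 0x00])),  # notification, 74 bpm
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(decode_att(frame))
    for handle, value in sorted(build_attribute_table(SAMPLE_FRAMES).items()):
        print("handle 0x%04x -> %s" % (handle, value.hex()))
```

The pairing of a Read Response with the Read Request before it is the part people miss when reading these logs by hand: the response PDU never names the handle, so a lone Read Response in a filtered view tells you nothing until you look one packet back.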

In summary, this write-up offers a detailed exploration of Bluetooth Low Energy (BLE) hacking and packet capturing methodologies. It introduces essential tools such as Ubertooth One, Nordic Semiconductor NRF52840, and basic Bluetooth dongles, explaining their roles in monitoring BLE communications. The discussion covers controlled capture from devices under your control, emphasizing the reliability of obtaining pre-encryption data and accurate packet analysis. Over-the-air capture methods are also covered, which are useful when both devices are beyond your control. The write-up explains how to enable Bluetooth HCI logging on Android devices and how to use sniffing tools like Ubertooth One, along with a Wireshark demonstration for effective data analysis. It concludes by stressing the importance of thorough research, meticulous data analysis, and security awareness in Bluetooth hacking and BLE packet capturing endeavors.

So, with that, that will conclude part two where we discussed how to sniff Bluetooth Low Energy traffic. Wait for the next part where we discuss how to reach out and interact with Bluetooth Low Energy devices around you. And much more to see…

I recommend doing deeper research on what we covered today and gaining more knowledge on things like how to clearly analyze data packets in Wireshark and read the information they carry.

Thank you and happy h4cking :)

Follow here for more interesting content and follow me on Instagram @whxitte

~ By Sethu Satheesh


Sethu Satheesh

Cyber security researcher | Software engineer | own: whxite lab