Intel Edison as Bluetooth LE — Exploit box

Arun M Magesh
5 min read · Mar 22, 2018

So, if you have been following my blog posts on reverse engineering a smart massager and a smart band, you know I have used several tools such as gatttool, bluez and GATTacker. The problem I faced is with GATTacker: since it is a MiTM tool, I need two machines to perform the task. I was using a virtual machine, which is a real pain and takes up a lot of resources, since I was running a full-fledged Ubuntu in it.

So in this blog post I am going to explain how I used an Intel Edison as a Bluetooth proxy for pentesting.

I will give you details on setting up Bluetooth on the Intel Edison and on how to install GATTacker and BTLEJuice.

Setting up Bluetooth in Intel Edison

I don't want to explain how to configure the Intel Edison and get a shell. You can refer to this link: https://software.intel.com/en-us/intel-edison-board-user-guide

Let's restart the Bluetooth interface on the Edison:

rfkill unblock bluetooth && hciconfig hci0 up && hciconfig

If you get output like this, it means your Bluetooth is up and running. If not, try flashing your Intel Edison with recent firmware from https://downloadcenter.intel.com/search?keyword=edison and follow https://software.intel.com/en-us/flashing-firmware-on-your-intel-edison-board-linux to flash it.

Just like on your Ubuntu machine, you need to install bluez manually:

wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.24.tar.xz && tar -xf bluez-5.24.tar.xz && cd bluez-5.24
./configure --disable-systemd --disable-udev && make && make install
export PATH=$PATH:~/bluez-5.24/attrib/

It will take some time to compile, so grab a cup of coffee or two.

This should install the latest bluez on your Intel Edison.

You can check it by running one of:

hcitool lescan
bluetoothctl
gatttool

Now the Bluetooth setup on the Intel Edison is done.

Setting up GATTacker

GATTacker is an amazing tool for performing Man-in-the-Middle attacks on Bluetooth LE devices.

Let's configure it.

Install node and npm in order to install and run it:

opkg install npm 

GATTacker has two important dependencies, noble and bleno:

npm install bleno
npm install noble

You can install it either from the Git repo or with the node package manager. I recommend using npm:

npm install -g gattacker

Now install the same on your host machine, go to ~/node_modules/gattacker, open config.env, enter the IP address of the Intel Edison in WS_SLAVE and save it.

Now, on the Intel Edison, go to ~/node_modules/gattacker and start the GATTacker slave session:

node /node_modules/gattacker/ws-slave.js

Now go to your host and change to /node_modules/gattacker/.

If you want to understand how Bluetooth LE communication really works, check this link.

1. Scanning

The first step is to scan for the BLE devices in the area:

node /node_modules/gattacker/scan.js

Advertisement files are saved inside the /devices folder with the .adv extension.

2. Service Discovery

Now, to perform a service scan, use:

node /node_modules/gattacker/scan.js <macaddress with :>

Service files are saved inside the /devices folder with the .srv extension.

3. MiTM

To perform the MiTM attack:

node /node_modules/gattacker/advertise.js -a <location of adv file> -s <location of srv file> -f

Now connect to the device through its app and perform the Bluetooth operation you want to intercept.

4. Replay

You can repeat this for multiple operations and reverse the communication to perform a replay using GATTacker or gatttool.

You can also use Burp Suite or OWASP ZAP to perform on-the-fly modification by intercepting the packets between the Intel Edison and the host.

gatttool -I -b <mac address of the target device>
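The advertisement a device broadcasts is what the scan step captures into an .adv file. As an added example (not part of the original post or of GATTacker) here is a small Python decoder for a raw advertising payload, so you can see which identifying fields (flags, service UUIDs, local name, manufacturer data) a device exposes before you relay it; the AD type numbers are the standard Bluetooth assigned numbers, and the sample bytes are constructed for this example.

```python
# AD types decoded here (Bluetooth assigned numbers for GAP advertising data).
AD_TYPES = {0x01: "flags", 0x02: "incomplete_16bit_uuids",
            0x03: "complete_16bit_uuids", 0x08: "shortened_local_name",
            0x09: "complete_local_name", 0x0A: "tx_power", 0xFF: "manufacturer_data"}

def parse_ad_structures(payload):
    """Split an advertising payload into (ad_type, data) records.
    Each AD structure is: length (counts type + data), type, data."""
    records, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero length ends the significant part
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        records.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return records

def decode_advertisement(payload):
    """Turn the raw records into human-readable fields."""
    out = {}
    for ad_type, data in parse_ad_structures(payload):
        name = AD_TYPES.get(ad_type, f"unknown_0x{ad_type:02x}")
        if ad_type == 0x01:
            out[name] = data[0]
        elif ad_type in (0x02, 0x03):  # 16-bit UUIDs are little-endian
            out[name] = [f"{int.from_bytes(data[j:j + 2], 'little'):04x}"
                         for j in range(0, len(data), 2)]
        elif ad_type in (0x08, 0x09):
            out[name] = data.decode("utf-8", errors="replace")
        elif ad_type == 0x0A:
            out[name] = int.from_bytes(data, "little", signed=True)
        elif ad_type == 0xFF:  # first two bytes are the company identifier
            out["company_id"] = int.from_bytes(data[:2], "little")
            out[name] = data[2:].hex()
        else:
            out[name] = data.hex()
    return out

# Constructed sample: flags, Heart Rate service UUID 0x180D, name "Band",
# TX power -8 dBm, manufacturer data for company id 0x004C.
SAMPLE_ADV = bytes.fromhex("020106" "03030d18" "050942616e64" "020af8" "05ff4c000102")

if __name__ == "__main__":
    print(decode_advertisement(SAMPLE_ADV))
```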

BTLEJuice

BTLEJuice is a similar tool to GATTacker; it allows you to intercept requests and modify them on the fly. The installation is straightforward if you have already installed GATTacker.

You can use the node package manager to install BTLEJuice:

npm install -g btlejuice
npm install btlejuice-bindings

On your Intel Edison, start the BTLEJuice proxy:

btlejuice-proxy

On your host machine, start the BTLEJuice core and point it at the Edison's proxy:

btlejuice -u <IP address of the edison> -w

-w enables the web UI.

Now, in your browser, go to http://localhost:8080 and you get an interface like this.

Now click on the Bluetooth icon and select the device you want to intercept.

Once the device is connected, use the corresponding app to connect to the device and perform some operations, so that the Bluetooth commands sent to the device are intercepted.

You can now enable the interceptor to intercept the communication, modify it and retransmit it.

You can now use ssh to connect to the Intel Edison and perform every operation on the fly without putting so much load on your machine.

If you encounter any issue with Bluetooth, the magic commands are:

rfkill unblock all
hciconfig hci0 reset
hciconfig hci0 up

My next plans are:

  1. To connect two Edisons and make a complete setup with a mobile app.
  2. To create an interface for Bluetooth Classic (2.0/3.0) based attacks.
