In our last article about Bluetooth, we looked at how Bluetooth Low Energy devices advertise themselves to their surroundings. We discovered that the advertising data sometimes contains device names, vendor names, and information about services offered by the device. But we also mentioned that a large number of Bluetooth Low Energy devices can be connected to without pairing. In order to explain the significance of this statement, we first have to look at the concept of pairing and at the benefits of connecting to devices.
Pairing is the process of establishing a mutual trust relationship between two devices. With classic Bluetooth, connecting to a device without prior pairing is usually not possible. During pairing, the participants are typically asked to confirm that a number displayed on both devices is the same, so that each user explicitly approves the pairing before it actually happens. Nowadays this verification number is usually a six-digit random number (numeric comparison); with older devices and legacy pairing it is often just a fixed PIN such as 0000, depending on the vendor's configuration of the devices. Devices without a display or keypad, which is the case for many Bluetooth Low Energy devices, fall back to the "Just Works" method, which asks for no confirmation at all and therefore offers no protection against a man-in-the-middle.
In the background, both devices perform a cryptographic handshake in order to establish an encrypted communication channel between them. After the pairing process, the content of the communication is not visible to others, with one important caveat: with Bluetooth Low Energy legacy pairing, an attacker who records the handshake can recover the temporary key, because it is derived from the passkey (at most a million possibilities to brute-force) or, for Just Works, is simply zero, and can then decrypt the session. Only LE Secure Connections (Bluetooth 4.2 and later) uses an ECDH key exchange that resists passive recording. For more information about Bluetooth pairing, please refer to the memo on pairing security published by the Bluetooth consortium.
Pairing is also often skipped altogether. Although the link-layer encryption itself (AES-CCM) is cheap and implemented in practically every Bluetooth Low Energy chip, pairing requires a user interface for confirming the number, additional implementation effort and a vendor who considers the data worth protecting; many small Bluetooth Low Energy devices have none of these. As a result, much of the communication between these devices is done in the clear, and connections can usually be established without any pairing at all.
Upon connecting to a target Bluetooth Low Energy device, the target exposes its Generic Attribute Profile (GATT) hierarchy: a set of services, each identified by a UUID and encapsulating a number of GATT characteristics. Each characteristic is in turn identified by a UUID, carries a set of properties (such as read, write or notify) and a byte-array value. Services and characteristics standardized by the Bluetooth consortium are identified by 16-bit numbers that are expanded with the Bluetooth base UUID (0000xxxx-0000-1000-8000-00805F9B34FB); vendors can also define their own services and characteristics, which use full 128-bit UUIDs of their own. Both the Bluetooth consortium and the BlueZ repository document the known services and characteristics. As an example, take the Device Information service, as defined by the Bluetooth consortium: it consists of a set of optional characteristics (manufacturer name, model number, serial number, hardware, firmware and software revision and a Plug-and-Play ID, among others), all of which are readable without any restrictions once a connection is established.
In the concrete example of an iPhone, the Device Information service exposes only two of the aforementioned characteristics, Manufacturer Name String and Model Number String. They reveal that the manufacturer is Apple Inc. and the device is an iPhone8,1 (this is Apple's internal hardware model identifier, in this case an iPhone 6s; it says nothing about the iOS version). So the service is missing some characteristics, and this is crucial: vendors may decide not to provide a piece of information even though the service defines it. They might, however, also decide to provide everything, as is the case for a Zebra Technologies printer, which provides the model identifier ZD410, the full (!) device serial number, the firmware revision V77.19.17Z, the hardware revision ZD41022-D0EM00EZ, the software version 3.2 and a Plug-and-Play ID. This information is an important basis for strategically preparing attacks on such devices: an exact model and firmware revision tells an attacker which firmware to analyze before ever touching the device. And because many characteristics are writable, it is conceivable that even device behavior can be modified through the GATT hierarchy.
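To make the GATT hierarchy concrete, here is an added example written for this article (it is not code from the sniffer, from Zebra or from the Bluetooth consortium). It takes a recorded hierarchy, expands 16-bit UUIDs to their 128-bit form, tells Bluetooth-consortium services apart from vendor-defined ones by the base UUID, decodes the Device Information values (UTF-8 strings and the 7-byte PnP ID) and lists every characteristic an unpaired client could write to. The sample hierarchy is constructed: the model, firmware, hardware and software strings are the ones the Zebra printer above returned, while the manufacturer string, the serial number, the PnP ID bytes and the vendor service UUIDs are made up. The `record_hierarchy()` function assumes the Python `bleak` library and its `BleakClient` API; it is not exercised by the offline sample.

```python
"""Decode a recorded GATT hierarchy: expand 16-bit UUIDs, separate SIG-assigned
from vendor-defined services, decode Device Information values and flag
writable characteristics.  SAMPLE_HIERARCHY below is constructed for this
example, not a real capture."""
import struct
import uuid

BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"   # Bluetooth base UUID used by all SIG-assigned numbers
WRITE_PROPS = {"write", "write-without-response"}

# Small subset of the SIG assigned numbers, enough for this example.
SIG_SERVICES = {0x1800: "Generic Access", 0x1801: "Generic Attribute",
                0x180A: "Device Information", 0x180D: "Heart Rate", 0x180F: "Battery"}
DIS_CHARS = {0x2A23: "System ID", 0x2A24: "Model Number String",
             0x2A25: "Serial Number String", 0x2A26: "Firmware Revision String",
             0x2A27: "Hardware Revision String", 0x2A28: "Software Revision String",
             0x2A29: "Manufacturer Name String", 0x2A50: "PnP ID"}
SIG_CHARS = {**DIS_CHARS, 0x2A37: "Heart Rate Measurement"}
PNP_SOURCES = {1: "Bluetooth SIG", 2: "USB-IF"}


def expand_uuid(u):
    """Canonical 128-bit UUID string for a 16-bit int, a 4/8-hex-digit string or a full UUID."""
    if isinstance(u, int):
        return f"{u:08x}{BT_BASE_SUFFIX}"
    u = u.strip().lower()
    if len(u) in (4, 8) and all(c in "0123456789abcdef" for c in u):
        return f"{int(u, 16):08x}{BT_BASE_SUFFIX}"
    return str(uuid.UUID(u))


def assigned_number(full):
    """SIG assigned number if `full` is built on the Bluetooth base UUID, else None (vendor-defined)."""
    full = full.lower()
    return int(full[:8], 16) if full.endswith(BT_BASE_SUFFIX) else None


def decode_dis_value(char_uuid, value):
    """Decode one Device Information characteristic value; returns (name, decoded) or None."""
    num = assigned_number(expand_uuid(char_uuid))
    if num not in DIS_CHARS:
        return None
    name = DIS_CHARS[num]
    if num == 0x2A50:            # PnP ID: uint8 vendor-id source, uint16 VID, PID, version (little-endian)
        if len(value) != 7:
            return name, {"error": f"expected 7 bytes, got {len(value)}"}
        src, vid, pid, ver = struct.unpack("<BHHH", value)
        return name, {"vendor_id_source": PNP_SOURCES.get(src, src),
                      "vendor_id": vid, "product_id": pid, "product_version": ver}
    if num == 0x2A23:            # System ID: 40-bit manufacturer id + 24-bit OUI; kept as raw hex here
        return name, value.hex()
    return name, value.decode("utf-8", errors="replace")   # the "* String" characteristics are UTF-8


def summarize(hierarchy):
    """Annotate a recorded hierarchy (list of services, each with its characteristics)."""
    out = []
    for svc in hierarchy:
        sfull = expand_uuid(svc["uuid"])
        snum = assigned_number(sfull)
        entry = {"uuid": sfull, "origin": "SIG" if snum is not None else "vendor",
                 "name": SIG_SERVICES.get(snum, "unknown"), "characteristics": []}
        for ch in svc["characteristics"]:
            cfull = expand_uuid(ch["uuid"])
            raw = bytes(ch.get("value") or b"")
            decoded = decode_dis_value(cfull, raw) if snum == 0x180A else None
            entry["characteristics"].append({
                "uuid": cfull,
                "name": SIG_CHARS.get(assigned_number(cfull), "vendor-defined"),
                "value": decoded[1] if decoded else raw.hex(),
                "writable": bool(WRITE_PROPS & set(ch["properties"])),
            })
        out.append(entry)
    return out


def writable_characteristics(summary):
    """UUIDs of every characteristic an unpaired client may write: the attack surface to look at next."""
    return [c["uuid"] for s in summary for c in s["characteristics"] if c["writable"]]


SAMPLE_HIERARCHY = [   # constructed sample in the shape record_hierarchy() produces
    {"uuid": "180a", "characteristics": [
        {"uuid": "2a29", "properties": ["read"], "value": b"Zebra Technologies"},   # made up
        {"uuid": "2a24", "properties": ["read"], "value": b"ZD410"},
        {"uuid": "2a25", "properties": ["read"], "value": b"D2J000000000"},         # made-up serial
        {"uuid": "2a26", "properties": ["read"], "value": b"V77.19.17Z"},
        {"uuid": "2a27", "properties": ["read"], "value": b"ZD41022-D0EM00EZ"},
        {"uuid": "2a28", "properties": ["read"], "value": b"3.2"},
        {"uuid": "2a50", "properties": ["read"], "value": bytes.fromhex("02341278569a00")},  # made-up PnP ID
    ]},
    {"uuid": "180d", "characteristics": [
        {"uuid": "2a37", "properties": ["notify"], "value": b""},
    ]},
    {"uuid": "12345678-1234-5678-1234-56789abcdef0", "characteristics": [   # made-up vendor service
        {"uuid": "12345678-1234-5678-1234-56789abcdef1", "properties": ["read", "write"], "value": b"\x01"},
    ]},
]


async def record_hierarchy(address):
    """Record a live device's hierarchy in the shape summarize() expects.
    Assumes the bleak library (BleakClient, client.services, read_gatt_char); not run offline."""
    from bleak import BleakClient   # imported here so the offline part of the module needs no bleak
    hierarchy = []
    async with BleakClient(address) as client:
        for svc in client.services:
            chars = []
            for ch in svc.characteristics:
                value = b""
                if "read" in ch.properties:
                    try:
                        value = bytes(await client.read_gatt_char(ch))
                    except Exception:   # typically "insufficient authentication": this value needs pairing
                        value = b""
                chars.append({"uuid": ch.uuid, "properties": list(ch.properties), "value": value})
            hierarchy.append({"uuid": svc.uuid, "characteristics": chars})
    return hierarchy


if __name__ == "__main__":
    summary = summarize(SAMPLE_HIERARCHY)
    for svc in summary:
        print(f"{svc['uuid']}  {svc['origin']:6} {svc['name']}")
        for c in svc["characteristics"]:
            print(f"  {'W' if c['writable'] else ' '} {c['uuid']}  {c['name']}: {c['value']}")
    print("writable:", writable_characteristics(summary))
```

A read that fails with an "insufficient authentication" error is itself useful information: it means the vendor did protect that particular characteristic behind pairing, while everything that reads cleanly is available to anybody in radio range.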
How does this relate to the devices commonly around us? The sniffer presented in the last article about Bluetooth was updated to connect to the discovered devices and now records the GATT hierarchy for each device. Unfortunately, it cannot properly record the values of GATT characteristics yet, but this will be added in the foreseeable future. Issues and pull requests are appreciated!
The sniffer was used to record Bluetooth Low Energy devices in a rather busy area over a period of 15 minutes. Of the 356 discovered devices, 157 had a public device name, and 185 exposed at least one service, for a total of 31 unique services, 12 of which are known (i.e. defined by the Bluetooth consortium). While many of the Bluetooth Low Energy devices were infrastructure devices with unclear function, only very few were smart phones, and a large proportion of the devices were IoT devices, particularly smart watches and fitness monitors.
Devices commonly identified by their names were Alta, Fitbit, Garmin and Microsoft smart watches, Bose and Jabra headphones, as well as Estimote iBeacon devices, Apple TV and Apple Pencil. A few devices were ostensibly named after their owners. Devices provided three services on average, and the Device Information service is present on almost all of them. Some particularly salient services were the Heart Rate service and vendor-specific services registered to B&O Play A/S, Anhui Huami Information Technology Co., GoPro, Inc., and Kontakt Micro-Location Sp. z o.o. With the exception of the Heart Rate service, all of these services are vendor-defined. What exactly they do remains open to speculation, as there is generally no documentation on vendor-defined services; a vendor's 128-bit UUID tells you who built the device, not what the service does. Given what we were able to gather from the Zebra Technologies printer, it is very likely that at least some of these services provide juicy information or even some form of control over the device.