Gattacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool

by Slawomir Jasek
Sept. 15, 2017 belen_caty Encryption & Authentication

The BLE specification provides for secure connections through link-layer encryption, device whitelisting and bonding - mechanisms not without flaws, although that is another story we are already aware of. A surprising number of devices do not use these mechanisms at all. Using a few simple tricks, we can ensure that the victim connects to our impersonator device instead of the original one, and then simply proxy the traffic - without the consent of the mobile app or the device. And here it finally becomes interesting - just imagine how many attacks become possible once you can actively intercept the BLE communication! Based on several examples, I will demonstrate common, exploitable flaws, including improper authentication, static passwords, a not-so-random PRNG, excessive services and bad assumptions - flaws which allow you to take control of smart locks, disrupt a smart home, and even get a free lunch. I will also suggest best practices to mitigate these attacks.

Steven Ulm 8 months ago

The rule is as simple as it gets: you don't need Bluetooth, turn it off - no matter how, why and for how long.