Before we start getting our hands dirty hacking smart bulbs, we need to understand a widely used protocol called BLE (Bluetooth Low Energy). There are many wireless protocols out there, but what makes BLE so popular is that it is easy to implement. BLE is used in many applications in healthcare, fitness, beacons, security, home entertainment and so on. Another advantage of BLE is its reduced power consumption and cost. It is a lightweight subset of classic Bluetooth.

Now let’s understand the main concepts you should know about BLE.

The first concept you should know is GAP. GAP is an acronym for the Generic Access Profile, and it controls connections and advertising in Bluetooth. GAP is what makes your device visible to the outside world, and determines how two devices can (or can’t) interact with each other.

Another important concept is GATT, which is an acronym for the Generic Attribute Profile. It defines the way that two BLE devices transfer data back and forth using concepts called Services and Characteristics.

GATT makes use of a generic data protocol called the Attribute Protocol (ATT), which stores Services, Characteristics and related data in a simple lookup table, using a 16-bit ID (the handle) for each entry in the table.

A BLE peripheral can only be connected to one central device (like a mobile phone) at a time. As soon as a peripheral connects to a central device, it stops advertising itself, and other devices will no longer be able to see it or connect to it until the existing connection is broken.

GATT transactions in BLE are based on high-level, nested objects called Profiles, Services and Characteristics.

Now the first step as an attacker is to identify our target device. This is done by obtaining information such as the MAC address, the Bluetooth version, the RSSI and more. In most cases the BD_ADDR (Bluetooth device address) is enough to exploit the device.

This can be found using the hciconfig and hcitool commands. First run:

>hciconfig

and check that an interface such as hci0 is up and running.

Now you can issue the following command:

>sudo hcitool lescan

You will see all the BLE devices around you. Our target device is the LEDBLE, so we can now copy its Bluetooth address.

Now that you have the Bluetooth address you will be able to sniff the traffic and see the value of the handle being written when you, for example, turn the bulb on or off from the mobile app or change its color, and you will be able to see it all in clear text. I had already captured the BLE traffic to keep this video short, and you can see the handle and the value in the picture here.

Now we will use a tool called gatttool to interact with BLE:

>gatttool -I -b <BD_ADDR>

Now we will use the connect command to connect to the target device and list the available characteristics.

>connect
>characteristics

We are ready to exploit the smart bulb and write a new color to the handle using:

>char-write-req 0x00b 560074dc00f0aa

And bingo! My smart bulb just changed its color! You can now use the same concept to exploit any other BLE device and do more!
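As an added example (not code from the post or from the gatttool project), here is a small Python decoder for the ATT PDUs that carry a GATT write like the one above. It parses the 16-bit handle and the value out of a constructed capture of the Write Request that gatttool sends for the char-write-req command, and then looks the handle up in a constructed attribute table to show why the write goes through: the characteristic accepts writes over a link with no authentication, so anyone who sniffed the clear-text value can replay it. Only handle 0x00b and the value 560074dc00f0aa come from the post; the table labels, the other handles and the auth requirements are assumptions made for the example.

```python
# Added example: decode ATT PDUs and audit a GATT write against an attribute table.
from dataclasses import dataclass
from typing import Optional

# ATT opcodes from the Bluetooth Core Specification (Attribute Protocol).
ATT_READ_REQ = 0x0A
ATT_READ_RSP = 0x0B
ATT_WRITE_REQ = 0x12
ATT_WRITE_RSP = 0x13
ATT_HANDLE_VALUE_NTF = 0x1B
ATT_WRITE_CMD = 0x52

OPCODE_NAMES = {
    ATT_READ_REQ: "Read Request",
    ATT_READ_RSP: "Read Response",
    ATT_WRITE_REQ: "Write Request",
    ATT_WRITE_RSP: "Write Response",
    ATT_HANDLE_VALUE_NTF: "Handle Value Notification",
    ATT_WRITE_CMD: "Write Command",
}


@dataclass
class AttPdu:
    opcode: int
    handle: Optional[int]  # 16-bit attribute handle; None on PDUs that carry none
    value: bytes

    @property
    def name(self) -> str:
        return OPCODE_NAMES.get(self.opcode, f"opcode 0x{self.opcode:02x}")


def decode_att_pdu(pdu: bytes) -> AttPdu:
    """Parse one ATT PDU: a 1-byte opcode, then (for most PDUs) a little-endian
    16-bit handle, then the attribute value. Raises ValueError on truncation."""
    if not pdu:
        raise ValueError("empty PDU")
    opcode = pdu[0]
    if opcode in (ATT_WRITE_REQ, ATT_WRITE_CMD, ATT_HANDLE_VALUE_NTF):
        if len(pdu) < 3:
            raise ValueError("truncated PDU: handle missing")
        return AttPdu(opcode, int.from_bytes(pdu[1:3], "little"), bytes(pdu[3:]))
    if opcode == ATT_READ_REQ:
        if len(pdu) != 3:
            raise ValueError("Read Request must be exactly opcode + handle")
        return AttPdu(opcode, int.from_bytes(pdu[1:3], "little"), b"")
    if opcode == ATT_READ_RSP:
        return AttPdu(opcode, None, bytes(pdu[1:]))
    if opcode == ATT_WRITE_RSP:
        if len(pdu) != 1:
            raise ValueError("Write Response carries no parameters")
        return AttPdu(opcode, None, b"")
    raise ValueError(f"unsupported opcode 0x{opcode:02x}")


@dataclass
class Characteristic:
    """One row of the GATT lookup table: what the handle points at and whether the
    server demands an authenticated link before accepting a write (model only)."""
    label: str
    writable: bool
    requires_auth: bool


# Constructed attribute table. Handle 0x000b is the one the post writes to; the
# labels, the other handles and the auth requirements are assumptions.
BULB_TABLE = {
    0x0003: Characteristic("Device Name", writable=False, requires_auth=False),
    0x000B: Characteristic("Bulb control (assumed label)", writable=True, requires_auth=False),
    0x000E: Characteristic("Firmware update (assumed)", writable=True, requires_auth=True),
}


def audit_write(pdu_bytes: bytes, table: dict, link_authenticated: bool = False) -> dict:
    """Decode a PDU and report whether the write would be accepted by the server
    given the link's security state. A write that is accepted with
    link_authenticated=False is one any sniffing peer could replay."""
    pdu = decode_att_pdu(pdu_bytes)
    if pdu.opcode not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
        return {"opcode": pdu.name, "handle": pdu.handle, "write": False, "accepted": None}
    ch = table.get(pdu.handle)
    accepted = ch is not None and ch.writable and (link_authenticated or not ch.requires_auth)
    return {
        "opcode": pdu.name,
        "handle": pdu.handle,
        "target": ch.label if ch else "unknown handle",
        "value": pdu.value.hex(),
        "write": True,
        "accepted": accepted,
    }


# Constructed capture of the Write Request gatttool sends for the post's command:
# opcode 0x12, handle 0x000b little-endian, then the 7-byte color value.
CAPTURED_WRITE = bytes.fromhex("120b00560074dc00f0aa")

if __name__ == "__main__":
    print(audit_write(CAPTURED_WRITE, BULB_TABLE))
```

The audit is the defender's view of the same write: a characteristic that controls the device but carries no authentication requirement is exactly what lets a captured value be replayed, and the fix on the peripheral side is to require an encrypted, authenticated link (LE Secure Connections pairing) before accepting writes to it.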

Check out this video and much more on my YouTube channel by clicking here!