DigitalSecurity / btlejuice

BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework
722 stars 124 forks

Unable to Connect to Advertised Device #51

Open emanuelduss opened 5 years ago

emanuelduss commented 5 years ago

Hi

I would like to set up BtleJuice but I'm currently not able to get a working setup.

Tl;Dr

I can select a BLE device in the web interface but the web interface stays empty and I'm also not able to connect to the new advertised device.

Details

VM Setup

Used VirtualBox version:

$ virtualbox  -h
Oracle VM VirtualBox VM Selector v6.0.10
[...]

Download latest Kali VM for VirtualBox:

$ curl -LO https://images.offensive-security.com/virtual-images/kali-linux-2019.2-vbox-amd64.ova

Install VM:

Start the VM. Change keyboard layout and timezone.

Update the VM:

# apt-get -y update && apt-get -y upgrade && apt-get -y dist-upgrade && apt-get -y autoremove && apt-get -y autoclean  && apt-get -y clean

Install basic software:

# apt-get install bluetooth bluez libbluetooth-dev libudev-dev

Install Node Version Manager (nvm):

# curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash

Install and configure node version 8:

# nvm install 8
Downloading and installing node v8.16.0...
Downloading https://nodejs.org/dist/v8.16.0/node-v8.16.0-linux-x64.tar.xz...
########################################################################################################################### 100.0%
Computing checksum with sha256sum
Checksums matched!
Now using node v8.16.0 (npm v6.4.1)
Creating default alias: default -> 8 (-> v8.16.0)
# nvm use 8
Now using node v8.16.0 (npm v6.4.1)
# node --version
v8.16.0

Install BtleJuice

# npm install btlejuice

Installed in:

# ls -l node_modules/btlejuice/
total 268
drwx------ 2 root root   4096 Jul 26 10:36 bin
-rw------- 1 root root   1153 Sep 15  2016 CHANGELOG.md
-rwx------ 1 root root  10722 Jan 12  2017 core.js
drwx------ 3 root root   4096 Jul 26 10:36 doc
-rwx------ 1 root root  17080 Jan 13  2017 fake.js
-rwx------ 1 root root    623 Aug  5  2016 logging.js
drwx------ 3 root root   4096 Jul 26 10:38 node_modules
-rw------- 1 root root   1887 Jul 26 10:38 package.json
-rw------- 1 root root 175484 Jul 12  2017 package-lock.json
-rwx------ 1 root root  23458 Oct  5  2017 proxy.js
-rwx------ 1 root root   7173 Aug 24  2017 README.md
drwx------ 5 root root   4096 Jul 26 10:36 resources
drwx------ 2 root root   4096 Jul 26 10:36 views

Poweroff and clone the machine. Start these machines. Now there are two machines:

- Kali BLE 1
- Kali BLE 2

BLE Configuration

Start VM "Kali BLE 1".

No Bluetooth dongle available:

# hciconfig

Insert the Bluetooth dongle:

# journalctl -f
[...]
Jul 25 11:48:15 kali kernel: usb 2-2: new full-speed USB device number 4 using ohci-pci
Jul 25 11:48:16 kali kernel: usb 2-2: New USB device found, idVendor=0a12, idProduct=0001, bcdDevice=88.91
Jul 25 11:48:16 kali kernel: usb 2-2: New USB device strings: Mfr=0, Product=2, SerialNumber=0
Jul 25 11:48:16 kali kernel: usb 2-2: Product: CSR8510 A10
Jul 25 11:48:16 kali systemd[1]: Starting Load/Save RF Kill Switch Status...
Jul 25 11:48:16 kali systemd[1]: Reached target Bluetooth.
Jul 25 11:48:16 kali systemd[1]: Started Load/Save RF Kill Switch Status.
[...]

Bluetooth dongle is now available:

# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 004: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

# hciconfig
hci0:   Type: Primary  Bus: USB
        BD Address: 11:11:11:11:11:11  ACL MTU: 310:10  SCO MTU: 64:8
        DOWN
        RX bytes:574 acl:0 sco:0 events:30 errors:0
        TX bytes:368 acl:0 sco:0 commands:30 errors:0

# hciconfig  hci0 version
hci0:   Type: Primary  Bus: USB
        BD Address: 11:11:11:11:11:11  ACL MTU: 310:10  SCO MTU: 64:8
        HCI Version: 4.0 (0x6)  Revision: 0x22bb
        LMP Version: 4.0 (0x6)  Subversion: 0x22bb
        Manufacturer: Cambridge Silicon Radio (10)

# btmgmt info
Index list with 1 item
hci0:   Primary controller
        addr 11:11:11:11:11:11 version 6 manufacturer 10 class 0x000000
        supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr hs le advertising secure-conn debug-keys privacy static-addr
        current settings: br/edr
        name CSR8510 A10
        short name

Enable Bluetooth Low Energy (BLE):

# btmgmt le on
hci0 Set Low Energy complete, settings: br/edr le

# btmgmt info
Index list with 1 item
hci0:   Primary controller
        addr 11:11:11:11:11:11 version 6 manufacturer 10 class 0x000000
        supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr hs le advertising secure-conn debug-keys privacy static-addr
        current settings: br/edr le
        name CSR8510 A10
        short name

Bring the adapter up:

# hciconfig hci0 up
# hciconfig
hci0:   Type: Primary  Bus: USB
        BD Address: 11:11:11:11:11:11  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING
        RX bytes:1172 acl:0 sco:0 events:64 errors:0
        TX bytes:1062 acl:0 sco:0 commands:64 errors:0

Bluetooth LE works:

# hcitool lescan
LE Scan ...
37:0A:E7:5B:01:A1 (unknown)
27:41:48:4D:31:1F (unknown)
10:B4:D6:63:32:44 (unknown)
59:1F:51:62:1E:BF (unknown)
37:0A:E7:5B:01:A1 (unknown)
27:41:48:4D:31:1F (unknown)
10:4E:89:41:0E:52 (unknown)
10:4E:89:41:0E:52 (unknown)
37:0A:E7:5B:01:A1 (unknown)
10:4E:89:41:0E:52 (unknown)
27:41:48:4D:31:1F (unknown)
10:B4:D6:63:32:44 (unknown)
37:0A:E7:5B:01:A1 (unknown)
27:41:48:4D:31:1F (unknown)
41:E3:D4:60:68:C1 (unknown)
41:E3:D4:60:68:C1 (unknown)
59:1F:51:62:1E:BF (unknown)
[...]

BtleJuice Setup

On Kali BLE 2 (Proxy)

Start BtleJuice Proxy:

# ./bin/cmd_btlejuice_proxy.js
[info] Server listening on port 8000
[info] Client connected

On Kali BLE 1 (Master)

Start BtleJuice Web Interface:

# ./bin/cmd_btlejuice.js -u 10.5.23.88 -w
   ___ _   _       __        _
  / __\ |_| | ___  \ \ _   _(_) ___ ___
 /__\// __| |/ _ \  \ \ | | | |/ __/ _ \
/ \/  \ |_| |  __/\_/ / |_| | | (_|  __/
\_____/\__|_|\___\___/ \__,_|_|\___\___|

[i] Using proxy http://10.5.23.88:8000
[i] Using interface hci0
2019-07-26T08:57:36.615Z - info: successfully connected to proxy

Access the web interface:

image

Scan for devices and select a device (the device LED shows that it is connected now):

image

On the proxy:

# ./bin/cmd_btlejuice_proxy.js
[info] Server listening on port 8000
[info] Client connected
[i] Stopping current proxy.
Configuring proxy ...
[status] Acquiring target 30:45:11:44:ee:30
[info] Proxy successfully connected to the real device
[info] Discovering services and characteristics ...
[status] Proxy configured and ready to relay !

On the web interface console:

# ./bin/cmd_btlejuice.js -u 10.5.23.88 -w
   ___ _   _       __        _
  / __\ |_| | ___  \ \ _   _(_) ___ ___
 /__\// __| |/ _ \  \ \ | | | |/ __/ _ \
/ \/  \ |_| |  __/\_/ / |_| | | (_|  __/
\_____/\__|_|\___\___/ \__,_|_|\___\___|

[i] Using proxy http://10.5.23.88:8000
[i] Using interface hci0
2019-07-26T08:57:36.615Z - info: successfully connected to proxy
2019-07-26T09:02:29.900Z - info: proxy set up and ready to use =)
2019-07-26T09:02:30.037Z - debug: start advertising
2019-07-26T09:02:30.048Z - info: BTLE services registered
2019-07-26T09:02:30.051Z - info: Fixing Bleno handles ...
2019-07-26T09:05:57.577Z - info: dummy: accepted connection from address: 40:b8:77:06:de:85
2019-07-26T09:05:57.578Z - info: dummy: disconnected from address: 40:b8:77:06:de:85
2019-07-26T09:06:07.383Z - debug: start advertising
2019-07-26T09:06:07.385Z - info: proxy set up and ready to use =)
2019-07-26T09:06:07.469Z - info: BTLE services registered
2019-07-26T09:06:07.470Z - info: Fixing Bleno handles ...

The fake device is advertised:

image

The web interface does not list any services of the device:

image

It's not possible to connect:

image

Trying to connect to the spoofed device: the official Android app used for this device, for example, does not connect, and the nRF application is also not able to connect. I assume that nRF should be able to connect, even if the MAC address was not spoofed to the original one.

Question

Does someone have an idea what I'm doing wrong? I don't see why my setup does not work.

Note: I have the same issues when I use gattacker.

Can I verify somehow if my Bluetooth dongles are "good" ones?

Thanks & best regards, Emanuel
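The question above about telling a "good" dongle from a bad one can be answered from the `btmgmt info` and `hciconfig hci0 version` output already shown in this report. The following script is an added example (not part of btlejuice and not posted by anyone in this thread); the helper names are my own, and the embedded sample texts are copied from the output above.

```shell
#!/bin/sh
# Added example, not btlejuice project code. Parses `btmgmt info` and
# `hciconfig hci0 version` text and reports whether the controller supports LE,
# whether LE is switched on, and whether the HCI version is 4.0 or newer.
# Helper names (has_setting, le_supported, le_enabled, hci_version_ok, check_adapter) are mine.

# Constructed samples, copied from the report above: CSR8510 before `btmgmt le on` ...
SAMPLE_BEFORE='hci0:   Primary controller
        supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr hs le advertising secure-conn debug-keys privacy static-addr
        current settings: br/edr'
# ... the same controller after `btmgmt le on` ...
SAMPLE_AFTER='hci0:   Primary controller
        supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr hs le advertising secure-conn debug-keys privacy static-addr
        current settings: br/edr le'
# ... and its `hciconfig hci0 version` output.
SAMPLE_VERSION='hci0:   Type: Primary  Bus: USB
        HCI Version: 4.0 (0x6)  Revision: 0x22bb
        LMP Version: 4.0 (0x6)  Subversion: 0x22bb'

# has_setting INFO_TEXT LABEL NAME: exit 0 if NAME is listed on the "LABEL settings:" line.
has_setting() {
    printf '%s\n' "$1" | awk -v label="$2 settings:" -v want="$3" '
        index($0, label) { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}
le_supported() { has_setting "$1" supported le; }
le_enabled()   { has_setting "$1" current le; }

# hci_version_ok VERSION_TEXT: exit 0 if the HCI major version is 4 or higher (LE needs 4.0+).
hci_version_ok() {
    printf '%s\n' "$1" | awk '
        /HCI Version:/ { split($3, v, "."); ok = (v[1] + 0 >= 4) }
        END { exit !ok }'
}

# check_adapter INFO_TEXT VERSION_TEXT: 0 = ready for LE, 1 = LE supported but
# switched off, 2 = controller cannot do LE at all (wrong or too old dongle).
check_adapter() {
    if ! le_supported "$1" || ! hci_version_ok "$2"; then
        echo "controller has no LE support: use a Bluetooth 4.0+ dongle"; return 2
    fi
    if ! le_enabled "$1"; then
        echo "LE supported but off: run 'btmgmt le on' and 'hciconfig hci0 up'"; return 1
    fi
    echo "controller ready for LE"; return 0
}
# Demo on the constructed samples; live use: check_adapter "$(btmgmt info)" "$(hciconfig hci0 version)"
check_adapter "$SAMPLE_BEFORE" "$SAMPLE_VERSION" || true
check_adapter "$SAMPLE_AFTER"  "$SAMPLE_VERSION" || true
```

Run it as root on each of the two VMs: both the master and the proxy adapter must come back "ready for LE" before BtleJuice can relay anything.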

IHbib commented 5 years ago

Hey did you find a solution to your issue?

emanuelduss commented 5 years ago

Hi

No, I was not able to solve the problem. But I got this:

I found a presentation about BLE online: https://nis-summer-school.enisa.europa.eu/2018/cources/IOT/nis-summer-school-damien-cauquil-BLE-workshop.pdf

In there, there is a link to an Ubuntu VM that has btlejuice preinstalled: https://mega.nz/#!nsdxhArR!fGGB2on_JChsmAuT-OORAhDLWdrOgVlu-BRczhFUQXo

I downloaded the VM and I could run btlejuice. It worked better, which means I was able to connect to the advertised "fake" device, but it was not very stable. I did not see every packet and I could not always manipulate them. So in the end, it was also useless for me.

I don't know why the Ubuntu VM works but my own Kali setup does not. I could not get any more details on that :(.

Some other news: The way to go for me in terms of BLE hacking is to use a BBC Micro:Bit and the btlejack software. This has the disadvantage that you can't perform an active man-in-the-middle. You can only sniff traffic (but also from existing connections) and also hijack existing connections (kick out the connected device and connect yourself to the BLE device).

Greetz, Emanuel

IHbib commented 4 years ago

Hi again and thanks for your suggestion about btlejack, I bought the BBC Microprocessor and will try it next week.

But sadly the VM link is expired, do you perhaps have the VM on your drive and could upload it for me?

emanuelduss commented 4 years ago

Hi

I do not have the VM anymore. I deleted it b/c as I said, btlejuice or also gattacker did still not work for me in a reliable way on this VM.

trishmapow commented 4 years ago

Any update on this? There's a similar issue with a different tool I tried earlier https://github.com/securing/gattacker/issues/3.

Looks like I might have to go down the Micro:Bit route too.

IHbib commented 4 years ago

I got it to work by downgrading node.js to version 4.3.2. Also make sure your Bluetooth interfaces both support Bluetooth Low Energy. My notebook didn't support it.

emanuelduss commented 4 years ago

Any update on this? There's a similar issue with a different tool I tried earlier securing/gattacker#3.

Looks like I might have to go down the Micro:Bit route too.

Hi

I don't have any news. I had the exact same problems when I also tried gattacker. So I'll stick to the Micro:Bit device that works quite well. Not perfect but OKish.

Kunal-Rex commented 3 years ago

I got it to work by downgrading node.js to version 4.3.2. Also make sure your Bluetooth interfaces both support Bluetooth Low Energy. My notebook didn't support it.

Can you tell me the steps, you did to make it work?

pi3ch commented 2 years ago

@Kunal-Rex This is my workaround. It comes up and starts advertising the dummy device. You can use nRF Connect to connect and see the data being intercepted.

# OS Ubuntu 18.4.3 however it should be possible on latest version of Ubuntu as well.
# Remove NPM and NODE that you may have installed via apt get
sudo apt install curl python build-essential bluetooth bluez libbluetooth-dev libudev-dev
# NVM is used to get exact version of node
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
source ~/.nvm/nvm.sh
# you can change version to any other, 4.3.2
nvm install 8.10.0
npm i -g --unsafe-perm btlejuice
# Sudo to run the remaining command as root
sudo -s 
service bluetooth stop
hciconfig hci0 up
btlejuice -w -u PROXYIP 
# OR
btlejuice-proxy

However, I still get crypto.js:60: TypeError: Cannot read property 'length' of undefined when a device tries to pair; this seems to be related to the underlying library bleno: https://github.com/abandonware/bleno/issues/23

iHanxD commented 2 years ago

@pi3ch I was able to get the proxy set up and ready to use. However, the dummy device does not start advertising. Why is that?

image