nccgroup / Sniffle

A sniffer for Bluetooth 5 and 4.x LE
https://www.nccgroup.trust/us/our-research/sniffle-a-sniffer-for-bluetooth-5/?research=Public+tools
GNU General Public License v3.0

Relay Attack #85

Open johnb21098 opened 1 month ago

johnb21098 commented 1 month ago

Hi, great product. I have bought some TI dev boards to play around with.

Have you documented the relay attack methodology anywhere? I'm looking to give it a go and didn't know whether there were some documented instructions somewhere? Or if you could give us a point in the right direction.

Thanks!

sultanqasim commented 1 month ago

The methodology is described in this talk: https://hardwear.io/netherlands-2022/presentation/bluetooth-LE-link-layer-relay-attacks.pdf

I hope to release the code for that functionality eventually, though at the time of publication of that research, there was reluctance in our company to release it due to concerns about possible misuse. With that said, you can implement the relay attack functionality as described in the talk with the public Sniffle firmware if you write the host-side "glue" code yourself.

johnb21098 commented 1 month ago

Many thanks for your quick reply.

By the host-side glue code, do you mean the part that sends the BLE data between two of the Sniffle devices and ensures it's transmitted? That's what I was wondering how to implement properly.

Many thanks

sultanqasim commented 1 month ago

Yes, that’s what I meant by host side glue.

johnb21098 commented 1 month ago

Are you able to say if we can just transmit the pcap files we get, or do we need to do some processing in the middle?

sultanqasim commented 1 month ago

It’s mostly just forwarding packets from one side to another, though you do need to keep track of the connection event counter on both sides. If they’re too far out of sync, there will be issues with connection parameter changes. For unencrypted connections, you can change the instant value in connection parameter change requests to avoid issues. For encrypted connections, you need to keep the connection event counters roughly in sync.

johnb21098 commented 3 weeks ago

Hi,

Sorry, another question. I believe I have most of the host-side code sorted but am having some issues transmitting the received packets. Currently I'm using the cmd_transmit function, but it won't transmit my bytes. I've tried just giving it some random bytes and asking it to transmit them, but it doesn't seem to be working according to my sniffer. Here is the code; any help is appreciated. Do the bytes have to follow a certain pattern, or can I just transmit random bytes?

#!/usr/bin/env python3

from sniffle_hw import SniffleHW

def main():
    # Initialize Sniffle hardware 
    serial_port = "/dev/ttyACM0"  # Replace with your actual serial port
    hw = SniffleHW(serial_port)

    # Set the device MAC address
    device_mac = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06])
    hw.cmd_setaddr(device_mac)

    raw_data = [0x01, 0x02, 0x03, 0x04, 0x05]  

    # Transmit the raw data
    hw.cmd_transmit(raw_data)
    print(f"Transmitted raw data: {raw_data}")

if __name__ == "__main__":
    main()