securing / gattacker

A Node.js package for BLE (Bluetooth Low Energy) security assessment using Man-in-the-Middle and other attacks
http://www.gattack.io
MIT License
704 stars 142 forks source link

Specific BLE Device is Causing GATTacker (ws-slave) to Crash #17

Open GamingTechRides opened 6 years ago

GamingTechRides commented 6 years ago

Hello, I am very new to reverse engineering, BLE, node, javascript, linux, etc. I am attempting to MitM a specific BLE device (https://www.homedepot.com/p/Genie-Aladdin-Connect-Smartphone-Enabled-Garage-Door-Controller-to-open-and-monitor-your-door-from-anywhere-ALKT1-R/206268108).

I've already determined the device does not use authentication or encryption and sends its payload to the Master every 30 seconds using a Notify of the Battery Level characteristic. The value it puts in for the Battery Level handle is actually the application-layer data the Master needs.

Here's the problem: when I insert the battery so the device starts advertising- it actually crashes GATTacker. I am running the slave on a Kali VM within a regular Kali box that is acting as the master. GATTacker runs fine and see's the other BLE devices in the area and records their advertisements- but when I turn on the BLE device I want to clone- GATTacker crashes with "erros.RangeError('ERR_INDEC_OUT_OF_RANGE').

I am so new to this I do not even know where to begin troubleshooting. I've attached a screenshot so you can see how GATTacker was seeing other BLE devices, then crashed with the above-mentioned errors (it happens every time I turn on the BLE device). The left terminal in the screenshot is the VM acting as the slave, and the right terminal is the real box acting as the master (Im using 2 separate BLE dongles). Any help would be greatly appreciated. Thank you.

screenshot from 2018-03-30 17-48-21

jslawek commented 6 years ago

Hi, it looks like you have found a bug in advertisements parsing. Would you be able to give us this specific advertisement content (in raw hex would be best)? It could be read using e.g. nRF Connect mobile app (in "scanner" click on device and choose "raw"), or hcitool lescan + hcidump -X -R.

jslawek commented 6 years ago

Also, can you check if noble example advertisement-discovery.js (https://github.com/noble/noble/blob/master/examples/advertisement-discovery.js) properly recognizes this specific device advertisement? The problem may be in noble's internals.

GamingTechRides commented 6 years ago

Here you go: 0x0201051002031802180418202A47454E49454E450B0947656E6965204450532D

screenshot_20180405-215723