Bluetooth Low Energy (BLE) devices are configured with a set of static parameters that are used to determine how to pair with other BLE devices. These parameters decide the level of security applied to a device’s connection.
When BLE devices pair, a key exchange method (association model) is selected based on the exchanged pairing parameters. The association model can provide authentication and correlates to a security mode and level of a paired connection. The BLE peripheral hosts data using the Generic Attribute Profile (GATT), which is a framework for organizing data on the device into services, characteristics, and descriptors. Each GATT characteristic has a property that states the minimum required security mode and level in order to access it, which can be used to guarantee that data transferred to/from the characteristic is protected.
We wanted to understand and test BLE device communication security. To do this, we would have needed to obtain a set of BLE devices that together support each permutation of the static pairing parameters, so that we could see each pairing method and how it was implemented. Instead, we created BLEBoy, which allows users to configure pairing parameters on-the-fly in order to force a specific pairing method to be used between BLEBoy and a BLE central device. Creating BLEBoy removed the need for tracking down multiple BLE devices and simplified the testing and training process.
BLEBoy is a BLE peripheral comprised of open source hardware and software that supports all BLE pairing methods, allows on-the-fly pairing parameter manipulation, and hosts data protected by varying levels of security. The goal of the device is to provide an accessible testing and training resource that can be used to understand BLE pairing and the types of protections that can be applied to GATT characteristics on BLE peripherals.
Why are BLE Pairing and GATT Security Important?
When assessing a BLE device, it is important to identify the pairing parameters used by the device and the level of security applied to GATT characteristics on the peripheral. If the pairing parameters provided by BLE devices result in the devices using a weak pairing method, it is possible for an attacker sniffing BLE traffic to crack the BLE encryption (if used) and compromise any transmitted data. If sensitive GATT characteristics on the peripheral aren’t configured to use a security mode that enforces strong communication security, the data transferred between BLE devices may be compromised.
What Does BLEBoy Provide?
In order to understand the varying levels of security available in BLE, we needed a device that can be used to see each pairing method and demonstrate how developers can protect data transferred between BLE devices. Since BLE devices typically have static pairing parameters, it is difficult to obtain a set of BLE peripherals that allow us to analyze and understand each pairing method. With BLEBoy, we can configure pairing parameters dynamically and apply different pairing methods as needed. By default, BLEBoy contains four characteristics, one for each security level (1-4) in BLE security mode 1. To top it all off, BLEBoy is built from off-the-shelf Adafruit Feather boards and FeatherWings for simple device construction.
BLEBoy can pair with a central device using the association model of our choice. This allows us to attempt to exploit issues with pairing methods or discover weaknesses in the implementation of a device’s pairing procedure. For instance, we can configure BLEBoy to force an LE Legacy Just Works pairing with a central device and use an Ubertooth (https://greatscottgadgets.com/ubertoothone/) and Crackle (https://github.com/mikeryan/crackle) to demonstrate an attacker cracking the weak key exchange by sniffing the BLE traffic. Alternatively, we can use BLEBoy to show the different levels of protection that can be applied to GATT characteristics (security mode and level) and how they relate to the pairing method used.
How it Works
BLEBoy is a BLE peripheral that has a GATT server containing a custom GATT service with four read-only GATT characteristics. Each GATT characteristic is configured with one of security mode 1 levels 1 through 4. In order to access all four GATT characteristics, the BLEBoy must be connected to a BLE central device over a security mode 1, level 4 connection. Any lower security level reduces the number of readable GATT characteristics.
To demonstrate the GATT access controls, we used an Android device with the “nRF Connect for Mobile” Android application (https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp&hl=en).
1. On the BLEBoy, navigate to “Main Menu” and select the “Advertising” item to tell the BLEBoy to begin advertising.
2. Navigate to the “Status” menu and take note of the value next to the “Addr” field. This is your BLEBoy’s Bluetooth address.
3. From the “nRF Connect for Mobile” application, select the “Scanner” tab and press the “SCAN” button (in the upper right-hand corner of the app).
4. Once the BLEBoy with the address retrieved from step 2 appears in the scanner list, click the connect button next to the BLEBoy entry.
5. After the previous step completes, a new tab representing our BLEBoy peripheral appears in the application. Notice the “Unknown Service” listed. Select this service and notice the 4 GATT characteristics.
6. Select the first characteristic in the list and notice the value read is “Sec1Level1Char”. This is a GATT characteristic that requires a connection with security mode 1, level 1.
7. From the BLEBoy, select the “Status” menu again and look at the values for “SecMode” and “SecLevel” (you will need to scroll down to see these values). These are the security mode and level of the current BLE connection with the BLEBoy.
8. From the BLEBoy, select the “Settings” menu and configure the following options:
   a. Bonding: 1
   b. LESC: 0
   c. MitM: 1
   d. Keypress: 1
   e. IO: DisplayOnly
   f. OOB: 0
9. From the mobile application, select the 3rd characteristic in the list and attempt to read the value.
10. Notice that a bonding request is issued by the application. This is because the phone is attempting to read a characteristic that it is not authorized to access. As a result, the phone attempts to pair with the BLEBoy.
11. Attempt step 8 again, making sure to accept the bonding prompt on the phone and follow the instructions displayed on the phone and BLEBoy. The application should show “BONDED” on the screen.
12. Notice we can now read the value of the 3rd characteristic, which requires security mode 1, level 3.
13. Now, attempt to read the 4th characteristic.
14. Notice no value is read. This is because the 4th characteristic requires security mode 1, level 4, which means LE Secure Connections pairing must be used. Since we set LESC to 0 in step 8 on the BLEBoy, we force the devices to pair using an LE Legacy association model, thus preventing us from reaching security mode 1, level 4.
Additional features that we would like to add to BLEBoy include:
- Support for security mode 2
- Tutorial modules for interacting with BLEBoy using BLESuite (https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/september/introducing-blesuite-and-ble-replay-python-tools-for-rapid-assessment-of-bluetooth-low-energy-peripherals/)
- Expanding IO support for BLEBoy to remove the requirement for a computer serial connection when using the OOB and passkey entry association models.
BLEBoy is a great resource for learning about BLE security and provides a single BLE peripheral that can be used to experiment with each BLE pairing method. This release of BLEBoy includes a parts list, instructions for constructing the device, source code that needs to be compiled and uploaded to the device, and several training modules. The training modules included with BLEBoy cover an overview of basic BLE concepts and security properties, an explanation of the functionality supported by BLEBoy, an explanation of how to view BLE traffic from an Android device, additional BLEBoy pairing examples, and a module dedicated to demonstrating out-of-band pairing with an Android device.
BLEBoy build instructions, source code, and training modules can be found on our public GitHub at https://github.com/nccgroup/BLEBoy.
Published date: 12 March 2018
Written by: Taylor Trabun