GATTacker – BLE (Bluetooth Low Energy) Man-in-the-Middle

A Node.js package for BLE (Bluetooth Low Energy) security assessment using Man-in-the-Middle and other attacks.

Prerequisites

npm install gattacker

Running both components

Set up variables in config.env:

NOBLE_HCI_DEVICE_ID : noble (“central”, ws-slave) device

BLENO_HCI_DEVICE_ID : bleno (“peripheral”, advertise) device

If you run “central” and “peripheral” modules on separate boxes with just one BT4 interface, you can leave the values commented.

WS_SLAVE : IP address of ws-slave box

DEVICES_PATH : path to store json files

Start “central” device

sudo node ws-slave

Connects to targeted peripheral and acts as websocket server.

Run with debug output:

DEBUG=ws-slave sudo node ws-slave

Scanning

Scan for advertisements

node scan

Without parameters it scans for broadcast advertisements and records them as json files (.adv.json) in DEVICES_PATH.

Explore services and characteristics

node scan

Explore services and characteristics of the chosen peripheral. Saves the explored service structure as a json file (.srv.json) in DEVICES_PATH.

Hook configuration (optional)

For active request/response tampering, configure hook functions for a characteristic in the device's json services file:

{
  "uuid": "06d1e5e779ad4a718faa373789f7d93c",
  "name": null,
  "properties": [ "write", "notify" ],
  "startHandle": 8,
  "valueHandle": 9,
  "endHandle": 10,
  "descriptors": [
    { "handle": 10, "uuid": "2902", "value": "" }
  ],
  "hooks": {
    "dynamicWrite": "dynamicWriteFunction",
    "dynamicNotify": "customLog"
  }
}

dynamic: connect to the original device
static: do not connect to the original device, run the tampering function locally
staticValue: static value

It will try to invoke the specified function from hookFunctions; you can include your own. A few examples are provided in the hookFunctions subdir.

Start “peripheral” device

node advertise -a [ -s ]

It connects via websocket to ws-slave in order to forward requests to the original device. A static run (-s) sets up the services locally and does not connect to ws-slave; you have to configure the hooks properly.

MAC address cloning

For many applications it is necessary to clone the MAC address of the original device. A helper tool, bdaddr from BlueZ, is provided in helpers/bdaddr.

cd helpers/bdaddr
make

wrapper script:

./mac_adv -a [ -s ]

Turn off, cross fingers, try again ;)

Reset device

hciconfig reset

Running ws-slave and advertise on the same box
With this configuration you may experience various problems.
Try switching NOBLE_HCI_INTERFACE and BLENO_HCI_INTERFACE.

hcidump debug

hcidump -x -t

FAQ, more information
More information:
Download GATTacker
