ATT Profiler

ATT Profiler is a Node.js tool for profiling a Bluetooth Low Energy peripheral, built on top of a modified version of the BLE central emulator by Sandeep Mistry. It enumerates the services/characteristics that are exposed by a device and attempts to identify the minimum level of security at which each characteristic on the device can be accessed.

The tool also offers the functionality to perform a rudimentary "dictionary attack" against the device PIN, by performing repeated pairing attempts with different PIN values.

Prerequisites

Install Node.js

Linux

  • Kernel version 3.6 or above
  • libbluetooth-dev

Ubuntu/Debian/Raspbian

sudo apt-get install bluetooth bluez libbluetooth-dev libudev-dev

Windows

node-gyp requirements for Windows

Install the required tools and configurations using Microsoft's windows-build-tools from an elevated PowerShell or cmd.exe (run as Administrator).

npm install --global --production windows-build-tools

node-bluetooth-hci-socket prerequisites

  • Compatible Bluetooth 4.0 USB adapter
  • WinUSB driver setup for Bluetooth 4.0 USB adapter, using Zadig tool

Install and Usage

Download the project and then navigate to /app/external/noble/ and run

npm install

On Linux

Make sure the bluetoothd service is not running, by typing

sudo systemctl stop bluetooth

You will then need to manually bring the HCI interface back up again. Assuming the interface is hci0:

sudo hciconfig hci0 up

Start the tool from within the project folder:

sudo node index

On Windows

From within the project folder:

node index

To check security for different access types

The switches "-r", "-w", and "-n" are used to check Read, Write, and Notify access respectively. If no parameter is specified, then only Read access is checked. e.g., if you would like to check Write security, then use:

node index -w

To check all characteristics

By default, the code will only check those characteristics that have the relevant access type in their properties lists. That is, if we consider Reads, it will only check Reads for characteristics that have the Read property set. The "-a" switch can be used to perform the check for all characteristics. e.g., to check Read access for all characteristics:

node index -r -a

e.g., to check Read and Write for all characteristics, use:

node index -r -w -a

Passkey options

Use the -p flag to work with different passkey options.

  • -p <PIN> allows the user to provide a static PIN during code execution. Works for devices with fixed PINs.
  • -p u prompts the user to input a PIN via the console during runtime. Applicable for devices that generate dynamic PINs.
  • -p d performs a dictionary "attack" to try and find the PIN. Useful for identifying weak static PINs (although any static PIN is inadvisable).

Output options

By default, the tool generates a timestamped JSON file. If a specific name is required, it can be specified with the -o flag. Do not specify a file extension.

-o <outputfilename>

Troubleshooting

If the code gets stuck after "Connected to xx:xx:... ", or if it disconnects immediately after connecting, it probably means that the system has stored some previous pairing information for the device. On Windows, delete or "forget" the pairing. On Linux, try unpairing using

bt-device -r xx:xx:xx:xx:xx:xx

where xx:xx:xx:xx:xx:xx is the MAC address of the peripheral.

You can double-check this by running

sudo ls /var/lib/bluetooth/YY:YY:YY:YY:YY:YY

Here YY:YY:YY:YY:YY:YY is the MAC address of the HCI interface on the test machine. There should be no file or folder named xx:xx:xx:xx:xx:xx (where again xx:xx:xx:xx:xx:xx is the MAC address of the peripheral).

Publications

A Low Energy Profile: Analysing Characteristic Security on BLE Peripherals.
Poster paper, published in the Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy.

Limitations

Some devices artificially "lock" access to some of the characteristics, which have to be "unlocked" by writing some custom bytes to other characteristics. This is implementation-specific and won't be identified by the Profiler. The output may show Read/Write Not Permitted or Unknown for such characteristics.
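To make the "minimum security level" idea from the overview and the Not Permitted / Unknown outcomes above concrete, here is an added illustration in Node.js (not ATT Profiler's own code): it decodes the ATT Error Response a peripheral sends back when an access is refused and derives the lowest level at which the access went through. The level names (none, unauthenticated, authenticated) and the per-level response layout are assumptions for this example; the opcodes and error codes are the ones defined in the Bluetooth Core Specification.

```javascript
// Added illustration, not code from ATT Profiler: map ATT Error Response PDUs to the
// "minimum security level" of a characteristic and to Not Permitted / Unknown outcomes.
const ATT_OP_ERROR_RSP = 0x01; // per Bluetooth Core Spec, ATT

const ATT_ERRORS = {
  0x02: 'Read Not Permitted',
  0x03: 'Write Not Permitted',
  0x05: 'Insufficient Authentication',
  0x08: 'Insufficient Authorization',
  0x0c: 'Insufficient Encryption Key Size',
  0x0f: 'Insufficient Encryption',
};

// Parse a 5-byte ATT Error Response: opcode, request opcode, handle (LE16), error code.
function parseErrorResponse(buf) {
  if (buf.length !== 5 || buf[0] !== ATT_OP_ERROR_RSP) {
    throw new Error('not an ATT Error Response PDU');
  }
  const code = buf[4];
  return {
    requestOpcode: buf[1],
    handle: buf.readUInt16LE(2),
    errorCode: code,
    errorName: ATT_ERRORS[code] || `Unknown (0x${code.toString(16)})`,
  };
}

// Assumed level names, lowest first (the tool's own naming is not reproduced here).
const LEVELS = ['none', 'unauthenticated', 'authenticated'];
// responses: per level, null when the access succeeded, otherwise the Error Response
// buffer the peripheral returned. Returns the lowest level that succeeded, 'not permitted'
// when the peripheral rejects the access type outright, or 'unknown' otherwise.
function minimumSecurityLevel(responses) {
  for (const level of LEVELS) {
    const rsp = responses[level];
    if (rsp === null) return level;
    const { errorCode } = parseErrorResponse(rsp);
    if (errorCode === 0x02 || errorCode === 0x03) return 'not permitted';
  }
  return 'unknown';
}

// Constructed sample: reads on handle 0x0021 fail until the link is authenticated.
const sample = {
  none: Buffer.from([0x01, 0x0a, 0x21, 0x00, 0x05]),
  unauthenticated: Buffer.from([0x01, 0x0a, 0x21, 0x00, 0x05]),
  authenticated: null,
};
console.log(minimumSecurityLevel(sample)); // authenticated
```

A characteristic that answers Insufficient Authentication at every level the tool can reach ends up as Unknown, which is also what the implementation-specific "locked" characteristics described above tend to look like.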

Disclaimer

This script, especially when used with the -w switch, may brick or otherwise render unusable the test device. We accept no responsibility if this should occur. Please understand the risks before running the script.

Only use the script on devices that belong to you!