1 of 72

If you want to interact with this talk, download nRF Connect

Intro To Bluetooth/BLE - Bernie Conrad - 11/06/21

2 of 72

Bluetooth: With Low Energy

Comes High Power

bernie@allthenticate.com

Lead Software Architect @ Allthenticate

Senior studying CompSci @ UCSB


3 of 72

Quick Disclaimer

I know more than I’d like to know about Bluetooth but I don’t know everything.

If I don’t know, see me after and I’ll get your contact to circle back!


4 of 72

Goals

  • Give you background on Bluetooth/BLE
  • Delve into some of the inner workings and see it in action!
  • Give you resources and tools if you want to learn more!


5 of 72

Quick Audience Poll


6 of 72

Who has connected to something over bluetooth before?


7 of 72

Who is familiar with general client server relationships?


8 of 72

Has anyone taken a networking class or is in a networking class?


9 of 72

Who has experience programming?


10 of 72

Who has experience programming with python?


11 of 72

Quick Demo


12 of 72

allthenticate.com


13 of 72

Bluetooth Crash Course

Its history, strengths, and shortcomings


14 of 72

Why was Bluetooth so important?

Bluetooth was invented at a time when:

  • Phones used serial or USB cables to transfer data

Bluetooth (BR: 1999) enabled:

  • Omnidirectional, cable-free data transfers between phones, personal computers and accessories
    • Built on short-link radio work started at Ericsson, a Swedish phone company
    • Ericsson and a handful of partners formed the Bluetooth Special Interest Group (SIG), which still owns the spec


15 of 72

Improvements

Bluetooth 2.0 + Enhanced Data Rate (BR/EDR: 2004):

  • Roughly tripled the data rate to 2.1 Mbps (3 Mbps on air) along with a longer practical range

Bluetooth 3.0 + High Speed (HS: 2009):

  • Got up to 24 Mbps
    • The trick: negotiate the connection over Bluetooth, then hand the bulk transfer to co-located 802.11 hardware (the "alternate MAC/PHY") for the speedup


16 of 72

Bluetooth sounds great!


17 of 72

Strengths and Shortcomings

  • Most IoT devices, computers and phones support it thanks to wide adoption in the early 2000s
    • Early on it was fast enough; today it is slow compared to Wi-Fi Direct
  • Not optimized for low power: a Classic link is kept alive continuously, even when there is nothing to send
    • Range is limited to roughly 100 m (Class 1 radios); at the fringe a lot of packets get dropped


18 of 72

Pop Quiz!

Apparently it’s a good way to engage viewers ¯\_(ツ)_/¯

Why is Bluetooth called Bluetooth?


19 of 72

Any Civ V fans?


21 of 72

This is great, right?

  • Works great for:
    • Sharing files, videos, photos
    • Streaming music to peripherals
    • Connecting peripherals to your computer wirelessly
  • Not great for:
    • Low power consumption
    • Cost effectiveness
    • Short, infrequent exchanges (a few bytes every now and then)


22 of 72

What is BLE?

How is it related to bluetooth?


23 of 72

BLE

  • Bluetooth Low Energy (originally Nokia's Wibree, a.k.a. Ultra Low Power Bluetooth, later marketed as Bluetooth Smart) was introduced in Bluetooth 4.0 (2010)
    • Designed for very low power IoT edge applications
    • Reduced memory requirements, more efficient discovery and connection setup, shorter packets and simpler services
    • Not compatible with Classic on the air: a "dual-mode" chip runs both stacks side by side


24 of 72

BLE vs BR/EDR (Bluetooth Classic)

  • BR/EDR supports much more data transfer, but at the cost of battery life
    • Better for wireless headphones, microphones, anything that constantly streams one-to-one data
  • BLE supports small snippets of less frequent data, and can run on edge devices off a coin cell battery for years
    • Better for beacons, fitness trackers, medical equipment
    • Also supports broadcast, mesh and piconet topologies, but those are beyond the scope of this talk


25 of 72

Parts of BLE

  1. Connecting
  2. Sending
  3. Receiving


26 of 72

Quick Vocab Lesson

  • Peripheral: treat it like a server; this is usually the edge device (it advertises and accepts the connection)
  • Central: treat it like a client; this is usually a phone (it scans and initiates the connection)
  • Strictly, those are the GAP (link) roles; the GATT roles are server (holds the data) and client (asks for it). A peripheral is almost always the GATT server, but the spec lets either side play either GATT role.


27 of 72

Connecting

  • Discovery: the peripheral advertises and the central scans
    • Active scanning: the central sends a scan request and gets a scan response carrying extra data
    • Passive scanning: the central only listens, so the advertiser never learns it is there
    • There is also a connectionless broadcaster/observer pair of roles (this is what beacons use)
  • Once the central sees a peripheral it wants, it sends a connection request; any central in range can do this unless the peripheral restricts it with an accept list (white list)


28 of 72

[Diagram: Central and Peripheral]


29 of 72

[Diagram: Central → Peripheral: Connect]


30 of 72

Let’s see this in action!

Try to connect to “Click Me!” in nRF Connect


32 of 72

BLE Advertisements

This is data a peripheral can include so centrals can tell devices apart:

  • A name and appearance (e.g. "heart rate sensor")
  • Service UUIDs
    • Service data
  • Manufacturer data (a company ID plus whatever the vendor wants)

  • Less common
    • Solicit UUIDs (the peripheral says which service it wants the central to provide)

Everything in an advertisement goes out in the clear and unauthenticated: anything a scanner app shows you, anyone else nearby can see, and anyone with a radio can send the same bytes.

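As an added example (not from the talk or from Allthenticate), here is a parser for the format those fields actually travel in: an advertising payload is a run of "AD structures", each a length byte, a SIG-assigned AD type byte and the data. It runs on a constructed payload (not a capture) that carries the "Click Me!" name from the demo, the Heart Rate service UUID 0x180D and made-up manufacturer bytes under company ID 0x004C (Apple's assigned number). It also classifies the random address sub-types mentioned on the privacy slide later in the deck.

```python
"""Parse the AD structures in a BLE advertising payload. Added example, not the
talk's code. Each structure is <length><AD type><data>; length counts the type
byte plus the data. AD type values are the SIG-assigned ones."""

AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE = 0x02, 0x03
AD_UUID128_INCOMPLETE, AD_UUID128_COMPLETE = 0x06, 0x07
AD_NAME_SHORT, AD_NAME_COMPLETE = 0x08, 0x09
AD_SOLICIT_UUID16, AD_SERVICE_DATA16, AD_APPEARANCE = 0x14, 0x16, 0x19
AD_MANUFACTURER = 0xFF


def iter_ad_structures(payload: bytes):
    """Yield (ad_type, data) pairs. Stops at a zero length byte (padding) and
    refuses to read past the buffer if a length byte lies about its size."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(payload):  # attacker-controlled length: never over-read
            raise ValueError(f"truncated AD structure at offset {i}")
        yield payload[i + 1], payload[i + 2:end]
        i = end


def _uuid16s(data: bytes):
    # 16-bit UUIDs are little-endian on air; ignore a trailing odd byte
    return [int.from_bytes(data[k:k + 2], "little") for k in range(0, len(data) - 1, 2)]


def parse_advertisement(payload: bytes) -> dict:
    """Decode the fields the talk lists (name, appearance, service UUIDs,
    service data, manufacturer data, solicit UUIDs) into a dict."""
    adv = {"service_uuids": [], "solicit_uuids": [], "service_data": {}}
    for ad_type, data in iter_ad_structures(payload):
        if ad_type == AD_FLAGS and data:
            adv["flags"] = data[0]
            adv["le_general_discoverable"] = bool(data[0] & 0x02)
            adv["br_edr_not_supported"] = bool(data[0] & 0x04)
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            adv["service_uuids"] += _uuid16s(data)
        elif ad_type in (AD_UUID128_INCOMPLETE, AD_UUID128_COMPLETE):
            # 128-bit UUIDs are little-endian on air; reverse to the printed order
            adv["service_uuids"] += [data[k:k + 16][::-1].hex() for k in range(0, len(data) - 15, 16)]
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            adv["name"] = data.decode("utf-8", "replace")
        elif ad_type == AD_SOLICIT_UUID16:
            adv["solicit_uuids"] += _uuid16s(data)
        elif ad_type == AD_SERVICE_DATA16 and len(data) >= 2:
            adv["service_data"][int.from_bytes(data[:2], "little")] = data[2:]
        elif ad_type == AD_APPEARANCE and len(data) == 2:
            adv["appearance"] = int.from_bytes(data, "little")
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            adv["company_id"] = int.from_bytes(data[:2], "little")
            adv["manufacturer_data"] = data[2:]
    return adv


def random_address_kind(addr: bytes) -> str:
    """Classify a 6-byte random BLE address (most significant byte first, as
    printed) by its top two bits. A static random address is as trackable as a
    public one; only a resolvable private address rotates, and linking it back
    to a device needs the IRK shared at bonding."""
    kinds = {0b11: "static", 0b01: "resolvable private", 0b00: "non-resolvable private"}
    return kinds.get(addr[0] >> 6, "reserved")


# Constructed sample payload (not a capture): the "Click Me!" name from the demo,
# the Heart Rate service (0x180D) and made-up manufacturer bytes under company
# ID 0x004C (Apple's assigned number). 24 of the 31 bytes a legacy ADV PDU allows.
SAMPLE_ADV = (
    bytes([0x02, AD_FLAGS, 0x06])                              # LE General Discoverable, no BR/EDR
    + bytes([0x0A, AD_NAME_COMPLETE]) + b"Click Me!"           # Complete Local Name
    + bytes([0x03, AD_UUID16_COMPLETE, 0x0D, 0x18])            # 0x180D, little-endian
    + bytes([0x05, AD_MANUFACTURER, 0x4C, 0x00, 0x01, 0x02])   # company 0x004C + 2 bytes
)

if __name__ == "__main__":
    print(parse_advertisement(SAMPLE_ADV))
```

The length check in `iter_ad_structures` is the part worth copying: a scanner that trusts the length byte will read past the payload, and since nothing in an advertisement is authenticated, the name, UUIDs and manufacturer bytes are attacker-controlled input to whatever app displays them.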

34 of 72

Before we send or read data...

What kind of data can be sent or read? How is that managed?


35 of 72

What is GATT?


36 of 72

GATT

  • A table of services, which contain characteristics (and descriptors) that carry short pieces of data that can be read or written
  • Every entry is an attribute defined by a UUID, a value and permissions
    • 16-bit UUIDs are assigned by the Bluetooth SIG (standard services, plus blocks reserved for member companies); anything custom uses a 128-bit UUID
    • The Bluetooth stack assigns each attribute a 16-bit handle when the table is built
    • The central "discovers" the handles after the LE connection completes
  • A device defines its GATT table of services and characteristics, with permissions, at setup time


37 of 72

Abstractly...

  • Generic Attribute Profile (GATT) creates a table structure of data
  • Services: group together related attributes
    • Ex. Temperature Service
  • Characteristics: containers for user data, made of a declaration (properties, value handle, UUID) and the value itself
    • Ex. 82.1
  • Descriptors: optionally expand a characteristic with more metadata; formally the "characteristic definition" is the declaration, the value and any descriptors together
    • Ex. a user-description string that says "Temperature in the Room"
    • Ex. the Client Characteristic Configuration descriptor (CCCD), which is what a central writes to subscribe to updates


39 of 72

What is a profile?

  • A spec for a particular BLE application, built out of standard services, e.g.:
    • BLP (Blood Pressure Profile)
    • HRP (Heart Rate Profile)
    • LNP (Location and Navigation Profile)
    • HOGP (HID over GATT Profile, often shortened to HOG)
    • WSP (Weight Scale Profile)
  • Defines how an application behaves so that devices from different vendors interoperate
    • A device can implement multiple profiles*


40 of 72

Let’s send some data


41 of 72

[Diagram: Central → Peripheral: Write; Peripheral → Central: Acknowledge]

The acknowledge is the ATT Write Response to a Write Request; a Write Command ("write without response") gets no reply at all, so the central never learns whether it was rejected.


42 of 72

Let’s see this in action!


43 of 72

How does a central get data?


44 of 72

[Diagram: Central → Peripheral: Read; Peripheral → Central: Data]


45 of 72

But...

How do you think a peripheral sends new data to a central?


46 of 72

[Diagram: Central → Peripheral: Subscribe; Peripheral → Central: Indicate; Central → Peripheral: Acknowledge]

Subscribe means the central writes 0x0002 to the characteristic's CCCD. The peripheral must wait for the acknowledge (Handle Value Confirmation) before it may send the next indication, so delivery is reliable but slower.


47 of 72

[Diagram: Central → Peripheral: Subscribe; Peripheral → Central: Notify]

Here the central writes 0x0001 to the CCCD instead. Notifications are never acknowledged: cheaper, but a lost one is lost silently.

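The following is an added example (not the talk's or Allthenticate's code) that ties the GATT slides and the two subscribe diagrams together in one runnable model: it builds the attribute table the way a stack does (handles assigned in table order), enforces read/write permissions plus a per-characteristic security level, and walks through subscribe, notify and indicate including the one-indication-in-flight rule. The ATT error codes and characteristic property bits are the spec's values; the 1/2/3 security-level numbering is a simplified stand-in for the link's pairing state, and the door-lock characteristic with UUIDs 0xFF00/0xFF01 is a made-up placeholder (a real custom UUID would be 128-bit).

```python
"""In-memory GATT server: table build, permissions, CCCD subscribe, notify and
indicate. Added example, not the talk's code. Security level is a simplified
model: 1 = no security, 2 = Just Works / unauthenticated, 3 = authenticated."""
from dataclasses import dataclass

# ATT error codes (Core Spec Vol 3 Part F, 3.4.1.1)
ATT_OK, ATT_READ_NOT_PERMITTED, ATT_WRITE_NOT_PERMITTED = 0x00, 0x02, 0x03
ATT_INSUFFICIENT_AUTHENTICATION, ATT_ATTRIBUTE_NOT_FOUND = 0x05, 0x0A
ATT_INSUFFICIENT_ENCRYPTION = 0x0F
# Characteristic property bits (Core Spec Vol 3 Part G, 3.3.1.1)
PROP_READ, PROP_WRITE, PROP_NOTIFY, PROP_INDICATE = 0x02, 0x08, 0x10, 0x20
PRIMARY_SERVICE_UUID, CHARACTERISTIC_UUID, CCCD_UUID = 0x2800, 0x2803, 0x2902


@dataclass
class Characteristic:
    uuid: int
    value: bytes
    props: int
    min_level: int = 1     # link security required to read/write/subscribe
    value_handle: int = 0  # assigned when the table is built
    cccd_handle: int = 0   # 0 if the characteristic cannot notify/indicate
    cccd: int = 0          # 0x0001 = notifications on, 0x0002 = indications on


def check_level(c, level):
    # plaintext link -> Insufficient Encryption; encrypted but not
    # authenticated strongly enough -> Insufficient Authentication
    if level >= c.min_level:
        return ATT_OK
    return ATT_INSUFFICIENT_ENCRYPTION if level == 1 else ATT_INSUFFICIENT_AUTHENTICATION


class GattServer:
    def __init__(self, services):
        """services: [(service_uuid, [Characteristic, ...]), ...]. Handles go in
        table order: service declaration, then per characteristic its
        declaration, its value and its descriptors."""
        self.handles = {}  # handle -> (attribute uuid, owning characteristic or None)
        self.indication_pending = False
        h = 1
        for svc_uuid, chars in services:
            self.handles[h] = (PRIMARY_SERVICE_UUID, None); h += 1
            for c in chars:
                self.handles[h] = (CHARACTERISTIC_UUID, None); h += 1
                c.value_handle = h; self.handles[h] = (c.uuid, c); h += 1
                if c.props & (PROP_NOTIFY | PROP_INDICATE):
                    c.cccd_handle = h; self.handles[h] = (CCCD_UUID, c); h += 1

    def read(self, handle, level=1):
        """Central -> Read Request. Returns (error code, value)."""
        if handle not in self.handles:
            return ATT_ATTRIBUTE_NOT_FOUND, b""
        uuid, c = self.handles[handle]
        if c is None:  # declarations are always readable
            return ATT_OK, uuid.to_bytes(2, "little")
        if handle == c.cccd_handle:
            return ATT_OK, c.cccd.to_bytes(2, "little")
        if not c.props & PROP_READ:
            return ATT_READ_NOT_PERMITTED, b""
        err = check_level(c, level)
        return err, (c.value if err == ATT_OK else b"")

    def write(self, handle, data, level=1):
        """Central -> Write Request. Returns the code in the Write Response.
        Writing the CCCD is how a central subscribes; same gate as the value."""
        if handle not in self.handles:
            return ATT_ATTRIBUTE_NOT_FOUND
        _, c = self.handles[handle]
        if c is not None and handle == c.cccd_handle:
            err = check_level(c, level)
            if err == ATT_OK:
                c.cccd = int.from_bytes(data[:2], "little")
            return err
        if c is None or not c.props & PROP_WRITE:
            return ATT_WRITE_NOT_PERMITTED
        err = check_level(c, level)
        if err == ATT_OK:
            c.value = bytes(data)
        return err

    def update(self, c, new_value):
        """Peripheral-side value change. Returns what goes on the air: a notify
        (no reply), an indicate (one in flight until confirmed), or None."""
        c.value = bytes(new_value)
        if c.cccd & 0x0001 and c.props & PROP_NOTIFY:
            return ("notify", c.value_handle, c.value)
        if c.cccd & 0x0002 and c.props & PROP_INDICATE and not self.indication_pending:
            self.indication_pending = True
            return ("indicate", c.value_handle, c.value)
        return None

    def confirm(self):
        """Central -> Handle Value Confirmation; unblocks the next indication."""
        self.indication_pending = False


def demo():
    """Read / write / subscribe / notify / indicate, as in the talk's diagrams.
    0xFF00/0xFF01 are placeholder UUIDs for a made-up door-lock characteristic."""
    temp = Characteristic(0x2A6E, (2210).to_bytes(2, "little"), PROP_READ | PROP_NOTIFY)
    lock = Characteristic(0xFF01, b"\x00", PROP_WRITE | PROP_INDICATE, min_level=3)
    srv = GattServer([(0x181A, [temp]), (0xFF00, [lock])])
    r = {"read_temp": srv.read(temp.value_handle)}                          # (0x00, 22.10 C)
    r["write_temp"] = srv.write(temp.value_handle, b"\x00")                 # read-only: 0x03
    r["unlock_plain"] = srv.write(lock.value_handle, b"\x01", level=1)      # 0x0F
    r["unlock_justworks"] = srv.write(lock.value_handle, b"\x01", level=2)  # 0x05
    r["unlock_auth"] = srv.write(lock.value_handle, b"\x01", level=3)       # 0x00
    r["silent"] = srv.update(temp, b"\x01\x00")                             # nobody subscribed
    srv.write(temp.cccd_handle, b"\x01\x00")                                # subscribe: notify
    r["notify"] = srv.update(temp, b"\x02\x00")
    srv.write(lock.cccd_handle, b"\x02\x00", level=3)                       # subscribe: indicate
    r["ind1"] = srv.update(lock, b"\x01")
    r["ind2_blocked"] = srv.update(lock, b"\x00")                           # still unconfirmed
    srv.confirm()
    r["ind2"] = srv.update(lock, b"\x00")
    return r
```

The `min_level` gate is the point to take from this: a write over a plaintext link and a write over a Just Works link both fail for the lock, with different ATT error codes, and a stack that forgets to gate the CCCD lets an unpaired central subscribe to data it could not read directly.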

48 of 72

Let’s see this in action!


50 of 72

What is a characteristic?


51 of 72

What is a characteristic?

What is a service?


52 of 72

What is a characteristic?

What is a service?

What is a descriptor?


53 of 72

How does a central send data?


54 of 72

How does a central get data?


55 of 72

Now you know:

  • The history of Bluetooth
  • BLE applications
  • The BLE protocol
    • GATT


56 of 72

Things we couldn’t get to

  • Bluetooth security: see later slides
  • Beacons - how Apple’s iBeacons work


57 of 72

My Story With BLE and GATT


58 of 72

@Allthenticate

  • We use BLE for our smart door readers and computers to beacon data to any phone running our app
  • Phones with access will connect, authenticate using asymmetric keys
  • Authenticated phones can automatically (un)lock doors, login to computers, even sudo up without a password!
  • All communication is handled by BLE


59 of 72

@UCSB

  • Researching vulnerabilities in implementations of the HID over GATT (HOG) profile
  • Trying to get remote access to a phone without any user interaction by leveraging privacy weaknesses in the BLE spec


60 of 72

Project Ideas

  • Create a desktop app that your phone can connect to and send commands to run programs
  • App that tracks BLE beacons around your home
    • Maybe auto connect when you see a beacon and start some home automation


61 of 72

Tools for you!


62 of 72

Hardware

  • Raspberry Pis with Bluetooth 4.0+ (built in since the Pi 3)
    • Compute Modules are legit
  • Any USB Bluetooth adapter (~$10)
  • Arduino Nano 33 (BLE / BLE Sense)
  • Ubertooth One (for sniffing the air, not just talking to devices)


63 of 72

Software

Python packages:

  • ABle
    • reliABle
  • Bleak (Henrik Blidh): cross-platform central/client
  • Bless (Kevin Carr): cross-platform peripheral/server

Other:

  • BlueZ (Linux Bluetooth stack)
    • Tools like bluetoothctl and btmon (live HCI trace)
  • Arduino BLE libraries
  • nRF Unit Tests


64 of 72

Check us out!


65 of 72

Thank you!

Hmu bernie@allthenticate.net


67 of 72

Neat Facts


68 of 72

Security Concerns

  • Secure Simple Pairing (SSP, Classic since 2.1): ECDH key agreement with an association model on top (Numeric Comparison, Passkey Entry, Out of Band, Just Works)
    • The passkey only protects against MITM if the attacker cannot observe or guess it (6 digits fall to brute force quickly if the device lets you keep retrying)
    • That assumes the protocol is followed to the tee; a lot of implementations have/had critical bugs
  • Security Mode 4 (service-level security with SSP) is recommended; its Level 4 means authenticated Secure Connections pairing with 128-bit AES-CCM encryption
    • Most IoT runs at Level 1 (no security) or Level 2 (encrypted but unauthenticated, i.e. Just Works): no MITM protection, so beatable
    • "Security Mode 1 devices never initiate security and therefore should never be used" (but it's easy so...)
    • Just Works pairing is a joke: no user verification at all, so an active MITM during pairing costs nothing


69 of 72

Is the Security Better with BLE?

  • "With the Bluetooth 4.1 and 4.2 releases, the differences have been minimized" - NIST
    • One difference: in LE legacy pairing (4.0/4.1) the long term key is distributed during pairing, protected only by a short term key derived from the TK (0 for Just Works, or the 6-digit passkey)
    • Meaning if you capture the pairing exchange and recover the TK, you can decrypt the LTK and with it every later session
    • LE Secure Connections (4.2+) fixes this: the LTK comes out of an ECDH exchange and is never sent over the air
  • There used to be major privacy issues because devices advertised a static public address
    • Now they can broadcast a rotating resolvable private address, which makes tracking a little harder (see papers in notes)
  • But....


70 of 72

“None of the pairing methods provide protection against a passive eavesdropper”

-Bluetooth Core Spec


71 of 72

Issues with LE (legacy) key exchanges...

  • USENIX WOOT 2013 talk on this: Mike Ryan, "Bluetooth: With Low Energy Comes Low Security" (the author of Crackle)
  • Not going to dig into the cryptography (I'm comically underqualified) but a passive observer can follow a connection
    • Recover the access address, CRC init value, hop interval and hop increment from sniffed packets, then hop along with the link
    • If you missed the pairing, jam the connection until the supervision timeout drops it; the devices reconnect and many will simply pair again in front of you
  • In LE legacy pairing the short term key is a function of the captured pairing packets and the TK (0 for Just Works, or the 6-digit passkey), so "brute forcing the pin" is at most a million AES operations...how hard can that be?
    • Takes a little under a second with Crackle
    • All you need is off-the-shelf hardware (~$25), Wireshark and Crackle


72 of 72

Moral of the story: encrypt the data at the application layer if it matters, or don't send really important data over BLE at all; and as it stands there is no private way to advertise.
