I really wanted to see what was going on under the hood, so to speak, when a new device ( IOT) is turned on and it is magically detected by the mobile (IOS/Android) app for the initial configuration. Just for fun, I started sniffing the Bluetooth communication during the initial connection and it was quite interesting.
General Process:
Initially what happens is that the IOT device turns on it’s Bluetooth sends a broadcast on the air. The application on the android device responds to the broadcast and the initial connection is established. Then, in the android device the user searches for an access point and provides the credentials. Those credentials are than transferred to the IOT device for it to connect. Once the WIFI connection is established, the device turns off it’s Bluetooth interface.
Issue:
The issue observed here is that if an attacker follows the connection, he or she can very easily view the data and communication (L2CAP packets). As they are not encrypted, hence the the WIFI password is leaked in clear text. The severity of this issue is localized but BLE now supports encryption, but this initial pairing and transfer of data is sent unencrypted. Though the data is base64 encoded which is quite trivial to decode.
To do this, the following is required:
SW TOOLS:
Wireshark
Linux Distro
HCItool
HW TOOLS:
Ubertooth One
nRF52840 Dongle (if you really need it)
Initially you would have to determine the Bluetooth address of the device (IOT) and then once you have it you need to create a pipe the details of how to do it are mentioned in the official Ubertooth Documentation page. Once the pipe is created, run ubertooth-btle and dump the data to the pipe which you just created.
ubertooth-btle -f -c /tmp/pipe
Open the pipe as an interface in Wireshark and you are ready all ready and good to go.