Thursday, June 7, 2018

Learning Bluetooth Hackery with BLE CTF


Do you want to get into tinkering and hacking Bluetooth LE devices?  Up until now, doing so was very much a DIY process.  You would have to find relevant documentation or videos, and then find various BLE devices to test on.  In order to make this learning process easier, I created a Bluetooth LE CTF, named BLECTF, which aims to teach the fundamentals of BLE connections, interactions, and hacking.

At its core, the CTF focuses on teaching BLE GATT service connection fundamentals.  The CTF runs a BLE GATT server on an ESP32 device with 20 flag-based challenges.  Each challenge focuses on teaching different BLE functionality you would typically see in the wild.  Adventurous individuals who complete all 20 flags will obtain the skills needed to start exploring all things BLE in the world!



In order to get started, you will need a couple of things.  First, you have to obtain some hardware to run the CTF.  It runs on the ESP32 chipset, and boards can be found for roughly $10 on Amazon.  If you want to skip all of the setup, I sell them pre-flashed with the CTF for $20 here, or you can trade me cash/beers at DEFCON/Blackhat.  I will be presenting the project at Blackhat Arsenal (and likely other locations in Las Vegas this year).  Second, you will need a laptop with a Bluetooth device capable of connecting to the CTF.  Some laptops come with embedded Bluetooth devices which you can use.  However, depending on the chipset or operating system, you may not be able to use these devices to connect to the CTF.  I prefer to use SENA’s Bluetooth USB dongle as it has an amazing range and is compatible with Linux and the BlueZ Bluetooth stack.  Third, you will need an operating system and tools to interact with your laptop's Bluetooth device or USB dongle to connect to the CTF.  I prefer to use Linux for this as tools like gatttool and bleah run without issues.  If you are running Windows or OSX, I would recommend that you just install a Linux VM and do your Bluetooth hacking through the VM with a USB Bluetooth device (vagrant is amazing for this).

Setting up the CTF is fairly easy.  As I mentioned above, you can skip this if you purchase the ESP32 pre-flashed.  However, if you want to save some cash or learn the process yourself, you can follow the setup steps located here.

Now, let's get started!  I'm not going to spoil the CTF too much here!  I'll just give you a taste and help you get started!  The next few sections assume you are all set up with a CTF server running on an ESP32 and have a Linux box with bluez-tools and bleah installed.

In order to hack the things, you must find them first.  Let's run the following command to find the BT address of the CTF device:


Now, let's use bleah to enumerate all of its handles and characteristics.


There are a few things to take note of here.  The first is handle 0x002a which shows your CTF score.  As you find and submit flags, this score will update accordingly.  The second tidbit to notice here is handle 0x002c.  This handle will be the one you interact with the most as it is where you will be submitting flags once you find them.

Now, let's find ourselves an easy flag and submit it.  The easiest one to find is one that is not even given to you by the CTF server.  It is obtained by reading the documentation for the project here.  If you look in the hints section, you will see that Flag #1 can only be obtained from reading this flag hint section of the documentation.

Let's submit it!  You can use gatttool or bleah to do this, but let's follow the docs and use gatttool here.  Keep in mind, while bleah is super cool, it won’t get you through the whole CTF.  You will have to use tools like gatttool on a lot of the flags.

Submit it with the following:

Now, let's check our score to see that it registered:
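As an added example (this is my own illustration, not code from the post or from the BLECTF project), the Python helpers below capture the three steps just walked through: pick the CTF's address out of an `hcitool lescan` listing, build the `gatttool` command that writes a flag as hex bytes to the submission handle 0x002c, and decode the score that `gatttool --char-read` returns from handle 0x002a.  The advertised device name `BLECTF`, the sample scan and read output, the BT address and the flag value are all constructed assumptions; only the two handle numbers come from the post.

```python
"""Helpers for driving gatttool against the BLE CTF GATT server.

Added example, not part of the original post or the BLECTF project.
Handles 0x002a (score) and 0x002c (flag submission) are the ones named in
the post; the device name and all sample output below are constructed."""

import re
import subprocess
from typing import List, Optional

SCORE_HANDLE = 0x002A   # read-only score characteristic (from the post)
FLAG_HANDLE = 0x002C    # flag submission characteristic (from the post)
DEVICE_NAME = "BLECTF"  # assumed advertised name of the ESP32

# Constructed sample of `hcitool lescan` output: the same device is usually
# listed more than once, first with "(unknown)" and then with its name.
SAMPLE_SCAN = """LE Scan ...
AA:BB:CC:DD:EE:FF (unknown)
AA:BB:CC:DD:EE:FF BLECTF
11:22:33:44:55:66 (unknown)
"""

# Constructed sample of `gatttool --char-read` output for the score handle,
# i.e. the ASCII string "Score: 1/20" printed as space-separated hex bytes.
SAMPLE_READ = "Characteristic value/descriptor: 53 63 6f 72 65 3a 20 31 2f 32 30 \n"


def parse_lescan(output: str, name: str = DEVICE_NAME) -> Optional[str]:
    """Return the BT address on the first scan line whose name matches."""
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[1] == name:
            return parts[0]
    return None


def flag_to_hex(flag: str) -> str:
    """gatttool's -n argument takes the raw value as a hex string, so the
    flag text has to be hex-encoded before it can be written."""
    return flag.encode("ascii").hex()


def write_cmd(addr: str, value: str, handle: int = FLAG_HANDLE) -> List[str]:
    """argv equivalent of:
    gatttool -b <addr> --char-write-req -a 0x002c -n <hex of value>"""
    return ["gatttool", "-b", addr, "--char-write-req",
            "-a", f"0x{handle:04x}", "-n", flag_to_hex(value)]


def read_cmd(addr: str, handle: int = SCORE_HANDLE) -> List[str]:
    """argv equivalent of: gatttool -b <addr> --char-read -a 0x002a"""
    return ["gatttool", "-b", addr, "--char-read", "-a", f"0x{handle:04x}"]


def decode_char_read(output: str) -> str:
    """Turn the hex bytes gatttool prints after
    'Characteristic value/descriptor:' back into a string."""
    m = re.search(r"Characteristic value/descriptor:\s*((?:[0-9a-fA-F]{2}\s*)+)", output)
    if not m:
        raise ValueError("no characteristic value in gatttool output")
    raw = bytes.fromhex("".join(m.group(1).split()))
    return raw.decode("ascii", errors="replace")


def submit_and_score(addr: str, flag: str) -> str:
    """Submit a flag, then read the score back.  Only reached when a real
    adapter and CTF board are present; the helpers above are pure."""
    subprocess.run(write_cmd(addr, flag), check=True)
    out = subprocess.run(read_cmd(addr), check=True,
                         capture_output=True, text=True).stdout
    return decode_char_read(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    addr = parse_lescan(SAMPLE_SCAN)
    print("CTF address:", addr)
    print("submit:", " ".join(write_cmd(addr, "example")))
    print("score :", decode_char_read(SAMPLE_READ))
```

The `-n` hex encoding is the step people most often trip over: writing the flag text directly makes gatttool reject the value, so keep the conversion in one place and reuse it for every flag.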


That's it!  I've told you a bit about the project and helped you on your first flag.  Now, go forth and “responsibly” hack all the Bluetooths!
