crackle, crack Bluetooth Smart (BLE) encryption

overview

crackle cracks Bluetooth Smart (BLE) encryption. It exploits a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.

crackle can guess or very quickly brute force the TK (temporary key) used in the pairing modes supported by most devices (Just Works and 6-digit PIN). With this TK, crackle can derive all further keys used during the encrypted session that immediately follows pairing. The LTK (long-term key) is typically exchanged in this encrypted session, and it is the key used to encrypt all future communications between the master and slave.

The net result: a passive eavesdropper can decrypt everything. Bluetooth Smart encryption is worthless.

crackle is open source software, available under the simplified BSD license. It has been built and tested on the following platforms:

Linux
FreeBSD

Please let me know if you run it on another platform!

See more about my Bluetooth Smart security research.

crackle source can be found on Github.

download

Latest version: 0.1, released 2013-02-15
- crackle 0.1 - source

Build source by running

make

Install with

make install

running it

Full details on running crackle are in the README. Briefly:

# crack TK mode
$ crackle -i <file.pcap> -o <decrypted.pcap>
TK found: 412741
LTK found: 26db138f0cc63a12dd596228577c4730
Done, processed 306 total packets, decrypted 17

# decrypting future communications with the above LTK
$ crackle -i <file.pcap> -o <decrypted.pcap> -l 26db138f0cc63a12dd596228577c4730
Done, processed 373 total packets, decrypted 15

Thanks to the rest of #ubertooth on irc.freenode.net for keepin it real.

crackle, crack Bluetooth Smart (BLE) encryption

overview

download

running it

git

sample files

more info

thanks