crackle, crack Bluetooth Smart (BLE) encryption


overview

crackle cracks Bluetooth Smart (BLE) encryption. It exploits a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.

crackle can guess or very quickly brute force the TK (temporary key) used in the pairing modes supported by most devices (Just Works and 6-digit PIN). With this TK, crackle can derive all further keys used during the encrypted session that immediately follows pairing. The LTK (long-term key) is typically exchanged in this encrypted session, and it is the key used to encrypt all future communications between the master and slave.

The net result: a passive eavesdropper can decrypt everything. Bluetooth Smart encryption is worthless.
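Whether the TK is trivially small depends on the pairing method the two devices negotiate in the SMP Pairing Request and Pairing Response. The Python below is an added example, not part of crackle or this page: it parses those two PDUs from a capture and reports the negotiated method, the size of the TK space an eavesdropper would have to search, and the negotiated encryption key length. The PDU layout and the IO-capability table follow the Bluetooth Core Specification (Vol 3, Part H); the Secure Connections flag (AuthReq bit 3) is a Bluetooth 4.2 addition that postdates this page and is included only so the check does not misreport ECDH pairings; all sample PDUs are constructed, not captured.

```python
import math

# Added example, not crackle's own code: classify a captured BLE pairing exchange
# and size the TK an eavesdropper would have to guess. Field layout and the
# IO-capability mapping follow Bluetooth Core Spec Vol 3, Part H (Security Manager).

SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02

IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}

AUTHREQ_MITM = 0x04  # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 0x08    # AuthReq bit 3: LE Secure Connections (Bluetooth 4.2 addition)


def parse_smp_pairing_pdu(pdu: bytes) -> dict:
    """Parse a 7-byte Pairing Request (0x01) or Pairing Response (0x02) PDU."""
    if len(pdu) != 7:
        raise ValueError("pairing request/response PDU must be exactly 7 bytes")
    code, io_cap, oob, authreq, key_size, init_kd, resp_kd = pdu
    if code not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError(f"not a pairing request/response (code 0x{code:02x})")
    if io_cap not in IO_CAPS:
        raise ValueError(f"reserved IO capability 0x{io_cap:02x}")
    if not 7 <= key_size <= 16:
        raise ValueError(f"invalid maximum encryption key size {key_size}")
    return {"code": code, "io_cap": IO_CAPS[io_cap], "oob": bool(oob),
            "mitm": bool(authreq & AUTHREQ_MITM), "sc": bool(authreq & AUTHREQ_SC),
            "key_size": key_size, "init_kd": init_kd, "resp_kd": resp_kd}


def legacy_method_from_io(init_io: str, resp_io: str) -> str:
    """Legacy pairing method from the spec's IO-capability table (MITM requested)."""
    if "NoInputNoOutput" in (init_io, resp_io):
        return "Just Works"
    displays = ("DisplayOnly", "DisplayYesNo")
    if init_io in displays and resp_io in displays:
        return "Just Works"  # neither side can type a passkey
    return "Passkey Entry"


def assess_pairing(req_pdu: bytes, rsp_pdu: bytes) -> dict:
    """Report negotiated pairing method, TK search space and key length."""
    req = parse_smp_pairing_pdu(req_pdu)
    rsp = parse_smp_pairing_pdu(rsp_pdu)
    if req["code"] != SMP_PAIRING_REQUEST or rsp["code"] != SMP_PAIRING_RESPONSE:
        raise ValueError("expected a Pairing Request followed by a Pairing Response")
    key_size = min(req["key_size"], rsp["key_size"])  # negotiated key length in bytes

    if req["sc"] and rsp["sc"]:
        method, tk_space = "LE Secure Connections", None  # ECDH: no TK to guess
    elif req["oob"] and rsp["oob"]:
        method, tk_space = "Out of Band", 2 ** 128  # 128-bit TK from the OOB channel
    elif not (req["mitm"] or rsp["mitm"]):
        method, tk_space = "Just Works", 1  # TK is all zeros
    else:
        method = legacy_method_from_io(req["io_cap"], rsp["io_cap"])
        tk_space = 1 if method == "Just Works" else 10 ** 6  # 6-digit passkey
    return {"method": method, "tk_space": tk_space,
            "tk_bits": None if tk_space is None else math.log2(tk_space),
            "key_bits": key_size * 8}


# Constructed sample PDUs (not from a real capture). Byte order:
# code, IO cap, OOB flag, AuthReq, max key size, initiator keys, responder keys.
PHONE_REQUEST = bytes([0x01, 0x04, 0x00, 0x05, 0x10, 0x07, 0x07])      # KeyboardDisplay, bonding+MITM
HEADLESS_RESPONSE = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])  # NoInputNoOutput sensor
DISPLAY_RESPONSE = bytes([0x02, 0x00, 0x00, 0x05, 0x10, 0x01, 0x01])   # DisplayOnly, MITM
SHORT_KEY_RESPONSE = bytes([0x02, 0x03, 0x00, 0x01, 0x07, 0x01, 0x01]) # asks for a 7-byte key
SC_REQUEST = bytes([0x01, 0x04, 0x00, 0x0d, 0x10, 0x07, 0x07])         # bonding+MITM+SC
SC_RESPONSE = bytes([0x02, 0x01, 0x00, 0x0d, 0x10, 0x01, 0x01])

if __name__ == "__main__":
    for name, req, rsp in [("headless", PHONE_REQUEST, HEADLESS_RESPONSE),
                           ("display", PHONE_REQUEST, DISPLAY_RESPONSE),
                           ("short key", PHONE_REQUEST, SHORT_KEY_RESPONSE),
                           ("secure connections", SC_REQUEST, SC_RESPONSE)]:
        print(f"{name:18s} {assess_pairing(req, rsp)}")
```

For a device owner the useful output is the method and tk_bits: a Just Works pairing has a one-element TK space and a 6-digit passkey pairing under 20 bits, which is why both fall to the brute force described above; only the Out of Band and Secure Connections cases remove that weakness, and a negotiated key size below 16 bytes shrinks the session key itself.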

crackle is open source software, available under the simplified BSD license. It has been built and tested on the following platforms:

Please let me know if you run it on another platform!

See more about my Bluetooth Smart security research.

crackle source can be found on Github.

download

Build source by running

make

Install with

make install

running it

Full details on running crackle are in the README. Briefly:

# crack TK mode
$ crackle -i <file.pcap> -o <decrypted.pcap>
TK found: 412741
LTK found: 26db138f0cc63a12dd596228577c4730
Done, processed 306 total packets, decrypted 17

# decrypting future communications with the above LTK
$ crackle -i <file.pcap> -o <decrypted.pcap> -l 26db138f0cc63a12dd596228577c4730
Done, processed 373 total packets, decrypted 15

git

crackle source can be found on Github.

sample files

Grab some sample files for cracking with crackle. Refer to the README inside the tarball for more information:

sample files for crackle

more info

crackle was first presented during my ShmooCon 2013 presentation How Smart Is Bluetooth Smart? on February 16, 2013. The video is available online.

thanks

Super mega huge thanks go to Mike Ossmann (@michaelossmann) and Dominic Spill (@dominicspill) for Ubertooth and being generally awesome dudes.

Thanks also to Jouni Malinen from wpa_supplicant for writing an awesome AES-CCM implementation and releasing it under the BSD license.

Thanks to the rest of #ubertooth on irc.freenode.net for keepin it real.