Menu
Intro: I'm coming to this problem without full familiarity with the Bluetooth stack and protocols, so this may require several rounds of editing as errors in my assumptions are revealed.
I'm attempting to connect to a Bluetooth device, a Scosche myTREK Pulse Monitor. I was able to connect to the device using the 'official' app for Android, and I captured the Bluetooth packet output using hcidump. I can read and understand the connection process up through the link key exchange; however, the device then sends an HCI Encrypt Change event, after which most (but not all) packets are labeled as ACL packets, and are difficult to interpret.
The basic question is: Does Bluetooth encrypt data, and is there a way to decrypt it securely? Is this related to the shift to ACL packets?
Here is a sample of the packet output provided by hcidump for a given connection, starting at the passing of the Link Key. ( > refers to the monitor sending data )
> HCI Event: Link Key Request (0x17) plen 6
0000: ** ** ** ** ** ** ??????
< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ???????????????
0010: ** ** ** ** ** ** ??????
> HCI Event: Command Complete (0x0e) plen 10
0000: 01 0b 04 00 ** ** ** ** ** ** ....??????
> HCI Event: Encrypt Change (0x08) plen 4
0000: 00 0c 00 01 ....
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 02 08 00 40 00 40 00 01 00 00 00 ........@.@.....
< ACL data: handle 12 flags 0x00 dlen 10
0000: 06 00 01 00 0a 01 02 00 02 00 ..........
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Info rsp: type 2 result 0
Extended feature mask 0x0000
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 02 08 00 40 00 40 00 00 00 00 00 ........@.@.....
< ACL data: handle 12 flags 0x00 dlen 12
0000: 08 00 01 00 04 02 04 00 40 00 00 00 ........@...
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
MTU 48
< ACL data: handle 12 flags 0x00 dlen 18
0000: 0e 00 01 00 05 03 0a 00 40 00 00 00 00 00 01 02 ........@.......
0010: 30 00 0.
> ACL data: handle 12 flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 0
Success
> ACL data: handle 12 flags 0x02 dlen 36
L2CAP(d): cid 0x0040 len 32 [psm 0]
0000: 06 00 01 00 1b 35 11 1c 00 00 00 00 de ca fa de .....5......??·?
0010: de ca de af de ca ca fe 00 26 35 03 09 00 04 00 ???»????.&5.....
< ACL data: handle 12 flags 0x00 dlen 33
0000: 1d 00 40 00 07 00 01 00 18 00 15 35 13 35 11 09 [email protected]..
0010: 00 04 35 0c 35 03 19 01 00 35 05 19 00 03 08 12 ..5.5....5......
0020: 00 .
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0040 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 12
0000: 08 00 01 00 07 04 04 00 40 00 40 00 ........@.@.
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 3 scid 0x0041
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 05 08 00 40 00 41 00 00 00 00 00 [email protected].....
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
MTU 895
< ACL data: handle 12 flags 0x00 dlen 18
0000: 0e 00 01 00 05 06 0a 00 41 00 00 00 00 00 01 02 ........A.......
0010: 7f 03 ..
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 04 03 08 00 41 00 00 00 01 02 f5 03 ........A.....?.
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 18
L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 4
MTU 1013
At this point, the payloads delivered by the device vary drastically between runs, much less within a single run. I've placed the remainder of the log in a pastebin for brevity: Link
917
To deter hacking Bluetooth uses encryption based on security protocols called the SAFER+ block cipher. This technical term is complex to explain but essentially it's based on encrypting data using custom algorithms.
This service uses end-to-end encryption and also the data inside the encrypted message is also encrypted with Bluetooth LE security, thus providing a two-layer security. One more step can be to keep all the key information on the user side instead of a cloud.
Data transmission over Bluetooth LE in version 5.0 of the specification uses AES-CCM encryption. This encryption is performed in the Bluetooth Controller.
Bluetooth is a well-known security risk—including the possibility of escalating and executing code—well, malware—on the phone. Strongly suggest talking to cybersecurity experts—or even a Dr.
Yes, bluetooth encrypts data over the air. And yes, this applies to ACL data. But the data you are seeing over the HCI interface is already decrypted. Your problem is that you don't know how to interpret the ACL data stream. There are a couple levels of protocol on top of ACL data. Unless your device documents their protocol, you may be out of luck. It's most likely that they are running SPP (serial port profile) or RFCOMM to talk to the android app. So you have the following nested protocol layers to decode SPP -> RFCOMM -> L2CAP -> ACL data.
It is also possible that your device/app do additional application level encryption on top of SPP. In that case, you're out of luck.
192
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
