A few days ago I read about NCC Group’s Sniffle tool, a BLE sniffer for Bluetooth 4.X and 5. Given my interest and previous track record at looking into the security of BLE devices, I could not stop myself from testing it.

The tool is available on NCC Group’s Github, along with quite good documentation. It was not hard to install all the prerequisites and set up everything following their documentation. My environment is pretty well set up for this type of experimentation and devices, so from Python to PySerial, I did not have to do much. All the TI-specific tools should be installed in their default folders suggested upon install (when running the .run files) and one will not have any major issues.

So far, I have been able to run the sniffer on the TI CC26x2R Launchpad Board. The firmware loads without issue and the board is ready to use. Note that, as I will describe below, I have been having a bit of stability/buggyness issues with the sniffer. Whenever something acts up a bit, the best thing to do is to reload the firmware. That seems to get things fixed for me most of the times.

sniffle_load_fw

Once the firmware is loaded, it is easy to start running captures. Given the simplicity of the radio it’s running on, the sniffer can only scan one channel at a time, so you are either scanning ADV channels (37, 38 and 39) or following a connection. Therefore, unless you happen to catch an actual connection establishment, you should expect to only see ADV-related messages on your first captures.

sniffle_raw_capture.png

Once you are all set up, it is highly recommended to dump the traffic being captured to a pcap file using sniffle’s -o option. Looking at one of the captures I took, I see the expected advertising traffic. A whole bunch of Apple devices (in my experience, always very “loud” at sending ADV-related traffic) from my neighbors, some smart TVs (including mine; it’s been the subject of my research before and I know like the back of my hand the characteristics of its ADV packets) and some interesting devices that I will explore when I have more time.

sniffle_wireshark

Now that I am all set up, I will start taking actual captures of devices connecting and will test how reliable Sniffle’s ability to follow connections is. By the way, once you capture a full initial pairing and connection establishment, you should be able to process the pcap with Crackle to bruteforce the LTK session key and decrypt traffic. This is possible unless the pairing is being done with the Out of Band method. In my experience, the only device that I have observed in the wild using OOB pairing is the Apple Watch, though.

While using Sniffle I have noticed some instability. Every now and then I get weird errors raised by sniffle when having trouble parsing certain packets. See example above for a crash when it parses a packet that, allegedly, has an incorrect length field. I have observed similar parsing errors happening from time to time. When this happens, sniffle seems to get stuck when you try running it again. The quickest fix is to reload the firmware.

sniffle_error

Once I have some time I will continue playing with sniffle. With two kids now, time is a very scarce resource! 🙂

EDIT (10/04/2019): Correction to myself. Bluetooth 5 *should* be using Diffie-Hellman for the handshake to derive STK which encrypts the handshake to exchange LTK. If that is the case, even when sniffing a full initial pairing+connection, one could not be able to brute force anything. I have to find myself a Bluetooth 5 device and capture that traffic. I’ll update when I have some time.