
A few days ago I read about NCC Group’s Sniffle tool, a BLE sniffer for Bluetooth 4.X and 5. Given my interest and previous track record at looking into the security of BLE devices, I could not stop myself from testing it.

The tool is available on NCC Group’s Github, along with quite good documentation. It was not hard to install all the prerequisites and set up everything following their documentation. My environment is pretty well set up for this type of experimentation and devices, so from Python to PySerial, I did not have to do much. All the TI-specific tools should be installed in their default folders suggested upon install (when running the .run files) and one will not have any major issues.

So far, I have been able to run the sniffer on the TI CC26x2R Launchpad Board. The firmware loads without issue and the board is ready to use. Note that, as I will describe below, I have been having a few stability/bugginess issues with the sniffer. Whenever something acts up a bit, the best thing to do is to reload the firmware. That seems to get things fixed for me most of the time.


Once the firmware is loaded, it is easy to start running captures. Given the simplicity of the radio it’s running on, the sniffer can only scan one channel at a time, so you are either scanning ADV channels (37, 38 and 39) or following a connection. Therefore, unless you happen to catch an actual connection establishment, you should expect to only see ADV-related messages on your first captures.


Once you are all set up, it is highly recommended to dump the traffic being captured to a pcap file using Sniffle's -o option. Looking at one of the captures I took, I see the expected advertising traffic. A whole bunch of Apple devices (in my experience, always very "loud" at sending ADV-related traffic) from my neighbors, some smart TVs (including mine; it's been the subject of my research before and I know the characteristics of its ADV packets like the back of my hand) and some interesting devices that I will explore when I have more time.
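The device list a sniffer shows (address, company identifier, advertised name) comes straight out of the AD structures in each advertising PDU. As an added example that is not part of the original post or of Sniffle, here is a small parser for that length/type/data format, which pulls out the local name when it is sent in the clear and the company identifier from manufacturer-specific data. The two payloads are constructed for illustration; the AD type values and the 0x004C company identifier are from the Bluetooth assigned numbers.

```python
# Added example (not from the original post or from Sniffle): parse the AD
# structures of a BLE advertising payload and extract what a sniffer's device
# list displays. Sample payloads below are constructed, not captured.

# AD types from the Bluetooth Assigned Numbers (Generic Access Profile)
AD_FLAGS = 0x01
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_MANUFACTURER = 0xFF


def parse_ad_structures(payload: bytes):
    """Split AdvData/ScanRspData into (ad_type, data) tuples.
    Each structure is: length (1 byte, counting type + data), type (1 byte), data.
    A zero length byte ends the significant part; a structure whose length
    runs past the end of the payload is rejected instead of silently read."""
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        structures.append((ad_type, data))
        i += 1 + length
    return structures


def advertised_name(payload: bytes):
    """Return the local name advertised in plaintext, preferring the complete
    name over a shortened one; None when the device does not advertise it."""
    name = None
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_COMPLETE_NAME:
            return data.decode("utf-8", errors="replace")
        if ad_type == AD_SHORT_NAME and name is None:
            name = data.decode("utf-8", errors="replace")
    return name


def manufacturer_id(payload: bytes):
    """Company identifier (little-endian) from Manufacturer Specific Data."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_MANUFACTURER and len(data) >= 2:
            return int.from_bytes(data[:2], "little")
    return None


# Constructed sample: Flags (LE General Discoverable, BR/EDR not supported)
# followed by Complete Local Name "SmartTV".
SAMPLE_NAMED = bytes([0x02, 0x01, 0x06, 0x08, 0x09]) + b"SmartTV"
# Constructed sample: Flags plus Manufacturer Specific Data with company id
# 0x004C (Apple's assigned identifier) and opaque vendor bytes; no name in clear.
SAMPLE_APPLE = bytes([0x02, 0x01, 0x1A,
                      0x07, 0xFF, 0x4C, 0x00, 0x10, 0x05, 0x01, 0x1C])

if __name__ == "__main__":
    for label, adv in (("named", SAMPLE_NAMED), ("apple", SAMPLE_APPLE)):
        print(label, advertised_name(adv), manufacturer_id(adv))
```

The bounds check matters in practice: a length byte larger than the remaining payload is exactly the kind of malformed input that trips up a sniffer's parser, and a device list that raises a clear error is easier to debug than one that reads garbage.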


Now that I am all set up, I will start taking actual captures of devices connecting and will test how reliable Sniffle's ability to follow connections is. By the way, once you capture a full initial pairing and connection establishment, you should be able to process the pcap with Crackle to brute-force the LTK session key and decrypt traffic. This is possible unless the pairing is being done with the Out of Band method. In my experience, the only device that I have observed in the wild using OOB pairing is the Apple Watch, though.

While using Sniffle I have noticed some instability. Every now and then I get weird errors raised by sniffle when having trouble parsing certain packets. See example above for a crash when it parses a packet that, allegedly, has an incorrect length field. I have observed similar parsing errors happening from time to time. When this happens, sniffle seems to get stuck when you try running it again. The quickest fix is to reload the firmware.


Once I have some time I will continue playing with sniffle. With two kids now, time is a very scarce resource! 🙂

EDIT (10/04/2019): Correction to myself. Bluetooth 5 *should* be using Diffie-Hellman for the handshake to derive the STK, which encrypts the handshake to exchange the LTK. If that is the case, even when sniffing a full initial pairing+connection, one would not be able to brute-force anything. I have to find myself a Bluetooth 5 device and capture that traffic. I'll update when I have some time.
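Whether a captured pairing is worth running through Crackle, or whether it used OOB or the Diffie-Hellman based LE Secure Connections the edit refers to, can be read directly off the SMP Pairing Request and Pairing Response in the pcap. The following is an added example, not code from the original post, from Sniffle or from Crackle: it decodes both 7-byte PDUs, applies the method-selection rules from the Security Manager specification (Bluetooth Core Spec Vol 3, Part H) and returns a triage verdict. The sample PDUs are constructed; the opcode, IO capability and AuthReq bit values are the ones defined in the specification.

```python
# Added example, not from the original post nor from Sniffle or Crackle:
# decode a captured SMP Pairing Request / Pairing Response pair and work out
# which pairing method was negotiated, so a capture can be triaged for whether
# the LTK was protected by legacy pairing (short TK) or LE Secure Connections
# (ECDH). PDU layout and method selection follow Bluetooth Core Spec Vol 3,
# Part H (Security Manager). All sample PDUs below are constructed.

SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02

IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
AUTHREQ_MITM = 0x04  # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 0x08    # AuthReq bit 3: LE Secure Connections supported


def parse_pairing_pdu(pdu: bytes) -> dict:
    """Decode the 7-byte Pairing Request/Response PDU: opcode, IO capability,
    OOB data flag, AuthReq, max encryption key size, two key-distribution bytes."""
    if len(pdu) != 7 or pdu[0] not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError("not a Pairing Request/Response PDU")
    if pdu[1] not in IO_CAPS:
        raise ValueError(f"reserved IO capability value {pdu[1]:#04x}")
    return {"opcode": pdu[0], "io": IO_CAPS[pdu[1]], "oob": pdu[2] == 0x01,
            "mitm": bool(pdu[3] & AUTHREQ_MITM), "sc": bool(pdu[3] & AUTHREQ_SC),
            "max_key_size": pdu[4]}


def _method_from_io(init_io: str, resp_io: str, sc: bool) -> str:
    """IO-capability mapping (Vol 3 Part H, Table 2.8), used once one side
    asked for MITM protection and no OOB data is available."""
    both = (init_io, resp_io)
    if "NoInputNoOutput" in both:
        return "Just Works"
    if "KeyboardOnly" in both:
        return "Passkey Entry"
    if "DisplayOnly" in both:
        # DisplayOnly can only do Passkey Entry if the peer is able to type
        return "Passkey Entry" if "KeyboardDisplay" in both else "Just Works"
    # both sides are DisplayYesNo or KeyboardDisplay
    if sc:
        return "Numeric Comparison"
    return "Just Works" if both == ("DisplayYesNo", "DisplayYesNo") else "Passkey Entry"


def negotiated_pairing(request: bytes, response: bytes) -> dict:
    """Combine both PDUs into the pairing method and protection actually used."""
    req, rsp = parse_pairing_pdu(request), parse_pairing_pdu(response)
    if req["opcode"] != SMP_PAIRING_REQUEST or rsp["opcode"] != SMP_PAIRING_RESPONSE:
        raise ValueError("expected a Pairing Request followed by a Pairing Response")
    sc = req["sc"] and rsp["sc"]  # Secure Connections only when both support it
    # SC: OOB if either side has OOB data; legacy: OOB only if both sides do
    oob = (req["oob"] or rsp["oob"]) if sc else (req["oob"] and rsp["oob"])
    if oob:
        method = "Out of Band"
    elif not (req["mitm"] or rsp["mitm"]):
        method = "Just Works"
    else:
        method = _method_from_io(req["io"], rsp["io"], sc)
    return {"secure_connections": sc, "method": method,
            "key_size": min(req["max_key_size"], rsp["max_key_size"])}


def triage(request: bytes, response: bytes) -> str:
    """One-line verdict for a captured pairing, from a defender's point of view."""
    info = negotiated_pairing(request, response)
    if info["secure_connections"]:
        verdict = "LE Secure Connections (ECDH): LTK not derivable from a passive capture"
    elif info["method"] == "Out of Band":
        verdict = "legacy OOB: 128-bit TK, no practical offline brute force"
    else:
        verdict = "legacy pairing: TK is 0 or a 6-digit passkey, LTK at risk from a full capture"
    if info["key_size"] < 16:
        verdict += f"; negotiated key size reduced to {info['key_size']} bytes"
    return f"{info['method']} / {verdict}"


# Constructed samples: opcode, IO cap, OOB flag, AuthReq, max key size, init KD, resp KD
LEGACY_JW_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x00, 0x01])  # NoInputNoOutput, bonding only
LEGACY_JW_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x00, 0x01])
SC_PASSKEY_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x00, 0x01])  # KeyboardDisplay, bonding|MITM|SC
SC_PASSKEY_RSP = bytes([0x02, 0x00, 0x00, 0x0D, 0x10, 0x00, 0x01])  # DisplayOnly
SC_NUMCMP_REQ = bytes([0x01, 0x01, 0x00, 0x0D, 0x10, 0x00, 0x01])   # DisplayYesNo
SC_NUMCMP_RSP = bytes([0x02, 0x04, 0x00, 0x0D, 0x10, 0x00, 0x01])   # KeyboardDisplay
LEGACY_OOB_REQ = bytes([0x01, 0x03, 0x01, 0x05, 0x10, 0x00, 0x01])  # OOB data on both sides
LEGACY_OOB_RSP = bytes([0x02, 0x03, 0x01, 0x05, 0x10, 0x00, 0x01])

if __name__ == "__main__":
    for name, req, rsp in [("legacy just works", LEGACY_JW_REQ, LEGACY_JW_RSP),
                           ("sc passkey", SC_PASSKEY_REQ, SC_PASSKEY_RSP),
                           ("sc numeric comparison", SC_NUMCMP_REQ, SC_NUMCMP_RSP),
                           ("legacy oob", LEGACY_OOB_REQ, LEGACY_OOB_RSP)]:
        print(f"{name}: {triage(req, rsp)}")
```

In Wireshark the two PDUs show up as "Pairing Request" and "Pairing Response" under the SMP dissector, and the seven bytes after the L2CAP header can be fed straight into the functions above. The SC flag being set on only one side is the common surprise: the connection then falls back to legacy pairing even though one device supports ECDH, which is why the check looks at both AuthReq fields.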

Although for deep security analysis and experiments I do all Bluetooth and BLE things using either an Ubertooth One or my USRP (either B210 or B205mini **) and gr-bluetooth, I always start any experimentation with a basic sniffer.

Until now, my sniffer of choice was the BLE sniffer by Nordic Semiconductor (you can get the dongle for $25 on Adafruit and install the software). It's a simple, small-form-factor sniffer that runs great on Windows and Linux. I don't even need to fire up any Linux VM to start poking around.


Its user interface is rather archaic, purely shell-based, but it works just great. And it has a nice added feature that, when listing the devices it detects advertising around you, it automatically adds the device name if it's advertised in plaintext… which is usually the case.


I was going to set up the sniffer in my laptop today when I noticed that Nordic Semiconductor released a new version of their BLE sniffer. And it is a HUGE update and improvement. The new sniffer is actually integrated as a Wireshark plugin and works great. And allows doing all the work within Wireshark, which is great.

You can follow the instructions on how to install it and set it up here. In a nutshell, you'll need Python 2.7, pyserial (version 3.4 or higher; to upgrade run `pip install pyserial --upgrade`), Wireshark 2.4.2 or higher (I like to keep my old installations of Wireshark that I have nicely configured to color-code certain things and have specific columns in specific orders for my work on LTE security, 802.11 security, etc., so I keep several installations of Wireshark on my machine and so did I this time), and Segger J-Link v6.16c (which comes in the sniffer's compressed file).

By the way, in case you run into the same problem, the instructions are not super clear and it took me some time to realize that one has to copy the contents of “root of the uncompressed folder of the sniffer software\extcap\” to the Wireshark extcap folder (to find it run Wireshark, Help->About->Folders). I had initially copied everything into that folder, d’uh!

I did not manage to get this to work with the nRF51 USB dongle (the one I showed above), but it works great with both the nRF51 and nRF52 development kits.

I have one bit of feedback if anyone from Nordic Semiconductor is reading this. The current way to select the device I want to sniff from, by selecting it from the Device section of the Wireshark plugin, is not very useful. The text is tiny, the partial view of the list is to show and, more importantly, now you guys do not include the advertised device name if it’s in the clear! Hopefully this will be fixed in an upcoming release.


Anyhow, happy BLE sniffing folks!

(**) Looking for the USRP mini link I noticed they sell it now with the case and not board and case separately. Hooray! I wonder when they will do the same for the big brother B210.

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.