Sniffing and Decoding NRF24L01+ and Bluetooth LE Packets For Under $30

← Back to Stories (view on slashdot.org)

Sniffing and Decoding NRF24L01+ and Bluetooth LE Packets For Under $30

Posted by timothy on Tuesday January 21, 2014 @05:11AM from the on-the-cheap dept.

An anonymous reader writes "I was able to decode NRF24L01+ and Bluetooth Low Energy protocols using RTL-SDR. As far as I can see, this is the first time NRF24L01+ is being decoded, especially considering the low entry price for the hardware. Given the extreme popularity of this transceiver, we are likely to see a wave of hackers attacking the security of many wireless gadgets, and they are likely to succeed as security is usually the last priority for hardware designers of such cheap gadgets. A lot of work has been done to decode bluetooth using dedicated hardware, and I am sure this software can be adapted to output the right format as input to existing Bluetooth decoders such as Wireshark."

46 comments

Min score:

Reason:

Sort:

wireless keyboards and mouse by nobuddy · 2014-01-21 05:22 · Score: 3, Insightful

Who needs a keylogger when you can just pipe their output to your local machine directly?
1. Re: wireless keyboards and mouse by AmiMoJo · 2014-01-21 06:02 · Score: 3, Insightful
  
  Good wireless keyboards and mice encrypt the data. Microsoft hardware does this, and I believe that at least some of it also uses Nordic chips.
  This isn't really a security vulnerability at all. It's like trying to argue that ethernet is insecure. It's a transport layer, the security comes higher up the chain at the application level. Individual devices may fail to do this, but the author of the blog post made no attempt to determine how many of the devices he claims he could see fit into this category.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re: wireless keyboards and mouse by Joce640k · 2014-01-21 06:34 · Score: 1
  
  Good wireless keyboards and mice encrypt the data. Microsoft hardware does this
  Yeah, right...
  https://www.google.com/search?...
  
  --
  No sig today...
3. Re: wireless keyboards and mouse by Anonymous Coward · 2014-01-21 09:02 · Score: 0
  
  mice?
  What useful data can you deduce from mouse clicks and movements if you don't have access to the screen? I'm missing something so I would like to know what because I cannot think of any application where it would be a security issue if some unauthorized party got the mouse movements and clicks made. Not to mention that the simplicity of data a mouse can send means that if it must be secure, the encryption has to be pretty good. When the set of possible values is so small (move up/down/right/left + click right/left) it's vulnerable to many attacks that e.g. text isn't in practice.
4. Re: wireless keyboards and mouse by Anonymous Coward · 2014-01-21 09:44 · Score: 0
  
  Logitech encrypts.
Well, that was LUdditic by Anonymous Coward · 2014-01-21 05:29 · Score: 0

As we all know, we can 3D print any hardware we want. Can't someone just 3D print a new transceiver and we can download a new one?
Logic Violation Citation by briancox2 · 2014-01-21 05:35 · Score: 1, Flamebait

As far as I can see, this is the first time NRF24L01+ is being decoded, especially considering the low entry price for the hardware.
begin sarcasm:: It is either the first time or it is not the first time. There is nothing that makes it "especially" so. Your violation has been noted. You will be watched for further grammar/logic errors in the future. Tread carefully on Slashdot.

--
We should learn what we need to know about issues, before we decide what we need to feel about them.
1. Re:Logic Violation Citation by Anonymous Coward · 2014-01-21 06:16 · Score: 0
  
  you forgot to end the sarcasm
2. Re:Logic Violation Citation by Joce640k · 2014-01-21 06:16 · Score: 2
  
  I can't imagine it was very difficult. It's not as if they're trying to hide anything or even pretending it's secure.
  It's a 2.4GHz transmitter using GFSK modulation. All the information is in the datasheet, downloadable from their website.
  You can get transceivers for a couple of bucks on eBay. Knock yourself out...
  
  --
  No sig today...
3. Re:Logic Violation Citation by foobar+bazbot · 2014-01-21 08:08 · Score: 1
  
  you forgot to end the sarcasm
  YMBNH; on /., the sarcasm never ends.
create a secure computer by swschrad · 2014-01-21 05:40 · Score: 1

1) dig a hole 30 feet deep, say, 10x10 feet.
2) drop computer in.
3) no wires, dammit, take those out.
4) fill with concrete.
5) place crew-served weapons on top 24x7 for eternity.
that's the only way. it would also help to nuke the machine in a microwave for a minute first so all the chips are back to sand.

--
if this is supposed to be a new economy, how come they still want my old fashioned money?
1. Re:create a secure computer by Anonymous Coward · 2014-01-21 06:03 · Score: 0
  
  1) dig a hole 30 feet deep, say, 10x10 feet.
  2) drop computer in.
  3) no wires, dammit, take those out.
  4) fill with concrete.
  5) place crew-served weapons on top 24x7 for eternity.
  that's the only way. it would also help to nuke the machine in a microwave for a minute first so all the chips are back to sand.
  Ha, let's see 'em try to sniff RF signals off my difference engine!
2. Re:create a secure computer by wonkey_monkey · 2014-01-21 06:03 · Score: 2
  
  Someone digs in from miles away, steals the computer - you forgot to pour any concrete in before the computer, and even if you did they could take their time cutting through it - and you're completely oblivious to the crime. I'd put it in a glass box at the top of a greasy pole in the middle of the gun-toters.
  
  --
  systemd is Roko's Basilisk.
3. Re:create a secure computer by plover · 2014-01-21 06:32 · Score: 1
  
  Ha, let's see 'em try to sniff RF signals off my difference engine!
  You kid, but a radar set could easily do just that.
  
  --
  John
4. Re:create a secure computer by evilviper · 2014-01-21 09:02 · Score: 1
  
  I'd put it in a glass box at the top of a greasy pole in the middle of the gun-toters.
  Then somebody drives up in a bucket-truck, wearing a high-visibility shirt with the city/county/state logo on it, and smiles at everyone passing by, while he robs you....
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
What security does Bluetooth have? by gstoddart · 2014-01-21 05:40 · Score: 2

I've always suspected pretty much none at all, which is why I keep it turned off unless I really specifically need it -- that and it sucks battery life.
So, what do the people who know the protocols say? Is Bluetooth a protocol with any actual security, or is it just a lame, wide-open security hole written by lazy people who don't care?

--
Lost at C:>. Found at C.
1. Re:What security does Bluetooth have? by plover · 2014-01-21 05:48 · Score: 1
  
  The security is "adequate" for most people. However, it's not perfect: http://www.hackfromacave.com/p...
  
  --
  John
2. Re:What security does Bluetooth have? by Megol · 2014-01-21 05:50 · Score: 1
  
  The question could be answered by a search string shorter than your post - I'd suggest you'd learn to optimize.
  Yes BT supports encryption, or not. It depends on what is sent and how.
3. Re:What security does Bluetooth have? by gstoddart · 2014-01-21 06:00 · Score: 1
  
  The question could be answered by a search string shorter than your post - I'd suggest you'd learn to optimize.
  I know how to use google there, skippy.
  But since Slashdot is most useful when we put these things into the comment threads, I opted for that.
  But, hey, you can feel free to continue to be a smarmy little wanker who thinks the rest of us don't know how to use search engines.
  Because, your "yes, maybe, sorta" adds nothing of value to the discussion.
  
  --
  Lost at C:>. Found at C.
4. Re:What security does Bluetooth have? by Anonymous Coward · 2014-01-21 06:03 · Score: 0
  
  you're a fuckwit. Plain and simple... and since you were called out, you're double-sacked.
  Loser.
5. Re:What security does Bluetooth have? by AmiMoJo · 2014-01-21 06:04 · Score: 2
  
  BTLE has minimal security. It is designed to be low power and low range, and most devices are transmit only. I suppose they were hoping that limited range and the transmit only nature of most devices would be enough to get away with extremely minimal security, but in practice users probably don't want other people to be able to monitor their heart rate sensor or send messages to their smart watch.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:What security does Bluetooth have? by Anonymous Coward · 2014-01-21 06:26 · Score: 0
  
  Awww, did your daddy cum in your ass again, and now you feel the need to throw a tantrum to be sure people are still listening?
7. Re:What security does Bluetooth have? by Ingenium13 · 2014-01-21 06:31 · Score: 1
  
  It used to suck battery on my older phones, but on my last 2 phones (current being Galaxy S4) it doesn't even register most of the time. Bluetooth is integrated into the same chip as wifi, so if you leave wifi on then it shouldn't really use any extra power.
8. Re:What security does Bluetooth have? by gstoddart · 2014-01-21 06:36 · Score: 1
  
  Bluetooth is integrated into the same chip as wifi, so if you leave wifi on then it shouldn't really use any extra power.
  Well, I'm not really prepared to leave wifi on for well documented reasons.
  Wifi and Bluetooth are turned on only as needed -- anything else seems like a dumb idea.
  
  --
  Lost at C:>. Found at C.
9. Re:What security does Bluetooth have? by mpeg4codec · 2014-01-21 07:22 · Score: 4, Informative
  
  Hi, I'm a Bluetooth Security researcher. My primary focus is on BLE for which I built a highly robust sniffer on the Ubertooth platform. I have experience in other aspects of Bluetooth.
  TL;DR: Classic Bluetooth is very secure, BLE is secure under some circumstances. Even if you leave your Bluetooth on in discoverable mode, there isn't much an attacker can do to harm you barring bugs in your Bluetooth stack.
  Bluetooth is a well-designed protocol stack that takes security seriously in its design. Implementation quality (and bugs therein) varies from stack to stack. It's always a good idea to disable Bluetooth if you aren't using it, as is the case with any other remotely accessible feature.
  Classic Bluetooth has used Secure Simple Pairing (SSP) since 2.1 in 2007. This pairing mechanism is based on ECDH to provide perfect forward secrecy and is highly secure. There was one weakness discovered in the numeric entry pin mode in 2008 by Andrew Lindell. This mode is not commonly used in older devices and more recent devices do not implement it. It's effectively impossible for an attacker to sniff any data sent over Bluetooth with SSP.
  BLE has major weaknesses in its pairing protocol that I spoke about at BlackHat USA 2013 and other venues. For the most recent video see my presentation at USENIX WOOT 13.
  In BLE, a passive eavesdropper who is present during pairing can recover the secret key used to encrypt all communications. This effectively makes the security worthless. However, if the attacker is not present during pairing then the encryption is very effective. It uses AES-CCM and doesn't have any major flaws in the design. AES-CCM is used in WPA2-AES; it's well-established and has no major shortcomings.
  Finally, some Bluetooth stack implementations have bugs. I've found remote bugs in one major vendor's stack.
10. Re:What security does Bluetooth have? by Chelloveck · 2014-01-21 07:27 · Score: 1
  
  users probably don't want other people to be able to monitor their heart rate sensor
  I should say not! Hell, if hackers can monitor your heart rate sensor they can get in and adjust it. Make your heart race until it explodes! This is why we need to restrict the transceiver technology this article talks about. Keep it in the hands of licensed professionals. It's just too dangerous to let hackers get anywhere near it.
  
  --
  Chelloveck
  I give up on debugging. From now on, SIGSEGV is a feature.
11. Re:What security does Bluetooth have? by jodosh · 2014-01-21 08:37 · Score: 1
  
  That well documented reason is only an issue if you have your device try to join any open WiFi network. Why that is even an option is beyond me, but leaving WiFi on is not itself a problem.
12. Re:What security does Bluetooth have? by dfsmith · 2014-01-21 09:03 · Score: 1
  
  You can adjust the heart rate of someone nearby by telling them a joke. ("Wenn ist das Nunstück git und Slotermeyer?", etc.)
13. Re:What security does Bluetooth have? by AmiMoJo · 2014-01-21 09:18 · Score: 1
  
  Did you read the bit about it being transmit only? It has no receiver, you can't send commands to it. Even if you could it doesn't have any control over your heart, it is just a sensor.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Uh, Nordic documents its over the air protocols... by tlambert · 2014-01-21 06:03 · Score: 2

Uh, Nordic documents its over the air protocols...
https://devzone.nordicsemi.com...
Fun project but... by svirre · 2014-01-21 06:18 · Score: 1

why so much complexity to decode a standardized protocol.
Just to be clear. This is no security breach this is just a very complicated way to set up a demodulator. All that happens is that this guy pulls out the bits from the on-air datastream. Any reasonably configurable 2.4GHz band RF device capable of 1Mbit GFSK would be able to do this.
BLE uses AES to encrypt the channel, so to compromise security you need to extract the key. You either need to compromise the initial key exchange, or you need to perform a successful side channel attack. Both options are certanly viable technically. However in practice. BLE devices pair once at the start of their life and never again limiting the practical scope of a key extractioppn by key exchange comprtomise. Side channel attacks require physical access and as BLE devices tend to be in physical control of their user this is also a bit challenging.
1. Re:Fun project but... by plover · 2014-01-21 06:38 · Score: 1
  
  If you can force errors to cause the user to perform another key exchange that you can compromise, it's still game over. Never pair your Bluetooth devices in an untrustworthy location, especially if they "used to work".
  
  --
  John
RTFA, everyone... by Shoten · 2014-01-21 06:19 · Score: 4, Informative

He isn't decrypting the traffic; he's just able to pull the raw packets from the air and express then, still encrypted, as data. And for BTLE, he isn't even able to do that, as he can't manage the frequency agility. So he isn't even seeing the encrypted data, just the BT advertisements...which you can already do with a variety of tools (bluetoothscan, bluelog, etc.) and a cheap BT dongle with greater range than the setup he has put together.
It's a clever kluge for capturing and reading 2.4 GHz traffic with a sub-2.2 GHz device on the cheap but it's not really meaningful from a security perspective.

--

For your security, this post has been encrypted with ROT-13, twice.
1. Re:RTFA, everyone... by mpeg4codec · 2014-01-21 07:32 · Score: 1
  
  I built a BLE sniffer on Ubertooth which does capture traffic on BLE data channels. Also I wrote a tool that can crack the pairing protocol and decrypt the data.
  It is more expensive than the sniffer in the article ($120) but very robust. I achieve the requisite frequency agility by handling timing in real-time on the microcontroller on the dongle.
Not even close to the first time on nRF24l01+ by Anonymous Coward · 2014-01-21 07:00 · Score: 1

This is not a hack. This is a kludge that is more expensive and way more complicated than any competent person could have done by reading the datasheet and using the device as it was intended. I know this because I use it this way on a project I'm working on right now.
There is no security on the nRF24l01+. It transmits in the clear and describes how it does so in it's publicly and freely available datasheet.
The nRF24l01+ data has been decoded millions of times - by other nRF24l01+ devices. If you just buy one of their modules (Under $3, about $1 in bulk) and set it as a receiver with no ACK packets, you can decode whatever you like by selecting one of the 3 speed options and scanning the 128 frequency channels until you see a 1 in the Recieved Power Detector register. Then it's a matter of selecting one of the 32 addresses so it will accept the data. In all, should take less than an hour to program and set up on an Arduino, a little longer but cheaper on a TI MSP430f2012 (Under $7 total).
RTLSDR is NOT tranceiver! by Anonymous Coward · 2014-01-21 07:18 · Score: 0

The RTLSDR is a receiver ONLY! To actually transmit, it would require a USRP or similar, costing 100s of dollars.
Re:Uh, Nordic documents its over the air protocols by Chelloveck · 2014-01-21 07:19 · Score: 1

This reminds me of a 2600 article I saw way back in the day. The authors had painstakingly reverse engineered the analog cellular system control channel. I read the article, saw the trouble they went through and where they drew the wrong conclusions, and thought to myself, "Guys, you know you can just go buy the actual spec, right?"

--
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Why is this a big deal? by Bender_ · 2014-01-21 08:36 · Score: 2

This is a nice hack, but in the end, he just build a receiver for the 2.4Ghz band. Big deal.
There has been a much nicer hack to convert a nRF24L01 into a promiscuous listening device:
http://travisgoodspeed.blogspo...
This achieves a very similar goal, but much cheaper.
It's not just reading, it's writing too by dutchwhizzman · 2014-01-21 10:22 · Score: 2

If you can intercept the traffic, you can also take over control over the peripheral and write. Once you control someones mousepointer, you suddenly have a lot more power, no?

--
I was promised a flying car. Where is my flying car?
1. Re:It's not just reading, it's writing too by chihowa · 2014-01-21 15:17 · Score: 1
  
  You can't transmit with an RTL-SDR, it's just a software defined receiver. You can, however, just buy a NRF24L01+ IC and build your own transceiver like you always could.
  The novelty here is decoding the transmissions using an RTL-SDR, not in decoding the transmissions in general.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Microsoft keyboard sniffing. by Anonymous Coward · 2014-01-21 20:31 · Score: 0

Microsoft keyboards use XOR with the 5-byte MAC address.
http://travisgoodspeed.blogspot.de/2011/02/promiscuity-is-nrf24l01s-duty.html