Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sniffing and Decoding NRF24L01+ and Bluetooth LE Packets For Under $30

Posted by timothy on from the on-the-cheap dept.

An anonymous reader writes "I was able to decode NRF24L01+ and Bluetooth Low Energy protocols using RTL-SDR. As far as I can see, this is the first time NRF24L01+ is being decoded, especially considering the low entry price for the hardware. Given the extreme popularity of this transceiver, we are likely to see a wave of hackers attacking the security of many wireless gadgets, and they are likely to succeed as security is usually the last priority for hardware designers of such cheap gadgets. A lot of work has been done to decode bluetooth using dedicated hardware, and I am sure this software can be adapted to output the right format as input to existing Bluetooth decoders such as Wireshark."

11 of 46 comments (clear)

  1. wireless keyboards and mouse by nobuddy · · Score: 3, Insightful

    Who needs a keylogger when you can just pipe their output to your local machine directly?

    1. Re: wireless keyboards and mouse by AmiMoJo · · Score: 3, Insightful

      Good wireless keyboards and mice encrypt the data. Microsoft hardware does this, and I believe that at least some of it also uses Nordic chips.

      This isn't really a security vulnerability at all. It's like trying to argue that ethernet is insecure. It's a transport layer, the security comes higher up the chain at the application level. Individual devices may fail to do this, but the author of the blog post made no attempt to determine how many of the devices he claims he could see fit into this category.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. What security does Bluetooth have? by gstoddart · · Score: 2

    I've always suspected pretty much none at all, which is why I keep it turned off unless I really specifically need it -- that and it sucks battery life.

    So, what do the people who know the protocols say? Is Bluetooth a protocol with any actual security, or is it just a lame, wide-open security hole written by lazy people who don't care?

    --
    Lost at C:>. Found at C.
    1. Re:What security does Bluetooth have? by AmiMoJo · · Score: 2

      BTLE has minimal security. It is designed to be low power and low range, and most devices are transmit only. I suppose they were hoping that limited range and the transmit only nature of most devices would be enough to get away with extremely minimal security, but in practice users probably don't want other people to be able to monitor their heart rate sensor or send messages to their smart watch.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:What security does Bluetooth have? by mpeg4codec · · Score: 4, Informative

      Hi, I'm a Bluetooth Security researcher. My primary focus is on BLE for which I built a highly robust sniffer on the Ubertooth platform. I have experience in other aspects of Bluetooth.

      TL;DR: Classic Bluetooth is very secure, BLE is secure under some circumstances. Even if you leave your Bluetooth on in discoverable mode, there isn't much an attacker can do to harm you barring bugs in your Bluetooth stack.

      Bluetooth is a well-designed protocol stack that takes security seriously in its design. Implementation quality (and bugs therein) varies from stack to stack. It's always a good idea to disable Bluetooth if you aren't using it, as is the case with any other remotely accessible feature.

      Classic Bluetooth has used Secure Simple Pairing (SSP) since 2.1 in 2007. This pairing mechanism is based on ECDH to provide perfect forward secrecy and is highly secure. There was one weakness discovered in the numeric entry pin mode in 2008 by Andrew Lindell. This mode is not commonly used in older devices and more recent devices do not implement it. It's effectively impossible for an attacker to sniff any data sent over Bluetooth with SSP.

      BLE has major weaknesses in its pairing protocol that I spoke about at BlackHat USA 2013 and other venues. For the most recent video see my presentation at USENIX WOOT 13.

      In BLE, a passive eavesdropper who is present during pairing can recover the secret key used to encrypt all communications. This effectively makes the security worthless. However, if the attacker is not present during pairing then the encryption is very effective. It uses AES-CCM and doesn't have any major flaws in the design. AES-CCM is used in WPA2-AES; it's well-established and has no major shortcomings.

      Finally, some Bluetooth stack implementations have bugs. I've found remote bugs in one major vendor's stack.

  3. Re:create a secure computer by wonkey_monkey · · Score: 2

    Someone digs in from miles away, steals the computer - you forgot to pour any concrete in before the computer, and even if you did they could take their time cutting through it - and you're completely oblivious to the crime. I'd put it in a glass box at the top of a greasy pole in the middle of the gun-toters.

    --
    systemd is Roko's Basilisk.
  4. Uh, Nordic documents its over the air protocols... by tlambert · · Score: 2

    Uh, Nordic documents its over the air protocols...

    https://devzone.nordicsemi.com...

  5. Re:Logic Violation Citation by Joce640k · · Score: 2

    I can't imagine it was very difficult. It's not as if they're trying to hide anything or even pretending it's secure.

    It's a 2.4GHz transmitter using GFSK modulation. All the information is in the datasheet, downloadable from their website.

    You can get transceivers for a couple of bucks on eBay. Knock yourself out...

    --
    No sig today...
  6. RTFA, everyone... by Shoten · · Score: 4, Informative

    He isn't decrypting the traffic; he's just able to pull the raw packets from the air and express then, still encrypted, as data. And for BTLE, he isn't even able to do that, as he can't manage the frequency agility. So he isn't even seeing the encrypted data, just the BT advertisements...which you can already do with a variety of tools (bluetoothscan, bluelog, etc.) and a cheap BT dongle with greater range than the setup he has put together.

    It's a clever kluge for capturing and reading 2.4 GHz traffic with a sub-2.2 GHz device on the cheap but it's not really meaningful from a security perspective.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  7. Why is this a big deal? by Bender_ · · Score: 2

    This is a nice hack, but in the end, he just build a receiver for the 2.4Ghz band. Big deal.

    There has been a much nicer hack to convert a nRF24L01 into a promiscuous listening device:

    http://travisgoodspeed.blogspo...

    This achieves a very similar goal, but much cheaper.

  8. It's not just reading, it's writing too by dutchwhizzman · · Score: 2

    If you can intercept the traffic, you can also take over control over the peripheral and write. Once you control someones mousepointer, you suddenly have a lot more power, no?

    --
    I was promised a flying car. Where is my flying car?