This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.

http://www.securitytube-training.com/online-courses/offensive-internet-of-things- exploitation/index.html

Student ID: IoTE-728

 

I examined a smart light bulb which can be controlled via Bluetooth Low Energy.

smartbulb

After I installed the device and installed and configured the mobile phone application of the smart bulb, I used an UD100 Bluetooth dongle and Blue Hydra to check the availability of the device. Blue Hydra is a tool and can be downloaded from here.

bluehydra

Blue Hydra showed that the name of the device is CHSmartBulb. It also showed the MC address of the device and the Bluetooth version. BTLE means Bluetooth Low Energy.

I used an Adafruit Blue Sniffer to capture the traffic. This device is capable of sniffing only BLE traffic, however a much cheaper alternative to Ubertooth. It can also capture into pcap file, which can be viewed in wireshark later. On Windows it can capture BLE traffic on the fly. However the dissector is not supported on the latest Wireshark.

I downloaded the python tool from github, plugged in the device and started the tool. The Adafruit Blue Sniffer was located on the /dev/ttyUSB0. I passed this as an argument to the tool.

The tool detected one device. I selected it and started the capture. The MAC address was the same I had detected earlier with Blue Hydra.

adafruit

The tool created a capture.pcap file in the logs folder. I loaded the pcap file in Wireshark.

wireshark

I found a packet which contained the CHSmartBulb text in cleartext form.

 

There was one vulnerability which was obvious without any further investigation. The Bluetooth pairing does not require any secret code or password (lack of authentication). Anybody can pair with this device with a mobile phone and the installed application.

I also examined the mobile application, but I did not find any other vulnerability.