crackle is a tool to crack Bluetooth Smart Encryption (BLE). It exploits a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.
crackle - Crack Bluetooth Smart Encryption (BLE)
crackle can guess or very quickly brute force the TK (temporary key) used in the pairing modes supported by most devices (Just Works and 6-digit PIN). With this TK, crackle can derive all further keys used during the encrypted session that immediately follows pairing.
The LTK (long-term key) is typically exchanged in this encrypted session, and it is the key used to encrypt all future communications between the master and slave. The net result: a passive eavesdropper can decrypt everything. Bluetooth Smart encryption is worthless.
Modes of Operation
Crack TK
This is the default mode used when providing crackle with an input file using -i.
In Crack TK mode, crackle brute forces the TK used during a BLE pairing event. crackle exploits the fact that the TK in Just Works(tm) and 6-digit PIN is a value in the range [0,999999] padded to 128 bits.
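The TK space crackle searches depends on which association model the two devices negotiated, and that is visible in the clear in the SMP Pairing Request/Response exchange. The following added Python example (not part of crackle) parses that pair of PDUs and reports the pairing method and how many candidate TKs it leaves an eavesdropper; the field layout and AuthReq bits follow the Bluetooth Core Spec (Vol 3, Part H), the legacy association-model table is simplified to its TK-relevant outcomes, and the sample PDUs are constructed.

```python
"""Classify a captured BLE pairing exchange by the size of its TK space."""
from dataclasses import dataclass
from typing import Optional, Tuple

# SMP pairing PDU layout (Bluetooth Core Spec Vol 3, Part H, 3.5.1 / 3.5.2):
# opcode, IO capability, OOB data flag, AuthReq, max key size, init/resp key dist.
SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE = 0x01, 0x02
AUTHREQ_MITM, AUTHREQ_SC = 0x04, 0x08          # bits 2 and 3 of AuthReq
IO_NO_INPUT_NO_OUTPUT = 0x03
IO_WITH_KEYBOARD = {0x02, 0x04}                 # KeyboardOnly, KeyboardDisplay

@dataclass
class PairingFeatures:
    io_cap: int
    oob: bool
    mitm: bool
    sc: bool
    max_key_size: int

def parse_pairing_pdu(pdu: bytes, opcode: int) -> PairingFeatures:
    """Parse a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] != opcode:
        raise ValueError("not the expected 7-byte SMP pairing PDU")
    authreq = pdu[3]
    return PairingFeatures(io_cap=pdu[1], oob=pdu[2] == 0x01,
                           mitm=bool(authreq & AUTHREQ_MITM),
                           sc=bool(authreq & AUTHREQ_SC), max_key_size=pdu[4])

def tk_keyspace(req: bytes, rsp: bytes) -> Tuple[str, Optional[int]]:
    """Return (pairing method, candidate TK count); None = no TK (ECDH instead)."""
    m = parse_pairing_pdu(req, SMP_PAIRING_REQUEST)
    s = parse_pairing_pdu(rsp, SMP_PAIRING_RESPONSE)
    if m.sc and s.sc:
        return "LE Secure Connections", None     # Bluetooth 4.2+, no TK to crack
    if m.oob and s.oob:
        return "Legacy OOB", 2 ** 128            # random 128-bit TK, infeasible
    # Legacy association model (Vol 3, Part H, 2.3.5.1), simplified: no MITM
    # request, a NoInputNoOutput peer, or no keyboard on either side all
    # collapse to Just Works, whose TK is the constant 0.
    if not (m.mitm or s.mitm) or IO_NO_INPUT_NO_OUTPUT in (m.io_cap, s.io_cap) \
            or (m.io_cap not in IO_WITH_KEYBOARD and s.io_cap not in IO_WITH_KEYBOARD):
        return "Legacy Just Works", 1
    return "Legacy Passkey Entry", 10 ** 6      # 6-digit PIN padded to 128 bits

# Constructed sample exchange: KeyboardDisplay initiator requesting MITM
# protection, DisplayOnly responder, no SC -> Passkey Entry, TK in [0, 999999].
SAMPLE_REQ = bytes.fromhex("01 04 00 05 10 07 07")
SAMPLE_RSP = bytes.fromhex("02 00 00 05 10 07 07")
```

Only exchanges reported as Legacy Just Works or Legacy Passkey Entry fall in the range crackle brute forces; devices that negotiate LE Secure Connections replace the TK with an ECDH key agreement and are not affected by this attack.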
Decrypt with LTK
In Decrypt with LTK mode, crackle uses a user-supplied LTK to decrypt communications between a master and slave. This mode is identical to the decryption portion of Crack TK mode.
Usage
# crack TK mode
$ crackle -i <file.pcap> -o <decrypted.pcap>
TK found: 412741
LTK found: 26db138f0cc63a12dd596228577c4730
Done, processed 306 total packets, decrypted 17
# decrypting future communications with the above LTK
$ crackle -i <file.pcap> -o <decrypted.pcap> -l 26db138f0cc63a12dd596228577c4730
Done, processed 373 total packets, decrypted 15
You can download crackle here