
Research On Bluetooth Low Energy Connection Blocking And Device Takeover Method

Posted on: 2020-11-25
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Xu
Full Text: PDF
GTID: 2428330590483225
Subject: Computer technology
Abstract/Summary:
With the rapid development of the Internet of Things, Bluetooth has become the most widely used short-range wireless communication protocol. Within the Bluetooth family, Bluetooth Low Energy (BLE) is favored by a wide variety of smart devices because of its low power consumption, and as a result BLE occupies a pivotal position in that family. At present, most attack and defense research on BLE focuses on cracking consumer-grade smart devices and on mining BLE protocol stack vulnerabilities in operating systems, while research on the attack and defense of the BLE link layer itself is very rare; the only related tool is BtleJack, published by the GitHub user virtualabs at DEF CON 26.

First, the paper analyzes BtleJack and points out its main problem: when reversing the parameters of a BLE connection, the tool takes too long, which causes BtleJack to fail when hijacking BLE connections whose connection parameters are updated frequently. Then the paper sets out a method for reversing an established BLE connection and, relative to BtleJack, improves the efficiency of sniffing the access address, cracking CRCInit, and cracking the hop increment. For the access address, it uses fast channel switching to improve sniffing efficiency; for CRCInit, it introduces a pseudo CRCInit to improve cracking efficiency; and for the hop increment, it uses Troikas (a lookup table, LUT, moved from the lower-level device to the host computer) to improve cracking efficiency. Next, based on the connection parameters obtained by reversing the BLE link-layer connection, the paper proposes an attack method that first blocks the two-way communication link between master and slave at the BLE link layer and then takes over the BLE device. For blocking connections, the core idea is to fill the frequency-hopping channels used by the target BLE connection with malicious data. For taking over the BLE device, the paper describes how to identify the target BLE device while it is in the anonymous state and then take over the target device's GATT server. Finally, the paper designs and carries out four experiments to quantify the degree of efficiency improvement and to verify the effectiveness of the attack method. The final experimental results show that the paper improves the efficiency of BtleJack in sniffing the access address by about 80.91%, the efficiency of cracking CRCInit by 52.17%, and the efficiency of cracking the hop increment by 21.68%. The experimental results also show that the proposed attack method of blocking the BLE link-layer connection and then taking over the BLE device is effective.
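The hop increment and channel map that the abstract names among the parameters a sniffer must recover determine a connection's hop sequence through Channel Selection Algorithm #1 (Bluetooth Core Specification Vol 6, Part B). The Python below is an added illustration, not code from the thesis or from BtleJack: it generates that sequence from the spec's rules and shows that a channel-map update makes a prediction built from stale parameters diverge, which is why a reversal that takes too long is overtaken by frequent parameter updates.

```python
"""Channel Selection Algorithm #1 from the Bluetooth Core Spec (Vol 6, Part B,
4.5.8.2). Added example; not code from the thesis or from BtleJack."""

DATA_CHANNELS = 37                    # data channels 0..36
ALL_CHANNELS = (1 << DATA_CHANNELS) - 1  # 37-bit channel map, all enabled


def used_channels(channel_map: int) -> list[int]:
    """Bit i of the channel map set means data channel i is used (ascending)."""
    return [ch for ch in range(DATA_CHANNELS) if channel_map >> ch & 1]


def hop_sequence(hop: int, channel_map: int, n: int, last_unmapped: int = 0) -> list[int]:
    """Channels of the next n connection events.

    unmapped = (last_unmapped + hop) mod 37; if that channel is in the map it is
    used directly, otherwise it is remapped to used[unmapped mod len(used)].
    last_unmapped is 0 at connection establishment.
    """
    if not 5 <= hop <= 16:
        raise ValueError("hopIncrement must be in 5..16")
    used = used_channels(channel_map)
    if len(used) < 2:
        raise ValueError("spec requires at least two used data channels")
    seq = []
    for _ in range(n):
        last_unmapped = (last_unmapped + hop) % DATA_CHANNELS
        if channel_map >> last_unmapped & 1:
            seq.append(last_unmapped)
        else:
            seq.append(used[last_unmapped % len(used)])
    return seq


def first_divergence(hop: int, old_map: int, new_map: int, update_at: int, n: int):
    """Index of the first event where a prediction made from old_map stops matching
    the real sequence after the channel map changes at event update_at (None if never).
    The unmapped channel after k events is k*hop mod 37, independent of the map."""
    predicted = hop_sequence(hop, old_map, n)
    actual = hop_sequence(hop, old_map, update_at) + hop_sequence(
        hop, new_map, n - update_at, last_unmapped=(update_at * hop) % DATA_CHANNELS)
    for i, (p, a) in enumerate(zip(predicted, actual)):
        if p != a:
            return i
    return None


if __name__ == "__main__":
    # Constructed parameters: hop increment 7, then channel 14 removed from the map.
    print(hop_sequence(7, ALL_CHANNELS, 7))                 # [7, 14, 21, 28, 35, 5, 12]
    print(first_divergence(7, ALL_CHANNELS, ALL_CHANNELS & ~(1 << 14), 1, 7))  # 1
```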
Keywords/Search Tags: Internet of Things, Bluetooth Low Energy, Protocol Reverse, Connection Block, Device Takeover