7

Intro: I'm coming to this problem without full familiarity with the Bluetooth stack and protocols, so this may require several rounds of editing as errors in my assumptions are revealed.

I'm attempting to connect to a Bluetooth device, a Scosche myTREK Pulse Monitor. I was able to connect to the device using the 'official' app for Android, and I captured the Bluetooth packet output using hcidump. I can read and understand the connection process up through the link key exchange; however, the device then sends an HCI Encrypt Change event, after which most (but not all) packets are labeled as ACL packets, and are difficult to interpret.

The basic question is: Does Bluetooth encrypt data, and is there a way to decrypt it securely? Is this related to the shift to ACL packets?

Here is a sample of the packet output provided by hcidump for a given connection, starting at the passing of the Link Key. ( > refers to the monitor sending data )

> HCI Event: Link Key Request (0x17) plen 6
  0000: ** ** ** ** ** **                                 ??????

< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
  0000: ** ** ** ** ** ** ** **  ** ** ** ** ** ** ** **  ???????????????
  0010: ** ** ** ** ** **                                 ??????

> HCI Event: Command Complete (0x0e) plen 10
  0000: 01 0b 04 00 ** ** ** ** ** **                    ....??????

> HCI Event: Encrypt Change (0x08) plen 4
  0000: 00 0c 00 01                                       ....

> ACL data: handle 12 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 1 scid 0x0040

< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 02 08 00  40 00 40 00 01 00 00 00  ........@.@.....

< ACL data: handle 12 flags 0x00 dlen 10
    0000: 06 00 01 00 0a 01 02 00  02 00                    ..........

> HCI Event: Number of Completed Packets (0x13) plen 5
  0000: 01 0c 00 02 00                                    .....

> ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Info rsp: type 2 result 0
      Extended feature mask 0x0000

< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 02 08 00  40 00 40 00 00 00 00 00  ........@.@.....

< ACL data: handle 12 flags 0x00 dlen 12
    0000: 08 00 01 00 04 02 04 00  40 00 00 00              ........@...

> HCI Event: Number of Completed Packets (0x13) plen 5
  0000: 01 0c 00 02 00                                    .....

> ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
      MTU 48 

< ACL data: handle 12 flags 0x00 dlen 18
    0000: 0e 00 01 00 05 03 0a 00  40 00 00 00 00 00 01 02  ........@.......
    0010: 30 00                                             0.

> ACL data: handle 12 flags 0x02 dlen 14
    L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 0
      Success

> ACL data: handle 12 flags 0x02 dlen 36
    L2CAP(d): cid 0x0040 len 32 [psm 0]
      0000: 06 00 01 00 1b 35 11 1c  00 00 00 00 de ca fa de  .....5......??·?
      0010: de ca de af de ca ca fe  00 26 35 03 09 00 04 00  ???»????.&5.....

< ACL data: handle 12 flags 0x00 dlen 33
    0000: 1d 00 40 00 07 00 01 00  18 00 15 35 13 35 11 09  ..@........5.5..
    0010: 00 04 35 0c 35 03 19 01  00 35 05 19 00 03 08 12  ..5.5....5......
    0020: 00                                                .

> HCI Event: Number of Completed Packets (0x13) plen 5
  0000: 01 0c 00 02 00                                    .....

> ACL data: handle 12 flags 0x02 dlen 12
    L2CAP(s): Disconn req: dcid 0x0040 scid 0x0040

< ACL data: handle 12 flags 0x00 dlen 12
    0000: 08 00 01 00 07 04 04 00  40 00 40 00              ........@.@.

> ACL data: handle 12 flags 0x02 dlen 12
    L2CAP(s): Connect req: psm 3 scid 0x0041

< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 03 05 08 00  40 00 41 00 00 00 00 00  ........@.A.....

> HCI Event: Number of Completed Packets (0x13) plen 5
  0000: 01 0c 00 02 00                                    .....

> ACL data: handle 12 flags 0x02 dlen 16
    L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
      MTU 895 

< ACL data: handle 12 flags 0x00 dlen 18
    0000: 0e 00 01 00 05 06 0a 00  41 00 00 00 00 00 01 02  ........A.......
    0010: 7f 03                                             ..

< ACL data: handle 12 flags 0x00 dlen 16
    0000: 0c 00 01 00 04 03 08 00  41 00 00 00 01 02 f5 03  ........A.....?.

> HCI Event: Number of Completed Packets (0x13) plen 5
  0000: 01 0c 00 02 00                                    .....

> ACL data: handle 12 flags 0x02 dlen 18
    L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 4
      MTU 1013

At this point, the payloads delivered by the device vary drastically between runs, much less within a single run. I've placed the remainder of the log in a pastebin for brevity: Link

Kenogu Labz
  • 1,094
  • 1
  • 9
  • 20

1 Answers1

7

Yes, bluetooth encrypts data over the air. And yes, this applies to ACL data. But the data you are seeing over the HCI interface is already decrypted. Your problem is that you don't know how to interpret the ACL data stream. There are a couple levels of protocol on top of ACL data. Unless your device documents their protocol, you may be out of luck. It's most likely that they are running SPP (serial port profile) or RFCOMM to talk to the android app. So you have the following nested protocol layers to decode SPP -> RFCOMM -> L2CAP -> ACL data.

It is also possible that your device/app do additional application level encryption on top of SPP. In that case, you're out of luck.

TJD
  • 11,800
  • 1
  • 26
  • 34