
I captured Bluetooth traffic between a Master Lock Vault Bluetooth smart padlock and an iPhone 6s. This was done using a Bluetooth sniffer, and the captured traffic was stored to a pcap file. Analysing it in Wireshark displays all the packets transferred between the two devices and the attributes that were changed during the write process. Obviously there's not much data exchanged between an iPhone and a locking device, so I was wondering: how is it possible to differentiate between encrypted and unencrypted Bluetooth traffic in this case?

The first capture is from my Mac, which appears to use encryption:

[screenshot: Mac capture]

[screenshot: Windows capture]

The other is from the Wireshark I'm using on my Windows machine, which has all the plugins necessary to view the files captured with Nordic's nRF Sniffer software. I don't understand how the same file can be displayed with completely different information.

Antonio
  • Have you tried looking at the data to see which you can read and which you can't? I know it sounds silly, but... – Rory Alsop Aug 22 '16 at 20:38
  • @RoryAlsop As it's a lock there isn't much data transferred between the two; if it was a continuous connection it would probably be easier to judge. What I can see in the captures is the lock advertising prior to a connection, the connection request, then there's the 'control opcode: LL_VERSION_IND', which I'm not too sure what it means, the received write response and finally the prepare-to-write response. For the write process I can see the code added to the attributes table, and I can also see the CID for all the packets. Does that suggest it's been decrypted? – Antonio Aug 22 '16 at 20:51
  • @RoryAlsop is it possible for me to add a screenshot here? It'll be easier for me to show you. – Antonio Aug 22 '16 at 20:53
  • @Antonio: It is indeed possible for you to add a screenshot. Click the "[edit]" link. Now click the "add image" button (the framed-mountain-range icon). Or, click anywhere in the text input box then press Ctrl+G. – unforgettableidSupportsMonica Aug 22 '16 at 23:29
  • OK, I've done it @unforgettableid, could you take a look to see if you could help me out please? The Windows capture doesn't appear to be encrypted from the look of it. – Antonio Aug 23 '16 at 02:12
  • @RoryAlsop I've added a screenshot now, could you also take a look at it please. – Antonio Aug 23 '16 at 02:14
  • @Antonio: The bottom screenshot is a bit blurry, and I can't zoom in. – unforgettableidSupportsMonica Aug 23 '16 at 02:14
  • @unforgettableid It seems to be coming up OK for me; would you like me to try and add a new screenshot? – Antonio Aug 23 '16 at 02:18
  • @Antonio: it's up to you. I can still read the text in it, it just takes a bit more effort. 1. Why do you think that the Mac screenshot shows encrypted data and the PC screenshot shows decrypted data? 2. Why do you want to view the exchange between the iPhone and the smart lock in the first place? – unforgettableidSupportsMonica Aug 25 '16 at 12:20
  • @unforgettableid 1) I have a feeling that this is due to the plugins that are installed to dissect the captured Bluetooth traffic. 2) I'm trying to understand how Bluetooth traffic is transmitted between devices and how secure this form of connection is. I am doing this as part of my research project. But I'm still not sure if the traffic I can see on the PC is encrypted or not. – Antonio Aug 29 '16 at 22:20
  • It looks like encrypted information framed with non-encrypted information. I don't know much about the Bluetooth protocol, but whenever you see nonsensical values that aren't aligned to anything (4-byte boundaries are a good clue) then I generally take it to be encrypted to some degree. – Qix - MONICA WAS MISTREATED Nov 18 '16 at 08:33

0 Answers