crackle is a tool to crack Bluetooth Smart Encryption (BLE), it exploits a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.
crackle can guess or very quickly brute force the TK (temporary key) used in the pairing modes supported by most devices (Just Works and 6-digit PIN). With this TK, crackle can derive all further keys used during the encrypted session that immediately follows pairing.
The LTK (long-term key) is typically exchanged in this encrypted session, and it is the key used to encrypt all future communications between the master and slave. The net result: a passive eavesdropper can decrypt everything. Bluetooth Smart encryption is worthless.
Modes of Operation
Crack TK
This is the default mode used when providing crackle with an input file using -i.
In Crack TK mode, crackle brute forces the TK used during a BLE pairing event. crackle exploits the fact that the TK in Just Works(tm) and 6-digit PIN is a value in the range [0,999999] padded to 128 bits.
Decrypt with LTK
In Decrypt with LTK mode, crackle uses a user-supplied LTK to decrypt communications between a master and slave. This mode is identical to the decryption portion of Crack TK mode.
Usage
|
1 2 3 4 5 6 7 8 9 |
# crack TK mode $ crackle -i <file.pcap> -o <decrypted.pcap> TK found: 412741 LTK found: 26db138f0cc63a12dd596228577c4730 Done, processed 306 total packets, decrypted 17 # decrypting future communications with the above LTK $ crackle -i <file.pcap> -o <decrypted.pcap> -l 26db138f0cc63a12dd596228577c4730 Done, processed 373 total packets, decrypted 15 |
You can download crackle here:
Or read more here.