Classic Bluetooth is for audio (headphones). BLE is for data (commands, sensors) and is designed to be low power. Security was often an afterthought in the spec (until version 4.2).
The GATT Protocol
BLE organizes data into "Services" and "Characteristics", each identified by a UUID.
Example Smart Bulb:
- Service: `LightControl`
- Characteristic: `On/Off` (write '1' to turn on).
The Hack: Connect to the bulb with your phone (Nordic nRF Connect app) and just write '0' to the characteristic. If the characteristic requires no authentication, you control the lights.
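The defence against the write above is a permission check on the characteristic itself: the GATT server refuses the write unless the link has reached the security level the characteristic demands. The following is an added example (not code from the original page or from any real stack) that models a GATT server applying those checks with the real ATT error codes; the `Link` fields, `build_bulb` helper and the UUID are assumptions for illustration.

```python
"""Model of a GATT server enforcing per-characteristic security requirements.

Added example, not from the original page. The service/characteristic names
follow the smart-bulb example; the UUID, the Link fields and build_bulb() are
assumptions made for illustration.
"""
from dataclasses import dataclass

# ATT error codes as defined in the Bluetooth Core Specification (ATT protocol).
ATT_SUCCESS = 0x00
ATT_WRITE_NOT_PERMITTED = 0x03
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_ENCRYPTION = 0x0F


@dataclass
class Link:
    """Security state of one connection as the host stack would track it (assumed shape)."""
    encrypted: bool = False        # link encrypted by any pairing, including Just Works
    authenticated: bool = False    # pairing had MITM protection (passkey / numeric comparison)


@dataclass
class Characteristic:
    uuid: str
    value: bytes
    writable: bool = True
    require_encryption: bool = False
    require_authentication: bool = False

    def write(self, link: Link, data: bytes) -> int:
        """Apply the permission checks in order and return an ATT status code."""
        if not self.writable:
            return ATT_WRITE_NOT_PERMITTED
        # Authentication implies encryption, so check the stronger requirement first.
        if self.require_authentication and not link.authenticated:
            return ATT_INSUFFICIENT_AUTHENTICATION
        if self.require_encryption and not link.encrypted:
            return ATT_INSUFFICIENT_ENCRYPTION
        self.value = data
        return ATT_SUCCESS


def build_bulb(level: str) -> Characteristic:
    """Return the LightControl On/Off characteristic at one of three security levels.

    level: "open"  -> anyone who connects can write (the page's vulnerable bulb)
           "encrypted" -> any paired link, Just Works included, may write
           "authenticated" -> only a link paired with MITM protection may write
    """
    return Characteristic(
        uuid="0000ff01-0000-1000-8000-00805f9b34fb",   # assumed 128-bit UUID, constructed
        value=b"\x01",                                 # bulb starts switched on
        require_encryption=level in ("encrypted", "authenticated"),
        require_authentication=level == "authenticated",
    )


def attempt_writes(level: str) -> dict:
    """Try to switch the bulb off over links of increasing security; map link -> ATT status."""
    links = {
        "unpaired": Link(),
        "just_works": Link(encrypted=True, authenticated=False),
        "passkey": Link(encrypted=True, authenticated=True),
    }
    return {name: build_bulb(level).write(link, b"\x00") for name, link in links.items()}


if __name__ == "__main__":
    for level in ("open", "encrypted", "authenticated"):
        print(level, {k: hex(v) for k, v in attempt_writes(level).items()})
```

Note that the "encrypted" level only keeps out unpaired phones: a Just Works pairing still satisfies it, which is why a characteristic that actuates something physical should require authentication, not merely encryption.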
1. Sniffing with Ubertooth One
To hack a Smart Lock, you need to see what the legitimate app sends to the lock.
Use an Ubertooth One (hardware sniffer) to capture the packets over the air.
If the "Unlock" command is static (e.g., "UNLOCK_NOW"), you can just catch it and replay it later to open the door.
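A static command is replayable because nothing in it is bound to the current session. The fix at the application layer is a challenge-response: the lock issues a fresh random nonce, the app answers with a MAC over that nonce under a key shared at provisioning, and the lock discards the nonce once used. The following is an added example (not code from the original page or from any product) that puts the page's static `UNLOCK_NOW` lock beside a nonce-based one and runs the same "capture and replay" against both; the class names, the `b"UNLOCK"` domain label and the shared key are constructed for illustration.

```python
"""Static unlock command vs. challenge-response unlock, with a replay attempt on each.

Added example, not from the original page. Class names, the domain label and
the provisioning key are constructed for illustration; HMAC-SHA256 is used as
the MAC.
"""
import hashlib
import hmac
import secrets


class StaticLock:
    """The page's vulnerable design: one fixed byte string opens the door."""
    COMMAND = b"UNLOCK_NOW"

    def unlock(self, command: bytes) -> bool:
        return command == self.COMMAND


class ChallengeLock:
    """Lock that only accepts a MAC over a nonce it generated and has not seen used."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: set[bytes] = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)          # 128-bit random nonce per attempt
        self._outstanding.add(nonce)
        return nonce

    def unlock(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                          # unknown nonce, or one already used: replay
        self._outstanding.discard(nonce)          # consume before verifying, so a wrong
        expected = _mac(self._key, nonce)         # guess does not leave the nonce reusable
        return hmac.compare_digest(expected, response)


def _mac(key: bytes, nonce: bytes) -> bytes:
    # Domain label keeps this MAC distinct from any other message type under the same key.
    return hmac.new(key, b"UNLOCK" + nonce, hashlib.sha256).digest()


class App:
    """Legitimate phone app holding the key provisioned at setup."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return _mac(self._key, nonce)


def replay_static() -> tuple[bool, bool]:
    """(legitimate unlock succeeded, replayed capture succeeded) for the static design."""
    lock = StaticLock()
    captured = StaticLock.COMMAND                  # what a sniffer would have seen in the air
    return lock.unlock(captured), lock.unlock(captured)


def replay_challenge() -> tuple[bool, bool, bool]:
    """(legitimate unlock, replay of the captured pair, forged response with wrong key)."""
    key = secrets.token_bytes(32)                  # constructed provisioning key
    lock, app = ChallengeLock(key), App(key)

    nonce = lock.challenge()                       # sniffer sees nonce and response go by
    response = app.respond(nonce)
    legit = lock.unlock(nonce, response)
    replayed = lock.unlock(nonce, response)        # same bytes again: nonce already consumed

    # Without the key, a fresh challenge cannot be answered even with the old response.
    forged = lock.unlock(lock.challenge(), response)
    return legit, replayed, forged


if __name__ == "__main__":
    print("static   (legit, replay):", replay_static())
    print("nonce    (legit, replay, forged):", replay_challenge())
```

In a real device the outstanding-nonce set also needs a lifetime bound (expire unanswered challenges) so it cannot be filled up by a peer that requests challenges and never answers.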
2. BLE Encryption
Modern devices use encryption. But how do they exchange keys?
Often via "Just Works" pairing (no PIN).
If you sniff the very first pairing process, you can capture the key exchange and decrypt future traffic.
This works because "Just Works" pairing provides no protection against Man-in-the-Middle (MITM) attacks: there is no user-verified secret, so whoever observes or interposes on the pairing is indistinguishable from the legitimate peer.
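Whether a pairing ends up as Just Works, and whether it uses legacy pairing or LE Secure Connections, is decided by seven bytes exchanged in the SMP Pairing Request and Pairing Response (IO capability, OOB flag, AuthReq flags, key size, key distribution). The following is an added example (not code from the original page or from any sniffer tool) that decodes those two PDUs and reports the resulting association model, so a capture of a product's pairing can be audited for exactly the weakness described above. The field layout, flag bits and association-model rules follow the Bluetooth Core Specification (Vol 3, Part H); the sample PDUs and the risk wording are constructed for illustration.

```python
"""Decode SMP Pairing Request/Response PDUs and classify the pairing they negotiate.

Added example, not from the original page. PDU layout and flag bits are from
the Bluetooth Core Specification; the two sample exchanges are constructed.
"""
from dataclasses import dataclass, field

PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
IO_NAMES = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
            0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
AUTHREQ_MITM, AUTHREQ_SC = 0x04, 0x08          # AuthReq bit 2 and bit 3


@dataclass
class PairingPdu:
    code: int
    io_capability: str
    oob_present: bool
    bonding: bool
    mitm: bool
    secure_connections: bool
    max_key_size: int

    @classmethod
    def parse(cls, raw: bytes) -> "PairingPdu":
        if len(raw) != 7 or raw[0] not in (PAIRING_REQUEST, PAIRING_RESPONSE):
            raise ValueError("not a 7-byte SMP Pairing Request/Response")
        code, io_cap, oob, authreq, key_size, _init_dist, _resp_dist = raw
        if io_cap not in IO_NAMES or not 7 <= key_size <= 16:
            raise ValueError("reserved IO capability or out-of-range key size")
        return cls(code, IO_NAMES[io_cap], oob == 0x01, bool(authreq & 0x03),
                   bool(authreq & AUTHREQ_MITM), bool(authreq & AUTHREQ_SC), key_size)


@dataclass
class Assessment:
    model: str                       # Just Works / Passkey Entry / Numeric Comparison / OOB
    secure_connections: bool         # LE Secure Connections (ECDH) negotiated by both sides
    mitm_protected: bool
    risks: list[str] = field(default_factory=list)


def association_model(init_io: str, resp_io: str, mitm_any: bool, sc: bool) -> str:
    """IO-capability mapping from Core Spec Vol 3 Part H, section 2.3.5.1."""
    if not mitm_any or "NoInputNoOutput" in (init_io, resp_io):
        return "Just Works"
    if "KeyboardOnly" in (init_io, resp_io):
        return "Passkey Entry"
    if "DisplayOnly" in (init_io, resp_io):
        return "Passkey Entry" if "KeyboardDisplay" in (init_io, resp_io) else "Just Works"
    # Both sides can display and confirm a number.
    if sc:
        return "Numeric Comparison"
    return "Passkey Entry" if init_io == resp_io == "KeyboardDisplay" else "Just Works"


def assess(request: bytes, response: bytes) -> Assessment:
    req, resp = PairingPdu.parse(request), PairingPdu.parse(response)
    sc = req.secure_connections and resp.secure_connections
    oob = (req.oob_present or resp.oob_present) if sc else (req.oob_present and resp.oob_present)
    if oob:
        model = "Out of Band"
    else:
        model = association_model(req.io_capability, resp.io_capability, req.mitm or resp.mitm, sc)
    mitm_protected = model != "Just Works"
    risks = []
    if not mitm_protected:
        risks.append("Just Works: no MITM protection, no user-verified secret")
    if not sc:
        risks.append("Legacy pairing: key exchange is not protected against a passive observer")
    if min(req.max_key_size, resp.max_key_size) < 16:
        risks.append(f"Negotiated key size below 16 bytes ({min(req.max_key_size, resp.max_key_size)})")
    return Assessment(model, sc, mitm_protected, risks)


# Constructed sample exchanges (7-byte PDUs: code, IO cap, OOB, AuthReq, key size, init dist, resp dist).
PHONE_TO_LOCK_LEGACY = bytes([0x01, 0x04, 0x00, 0x01, 0x10, 0x01, 0x01])   # KeyboardDisplay, bonding only
LOCK_TO_PHONE_LEGACY = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])   # NoInputNoOutput, bonding only
PHONE_TO_LOCK_SC = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x01, 0x01])       # bonding | MITM | SC
LOCK_TO_PHONE_SC = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])       # DisplayYesNo, MITM | SC

if __name__ == "__main__":
    print(assess(PHONE_TO_LOCK_LEGACY, LOCK_TO_PHONE_LEGACY))
    print(assess(PHONE_TO_LOCK_SC, LOCK_TO_PHONE_SC))
```

The first exchange is the case the text warns about: a lock with no input or output can only ever pair with Just Works, and with the SC bit clear the key exchange is the legacy one. The second shows what a defensible product looks like on the wire: both sides set MITM and SC, and the lock has at least a yes/no button so Numeric Comparison is possible.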