ATT Profiler is a Node.js tool for profiling a Bluetooth Low Energy peripheral, built on top of a modified copy of noble, Sandeep Mistry's BLE central library for Node.js. It enumerates the services and characteristics exposed by a device and attempts to identify the lowest level of link security at which each characteristic can be read, written or subscribed to.
The tool can also run a rudimentary "dictionary attack" against the pairing PIN (passkey), by repeating the pairing with different candidate PIN values.
Install Node.js.
On Linux you also need:
- Kernel version 3.6 or above
- libbluetooth-dev and related packages:
sudo apt-get install bluetooth bluez libbluetooth-dev libudev-dev
node-gyp requirements for Windows: install the required tools and configuration using Microsoft's windows-build-tools from an elevated PowerShell or cmd.exe (run as Administrator):
npm install --global --production windows-build-tools
node-bluetooth-hci-socket prerequisites (Windows):
- Compatible Bluetooth 4.0 USB adapter
- WinUSB driver setup for Bluetooth 4.0 USB adapter, using Zadig tool
Download the project, then navigate to /app/external/noble/ and run:
npm install
On Linux, make sure the bluetoothd service is not running, since it would otherwise compete with the tool for the raw HCI socket:
sudo systemctl stop bluetooth
Stopping the service also takes the adapter down, so you need to bring the HCI interface back up manually. Assuming hci0:
sudo hciconfig hci0 up
Start the tool from within the project folder. On Linux, root is required for the raw HCI socket:
sudo node index
On Windows, from within the project folder:
node index
The switches "-r", "-w" and "-n" check Read, Write and Notify access respectively. If no switch is given, only Read access is checked. For example, to check Write security:
node index -w
By default, an access type is only checked for characteristics that declare the matching property: for Reads, only characteristics with the Read property set are tested. The "-a" switch performs the check for all characteristics regardless of their declared properties, which is worth doing because the property list is only what the device advertises, not what its ATT server actually enforces. For example, to check Read access for all characteristics:
node index -r -a
To check Read and Write for all characteristics:
node index -r -w -a
Use the -p flag to work with different passkey options.
-p <PIN>
supplies a static PIN on the command line. Works for devices with fixed PINs.
-p u
prompts for the PIN on the console at runtime. Applicable to devices that generate a dynamic PIN (for example, one shown on the device's display).
-p d
performs a dictionary "attack" to try to find the PIN. Useful for identifying weak static PINs, although any static PIN is inadvisable: a fixed passkey used with legacy pairing can also be recovered by passively sniffing a single pairing exchange.
By default, the tool writes a timestamped JSON file. If a specific name is required, specify it with the -o flag. Do not include a file extension.
-o <outputfilename>
If the tool gets stuck after "Connected to xx:xx:... ", or the device disconnects immediately after connecting, the system most likely still holds pairing information for the device from an earlier session. On Windows, delete or "forget" the pairing. On Linux, unpair with bt-device (from the bluez-tools package; it talks to bluetoothd over D-Bus, so run it before stopping the service):
bt-device -r xx:xx:xx:xx:xx:xx
where xx:xx:xx:xx:xx:xx is the MAC address of the peripheral.
You can double-check by listing the adapter's storage directory:
sudo ls /var/lib/bluetooth/YY:YY:YY:YY:YY:YY
Here YY:YY:YY:YY:YY:YY is the MAC address of the HCI interface on the test machine (BlueZ writes these directory names in upper case). There should be no file or folder named xx:xx:xx:xx:xx:xx (again, the MAC address of the peripheral); if one remains, deleting that directory while bluetoothd is stopped has the same effect as unpairing.
A Low Energy Profile: Analysing Characteristic Security on BLE Peripherals. Poster paper, published in the Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy (CODASPY 2018).
Some devices artificially "lock" access to some characteristics, which must first be "unlocked" by writing specific bytes to other characteristics. This is implementation-specific and is not detected by the Profiler; the output may show Read/Write Not Permitted or Unknown for such characteristics.
This script, especially when used with the -w switch, writes to characteristics whose function is unknown and may brick or otherwise render the test device unusable. We accept no responsibility if this should occur. Please understand the risks before running the script.
Only use the script on devices that belong to you!