Crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and the other data captured from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be recovered. With the STK and LTK, all communications between the master and the slave can be decrypted.
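The size of the TK search space is fixed at pairing time by the association model the two devices negotiate in the SMP Pairing Request and Pairing Response. The following Python is an added example, not crackle's own code: it parses those two PDUs as laid out in the Bluetooth Core Specification (Vol 3, Part H), applies the legacy pairing method selection rules, and reports how many TK values a capture of that pairing leaves to guess (one for Just Works, a million for Passkey Entry, the full 128 bits for OOB) and when LE Secure Connections takes the TK out of the picture entirely. The sample PDUs at the bottom are constructed for this example, and the `audit_pairing` helper and its result keys are names chosen here.

```python
"""Audit a captured BLE SMP pairing exchange for a guessable Temporary Key.

Added example, not crackle's own code. It parses the SMP Pairing Request
(opcode 0x01) and Pairing Response (0x02) PDUs laid out in the Bluetooth
Core Specification (Vol 3, Part H) and reports which association model
the two devices negotiated, and therefore how many TK values a capture
of that pairing leaves to guess. The sample PDUs at the bottom are
constructed for this example.
"""
from dataclasses import dataclass

SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02

# IO Capability values (Pairing Request/Response, octet 1)
IO_CAPABILITY = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
                 0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
DISPLAY_ONLY_CAPS = {0x00, 0x01}      # can show a passkey but cannot type one
NO_IO = 0x03

# AuthReq bits (octet 3)
AUTHREQ_MITM = 0x04   # bit 2: MITM protection requested
AUTHREQ_SC = 0x08     # bit 3: LE Secure Connections supported


@dataclass(frozen=True)
class PairingFeatures:
    io_capability: int
    oob_present: bool
    mitm: bool
    secure_connections: bool
    max_key_size: int


def parse_pairing_pdu(pdu: bytes, expected_opcode: int) -> PairingFeatures:
    """Parse one 7-byte SMP Pairing Request/Response PDU, rejecting malformed input."""
    if len(pdu) != 7:
        raise ValueError(f"pairing PDU must be 7 bytes, got {len(pdu)}")
    if pdu[0] != expected_opcode:
        raise ValueError(f"expected opcode {expected_opcode:#04x}, got {pdu[0]:#04x}")
    io_cap, oob_flag, authreq, key_size = pdu[1], pdu[2], pdu[3], pdu[4]
    if io_cap not in IO_CAPABILITY:
        raise ValueError(f"reserved IO capability {io_cap:#04x}")
    if not 7 <= key_size <= 16:
        raise ValueError(f"max encryption key size {key_size} outside 7..16")
    return PairingFeatures(io_cap, oob_flag == 0x01, bool(authreq & AUTHREQ_MITM),
                           bool(authreq & AUTHREQ_SC), key_size)


def legacy_association_model(init: PairingFeatures, resp: PairingFeatures) -> str:
    """Legacy pairing method selection (Core spec Vol 3 Part H, 2.3.5.1)."""
    if init.oob_present and resp.oob_present:
        return "Out of Band"
    if not (init.mitm or resp.mitm):
        return "Just Works"
    caps = (init.io_capability, resp.io_capability)
    if NO_IO in caps or all(c in DISPLAY_ONLY_CAPS for c in caps):
        return "Just Works"        # legacy pairing has no numeric comparison
    return "Passkey Entry"


def audit_pairing(request_pdu: bytes, response_pdu: bytes) -> dict:
    """Report the negotiated model and the size of the TK space it leaves."""
    init = parse_pairing_pdu(request_pdu, SMP_PAIRING_REQUEST)
    resp = parse_pairing_pdu(response_pdu, SMP_PAIRING_RESPONSE)
    key_size = min(init.max_key_size, resp.max_key_size)   # negotiated key size
    if init.secure_connections and resp.secure_connections:
        # ECDH key agreement: no TK is involved, so a TK brute force does not apply
        return {"model": "LE Secure Connections", "tk_candidates": None,
                "key_size": key_size, "legacy_tk_guessable": False}
    model = legacy_association_model(init, resp)
    tk_candidates = {"Just Works": 1, "Passkey Entry": 10 ** 6,
                     "Out of Band": 2 ** 128}[model]
    return {"model": model, "tk_candidates": tk_candidates, "key_size": key_size,
            "legacy_tk_guessable": tk_candidates <= 10 ** 6}


# Constructed sample PDUs: opcode, IO cap, OOB flag, AuthReq, max key size,
# initiator key distribution, responder key distribution.
JUST_WORKS_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])  # NoInputNoOutput
JUST_WORKS_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])
PASSKEY_REQ = bytes([0x01, 0x02, 0x00, 0x05, 0x10, 0x01, 0x01])     # KeyboardOnly, MITM
PASSKEY_RSP = bytes([0x02, 0x00, 0x00, 0x05, 0x07, 0x01, 0x01])     # DisplayOnly, 7-byte key
LESC_REQ = bytes([0x01, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])        # DisplayYesNo, MITM|SC
LESC_RSP = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])

if __name__ == "__main__":
    for name, req, rsp in [("just works", JUST_WORKS_REQ, JUST_WORKS_RSP),
                           ("passkey", PASSKEY_REQ, PASSKEY_RSP),
                           ("lesc", LESC_REQ, LESC_RSP)]:
        print(name, audit_pairing(req, rsp))
```

The two SMP PDUs are sent in the clear at the start of every pairing, so the same check can be run over a capture to tell, before any cracking attempt, whether the pairing is Just Works (TK is always 0, which is exactly the "using a TK of 0" case crackle reports), Passkey Entry (a six-digit TK), or LE Secure Connections (no TK to crack). The negotiated key size is reported alongside because a peer that advertises a small maximum key size truncates the LTK to that many bytes.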
If it's not installed on your Linux system, simply type:
apt-get update
apt-get install crackle
root@kali:~# crackle
Usage: crackle -i <input.pcap> [-o <output.pcap>] [-l <ltk>]
Cracks Bluetooth Low Energy encryption (AKA Bluetooth Smart)
Major modes: Crack TK // Decrypt with LTK
Crack TK:
Input PCAP file must contain a complete pairing conversation. If any
packet is missing, cracking will not proceed. The PCAP file will be
decrypted if -o <output.pcap> is specified. If LTK exchange is in
the PCAP file, the LTK will be dumped to stdout.
Decrypt with LTK:
Input PCAP file must contain at least LL_ENC_REQ and LL_ENC_RSP
(which contain the SKD and IV). The PCAP file will be decrypted if
the LTK is correct.
LTK format: a string of hex bytes, no separator, most-significant
octet to least-significant octet.
Example: -l 81b06facd90fe7a6e9bbd9cee59736a7
-v Be verbose
-t Run tests against crypto engine
CRACKLE USAGE EXAMPLE
root@kali:~# crackle -i ltk_exchange.pcap -o ltk-decrypted.pcap
!!!
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
!!!
Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3