Thursday, April 11, 2019

BLE

Bluetooth Low Energy
Now that we have read about ZigBee, the other most common communication protocol is BLE. BLE has applications in a number of areas in IoT, especially because it is one of the communication protocols that smartphones can speak.

You will find BLE in a number of smart devices, including those used for health care, smart home automation, retail, smart enterprises, and so on. BLE has a number of advantages over other communication protocols, including the ability to conserve power over a longer duration of time and extremely low usage of resources even with higher amounts of data transfer.

BLE was originally designed by Nokia under the name Wibree in 2006 and was later adopted by the Bluetooth Special Interest Group (SIG) in 2010. The Bluetooth 4.0 core specification was then released with a focus on a radio standard with low power consumption, targeting devices with limited resources, power, and bandwidth.
BLE Internals and Association
Before jumping into BLE security and the various exploitation techniques, let’s have a look at some of the BLE internals, so that we have a greater in-depth understanding of the foundational concepts when we are working with BLE-based IoT devices. Figure 10-19 shows the BLE stack structure.
Figure 10-19. Bluetooth Low Energy stack (Source: https://www.bluetooth.com/specifications/bluetooth-core-specification)

As you can see from Figure 10-19, the BLE stack consists of two different layers—Host and Controller—bound via the Host Controller Interface (HCI). All the different components in the various layers perform their own functionality; for example, the Physical layer is responsible for all the modulation and demodulation of the signals; the Link layer handles CRC generation, encryption, and defining how devices communicate with each other; and the Logical Link Control and Adaptation Protocol (L2CAP) takes multiple data formats from the upper layers and puts them into a BLE packet structure.

Chapter 10 Exploiting ZigBee and BLE
At the very top of the BLE stack, inside the Host layer, you will notice a couple more interesting components such as the Attribute Protocol (ATT), Generic Attribute Profile (GATT), and Generic Access Profile (GAP). Let’s explore what the functionalities of GAP and GATT are, as these are the two most important components in the BLE stack, and also something that you will encounter very frequently during your security research.

• GAP is responsible for all the discovery and related aspects in any BLE network. ATT defines the client/server protocol for data exchange, which is then grouped together into meaningful services using GATT.

• GATT is responsible for the entire exchange of all user data and profile information in a BLE connection.

So as you can imagine, it will be GATT (or ATT) that we are mostly concerned with during our further security research journey. As we go deep inside a BLE connection, it is also vital to understand how all of the data are stored on a device in a BLE connection. This is better illustrated in Figure 10-20.
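The ATT/GATT relationship described above, written out as an added Python example (not code from the original chapter): a flat ATT attribute table that GATT groups into services, and the server side of an ATT Read Request that refuses a characteristic requiring an authenticated link. The Generic Access service (0x1800) and Device Name (0x2A00) UUIDs are standard assigned numbers; the vendor service UUIDs 0xFFF0/0xFFF1 and the attribute values are constructed placeholders.

```python
from dataclasses import dataclass
# ATT opcodes and error codes (Bluetooth Core Specification, Attribute Protocol)
ATT_ERROR_RSP, ATT_READ_REQ, ATT_READ_RSP = 0x01, 0x0A, 0x0B
ERR_INVALID_HANDLE, ERR_INSUFFICIENT_AUTHN, ERR_REQ_NOT_SUPPORTED = 0x01, 0x05, 0x06
# GATT declaration UUIDs that group the flat attribute table into services
UUID_PRIMARY_SERVICE, UUID_CHARACTERISTIC = 0x2800, 0x2803

@dataclass
class Attribute:
    handle: int                # 16-bit address an ATT client uses to reach the attribute
    uuid: int                  # attribute type (16-bit UUIDs only, for brevity)
    value: bytes
    needs_authn: bool = False  # server requires an authenticated link before a read

def char_decl(props: int, value_handle: int, uuid: int) -> bytes:
    """Characteristic declaration value: properties | value handle | UUID, little-endian."""
    return bytes([props]) + value_handle.to_bytes(2, "little") + uuid.to_bytes(2, "little")

def build_db() -> list:
    """Constructed server: Generic Access (0x1800) with Device Name (0x2A00), plus a
    hypothetical vendor service (0xFFF0/0xFFF1 are placeholder UUIDs) gated by authn."""
    return [
        Attribute(0x0001, UUID_PRIMARY_SERVICE, (0x1800).to_bytes(2, "little")),
        Attribute(0x0002, UUID_CHARACTERISTIC, char_decl(0x02, 0x0003, 0x2A00)),
        Attribute(0x0003, 0x2A00, b"IoT Sensor"),
        Attribute(0x0010, UUID_PRIMARY_SERVICE, (0xFFF0).to_bytes(2, "little")),
        Attribute(0x0011, UUID_CHARACTERISTIC, char_decl(0x02, 0x0012, 0xFFF1)),
        Attribute(0x0012, 0xFFF1, b"\x01", needs_authn=True),
    ]

def group_by_service(db: list) -> dict:
    """GATT view of the ATT table: each primary service owns the characteristics after it."""
    services, current = {}, None
    for attr in sorted(db, key=lambda a: a.handle):
        if attr.uuid == UUID_PRIMARY_SERVICE:
            current = int.from_bytes(attr.value, "little")
            services[current] = []
        elif attr.uuid == UUID_CHARACTERISTIC and current is not None:
            services[current].append(int.from_bytes(attr.value[3:5], "little"))
    return services

def handle_att_pdu(db: list, pdu: bytes, link_authenticated: bool) -> bytes:
    """Server side of one ATT exchange: Read Request -> Read Response or Error Response."""
    opcode = pdu[0]
    handle = int.from_bytes(pdu[1:3], "little") if len(pdu) >= 3 else 0
    # Error Response layout: opcode 0x01, request opcode, handle in error, error code
    err = lambda code: bytes([ATT_ERROR_RSP, opcode]) + handle.to_bytes(2, "little") + bytes([code])
    if opcode != ATT_READ_REQ or len(pdu) != 3: return err(ERR_REQ_NOT_SUPPORTED)
    attr = next((a for a in db if a.handle == handle), None)
    if attr is None: return err(ERR_INVALID_HANDLE)
    if attr.needs_authn and not link_authenticated: return err(ERR_INSUFFICIENT_AUTHN)
    return bytes([ATT_READ_RSP]) + attr.value  # the access decision is made server-side
```

A client on an unauthenticated link gets an Error Response with code 0x05 (Insufficient Authentication) for handle 0x0012 instead of the value, which is the per-characteristic check to confirm on every sensitive attribute when reviewing a device's GATT table.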





