crackle
crackle cracks Bluetooth Low Energy (BLE) encryption by exploiting a flaw in the pairing process to guess or brute-force the Temporary Key (TK). From the TK it recovers the Short Term Key (STK) and Long Term Key (LTK) and decrypts the communication between BLE master and slave devices.
Description
crackle is a tool for cracking BLE encryption, also known as Bluetooth Smart. It targets a vulnerability in the BLE pairing process, allowing attackers to guess or rapidly brute-force the TK. Using the TK and pairing data, it derives the STK and LTK, enabling full decryption of encrypted traffic.
Use cases include analyzing BLE communications for security research, reverse engineering IoT devices, or auditing BLE implementations. The tool processes PCAP captures containing pairing conversations or encryption handshakes.
It supports two major modes: cracking the TK from complete pairing data, or decrypting traffic using a known LTK. LTK exchanges in captures are dumped to stdout during cracking.
How It Works
crackle exploits a BLE pairing flaw to guess or brute-force the TK from complete pairing conversations in PCAP files. With the TK and pairing data, it computes the STK and LTK. For LTK mode, it uses a provided LTK (hex string, MSB to LSB) with LL_ENC_REQ and LL_ENC_RSP packets containing SKD and IV to decrypt traffic. It processes packets sequentially, skipping unencrypted or invalid ones, and outputs decrypted PCAP if specified.
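An added auditing example, not part of crackle or its documentation: given the SMP Pairing Request and Pairing Response PDUs taken from a capture, it determines which pairing method the two devices negotiated and therefore how small the TK search space is that the attack described above relies on (a zero TK for Just Works, a 6-digit passkey for Passkey Entry, no short TK at all for LE Secure Connections). The PDU bytes are constructed, and the function names are assumptions of this example.

```python
# SMP IO capability values (Bluetooth Core spec, Vol 3 Part H, 3.5.1)
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
AUTHREQ_MITM, AUTHREQ_SC = 0x04, 0x08   # AuthReq bit flags

def parse_smp_pairing(pdu: bytes) -> tuple:
    """Parse a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02).
    Returns (io_cap, oob_flag, auth_req); key-size and key-distribution bytes are ignored."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response PDU")
    if pdu[1] not in IO_CAPS:
        raise ValueError("reserved IO capability value")
    return pdu[1], pdu[2], pdu[3]

def association_model(req: tuple, rsp: tuple) -> str:
    """Pairing method negotiated by the two PDUs (Core spec Vol 3 Part H, 2.3.5.1)."""
    (req_io, req_oob, req_auth), (rsp_io, rsp_oob, rsp_auth) = req, rsp
    if req_auth & AUTHREQ_SC and rsp_auth & AUTHREQ_SC:
        return "LE Secure Connections"          # ECDH-based; no short TK to guess
    if req_oob == 1 and rsp_oob == 1:
        return "OOB"                            # 128-bit TK exchanged out of band
    if not ((req_auth | rsp_auth) & AUTHREQ_MITM):
        return "Just Works"                     # neither side requested MITM protection
    no_io, display_only = 0x03, {0x00, 0x01}
    if no_io in (req_io, rsp_io) or (req_io in display_only and rsp_io in display_only):
        return "Just Works"
    return "Passkey Entry"                      # 6-digit passkey, TK in 0..999999

def assess(req_pdu: bytes, rsp_pdu: bytes) -> dict:
    """Audit verdict: how many TK values a captured legacy pairing leaves to guess."""
    model = association_model(parse_smp_pairing(req_pdu), parse_smp_pairing(rsp_pdu))
    tk_candidates = {"Just Works": 1, "Passkey Entry": 10 ** 6}.get(model)
    return {"model": model, "tk_candidates": tk_candidates,
            "tk_guessable": tk_candidates is not None}

# Constructed sample PDUs (not from a real capture). Byte layout: opcode, IO cap,
# OOB flag, AuthReq, max key size, initiator key dist, responder key dist.
JW_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])   # NoInputNoOutput, bonding only
JW_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])
PK_REQ = bytes([0x01, 0x04, 0x00, 0x05, 0x10, 0x01, 0x01])   # KeyboardDisplay, MITM
PK_RSP = bytes([0x02, 0x00, 0x00, 0x05, 0x10, 0x01, 0x01])   # DisplayOnly, MITM
SC_REQ = bytes([0x01, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])   # DisplayYesNo, MITM + SC
SC_RSP = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])

if __name__ == "__main__":
    for name, pair in (("just-works", (JW_REQ, JW_RSP)), ("passkey", (PK_REQ, PK_RSP)),
                       ("secure-connections", (SC_REQ, SC_RSP))):
        print(name, assess(*pair))
```

A device whose pairing comes back as Just Works or Passkey Entry without the SC bit is the case crackle targets; only one side setting the SC bit still yields legacy pairing.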
Installation
sudo apt install crackle
Flags
Examples
crackle -i ltk_exchange.pcap -o ltk-decrypted.pcap
crackle -i pairing.pcap -o decrypted.pcap
crackle -i capture.pcap
crackle -i encrypted.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c -o output.pcap
crackle -i test.pcap -v
crackle -t
crackle -h