crackle
Recover keys from recorded Bluetooth pairing events and decrypt the captured communications
TLDR
Check whether the recorded BLE communications contain the packets necessary for recovering temporary keys (TKs)
Use brute force to recover the TK of the recorded pairing events and use it to decrypt all subsequent communications
Use the specified long-term key (LTK) to decrypt the recorded communication
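The first mode above starts with a capture audit: a TK recovery cannot proceed unless the pairing exchange and the encryption setup were all recorded. The script below is an added example, not crackle's own code; it assumes a little-endian pcap in LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR (256) format and walks the records looking for the SMP and LL-control messages the page says are required. The sample capture is constructed inline and deliberately omits the peripheral's LL_ENC_RSP.

```python
import struct

PCAP_MAGIC, LINKTYPE_LE_LL_WITH_PHDR = 0xA1B2C3D4, 256   # assumed link type of the capture
SMP_CID, LLID_L2CAP_START, LLID_CONTROL = 0x0006, 0b10, 0b11
SMP_NAMES = {0x01: "Pairing Request", 0x02: "Pairing Response",
             0x03: "Pairing Confirm", 0x04: "Pairing Random"}
LL_CTRL_NAMES = {0x03: "LL_ENC_REQ", 0x04: "LL_ENC_RSP"}
# Presence check only: at least one of each message type must have been captured.
REQUIRED = set(SMP_NAMES.values()) | set(LL_CTRL_NAMES.values())

def classify_ll_pdu(pdu: bytes):
    """Name the SMP or LL-control message carried by one raw LE link-layer PDU, else None."""
    if len(pdu) < 6:                      # access address (4) + data header (2)
        return None
    llid, length = pdu[4] & 0b11, pdu[5]  # LLID sits in the low two header bits
    payload = pdu[6:6 + length]
    if llid == LLID_CONTROL and payload:
        return LL_CTRL_NAMES.get(payload[0])
    if llid == LLID_L2CAP_START and len(payload) >= 5:
        _l2len, cid = struct.unpack_from("<HH", payload)
        if cid == SMP_CID:
            return SMP_NAMES.get(payload[4])
    return None

def audit_pcap(pcap: bytes):
    """Return (seen, missing) message-name sets for a little-endian pcap of link type 256."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_LE_LL_WITH_PHDR:
        raise ValueError("expected little-endian pcap with LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR")
    seen, off = set(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        record = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        name = classify_ll_pdu(record[10:])   # skip the 10-byte PHDR pseudo-header
        if name:
            seen.add(name)
    return seen, REQUIRED - seen

# Constructed sample capture (not real traffic): a legacy pairing missing LL_ENC_RSP.
def _record(llid, payload):
    phdr = struct.pack("<BBBBIH", 37, 0, 0, 0, 0x8E89BED6, 0)
    pdu = struct.pack("<IBB", 0x50655A0B, llid, len(payload)) + payload + b"\x00\x00\x00"  # + CRC
    return struct.pack("<IIII", 0, 0, len(phdr) + len(pdu), len(phdr) + len(pdu)) + phdr + pdu

def _smp(code, body):
    return struct.pack("<HH", 1 + len(body), SMP_CID) + bytes([code]) + body

SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_LE_LL_WITH_PHDR) + b"".join([
    _record(LLID_L2CAP_START, _smp(0x01, b"\x03\x00\x01\x10\x00\x00")),  # Pairing Request
    _record(LLID_L2CAP_START, _smp(0x02, b"\x03\x00\x01\x10\x00\x00")),  # Pairing Response
    _record(LLID_L2CAP_START, _smp(0x03, b"\x11" * 16)),                 # Pairing Confirm
    _record(LLID_L2CAP_START, _smp(0x04, b"\x22" * 16)),                 # Pairing Random
    _record(LLID_CONTROL, b"\x03" + b"\x00" * 22),                       # LL_ENC_REQ only
])

if __name__ == "__main__":
    seen, missing = audit_pcap(SAMPLE_PCAP)
    print("present:", sorted(seen), "\nmissing:", sorted(missing))
```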
SYNOPSIS
crackle -i <input_pcap> [-o <output_pcap>] [-k <keystream_file>] [-e <e0_file>] [-v] [-l] [--help]
PARAMETERS
-i <input_pcap>
Specifies the input PCAP file containing Bluetooth traffic to be analyzed.
-o <output_pcap>
Specifies an optional output PCAP file to write the decrypted traffic to.
-k <keystream_file>
Provides a known keystream file to aid in the decryption process. Useful for faster decryption if partial information is available.
-e <e0_file>
Specifies a raw E0 stream file for direct analysis, typically generated from other tools.
-v
Enables verbose output, showing more details about the decryption process and progress.
-l
Lists any captured Link Key (LK) or long-term key (LTK) values found in the input PCAP file.
--help
Displays the help message and available options for the command.
DESCRIPTION
crackle is a specialized command-line utility designed for auditing the security of Bluetooth connections. Its primary function is to decrypt Bluetooth E0 encryption streams, which are primarily used in older Bluetooth versions (Bluetooth 2.1 and earlier). The tool works by taking a captured Bluetooth traffic file, typically in PCAP format (e.g., from an Ubertooth device or other Bluetooth sniffer), and attempting to recover the encryption keystream or decrypt the communications. It leverages known vulnerabilities or weaknesses in the E0 stream cipher to reconstruct the conversation. This makes crackle an invaluable tool for security researchers, penetration testers, and anyone interested in understanding the security posture of Bluetooth devices and implementations. It is not a standard utility found in most Linux distributions but is often compiled from source for specific security testing environments.
CAVEATS
crackle primarily targets the E0 stream cipher used in older Bluetooth versions (Bluetooth Basic Rate/Enhanced Data Rate, often up to 2.1). While some principles might apply, it is generally less effective against modern Bluetooth Low Energy (BLE) or Bluetooth 4.0+ connections, which use a different encryption algorithm (AES-CCM).
The effectiveness of crackle often depends on capturing sufficient traffic, particularly connection setup and pairing sequences, and the presence of vulnerabilities in the specific Bluetooth implementation.
It requires specific hardware (like Ubertooth One) to capture the necessary low-level Bluetooth packets effectively. It cannot decrypt traffic without a suitable capture.
This tool is for security research and ethical hacking. Misuse for unauthorized access is illegal and unethical.
DEPENDENCIES
crackle requires libbtbb (Bluetooth Baseband Library) for parsing Bluetooth packets and libgcrypt for cryptographic operations. These libraries usually need to be installed before compiling crackle from source.
ETHICAL USE
Users are strongly advised to use crackle only on networks and devices for which they have explicit permission to test. Unauthorized decryption of communications is illegal in most jurisdictions and can lead to severe penalties.
HISTORY
crackle was developed by Mike Ryan, a prominent security researcher known for his work on Bluetooth security. It gained significant attention within the security community, particularly after its public release and presentations at security conferences like Black Hat and DEF CON. The tool was created to demonstrate the vulnerabilities in Bluetooth's E0 encryption, allowing researchers to decrypt captured Bluetooth communications under certain conditions. Its development highlighted the importance of using stronger, modern encryption standards and contributed to improving the security posture of Bluetooth technology over time. The tool remains a valuable resource for auditing legacy Bluetooth implementations.
SEE ALSO
ubertooth-btle(1), wireshark(1), hcidump(1), bluetoothctl(1)