iOS: Bluetooth packet logging

About.

This blog post describes how you can access the Bluetooth communication of your iOS device. At the time of writing, iOS 13 had not yet been released to the public, only to Apple developers, so an Apple developer account is a prerequisite. The “Additional Tools for Xcode 11 Beta” are also required, and downloading them requires an Apple developer account as well.

Tools.

In order to start capturing Bluetooth packets with your iOS device you need the following:

Step-by-step setup.

Install iOS 13 beta (skip if iOS > 13 is installed).

First you need to download and install the iOS 13 beta profile. The download can be performed here. Installation can be done with Apple Configurator 2 (AC2).

  • Connect your phone to the PC
  • Open AC2
  • Right click your phone in AC2
    • Add -> Profile -> Select the downloaded profile
  • Install the iOS 13 beta

Install the Bluetooth logging profile.

Download the Bluetooth logging profile and install with Apple Configurator 2 (AC2).

  • Connect your phone to the PC
  • Open AC2
  • Right click your phone in AC2
  • Add -> Profile -> Select the downloaded profile
  • On the phone
    • Open settings
    • Enable Profile

Install PacketLogger.

Download the Additional Tools for Xcode 11 Beta and install PacketLogger.

  • Download the dmg
  • Mount the dmg
  • Go to Hardware
  • Copy PacketLogger to your Applications directory

Start Capturing.

Once you have successfully set up your test environment, connect your prepared iPhone to your capturing machine by USB. Next, start the PacketLogger application (macOS) and navigate to File -> New iOS Trace, or press option+command+N.

Now, if everything is set up correctly, you will see a message like the following in the logging section of PacketLogger.

In the top left corner you can now start and stop capturing packets. If you want to see which Bluetooth devices around you are broadcasting, you can, for example, install the app nRF Connect (iOS). You can also connect a Bluetooth headset of your choice and start listening to music; you will see the live packet trace.

I found the PacketLogger useful for capturing, but its inspection capabilities are limited. Fortunately, you can export a dump in the BTSnoop format (Wireshark compatible). To do so, select File -> Export -> BTSnoop or press caps+command+E.
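For scripted triage of an exported dump outside Wireshark, the following added example (not part of the original post and not Apple's code) parses a BTSnoop file and summarizes packets by direction and type. It assumes the export follows the public BTSnoop version 1 layout; the function names and the two-packet sample capture are constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

MAGIC = b"btsnoop\x00"
EPOCH_DELTA_US = 0x00DCDDB30F2F8000  # microseconds between year 0 and 1970-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DATALINKS = {1001: "HCI un-encapsulated (H1)", 1002: "HCI UART (H4)",
             1003: "HCI BSCP", 1004: "HCI Serial (H5)"}

def parse_btsnoop(data):
    """Return (datalink name, list of record dicts); raise ValueError on malformed input."""
    if len(data) < 16 or data[:8] != MAGIC:
        raise ValueError("not a BTSnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1:
        raise ValueError(f"unsupported BTSnoop version {version}")
    records, off = [], 16
    while off < len(data):
        if off + 24 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        # All fields are big-endian: lengths, flags, drop counter, 64-bit timestamp.
        orig_len, incl_len, flags, _drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        if incl_len > orig_len or off + incl_len > len(data):
            raise ValueError(f"bad record length at offset {off - 24}")
        records.append({
            "time": UNIX_EPOCH + timedelta(microseconds=ts - EPOCH_DELTA_US),
            "direction": "received" if flags & 1 else "sent",   # flag bit 0
            "kind": "command/event" if flags & 2 else "data",   # flag bit 1
            "truncated": incl_len < orig_len,
            "payload": data[off:off + incl_len],
        })
        off += incl_len
    return DATALINKS.get(datalink, f"unknown ({datalink})"), records

def summarize(records):
    return Counter((r["direction"], r["kind"]) for r in records)

def build_sample():
    """Constructed H4 capture: an HCI Reset command and its Command Complete event."""
    out = MAGIC + struct.pack(">II", 1, 1002)
    ts = EPOCH_DELTA_US + 1_600_000_000_000_000
    for flags, pkt in ((2, bytes.fromhex("01030c00")), (3, bytes.fromhex("040e0401030c00"))):
        out += struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts) + pkt
    return out

if __name__ == "__main__":
    link, recs = parse_btsnoop(build_sample())
    print(link, dict(summarize(recs)))
```

To run it on a real export, pass the file's bytes to `parse_btsnoop`; the reported datalink type tells you how each payload is framed.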

Conclusion.

I found it super useful having the ability to access the packet trace for Bluetooth communication on the iOS device. From a security perspective this will help in future assessments on iOS connectable Bluetooth devices.
