Bluetooth Packet Sniffing Using Project Ubertooth. Dominic Spill dominicgs@gmail.com

Similar documents
Bluetooth Smart, But Not Smart Enough

Bluetooth Jamming. Bachelor s Thesis. Steven Köppel. koeppels@student.ethz.ch

Bluetooth: With Low Energy comes Low Security

Quick Start Guide v1.0. This Quick Start Guide is relevant to Laird s BT800, BT810 and BT820 Bluetooth modules.

Kryptoanalyse og anngrep på Bluetooth

Wireless Networks. Welcome to Wireless

PM0237 Programming manual

WPAN. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Wireless Personal Area Networks (WPANs)

What s on the Wire? Physical Layer Tapping with Project Daisho

Tecnologías Inalámbricas.

Chapter 17. Transport-Level Security

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

ITL BULLETIN FOR AUGUST 2012

Analyzing 6LoWPAN/ZigBeeIP networks with the Perytons Protocol Analyzer May, 2012

Logitech Advanced 2.4 GHz Technology With Unifying Technology

802.11b and associated network security risks for the home user

Wireless LAN Pen-Testing. Part I

Logitech Advanced 2.4 GHz Technology

Recent technological innovations and declining prices for personal computers (PCs) and

AUDIENCE MEASUREMENT SYSTEM BASED ON BLUETOOTH CORDLESS COMMUNICATION

Bluetooth voice and data performance in DS WLAN environment

An Overview of ZigBee Networks

Frequency Hopping Spread Spectrum PHY of the Wireless LAN Standard. Why Frequency Hopping?

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

CSE331: Introduction to Networks and Security. Lecture 6 Fall 2006

Web Security Considerations

Wireless Tools. Training materials for wireless trainers

Bluetooth Health Device Profile and the IEEE Medical Device Frame Work

Professur Technische Informatik Prof. Dr. Wolfram Hardt. Network Standards. and Technologies for Wireless Sensor Networks. Karsten Knuth

Bluetooth Wireless Technology

BlackHat Europe. March 3rd 2006, Amsterdam, The Netherlands. by Adam Laurie, Marcel Holtmann and Martin Herfurt

The next generation of knowledge and expertise Wireless Security Basics

Introducing the Adafruit Bluefruit LE Sniffer

Keeping SCADA Networks Open and Secure DNP3 Security

ZIGBEE ECGR-6185 Advanced Embedded Systems. Charlotte. University of North Carolina-Charlotte. Chaitanya Misal Vamsee Krishna

DRAFT. Implementing an Attack on Bluetooth 2.1+ Secure Simple Pairing in Passkey Entry Mode

Bluetooth for device discovery. Networking Guide

Network Security Part II: Standards

Computer and Network Security. Alberto Marchetti Spaccamela

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Protocolo IEEE Sergio Scaglia SASE Agosto 2012

Wi-Fi and Bluetooth - Interference Issues

Zebra. Quick Start Guide. Wireless Configuration for n and Bluetooth Radios for. Link-OS Mobile Printers. P Rev.

Chapter 9. IP Secure

AirStation One-Touch Secure System (AOSS ) A Description of WLAN Security Challenges and Potential Solutions

Performance of Symmetric Neighbor Discovery in Bluetooth Ad Hoc Networks

Bluetooth wireless technology basics

Security and protection of digital images by using watermarking methods

TDM & FDM Overlays on Bluetooth

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security

Chapter 6 CDMA/802.11i

Wireless Home Networks based on a Hierarchical Bluetooth Scatternet Architecture

Bluetooth Security Protocol Analysis and Improvements

Ebook Review - Bluetooth Network Security

Side Channel Analysis and Embedded Systems Impact and Countermeasures

APPLICATION NOTE. AVR2130: Lightweight Mesh Developer Guide. Atmel MCU Wireless. Features. Description

Wireless Technology and RF Standard in Medical Device Development

BLUETOOTH SERIAL PORT PROFILE. iwrap APPLICATION NOTE

The influence of Wi-Fi on the operation of Bluetooth based wireless sensor networks in the Internet of Things

WiFi Security Assessments

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

Microchip Technology. February 2008 Valerio Moretto Slide 1

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Microsoft Message Analyzer Packet Analysis at a Higher Level. Neil B Martin Test Manager WSSC- Interop and Tools Microsoft Corporation

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN

Easy H.264 video streaming with Freescale's i.mx27 and Linux

BLUETOOTH SMART CABLE REPLACEMENT

AN1066. MiWi Wireless Networking Protocol Stack CONSIDERATIONS INTRODUCTION TERMINOLOGY FEATURES

Evaluating GSM A5/1 security on hopping channels

Device and Service Discovery in Bluetooth Networks

Electromagnetic Spectrum (3kHz 300GHz)

CSE 123: Computer Networks Fall Quarter, 2014 MIDTERM EXAM

Security Requirements for Wireless Networks and their Satisfaction in IEEE b and Bluetooth

AUTOMOTIVE BLUETOOTH TELEPHONY.

On the Effectiveness of Secret Key Extraction from Wireless Signal Strength in Real Environments

What's on the Wire? Physical Layer Tapping with Daisho. Dominic Spill Mike Kershaw / Dragorn Michael Ossmann

Einführung in SSL mit Wireshark

Elements of Applied Cryptography. Key Distribution. Trusted third party: KDC, KTC Diffie-Helmann protocol The man-in-the-middle attack

Wireless LAN advantages. Wireless LAN. Wireless LAN disadvantages. Wireless LAN disadvantages WLAN:

Bluetooth Low Energy

Transport Layer Protocols

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

PCI Express Overview. And, by the way, they need to do it in less time.

Keep it Simple Timing

UG103.5 EMBER APPLICATION DEVELOPMENT FUNDAMENTALS: SECURITY

EKT 332/4 COMPUTER NETWORK

CSCI Topics: Internet Programming Fall 2008

Implementation of Wireless Gateway for Smart Home

... neither PCF nor CA used in practice

Transcription:

Bluetooth Packet Sniffing Using Project Ubertooth Dominic Spill dominicgs@gmail.com

Dominic Spill Bluesniff: Eve meets Alice and Bluetooth Usenix WOOT 07 Building a Bluetooth monitor Shmoo/Defcon/Toorcamp 09 With Michael Ossmann Lead on project Ubertooth

Disclosure Not an employee of GSG I receive some funding Not here to sell Ubertooths

Warning If you wish to remain anonymous: Remove your name from Bluetooth device names Or turn off Bluetooth devices now Live demos at a con may not work Especially when using 2.4GHz

Ubertooth

Ubertooth Designed by Michael Ossmann 2.4GHz experimentation platform Bluetooth 1.x, Low energy, 802.11 FHSS Hardware CC2400 (+CC2591 frontend) NXP LPC1756 USB device (2.0) Open source software and hardware http://ubertooth.sourceforge.net

Spot the difference?

Bluetooth Bluetooth is a registered trademark of Bluetooth SIG, Inc

Bluetooth 2.4GHz ISM band Variable data rates Basic Rate 1Mb/s Enhanced Data Rate 3Mb/s High Speed - Alternate MAC/PHY 24Mb/s LE (Smart) 200Kb/s FHSS @ 1600Hz 79 channels

Bluetooth Bluetooth SIG 17,000 members Free to join Bluetooth devices 7 billion devices sold to end 2011 Will ship 2 billion devices this year 20 billion expected in use by 2017 http://www.bluetooth.com/pages/sig-membership.aspx

Bluetooth - Terminology Bluetooth device address / MAC / BD_ADDR Three parts, not all present in packets LAP - Lower lowest 24 bits UAP - Upper next 8 bits NAP - Non-significant top 16 bits CLKN 27bit 3200Hz internal clock Increments twice per time slot

Bluetooth - Terminology Access code Derived from LAP Packet Header Error check based on UAP Payload Possibly encrypted CRC also based on UAP

Bluetooth - Terminology Non-Discoverable mode Does not respond to inquiry scans Still responds to page scans Some newer devices ignore unknown page scans Data whitening Packets XOR'd with pseudo-random sequence

Bluetooth sniffing is hard No monitor mode Fixed correlator not promiscuous Frequency hopping 1600 hops/s 625us/packet Pattern based on MAC and CLKN Data whitening PRNG initialised with CLK1-6

Bluetooth sniffing is profitable (apparently) Known connection LE only - $250 Known connection BR only - $10,000 All channel BR/EDR/LE - $25,000

Finding Packets Old method Find access code Treat 64bit chunks as possible access codes LAP stored in bits 34-57 Check access code Check trailer (2 errors) Generate access code from LAP Compare access code to 64bit chunk (6 errors)

Packets! 000010111110101110101010101010101010101010101010101 010101010101010101011011111001100001011011001100110 011111100110100101100011110010101011111111100000011 100000000000000000000011111111100000011110000111100 001111000011110000111100001111000011110000111100001 111000011110000111100001111000011110000111100001111 000011110000111100001111000011110000111100001111000 011110000111100001111000011110000111100001111000000 001000011111000101010011100011101101110011101101001 101000100001000101010

Flaws Slow on desktop CPU Unworkable on low power devices No errors allowed in LAP No error correction

Error Correction

Error Correction (64, 30) expurgated block code Based on BCH (63, 30) code Calculate syndromes to find error vectors Supposed to correct up to 6 bit errors Too many false positive results In practice correct <4 bit errors

Error Correction Manufacturers don't implement it Known access code loaded into correlator Compared to received bits Up to 6 bit errors This is what we do for a known address

Finding Packets New Method Pre-calculate syndromes for n-bit errors Use known access code XOR with all possible n-bit error vectors Generate syndrome for each error Store in hash (uthash rules!) For each 64bit block Calculate syndrome Check hash for error vector Correct error

Finding Packets New Method Demo

Ubertooth-scan Finding non-discoverable devices Wright's Law Security will not get better until tools for practical exploration of the attack surface are made available.

Frequency Hopping

Frequency Hopping Local Device Ubertooth-follow Follow a local Bluetooth device Use bluez to extract CLKN Push to Ubertooth Start hopping Demo

Frequency Hopping Local Device Pros Reliable Potentially sniff pairing Cons Requires local BT device No AFH support Expected soon Clock drift causes problems This is fixable

Frequency Hopping Any Device Derive CLKN from received packets Calculate hopping pattern for known address Sniff single channel or hop randomly Observe packets, timing and channel Place packets in hopping pattern Yields unique CLKN Calculate clock offset from CLKN Ubertooth Send to Ubertooth Follow hopping piconet

Frequency Hopping Any Device Ubertooth-hop Follow a remote piconet Given LAP and UAP Finds clock offset and hops Demo

Kismet Plugin Plugin for current and upcoming Kismet Only survey mode static or sweep Demo

Wireshark Plugin Demo

Bluetooth Smart AKA Bluetooth Low Energy Bluetooth 4.0 Wibree Much simpler protocol Mike Ryan has just started working on this Sniffing connection phase Sniffing some data AES Encryption possible flaws in key exchange

Future Work Adaptive Frequency Hopping Encryption / Pairing Transmit packet injection Full LE stack Follow in Kismet Storage Embedded platforms

Thanks to... Michael Ossmann Jared Boone Mike Kershaw (dragorn) Will Code Mike Ryan Zero Chaos

Questions? dominicgs@gmail.com Twitter: dominicgs Slides: dominicspill.com/ruxcon/slides.pdf

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information