Bluetooth Smart, But Not Smart Enough

Similar documents
Bluetooth: With Low Energy comes Low Security

Bluetooth Packet Sniffing Using Project Ubertooth. Dominic Spill

PM0237 Programming manual

UG103.14: Application Development Fundamentals: Bluetooth Smart Technology

nblue TM BR-LE4.0-D2A (CC2564)

BLUETOOTH SMART CABLE REPLACEMENT

SmartDiagnostics Application Note Wireless Interference

Bluetooth low energy 1

Introducing the Adafruit Bluefruit LE Sniffer

DRAFT. Implementing an Attack on Bluetooth 2.1+ Secure Simple Pairing in Passkey Entry Mode

Logitech Advanced 2.4 GHz Technology With Unifying Technology

Quick Start Guide v1.0. This Quick Start Guide is relevant to Laird s BT800, BT810 and BT820 Bluetooth modules.

Hacking US Traffic Control Systems. Cesar CTO at IOActive Labs

ITL BULLETIN FOR AUGUST 2012

Logitech Advanced 2.4 GHz Technology

IS187x_BM7x - BLEDK3 v1.01 Release Note

Bidirectional wireless communication using EmbedRF

WPAN. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

QUANTIFIED SELF A Path to Self-Enlightenment or Just a Security Nightmare?

Security in Near Field Communication (NFC)

An Overview of ZigBee Networks

BLE113 DEVELOPMENT KIT

Bluetooth Health Device Profile and the IEEE Medical Device Frame Work

Home Automation and Cybercrime

Wireless Personal Area Networks (WPANs)

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Kryptoanalyse og anngrep på Bluetooth

Texas Instruments CC2540/41 Bluetooth Low Energy Sample Applications Guide v1.3.1

Overview of Public-Key Cryptography

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

How To Attack A Key Card With A Keycard With A Car Key (For A Car)

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Elements of Applied Cryptography. Key Distribution. Trusted third party: KDC, KTC Diffie-Helmann protocol The man-in-the-middle attack

Tecnologías Inalámbricas.

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Bit Chat: A Peer-to-Peer Instant Messenger

Computer Networks - CS132/EECS148 - Spring

Wireless LAN Pen-Testing. Part I

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Topics in Network Security

Ebook Review - Bluetooth Network Security

Wi-Fi, Bluetooth, and the Internet of Things

ATBTLC1000 BluSDK USER GUIDE. Bluetooth Low Energy API: Software Development. Description

Overview and Evaluation of Bluetooth Low Energy: An Emerging Low-Power Wireless Technology

Lab Exercise Objective. Requirements. Step 1: Fetch a Trace

Figure 1.Block diagram of inventory management system using Proximity sensors.

Bluetooth usage with Architecture view & security measures

CPSC 467b: Cryptography and Computer Security

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Bluetooth voice and data performance in DS WLAN environment

Einführung in SSL mit Wireshark

Bluetooth 4.0: Low Energy

Use case possibilities with Bluetooth low energy in IoT applications

ZIGBEE ECGR-6185 Advanced Embedded Systems. Charlotte. University of North Carolina-Charlotte. Chaitanya Misal Vamsee Krishna

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

MCB3101 (Class I) WiRobot Serial Bluetooth Wireless Module User Manual

Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Wireless Home Networks based on a Hierarchical Bluetooth Scatternet Architecture

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

: Instructor

Hacking the NFC credit cards for fun and debit ;) Renaud Lifchitz BT Hackito Ergo Sum 2012 April 12,13,14 Paris, France

IPSEC: IKE. Markus Hidell Based on material by Vitaly Shmatikov, Univ. of Texas, and by the previous course teachers

Professur Technische Informatik Prof. Dr. Wolfram Hardt. Network Standards. and Technologies for Wireless Sensor Networks. Karsten Knuth

Bluetooth Jamming. Bachelor s Thesis. Steven Köppel. koeppels@student.ethz.ch

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Demystifying Wireless for Real-World Measurement Applications

3. Designed for installation by the user without further substantial support by the supplier; and

Bluetooth Low Energy Based Ticketing Systems

A Research Study on Packet Sniffing Tool TCPDUMP

Develop a Dallas 1-Wire Master Using the Z8F1680 Series of MCUs

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

BLUETOOTH SERIAL PORT PROFILE. iwrap APPLICATION NOTE

A DIY Hardware Packet Sniffer

Wireless LAN advantages. Wireless LAN. Wireless LAN disadvantages. Wireless LAN disadvantages WLAN:

Mobile Office Security Requirements for the Mobile Office

Connecting UniOP to Telemecanique PLC s

LoRaWAN. What is it? A technical overview of LoRa and LoRaWAN. Technical Marketing Workgroup 1.0

Microchip Technology. February 2008 Valerio Moretto Slide 1

Intrusion Detection, Packet Sniffing

Microsoft Message Analyzer Packet Analysis at a Higher Level. Neil B Martin Test Manager WSSC- Interop and Tools Microsoft Corporation

CS 494/594 Computer and Network Security

Pocket Verifier Quick Start HTC Touch Diamond

What s on the Wire? Physical Layer Tapping with Project Daisho

Overview of Network Hardware and Software. CS158a Chris Pollett Jan 29, 2007.

MPLS Environment. To allow more complex routing capabilities, MPLS permits attaching a

AUDIENCE MEASUREMENT SYSTEM BASED ON BLUETOOTH CORDLESS COMMUNICATION

Security and Privacy Issues of Wireless Technologies

About Sectra Communications

Analyzing 6LoWPAN/ZigBeeIP networks with the Perytons Protocol Analyzer May, 2012

Transcription:

Mike Ryan isec Partners isec Open Forum Jan 31, 2012

Slides and More Info http://lacklustre.net/bluetooth/

Overview Three parts what is LE how do we sniff it demo! security analysis 3

What is Bluetooth LE? New modulation mode for low-power devices Introduced in Bluetooth 4.0 AKA Bluetooth Smart Almost completely different from classic Bluetooth Designed to operate for a long time off a coin cell 4

Where is LE used? Sports devices (heart monitor, pedal cadence) Sensors (e.g., thermometer) Wireless door locks Upcoming medical devices epic foreshadowing 5

How does LE compare to Classic BT? Master/slave architecture Reuses high-level protocols Different modulation parameters Different channels (still in 2.4 GHz ISM) Different channel hopping scheme Different packet format Different whitening 6

7

8

How do we sniff it? Start at the bottom and work our way up: GATT ATT L2CAP Link Layer PHY 9

PHY Layer GFSK modulation 40 x 1 MHz channels spaced 2 MHz apart Handled entirely by CC2400 RF bits 10

Link Layer octets you say? 11

Link Layer What we have: Sea of bits What we want: Start of PDU What we know: AA 10001110111101010101 10011100000100011001 11100100110100011101 12

L2CAP and Beyond 06 0b 07 00 04 00 1b 11 00 16 58 b8 02 62 fb b2 RTFM It's actually quite readable! 13

L2CAP and Beyond GATT ATT L2CAP Link Layer PHY 14

Example Packet 06 0b 07 00 04 00 1b 11 00 16 58 b8 02 62 fb b2 L2CAP length: 7 channel 4: LE Attribute Protocol Handle Value Notification Attribute Handle flags heart rate: 88 bpm RR-interval: 696 ms 15

So we can turn RF into packets Now what? BTLE doesn't sit on a single channel, it hops! Let's follow connections! 16

How Connections Work Hop along data channels One data packet per timeslot 3 10 17 24 31 1 8 15 hop increment = 7 17

Following Connections The four things you need to follow a connection are: How do I get 1. AA these values? 2.CrcInit 3.Time slot length 4.Hop increment 18

Finding AA Sit on data channel waiting for empty data packets Collect candidate AA's and pick one when it's been observed enough 10001110111101010101 10011100000100011001 10000000000000001101 10100011000110000101 Not depicted: whitening! 19

Finding CRCInit Filter packets by AA Plug CRC into LFSR and run it backward See also Bluesniff: Eve meets Alice and Bluetooth 20

Finding time slot length Observation: 37 is prime Sit on data channel and wait for two consecutive packets Δt =time slot length 37 21

Finding Hop Increment MATH Start on data channel 0, jump to data channel 1 when a packet arrives We know hop interval, so we can calculate how many channels were hopped between 0 and 1 I won't bore you with the math We use a LUT to convert that to a hop amount 22

Promiscuous: Summary The four things you need to follow a connection are: AA CrcInit Hop interval Hop amount 23

Current Status Sniff new connections Sniff already-established connections (promiscuous) Wireshark protocol dissector Grab the git! Available in Gentoo! (thanks Zero_Chaos) Everything implemented in-firmware 24

Wireshark! 25

Demo demo demo demo demo demo demo demo demo 26

Security Good news: there is encryption Bad news: depending on your situation it's probably not very effective 27

Key Exchange Pairing mode determines temporary key (TK) Just Works 6 digit PIN OOB Not DH! Just works: no passive eavesdropper protection 6 digit PIN: easily brute forceable OOB provides the only meaningful security 28

Eavesdropping Scenario Alice pairs with her brand new LE device Eve observes pairing / key exchange Just Works or 6 digit PIN: Eve recovers TK With TK and pairing data: Eve recovers STK With STK and key exchange: Eve recovers LTK LTK = Session Key = GAME OVER 29

Well, not quite.. Each connection uses a different nonce, so Eve has to witness connection setup The LTK is exchanged once and reused for many connections 30

Active Attacks How do you witness a connection setup? Force a reconnect! Should be as simple as jamming the connection What about connections that use a pre-shared LTK? Inject message LL_REJECT_IND (reject LTK) 31

My Bad None of the pairing methods provide protection against a passive eavesdropper during the pairing process as predictable or easily established values for TK are used. A future version of this specification will include elliptic curve cryptography and Diffie-Hellman public key exchanges that will provide passive eavesdropper protection. 32

Why should I care about LE security? 33

34

Take-Away LE security compromised by design If security matters, use OOB pairing Alternatively: BYOE see also: The end-to-end principle

Future Work Wireshark capture source Demonstrate encryption attacks Master/slave on dongle SD + battery Channel maps that don't use all 37 channels 36

Thanks Mike Ossmann Dominic Spill Mike Kershaw (dragorn) #ubertooth on freenode bluez Bluetooth SIG Facebook / isec 37

Thank You Mike Ryan @mpeg4codec mikeryan@isecpartners.com http://lacklustre.net/ http://ubertooth.sf.net/ 38

Related Work TI CC2540EMK-USB $49 BlueRadios BlueSniffTM $249 Only available to BlueRadios Clients who purchased our modules for use Ellisys Bluetooth Explorer 400+LE $N0,000 None support sniffing already-established connections! 39

Slave Device Lifecycle When connected Hop along data channels One data packet per timeslot When not connected periodically announce existence on advertising channel respond to requests from master 3 10 17 24 31 1 8 15 hop amount = 7 40

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information