BlackHat Europe. March 3rd 2006, Amsterdam, The Netherlands. by Adam Laurie, Marcel Holtmann and Martin Herfurt

Similar documents
Bluetooth Hacking: A Case Study. Dennis Browning dennisbrowning@gmail.com. Champlain College Center for Digital Investigation Burlington, Vermont

What your phone vendor didn t tell you about Bluetooth security TOOTHACHE. theory. Figure 1 shows the Bluetooth protocol stack.

Bluetooth Hacking: A Case Study

Bluetooth wireless technology basics

1. What is the main difference between the X3 micro and other Bluetooth headsets? 3. How does the X3 micro use the Bluetooth technology?

Part K:11 OBJECT PUSH PROFILE

ITL BULLETIN FOR AUGUST 2012

BLUETOOTH SERIAL PORT PROFILE. iwrap APPLICATION NOTE

Mapping of Services on Bluetooth Radio Networks

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

Professur Technische Informatik Prof. Dr. Wolfram Hardt. Network Standards. and Technologies for Wireless Sensor Networks. Karsten Knuth

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

MCB3101 (Class I) WiRobot Serial Bluetooth Wireless Module User Manual

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

WPAN. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Bluetooth Health Device Profile and the IEEE Medical Device Frame Work

Data sheet Wireless UART firmware version 4.02

Ebook Review - Bluetooth Network Security

javax.bluetooth java.obex (optional) Fakulta elektrotechniky a informatiky - Rygol Lukáš

Design and Implementation of Ad-hoc Communication and Application on Mobile Phone Terminals

ARIB STD-T V Wide area network synchronisation standard

Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Wireless Technologies for Automation

Potential Targets - Field Devices

Configuring connection settings

Working With Bluetooth Devices

Policy and Profile Reference Guide

Bluetooth: Understanding the Technology, Its Vulnerabilities, and Security Recommendations

Provide Simple Protection for Bluetooth Connection in Wireless Personal Area Network Mohammad Zaki H. Allayla. Abstract

Bluetooth HC-06 with serial port module Easy guide

Thick Client Application Security

CeBIT 2004

WI-FI VS. BLUETOOTH TWO OUTSTANDING RADIO TECHNOLOGIES FOR DEDICATED PAYMENT APPLICATION

Who is Watching You? Video Conferencing Security

Wireless Personal Area Networks (WPANs)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Nokia E61i Configuring connection settings

Purdue University proudly presents. Aaron Jarvis, Network Engineer.

AUTOMOTIVE BLUETOOTH TELEPHONY.

Bluetooth Packet Sniffing Using Project Ubertooth. Dominic Spill

HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY

802.11b and associated network security risks for the home user

Java Bluetooth Wireless Technology for Evaluating Student Performance in Classroom

Advanced Attacks Against PocketPC Phones

Hardware and software implications of creating Bluetooth Scatternet devices

Wireless Security: Secure and Public Networks Kory Kirk

Bluetooth usage with Architecture view & security measures

Essentials of Bringing a Bluetooth Product to Market

8.5 Using Your Phone As a Modem (Internet Sharing)

Ways to Use USB in Embedded Systems

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

File Transfer Using Bluetooth

Using the Microsoft Bluetooth Stack

Mike Zusman 3/7/2011. OWASP Goes Mobile SANS AppSec Summit 2011

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

Logitech Advanced 2.4 GHz Technology With Unifying Technology

ENABLING WIRELESS DATA COMMUNICATION IN CONSTRUCTION MANAGEMENT SYSTEM

Closing Wireless Loopholes for PCI Compliance and Security

Important Notice Baracoda products works with all Bluetooth devices accepting both SPP connection and sniff mode.

Nighthawk AC1900 WiF Range Extender

Introducing the Adafruit Bluefruit LE Sniffer

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006

GROUPTALK FOR ANDROID VERSION for Android

Penetration Testing. Presented by

A Decision Maker s Guide to Securing an IT Infrastructure

Bluetooth Protocol Architecture

Automated Testing of Bluetooth Connectivity. Technical Brief from Missing Link Electronics:

Architectural Overview of Intel s Bluetooth Software Stack

MN-700 Base Station Configuration Guide

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

Wireless Network Standard and Guidelines

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

FREQUENTLY ASKED QUESTIONS

Wireless Auditing on a Budget

Tecnologías Inalámbricas.

Exploiting USB Devices with Arduino. Greg Ose Black Hat USA 2011

Samsung KNOX User Guide KNOX for Consumers Edition

Bluetooth Teollisuussovelluksissa BlueGiga Technologies Oy Tom Nordman

Quick Start Guide: Iridium GO! Advanced Portal

Network Defense Tools

Electromagnetic Spectrum (3kHz 300GHz)

HIGH-SECURITY MOBILITY MANAGEMENT FROM BLACKBERRY

Credit Card Security

your Gateway Windows network installationguide b wireless series Router model WBR-100 Configuring Installing

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

Connecting your Aiki phone to a network

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Bluetooth to serial HC-06 wireless module

Essentials of PC Security: Central Library Tech Center Evansville Vanderburgh Public Library

Installer and Admin App Guide

Sync Security and Privacy Brief

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Wireless Network Standard

AllJoyn Android Environment Setup Guide

Kryptoanalyse og anngrep på Bluetooth

Remote Deposit Terms of Use and Procedures

How To Secure An Rsa Authentication Agent

Penetration Testing Report. Client: xxxxxx Date: 19 th April 2014

Payment Card Industry (PCI) Terminal Software Security. Best Practices

1.0 Safety Instruction

Transcription:

Bluetooth Hacking The State of the Art BlackHat Europe March 3rd 2006, Amsterdam, The Netherlands by Adam Laurie, Marcel Holtmann and Martin Herfurt

Agenda Quick technology overview Security mechanisms Known vulnerabilities Toools & new stuff Demonstrations

Who is investigating Adam Laurie CSO of The Bunker Secure Hosting Ltd. DEFCON staff and organizer Apache-SSL co-publisher Marcel Holtmann Maintainer of the Linux Bluetooth stack Red Hat Certified Examiner (RHCX) Martin Herfurt Security researcher Founder of trifinite.org

What we are up against

What is Bluetooth Bluetooth SIG Trade association Founded 1998 Owns and licenses IP Bluetooth technology A general cable replacement Using the ISM band at 2.4 GHz Protocol stack and application profiles

Network Topology Hopping sequence defines the piconet Master defines the hopping sequence 1600 hops per second on 79 channels Up to seven active slaves Scatternet creation

Bluetooth Stack Application specific security mechanisms Bluetooth host security mechanisms Security mechanisms on the Bluetooth chip

Security modes Security mode 1 No active security enforcement Security mode 2 Service level security On device level no difference to mode 1 Security mode 3 Device level security Enforce security for every low-level connection

How pairing works First connection (1) > HCI_Pin_Code_Request (2) < HCI_Pin_Code_Request_Reply (3) > HCI_Link_Key_Notification Further connections (1) > HCI_Link_Key_Request (2) < HCI_Link_Key_Request_Reply (3) > HCI_Link_Key_Notification (optional)

Principles of good Security (CESG/GCHQ) Confidentiality Integrity Data is available when needed Authentication Data has not been modified Availability Data kept private Identity of peer is proven Non-repudiation Peer cannot deny transaction took place

Breaking all of them Confidentiality Integrity Deleting data Authentication Modifying data Availability Reading data Bypassed completely Non-repudiation Little or no logging / no audit trails

Remember Paris

Compromised Content Paris Hilton's phonebook Numbers of real Celebrities (rockstars, actors...) Images US Secret Service Confidential documents

BlueSnarf Trivial OBEX push attack Pull knows objects instead of pushing No authentication Discovered by Marcel Holtmann Published in October 2003 Also discovered by Adam Laurie Published in November 2003 Field tests at London Underground etc.

How to avoid pairing vcard Contacts IrMC OBEX Channel 3 OBEX Push Profile Channel 4 Synchronization Profile Security Manager RFCOMM L2CAP

HeloMoto Requires entry in My Devices Use OBEX push to create entry No full OBEX exchange needed Connect to headset/handsfree channel No authentication required Full access with AT command Discovered by Adam Laurie

BlueBug Issuing AT commands Use hidden and unprotected channels Full control over the phone Discovered by Martin Herfurt Motivation from the BlueSnarf attack Public field test a CeBIT 2004 Possibility to cause extra costs

Authentication abuse Create pairing Authenticate for benign task Force authentication Use security mode 3 if needed Connect to unauthorized channels Serial Port Profile Dialup Networking OBEX File Transfer

BlueSmack Using L2CAP echo feature Signal channel request and response L2CAP signal MTU is unknown No open L2CAP channel needed Causing buffer overflows Denial of service attack

BlueStab Denial of service attack Bluetooth device name is UTF-8 encoded Friendly name with control characters Crashes some phones Can cause weird behaviors Name caches can be very problematic Credits to Q-Nix and Collin R. Mulliner

BlueBump Forced re-keying Authenticate for benign task (vcard exchange) Force authentication Tell partner to delete pairing Hold connection open Request change of connection link key Connect to unauthorized channels

BlueSnarf++ OBEX push channel attack, again Connect with Sync, FTP or BIP target UUID No authentication Contents are browseable Full read and write access Access to external media storage Manufacturers have been informed

BlueSpooof Clone a trusted device Device address Service records Emulate protocols and profiles Disable encryption Force re-pairing

BlueDump Yanic Shaked and Avishai Wool http://www.eng.tau.ac.il/~yash/bluetooth/ Expands PIN attack from Ollie Whitehouse Requires special hardware or firmware Destroy trust relationship Use the BlueSpooof methods User interaction for pairing still needed

BlueChop Disrupts established Bluetooth piconets Works for devices that are multiconnection capable in page scan mode while connected

Blueprinting Fingerprinting for Bluetooth Work started by Collin R. Mulliner and Martin Herfurt Based on the SDP records and OUI Important for security audits Paper with more information available

Bluetooone Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack Original idea from Mike Outmesguine (Author of Book: Wi-Fi Toys ) Step by Step instruction on trifinite.org

Bluetooone

Blooover Blooover - Bluetooth Wireless Technology Hoover Proof-of-Concept Application Educational Purposes only Java-based J2ME MIDP 2.0 with BT-API Released last year at 21C3 150.000 + x downloads Blooover also distributed by other portals

Blooover II Successor of the popular Blooover application Auditing toool for professionals/researchers Included Audits BlueBug HeloMoto BlueSnarf Malformed Objects Beta Version available now

Blooover II - Auditing

Blooover II - Settings

Blooover II - Breeeder World Domination through p2p propagation Breeeder Version distributes 'Blooover II Babies' Babies cannot breed

The Car Whisperer Use default pin codes to connect to carkits Inject audio Record audio Version 0.2 now available Better phone emulation capabilities

The Car Whisperer Stationary directional antenna 15 seconds visibility at an average speed of 120 km/h and a range 500 m

BlueStalker Commercial tracking service GSM Location tracking (Accurate to about 800 meters) BlueBug SMS message to determine phone number and intercept confirmation message

Nokia 770 Tablet PC Supports Wi-Fi Bluetooth No GSM/GRPS/UMTS Linux-based Almost open source Details here http://www.nokia.com/770 http://trifinite.org/trifinite_stuff_nokia_770.html

Nokia 770

Nokia 770

Nokia 770

Nokia 770

Blooonix

Blooonix Linux distribution for Bluetooth audits Linux-based Live CD Recent 2.6 kernel Contains all latest BlueZ utilities

GNU Radio (1) GNU Software defined radio Universal Software Radio Peripheral hardware from Ettus http://www.gnu.org/software/gnuradio/ http://www.ettus.com/

GNU Radio (2)

Bluetooth Sniffing Local Sniffing Piconet Sniffing hcidump special hardware or firmware Air Sniffing Frontline ( http://www.fte.com/ ) LeCroy/CatC ( http://www.lecroy.com/ )

Conclusions Bluetooth is secure standard (per se) Problems are at the application level Cooperation with the Bluetooth SIG Pre-release testing at UPF (UnPlugFests) Better communication channels Clear user interface and interaction Mandatory security at application level Using a policy manager

trifinite.group Adam Laurie (the Bunker Secure Hosting) Marcel Holtmann (BlueZ) Collin Mulliner (mulliner.org) Tim Hurman (Pentest) Mark Rowe (Pentest) Martin Herfurt (trifinite.org) Kevin Finesterre (DigitalMunition) Joshua Wright (SANS) Spot (Sony)

Further information trifinite.org Loose association of security experts Public information about Bluetooth security Individual testings and trainings TRUST = trifinite unified security testing Contact us via contact@trifinite.org

The Next Big Challenge Hacking TheToy - Just imagine all the girls freaking out when they sense the proximity of your geeky laptop ;)

Any questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information