
Page 1: Bluetooth Hacking Padocon

University Alliance Hacking/Security Conference PADOCON

“for the Passionate Future”

Bluetooth Hacking

August 26, 2006 University Hacking & Security Frontier

PADOCON [email protected]@padocon.org

Page 2: Bluetooth Hacking Padocon

1 Bluetooth Hacking

Contents

Ⅰ. Bluetooth Technology and Vulnerabilities

Ⅱ. Bluetooth Hacking in Korea by PADOCON

Ⅲ. Some Advice for Bluetooth Security

Page 3: Bluetooth Hacking Padocon


Ⅰ. Bluetooth Technology and Vulnerabilities

Are you happy in a burning bunker?

Page 4: Bluetooth Hacking Padocon


BT Technology Overview

BT Technology
- A general cable replacement for short-range wireless standards (e.g. IrDA)
- Usage: information exchange and networking between devices (e.g. vCard, PAN)
- NOT WiFi!
- Pairing: the mechanism for establishing long-term trust between two BT devices
- RFCOMM: wireless serial port emulation (basically)
- AT Commands: used to control some devices across an RFCOMM connection
- Discoverable mode: when a device wants to be found, it responds to other devices sending inquiries

Page 5: Bluetooth Hacking Padocon


BT Technology Overview (cont.)

Core Specs v2.0 from Bluetooth SIG
- Hardware-based radio system + software stack
- 2.4 GHz ISM band
- Frequency Hopping Spread Spectrum (1600 hops/s on 79 channels)
- Low power consumption, short range (10~100 m)
- Data rates: 2 and 3 Mbps (Enhanced Data Rate)
- Security is largely unchanged from the 1.1 spec

BT Profiles
- Profiles govern how like devices talk to each other

Page 6: Bluetooth Hacking Padocon


BT-related Products

BT products are everywhere!
- Cordless Desktop
- Internet Bridge
- File Transfer
- Briefcase Trick
- Interactive Conference
- Automatic Synchronizer
- Instant Postcard
- Three-in-One Phone
- Ultimate Headset
- Hands-Free Car Kit
- etc.

Page 7: Bluetooth Hacking Padocon


BT Technology and Flaws Timeline

Page 8: Bluetooth Hacking Padocon


Contemporary Bluetooth Attacks

Leading group [http://trifinite.org]
- Leading the charge of publicly disclosed Bluetooth attacks
- Bluediving (bluediving.sourceforge.net) has Linux-based implementations of most of their tools

Others [@stake, TSG, etc.]
- Have tackled some BT issues as well

Problems come from poor implementations
- Rush to market leads to poor security
- Super complicated protocol stack leads to poor security
- Lack of security training for developers leads to poor security

Page 9: Bluetooth Hacking Padocon


Common Bluetooth Vulnerabilities – Stupid Defaults

Hard-configured PIN
- Pairing-time issue
- Possible attack: Car Whisperer

Profiles turned on by default
- The same problem as leaving unneeded network services running

No authentication

Poor per-profile defaults
- e.g. a BT CF adapter whose file-sharing profile defaulted to world-writable and shared the entire filesystem

Discoverable by default
- An attacker can find users because they use discoverable mode
- DoS attacks can drain the battery faster

Page 10: Bluetooth Hacking Padocon


Common Bluetooth Vulnerabilities – Link-Level Attacks

Resetting the link key
- A way to force a device to lose its link key and try to re-pair
- Basically, fake the BDADDR and repeatedly fail to bring up a secure channel, and the device will assume you “lost” the key
- If a device has a default PIN, you can then automatically set up a trust relationship

Cleartext data
- Just like on the web

Location based
- RF: you can track people (http://braces.shmoo.com)

Page 11: Bluetooth Hacking Padocon


Common Bluetooth Vulnerabilities – Bad Implementation

Exposing functionality prior to authentication
- The basis for the BlueSnarf attack
- AT commands are sent to the phone that retrieve the address book
- The phone for some reason assumes this is OK and gives you all the data

Packet-o-death
- Bluesmack sends a big l2ping packet to the device in an effort to kill it
- Protocol fuzzing in general is a dandy way to knock over BT devices

Page 12: Bluetooth Hacking Padocon


Hacking Tools on BT

- trivial OBEX push attack

- discovered by Marcel Holtmann

- also discovered by Adam Laurie

- issuing AT commands

- discovered by Martin Herfurt

- possibility to cause extra costs

Page 13: Bluetooth Hacking Padocon


Hacking Tools on BT (cont.)

- using L2CAP echo feature

- causing buffer overflows

- denial of service attack

- denial of service attack

- credits to Q-Nix and Collin R. Mulliner

- forced re-keying

- tell partner to delete pairing

- connect to unauthorized channels

Page 14: Bluetooth Hacking Padocon


Hacking Tools on BT (cont.)

- clone a trusted device

- disable encryption

- force re-pairing

- fingerprinting for bluetooth

- work started by Collin R. Mulliner and Martin Herfurt

- based on the SDP records and OUI

- important for security audits

- paper with more information available

Page 15: Bluetooth Hacking Padocon


Hacking Tools on BT (cont.)

- Enhancing the range of a Bluetooth dongle by connecting a directional antenna: as done in the Long Distance Attack

Page 16: Bluetooth Hacking Padocon


Hacking Tools on BT (cont.)

- Bluetooth Wireless Technology Hoover

- Proof-of-Concept Application

- Educational Purposes only

- Phone Auditing Tool

- Running on Java

Page 17: Bluetooth Hacking Padocon


Hacking Tools on BT (cont.)

The Car Whisperer
- Uses default PIN codes to connect to car kits
- Inject audio
- Record audio
- Don’t whisper and drive!
- Stationary directional antenna

Page 18: Bluetooth Hacking Padocon


Hacking Tools on BT (cont.)

BlueBag
- GNU/Linux Gentoo OS

- v2.6 kernel + BlueZ subsystem

- Custom python-based software

- Remote controlling

- Monitoring

- Data storage

- Data gathering in crowded places and related issues

Page 19: Bluetooth Hacking Padocon


Hacking Tools on BT (cont.)

Page 20: Bluetooth Hacking Padocon


Ⅱ. Bluetooth Hacking in Korea by PADOCON

(DEMO)

Page 21: Bluetooth Hacking Padocon


Hacking Tool Development – BlueZ Attack

(diagram: devices labelled 00:11:22:33:44:55, 00:02:32:5C:3F:22 and F0:00:0C:23:43:92)

- v2.6 kernel + BlueZ subsystem (bluez-utils, bluez-libs, btsco, etc.)

Page 22: Bluetooth Hacking Padocon


Various Attacks on BT Devices – Headset Injection

Headset Injection
- Inquiring → paging
- Headsets that apply a low security mode
- Access by unauthenticated users and unauthorized devices

(diagram: attack server → INQUIRING → PAGING → CONNECTION)

Page 23: Bluetooth Hacking Padocon


Various Attacks on BT Devices – Cellphone DoS

Cellphone security
- Applies a higher security level than headsets
- PIN (Personal Identification Number): the Bluetooth passkey
- Vulnerable to PIN requests arising from access attempts by unauthorized devices

Security weakness in the L2CAP layer implementation
- Multiplexing, segmentation and reassembly
- Receives packets of up to 64 Kbytes
- Faulty packet size boundary checking

Page 24: Bluetooth Hacking Padocon


Various Attacks on BT Devices – Cellphone DoS

L2CAP packet construction

    …
    #define SIZE 1000
    #define FAKE_SIZE (SIZE-3)   // (3 bytes <=> L2CAP header)
    …
    l2cap_cmd_hdr *cmd;
    …
    cmd = (l2cap_cmd_hdr *) buffer;
    cmd->code = L2CAP_ECHO_REQ;
    cmd->ident = 1;
    cmd->len = FAKE_SIZE;
    …
    send(sock, buffer, SIZE, 0);
    …
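The fragment above sends a command whose header length field disagrees with the number of bytes actually transmitted, and the slides blame the resulting crash on missing packet size boundary checking in the receiving L2CAP implementation. The following Python is an added example (not code from the PADOCON deck or from BlueZ) of the check a receiver should perform: it parses an echo request with the same code/ident/len header layout as BlueZ's l2cap_cmd_hdr, refuses any command whose length field does not match the bytes present or exceeds a cap, and only then echoes the payload back. The echo request/response codes 0x08/0x09 are the L2CAP values; the 44-byte payload limit, the function names and the test packets are assumptions of this example.

```python
import struct
from typing import Optional, Tuple

# L2CAP signalling command header as BlueZ's l2cap_cmd_hdr lays it out:
# code (1 byte), ident (1 byte), len (2 bytes, little-endian).
L2CAP_ECHO_REQ = 0x08
L2CAP_ECHO_RSP = 0x09
CMD_HDR = struct.Struct("<BBH")

# Assumed limit for this example: the 48-byte default signalling MTU minus
# the 4-byte command header. A real stack would use its negotiated MTU.
MAX_ECHO_DATA = 44


class L2capError(ValueError):
    """Raised when a received command must be dropped rather than processed."""


def parse_echo_request(buf: bytes, max_data: int = MAX_ECHO_DATA) -> Tuple[int, bytes]:
    """Parse one echo request and return (ident, payload).

    The length field is attacker-controlled, so it is checked against the
    number of bytes actually received before any payload is touched. Copying
    cmd->len bytes without this comparison is the boundary-check mistake the
    slides describe.
    """
    if len(buf) < CMD_HDR.size:
        raise L2capError("truncated command header")
    code, ident, length = CMD_HDR.unpack_from(buf, 0)
    if code != L2CAP_ECHO_REQ:
        raise L2capError(f"unexpected command code 0x{code:02x}")
    present = len(buf) - CMD_HDR.size
    if length != present:
        raise L2capError(f"length field {length} does not match {present} payload bytes")
    if length > max_data:
        raise L2capError(f"echo payload of {length} bytes exceeds limit of {max_data}")
    return ident, bytes(buf[CMD_HDR.size:])


def build_echo_request(ident: int, data: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build an echo request. claimed_len, when given, writes a header length that
    disagrees with the payload (the shape of the packet on the slide, where len is
    SIZE-3 while SIZE bytes are sent); used here only as a test vector."""
    length = len(data) if claimed_len is None else claimed_len
    return CMD_HDR.pack(L2CAP_ECHO_REQ, ident, length) + data


def build_echo_response(ident: int, data: bytes) -> bytes:
    return CMD_HDR.pack(L2CAP_ECHO_RSP, ident, len(data)) + data


def handle_echo(buf: bytes) -> Optional[bytes]:
    """Responder side: answer a well-formed echo request, or return None
    (drop silently) when the request fails validation."""
    try:
        ident, data = parse_echo_request(buf)
    except L2capError:
        return None
    return build_echo_response(ident, data)


if __name__ == "__main__":
    good = build_echo_request(1, b"ping")
    print("well-formed ->", handle_echo(good))
    # Header claims 997 bytes while only 20 follow: rejected instead of trusted.
    bad = build_echo_request(1, b"A" * 20, claimed_len=997)
    print("bad length  ->", handle_echo(bad))
```

The design point is that the two numbers a receiver has, the header's length field and the byte count the socket actually delivered, must agree before either is used as a copy length; a mismatch is dropped, not "fixed up".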

Page 25: Bluetooth Hacking Padocon


Various Attacks on BT Devices – ESN Sniffing

SDP (Service Discovery Protocol)
- Provides the service information of a Bluetooth device
- Could hidden channels exist? (for developers~ ☺)

ESN (Electronic Serial Number) Sniffing
- Recent products ship with the ESN encrypted, but older products still have the problem

    …
    Manufacturer: XXXXX-ABCD CO. LTD
    Model: 123
    Revision: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
    ESN: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
    +GCAP: +CIS707-A, CIS-856, +MS, +ES, +DS, +FCLASS
    …

Page 26: Bluetooth Hacking Padocon


Various Attacks on BT Devices – BT Wardriving

Wardriving
- Testing for vulnerabilities while driving around in a car or walking

Bluetooth Wardriving overview
- Time: 20 August 2006, 19:47 ~ 20:40
- Place: Daejeon, a large discount store (XXX), roads in Yuseong, restaurants
- Method: scanning for Bluetooth products in pairing mode and testing for DoS possibilities

Page 27: Bluetooth Hacking Padocon


Various Attacks on BT Devices – BT Wardriving

Bluetooth Wardriving results

# addr name type time

1 00:15:B9:B7:68:C8 Anycall P 2006-8-20 19: 7:10

2 00:0C:78:12:96:39 BT20S P 2006-8-20 19: 7:16

3 00:0A:3B:F6:40:22 Audio Decoder P 2006-8-20 19: 7:20

4 00:16:CE:EF:29:53 SENSQ1 P 2006-8-20 19: 7:22

5 00:00:F0:9A:D0:93 이쁜내새끼들 P 2006-8-20 19: 8:13

6 00:12:56:3A:49:E5 LF1200 P 2006-8-20 19:11:27

7 00:12:56:3B:97:67 [unknown] P 2006-8-20 19:13:58

8 00:15:B9:BC:39:26 Anycall P 2006-8-20 19:14:29

9 00:15:B9:B9:B9:04 Anycall P 2006-8-20 19:17:39

10 00:00:F0:9C:B4:23 Anycall P 2006-8-20 19:17:57

11 00:07:7F:30:0B:AE [unknown] P 2006-8-20 19:18:55

12 00:12:56:47:A0:B4 LF1200 P 2006-8-20 19:19:13

13 00:12:56:00:42:30 [unknown] P 2006-8-20 19:19:54

14 00:15:B9:B6:AA:05 Anycall P 2006-8-20 19:23:25

15 00:00:F0:98:1F:C8 나도연애하는데~ 풉ㅋ P 2006-8-20 19:23:49

Page 28: Bluetooth Hacking Padocon


Various Attacks on BT Devices – BT Wardriving

16 00:15:B9:BB:4C:72 [unknown] P 2006-8-20 19:29: 5

17 00:12:47:01:23:45 [unknown] P 2006-8-20 19:29:56

18 00:00:F0:9C:3E:F4 Anycall P 2006-8-20 19:30:30

19 00:05:C9:51:CD:99 [unknown] P 2006-8-20 19:31:12

20 00:00:F0:96:0A:76 [unknown] P 2006-8-20 19:33:22

21 00:00:F0:9B:CE:B8 인생빠꾸없다 P 2006-8-20 19:33:43

22 00:02:78:0E:21:91 [unknown] P 2006-8-20 19:34:25

23 00:07:7F:31:01:99 [unknown] P 2006-8-20 19:35:16

24 00:15:B9:BB:D9:72 [unknown] P 2006-8-20 19:35:57

25 00:12:56:15:B3:85 [unknown] P 2006-8-20 19:36:38

26 00:05:C9:53:FA:2E [LG]-LP3900 P 2006-8-20 19:38:45

27 00:00:F0:98:FE:E2 Anycall P 2006-8-20 19:40:16

28 00:12:56:9F:33:E5 [unknown] P 2006-8-20 19:40:57

29 00:15:B9:BE:19:0E Anycall P 2006-8-20 19:43:53

30 00:00:F0:94:A1:28 [unknown] P 2006-8-20 19:59:56

31 00:12:56:00:8F:92 LG-KF1000 P 2006-8-20 20: 9: 9

32 00:05:C9:6F:6F:AD [unknown] P 2006-8-20 20:18:40

33 00:12:56:46:BA:70 LF1200 P 2006-8-20 20:21:39

34 00:05:C9:54:CF:E1 [LG]-LP3900 P 2006-8-20 20:36: 8

- The number of users of Bluetooth-equipped devices in Korea is increasing
- There have been no cases of large-scale damage from attacks, but precautions against personal information leakage are needed
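The scan table above is raw material for exactly the kind of audit the tools section mentions under fingerprinting (SDP records and OUI). As an added example that is not part of the PADOCON deck, the following Python parses rows in the table's layout, groups the discovered devices by OUI (the first three octets of the BD_ADDR), and for each device that answered with no name reports the friendly names seen under the same OUI as a vendor hint. The sample rows are copied from the table; the row parser, the "[unknown]" marker handling and the heuristic that devices sharing an OUI come from the same manufacturer are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the scan table above (index, BD_ADDR,
# friendly name, type column, date, time). The rows are copied from the slide's
# table; the time field may contain a space where the original output left a
# digit unpadded (e.g. "19: 7:10").
SAMPLE_SCAN = """\
1 00:15:B9:B7:68:C8 Anycall P 2006-8-20 19: 7:10
2 00:0C:78:12:96:39 BT20S P 2006-8-20 19: 7:16
3 00:0A:3B:F6:40:22 Audio Decoder P 2006-8-20 19: 7:20
5 00:00:F0:9A:D0:93 이쁜내새끼들 P 2006-8-20 19: 8:13
6 00:12:56:3A:49:E5 LF1200 P 2006-8-20 19:11:27
7 00:12:56:3B:97:67 [unknown] P 2006-8-20 19:13:58
8 00:15:B9:BC:39:26 Anycall P 2006-8-20 19:14:29
16 00:15:B9:BB:4C:72 [unknown] P 2006-8-20 19:29: 5
26 00:05:C9:53:FA:2E [LG]-LP3900 P 2006-8-20 19:38:45
"""

UNKNOWN_NAME = "[unknown]"   # marker the scan log uses when no name came back

# Friendly names may contain spaces, so the name group is non-greedy and the
# row is anchored by the single-letter type column and the date that follow it.
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\s+"
    r"(?P<addr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<name>.+?)\s+"
    r"(?P<type>[A-Z])\s+"
    r"(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+"
    r"(?P<h>\d{1,2}):\s?(?P<m>\d{1,2}):\s?(?P<s>\d{1,2})\s*$"
)


def parse_scan(text):
    """Parse scan rows into dicts; the OUI is the first three octets of BD_ADDR."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable scan row: {line!r}")
        addr = m["addr"].upper()
        records.append({
            "addr": addr,
            "oui": addr[:8],
            "name": m["name"],
            "type": m["type"],
            "time": f"{m['date']} {int(m['h']):02d}:{int(m['m']):02d}:{int(m['s']):02d}",
        })
    return records


def audit_by_oui(records):
    """Group devices by OUI. For a device that answered with no name, the friendly
    names seen under the same OUI are returned as a vendor hint (a heuristic:
    same OUI, probably the same manufacturer)."""
    by_oui = defaultdict(lambda: {"addrs": [], "names": set()})
    for r in records:
        by_oui[r["oui"]]["addrs"].append(r["addr"])
        if r["name"] != UNKNOWN_NAME:
            by_oui[r["oui"]]["names"].add(r["name"])
    hints = {
        r["addr"]: sorted(by_oui[r["oui"]]["names"])
        for r in records if r["name"] == UNKNOWN_NAME
    }
    return dict(by_oui), hints


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_SCAN)
    groups, hints = audit_by_oui(recs)
    for oui, g in sorted(groups.items()):
        print(f"{oui}: {len(g['addrs'])} device(s), names seen: {sorted(g['names'])}")
    for addr, names in hints.items():
        print(f"{addr} reported no name; same-OUI names: {names or 'none'}")
```

On the full table the same grouping shows how many distinct devices answered inquiries in under an hour in one shopping area, which is the discoverable-by-default problem from the vulnerabilities section measured rather than asserted.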

Page 29: Bluetooth Hacking Padocon


Ⅲ. Some Advice for Bluetooth Security

Page 30: Bluetooth Hacking Padocon


Plz, No more defaults~ OTL

Secure Configuration

Changing the PIN
- Better PIN management is needed

Better security for the link key
- A safer place to store the link key is needed
- A warning should be raised when a device suddenly loses its link key

Handsfree / Headset – make a list of the AT commands that may be used
- AT+RING, AT+CKPD, etc.

Serial Port
- Implement fuzzing detection techniques

OBEX
- Authentication must always be performed
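The hands-free/headset advice above amounts to an allow-list: a device exposing an RFCOMM channel for a headset profile should accept only the handful of AT commands that profile needs and refuse everything else, which also gives a natural detection point for the address-book retrieval described under BlueSnarf. The following Python is an added example (not code from the PADOCON deck) of such a filter run over a constructed session. AT+RING and AT+CKPD are the two commands the slide names; +VGS/+VGM and the sample session, including the AT+CPBR phonebook reads it denies, are this example's assumptions.

```python
import re
from typing import Optional, Tuple

# Allow-list for a headset / hands-free link. AT+RING and AT+CKPD are the two
# commands named on the slide; +VGS and +VGM (speaker and microphone gain) are
# added as this example's assumption of what the profile legitimately needs.
HEADSET_ALLOWED = frozenset({"+RING", "+CKPD", "+VGS", "+VGM"})

# "AT", a command name (+NAME, &NAME, or a basic letter command such as D...),
# then an optional "=args" or "?" query part.
AT_RE = re.compile(r"^AT(?P<name>[+&]?[A-Z0-9]+)(?P<args>[=?].*)?$", re.IGNORECASE)

# Constructed session: two legitimate headset commands, then two phonebook
# reads (AT+CPBR, the 3GPP 27.007 phonebook-read command), a dial attempt
# and a malformed line.
SAMPLE_SESSION = [
    "AT+CKPD=200",
    "AT+VGS=10",
    "AT+CPBR=1,100",
    "AT+CPBR=101,200",
    "ATD12345",
    "garbage",
]


def parse_at(line: str) -> Optional[Tuple[str, str]]:
    """Split one AT line into (NAME, args); None when it is not an AT command."""
    m = AT_RE.match(line.strip())
    if m is None:
        return None
    return m["name"].upper(), (m["args"] or "")


def filter_at(line: str, allowed=HEADSET_ALLOWED) -> Tuple[str, Optional[str], str]:
    """Decide for one received line: ('allow'|'deny', command name, args or reason)."""
    parsed = parse_at(line)
    if parsed is None:
        return "deny", None, "malformed"
    name, args = parsed
    if name in allowed:
        return "allow", name, args
    return "deny", name, "not in profile allow-list"


def audit_session(lines, allowed=HEADSET_ALLOWED):
    """Return the denied (line, command, reason) triples of a session, so that a
    run of denials such as repeated phonebook reads can be logged as suspicious."""
    denied = []
    for line in lines:
        decision, name, detail = filter_at(line, allowed)
        if decision == "deny":
            denied.append((line.strip(), name, detail))
    return denied


if __name__ == "__main__":
    for entry in audit_session(SAMPLE_SESSION):
        print("DENIED", entry)
```

Default-deny is the point: the list names what the profile needs, so a new or vendor-specific command is refused until someone deliberately adds it, rather than reaching the modem layer because nobody thought to block it.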

Page 31: Bluetooth Hacking Padocon


Thank you.

Contact Point:
* About the presentation: [email protected]
* About the included tests: [email protected]
* http://hackers.padocon.org, http://padocon.org