bluetooth hacking padocon
TRANSCRIPT
University Alliance Hacking/Security Conference PADOCON
“for the Passionate Future” Bluetooth Hacking
August 26, 2006 University Hacking & Security Frontier
PADOCON [email protected]@padocon.org
1Bluetooth Hacking
Contents
Ⅰ. Bluetooth Technology and Vulnerabilities
Ⅱ. Bluetooth Hacking in Korea by PADOCON
Ⅲ. Some Advice for Bluetooth Security
Ⅰ. Bluetooth Technology and Vulnerabilities
Are you happy in a burning bunker?
BT Technology Overview
BT Technology
- A general cable replacement for low range wireless standards (eg. IrDA)
- Usage : information exchange and networking between devices (eg. vCard, PAN)
- NOT WiFi!
- Pairing : mechanism for establishing long term trust between two BT devices
- RFCOMM : wireless serial port emulation (basically)
- AT Commands : used to control some devices across an RFCOMM connection
- Discoverable mode : when a device wants to be found, it will respond to other devices sending inquiries
BT Technology Overview (~cont.)
Core Specs v2.0 from Bluetooth SIG
- Hardware based radio system + software stack
- 2.4GHz ISM band
- Frequency Hopping Spread Spectrum (1600 hops/s on 79 channels)
- Low power consumption, short range (10~100m)
- Data rates : 2 and 3 Mbps (Enhanced Data Rate)
- Security is largely unchanged from the 1.1 spec
BT Profiles
- profiles govern how like devices talk to each other
BT related Products
BT products are everywhere~!
- Cordless Desktop
- Internet Bridge
- File Transfer
- Briefcase Trick
- Interactive Conference
- Automatic Synchronizer
- Instant Postcard
- Three-in-One Phone
- Ultimate Headset
- Hands-Free Car Kit
- etc.
BT Technology and Flaws Timeline
Contemporary Bluetooth Attacks
Leading group [http://trifinite.org]
- leading the charge of publicly disclosed Bluetooth attacks
- Bluediving (bluediving.sourceforge.net) has Linux based implementations of most of their tools
Others [@stake and TSG, etc.]
- have tackled some BT issues as well
Problems come from poor implementations
- Rush to market leads to poor security
- Super complicated protocol stack leads to poor security
- Lack of security training for developers leads to poor security
Common Bluetooth Vulnerabilities – Stupid Default
Hard configured PIN
- pairing time issue
- possible attack : Car Whisperer
Profiles turned on by default
- same as leaving unneeded network services running
No authentication
Poor per-profile default
- eg. a BT CF adapter that had the filesharing profile defaulted to world writable and shared the entire filesystem
Discoverable by default
- attacker can find users because they use discoverable mode
- DoS attack can occur, sucking down the battery faster
Common Bluetooth Vulnerabilities – Link-Level Attacks
Resetting the link key
- a way to force a device to lose its link key and try to re-pair
- basically, fake the BDADDR and repeatedly fail to bring up a secure channel, and the device will assume you “lost” the key
- If a device has a default PIN, you can then automatically set up a trust relationship
Cleartext data
- just like on the web
Location Based
- RF, you can track people (http://braces.shmoo.com)
Common Bluetooth Vulnerabilities – Bad Implementation
Exposing functionality prior to authentication
- basis for the BlueSnarf attack
- AT commands are sent to the phone that retrieve the address book
- The phone for some reason assumes this is OK and gives you all the data
Packet-o-death
- Bluesmack sends a big l2ping packet to the device in an effort to kill it
- Protocol fuzzing in general is a dandy way to knock over BT devices
Hacking Tools on BT
- trivial OBEX push attack
- discovered by Marcel Holtmann
- also discovered by Adam Laurie
- issuing AT commands
- discovered by Martin Herfurt
- possibility to cause extra costs
Hacking Tools on BT (~cont.)
- using L2CAP echo feature
- causing buffer overflows
- denial of service attack
- denial of service attack
- credits to Q-Nix and Collin R. Mulliner
- forced re-keying
- tell partner to delete pairing
- connect to unauthorized channels
Hacking Tools on BT (~cont.)
- clone a trusted device
- disable encryption
- force re-pairing
- fingerprinting for bluetooth
- work started by Collin R. Mulliner and Martin Herfurt
- based on the SDP records and OUI
- important for security audits
- paper with more information available
Hacking Tools on BT (~cont.)
- Enhancing the range of a bluetooth dongle by connecting a directional antenna : as done in the Long Distance Attack
Hacking Tools on BT (~cont.)
- Bluetooth Wireless Technology Hoover
- Proof-of-Concept Application
- Educational Purposes only
- Phone Auditing Tool
- Running on Java
Hacking Tools on BT (~cont.)
The Car Whisperer
- use default PIN codes to connect to carkits
- inject audio
- record audio
- don’t whisper and drive!
- stationary directional antenna
Hacking Tools on BT (~cont.)
BlueBag
- GNU/Linux Gentoo OS
- v2.6 kernel + BlueZ subsystem
- Custom python-based software
- Remote controlling
- Monitoring
- Data storage
- Data gathering in crowded places and related issues
Hacking Tools on BT (~cont.)
Ⅱ. Bluetooth Hacking in Korea by PADOCON
(DEMO)
Hacking Tool Development – Bluez Attack
[Diagram: attack setup showing the BDADDRs 00:11:22:33:44:55, 00:02:32:5C:3F:22 and F0:00:0C:23:43:92]
- v2.6 kernel + BlueZ subsystem (Bluez-util, Bluez-lib, btsco, etc.)
Various Attacks on BT Devices – Headset Injection
Headset Injection
- inquiring → paging
- headsets that apply a low-level security mode
- access by unauthenticated users and unauthorized devices
[Diagram: attack server → headset: INQUIRING, PAGING, CONNECTION]
Various Attacks on BT Devices – Cellphone DoS
Cellphone security
- a higher level of security is applied than on headsets
- PIN (Personal Identification Number) : the Bluetooth passkey
- vulnerable to PIN requests from unauthorized devices
Security weakness in the implementation of the L2CAP layer
- multiplexing, segmentation and reassembly
- receives packets up to 64 Kbytes in size
- faulty packet size boundary checking
Various Attacks on BT Devices – Cellphone DoS
L2CAP packet composition
    …
    #define SIZE 1000
    #define FAKE_SIZE (SIZE-3)   // (3 bytes <=> L2CAP header)
    …
    l2cap_cmd_hdr *cmd;
    …
    cmd = (l2cap_cmd_hdr *) buffer;   // command header at the start of the send buffer
    cmd->code = L2CAP_ECHO_REQ;       // L2CAP echo request (the l2ping command)
    cmd->ident = 1;
    cmd->len = FAKE_SIZE;             // declared length disagrees with the SIZE bytes actually sent
    …
    send(sock, buffer, SIZE, 0);
    …
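The boundary check that the slide says these stacks get wrong, as an added example that is not PADOCON's demo code: a Python validator parses an L2CAP signalling frame and rejects an echo request whose declared command length disagrees with the bytes actually received, reproducing the SIZE/FAKE_SIZE mismatch above on constructed frames. The 48-byte signalling MTU used as the acceptance limit is an assumption.

```python
import struct

L2CAP_SIGNALING_CID = 0x0001   # the signalling channel carries echo requests
L2CAP_ECHO_REQ = 0x08
SIG_MTU = 48                   # assumed acceptance limit for one signalling PDU

def build_echo_request(data: bytes, declared_len=None) -> bytes:
    """Constructed test frame: basic L2CAP header + command header + echo data.
    declared_len overrides the real length to reproduce the slide's FAKE_SIZE trick."""
    cmd_len = len(data) if declared_len is None else declared_len
    cmd = struct.pack("<BBH", L2CAP_ECHO_REQ, 1, cmd_len) + data   # code, ident, len
    return struct.pack("<HH", len(cmd), L2CAP_SIGNALING_CID) + cmd  # pdu length, CID

def check_echo_request(frame: bytes) -> dict:
    """Validate one incoming frame the way a careful L2CAP receiver should."""
    if len(frame) < 8:   # 4-byte basic header + 4-byte command header
        return {"ok": False, "reason": "frame shorter than L2CAP headers"}
    pdu_len, cid = struct.unpack_from("<HH", frame, 0)
    if cid != L2CAP_SIGNALING_CID:
        return {"ok": False, "reason": f"CID {cid:#06x} is not the signalling channel"}
    if pdu_len != len(frame) - 4:
        return {"ok": False, "reason": f"basic header says {pdu_len} bytes, got {len(frame) - 4}"}
    code, ident, cmd_len = struct.unpack_from("<BBH", frame, 4)
    if code != L2CAP_ECHO_REQ:
        return {"ok": False, "reason": f"unexpected command code {code:#04x}"}
    actual = len(frame) - 8
    if cmd_len != actual:
        # The check the slide's stack lacks: declared length vs. bytes on the wire.
        return {"ok": False, "reason": f"command length {cmd_len} != actual data {actual}"}
    if cmd_len > SIG_MTU - 4:
        return {"ok": False, "reason": f"echo data {cmd_len} exceeds signalling MTU"}
    return {"ok": True, "reason": "well-formed echo request", "ident": ident}

if __name__ == "__main__":
    # Constructed frames: a normal ping and the slide's SIZE=1000 / FAKE_SIZE=997 packet.
    print(check_echo_request(build_echo_request(b"ping")))
    print(check_echo_request(build_echo_request(b"A" * 996, declared_len=997)))
```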
Various Attacks on BT Devices – ESN Sniffing
SDP (Service Discovery Protocol)
- provides the service information of a Bluetooth device
- possible existence of hidden channels? (for developers~ ☺ )
ESN (Electronic Serial Number) Sniffing
- recent products ship with the ESN encrypted, but older products still have the problem
    …
    Manufacturer: XXXXX-ABCD CO. LTD
    Model: 123
    Revision: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
    ESN: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
    +GCAP: +CIS707-A, CIS-856, +MS, +ES, +DS, +FCLASS
    …
Various Attacks on BT Devices – BT Wardriving
Wardriving
- testing for vulnerabilities while driving around in a car or walking
Bluetooth Wardriving overview
- Time : 20 August 2006, 19:47 ~ 20:40
- Place : a large discount store in Daejeon (XXX), a road in Yuseong, restaurants
- Method : scanning for Bluetooth products in pairing mode and testing the possibility of DoS
Various Attacks on BT Devices – BT Wardriving
Bluetooth Wardriving results
addr name type time
1 00:15:B9:B7:68:C8 Anycall P 2006-8-20 19: 7:10
2 00:0C:78:12:96:39 BT20S P 2006-8-20 19: 7:16
3 00:0A:3B:F6:40:22 Audio Decoder P 2006-8-20 19: 7:20
4 00:16:CE:EF:29:53 SENSQ1 P 2006-8-20 19: 7:22
5 00:00:F0:9A:D0:93 이쁜내새끼들 P 2006-8-20 19: 8:13
6 00:12:56:3A:49:E5 LF1200 P 2006-8-20 19:11:27
7 00:12:56:3B:97:67 [unknown] P 2006-8-20 19:13:58
8 00:15:B9:BC:39:26 Anycall P 2006-8-20 19:14:29
9 00:15:B9:B9:B9:04 Anycall P 2006-8-20 19:17:39
10 00:00:F0:9C:B4:23 Anycall P 2006-8-20 19:17:57
11 00:07:7F:30:0B:AE [unknown] P 2006-8-20 19:18:55
12 00:12:56:47:A0:B4 LF1200 P 2006-8-20 19:19:13
13 00:12:56:00:42:30 [unknown] P 2006-8-20 19:19:54
14 00:15:B9:B6:AA:05 Anycall P 2006-8-20 19:23:25
15 00:00:F0:98:1F:C8 나도연애하는데~ 풉ㅋ P 2006-8-20 19:23:49
16 00:15:B9:BB:4C:72 [unknown] P 2006-8-20 19:29: 5
17 00:12:47:01:23:45 [unknown] P 2006-8-20 19:29:56
18 00:00:F0:9C:3E:F4 Anycall P 2006-8-20 19:30:30
19 00:05:C9:51:CD:99 [unknown] P 2006-8-20 19:31:12
20 00:00:F0:96:0A:76 [unknown] P 2006-8-20 19:33:22
21 00:00:F0:9B:CE:B8 인생빠꾸없다 P 2006-8-20 19:33:43
22 00:02:78:0E:21:91 [unknown] P 2006-8-20 19:34:25
23 00:07:7F:31:01:99 [unknown] P 2006-8-20 19:35:16
24 00:15:B9:BB:D9:72 [unknown] P 2006-8-20 19:35:57
25 00:12:56:15:B3:85 [unknown] P 2006-8-20 19:36:38
26 00:05:C9:53:FA:2E [LG]-LP3900 P 2006-8-20 19:38:45
27 00:00:F0:98:FE:E2 Anycall P 2006-8-20 19:40:16
28 00:12:56:9F:33:E5 [unknown] P 2006-8-20 19:40:57
29 00:15:B9:BE:19:0E Anycall P 2006-8-20 19:43:53
30 00:00:F0:94:A1:28 [unknown] P 2006-8-20 19:59:56
31 00:12:56:00:8F:92 LG-KF1000 P 2006-8-20 20: 9: 9
32 00:05:C9:6F:6F:AD [unknown] P 2006-8-20 20:18:40
33 00:12:56:46:BA:70 LF1200 P 2006-8-20 20:21:39
34 00:05:C9:54:CF:E1 [LG]-LP3900 P 2006-8-20 20:36: 8
- The number of users of Bluetooth-equipped devices in Korea is increasing
- There have been no cases of large-scale damage from attacks, but preparation against leaks of personal information is needed
Ⅲ. Some Advice for Bluetooth Security
Secure Configuration – Plz, no more defaults~ OTL
Changing the PIN number
- better PIN management is needed
Better security for the Link Key
- a safer storage location for the link key is needed
- a warning should be raised when a device suddenly loses its link key
Handsfree / Headset – draw up a list of permitted AT Commands
- AT+RING, AT+CKPD, etc.
Serial Port
- implement fuzzing detection techniques
OBEX
- authentication must always be performed
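One way to act on the headset and serial-port advice above, as an added example that is not from the slides: a Python gate that allowlists AT commands on a headset/hands-free channel and counts malformed lines per peer as a crude fuzzing detector. The allowlist entries beyond AT+RING and AT+CKPD, the five-line threshold and the sample BDADDR are assumptions.

```python
import re
from collections import defaultdict

# Assumed allowlist for a headset/hands-free service: the slide names AT+RING and
# AT+CKPD; the other HSP/HFP gain and status commands are added here for illustration.
HEADSET_ALLOWED = {"RING", "CKPD", "VGS", "VGM", "BRSF", "CIND", "CHUP"}
AT_LINE = re.compile(r"^AT\+([A-Z0-9]+)(?:[=?].*)?$")
MALFORMED_LIMIT = 5  # assumed threshold: this many bad lines from one peer flags fuzzing

class AtGate:
    """Allowlists AT commands per RFCOMM peer and counts malformed input per peer."""

    def __init__(self, allowed=HEADSET_ALLOWED, limit=MALFORMED_LIMIT):
        self.allowed = allowed
        self.limit = limit
        self.malformed = defaultdict(int)   # peer BDADDR -> malformed line count

    def check(self, peer: str, raw: bytes) -> dict:
        """Return a verdict for one line received from `peer` on the headset channel."""
        try:
            line = raw.decode("ascii").strip("\r\n ")
        except UnicodeDecodeError:
            return self._malformed(peer, "non-ASCII bytes on AT channel")
        m = AT_LINE.match(line.upper())
        if not m:
            return self._malformed(peer, "not a well-formed AT+ command")
        cmd = m.group(1)
        if cmd not in self.allowed:
            # Valid syntax but outside the profile: e.g. AT+CPBR reads the phonebook,
            # the kind of command the slides describe being honoured before authentication.
            return {"allow": False, "cmd": cmd, "why": "outside headset allowlist", "fuzzing": False}
        return {"allow": True, "cmd": cmd, "why": "permitted", "fuzzing": False}

    def _malformed(self, peer, why):
        self.malformed[peer] += 1
        return {"allow": False, "cmd": None, "why": why,
                "fuzzing": self.malformed[peer] >= self.limit}

if __name__ == "__main__":
    gate = AtGate()
    peer = "00:11:22:33:44:55"   # constructed BDADDR, taken from the demo diagram
    for raw in [b"AT+CKPD=200\r", b"AT+CPBR=1,100\r", b"\xff\xfe\r"]:   # constructed input
        print(gate.check(peer, raw))
```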
Thank you.
Contact Point :
* About presentation : [email protected]
* About included tests : [email protected]
* http://hackers.padocon.org, http://padocon.org