DirtyTooth: it’s only Rock’n’Roll, but I like it!

Chema Alonso ([email protected])
Pablo González ([email protected])
Ioseba Palop ([email protected])
Jorge Rivera ([email protected])
Álvaro Nuñez-Romero ([email protected])

Executive Summary

Bluetooth communications are on the increase. Millions of users use the technology to connect to peripherals that simplify and provide greater comfort and experience. There is a trick or hack for iOS 10.2.1 and earlier that takes advantage of the management of the profiles, causing a great impact on the privacy of millions of users who use Bluetooth technology daily. From the iOS device information leak caused by the incorrect management of profiles, a lot of information about the user and their background may be obtained.



1. Bluetooth devices

Bluetooth devices have undergone a proliferation. Their use with peripherals has meant that the expansion and use of the technology have rocketed in recent years. Keyboards, mice, speakers, hands-free kits and a whole range of devices use Bluetooth technology to provide wireless communication to users and improve the usability of peripherals and entertainment elements.

All modern operating systems support and integrate the technology. Mobile operating systems such as Android, iOS and Windows Phone provide various ways of interacting with the different elements mentioned above.

1.1 Versions of Bluetooth

Bluetooth technology has been continually evolving over the years. The following table shows the different versions and updates:

Version                Year of introduction
Bluetooth v1.0         1999
Bluetooth v1.1         2002
Bluetooth v1.2         2003
Bluetooth v2.0 + EDR   2004
Bluetooth v2.1 + EDR   2007
Bluetooth v3.0 + HS    2009
Bluetooth v4.0         2010
Bluetooth v5.0         2016-2017

Table 1: Versions of Bluetooth technology

Version 2.1 incorporates an important function for this research: the possibility of not entering the PIN code to enable pairing of devices. Audio devices such as speakers or headphones with version 2.1 of Bluetooth do not require users to enter a PIN in order to effect pairing.

2. Bluetooth Profiles

When a device wants to use a series of functions via Bluetooth, a profile is required to permit said functions. A profile is simply a specification of functions that can be performed via a Bluetooth connection, that is, a description of the actions that can be performed via the connection with the associated profile.

There is a wide variety of Bluetooth profiles. The official list contains 31 profiles, which provide various functions such as access to contacts, messages from the device, the ability to use hands-free, send audio to a device and so on. The range of functions is growing constantly.

2.1 Bluetooth Profiles on iOS

The iOS operating system supports a series of specific Bluetooth profiles. The following are the different profiles supported by the different devices:

1. Hands-Free Profile (HFP 1.6)

2. Phone Book Access Profile (PBAP)

3. Advanced Audio Distribution Profile (A2DP)

4. Audio/Video Remote Control Profile (AVRCP 1.4)

5. Personal Area Network Profile (PAN)

6. Human Interface Device Profile (HID)

7. Message Access Profile (MAP)

Device                               HFP 1.6  PBAP  A2DP  AVRCP 1.4  PAN  HID  MAP
iPhone 4 and later                   Yes      Yes   Yes   Yes        Yes  Yes  Yes
iPhone 3GS                           Yes      Yes   Yes   Yes        Yes  Yes  -
iPhone 3G                            Yes      Yes   Yes   Yes        Yes  -    -
iPhone Original                      Yes      Yes   -     -          -    -    -
iPad 2 and later                     Yes      -     Yes   Yes        Yes  Yes  -
iPad (1st Generation)                -        -     Yes   Yes        Yes  Yes  -
iPod Touch (4th Generation)          Yes      -     Yes   Yes        Yes  Yes  -
iPod Touch (2nd and 3rd Generation)  -        -     Yes   Yes        Yes  Yes  -

Table 2: Profiles supported on different Apple devices

3. Hack: DirtyTooth

Bluetooth profiles access different mobile resources, so it is essential that proper permissions management is available from the operating system. Bluetooth allows a device to run different profiles, switching between them.

The operating system notifies you when there is a profile change on a device that is paired with the mobile device. In this research, a test was carried out on the iOS and Android operating systems and each gave very different results.

When a device is linked to a mobile and the former changes its profile, two circumstances may occur. The first is that the operating system detects the change of profile, and therefore of the functions and data which the linked device can access, and asks the user to accept the profile change. This takes the form of a secure notification, so that the user realizes that the connected Bluetooth device wants to access another profile and, therefore, the private information on the terminal. The second circumstance is that the operating system does not detect the profile change and allows it to be accomplished without notifying the user.

This second circumstance has been detected in iOS operating systems and has been defined as DirtyTooth. This trick or hack allows an attacker to impersonate the A2DP profile of a speaker so that a user's iOS device connects, assuming it to be a speaker. A few moments after pairing, without having to enter a PIN, the device changes its profile to another. The iOS operating system does not notify this change and allows the attacker to access and download private information from the device.

3.1 Diagram

Before detailing the implementation, the following is a schematic example of what is used in the implementation of DirtyTooth. The diagram is valid for both the software and the hardware versions of the trick.

Figure 1: Flow diagram of DirtyTooth on iPhone

When the iOS system detects a Bluetooth signal, the user can visualize the device with which it wants to connect and a scenario like the following will be observed:

Figure 2: Discovery of a Rogue Speaker

The speaker that appears in the Bluetooth discovery is announcing the A2DP profile, a profile to play audio via the Bluetooth connection. When the user clicks on it, the pairing is completed, with no need for a PIN in Bluetooth versions 2.1 or higher.

In the following image, you can see how the headphones icon shows in the upper right corner. The device that supplants a speaker for a few seconds has an A2DP profile.

Figure 3: Device setup linked to the A2DP profile

After a few seconds, the attacker's device can change its profile to a PBAP profile, for example. If this happens, iOS will perform the profile change without displaying any type of notification to the user. This is the moment when the attacker can access the contact list and download it.

Figure 4: Switch to PBAP profile with automatic contacts synchronization

Note the existence of a setup fault or weakness in iOS. When the profile change is carried out without notification, the synchronization of contacts is enabled by default, giving access to the attacker.

The trick or hack can be extended to other profiles, as the operating system does not request authorization to change the profile. In the case of a MAP profile, in order to access the messages on the mobile device, a switch displays to synchronize messages, but in this case it is disabled by default, contrary to what happens in the case of the PBAP profile. In other words, the trick takes advantage of the lack of authorization to change profile and the default settings to synchronize elements on the device via the Bluetooth connection.
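The two behaviours contrasted above (a profile change that is silently honoured versus one that requires consent) can be written down as a small policy model. This is an added example, not code from the paper or from iOS: the class and function names, the prompt callback and the constructed device address are assumptions; the profile-to-data mapping and the sync defaults (contacts on, messages off) are taken from the text.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Profile identifiers as used in the paper (section 2.1).
A2DP, PBAP, MAP = "A2DP", "PBAP", "MAP"

# What each profile reaches on the phone, per section 3 of the paper.
PROFILE_DATA = {A2DP: "audio stream", PBAP: "contacts and call history", MAP: "messages"}

# Sync toggles the paper reports as iOS 10.2.1 defaults: contacts on, messages off.
DEFAULT_SYNC = {PBAP: True, MAP: False}


@dataclass
class PairedDevice:
    address: str                 # constructed sample address, not a real device
    paired_as: Set[str]          # profiles advertised when the user accepted pairing
    authorized: Set[str] = field(default_factory=set)  # profiles explicitly approved later

    def __post_init__(self):
        # Accepting the pairing authorizes exactly what was advertised at the time.
        self.authorized |= self.paired_as


@dataclass
class Decision:
    profile: str
    allowed: bool
    prompted: bool
    reason: str


Prompt = Callable[[str, str, str], bool]   # (address, profile, data) -> user consent


def lenient_switch(device: PairedDevice, profile: str, prompt: Prompt) -> Decision:
    """Behaviour the paper attributes to iOS <= 10.2.1: a profile change is never
    prompted; access is decided only by the per-profile sync default."""
    if profile in device.paired_as:
        return Decision(profile, True, False, "paired profile")
    allowed = DEFAULT_SYNC.get(profile, False)
    return Decision(profile, allowed, False,
                    "sync default %s, no prompt" % ("on" if allowed else "off"))


def strict_switch(device: PairedDevice, profile: str, prompt: Prompt) -> Decision:
    """Hardened behaviour: a profile the device did not pair with needs explicit
    consent naming the data it reaches; consent is remembered per device/profile."""
    if profile in device.authorized:
        return Decision(profile, True, False, "previously authorized")
    if prompt(device.address, profile, PROFILE_DATA.get(profile, "unknown data")):
        device.authorized.add(profile)
        return Decision(profile, True, True, "user approved")
    return Decision(profile, False, True, "user denied")


def replay(policy, device: PairedDevice, requests: List[str], prompt: Prompt) -> List[Decision]:
    """Feed a sequence of profile requests from one device through a policy."""
    return [policy(device, p, prompt) for p in requests]


def rogue_speaker() -> PairedDevice:
    """Constructed scenario from section 3.1: the peer paired as a speaker (A2DP only)."""
    return PairedDevice("00:11:22:33:44:55", {A2DP})   # constructed address


# Section 3.1 sequence: stream audio, then ask for the phone book, then for messages.
SCENARIO = [A2DP, PBAP, MAP]


def deny_all(address: str, profile: str, data: str) -> bool:
    """Prompt stub standing in for a user who declines every new profile."""
    return False


if __name__ == "__main__":
    for name, policy in (("lenient", lenient_switch), ("strict", strict_switch)):
        print(name)
        for d in replay(policy, rogue_speaker(), SCENARIO, deny_all):
            print("  %-4s allowed=%-5s prompted=%-5s %s" % (d.profile, d.allowed, d.prompted, d.reason))
```

Under the lenient policy the PBAP request succeeds silently (the Figure 4 situation) and MAP fails only because its sync switch defaults to off; under the strict policy both requests trigger a prompt and the phone book is not released unless the user approves. The difference that matters is the prompt, not the defaults: a default-on sync switch is harmless when the profile change itself requires consent.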

The elements that can be downloaded from the mobile device via the DirtyTooth hack are any elements that may be accessed via the profile to which it has been changed. A PBAP profile allows:

1. The request for and download of contacts from the device. This enables a potential attacker to extract all information from the contacts directory of the iOS operating system. The format in which they are extracted can vary between vCard 2.1 and 3.0.

2. The request for and download of call history, incoming and outgoing, from the device. This enables a potential attacker to extract the call register from the iOS operating system. The format in which they are extracted can vary between vCard 2.1 and 3.0.

Information extracted with the attacker's rogue device can be sent via the Internet to a server under the attacker's control. Thus, connecting iPhone devices with an audio device, even hands-free, via Bluetooth is a threat to user privacy.

The information that can be extracted from the terminal via a PBAP profile is as follows:

1. People to whom the user relates.

2. The user's phone number.

3. Companies with which the user relates.

4. Email addresses.

5. The card owner's contact information.

6. The call history.

7. The physical addresses of the people associated with the contact card.

This information can be processed on the Internet to achieve a greater level of detail and knowledge.

3.1.1 Software Implementation

The first approach to take advantage of the DirtyTooth hack was made via a software implementation. To carry out the hack the following components were used:

1. Raspberry Pi 3 Model B.

   1. 1.2 GHz 64-bit quad-core ARMv8 CPU

   2. Bluetooth 4.1 module

   3. Bluetooth Low Energy (BLE)

2. PyBluez. A Python module that extends Bluetooth functionality in Python. Access to the resources is provided by Bluetooth technology.

3. PyOBEX. This package must be installed following the installation of PyBluez and implements the features of the OBEX protocol.

Here is the operation or algorithm implemented to perform DirtyTooth:

1. A .bashrc file was used, which on starting the Raspberry Pi 3 identifies the name with which the Bluetooth module will issue the signal and its class. The following lines are added at the end of the file:

    pulseaudio -D                             # start the PulseAudio daemon (the audio stream is played through it)
    # sudo -u pi pulseaudio -D                # alternative, left commented out in the original
    sudo hciconfig hci0 name "NAME HERE"      # name shown in the iPhone's Bluetooth device list
    sudo hciconfig hci0 class 0x240418        # Class of Device: Audio/Video major, Headphones minor; service bits Audio + Rendering
    sudo hciconfig hci0 sspmode 1             # Secure Simple Pairing on: no PIN prompt with 2.1+ peers
    sudo hciconfig hci0 piscan                # page scan + inquiry scan: connectable and discoverable
    sudo /usr/bin/hacktooth/dirtytooth.py &   # automation script, run in the background

As you can see, the hciconfig command is the one that defines the device class that is offered via Bluetooth.

2. The pulseaudio -D option allows the execution of the pulseaudio daemon. The sspmode option allows the module setup to specify the need to enter a PIN in the pairing process between the speaker and the iPhone. By setting it to 1, it will not ask for a PIN, as long as the Bluetooth device version is equivalent to the 2.1 implementation or higher.

3. The dirtytooth.py file is in charge of automating the actions once the pairing is done. In the first instance the device is paired thanks to the commands entered in the .bashrc file.

4. Once a device is paired, the dirtytooth.py file is launched. This file will make the request by changing the class UUID. This is the moment that the hack enters iOS, as the operating system neither prohibits it nor notifies the user.
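The class value set in the .bashrc lines above is a 24-bit Bluetooth Class of Device, and decoding it shows exactly what the adapter claims to be before any profile is used. The decoder below is an added example, not code from the paper; the field layout and names follow the Bluetooth SIG Assigned Numbers for the Baseband CoD (bits 0-1 format, 2-7 minor device class, 8-12 major device class, 13-23 major service classes). Only the Audio/Video minor classes are tabulated, since that is the major class the paper's rogue device uses; other minor classes are reported as hex.

```python
"""Decode a Bluetooth BR/EDR Class of Device (CoD) value such as the 0x240418
the paper sets with hciconfig. Added example; tables follow the Bluetooth SIG
Assigned Numbers for the Baseband CoD."""

MAJOR_SERVICE_BITS = {
    13: "Limited Discoverable Mode",
    16: "Positioning",
    17: "Networking",
    18: "Rendering",
    19: "Capturing",
    20: "Object Transfer",
    21: "Audio",
    22: "Telephony",
    23: "Information",
}

MAJOR_DEVICE_CLASSES = {
    0x00: "Miscellaneous",
    0x01: "Computer",
    0x02: "Phone",
    0x03: "LAN/Network Access Point",
    0x04: "Audio/Video",
    0x05: "Peripheral",
    0x06: "Imaging",
    0x07: "Wearable",
    0x08: "Toy",
    0x09: "Health",
    0x1F: "Uncategorized",
}

# Minor device classes for the Audio/Video major class only.
AUDIO_VIDEO_MINOR = {
    0x00: "Uncategorized",
    0x01: "Wearable Headset Device",
    0x02: "Hands-free Device",
    0x04: "Microphone",
    0x05: "Loudspeaker",
    0x06: "Headphones",
    0x07: "Portable Audio",
    0x08: "Car audio",
    0x09: "Set-top box",
    0x0A: "HiFi Audio Device",
    0x0B: "VCR",
    0x0C: "Video Camera",
    0x0D: "Camcorder",
    0x0E: "Video Monitor",
    0x0F: "Video Display and Loudspeaker",
    0x10: "Video Conferencing",
    0x12: "Gaming/Toy",
}


def decode_cod(cod: int) -> dict:
    """Split a 24-bit CoD into its fields and name them."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD is a 24-bit value, got 0x%X" % cod)
    fmt = cod & 0x3
    minor = (cod >> 2) & 0x3F
    major = (cod >> 8) & 0x1F
    services = [name for bit, name in MAJOR_SERVICE_BITS.items() if cod & (1 << bit)]
    major_name = MAJOR_DEVICE_CLASSES.get(major, "Reserved 0x%02X" % major)
    if major == 0x04:
        minor_name = AUDIO_VIDEO_MINOR.get(minor, "Reserved 0x%02X" % minor)
    else:
        minor_name = "0x%02X" % minor      # minor classes of other majors are not tabulated here
    return {
        "format": fmt,
        "major_service": services,
        "major_device": major_name,
        "minor_device": minor_name,
    }


def describe_cod(cod: int) -> str:
    """One-line summary of the kind a pairing log or device inspector could print."""
    d = decode_cod(cod)
    return "0x%06X: %s / %s; services: %s" % (
        cod, d["major_device"], d["minor_device"], ", ".join(d["major_service"]) or "none")


def parse_cod_text(text: str) -> int:
    """Accept the forms the class appears in on the page and in hciconfig output
    ("0x240418" or "240418")."""
    t = text.strip().lower()
    if t.startswith("0x"):
        t = t[2:]
    return int(t, 16)


if __name__ == "__main__":
    print(describe_cod(parse_cod_text("0x240418")))
    # prints: 0x240418: Audio/Video / Headphones; services: Rendering, Audio
```

The decoded value (Audio/Video, Headphones, services Audio and Rendering) matches the headphones icon iOS shows in Figure 3. The class is self-declared by the peer, set here with a single hciconfig line, so it records what the device claimed at pairing, not what it will later request; a peer whose class says audio rendering but which then opens a PBAP session is precisely the mismatch DirtyTooth relies on, which is why the authorization decision has to be made on the profile actually requested rather than on the class shown at pairing.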

Looking more closely at the last point of the algorithm, we must emphasize that dirtytooth.py has a function that exploits the Bluetooth connection, via the PBAP profile, to obtain files.

Figure 5: Obtaining data via PBAP

On the other hand, the function is used to obtain the list of contacts in vCard format and the call register in the same format.

Figure 6: Get list of contacts and call records via PBAP

The sound continues to function, so the user does not detect any leakage of private information from the device. The files are temporarily stored on the Raspberry before being sent to the backend via an Internet connection, as you can see in the image:

Figure 7: Files extracted from the iPhone

Analyzing the file and format obtained, the following information can be found. It is important to note that, on every iPhone, the UID with a value of 0 belongs to the vCard holding the phone number and personal information of the owner of the iPhone.

Figure 8: UID 0 belongs to the owner of the iPhone

3.1.2 Hardware Implementation

For the hardware implementation of the hack, a real Bluetooth speaker was used. The speaker was equipped with a series of modules that provide different functions:

1. A Bluetooth module that will supplant the real speaker.

2. The core of the system is a Teensy board with a microSD connector. The Teensy was programmed with the Teensyduino framework in order to make use of the collection of libraries available for Arduino.

3. A 2G/GPRS Adafruit module was used for the Internet connection of the board.

With the Bluetooth module, the real speaker will be supplanted and the A2DP profile connection offered. The core is responsible for changing the profile to PBAP when the connection has been established with the iPhone. At this moment, thanks to the DirtyTooth hack, access to the iPhone contacts and call history will be given, as illustrated below:

Figure 9: DirtyTooth hack hardware scheme

3.2 Systems Tested

In the case of the PBAP profile, the list of tested systems agrees with the models of iOS devices that have telephone functions, i.e. the iPhone. The models that can be used in the hack are:

1. iPhone 3G.

2. iPhone 3GS.

3. iPhone 4/4S.

4. iPhone 5/5S.

5. iPhone 6/6S/6 Plus/6S Plus.

6. iPhone 7/7 Plus.

Currently, all iOS operating systems compatible with the list of previous models can be used with DirtyTooth. The current version of the operating system at the release of this document is iOS 10.2.1.

3.3 Scope and possibilities

The data that can be obtained via the DirtyTooth hack are:

1. People to whom the user relates.

2. The user's phone number.

3. Companies with which the user relates.

4. Email addresses.

5. The card owner's contact information.

6. The call history.

7. The physical addresses of people associated with the contacts card.

After processing this information, more relevant information might be obtained. The following is the type of data that can be derived and obtained from a contact theft:

1. Images from Facebook profiles.

2. Name of telephone operator.

3. A first level of relationship with companies and employees via LinkedIn.

4. Wi-Fi adapter MAC address.

5. OS and model of terminal, APT-oriented.

6. Geographical location of landline numbers.

7. Owners of the landline numbers.

8. Interaction with the Telegram/WhatsApp API for image discovery, status information and connection time.

4. Conclusions

The Bluetooth connection of iPhones with peripherals such as speakers, headphones or sound equipment implies a risk for the user's privacy, as these elements could extract private information from the iPhone without the user being aware of it.

The DirtyTooth hack enables an attacker to extract private information from the iOS device and to know the user's relationships and environment, as well as data such as:

1. People to whom the user relates.

2. The user's telephone number.

3. Companies with which the user relates.

4. Email addresses.

5. The card owner's contact information.

6. The call history.

7. The physical addresses of people associated with the contacts card.

The hack or trick puts users' privacy at risk. The iOS operating system does not notify the profile change and allows the execution of the functions and actions associated with the new profile, so that the users' data are at risk of being stolen by a potential attacker.

Uploading the information to a server controlled by the attacker allows the information to be processed to attain a greater level of detail. The information can be exploited and much can be learned about the person's relationships.

In other words, DirtyTooth is a trick or hack that can take advantage of this accessibility configuration. It is a simple accessibility configuration that is potentially dangerous.

5. References

• iOS Profiles – Bluetooth. https://support.apple.com/es-la/HT204387

• Specification Bluetooth. Requirements PIN. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-121r1.pdf

• iOS 10.2.1 Security. https://support.apple.com/es-es/HT207482

• Specification of Profiles. Bluetooth. https://www.bluetooth.com/specifications/profiles-overview

• BlueZ Library Specification. https://people.csail.mit.edu/albert/bluez-intro/c212.html

• Components: BlueCreation BC127. https://www.sparkfun.com/products/11927

• Teensy. https://www.pjrc.com/teensy/

• 2G/GPRS Adafruit. https://learn.adafruit.com/adafruit-fona-mini-gsm-gprs-cellular-phone-module/overview

• Remote Debugging Bluetooth. http://www.prometec.net/bt-hc06/

• PyBluez. https://github.com/karulis/pybluez