Bluetooth Hacking Padocon

University Alliance Hacking/Security Conference PADOCON

“ for the Passionate Future ”

Bluetooth Hacking August 26, 2006 University Hacking & Security Frontier PADOCON [email protected] [email protected]

Table of Contents

- Ⅰ. Bluetooth Technology and Vulnerabilities
- Ⅱ. Bluetooth Hacking in Korea by PADOCON
- Ⅲ. Some Advice for Bluetooth Security

Bluetooth Hacking

1

Ⅰ. Bluetooth Technology and Vulnerabilities

Are you happy in a burning bunker?


BT Technology Overview

BT Technology
- A general cable replacement for low-range wireless standards (e.g. IrDA)
- Usage: information exchange and networking between devices (e.g. vCard, PAN)
- NOT WiFi!
- Pairing: mechanism for establishing long-term trust between two BT devices
- RFCOMM: wireless serial port emulation (basically)
- AT commands: used to control some devices across an RFCOMM connection
- Discoverable mode: when a device wants to be found, it responds to other devices sending inquiries


BT Technology Overview (~cont.)

Core Specs v2.0 from Bluetooth SIG
- Hardware-based radio system + software stack
- 2.4 GHz ISM band
- Frequency Hopping Spread Spectrum (1600 hops/s on 79 channels)
- Low power consumption, short range (10~100 m)
- Data rates: 2 and 3 Mbps (Enhanced Data Rate)
- Security is largely unchanged from the 1.1 spec

BT Profiles
- Profiles govern how like devices talk to each other


BT related Products

BT products are everywhere~!
- Cordless Desktop
- Internet Bridge
- File Transfer
- Briefcase Trick
- Interactive Conference
- Automatic Synchronizer
- Instant Postcard
- Three-in-One Phone
- Ultimate Headset
- Hands-Free Car Kit
- etc.

BT Technology and Flaws Timeline


Contemporary Bluetooth Attacks

Leading group [http://trifinite.org]
- Leading the charge of publicly disclosed Bluetooth attacks
- Bluediving (bluediving.sourceforge.net) has Linux-based implementations of most of their tools

Others [@stake, TSG, etc.]
- Have tackled some BT issues as well

Problems come from poor implementations
- Rush to market leads to poor security
- Super complicated protocol stack leads to poor security
- Lack of security training for developers leads to poor security


Common Bluetooth Vulnerabilities – Stupid Defaults

Hard-configured PIN
- Pairing-time issue
- Possible attack: Car Whisperer

Profiles turned on by default
- Same as leaving unneeded network services running

No authentication / poor per-profile defaults
- e.g. a BT CF adapter whose file-sharing profile defaulted to world-writable and shared the entire filesystem

Discoverable by default
- Attackers can find users because they use discoverable mode
- A DoS attack can drain the battery faster

Common Bluetooth Vulnerabilities – Link-Level Attacks

Resetting the link key
- A way to force a device to lose its link key and try to re-pair
- Basically, fake the BDADDR and repeatedly fail to bring up a secure channel; the device will assume you "lost" the key
- If the device has a default PIN, a trust relationship can then be set up automatically

Cleartext data
- Just like on the web

Location based
- It's RF, so people can be tracked (http://braces.shmoo.com)


Common Bluetooth Vulnerabilities – Bad Implementation

Exposing functionality prior to authentication
- Basis for the BlueSnarf attack
- AT commands are sent to the phone that retrieve the address book
- The phone for some reason assumes this is OK and gives you all the data

Packet-o-death
- Bluesmack sends a big l2ping packet to the device in an effort to kill it
- Protocol fuzzing in general is a dandy way to knock over BT devices


Hacking Tools on BT

- Trivial OBEX push attack
  - Discovered by Marcel Holtmann
  - Also discovered by Adam Laurie

- Issuing AT commands
  - Discovered by Martin Herfurt
  - Possibility to cause extra costs


Hacking Tools on BT (~cont.)

- Using the L2CAP echo feature
  - Causing buffer overflows
  - Denial of service attack

- Denial of service attack
  - Credits to Q-Nix and Collin R. Mulliner

- Forced re-keying
  - Tell the partner to delete the pairing
  - Connect to unauthorized channels

Hacking Tools on BT (~cont.)

- Clone a trusted device
  - Disable encryption
  - Force re-pairing

- Fingerprinting for Bluetooth
  - Work started by Collin R. Mulliner and Martin Herfurt
  - Based on the SDP records and OUI
  - Important for security audits
  - Paper with more information available


Hacking Tools on BT (~cont.)

- Enhancing the range of a Bluetooth dongle by connecting a directional antenna, as done in the Long Distance Attack


Hacking Tools on BT (~cont.)

- Bluetooth Wireless Technology Hoover
  - Proof-of-concept application
  - Educational purposes only
  - Phone auditing tool
  - Running on Java


Hacking Tools on BT (~cont.)

The Car Whisperer
- Uses default PIN codes to connect to car kits
- Inject audio
- Record audio
- Don't whisper and drive!
- Stationary directional antenna


Hacking Tools on BT (~cont.)

BlueBag
- GNU/Linux Gentoo OS
- v2.6 kernel + BlueZ subsystem
- Custom Python-based software

- Remote controlling
- Monitoring
- Data storage
- Data gathering in crowded places and related issues

Hacking Tools on BT (~cont.)


Ⅱ. Bluetooth Hacking in Korea by PADOCON (DEMO)


Hacking Tool Development – Bluez Attack

[Diagram: attack host and target devices, labelled with the Bluetooth addresses 00:11:22:33:44:55, 00:02:32:5C:3F:22 and F0:00:0C:23:43:92]

- v2.6 kernel + BlueZ subsystem (Bluez-util, Bluez-lib, btsco, etc.)


Various Attacks on BT Devices – Headset Injection

Headset Injection
- Inquiring → paging
- Headsets apply a low-level security mode
- Access by unauthenticated users and unauthorized devices

[Diagram: attack server → INQUIRING → PAGING → CONNECTION to the headset]


Various Attacks on BT Devices – Cellphone DoS

Cellphone security
- Applies a higher level of security than headsets
- PIN (Personal Identification Number): the Bluetooth passkey
- Vulnerable to PIN requests arising from access by unauthorized devices

Security weakness in the L2CAP layer implementation
- Multiplexing, segmentation and reassembly
- Receives packets up to 64 Kbytes in size
- Faulty packet size boundary checking


Various Attacks on BT Devices – Cellphone DoS

L2CAP packet construction

    …
    #define SIZE 1000
    #define FAKE_SIZE (SIZE-3)   // (3 bytes <=> L2CAP header)
    …
    l2cap_cmd_hdr *cmd;
    …
    cmd = (l2cap_cmd_hdr *) buffer;
    cmd->code = L2CAP_ECHO_REQ;
    cmd->ident = 1;
    cmd->len = FAKE_SIZE;
    …
    send(sock, buffer, SIZE, 0);
    …
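The boundary check the slide says was missing, written out as an added example on the receiving side (this is not code from the deck; the PoC above is). It parses an L2CAP signalling frame and drops any frame whose declared lengths disagree with the bytes actually received, which is exactly the mismatch the PoC creates with FAKE_SIZE. The frame layout (basic header: 16-bit length and CID; command header: code, ident, 16-bit length) and code 0x08 for Echo Request follow the Bluetooth Core specification; build_frame and the sample frames are constructed for the demonstration.

```python
import struct

# L2CAP signalling command codes from the Bluetooth Core spec; the deck's
# PoC sends L2CAP_ECHO_REQ (0x08).
L2CAP_ECHO_REQ = 0x08
L2CAP_ECHO_RSP = 0x09
L2CAP_SIGNALLING_CID = 0x0001

BASIC_HDR = struct.Struct("<HH")   # PDU length, channel id (little-endian)
CMD_HDR = struct.Struct("<BBH")    # code, ident, command length


class L2capError(ValueError):
    """Raised when a frame fails a boundary check; the frame is dropped."""


def parse_echo_request(frame: bytes) -> tuple:
    """Return (ident, echo payload) for a well-formed echo request.

    Every declared length is compared with the bytes actually present
    before anything is copied or echoed back.
    """
    if len(frame) < BASIC_HDR.size:
        raise L2capError("frame shorter than basic L2CAP header")
    pdu_len, cid = BASIC_HDR.unpack_from(frame, 0)
    body = frame[BASIC_HDR.size:]
    if pdu_len != len(body):
        raise L2capError(f"basic header claims {pdu_len} bytes, got {len(body)}")
    if cid != L2CAP_SIGNALLING_CID:
        raise L2capError(f"not a signalling frame (CID {cid:#06x})")
    if len(body) < CMD_HDR.size:
        raise L2capError("body shorter than command header")
    code, ident, cmd_len = CMD_HDR.unpack_from(body, 0)
    data = body[CMD_HDR.size:]
    if cmd_len != len(data):
        # The PoC's case: cmd->len is set independently of the bytes sent.
        # Reject instead of trusting cmd_len for the copy/echo length.
        raise L2capError(f"command header claims {cmd_len} bytes, got {len(data)}")
    if code != L2CAP_ECHO_REQ:
        raise L2capError(f"unexpected signalling code {code:#04x}")
    return ident, data


def build_frame(code: int, ident: int, declared_len: int, data: bytes) -> bytes:
    """Constructed test frames; declared_len may deliberately disagree with data."""
    body = CMD_HDR.pack(code, ident, declared_len) + data
    return BASIC_HDR.pack(len(body), L2CAP_SIGNALLING_CID) + body


def handle(frame: bytes) -> str:
    """Receiver's decision: 'echo:<ident>:<n>' for a good request, else 'drop:<reason>'."""
    try:
        ident, data = parse_echo_request(frame)
    except L2capError as exc:
        return f"drop:{exc}"
    return f"echo:{ident}:{len(data)}"


if __name__ == "__main__":
    # A genuine echo request and a frame shaped like the PoC (len = SIZE-3,
    # only SIZE bytes on the wire).
    print(handle(build_frame(L2CAP_ECHO_REQ, 1, 4, b"ping")))
    print(handle(build_frame(L2CAP_ECHO_REQ, 1, 997, bytes(996))))
```

A stack that trusts cmd_len (or the basic-header length) to size a copy is the one the slide describes; checking both lengths against the received byte count before use is the whole fix.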


Various Attacks on BT Devices – ESN Sniffing

SDP (Service Discovery Protocol)
- Provides the service information of a Bluetooth device
- Possible existence of hidden channels? (for developers~ ☺)

ESN (Electronic Serial Number) Sniffing
- Recent products ship with the ESN encrypted, but older products still have the problem

    …
    Manufacturer: XXXXX-ABCD CO. LTD
    Model: 123
    Revision: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
    ESN: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
    +GCAP: +CIS707-A, CIS-856, +MS, +ES, +DS, +FCLASS
    …


Various Attacks on BT Devices – BT Wardriving

Wardriving
- Testing for vulnerabilities while driving around in a car or walking

Bluetooth Wardriving overview
- Time: 20 August 2006, 19:47 ~ 20:40
- Location: a large discount store in Daejeon (XXX), roads in Yuseong, restaurants
- Method: scanning for Bluetooth products in pairing mode and testing for DoS possibilities


Various Attacks on BT Devices – BT Wardriving

Bluetooth Wardriving results

 #   addr               name                 type  time
 1   00:15:B9:B7:68:C8  Anycall              P     2006-8-20 19:07:10
 2   00:0C:78:12:96:39  BT20S                P     2006-8-20 19:07:16
 3   00:0A:3B:F6:40:22  Audio Decoder        P     2006-8-20 19:07:20
 4   00:16:CE:EF:29:53  SENSQ1               P     2006-8-20 19:07:22
 5   00:00:F0:9A:D0:93  이쁜내새끼들          P     2006-8-20 19:08:13
 6   00:12:56:3A:49:E5  LF1200               P     2006-8-20 19:11:27
 7   00:12:56:3B:97:67  [unknown]            P     2006-8-20 19:13:58
 8   00:15:B9:BC:39:26  Anycall              P     2006-8-20 19:14:29
 9   00:15:B9:B9:B9:04  Anycall              P     2006-8-20 19:17:39
 10  00:00:F0:9C:B4:23  Anycall              P     2006-8-20 19:17:57
 11  00:07:7F:30:0B:AE  [unknown]            P     2006-8-20 19:18:55
 12  00:12:56:47:A0:B4  LF1200               P     2006-8-20 19:19:13
 13  00:12:56:00:42:30  [unknown]            P     2006-8-20 19:19:54
 14  00:15:B9:B6:AA:05  Anycall              P     2006-8-20 19:23:25
 15  00:00:F0:98:1F:C8  나도연애하는데~ 풉ㅋ    P     2006-8-20 19:23:49
 16  00:15:B9:BB:4C:72  [unknown]            P     2006-8-20 19:29:05
 17  00:12:47:01:23:45  [unknown]            P     2006-8-20 19:29:56
 18  00:00:F0:9C:3E:F4  Anycall              P     2006-8-20 19:30:30
 19  00:05:C9:51:CD:99  [unknown]            P     2006-8-20 19:31:12
 20  00:00:F0:96:0A:76  [unknown]            P     2006-8-20 19:33:22
 21  00:00:F0:9B:CE:B8  인생빠꾸없다          P     2006-8-20 19:33:43
 22  00:02:78:0E:21:91  [unknown]            P     2006-8-20 19:34:25
 23  00:07:7F:31:01:99  [unknown]            P     2006-8-20 19:35:16
 24  00:15:B9:BB:D9:72  [unknown]            P     2006-8-20 19:35:57
 25  00:12:56:15:B3:85  [unknown]            P     2006-8-20 19:36:38
 26  00:05:C9:53:FA:2E  [LG]-LP3900          P     2006-8-20 19:38:45
 27  00:00:F0:98:FE:E2  Anycall              P     2006-8-20 19:40:16
 28  00:12:56:9F:33:E5  [unknown]            P     2006-8-20 19:40:57
 29  00:15:B9:BE:19:0E  Anycall              P     2006-8-20 19:43:53
 30  00:00:F0:94:A1:28  [unknown]            P     2006-8-20 19:59:56
 31  00:12:56:00:8F:92  LG-KF1000            P     2006-8-20 20:09:09
 32  00:05:C9:6F:6F:AD  [unknown]            P     2006-8-20 20:18:40
 33  00:12:56:46:BA:70  LF1200               P     2006-8-20 20:21:39
 34  00:05:C9:54:CF:E1  [LG]-LP3900          P     2006-8-20 20:36:08

- Users of Bluetooth-equipped devices in Korea are increasing
- There have been no cases of mass damage from attacks, but preparation against personal-information leakage is needed

Ⅲ. Some Advice for Bluetooth Security


Plz, No more defaults~ OTL

Secure Configuration

Change the PIN number
- Better PIN management is needed

Better security for the link key
- A safer storage location for the link key is needed
- A warning should be raised when a device suddenly loses its link key
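A host-side check for the two points above and for the link-key reset described under Link-Level Attacks (slide 9): repeated authentication failures from one address, and a pairing request from an address the device already holds a link key for. This is an added example, not code from the deck or from PADOCON's tools; the log format, the event names and the addresses are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event log (not from the deck). One event per line:
#   <date> <time> <event> bdaddr=<address>
# The addresses are made up.
SAMPLE_LOG = """\
2006-08-20 19:07:10 auth_ok bdaddr=AA:BB:CC:00:00:01
2006-08-20 19:07:31 auth_failure bdaddr=AA:BB:CC:00:00:01
2006-08-20 19:07:33 auth_failure bdaddr=AA:BB:CC:00:00:01
2006-08-20 19:07:36 auth_failure bdaddr=AA:BB:CC:00:00:01
2006-08-20 19:07:40 pairing_request bdaddr=AA:BB:CC:00:00:01
2006-08-20 19:12:02 pairing_request bdaddr=AA:BB:CC:00:00:02
2006-08-20 19:30:00 auth_failure bdaddr=AA:BB:CC:00:00:02
"""

# Addresses this device already shares a link key with (constructed).
BONDED = frozenset({"AA:BB:CC:00:00:01"})


def parse_line(line: str) -> tuple:
    """Split one constructed log line into (timestamp, event, BDADDR)."""
    date, clock, event, field = line.split()
    if not field.startswith("bdaddr="):
        raise ValueError(f"unexpected log line: {line!r}")
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, event, field[len("bdaddr="):].upper()


def analyse(log: str, bonded: frozenset, max_failures: int = 3,
            window: timedelta = timedelta(seconds=60)) -> list:
    """Return alerts for link-key reset symptoms.

    Rule 1: max_failures authentication failures from one address inside
            `window` (an attempt to make us discard the stored link key).
    Rule 2: a pairing request from an address we are already bonded with
            (the peer claims to have 'lost' the key; never re-pair silently).
    """
    alerts = []
    failures = defaultdict(deque)
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, event, addr = parse_line(raw)
        if event == "auth_failure":
            recent = failures[addr]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) >= max_failures:
                alerts.append(f"{addr}: {len(recent)} authentication failures within "
                              f"{int(window.total_seconds())}s; keep the stored link key, "
                              "do not auto-re-pair")
                recent.clear()
        elif event == "pairing_request" and addr in bonded:
            alerts.append(f"{addr}: pairing request from an already bonded address; "
                          "require explicit user confirmation before replacing the link key")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, BONDED):
        print(alert)
```

The second rule is the one that matters most against the attack on slide 9: a device that quietly accepts a fresh pairing from a bonded address, especially with a default PIN, has handed the attacker the trust relationship; surfacing it to the user turns a silent takeover into a visible prompt.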

Handsfree / Headset – make a list of the AT commands that may be used
- AT+RING, AT+CKPD, etc.
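An allowlist filter for AT commands arriving over a headset or hands-free RFCOMM channel, added here as an example (not the deck's code). It refuses every command before the link is authenticated, which is the "functionality exposed prior to authentication" flaw behind BlueSnarf on slide 10, and afterwards accepts only the listed command names. The allowlist is an assumption for an illustrative device: AT+CKPD from the slide plus AT+VGS and AT+VGM (speaker and microphone gain in the Headset Profile). RING is sent by the phone as an unsolicited result code, so it is not something the headset issues and is not in the list.

```python
import re
from typing import Optional

# Allowlist for an illustrative headset/hands-free unit (an assumption, not
# from the deck): AT+CKPD from the slide plus AT+VGS / AT+VGM.
HEADSET_ALLOWLIST = frozenset({"+CKPD", "+VGS", "+VGM"})

# Extended commands: AT+NAME, AT+NAME=<args>, AT+NAME?  Basic commands: AT<letter>...
AT_EXTENDED = re.compile(r"^AT(\+[A-Z0-9]+)(?:=.*|\?)?$")
AT_BASIC = re.compile(r"^AT([A-Z])(.*)$")


def command_name(line: str) -> Optional[str]:
    """Extract the command name ('+CKPD', 'D', ...) or None if not an AT command."""
    text = line.strip().upper()
    m = AT_EXTENDED.match(text)
    if m:
        return m.group(1)
    m = AT_BASIC.match(text)
    if m:
        return m.group(1)
    return None


def filter_command(line: str, authenticated: bool,
                   allowlist: frozenset = HEADSET_ALLOWLIST) -> tuple:
    """Decide whether an incoming AT line may be executed.

    Returns (allowed, reason). Nothing runs before the link is authenticated;
    afterwards only allowlisted command names pass, everything else is logged
    and dropped.
    """
    if not authenticated:
        return False, "unauthenticated"
    name = command_name(line)
    if name is None:
        return False, "malformed"
    if name in allowlist:
        return True, name
    return False, f"not allowlisted: {name}"


def process(lines: list, authenticated: bool) -> list:
    """Run a batch of lines through the filter and return audit records."""
    records = []
    for line in lines:
        allowed, reason = filter_command(line, authenticated)
        verdict = "ALLOW" if allowed else "DENY "
        records.append(f"{verdict} {line.strip()!r} ({reason})")
    return records


if __name__ == "__main__":
    # Constructed input: two headset commands, an identification query, a
    # dial command with a placeholder number, and garbage.
    sample = ["AT+CKPD=200", "at+vgs=7", "AT+CGMI", "ATD000", "hello"]
    for record in process(sample, authenticated=True):
        print(record)
```

The point of the allowlist is that it is closed: a phone-side AT interpreter reachable from the headset channel should never see identification, phonebook or dialling commands at all, so the deny path is the default and only named commands are let through.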

Serial Port
- Implement fuzzing detection

OBEX
- Authentication must always be performed

Thank you.

Contact Point:
* About presentation: [email protected]
* About included tests: [email protected]
* http://hackers.padocon.org, http://padocon.org
