Bluetooth Hacking Padocon

대학 연합 해킹/보안 컨퍼런스 PADOCON

“ for the Passionate Future ”

Bluetooth Hacking August 26, 2006 University Hacking & Security Frontier PADOCON [email protected] [email protected]

목 차

Ⅰ

Bluetooth Technology and Vulnerabilities

Ⅱ

Bluetooth Hacking in Korea by PADOCON

Ⅲ

Some Advices for Bluetooth Security

Bluetooth Hacking

1

Ⅰ. Bluetooth Technology and

Vulnerabilities

Are you happy in a burning bunker?

Bluetooth Hacking

2

BT Technology Overview BT Technology - A general cable replacement for low range wireless standards (eg. IrDA) - Usage : information exchange and networking between devices (eg. vCard, PAN) - NOT WiFi! - Pairing : Mechanism for establishing long term trust between two BT devices - RFCOMM : Wireless serial port emulation (basically) - AT Commands : used to control some devices across an RFCOMM connection - Discoverable mode : when a device wants to be found, it will respond to other devices sending inquires

Bluetooth Hacking

3

BT Technology Overview (~cont.) Core Specs v2.0 from Bluetooth SIG - Hardware based radio system + Software stack - 2.4GHz ISM - Frequency Hopping Spread Spectrum (1600 hops/s on 79 channels) - Low power consumption, short range (10~100m) - Data rates : 2 and 3 Mbps (Enhanced Data Rate) - Security is largely unchanged from 1.1 spec

BT Profiles - profiles govern how like devices talk to each other

Bluetooth Hacking

4

BT related Products BT products are everywhere~! - 무선 데스크탑 컴퓨터 (Cordless Desktop) - 인터넷 브릿지 (Internet Bridge) - 파일 전송 (File Tranfer) - 서류가방 Trick (Briefcase Trick) - 상호 회의 (Interactive Conference) - 자동 동조기 (Automatic Synchronizer) - 순간 엽서 (Instant Postcard) - Three-in-One 폰 - 헤드셋 (Ultimate Headset) - 핸즈프리 장치 (Hands-Free Car Kit) - etc. Bluetooth Hacking

5

BT Technology and Flaws Timeline

Bluetooth Hacking

6

Contemporary Bluetooth Attacks Leading group [http://trifinite.org] - leading the charge of publicly disclosed Bluetooth attacks - Bluediving(bluediving.sourceforge.net) has Linux based implementations of most of their tools

Others [@stake and TSG, and etc.] - have tackled some BT issues as well

Problems come from poor implementations - Rush to market leads to poor security - Super complicated protocol stack leads to poor security - Lack of security training for developers leads to poor security

Bluetooth Hacking

7

Common Bluetooth Vulnerabilities – Stupid Default Hard configured PIN - pairing time issue - possible attack : Car Whisperer

Profiles turned on by default - same as keeping unneeded network services from running

No authentication Poor per-profile default - eg. BT CF adapter that had the filesharing profile defaulted to world writable and shared the entire filesystems

Discoverable by default - attacker can find users because they use discoverable mode - DoS attack can occur for sucking down battery faster Bluetooth Hacking

8

Common Bluetooth Vulnerabilities – Link-Level Attacks Resetting the link key - a way to force a device to lose its link key and try and repair - basically, fake the BDADDR and repeatedly fail to bring up a secure channel, and the device will assume you “lost” the key - If a device has a default PIN, you can then automatically set up a trust relationship

Cleartext data - just like on the web

Location Based - RF, you can track people (http://braces.shmoo.com)

Bluetooth Hacking

9

Common Bluetooth Vulnerabilities – Bad Implementation Exposing functionality prior to authentication - basis for the BlueSnarf attack - AT commands are sent to the phone that retrieve the address book - The phone for some reason assumes this is OK and give you all the data

Packet-o-death - Bluesmack sends a big l2ping packet to the device in an effort to kill it - Protocol fuzzing in general is a dandy way to knock over BT devices

Bluetooth Hacking

10

Hacking Tools on BT

- trivial OBEX push attack - discovered by Marcel Holtmann - also discovered by Adam Laurie

- issuing AT commands - discovered by Martin Herfurt - possibility to cause extra costs

Bluetooth Hacking

11

Hacking Tools on BT (~cont.)

- using L2CAP echo feature - causing buffer overflows - denial of service attack

- denial of service attack - credits to Q-Nix and Collin R. Mulliner

- forced re-keying - tell partner to delete pairing - connect to unauthorized channels Bluetooth Hacking

12

Hacking Tools on BT (~cont.)

- clone a trusted device - disable encryption - force re-pairing

- fingerprinting for bluetooth - work started by Collin R. Mulliner and Martin Herfurt - based on the SDP records and OUI - important for security audits - paper with more information available

Bluetooth Hacking

13

Hacking Tools on BT (~cont.)

- Enhancing the range of a bluetooth dongle by connecting a directional antenna : as done in the Long Distance Attack

Bluetooth Hacking

14

Hacking Tools on BT (~cont.)

- Bluetooth Wireless Technology Hoover - Proof-of-Concept Application - Educational Purposes only - Phone Auditing Tool - Running on Java

Bluetooth Hacking

15

Hacking Tools on BT (~cont.) The Car Whisperer - use default PIN codes to connect to carkits - inject audio - record audio - don’t whisper and drive! - stationary directional antenna

Bluetooth Hacking

16

Hacking Tools on BT (~cont.) BlueBag - GNU/Linux Gentoo OS - v2.6 kernel + BlueZ subsystem - Custom python-based software

- Remote controlling - Monitoring - Data storage - Data gathering in crowded places and related issues Bluetooth Hacking

17

Hacking Tools on BT (~cont.)

Bluetooth Hacking

18

Ⅱ. Bluetooth Hacking in Korea by PADOCON (DEMO)

Bluetooth Hacking

19

Hacking Tool Development – Bluez Attack

00:11:22:33:44:55 00:02:32:5C:3F:22 F0:00:0C:23:43:92

00:02:32:5C:3F:22

- v2.6 kernel + BlueZ subsystem (Bluez-util, Bluez-lib, btsco, and etc.)

Bluetooth Hacking

20

Various Attacks on BT Devices – Headset Injection Headset Injection - inquiring → paging - 낮은 수준의 보안 모드를 적용하는 Headset - 인증되지 않은 사용자, 인가되지 않은 장치의 접근

INQUIRING

공격서버

PAGING CONNECTION

Bluetooth Hacking

21

Various Attacks on BT Devices – Cellphone DoS 휴대폰의 보안 - 헤드셋보다 높은 수준의 보안 적용 - PIN (Personal Identification Number) : 블루투스 패스키 - 인가되지 않은 장치의 접근의 PIN 요청에 대해 취약함

L2CAP layer의 구현상의 보안 취약성 - multiplexing, segmentation 및 재조합 - 최대 64Kbytes 크기의 패킷 수신 - 패킷 사이즈 길이 검사 (packet size boundary checking) 수행 오류

Bluetooth Hacking

22

Various Attacks on BT Devices – Cellphone DoS L2CAP 패킷구성 … #define SIZE 1000 #define FAKE_SIZE (SIZE-3) // (3 bytes <=> L2CAP header) … l2cap_cmd_hdr *cmd; … cmd = (l2cap_cmd_hdr *) buffer; cmd->code = L2CAP_ECHO_REQ; cmd->ident = 1; cmd->len = FAKE_SIZE; … send(sock, buffer, SIZE, 0); … …

Bluetooth Hacking

23

Various Attacks on BT Devices – ESN Sniffing SDP (Service Discovery Protocol) - 블루투스 장비의 서비스 정보를 제공 - Hidden channel의 존재 가능성? (for developer~ ☺ )

ESN (Electronic Serial Number) Sniffing - 최근 제품에는 ESN이 암호화되어 출시되나 구제품의 경우 문제 보유 … Manufacturer: XXXXX-ABCD CO. LTD Model: 123 Revision: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00] ESN: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00] +GCAP: +CIS707-A, CIS-856, +MS, +ES, +DS, +FCLASS …

Bluetooth Hacking

24

Various Attacks on BT Devices – BT Wardriving Wardriving - 자동차를 이용하거나 걸어다니면서 취약점을 테스트하는 것

Bluetooth Wardriving 개요 - 시간 : 2006년 8월 20일 19시 47분 ~ 20시 40분 - 장소 : 대전 대형마트(XXX), 유성 도로, 음식점 - 방법 : pairing mode 블루투스 제품 스캐닝 및 DoS 가능성 테스트

Bluetooth Hacking

25

Various Attacks on BT Devices – BT Wardriving Bluetooth Wardriving 결과 addr

name

type

time

1 00:15:B9:B7:68:C8

Anycall

P

2006-8-20 19: 7:10

2 00:0C:78:12:96:39

BT20S

P

2006-8-20 19: 7:16

3 00:0A:3B:F6:40:22

Audio Decoder

P

2006-8-20 19: 7:20

4 00:16:CE:EF:29:53

SENSQ1

P

2006-8-20 19: 7:22

5 00:00:F0:9A:D0:93

이쁜내새끼들

P

2006-8-20 19: 8:13

6 00:12:56:3A:49:E5

LF1200

7 00:12:56:3B:97:67

[unknown]

8 00:15:B9:BC:39:26

Anycall

P

2006-8-20 19:14:29

9 00:15:B9:B9:B9:04

Anycall

P

2006-8-20 19:17:39

10 00:00:F0:9C:B4:23

Anycall

P

2006-8-20 19:17:57

11 00:07:7F:30:0B:AE

[unknown]

12 00:12:56:47:A0:B4

LF1200

13 00:12:56:00:42:30

[unknown]

14 00:15:B9:B6:AA:05

Anycall

15 00:00:F0:98:1F:C8

Bluetooth Hacking

나도연애하는데~ 풉ㅋ

P

2006-8-20 19:11:27

P

P P P P

2006-8-20 19:13:58

2006-8-20 19:18:55 2006-8-20 19:19:13 2006-8-20 19:19:54 2006-8-20 19:23:25 P 2006-8-20 19:23:49

26

Various Attacks on BT Devices – BT Wardriving 16

17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

00:15:B9:BB:4C:72 00:12:47:01:23:45 00:00:F0:9C:3E:F4 00:05:C9:51:CD:99 00:00:F0:96:0A:76 00:00:F0:9B:CE:B8 00:02:78:0E:21:91 00:07:7F:31:01:99 00:15:B9:BB:D9:72 00:12:56:15:B3:85 00:05:C9:53:FA:2E 00:00:F0:98:FE:E2 00:12:56:9F:33:E5 00:15:B9:BE:19:0E 00:00:F0:94:A1:28 00:12:56:00:8F:92 00:05:C9:6F:6F:AD 00:12:56:46:BA:70 00:05:C9:54:CF:E1

[unknown] [unknown] Anycall [unknown] [unknown] 인생빠꾸없다 [unknown] [unknown] [unknown] [unknown] [LG]-LP3900 Anycall [unknown] Anycall [unknown] LG-KF1000 [unknown] LF1200 [LG]-LP3900

P P P P P P P P P P P P P P P P P P P

2006-8-20 19:29: 5 2006-8-20 19:29:56 2006-8-20 19:30:30 2006-8-20 19:31:12 2006-8-20 19:33:22 2006-8-20 19:33:43 2006-8-20 19:34:25 2006-8-20 19:35:16 2006-8-20 19:35:57 2006-8-20 19:36:38 2006-8-20 19:38:45 2006-8-20 19:40:16 2006-8-20 19:40:57 2006-8-20 19:43:53 2006-8-20 19:59:56 2006-8-20 20: 9: 9 2006-8-20 20:18:40 2006-8-20 20:21:39 2006-8-20 20:36: 8

-국내 블루투스 탑재 기기 이용자 증가 - 공격에 대한 대량 피해 사례는 없으나 개인정보유출에 대한 대비 필요 Bluetooth Hacking

27

Ⅲ. Some Advices for Bluetooth Security

Bluetooth Hacking

28

Plz, No more defaults~ OTL Secure Configuration PIN 번호의 수정 - 좀 더 나은 PIN 관리 수행 필요

Link Key에 대한 좀 더 나은 보안 - 좀 더 안전한 Link key의 보관 장소 필요 - 장치가 갑자기 Link key를 잃을 경우 경고 발생 필요

Handsfree / Headset – 사용가능한 AT Commands 리스트 작성 - AT+RING, AT+CKPD, etc.

Serial Port - fuzzing 탐지 기법 구현

OBEX - 인증 상시 수행 필요 Bluetooth Hacking

29

감사합니다. Contact Point : *About presentation : [email protected] *About included tests : [email protected] *http://hackers.padocon.org, http://padocon.org Bluetooth Hacking

30