대학 연합 해킹/보안 컨퍼런스 PADOCON
“ for the Passionate Future ”
Bluetooth Hacking August 26, 2006 University Hacking & Security Frontier PADOCON
[email protected] [email protected]
목 차
Ⅰ
Bluetooth Technology and Vulnerabilities
Ⅱ
Bluetooth Hacking in Korea by PADOCON
Ⅲ
Some Advices for Bluetooth Security
Bluetooth Hacking
1
Ⅰ. Bluetooth Technology and
Vulnerabilities
Are you happy in a burning bunker?
Bluetooth Hacking
2
BT Technology Overview BT Technology - A general cable replacement for low range wireless standards (eg. IrDA) - Usage : information exchange and networking between devices (eg. vCard, PAN) - NOT WiFi! - Pairing : Mechanism for establishing long term trust between two BT devices - RFCOMM : Wireless serial port emulation (basically) - AT Commands : used to control some devices across an RFCOMM connection - Discoverable mode : when a device wants to be found, it will respond to other devices sending inquires
Bluetooth Hacking
3
BT Technology Overview (~cont.) Core Specs v2.0 from Bluetooth SIG - Hardware based radio system + Software stack - 2.4GHz ISM - Frequency Hopping Spread Spectrum (1600 hops/s on 79 channels) - Low power consumption, short range (10~100m) - Data rates : 2 and 3 Mbps (Enhanced Data Rate) - Security is largely unchanged from 1.1 spec
BT Profiles - profiles govern how like devices talk to each other
Bluetooth Hacking
4
BT related Products BT products are everywhere~! - 무선 데스크탑 컴퓨터 (Cordless Desktop) - 인터넷 브릿지 (Internet Bridge) - 파일 전송 (File Tranfer) - 서류가방 Trick (Briefcase Trick) - 상호 회의 (Interactive Conference) - 자동 동조기 (Automatic Synchronizer) - 순간 엽서 (Instant Postcard) - Three-in-One 폰 - 헤드셋 (Ultimate Headset) - 핸즈프리 장치 (Hands-Free Car Kit) - etc. Bluetooth Hacking
5
BT Technology and Flaws Timeline
Bluetooth Hacking
6
Contemporary Bluetooth Attacks Leading group [http://trifinite.org] - leading the charge of publicly disclosed Bluetooth attacks - Bluediving(bluediving.sourceforge.net) has Linux based implementations of most of their tools
Others [@stake and TSG, and etc.] - have tackled some BT issues as well
Problems come from poor implementations - Rush to market leads to poor security - Super complicated protocol stack leads to poor security - Lack of security training for developers leads to poor security
Bluetooth Hacking
7
Common Bluetooth Vulnerabilities – Stupid Default Hard configured PIN - pairing time issue - possible attack : Car Whisperer
Profiles turned on by default - same as keeping unneeded network services from running
No authentication Poor per-profile default - eg. BT CF adapter that had the filesharing profile defaulted to world writable and shared the entire filesystems
Discoverable by default - attacker can find users because they use discoverable mode - DoS attack can occur for sucking down battery faster Bluetooth Hacking
8
Common Bluetooth Vulnerabilities – Link-Level Attacks Resetting the link key - a way to force a device to lose its link key and try and repair - basically, fake the BDADDR and repeatedly fail to bring up a secure channel, and the device will assume you “lost” the key - If a device has a default PIN, you can then automatically set up a trust relationship
Cleartext data - just like on the web
Location Based - RF, you can track people (http://braces.shmoo.com)
Bluetooth Hacking
9
Common Bluetooth Vulnerabilities – Bad Implementation Exposing functionality prior to authentication - basis for the BlueSnarf attack - AT commands are sent to the phone that retrieve the address book - The phone for some reason assumes this is OK and give you all the data
Packet-o-death - Bluesmack sends a big l2ping packet to the device in an effort to kill it - Protocol fuzzing in general is a dandy way to knock over BT devices
Bluetooth Hacking
10
Hacking Tools on BT
- trivial OBEX push attack - discovered by Marcel Holtmann - also discovered by Adam Laurie
- issuing AT commands - discovered by Martin Herfurt - possibility to cause extra costs
Bluetooth Hacking
11
Hacking Tools on BT (~cont.)
- using L2CAP echo feature - causing buffer overflows - denial of service attack
- denial of service attack - credits to Q-Nix and Collin R. Mulliner
- forced re-keying - tell partner to delete pairing - connect to unauthorized channels Bluetooth Hacking
12
Hacking Tools on BT (~cont.)
- clone a trusted device - disable encryption - force re-pairing
- fingerprinting for bluetooth - work started by Collin R. Mulliner and Martin Herfurt - based on the SDP records and OUI - important for security audits - paper with more information available
Bluetooth Hacking
13
Hacking Tools on BT (~cont.)
- Enhancing the range of a bluetooth dongle by connecting a directional antenna : as done in the Long Distance Attack
Bluetooth Hacking
14
Hacking Tools on BT (~cont.)
- Bluetooth Wireless Technology Hoover - Proof-of-Concept Application - Educational Purposes only - Phone Auditing Tool - Running on Java
Bluetooth Hacking
15
Hacking Tools on BT (~cont.) The Car Whisperer - use default PIN codes to connect to carkits - inject audio - record audio - don’t whisper and drive! - stationary directional antenna
Bluetooth Hacking
16
Hacking Tools on BT (~cont.) BlueBag - GNU/Linux Gentoo OS - v2.6 kernel + BlueZ subsystem - Custom python-based software
- Remote controlling - Monitoring - Data storage - Data gathering in crowded places and related issues Bluetooth Hacking
17
Hacking Tools on BT (~cont.)
Bluetooth Hacking
18
Ⅱ. Bluetooth Hacking in Korea by PADOCON (DEMO)
Bluetooth Hacking
19
Hacking Tool Development – Bluez Attack
00:11:22:33:44:55 00:02:32:5C:3F:22 F0:00:0C:23:43:92
00:02:32:5C:3F:22
- v2.6 kernel + BlueZ subsystem (Bluez-util, Bluez-lib, btsco, and etc.)
Bluetooth Hacking
20
Various Attacks on BT Devices – Headset Injection Headset Injection - inquiring → paging - 낮은 수준의 보안 모드를 적용하는 Headset - 인증되지 않은 사용자, 인가되지 않은 장치의 접근
INQUIRING
공격서버
PAGING CONNECTION
Bluetooth Hacking
21
Various Attacks on BT Devices – Cellphone DoS 휴대폰의 보안 - 헤드셋보다 높은 수준의 보안 적용 - PIN (Personal Identification Number) : 블루투스 패스키 - 인가되지 않은 장치의 접근의 PIN 요청에 대해 취약함
L2CAP layer의 구현상의 보안 취약성 - multiplexing, segmentation 및 재조합 - 최대 64Kbytes 크기의 패킷 수신 - 패킷 사이즈 길이 검사 (packet size boundary checking) 수행 오류
Bluetooth Hacking
22
Various Attacks on BT Devices – Cellphone DoS L2CAP 패킷구성 … #define SIZE 1000 #define FAKE_SIZE (SIZE-3) // (3 bytes <=> L2CAP header) … l2cap_cmd_hdr *cmd; … cmd = (l2cap_cmd_hdr *) buffer; cmd->code = L2CAP_ECHO_REQ; cmd->ident = 1; cmd->len = FAKE_SIZE; … send(sock, buffer, SIZE, 0); … …
Bluetooth Hacking
23
Various Attacks on BT Devices – ESN Sniffing SDP (Service Discovery Protocol) - 블루투스 장비의 서비스 정보를 제공 - Hidden channel의 존재 가능성? (for developer~ ☺ )
ESN (Electronic Serial Number) Sniffing - 최근 제품에는 ESN이 암호화되어 출시되나 구제품의 경우 문제 보유 … Manufacturer: XXXXX-ABCD CO. LTD Model: 123 Revision: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00] ESN: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00] +GCAP: +CIS707-A, CIS-856, +MS, +ES, +DS, +FCLASS …
Bluetooth Hacking
24
Various Attacks on BT Devices – BT Wardriving Wardriving - 자동차를 이용하거나 걸어다니면서 취약점을 테스트하는 것
Bluetooth Wardriving 개요 - 시간 : 2006년 8월 20일 19시 47분 ~ 20시 40분 - 장소 : 대전 대형마트(XXX), 유성 도로, 음식점 - 방법 : pairing mode 블루투스 제품 스캐닝 및 DoS 가능성 테스트
Bluetooth Hacking
25
Various Attacks on BT Devices – BT Wardriving Bluetooth Wardriving 결과 addr
name
type
time
1 00:15:B9:B7:68:C8
Anycall
P
2006-8-20 19: 7:10
2 00:0C:78:12:96:39
BT20S
P
2006-8-20 19: 7:16
3 00:0A:3B:F6:40:22
Audio Decoder
P
2006-8-20 19: 7:20
4 00:16:CE:EF:29:53
SENSQ1
P
2006-8-20 19: 7:22
5 00:00:F0:9A:D0:93
이쁜내새끼들
P
2006-8-20 19: 8:13
6 00:12:56:3A:49:E5
LF1200
7 00:12:56:3B:97:67
[unknown]
8 00:15:B9:BC:39:26
Anycall
P
2006-8-20 19:14:29
9 00:15:B9:B9:B9:04
Anycall
P
2006-8-20 19:17:39
10 00:00:F0:9C:B4:23
Anycall
P
2006-8-20 19:17:57
11 00:07:7F:30:0B:AE
[unknown]
12 00:12:56:47:A0:B4
LF1200
13 00:12:56:00:42:30
[unknown]
14 00:15:B9:B6:AA:05
Anycall
15 00:00:F0:98:1F:C8
Bluetooth Hacking
나도연애하는데~ 풉ㅋ
P
2006-8-20 19:11:27
P
P P P P
2006-8-20 19:13:58
2006-8-20 19:18:55 2006-8-20 19:19:13 2006-8-20 19:19:54 2006-8-20 19:23:25 P 2006-8-20 19:23:49
26
Various Attacks on BT Devices – BT Wardriving 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
00:15:B9:BB:4C:72 00:12:47:01:23:45 00:00:F0:9C:3E:F4 00:05:C9:51:CD:99 00:00:F0:96:0A:76 00:00:F0:9B:CE:B8 00:02:78:0E:21:91 00:07:7F:31:01:99 00:15:B9:BB:D9:72 00:12:56:15:B3:85 00:05:C9:53:FA:2E 00:00:F0:98:FE:E2 00:12:56:9F:33:E5 00:15:B9:BE:19:0E 00:00:F0:94:A1:28 00:12:56:00:8F:92 00:05:C9:6F:6F:AD 00:12:56:46:BA:70 00:05:C9:54:CF:E1
[unknown] [unknown] Anycall [unknown] [unknown] 인생빠꾸없다 [unknown] [unknown] [unknown] [unknown] [LG]-LP3900 Anycall [unknown] Anycall [unknown] LG-KF1000 [unknown] LF1200 [LG]-LP3900
P P P P P P P P P P P P P P P P P P P
2006-8-20 19:29: 5 2006-8-20 19:29:56 2006-8-20 19:30:30 2006-8-20 19:31:12 2006-8-20 19:33:22 2006-8-20 19:33:43 2006-8-20 19:34:25 2006-8-20 19:35:16 2006-8-20 19:35:57 2006-8-20 19:36:38 2006-8-20 19:38:45 2006-8-20 19:40:16 2006-8-20 19:40:57 2006-8-20 19:43:53 2006-8-20 19:59:56 2006-8-20 20: 9: 9 2006-8-20 20:18:40 2006-8-20 20:21:39 2006-8-20 20:36: 8
-국내 블루투스 탑재 기기 이용자 증가 - 공격에 대한 대량 피해 사례는 없으나 개인정보유출에 대한 대비 필요 Bluetooth Hacking
27
Ⅲ. Some Advices for Bluetooth Security
Bluetooth Hacking
28
Plz, No more defaults~ OTL Secure Configuration PIN 번호의 수정 - 좀 더 나은 PIN 관리 수행 필요
Link Key에 대한 좀 더 나은 보안 - 좀 더 안전한 Link key의 보관 장소 필요 - 장치가 갑자기 Link key를 잃을 경우 경고 발생 필요
Handsfree / Headset – 사용가능한 AT Commands 리스트 작성 - AT+RING, AT+CKPD, etc.
Serial Port - fuzzing 탐지 기법 구현
OBEX - 인증 상시 수행 필요 Bluetooth Hacking
29
감사합니다. Contact Point : *About presentation :
[email protected] *About included tests :
[email protected] *http://hackers.padocon.org, http://padocon.org Bluetooth Hacking
30