bluetooth [in]security
TRANSCRIPT
Security Center of Excellence
#whoami
Jiggyasu Sharma
• A security N00b
• I hack for bread and b33r
• I write [crape]
• I shoot [by camera]
Agenda
• To discuss whatever we all know
Bluetooth
• Bluetooth is a wireless technology standard for exchanging data over short distances (using short-wavelength UHF radio waves in the ISM band from 2.4 to 2.485 GHz) from fixed and mobile devices, and building personal area networks (PANs). (wiki)
History
• Named after the 10th-century king Harald Bluetooth
• Proposed by Jim Kardach
• In 1997
• A system that communicates between phone and computer
• BSIG
Capability
• Wireless
• Short range
• Less energy
• Cheap
• Personal
• Easy
• Multipoint
• Frequency hopping
• [in]secure
Where is being used
• Phone/Computer/Camera/Speaker
• Watch/Fitness Band/Car/Door locks
• Cooker/Coffee machine/Trimmer/Dryer
• Medical devices: ventilator/blood glucose monitor
• Payment solutions
• 7 Million Devices
Types
• Classic (since 1997)
  • V-1
  • V-2
  • V-3
• Smart (since 2010)
  • V-4.0
  • V-4.1
  • V-4.2
Difference
• The two cannot communicate with each other
• PHY and DLL are completely different
• Higher-level protocols are reused [L2CAP…]
Bluetooth Low Energy
Protocol Stack
PHY Layer
• FSK, +/- 250 kHz, 1 Mbit/sec
• 40 channels in 2.4 GHz
• Hopping
PHY Channels
• 40 channels: 0-39
• Advertising – 3
• Data – 37
Hopping
• Hop along the 37 data channels
• One data packet per channel
• Next channel = (channel + hop increment) mod 37
• 3 → 10 → 17 → 24 → 31 → 1 → 8 → 15 → …
• hop increment = 7
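As an added example (not part of the talk), the slide's hop formula carried through in Python and extended to the Core Spec's full Channel Selection Algorithm #1, which also remaps channels the master has marked unused in the connection's channel map; the mask that excludes channels 0-10 in the demo is a constructed value. It shows why a sniffer has to learn both the hop increment and the channel map before it can follow a connection.

```python
# Added example (not from the talk): BLE Channel Selection Algorithm #1
# (Bluetooth Core Spec 4.x, Vol 6 Part B, 4.5.8.2). The slide's formula
# next = (channel + hopIncrement) mod 37 is the "unmapped" step; the full
# algorithm then remaps any channel the channel map marks as unused
# (e.g. channels suffering Wi-Fi interference) onto a used channel.

DATA_CHANNELS = 37
ALL_USED = (1 << DATA_CHANNELS) - 1  # channel map with every data channel enabled


def next_unmapped(channel: int, hop_increment: int) -> int:
    """The step shown on the slide: (channel + hop increment) mod 37."""
    if not 5 <= hop_increment <= 16:  # range of hopIncrement in CONNECT_REQ
        raise ValueError("hopIncrement must be in 5..16")
    return (channel + hop_increment) % DATA_CHANNELS


def remap(unmapped: int, channel_map: int) -> int:
    """Remap an unused channel onto the ascending list of used channels.

    channel_map is the 37-bit mask from CONNECT_REQ (bit i set = channel i used).
    """
    used = [ch for ch in range(DATA_CHANNELS) if channel_map >> ch & 1]
    if not used:
        raise ValueError("channel map has no used channels")
    if channel_map >> unmapped & 1:
        return unmapped  # channel is in use, no remapping needed
    return used[unmapped % len(used)]  # remappingIndex = unmapped mod numUsed


def hop_sequence(start: int, hop_increment: int, count: int,
                 channel_map: int = ALL_USED) -> list[int]:
    """Data channels for the next `count` connection events after `start`."""
    seq = []
    unmapped = start
    for _ in range(count):
        # The hop state advances on the unmapped channel, never the remapped one.
        unmapped = next_unmapped(unmapped, hop_increment)
        seq.append(remap(unmapped, channel_map))
    return seq


if __name__ == "__main__":
    # Slide's example: start at channel 3, hop increment 7, all channels used.
    print(hop_sequence(3, 7, 8))  # [10, 17, 24, 31, 1, 8, 15, 22]
    # Constructed channel map: channels 0-10 masked out by the master.
    cmap = ALL_USED & ~((1 << 11) - 1)
    print(hop_sequence(3, 7, 8, cmap))  # [21, 17, 24, 31, 12, 19, 15, 22]
```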
Link Layer
How to sniff
• It's hard (actually)
Ubertooth
• Open source h/w
• Bluetooth sniffer
• Ubertooth One
• Cheapest among existing solutions
Block diagram
Capturing Packets
• Configure the CC2400
• Follow connections according to the hop pattern
• Hand off bits to the ARM MCU
Encryption
• Provided by the link layer
• Encrypts and MACs the PDU
• AES-CCM
Key Exchange Protocol
• Three-stage process
• 3 pairing methods
  • Just Works
  • 6-digit PIN
  • OOB
• "None of the pairing methods provide protection against a passive eavesdropper" – Bluetooth Core Spec
Cracking the TK
Using Crackle
Total time to crack: < 1 second
• TK -> STK
• STK -> LTK
• LTK -> Session keys
• And it's passive
LTK Reuse
Let’s just do it...
• Do not believe me without a DeMo...
Required setup
• Bluetooth pairing devices (BLE/BTLE capable)
• Ubertooth One
• Linux system (Ubuntu/Kali works well)
• Ubertooth config
• Kismet
• Wireshark
• Crackle
Prerequisite
prerequisites that Ubuntu needs
Now we need PyUSB
• to add Python access to USB ports
PyUSB to be downloaded
Bluetooth baseband libraries (lib-btbb)
• needed for the Ubertooth to decode Bluetooth packets
install lib-btbb
Install ubertooth tools
• Ubertooth basic functionality for spectrum analysis, Bluetooth sniffing and firmware updates
install Ubertooth Basic Tools
install ubertooth-follow tool
• plugin for a Linux program
install Ubertooth-follow Tools
Ubertooth Spectrum Analyzing (before Kismet)
• Connect the Ubertooth One to your USB port
• If you are using a virtual machine, enable it under Devices/USB Ports and select the Ubertooth One
• Two green LEDs (RST and 1.8V) and the red LED (USB LED) indicate that the Ubertooth can communicate via the USB port
Plug the Ubertooth into USB
launch the ubertooth spectrum analyzer
Kismet
• Install Kismet (default)
• Then the Ubertooth plugin
Kismet Connection
The final step of the Kismet install
Kismet Config
Compile and install the Kismet plugin so that Kismet can capture Bluetooth packets
Install Kismet Plugin
Launch Kismet and configure the Ubertooth plugin
Launch Kismet for Ubertooth Plugin
Install Wireshark with the Wireshark Bluetooth baseband plugin so that the file captured by Kismet can be analyzed.
Install Wireshark BTBB plugin
And finally we can open pcapbtbb files
Open captured pcapBTBB file
Decrypt Bluetooth packets
• Crackle
Hand the pcap file to crackle
isaias@ubuntu:~/crackle-sample# crackle -i ltk_exchange.pcap -o decrypted.pcap
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3
To listen in on future communications between the two devices: using the captured LTK
isaias@ubuntu:~/crackle-sample# crackle -i encrypted_known_ltk.pcap -o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c
Warning: packet is too short to be encrypted (1), skipping
Warning: packet is too short to be encrypted (2), skipping
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: invalid packet (length to long), skipping
Done, processed 297 total packets, decrypted 7
On the go
References
• http://ubertooth.sourceforge.net/
• https://github.com/greatscottgadgets/ubertooth/
• https://www.kismetwireless.net/
• http://tools.kali.org/wireless-attacks/crackle
• http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133
Thank you all, and special thanks to…
• Philips and team
• Minatee Mishra
• Anirudh Duggal
• Sanjog Panda
• Pardhiv Reddy
• Ajay Pratap Singh
• Geethu Arvind
Questions? Apart from...