Download - Bluetooth Hacking Padocon
![Page 1: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/1.jpg)
대학대학 연합연합 해킹해킹//보안보안 컨퍼런스컨퍼런스 PADOCON PADOCON
“ for the Passionate Future ”Bluetooth HackingBluetooth Hacking
August 26, 2006 University Hacking & Security Frontier
PADOCON [email protected]@padocon.org
![Page 2: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/2.jpg)
1Bluetooth Hacking
Bluetooth Technology and VulnerabilitiesⅠ
목목 차차
Bluetooth Hacking in Korea by PADOCONⅡ
Some Advices for Bluetooth SecurityⅢ
![Page 3: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/3.jpg)
2Bluetooth Hacking
Ⅰ. Bluetooth Technology and Vulnerabilities
Are you happy in a burning bunker?
![Page 4: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/4.jpg)
3Bluetooth Hacking
BT Technology OverviewBT Technology Overview
BT Technology- A general cable replacement for low range wireless standards (eg. IrDA)- Usage : information exchange and networking between devices
(eg. vCard, PAN)
- NOT WiFi!
- Pairing : Mechanism for establishing long term trust between two BT devices
- RFCOMM : Wireless serial port emulation (basically)
- AT Commands : used to control some devices across an RFCOMMconnection
- Discoverable mode : when a device wants to be found, it will respond to other devices sending inquires
![Page 5: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/5.jpg)
4Bluetooth Hacking
BT Technology Overview (~cont.)BT Technology Overview (~cont.)
Core Specs v2.0 from Bluetooth SIG- Hardware based radio system + Software stack- 2.4GHz ISM
- Frequency Hopping Spread Spectrum
(1600 hops/s on 79 channels)
- Low power consumption, short range (10~100m)
- Data rates : 2 and 3 Mbps (Enhanced Data Rate)
- Security is largely unchanged from 1.1 spec
BT Profiles - profiles govern how like devices talk to each other
![Page 6: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/6.jpg)
5Bluetooth Hacking
BT related ProductsBT related Products
BT products are everywhere~!- 무선 데스크탑 컴퓨터 (Cordless Desktop)
- 인터넷 브릿지 (Internet Bridge)
- 파일 전송 (File Tranfer)
- 서류가방 Trick (Briefcase Trick)
- 상호 회의 (Interactive Conference)
- 자동 동조기 (Automatic Synchronizer)
- 순간 엽서 (Instant Postcard)
- Three-in-One 폰
- 헤드셋 (Ultimate Headset)
- 핸즈프리 장치 (Hands-Free Car Kit)
- etc.
![Page 7: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/7.jpg)
6Bluetooth Hacking
BT Technology and Flaws TimelineBT Technology and Flaws Timeline
![Page 8: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/8.jpg)
7Bluetooth Hacking
Contemporary Bluetooth Attacks Contemporary Bluetooth Attacks
Leading group [http://trifinite.org]- leading the charge of publicly disclosed Bluetooth attacks
- Bluediving(bluediving.sourceforge.net) has Linux based
implementations of most of their tools
Others [@stake and TSG, and etc.]- have tackled some BT issues as well
Problems come from poor implementations- Rush to market leads to poor security
- Super complicated protocol stack leads to poor security
- Lack of security training for developers leads to poor security
![Page 9: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/9.jpg)
8Bluetooth Hacking
Common Bluetooth Vulnerabilities Common Bluetooth Vulnerabilities –– Stupid DefaultStupid Default
Hard configured PIN- pairing time issue
- possible attack : Car Whisperer
Profiles turned on by default- same as keeping unneeded network services from running
No authentication
Poor per-profile default- eg. BT CF adapter that had the filesharing profile defaulted
to world writable and shared the entire filesystems
Discoverable by default - attacker can find users because they use discoverable mode
- DoS attack can occur for sucking down battery faster
![Page 10: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/10.jpg)
9Bluetooth Hacking
Common Bluetooth Vulnerabilities Common Bluetooth Vulnerabilities –– LinkLink--Level AttacksLevel Attacks
Resetting the link key- a way to force a device to lose its link key and try and repair
- basically, fake the BDADDR and repeatedly fail to bring up a
secure channel, and the device will assume you “lost” the key
- If a device has a default PIN, you can then automatically set up
a trust relationship
Cleartext data- just like on the web
Location Based - RF, you can track people
(http://braces.shmoo.com)
![Page 11: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/11.jpg)
10Bluetooth Hacking
Common Bluetooth Vulnerabilities Common Bluetooth Vulnerabilities –– Bad ImplementationBad Implementation
Exposing functionality prior to authentication- basis for the BlueSnarf attack
- AT commands are sent to the phone that retrieve the address book
- The phone for some reason assumes this is OK and give you all
the data
Packet-o-death - Bluesmack sends a big l2ping packet to the device in an effort
to kill it
- Protocol fuzzing in general is a dandy way to knock over BT
devices
![Page 12: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/12.jpg)
11Bluetooth Hacking
Hacking Tools on BT Hacking Tools on BT
- trivial OBEX push attack
- discovered by Marcel Holtmann
- also discovered by Adam Laurie
- issuing AT commands
- discovered by Martin Herfurt
- possibility to cause extra costs
![Page 13: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/13.jpg)
12Bluetooth Hacking
Hacking Tools on BT (~cont.)Hacking Tools on BT (~cont.)
- using L2CAP echo feature
- causing buffer overflows
- denial of service attack
- denial of service attack
- credits to Q-Nix and Collin R. Mulliner
- forced re-keying
- tell partner to delete pairing
- connect to unauthorized channels
![Page 14: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/14.jpg)
13Bluetooth Hacking
Hacking Tools on BT (~cont.)Hacking Tools on BT (~cont.)
- clone a trusted device
- disable encryption
- force re-pairing
- fingerprinting for bluetooth
- work started by Collin R. Mulliner and Martin Herfurt
- based on the SDP records and OUI
- important for security audits
- paper with more information available
![Page 15: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/15.jpg)
14Bluetooth Hacking
Hacking Tools on BT (~cont.)Hacking Tools on BT (~cont.)
- Enhancing the range of a bluetooth dongle by connecting a
directional antenna : as done in the Long Distance Attack
![Page 16: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/16.jpg)
15Bluetooth Hacking
Hacking Tools on BT (~cont.)Hacking Tools on BT (~cont.)
- Bluetooth Wireless Technology Hoover
- Proof-of-Concept Application
- Educational Purposes only
- Phone Auditing Tool
- Running on Java
![Page 17: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/17.jpg)
16Bluetooth Hacking
Hacking Tools on BT (~cont.)Hacking Tools on BT (~cont.)
The Car Whisperer- use default PIN codes
to connect to carkits
- inject audio
- record audio
- don’t whisper and drive!
- stationary directional antenna
![Page 18: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/18.jpg)
17Bluetooth Hacking
Hacking Tools on BT (~cont.) Hacking Tools on BT (~cont.)
BlueBag- GNU/Linux Gentoo OS
- v2.6 kernel + BlueZ subsystem
- Custom python-based software
- Remote controlling
- Monitoring
- Data storage
- Data gathering in crowded places and related issues
![Page 19: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/19.jpg)
18Bluetooth Hacking
Hacking Tools on BT (~cont.) Hacking Tools on BT (~cont.)
![Page 20: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/20.jpg)
19Bluetooth Hacking
Ⅱ. Bluetooth Hacking in Korea by PADOCON
(DEMO)
![Page 21: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/21.jpg)
20Bluetooth Hacking
Hacking Tool Development Hacking Tool Development –– BluezBluez AttackAttack
00:11:22:33:44:5500:02:32:5C:3F:22F0:00:0C:23:43:92
00:02:32:5C:3F:22
- v2.6 kernel + BlueZ subsystem (Bluez-util, Bluez-lib, btsco, and etc.)
![Page 22: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/22.jpg)
21Bluetooth Hacking
Various Attacks on BT Devices Various Attacks on BT Devices –– Headset InjectionHeadset Injection
Headset Injection- inquiring → paging
- 낮은 수준의 보안 모드를 적용하는 Headset
- 인증되지 않은 사용자, 인가되지 않은 장치의 접근
INQUIRING
PAGING
CONNECTION
공격서버
![Page 23: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/23.jpg)
22Bluetooth Hacking
Various Attacks on BT Devices Various Attacks on BT Devices –– CellphoneCellphone DoSDoS
휴대폰의 보안
- 헤드셋보다 높은 수준의 보안 적용
- PIN (Personal Identification Number) : 블루투스 패스키
- 인가되지 않은 장치의 접근의 PIN 요청에 대해 취약함
L2CAP layer의 구현상의 보안 취약성
- multiplexing, segmentation 및 재조합
- 최대 64Kbytes 크기의 패킷 수신
- 패킷 사이즈 길이 검사 (packet size boundary checking) 수행 오류
![Page 24: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/24.jpg)
23Bluetooth Hacking
Various Attacks on BT Devices Various Attacks on BT Devices –– CellphoneCellphone DoSDoS
L2CAP 패킷구성
…#define SIZE 1000 #define FAKE_SIZE (SIZE-3)// (3 bytes <=> L2CAP header) …l2cap_cmd_hdr *cmd; …cmd = (l2cap_cmd_hdr *) buffer; cmd->code = L2CAP_ECHO_REQ; cmd->ident = 1; cmd->len = FAKE_SIZE; …send(sock, buffer, SIZE, 0); ……
![Page 25: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/25.jpg)
24Bluetooth Hacking
Various Attacks on BT Devices Various Attacks on BT Devices –– ESN SniffingESN Sniffing
SDP (Service Discovery Protocol)- 블루투스 장비의 서비스 정보를 제공
- Hidden channel의 존재 가능성? (for developer~ ☺ )
ESN (Electronic Serial Number) Sniffing- 최근 제품에는 ESN이 암호화되어 출시되나 구제품의 경우 문제 보유
…Manufacturer: XXXXX-ABCD CO. LTD Model: 123 Revision: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00] ESN: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00] +GCAP: +CIS707-A, CIS-856, +MS, +ES, +DS, +FCLASS …
![Page 26: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/26.jpg)
25Bluetooth Hacking
Various Attacks on BT Devices Various Attacks on BT Devices –– BT BT WardrivingWardriving
Wardriving- 자동차를 이용하거나 걸어다니면서 취약점을 테스트하는 것
Bluetooth Wardriving 개요
- 시간 : 2006년 8월 20일 19시 47분 ~ 20시 40분
- 장소 : 대전 대형마트(XXX), 유성 도로, 음식점
- 방법 : pairing mode 블루투스 제품 스캐닝 및 DoS 가능성 테스트
![Page 27: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/27.jpg)
26Bluetooth Hacking
Various Attacks on BT Devices Various Attacks on BT Devices –– BT BT WardrivingWardriving
Bluetooth Wardriving 결과
addr name type time
1 00:15:B9:B7:68:C8 Anycall P 2006-8-20 19: 7:10
2 00:0C:78:12:96:39 BT20S P 2006-8-20 19: 7:16
3 00:0A:3B:F6:40:22 Audio Decoder P 2006-8-20 19: 7:20
4 00:16:CE:EF:29:53 SENSQ1 P 2006-8-20 19: 7:22
5 00:00:F0:9A:D0:93 이쁜내새끼들 P 2006-8-20 19: 8:13
6 00:12:56:3A:49:E5 LF1200 P 2006-8-20 19:11:27
7 00:12:56:3B:97:67 [unknown] P 2006-8-20 19:13:58
8 00:15:B9:BC:39:26 Anycall P 2006-8-20 19:14:29
9 00:15:B9:B9:B9:04 Anycall P 2006-8-20 19:17:39
10 00:00:F0:9C:B4:23 Anycall P 2006-8-20 19:17:57
11 00:07:7F:30:0B:AE [unknown] P 2006-8-20 19:18:55
12 00:12:56:47:A0:B4 LF1200 P 2006-8-20 19:19:13
13 00:12:56:00:42:30 [unknown] P 2006-8-20 19:19:54
14 00:15:B9:B6:AA:05 Anycall P 2006-8-20 19:23:25
15 00:00:F0:98:1F:C8 나도연애하는데~ 풉ㅋ P 2006-8-20 19:23:49
![Page 28: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/28.jpg)
27Bluetooth Hacking
Various Attacks on BT Devices Various Attacks on BT Devices –– BT BT WardrivingWardriving
16 00:15:B9:BB:4C:72 [unknown] P 2006-8-20 19:29: 517 00:12:47:01:23:45 [unknown] P 2006-8-20 19:29:5618 00:00:F0:9C:3E:F4 Anycall P 2006-8-20 19:30:3019 00:05:C9:51:CD:99 [unknown] P 2006-8-20 19:31:1220 00:00:F0:96:0A:76 [unknown] P 2006-8-20 19:33:2221 00:00:F0:9B:CE:B8 인생빠꾸없다 P 2006-8-20 19:33:4322 00:02:78:0E:21:91 [unknown] P 2006-8-20 19:34:2523 00:07:7F:31:01:99 [unknown] P 2006-8-20 19:35:1624 00:15:B9:BB:D9:72 [unknown] P 2006-8-20 19:35:5725 00:12:56:15:B3:85 [unknown] P 2006-8-20 19:36:3826 00:05:C9:53:FA:2E [LG]-LP3900 P 2006-8-20 19:38:4527 00:00:F0:98:FE:E2 Anycall P 2006-8-20 19:40:1628 00:12:56:9F:33:E5 [unknown] P 2006-8-20 19:40:5729 00:15:B9:BE:19:0E Anycall P 2006-8-20 19:43:5330 00:00:F0:94:A1:28 [unknown] P 2006-8-20 19:59:5631 00:12:56:00:8F:92 LG-KF1000 P 2006-8-20 20: 9: 932 00:05:C9:6F:6F:AD [unknown] P 2006-8-20 20:18:4033 00:12:56:46:BA:70 LF1200 P 2006-8-20 20:21:3934 00:05:C9:54:CF:E1 [LG]-LP3900 P 2006-8-20 20:36: 8
-국내 블루투스 탑재 기기 이용자 증가
- 공격에 대한 대량 피해 사례는 없으나
개인정보유출에 대한 대비 필요
![Page 29: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/29.jpg)
28Bluetooth Hacking
Ⅲ. Some Advices for Bluetooth Security
![Page 30: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/30.jpg)
29Bluetooth Hacking
PlzPlz, No more defaults~ , No more defaults~ OTL OTL Secure ConfigurationSecure Configuration
PIN 번호의 수정
- 좀 더 나은 PIN 관리 수행 필요
Link Key에 대한 좀 더 나은 보안
- 좀 더 안전한 Link key의 보관 장소 필요
- 장치가 갑자기 Link key를 잃을 경우 경고 발생 필요
Handsfree / Headset – 사용가능한 AT Commands 리스트 작성
- AT+RING, AT+CKPD, etc.
Serial Port
- fuzzing 탐지 기법 구현
OBEX
- 인증 상시 수행 필요
![Page 31: Bluetooth Hacking Padocon](https://reader035.vdocuments.mx/reader035/viewer/2022081401/5571f1fd49795947648bee97/html5/thumbnails/31.jpg)
30Bluetooth Hacking
감사합니다.
Contact Point :*About presentation : [email protected]*About included tests : [email protected]*http://hackers.padocon.org, http://padocon.org