Bluetooth Hacking Padocon


University Alliance Hacking/Security Conference PADOCON

“ for the Passionate Future ”


Bluetooth Hacking
August 26, 2006
University Hacking & Security Frontier
PADOCON
drwx@padocon.org
binish@padocon.org
Contents

Ⅰ Bluetooth Technology and Vulnerabilities

Ⅱ Bluetooth Hacking in Korea by PADOCON

Ⅲ Some Advice for Bluetooth Security

Ⅰ. Bluetooth Technology and Vulnerabilities

Are you happy in a burning bunker?

BT Technology Overview

BT Technology
- A general cable replacement for low-range wireless standards (e.g. IrDA)
- Usage: information exchange and networking between devices (e.g. vCard, PAN)
- NOT WiFi!
- Pairing: mechanism for establishing long-term trust between two BT devices
- RFCOMM: wireless serial port emulation (basically)
- AT Commands: used to control some devices across an RFCOMM connection
- Discoverable mode: when a device wants to be found, it will respond to other devices sending inquiries

BT Technology Overview (~cont.)

Core Specs v2.0 from Bluetooth SIG
- Hardware-based radio system + software stack
- 2.4 GHz ISM
- Frequency Hopping Spread Spectrum (1600 hops/s on 79 channels)
- Low power consumption, short range (10~100 m)
- Data rates: 2 and 3 Mbps (Enhanced Data Rate)
- Security is largely unchanged from the 1.1 spec

BT Profiles
- profiles govern how like devices talk to each other

BT related Products

BT products are everywhere~!
- Cordless Desktop
- Internet Bridge
- File Transfer
- Briefcase Trick
- Interactive Conference
- Automatic Synchronizer
- Instant Postcard
- Three-in-One Phone
- Ultimate Headset
- Hands-Free Car Kit
- etc.
BT Technology and Flaws Timeline

Contemporary Bluetooth Attacks

Leading group [http://trifinite.org]
- leading the charge of publicly disclosed Bluetooth attacks
- Bluediving (bluediving.sourceforge.net) has Linux-based implementations of most of their tools

Others [@stake, TSG, etc.]
- have tackled some BT issues as well

Problems come from poor implementations
- Rush to market leads to poor security
- Super complicated protocol stack leads to poor security
- Lack of security training for developers leads to poor security

Common Bluetooth Vulnerabilities – Stupid Defaults

Hard-configured PIN
- pairing-time issue
- possible attack: Car Whisperer

Profiles turned on by default
- same as leaving unneeded network services running

No authentication

Poor per-profile defaults
- e.g. a BT CF adapter that had the filesharing profile defaulted to world-writable and shared the entire filesystem

Discoverable by default
- attacker can find users because they use discoverable mode
- DoS attacks can drain the battery faster
Common Bluetooth Vulnerabilities – Link-Level Attacks

Resetting the link key
- a way to force a device to lose its link key and try to re-pair
- basically, fake the BDADDR and repeatedly fail to bring up a secure channel, and the device will assume you "lost" the key
- if a device has a default PIN, you can then automatically set up a trust relationship

Cleartext data
- just like on the web

Location based
- RF: you can track people (http://braces.shmoo.com)

Common Bluetooth Vulnerabilities – Bad Implementation

Exposing functionality prior to authentication
- basis for the BlueSnarf attack
- AT commands are sent to the phone that retrieve the address book
- the phone for some reason assumes this is OK and gives you all the data

Packet-o-death
- Bluesmack sends a big l2ping packet to the device in an effort to kill it
- protocol fuzzing in general is a dandy way to knock over BT devices

Hacking Tools on BT

- trivial OBEX push attack
  - discovered by Marcel Holtmann
  - also discovered by Adam Laurie

- issuing AT commands
  - discovered by Martin Herfurt
  - possibility to cause extra costs

Hacking Tools on BT (~cont.)

- using L2CAP echo feature
  - causing buffer overflows
  - denial of service attack

- denial of service attack
  - credits to Q-Nix and Collin R. Mulliner

- forced re-keying
  - tell partner to delete pairing
  - connect to unauthorized channels

Hacking Tools on BT (~cont.)

- clone a trusted device
  - disable encryption
  - force re-pairing

- fingerprinting for Bluetooth
  - work started by Collin R. Mulliner and Martin Herfurt
  - based on the SDP records and OUI
  - important for security audits
  - paper with more information available

Hacking Tools on BT (~cont.)

- Enhancing the range of a Bluetooth dongle by connecting a directional antenna: as done in the Long Distance Attack

Hacking Tools on BT (~cont.)

- Bluetooth Wireless Technology Hoover
  - Proof-of-Concept application
  - Educational purposes only
  - Phone auditing tool
  - Running on Java

Hacking Tools on BT (~cont.)

The Car Whisperer
- uses default PIN codes to connect to car kits
- inject audio
- record audio
- don't whisper and drive!
- stationary directional antenna

Hacking Tools on BT (~cont.)

BlueBag
- GNU/Linux Gentoo OS
- v2.6 kernel + BlueZ subsystem
- Custom Python-based software
  - Remote controlling
  - Monitoring
  - Data storage
- Data gathering in crowded places and related issues
Hacking Tools on BT (~cont.)

Ⅱ. Bluetooth Hacking in Korea by PADOCON (DEMO)

Hacking Tool Development – BlueZ Attack

(Diagram: attack host and target devices, BDADDRs shown on the slide: 00:11:22:33:44:55, 00:02:32:5C:3F:22, F0:00:0C:23:43:92; 00:02:32:5C:3F:22 is highlighted)

- v2.6 kernel + BlueZ subsystem (bluez-utils, bluez-libs, btsco, etc.)

Various Attacks on BT Devices – Headset Injection

Headset Injection
- inquiring → paging
- headsets that apply a low-level security mode
- access by unauthenticated users and unauthorized devices

(Diagram: INQUIRING → attack server PAGING → CONNECTION)

Various Attacks on BT Devices – Cellphone DoS

Cellphone security
- applies a higher level of security than headsets
- PIN (Personal Identification Number): the Bluetooth passkey
- vulnerable to PIN requests from unauthorized devices attempting access

Security weakness in the L2CAP layer implementation
- multiplexing, segmentation and reassembly
- receives packets of up to 64 Kbytes
- packet size boundary checking performed incorrectly

Various Attacks on BT Devices – Cellphone DoS

L2CAP packet composition

#include <sys/socket.h>            /* send() */
#include <bluetooth/bluetooth.h>   /* htobs() */
#include <bluetooth/l2cap.h>       /* l2cap_cmd_hdr, L2CAP_ECHO_REQ */

#define SIZE 1000
#define FAKE_SIZE (SIZE-3)
// (3 bytes <=> L2CAP header) -- note: l2cap_cmd_hdr (code, ident, len) is 4 bytes,
// so the declared length is one byte larger than the payload actually sent;
// this mismatch is what a missing boundary check on the receiver lets through

unsigned char buffer[SIZE] = {0};  /* sock: L2CAP socket opened earlier (not shown on the slide) */
l2cap_cmd_hdr *cmd;

cmd = (l2cap_cmd_hdr *) buffer;
cmd->code = L2CAP_ECHO_REQ;         /* signalling channel echo request */
cmd->ident = 1;
cmd->len = htobs(FAKE_SIZE);        /* length field is little-endian on the wire */

send(sock, buffer, SIZE, 0);
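The boundary check that the slide says is performed incorrectly, as an added example written for this edit (not code from the PADOCON slides or from BlueZ): a receiver parses the L2CAP signalling header, refuses any command whose declared length disagrees with the bytes actually received, and only then answers an echo request into a reply buffer it has checked for room. The header layout and the echo opcodes follow the Bluetooth core specification; the struct, function and error names are ours. The main() rebuilds the packet from the slide (1000 bytes sent, len = SIZE-3) and shows it being rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* L2CAP signalling command header: code (1), ident (1), len (2, little-endian).
 * Opcode values follow the Bluetooth core specification. */
#define L2CAP_CMD_HDR_LEN   4
#define L2CAP_CODE_ECHO_REQ 0x08
#define L2CAP_CODE_ECHO_RSP 0x09

/* Result codes returned by l2cap_parse_cmd() (names are ours). */
enum {
    L2CAP_OK            = 0,
    L2CAP_ERR_ARG       = -1,   /* null pointer */
    L2CAP_ERR_TRUNCATED = -2,   /* fewer bytes than a header */
    L2CAP_ERR_LENGTH    = -3    /* header length disagrees with bytes received */
};

struct l2cap_cmd_view {
    uint8_t code;
    uint8_t ident;
    uint16_t len;           /* payload length as declared in the header */
    const uint8_t *payload; /* points into the caller's buffer */
};

/* Validate one signalling command. The key check: the declared length must
 * equal the bytes that actually followed the header. Trusting the header
 * alone is the boundary-check error the slide describes. */
int l2cap_parse_cmd(const uint8_t *buf, size_t got, struct l2cap_cmd_view *out)
{
    if (buf == NULL || out == NULL)
        return L2CAP_ERR_ARG;
    if (got < L2CAP_CMD_HDR_LEN)
        return L2CAP_ERR_TRUNCATED;
    uint16_t declared = (uint16_t)(buf[2] | (buf[3] << 8));
    if ((size_t)declared != got - L2CAP_CMD_HDR_LEN)
        return L2CAP_ERR_LENGTH;
    out->code = buf[0];
    out->ident = buf[1];
    out->len = declared;
    out->payload = buf + L2CAP_CMD_HDR_LEN;
    return L2CAP_OK;
}

/* Answer an echo request only after validation, and only if the reply fits.
 * Returns bytes written to out, or a negative parse/size error. */
int l2cap_handle_echo(const uint8_t *in, size_t got, uint8_t *out, size_t out_cap)
{
    struct l2cap_cmd_view v;
    int rc = l2cap_parse_cmd(in, got, &v);
    if (rc != L2CAP_OK)
        return rc;
    if (v.code != L2CAP_CODE_ECHO_REQ)
        return -4;                       /* not an echo request */
    size_t need = L2CAP_CMD_HDR_LEN + v.len;
    if (need > out_cap)
        return -5;                       /* reply would overflow our buffer */
    out[0] = L2CAP_CODE_ECHO_RSP;
    out[1] = v.ident;
    out[2] = (uint8_t)(v.len & 0xff);
    out[3] = (uint8_t)(v.len >> 8);
    memcpy(out + L2CAP_CMD_HDR_LEN, v.payload, v.len);  /* bounded by the checks above */
    return (int)need;
}

/* Build a frame with an arbitrary declared length (constructed test input).
 * Returns the total frame size, or 0 if it does not fit in buf. */
size_t l2cap_make_frame(uint8_t *buf, size_t cap, uint8_t code, uint8_t ident,
                        uint16_t declared_len, size_t actual_payload)
{
    size_t total = L2CAP_CMD_HDR_LEN + actual_payload;
    if (total > cap)
        return 0;
    buf[0] = code;
    buf[1] = ident;
    buf[2] = (uint8_t)(declared_len & 0xff);
    buf[3] = (uint8_t)(declared_len >> 8);
    memset(buf + L2CAP_CMD_HDR_LEN, 0x41, actual_payload);
    return total;
}

int main(void)
{
    uint8_t frame[1000], reply[1000];
    struct l2cap_cmd_view v;

    /* The slide's packet: 1000 bytes sent, len field claims SIZE-3 = 997,
     * but only 996 payload bytes follow the 4-byte header. */
    size_t n = l2cap_make_frame(frame, sizeof frame, L2CAP_CODE_ECHO_REQ, 1, 997, 996);
    printf("mismatched frame: parse rc=%d\n", l2cap_parse_cmd(frame, n, &v));

    /* A well-formed echo request is answered. */
    n = l2cap_make_frame(frame, sizeof frame, L2CAP_CODE_ECHO_REQ, 1, 996, 996);
    printf("valid frame: reply bytes=%d\n", l2cap_handle_echo(frame, n, reply, sizeof reply));
    return 0;
}
```

The same check applies to every signalling command, not just echo: a receiver that reassembles up to 64 Kbytes must compare the header's length against what arrived before copying anything, or the copy in the response path becomes the overflow the slide relies on.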

Various Attacks on BT Devices – ESN Sniffing

SDP (Service Discovery Protocol)
- provides the service information of a Bluetooth device
- possibility of a hidden channel? (for developers~ ☺)

ESN (Electronic Serial Number) Sniffing
- recent products ship with the ESN encrypted, but older products still have the problem

Manufacturer: XXXXX-ABCD CO. LTD
Model: 123
Revision: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
ESN: M6500C-kdv-40991 1 [Jan 00 2005 16:00:00]
+GCAP: +CIS707-A, CIS-856, +MS, +ES, +DS, +FCLASS

Various Attacks on BT Devices – BT Wardriving

Wardriving
- testing for vulnerabilities while driving around in a car or walking

Bluetooth Wardriving overview
- Time: 20 August 2006, 19:47 ~ 20:40
- Place: Daejeon, a large discount store (XXX), Yuseong road, a restaurant
- Method: scanning for Bluetooth products in pairing mode and testing the possibility of DoS

Various Attacks on BT Devices – BT Wardriving

Bluetooth Wardriving results

No. addr name type time
1 00:15:B9:B7:68:C8 Anycall P 2006-8-20 19: 7:10
2 00:0C:78:12:96:39 BT20S P 2006-8-20 19: 7:16
3 00:0A:3B:F6:40:22 Audio Decoder P 2006-8-20 19: 7:20
4 00:16:CE:EF:29:53 SENSQ1 P 2006-8-20 19: 7:22
5 00:00:F0:9A:D0:93 이쁜내새끼들 P 2006-8-20 19: 8:13
6 00:12:56:3A:49:E5 LF1200 P 2006-8-20 19:11:27
7 00:12:56:3B:97:67 [unknown] P 2006-8-20 19:13:58
8 00:15:B9:BC:39:26 Anycall P 2006-8-20 19:14:29
9 00:15:B9:B9:B9:04 Anycall P 2006-8-20 19:17:39
10 00:00:F0:9C:B4:23 Anycall P 2006-8-20 19:17:57
11 00:07:7F:30:0B:AE [unknown] P 2006-8-20 19:18:55
12 00:12:56:47:A0:B4 LF1200 P 2006-8-20 19:19:13
13 00:12:56:00:42:30 [unknown] P 2006-8-20 19:19:54
14 00:15:B9:B6:AA:05 Anycall P 2006-8-20 19:23:25
15 00:00:F0:98:1F:C8 나도연애하는데~ 풉ㅋ P 2006-8-20 19:23:49

16 00:15:B9:BB:4C:72 [unknown] P 2006-8-20 19:29: 5
17 00:12:47:01:23:45 [unknown] P 2006-8-20 19:29:56
18 00:00:F0:9C:3E:F4 Anycall P 2006-8-20 19:30:30
19 00:05:C9:51:CD:99 [unknown] P 2006-8-20 19:31:12
20 00:00:F0:96:0A:76 [unknown] P 2006-8-20 19:33:22
21 00:00:F0:9B:CE:B8 인생빠꾸없다 P 2006-8-20 19:33:43
22 00:02:78:0E:21:91 [unknown] P 2006-8-20 19:34:25
23 00:07:7F:31:01:99 [unknown] P 2006-8-20 19:35:16
24 00:15:B9:BB:D9:72 [unknown] P 2006-8-20 19:35:57
25 00:12:56:15:B3:85 [unknown] P 2006-8-20 19:36:38
26 00:05:C9:53:FA:2E [LG]-LP3900 P 2006-8-20 19:38:45
27 00:00:F0:98:FE:E2 Anycall P 2006-8-20 19:40:16
28 00:12:56:9F:33:E5 [unknown] P 2006-8-20 19:40:57
29 00:15:B9:BE:19:0E Anycall P 2006-8-20 19:43:53
30 00:00:F0:94:A1:28 [unknown] P 2006-8-20 19:59:56
31 00:12:56:00:8F:92 LG-KF1000 P 2006-8-20 20: 9: 9
32 00:05:C9:6F:6F:AD [unknown] P 2006-8-20 20:18:40
33 00:12:56:46:BA:70 LF1200 P 2006-8-20 20:21:39
34 00:05:C9:54:CF:E1 [LG]-LP3900 P 2006-8-20 20:36: 8

- the number of users of Bluetooth-equipped devices in Korea is increasing
- there are no cases of mass damage from attacks yet, but preparation against personal information leakage is needed

Ⅲ. Some Advice for Bluetooth Security

Plz, No more defaults~ OTL Secure Configuration

Changing the PIN number
- better PIN management is needed

Better protection of the Link Key
- a safer place to store the link key is needed
- a warning should be raised when a device suddenly loses its link key

Handsfree / Headset – make a list of the AT Commands that may be used
- AT+RING, AT+CKPD, etc.

Serial Port
- implement fuzzing detection techniques

OBEX
- authentication must always be performed
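The AT command allow-list the slide recommends for the Handsfree/Headset port, as an added example (not code from the PADOCON slides or from any BlueZ component): lines arriving over the RFCOMM channel are normalised, the command name is compared against a fixed list, and anything else is refused before it can reach a handler. AT+RING and AT+CKPD come from the slide; AT+VGS and AT+VGM (speaker and microphone gain) are illustrative additions, AT+CPBR is named only as the standard phonebook-read command the list excludes, and the session lines are constructed, not captured.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define AT_NAME_MAX 16

/* Commands a headset/hands-free port actually needs. AT+RING and AT+CKPD
 * are the ones named on the slide; AT+VGS and AT+VGM are added here for
 * illustration. Anything absent, including phonebook and message commands
 * such as AT+CPBR, is refused. */
static const char *const hfp_allowed[] = {
    "AT+RING", "AT+CKPD", "AT+VGS", "AT+VGM", NULL
};

/* Copy the command name (everything up to '=', '?', ';' or end of line),
 * upper-cased, into name. Returns 0 on success, -1 if the line is not an
 * AT command or the name is longer than any legitimate command name. */
static int at_command_name(const char *line, char name[AT_NAME_MAX])
{
    size_t i = 0;
    while (*line == ' ' || *line == '\t')
        line++;
    for (; line[i] != '\0'; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c == '=' || c == '?' || c == ';' || c == '\r' || c == '\n')
            break;
        if (i + 1 >= AT_NAME_MAX)
            return -1;
        name[i] = (char)toupper(c);
    }
    name[i] = '\0';
    if (strncmp(name, "AT", 2) != 0 || i <= 2)
        return -1;                /* not "AT..." or a bare "AT" with no command */
    return 0;
}

/* 1 if the line may reach the profile's command handler, 0 otherwise. */
int at_command_allowed(const char *line)
{
    char name[AT_NAME_MAX];
    if (at_command_name(line, name) != 0)
        return 0;
    for (size_t k = 0; hfp_allowed[k] != NULL; k++)
        if (strcmp(name, hfp_allowed[k]) == 0)
            return 1;
    return 0;
}

/* Run an RFCOMM session (one command per line) through the filter and
 * return how many lines were refused; refused lines are logged so an
 * audit can see what an unauthenticated peer tried to send. */
int at_filter_session(const char *const *lines, size_t n)
{
    int dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (at_command_allowed(lines[i]))
            continue;
        printf("refused: %s\n", lines[i]);
        dropped++;
    }
    return dropped;
}

int main(void)
{
    /* Constructed session, not a capture. */
    static const char *const session[] = {
        "AT+CKPD=200\r",     /* button press: allowed */
        "at+vgs=9\r",        /* speaker gain, lower case: allowed */
        "AT+CPBR=1,100\r",   /* phonebook read: refused */
        "ATD0101234567;\r",  /* dial: refused */
        "AT+RING?\r",        /* allowed */
        "\r",                /* empty line: refused */
    };
    size_t count = sizeof session / sizeof session[0];
    printf("refused %d of %zu lines\n", at_filter_session(session, count), count);
    return 0;
}
```

Matching on the normalised command name rather than the raw line means parameters and case do not matter, while the length cap keeps a malformed line from being compared at all; the refusal count is the signal the slide's "fuzzing detection" advice for the serial port would build on.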
Thank you.
Contact Point :
*About presentation : drwx@padocon.org
*About included tests : binish@padocon.org
*http://hackers.padocon.org, http://padocon.org
