DEF CON 27 - DAMIEN CAUQUIL - defeating bluetooth low energy 5 prng for fun and jamming
1. ra
Defea ng Bluetooth Low
Energy PRNG
for fun and jamming
Damien ”virtualabs” Cauquil | DEF CON
2. ra
Who am I ?
• Security Evangelist @ digital.security
• Senior Security Researcher
• Main developer of BtleJack (a BLE swiss-army tool)
virtualabs
/
4. ra
Bluetooth Low Energy Protocol
Origins
Bluetooth Low Energy has been introduced in as Bluetooth
Smart, in Bluetooth Core Specifica ons version . .
Evolved since then: version . ( ), version . ( ), version
( ) and version . ( )
/
5. ra
Bluetooth Low Energy Protocol
Security mechanisms
• Pairing: key exchange with PIN code, OOB or ECDH
• Secure connec ons: encrypted and authen cated
communica on
• Channel Selec on Algorithm: not a security mechanism, but
makes sniffing complicated
/
6. ra
Bluetooth Low Energy Protocol
Known a acks (BLE <= . )
• Sniffing: stealing secrets sent through non-secure and secure
BLE connec ons
• Jamming: disrup ng an exis ng BLE connec on
• Hijacking: taking over an exis ng BLE connec on
/
8. ra
Bluetooth Low Energy Protocol
BtleJack
• Swiss-army knife to perform Bluetooth Low Energy a acks
• Compa ble with Micro:Bit and other nRF boards
/
9. ra
New features introduced in BLE
• Be er throughput (up to Mbps)
• Be er range (up to feet – meters)
• Improved coexistence
/
10. ra
New features introduced in BLE
Be er throughput / be er range
BLE adds two new PHYs:
• Mbps uncoded PHY: twice the speed of BLE .x
• LE Coded PHY: range × ( kbps) or range × ( kbps)
/
13. ra
New features introduced in BLE
Improved coexistence
BLE also adds a new Channel Selec on Algorithm (CSA # )
• Designed to replace the old algorithm:
Channeln+ = (Channeln + hopInc) mod
• PRNG-based: more ”random” than CSA #
/
14. ra
New features introduced in BLE
Improved coexistence
BLE adds a ChSel bit in the adver sing channel PDU header:
/
15. ra
New features introduced in BLE
Consequences regarding known a acks
• A completely different hopping pa ern ( -hop instead of
-hop sequence) is used
• We won’t be able to sniff, jam or hijack BLE devices
• We need a new hardware that supports BLE new PHYs
/
18. ra
BLE PRNG overview
• It uses a channel iden fier as a seed
• It relies on basic opera ons (add, mul ply, xor, bit
permuta ons)
• Channel remapping is performed if not all channels are in use
/
19. ra
BLE PRNG overview
Channel Iden fier
Channel iden fier is first computed from Access Address, as
described in the specs:
/
25. ra
Breaking this PRNG
I see some flaws in here ...
• channelIden fier is computed from Access Address ... which
is PUBLIC !
/
26. ra
Breaking this PRNG
I see some flaws in here ...
• channelIden fier is computed from Access Address ... which
is PUBLIC !
• Next value is generated from a COUNTER, not from some
previous internal state !
/
27. ra
Breaking this PRNG
From unknown bits to , easy peasy
Access Address is broadcasted in every packet!
/
28. ra
Breaking this PRNG
PRNG ? really ?
prn_e = PRNG(channelIdentifier, counter)
• channelIden fier is constant
• it generates a fixed sequence of values, indexed by
counter
/
31. ra
Breaking this PRNG
Waht do we need to break it ?
• Consider channelIden fier as known
• We are le with an unknown -bit counter
/
32. ra
Breaking this PRNG
Waht do we need to break it ?
• Consider channelIden fier as known
• We are le with an unknown -bit counter
• If we can figure out where we are in the sequence of
values, we would find out this counter value
/
34. ra
Ge ng informa on from RF
As an a acker, we can only monitor an exis ng BLE connec on and:
• determine WHEN a packet is sent over a specific channel
• determine the me spent between two packets transmi ed
on two channels
/
35. ra
Ge ng informa on from RF
Channels are not -bit values
If all data channels are used:
channel = prn_e mod
else:
channel = remappingIndex[ (N×prn_e)
]
/
36. ra
First approach: using a sieve
• Pre-requisite: we know the hopInterval used for the target
connec on (i.e. me spent between two hops)
• Our goal: to eliminate every possible candidate in the
smallest number of rounds
/
37. ra
First approach: using a sieve
How it works
Considering a counter of , we compute channel C from PRNG
with this candidate counter, and wait for a valid packet
/
38. ra
First approach: using a sieve
How it works
Once a valid packet received, we compute the next channel (C )
and we wait for a valid packet again:
/
39. ra
First approach: using a sieve
How it works
We deduce the me spent between these two packets:
/
41. ra
First approach: using a sieve
How it works
We then sieve the sequence of channels to only keep poten al
candidate indexes:
Sequence = {..., C , ..., C
N hops
, ...}
And we end up with a list of candidate counter values at T
(between and , most of the me)
/
42. ra
First approach: using a sieve
How it works
Then, we consider the first candidate and:
• we compute C and C
/
43. ra
First approach: using a sieve
How it works
Then, we consider the first candidate and:
• we compute C and C
• we wait for a packet on channel C
/
44. ra
First approach: using a sieve
How it works
Then, we consider the first candidate and:
• we compute C and C
• we wait for a packet on channel C
• we wait for another packet on channel C
/
45. ra
First approach: using a sieve
How it works
Then, we consider the first candidate and:
• we compute C and C
• we wait for a packet on channel C
• we wait for another packet on channel C
• we deduce the number of hops
/
46. ra
First approach: using a sieve
How it works
Then, we consider the first candidate and:
• we compute C and C
• we wait for a packet on channel C
• we wait for another packet on channel C
• we deduce the number of hops
• we sieve our list of candidates to only keep the matching ones
/
47. ra
First approach: using a sieve
How it works
Repeat un l one candidate le !
(This is the counter value at T )
/
48. ra
First approach: using a sieve
Implementa on (video)
Since I did not have a BLE compa ble device, I simulated this
a ack:
-> Attacker waited 21 hops until a packet arrived on channel 0
>> Filtering candidates ...
-> Candidate 20476 removed
-> Candidate 45108 removed
-> Remaining candidates: 22967
>> Found initial counter: 22967
INFO: Attack required 209 hops
/
51. ra
Guessing the hop interval
Using our previous measures
hopInterval = GCD(δT , δT , δT , ...)
/
52. ra
Guessing the hop interval
Simula ng (again)
$ python3 csa2-hopinter-simulate.py
[system] Hop interval: 2220
Deduced hop interval after 2 deltas: 8880
Deduced hop interval after 3 deltas: 4440
Deduced hop interval after 4 deltas: 4440
Deduced hop interval after 5 deltas: 2220
Deduced hop interval after 6 deltas: 2220
[...]
Deduced hop interval after 10 deltas: 2220
/
53. ra
Guessing the hop interval
Efficiency
# of measures approx. success rate Max. me required (s)
%
%
%
%
%
%
/
56. ra
Improving Btlejack
Channel map and hopInterval recovery
• Btlejack can do the job but only for Mbps uncoded PHY
• I modified Btlejack to compute hopInterval while mapping
channels
• This GCD-based technique works pre y well =)
/
57. ra
Improving Btlejack
Example output
# btlejack -f 0x9af4493f -5 -d /dev/ttyACM2
BtleJack version 2.0
[i] Using cached parameters (created on 2019-07-23 00:47:59)
[i] Detected sniffers:
> Sniffer #0: fw version 2.0
[i] Synchronizing with connection 0x9af4493f ...
✓ CRCInit: 0x6f1c40
✓ Channel Map = 0x0774ea8a3c
✓ Hop interval = 160
/
59. ra
Improving Btlejack
Implemen ng our sieve a ack on counter
I implemented this algorithm and tested it:
• First round went pre y well: I got about candidates
filtered
/
60. ra
Improving Btlejack
Implemen ng our sieve a ack on counter
I implemented this algorithm and tested it:
• First round went pre y well: I got about candidates
filtered
• Next rounds messed up: I was not able to guess the counter
value
/
61. ra
Improving Btlejack
Implemen ng our sieve a ack on counter
Filter out candidates took a hell of a me, thus inducing
a delay !
(Sor ng algorithms did not help)
/
63. ra
Improving Btlejack
Re-designing our sieve a ack
To solve this problem, I moved from a sieve to a pa ern-matching
algorithm:
• Measure first (number of hops between different
consecu ve channels)
/
64. ra
Improving Btlejack
Re-designing our sieve a ack
To solve this problem, I moved from a sieve to a pa ern-matching
algorithm:
• Measure first (number of hops between different
consecu ve channels)
• You end up with δT values (δT to δT )
/
65. ra
Improving Btlejack
Re-designing our sieve a ack
To solve this problem, I moved from a sieve to a pa ern-matching
algorithm:
• Measure first (number of hops between different
consecu ve channels)
• You end up with δT values (δT to δT )
• Look for this hopping pa ern in our sequence and deduce
counter
/
73. ra
Conclusion
Bluetooth Low Energy CSA # PRNG is weak:
• It is not really a PRNG
• bits out of can be easily guessed from a public value
• The last bits compose a counter that is periodically
incremented
/
74. ra
Conclusion
This PRNG:
• is thought to improve coexistence, not security
• is designed to be easily implemented on low-power devices
/
75. ra
Conclusion
• We should use Nordic’s nRF rather than the old
nRF
• S ll a lot of work to port BtleJack to this pla orm
• But luckily, Marcus Meng has done a great job with nRF
/