This document summarizes a talk about Bluetooth security. The talk covers extending the range of Bluetooth devices, wardriving to discover Bluetooth devices, and various attacks against Bluetooth including Bluebug, Bluesnarf, attacking cars and headsets, and cracking Bluetooth pins and link keys. It also discusses vulnerabilities in Bluetooth implementations on Apple and Windows devices that can allow compromising internal networks. Throughout it emphasizes the risks of Bluetooth and gives recommendations to improve security like disabling Bluetooth when not in use and pairing devices securely.
Research and Presentation of Bluetooth Vulnerabilities at the 23C3 in Berlin. Release of BTCrack a Bluetooth Pin cracker + FPGA Implementation. Remote Root over Bluetooth demonstration.
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
We are in the IoT era. In this session, the function of GNURadio will be introduced with demonstration. GNURadio is a SDR (Software Defined Radio) tool to analyze wireless security such as Bluetooth LE. As an example of a SDR usage, I will demonstrate the replay attack for RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) mounted on an aircraft and sniffer for wireless keyboards. Ideas of the counter measurement will also be discussed.
Research and Presentation of Bluetooth Vulnerabilities at the 23C3 in Berlin. Release of BTCrack a Bluetooth Pin cracker + FPGA Implementation. Remote Root over Bluetooth demonstration.
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
We are in the IoT era. In this session, the function of GNURadio will be introduced with demonstration. GNURadio is a SDR (Software Defined Radio) tool to analyze wireless security such as Bluetooth LE. As an example of a SDR usage, I will demonstrate the replay attack for RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) mounted on an aircraft and sniffer for wireless keyboards. Ideas of the counter measurement will also be discussed.
When doing a security assessment, observing how a device communicates with the outside world is a must. It tells you what it sends and receives, and in general let you understand if it can be attacked. We have tools and methods to do it for the server side API, the associated mobile apps, the web apps and so on - but what about the device itself (the "thing")? Moreover, what happens if the device is not using traditional HTTP/S request, or does not even "speak" plain old tcp/ip?
During this talk, we'll go over the obstacles we have to face when analyzing unknown, custom RF based communication that drives the target IoT system we're pentesting. We'll talk about and see in action the tools that will allow us to capture RF traffic, analyze it, brute force it, replay it, and of course forge it. It's like common attacks, but at the RF level. So let's hack some things belonging to the real world!
Presentation by Grorg Christian Pranschkle at ZaCon 2 in 2010.
This presentation is about SNMP security The presentation begins with an overview of SNMP. SNMP security weaknesses and SNMP security in cisco apps are discussed. Frisk-0 a tool for SNMP Hacking developed by the presenter is also discussed.
We all use Wifi today. You know how much money it saves for your smart-phone data usage band-width. Connecting all your computers and gadgets with cables is not just history, even if you attempt it would be impractical!
Wifi being so pervasive, also brings along tremendous security implications. Come join us to look into details of Wifi security. How to secure your wifi network? How certain wifi encryption technologies can be hacked? We would prove that with live demos!
Join us to reflect on the security aspect of this technology, discuss about it and leave with more confidence about how 'secure' your WiFi access is?
WiFiSlax es una distribución GNU/Linux diseñada y estructurada para la auditoría de seguridad, especializada en evaluaciones de seguridad inalámbrica.
Contiene una amplia lista de herramientas de seguridad y auditoría donde se incluyen escáneres de puertos, de servicios y de vulnerabilidades, herramientas para creación y diseño de exploits, ‘sniffers’, herramientas de análisis forense y herramientas para la evaluación de la seguridad de dispositivos wíreless.
En esta presentación oficial de la versión 4.0 se mostrarán una serie de importantes cambios estructurales que han permitido al grupo de desarrolladores continuar innovando en cuanto al soporte hardware tal y como han hecho en sus anteriores versiones anticipándose al resto de distribuciones. Estos cambios les han permitido mantenerse en la vanguardia en las tecnologías inalámbricas.
When doing a security assessment, observing how a device communicates with the outside world is a must. It tells you what it sends and receives, and in general let you understand if it can be attacked. We have tools and methods to do it for the server side API, the associated mobile apps, the web apps and so on - but what about the device itself (the "thing")? Moreover, what happens if the device is not using traditional HTTP/S request, or does not even "speak" plain old tcp/ip?
During this talk, we'll go over the obstacles we have to face when analyzing unknown, custom RF based communication that drives the target IoT system we're pentesting. We'll talk about and see in action the tools that will allow us to capture RF traffic, analyze it, brute force it, replay it, and of course forge it. It's like common attacks, but at the RF level. So let's hack some things belonging to the real world!
Presentation by Grorg Christian Pranschkle at ZaCon 2 in 2010.
This presentation is about SNMP security The presentation begins with an overview of SNMP. SNMP security weaknesses and SNMP security in cisco apps are discussed. Frisk-0 a tool for SNMP Hacking developed by the presenter is also discussed.
We all use Wifi today. You know how much money it saves for your smart-phone data usage band-width. Connecting all your computers and gadgets with cables is not just history, even if you attempt it would be impractical!
Wifi being so pervasive, also brings along tremendous security implications. Come join us to look into details of Wifi security. How to secure your wifi network? How certain wifi encryption technologies can be hacked? We would prove that with live demos!
Join us to reflect on the security aspect of this technology, discuss about it and leave with more confidence about how 'secure' your WiFi access is?
WiFiSlax es una distribución GNU/Linux diseñada y estructurada para la auditoría de seguridad, especializada en evaluaciones de seguridad inalámbrica.
Contiene una amplia lista de herramientas de seguridad y auditoría donde se incluyen escáneres de puertos, de servicios y de vulnerabilidades, herramientas para creación y diseño de exploits, ‘sniffers’, herramientas de análisis forense y herramientas para la evaluación de la seguridad de dispositivos wíreless.
En esta presentación oficial de la versión 4.0 se mostrarán una serie de importantes cambios estructurales que han permitido al grupo de desarrolladores continuar innovando en cuanto al soporte hardware tal y como han hecho en sus anteriores versiones anticipándose al resto de distribuciones. Estos cambios les han permitido mantenerse en la vanguardia en las tecnologías inalámbricas.
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
Bluetooth network-security-seminar-reportROHIT SAGAR
basic network to protect blue-tooth from any un-authorised persons and devices ;its vital importance is to protect and send the data with or without any encrypted key
How to save home PCs for being Zombies ?
what is it "Botnet" ?
Old presentation from 2008, XP OS context a litlle bit obsolete, but still content "real" & "actual" !
The (Io)Things you don't even need to hack. Should we worry?SecuRing
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
Enterprise Developer Journey to the IoTBurr Sutter
v11 for TriJUG May 18 2015
The current hype around the Internet of Things (IoT) has led to a substantial amount of innovation thanks to open source software, open hardware, open standards, and community inspiration. In this session, we will explore how you can use open source software to incorporate the physical world (the “Things”) into your traditional enterprise IT infrastructure. We will walk the path from a typical enterprise developer’s current focus on web desktop applications to mobile and devices, specifically developer prototyping platforms like Raspberry Pi, Intel Edison, Arduino, Spark Core, and several others. Learn how to connect the physical world to your enterprise backbone via sensors and actuators.
2.4 GHz Open band
Globally available
Other devices include microwave ovens, cordless phones
Frequency hopping and Time Division Multiplexing
10 – 100 meter range
Up to 8 active devices can be in the same piconet
Hack.lu 2006 - All your Bluetooth is belong to usThierry Zoller
During the research on Bluetooth Security we uncovered multiple implementation vulnerabilities in Drivers, Software and Stacks. This presentation will explain the reasons and the consequences of these findings. More importingly however protocol weaknesses were discovered and shown live on stage.
http://events.ccc.de/congress/2006/Fahrplan/speakers/1290.en.html
The TLS/SSLv3 renegotiation vulnerability explainedThierry Zoller
The whitepaper explains the SSLv3/TLS renegotiation vulnerability (CVE-2009-3555) to a broader audience and goes into details about the different attack vectors possible. The whitepaper includes original research such as downgrading the client down to clear-text protocol transparently.
The paper is referenced by the US-CERT, FINCERT, RUS-CERT, Qualys, Nessus as the main reference for this vulnerability.
Acorn Recovery: Restore IT infra within minutesIP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
f you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
3. Who we are ? – Hippies
Kevin Finistere
Former Head of Research of SNOSoft
Found Vulnerabilities in Apple, IBM, SAP,
Oracle, Symantec…
Has contributed a lot to this talk
Not here today
Thierry Zoller
Welcome home
Security Consultant @ N.runs
Found vulnerabilities in Checkpoint, Symantec,
Citrix, F-Secure, MySQL4, MacAfee, Nod32…
Don‘t like to talk about me, see for yourself.
Batteries not inlcuded.
Mad Hax0r
4. The Goal of this Talk ?
The Goal of this talk is not to:
Build myths
Show off – and not show how
The Goal of this talk is to :
Raise awareness
Make risks transparent
Paradigm Shift – Bluetooth is not only for toys
Clear the air about InqTana
5. What are we talking about today ?
[ 0x00 ] – Introduction : What is Bluetooth ?
How does it work and hold together ?
Security Modes, Paring modes
Scatternets, Piconets..
What‘s the difference to WiFi (802.11a/b/g) ?
Common Implementations of the Protocol
[ 0x01 ] – Get ready to rumble : Extending the Range
Extending the range of Bluetooth devices
Building automated reconnaissance and attack devices
Bluetooth War driving (GPS, 360°Camera)
More..
[ 0x02 ] – Attack! : Getting dirty with it
Attacking Mobile Phones / Handhelds / PDAs
Attacking Cars / Headsets / Free Hands kits
Attacking Internal Networks (0day)
Attacking the Protocol, braking the encryption (0day)
Tracking the un-trakeable and more..
6. [ 0x00 ] Introduction
What is Bluetooth ?
Invented 1995 by Ericsson, SIG formed 1998 (Bluetooth Special
Interest Group )
Bluetooth 1.0 - 1.7.1999, first devices sold in mid 2000
Named after “Harald Blauzahn”
Goal was, low-cost “cable replacement”
Personal Area Networks
Tech Specs
2.400-2.4835 GHz (WiFi, Cameras, etc..)
Frequency Hopping, up to 3200 times
per second ! (1600 in connection state)
7. [ 0x00 ] Introduction
The difference and similarities with WiFi :
Operate on the same ISM band : 2,4Ghz
WiFi 11 Channels, Bluetooth 79 Channels
Both do frequency hopping (WiFi 600 times slower)
WiFi broadcasts it’s presence every x ms
Bluetooth is a complete Framework with
Profiles and layers of protocols
Obvious: Range
8. [ 0x00 ] Introduction
What does it do for me ?
Cable Replacement
Data/Voice
Personal Area Networks
9. [ 0x00 ] Introduction
The foundation – Protocol Stack
Hardware
Software
10. [ 0x00 ] Introduction
The Bluetooth Profiles
Represent a group and defines mandatory options
Prevent compatibility issues, modular approach to BT extensions
Vertical representation of BT layer usage, handled through SDP
Object Push Profile
11. [ 0x00 ] Introduction
Typical Bluetooth Scenario (1)
Simplistic Model (ignoring security for now)
1 - User goes into a lobby and wants to read email
2 - Clicks on the PDA Email application
3 - Sends and receives Email
12. [ 0x00 ] Introduction
Typical Bluetooth Scenario (2)
Inquiry
Inquiry response
Paging (FHS)
Link establishment
Discovers
Profiles
Bluetooth
Access Point
13. [ 0x00 ] Introduction
Piconets / Scatternets
A Piconet can hold 7 active (and 255 parked) slaves and 1 master,
PTP and PTMP
Master
Slaves
Piconet 1 Piconet 3
Piconet 2
14. [ 0x00 ] Introduction
Frequency Hopping
Slaves always sync to the Master
Hop up-to 3200 times a second over 79
channels using 625 s length
Piconet agrees to a Sequence based on the
BD_ADDR and Clockoffset of the master.
(Now THIS is a unique fingerprint)
This procedure called “Paging” in Bluetoohesque
FH is the reason you can not easily sniff these BT connections.
You have to sync to the Master (or use a Spectral Analyzer and
reconstruct afterwards – Good luck)
15. [ 0x00 ] Introduction
Discoverable modes :
Discoverable :
Sends inquiry responses to all inquiries.
Limited discoverable:
Visible for a certain period of time (Implementation bugs..)
Non-Discoverable:
Never answers an inquiry scan (in theory)
Pairing modes :
Non-pairable mode :
Rejects every pairing request (LMP_not_accepted) (Plantronics)
Pairable mode :
Will pair up-on request
16. [ 0x01 ] Get ready to rumble
Extending the Range
17. [ 0x01 ] Get ready to rumble
Extending the Range
Class 3
Class 2
Class 1
Home Grown
10 M
25 M
100 M
788 M
Specification defines 3 classes :
- Class 1 - 100 mW (20 dBm)
- Class 2 - 2.5 mW (4 dBm)
- Class 3 - 1 mW (0 dBm)
Up to 2,6km are possible
Home Grown
18. [ 0x01 ] Get ready to rumble
HOW-TO
Modify class 1 dongle to accept
an aftermarket antenna.
Basic soldering skills required
Provides much more flexibility when
testing
Connects to an Laptop that
supports USB
Instant Ownage
19. [ 0x01 ] Get ready to rumble
Long Distance - Datasets
Antrum Lake, water reflection
guarantees longer ranges.
788 Meter !
An old Man stole my phone
during this test! I tracked
him with the yagi.
20. [ 0x01 ] Get ready to rumble
Long Distance - Datasets
Strassen, Luxembourg
550 Meter
Thanks Jerome Carrère
21. [ 0x01 ] Get ready to rumble
Long Distance - More More
New World record attempt
by Kevin
Use of high precision Trimble
GPS receivers will be used.
DGPS data correction for
centimeter accuracy
2,6 km !
Needs narrow antenna beam
22. [ 0x01 ] Get ready to rumble
Optimizing for Penetration (1)
Integrated Linksys Dongle
Integrated USB Cable
Metal Parabola
10 * Zoom
Laser (to be done)
23. [ 0x01 ] Get ready to rumble
Optimizing for Penetration (2)
Bundling (Parabola)
Higher penetration through walls
Glass is your friend
On board embedded device. (NSLU2)
Auto scan and attack toolkit
Experiment : Went through a building
found the device on the other side IN
another building.
24. [ 0x01 ] Get ready to rumble
PerimeterWatch – Bluetooth Wardriving
Perl Script by KF
Searches Bluetooth Devices
Takes 360°pictures
GPS coordinates
26. [ 0x02 ] Attack !
Menu du Jour :
Bluebug (AT over RFCOMM)
Bluesnarf (Obex)
Car Whisperer
Limited time, sorry..
Some 0-day :
Owning internal Networks over Bluetooth
Attacking the Protocol:
Bluecrack - BT Pin and Link key cracker
Widcomm Overflow (Broadcom merger leaves lots of vuln users that
can not patch) BTW 3.0.1.905 (../ attacks) and up to BTW 1.4.2.10
has (overflows)
27. [ 0x01 ] Get ready to rumble
Luxembourg – 1 hour Bluetooth Scan
Boulevard Royal
295 unique discoverable
Bluetooth devices
Lots of vulnerable ones
28. [ 0x01 ] Get ready to rumble
Luxembourg – 1 hour Bluetooth Scan
00:0E:9F - Audi UHV – Pin 1234
Nokia 6310 - Disaster
29. [ 0x02 ] Attack !
Implementation - Issues Galore
Pairing always enabled
Rare – few devices
Headsets (Plantronix) – Pairing Button is useless
Default Pins (0000, 1111 …)
Discovery enabled
Lots of Devices
Siemens T60 – stays in discover mode if you ping it, might be attacked
forever.
Hidden (non advertised) Services
ObexIRDA, etc Nokia, others..
30. [ 0x02 ] Attack !
Bluebug Attack – Trifinite Group
The Service that shouldn’t be there
Read phonebook
Read / Send SMS
Dial Number
Redirect Calls
Etc…
Vulnerable devices :
Nokia 6310, Nokia 6310i, Nokia 8910i, Nokia 8910, T68, Sony Ericsson
T68i, T610, T68, T68i, R520m, T610, Z1010, Z600, Motorola V80, V5xx,
V6xx and E398 and others…
31. [ 0x02 ] Attack !
Bluesnarf Attack – Trifinite Group
Basically a “get” request over OBEX Push
Obex Push usually not authenticated
Request for known files, telecom/pb.vcf
Vulnerable devices :
Nokia 6310, Nokia 6310i, Nokia 6650, Ericsson T610, Ericsson
T68, Ericsson T68i, Ericsson T630, Ericsson Z600 others…
Give me your phonebook
Ok
32. [ 0x02 ] Attack !
CarWhisperer – Martin Herfurt
Listen and Record Conversations
Eavesdrop on Headsets, Hands-Free kits
Works against Widcomm < BTW 4.0.1.1500
with no pincode required!
Root Cause :
Paring mode, discoverable, hard coded Pin.
33. [ 0x02 ] Attack !
Wireless Keyboards
If HID server (PC) accepts connections, you
might remotely control the PC. (Collin R. Mulliner)
If you have the link key :
- decryption of packets i.e. capture the keystrokes.
- connect to the PC and remotely control it
34. [ 0x02 ] Attack !
The PIN is not really that useful
The link key is !
Here’s why :
Protocol 1.2 Authentication :
35. [ 0x02 ] Attack ! – 0day
InqTana - Setting the Record straight
Kevin created a cribbled PoC Worm
named InqTana
It’s real, it’s here and it’s not an invention
of the AV industry, KF handed it over in order
for them to protect you against these types of
attacks.
ObexFTP server directory traversal exploit,malicious InputManager
and a local root exploit = remote login tty over rfcomm
NO user interaction required
Media completely missed the point and invented an obscure
conspiracy theory
Points were :
- Macs are NOT invulnerable (the flaw is patched now)
- You can own internal networks over Bluetooth
36. [ 0x02 ] Attack ! – 0day
Obex ../../../ - Owning internal networks
Apple
OSX 10.3 Tiger
OSX 10.4 Jaguar
Vanilla, delayed release
Windows
Widcomm, Toshiba,
Bluesoil, others ?
Pocket PC
Kevin: Apple asked me to not tell 10.4 was shipping vulnerable
OSX 10.3.9 patched, OSX 10.4 shipped vulnerable patched a month
after OSX 10.3.9
37. [ 0x02 ] Attack ! – 0day
MAC OS 10.3 & 10.4 Vanilla
Multi-Staged attack :
Step 1 – ObexFTP ../../../ Attack
Step 2 – Using Input Manager launches Root exploit
(then binds getty to the pda sync port)
Step 3 – Connecting to Port 3 over Rfcomm
Step 4 – Harvesting Keys
Step 5 – Owning the network,
scanning for other BT devices,
compromising them.
38. [ 0x02 ] Attack ! – 0day
MAC OS 10.3 & 10.4 Vanilla
Multi-Staged attack :
Spoofing the BD_Address of the Apple and
authenticating through stolen link key.
39. [ 0x02 ] Attack ! – 0day
Transposed to a Company
Server Room
Workstations
40. [ 0x02 ] Attack ! – 0day
Get the Code
For Hack.lu, Inqtana code release :
http://www.digitalmunition.com
Presented also in the upcoming Hacking Exposed : Wireless
41. [ 0x02 ] Attack !
BUT – The misconception vault
we have an USB policy
BT is only 10 meters
we have automatic patches
we have preset policies disabling all Wireless devices
Your internal networks are at risk.
Implement Mitigation / Monitoring
RFProtect and similar Products
42. [ 0x02 ] Attack ! – 0day
Introducing BTCrack
Hack.lu release
Cracks PIN and Linkkey
Requires values from a Pairing sniff
We can force repairing by using
various Methods
Based on the research
of Shaked and Wool
4 digits pin – 0,25 seconds
47. [ 0x02 ] Attack ! – 0day
BT Crack – Download
Give me a bit of time to fix the bugs
Will be available at http://www.nruns.com
48. [ 0x02 ] Attack !
Windows Widcomm - Buffer overflows
Video
http://www.digitalmunition.com/Widcomm.avi
File
Vulnerable versions
Widcomm Stack up to 3.x is vuln
Widcomm BTStackServer 1.4.2 .10
Widcomm BTStackServer 1.3.2 .7
Widcomm Bluetooth Communication Software 1.4.1 .03
HP IPAQ 2215
HP IPAQ 5450
50. [ 0x02 ] Attack ! – 0day
Owning the Secret Service ? ;)
MicroEarpiece – worlds smallest
Goes into the ear Tunnel
Jabra Headset - Pin Code : 0000
Seriously: You can get it at MicroEarPiece.com
Not discoverable, not in Pairing mode, got it yesterday evening, no time
51. [ 0x02 ] Attack !
Things to Remember :
Bluetooth might be a risk for your Company
Don’t accept every file you are being send, just click NO.
Disable Bluetooth if not required
Pair in “secure” places (SIG Recommendations)
Hold your Bluetooth vendor accountable for vulnerabilities!