Bluetooth [in]security
•Download as PPTX, PDF•
9 likes•1,877 views
Presented by Jiggyasu Sharma in SecurityXploded cyber security meet. visit: http://www.securitytrainings.net for more information
![Bluetooth [in]security
Security Center of Excellence](https://image.slidesharecdn.com/bluetoothinsecurity-160203162816/85/Bluetooth-in-security-1-320.jpg)
![#whoami
Jiggyasu Sharma
• A secuirty N00b
• I hack for bread and b33r
• I write [crape]
• I shoot [by camera]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Bluetooth [in]security
Similar to Bluetooth [in]security (20)
More from securityxploded
More from securityxploded (20)
Recently uploaded
Recently uploaded (20)
Bluetooth [in]security
- 1. Bluetooth [in]security Security Center of Excellence
- 2. #whoami Jiggyasu Sharma • A secuirty N00b • I hack for bread and b33r • I write [crape] • I shoot [by camera]
- 3. Agenda • To discus whatever we all know
- 4. Bluetooth • Bluetooth is a wireless technology standard for exchanging data over short distances (using short-wavelength UHF radio waves in the ISM band from 2.4 to 2.485 GHz) from fixed and mobile devices, and building personal area networks (PANs). (wiki)
- 5. History • Named on 10th century king Herald Bluetooth • Proposed by Jim Kardach • In 1997 • A system which communicate b/w phone and comp • BSIG
- 6. Capability • Wireless • Short Range • Less energy • Cheap • Personal • Easy • Multipoint • Frequency hopping • [in]secure
- 7. Where is being used • Phone/Computer/Camera/Speaker • Watch/Fitness Band/Car/door locks • Cooker/coffee machine/trimer/dryer • Medical devices : ventilator/blood glucose monitor • Payment solution • 7 Million Devices
- 8. Types • Classic (since 1997) • V-1 • V-2 • V-3 • Smart (since 2010) • V-4.0 • V-4.1 • V-4.2
- 9. Difference • Both can not communicate to each other • PHY and DLL are completely difference • High level protocol reuse [L2CAP…]
- 11. Protocol Stack
- 12. PHY Layer • FSK, +/- 250 kHz, 1 Mbit/sec • 40 channels in 2.4 GHz • Hopping
- 13. PHY Channels • 40 channels • 0-39 • Advertising – 3 • Data -37
- 14. Hoping • Hope along 37 data channels • One data packet per channel • Next channel = (channel + hop increment) mod 37 • 3 → 10 → 17 → 24 → 31 → 1 → 8 → 15 → … • hop increment = 7
- 15. Link Layer
- 16. How to sniff • Its Hard (actually)
- 17. Ubertooth • Open source h/w • Bluetooth sniffer • Ubertooth One • Cheapest in existing solutions
- 19. Block diagram
- 20. Capturing Packates • Configure CC2400 • Follow connections according to hop pattern • Hand off bits to ARM MCU
- 21. Encryption • Provided by link layer • Encrypts and MACs PDU • AES-CCM
- 22. Key Exchange Protocol • Three stage process • 3 pairing methods • Just Works • 6-digit PIN • OOB • “None of the pairing methods provide protection against a passive eavesdropper” -Bluetooth Core Spec
- 23. Cracking the TK
- 24. Using Crackle Total time to crack: < 1 second
- 25. • TK -> STK • STK -> LTK • LTK -> Session keys • And its passive
- 26. LTK Reuse
- 27. Let’s just do it... • Do not believe me without a DeMo...
- 28. Required setup • Bluetooth pairing devices (BLE/BTLE capable) • Ubertooth One • Linux system (Ubuntu/Kali works well) • Ubertooth config • Kismet • Wireshark • Crackle
- 29. Prerequisite
- 30. prerequisites that Ubuntu needs
- 31. prerequisites that Ubuntu needs
- 32. prerequisites that Ubuntu needs
- 33. Now we need PyUSB • for add python access to USB ports
- 34. PyUSB to be downloaded
- 35. PyUSB to be downloaded
- 36. PyUSB to be downloaded
- 37. bluetooth base band libraries (lib-btbb) • needed for the ubertooth to decode bluetooth packets
- 38. install lib-btbb
- 39. install lib-btbb
- 40. install lib-btbb
- 41. install lib-btbb
- 42. install lib-btbb
- 43. install lib-btbb
- 44. Install ubertooth tools • ubertooth basic functionality for spectrum analyzing, bluetooth sniffing and firmware updates
- 45. install Ubertooth Basic Tools
- 46. install Ubertooth Basic Tools
- 47. install Ubertooth Basic Tools
- 48. install Ubertooth Basic Tools
- 49. install ubertooth-follow tool • plugin for a linux program
- 50. install Ubertooth-follow Tools install Ubertooth-follow Tools
- 51. install Ubertooth-follow Tools install Ubertooth-follow Tools
- 52. install Ubertooth-follow Tools install Ubertooth-follow Tools
- 53. install Ubertooth-follow Tools install Ubertooth-follow Tools
- 54. Ubertooth Spectrum Analyzing (before Kismet) • Connect the ubertooth one to your USB port • If you are using a virtual machine, enable it on the Devices/Usb Ports and seek the ubertooth one • Two green LEDs (RST and 1.8V) and the red LED (USB LED) that indicates Ubertooth can communicate via USB port.
- 55. Plug Ubertooth to USB
- 56. launch the ubertooth spectrum analyzer
- 57. launch the ubertooth spectrum analyzer
- 58. launch the ubertooth spectrum analyzer
- 60. Kismet • Install kismet default • Then ubertooth plugin
- 72. The final step of the kismet install
- 73. Kismet Config
- 74. Kismet Config
- 75. Kismet Config
- 76. Kismet Config
- 77. compile and install the kismet plugin to enable kismet capture bluetooth packets
- 82. launch kismet and configure ubertooth plugin
- 83. Launch Kismet for Ubertooth Plugin
- 84. Launch Kismet for Ubertooth Plugin
- 85. Launch Kismet for Ubertooth Plugin
- 86. Launch Kismet for Ubertooth Plugin
- 87. Launch Kismet for Ubertooth Plugin
- 88. Launch Kismet for Ubertooth Plugin
- 89. Launch Kismet for Ubertooth Plugin
- 90. Launch Kismet for Ubertooth Plugin
- 91. Launch Kismet for Ubertooth Plugin
- 92. Launch Kismet for Ubertooth Plugin
- 93. Launch Kismet for Ubertooth Plugin
- 94. Launch Kismet for Ubertooth Plugin
- 95. Launch Kismet for Ubertooth Plugin
- 96. Launch Kismet for Ubertooth Plugin
- 97. install wireshark with wireshark bluetooth baseband plugin for the file captured by kismet to be analyzed.
- 98. Install Wireshark BTBB plugin
- 99. Install Wireshark BTBB plugin
- 100. Install Wireshark BTBB plugin
- 101. Install Wireshark BTBB plugin
- 102. Install Wireshark BTBB plugin
- 103. Install Wireshark BTBB plugin
- 104. and finally we can open pcapbtbb files
- 105. Open captured pcapBTBB file
- 106. Open captured pcapBTBB file
- 107. Open captured pcapBTBB file
- 108. Decrypt Bluetooth packets • Crackle
- 109. Handle pcap file to crackle isaias@ubuntu:~/crackle-sample# crackle -i ltk_exchange.pcap -o decrypted.pcap TK found: 000000 ding ding ding, using a TK of 0! Just Cracks(tm) Warning: packet is too short to be encrypted (1), skipping LTK found: 7f62c053f104a5bbe68b1d896a2ed49c Done, processed 712 total packets, decrypted 3
- 110. To listen in on future communications between the two devices : using LTK captured isaias@ubuntu:~/crackle-sample# crackle -i encrypted_known_ltk.pcap -o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c Warning: packet is too short to be encrypted (1), skipping Warning: packet is too short to be encrypted (2), skipping Warning: could not decrypt packet! Copying as is.. Warning: could not decrypt packet! Copying as is.. Warning: could not decrypt packet! Copying as is.. Warning: invalid packet (length to long), skipping Done, processed 297 total packets, decrypted 7
- 111. On the go On the go
- 112. References • http://ubertooth.sourceforge.net/ • https://github.com/greatscottgadgets/ubertooth/ • https://www.kismetwireless.net/ • http://tools.kali.org/wireless-attacks/crackle • http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133
- 113. Thank you all, and Special thanks to… • Philips and team • Minatee Mishra • Anirudh Duggal • Sanjog Panda • Pardhiv Reddy • Ajay Pratap Singh • Geethu Arvind