Bluetooth insecurity

1. Bluetooth [in]security
Security Center of Excellence

2. #whoami
Jiggyasu Sharma
• A secuirty N00b
• I hack for bread and b33r
• I write [crape]
• I shoot [by camera]

3. Agenda
• To discus whatever we all know

4. Bluetooth
• Bluetooth is a wireless technology standard for
exchanging data over short distances (using
short-wavelength UHF radio waves in the ISM
band from 2.4 to 2.485 GHz) from fixed and
mobile devices, and building personal area
networks (PANs). (wiki)

5. History
• Named on 10th century king Herald Bluetooth
• Proposed by Jim Kardach
• In 1997
• A system which communicate b/w phone and comp
• BSIG

6. Capability
• Wireless
• Short Range
• Less energy
• Cheap
• Personal
• Easy
• Multipoint
• Frequency hopping
• [in]secure

7. Where is being used
• Phone/Computer/Camera/Speaker
• Watch/Fitness Band/Car/door locks
• Cooker/coffee machine/trimer/dryer
• Medical devices : ventilator/blood glucose
monitor
• Payment solution
• 7 Million Devices

8. Types
• Classic (since 1997)
• V-1
• V-2
• V-3
• Smart (since 2010)
• V-4.0
• V-4.1
• V-4.2

9. Difference
• Both can not communicate to each other
• PHY and DLL are completely difference
• High level protocol reuse [L2CAP…]

10. Bluetooth Low Energy

11. Protocol Stack

12. PHY Layer
• FSK, +/- 250 kHz, 1 Mbit/sec
• 40 channels in 2.4 GHz
• Hopping

13. PHY Channels
• 40 channels
• 0-39
• Advertising – 3
• Data -37

14. Hoping
• Hope along 37 data channels
• One data packet per channel
• Next channel = (channel + hop increment) mod 37
• 3 → 10 → 17 → 24 → 31 → 1 → 8 → 15 → …
• hop increment = 7

15. Link Layer

16. How to sniff
• Its Hard (actually)

17. Ubertooth
• Open source h/w
• Bluetooth sniffer
• Ubertooth One
• Cheapest in existing solutions

19. Block diagram

20. Capturing Packates
• Configure CC2400
• Follow connections according to hop pattern
• Hand off bits to ARM MCU

21. Encryption
• Provided by link layer
• Encrypts and MACs PDU
• AES-CCM

22. Key Exchange Protocol
• Three stage process
• 3 pairing methods
• Just Works
• 6-digit PIN
• OOB
• “None of the pairing methods provide protection
against a passive eavesdropper” -Bluetooth Core
Spec

23. Cracking the TK

24. Using Crackle
Total time to crack:
< 1 second

25. • TK -> STK
• STK -> LTK
• LTK -> Session keys
• And its passive

26. LTK Reuse

27. Let’s just do it...
• Do not believe me without a DeMo...

28. Required setup
• Bluetooth pairing devices (BLE/BTLE capable)
• Ubertooth One
• Linux system (Ubuntu/Kali works well)
• Ubertooth config
• Kismet
• Wireshark
• Crackle

29. Prerequisite

30. prerequisites that Ubuntu needs

31. prerequisites that Ubuntu needs

32. prerequisites that Ubuntu needs

33. Now we need PyUSB
• for add python access to USB ports

34. PyUSB to be downloaded

35. PyUSB to be downloaded

36. PyUSB to be downloaded

37. bluetooth base band libraries
(lib-btbb)
• needed for the ubertooth to decode bluetooth
packets

38. install lib-btbb

39. install lib-btbb

40. install lib-btbb

41. install lib-btbb

42. install lib-btbb

43. install lib-btbb

44. Install ubertooth tools
• ubertooth basic functionality for spectrum
analyzing, bluetooth sniffing and firmware
updates

45. install Ubertooth Basic Tools

46. install Ubertooth Basic Tools

47. install Ubertooth Basic Tools

48. install Ubertooth Basic Tools

49. install ubertooth-follow tool
• plugin for a linux program

50. install Ubertooth-follow Tools
install Ubertooth-follow Tools

51. install Ubertooth-follow Tools
install Ubertooth-follow Tools

52. install Ubertooth-follow Tools
install Ubertooth-follow Tools

53. install Ubertooth-follow Tools
install Ubertooth-follow Tools

54. Ubertooth Spectrum Analyzing
(before Kismet)
• Connect the ubertooth one to your USB port
• If you are using a virtual machine, enable it
on the Devices/Usb Ports and seek the ubertooth
one
• Two green LEDs (RST and 1.8V) and the red LED
(USB LED) that indicates Ubertooth can
communicate via USB port.

55. Plug Ubertooth to USB

56. launch the ubertooth spectrum
analyzer

57. launch the ubertooth spectrum analyzer

58. launch the ubertooth spectrum analyzer

60. Kismet
• Install kismet default
• Then ubertooth plugin

61. Kismet Connection

62. Kismet Connection

63. Kismet Connection

64. Kismet Connection

65. Kismet Connection

66. Kismet Connection

67. Kismet Connection

68. Kismet Connection

69. Kismet Connection

70. Kismet Connection

71. Kismet Connection

72. The final step of the kismet
install

73. Kismet Config

74. Kismet Config

75. Kismet Config

76. Kismet Config

77. compile and install the kismet
plugin to enable kismet capture
bluetooth packets

78. Install Kismet Plugin

79. Install Kismet Plugin

80. Install Kismet Plugin

81. Install Kismet Plugin

82. launch kismet and configure
ubertooth plugin

83. Launch Kismet for Ubertooth Plugin

84. Launch Kismet for Ubertooth Plugin

85. Launch Kismet for Ubertooth Plugin

86. Launch Kismet for Ubertooth Plugin

87. Launch Kismet for Ubertooth Plugin

88. Launch Kismet for Ubertooth Plugin

89. Launch Kismet for Ubertooth Plugin

90. Launch Kismet for Ubertooth Plugin

91. Launch Kismet for Ubertooth Plugin

92. Launch Kismet for Ubertooth Plugin

93. Launch Kismet for Ubertooth Plugin

94. Launch Kismet for Ubertooth Plugin

95. Launch Kismet for Ubertooth Plugin

96. Launch Kismet for Ubertooth Plugin

97. install wireshark with wireshark
bluetooth baseband plugin for the
file captured by kismet to be
analyzed.

98. Install Wireshark BTBB plugin

99. Install Wireshark BTBB plugin

100. Install Wireshark BTBB plugin

101. Install Wireshark BTBB plugin

102. Install Wireshark BTBB plugin

103. Install Wireshark BTBB plugin

104. and finally we can open
pcapbtbb files 

105. Open captured pcapBTBB file

106. Open captured pcapBTBB file

107. Open captured pcapBTBB file

108. Decrypt Bluetooth packets
• Crackle

109. Handle pcap file to crackle
isaias@ubuntu:~/crackle-sample# crackle -i ltk_exchange.pcap -o
decrypted.pcap
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3

110. To listen in on future
communications between the two
devices : using LTK captured
isaias@ubuntu:~/crackle-sample# crackle -i encrypted_known_ltk.pcap
-o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c
Warning: packet is too short to be encrypted (1), skipping
Warning: packet is too short to be encrypted (2), skipping
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: invalid packet (length to long), skipping
Done, processed 297 total packets, decrypted 7

111. On the go
On the go

112. References
• http://ubertooth.sourceforge.net/
• https://github.com/greatscottgadgets/ubertooth/
• https://www.kismetwireless.net/
• http://tools.kali.org/wireless-attacks/crackle
• http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133

113. Thank you all, and Special
thanks to…
• Philips and team
• Minatee Mishra
• Anirudh Duggal
• Sanjog Panda
• Pardhiv Reddy
• Ajay Pratap Singh
• Geethu Arvind

114. Questions? Apart from...