SlideShare a Scribd company logo

DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf

Felipe Prado
Felipe Prado

DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf

Technology
1 of 35
Download to read offline
1 Extracting the painful (blue)tooth Matteo Beccaro • Security Consultant at Secure Network • Technical Research Leader at Opposing Force, Physical Security division of Secure Network • @_bughardy_ { Matteo Collura • Student at Politecnico di Torino (www.polito.it) • Electronic Engineer • Researcher in several fields • @eagle1753 {
2 Who we are… Matteo Beccaro • Security Consultant at Secure Network • Technical Research Leader at Opposing Force, Physical Security division of Secure Network • @_bughardy_ {
3 Who are we… Matteo Collura • Student at Politecnico di Torino • Electronic Engineer • Researcher in different fields concerning security (NFC, bluetooth) • Now focusing on social skills (NLP, social engineering..) • @eagle1753 {
Index
What the hell is Bluetooth? • Wireless standard for exchanging data over short distances. • Short wavelength UHF: 2.4 – 2.485 GHz • 79 channels (usually) + Adaptive Frequency Hopping • Name coming from Harald Bluetooth • Scandinavian humor...
Layer protocol architecture What the hell is Bluetooth? Core protocols Cable replacement protocols Telephony control protocols Adopted protocols So many different stacks! LMP, L2CAP, SDP are mandatory!
• So many updates! • 1.0: Mandatory BD_ADDR • 1.1: IEEE Standard (2002) • 1.2: Adaptive frequency-hopping spread spectrum resistance to interferences and eavesdropping (theorically ) • 2.0: EDR (optional) for faster data transfer, GFSK+PSK modulation • 2.1: Secure Simple Pairing, Extended Inquiry Response What the hell is Bluetooth? Version 1: Version 2:
• So many updates! • 3.0: Alternative MAC/PHYs for high data transfer, Unicast Connectionless Data • 4.0: Includes now Bluetooth Low Energy protocol (or Smart) • 4.1: Limited discovery time, lower consumptions, LE link layer topology • 4.2: LE Data packet extension, LE «secure» connections, Link Layer privacy (really?) What the hell is Bluetooth? Version 4: Version 3:
1. Index Index
Known and unknown risks.. • BlueSnarf, by Holtmann & Laurie Bluetooth implementation on mobile phones and pocket palms Late 2003When? What? Why? «(in)security» of OBEX protocol No authentication neededEasy GET requests to common files (calendar, contacts..) No prompts on the user’s side
Known and unknown risks.. • BlueBug, by Adam Laurie & Martin Herfurt Bluetooth implementation on mobile phones, especially Symbian OS 2004 @DEFCON12When? What? Why? Security loophole No secure auth prior to v2.0 Control device thorugh plain serial connection Download items via OBEX protocol w/out prompts
Known and unknown risks.. • Legacy (prior to v2.0) pairing procedure Encryption Algorithm Referred to Device B
Known and unknown risks.. • Legacy (prior to v2.0) authentication procedure Previously evaluated Link Key Referred to Device B Encryption Algorithm
Known and unknown risks.. • Secure simple pairing
Known and unknown risks.. • BlueChop, following BlueSnarf Master must support multiple connections It disrupts any bluetooth piconet from the outside Spoof a random slave out of the piconet Contact the master Confusion of the master’s internal state Piconet disruption What? Provided
Known and unknown risks.. • Bluetooth LE encryption bypass, by Mark Ryan: – Eavesdropping vs Decrypting – 3 different keys needed to estabilish a connection, TK, STK, LTK – If we are able to save the key exchange procedure, we are done • What if I get TK? Pairing TK STK LTK
Known and unknown risks.. • TK, 128 bit AES key, depends on the pairing mode: • Bruteforce is the way. Intel i7, just one core less than 1 sec • The whole procedure may be computed offline Just Works 6-digit PIN Out Of Band (OOB) TK = 0 TK = 128-bit number TK = #fuckyourself TK STK LTK 42
Officially introduced with Android 5.0 it enables to unlock the smartphone without user interaction if at least one of the following conditions apply: The smartphone is in range of a previous saved NFC tag. The smartphone is within a certain location. The smartphone recognize the face of the owner, which must be previously saved. A previous enabled bluetooth device is connected to the smartphone The smartphone is in contact with a body. NFC Unlock Location Unlock Bluetooth Unlock Face Unlock Body Unlock SmartUnlock…
Bluetooth Unlock This may be the most interesting and most used function of all the above. The user set a paired bluetooth device as Trusted, and from now on every time that device is linked to the smartphone the lockscreen is bypassed. Good, so what is the problem? Bluetooth Unlock…
In Android < 5.1 the LK ( LinkKey ) is not checked to verify the Bluetooth device. Bluetooth Unlock…
Bluetooth Unlock…
Now the question is: How to get the 4 bytes of the MAC address required? Two possible solutions: Bruteforce Slow Expensive Not such a good idea Sniffing Requires vicinity Target can become aware Authentication process is required Bluetooth Unlock…
Slow We cannot bruteforce the MAC address offline, we need to try a new connection everytime Expensive We can speed it up parallelizing it but costs increase. Not such a good idea 42 bits will defentely requires too much time. { { { Bruteforce…
Requires vicinity Target must be near enough for our ubertooth to intercept packets Target can become aware Target can be suspicious of strange guy with big antenna(s) Auth process is required Usually only 3 bytes of MAC address are transmitted { { { Sniffing…
Hybrid is always the solution Android automatically sends out ‘beacons’ of paired BT devices. The trusted device must be a paired device We can intercept beacons to retrive 3 bytes of the MAC address Bruteforce the remaining… 1 bytes = 256 possible MAC addresses Our approach…
<video demo> Demo Time!
Android 5.1 adds a new nice feature... New findings...
Demo Time! <video demo>
Is it fixed? It depends… Android >= 5.1 SmartUnlock is fixed API are still vulnerable Android <= 5.0.X SmartUnlock is not fixed API are vulnerable New findings...
API does not have a safe method to check if a device is connected with a proper LK Android Security Team told us that there is a method for this, but it was not yet in SDK, as 27th April, 2015. And it still not present New findings...
Why fixing the API is important if SmartUnlock function is fixed? 3rd party applications! Demo time! Demo Time!
Index 1. Index 4. Future works…
Bluetooth is everywhere, we are focusing on: IoT Devices Smart Locks Fit Band etc Future Works...
Thank you
Q&A Time…

Recommended

DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEE
DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEEDEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEE
DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEEFelipe Prado
 
Bluetooth security
Bluetooth securityBluetooth security
Bluetooth securityRamasubbu .P
 
Bluetooth Vulnerabilities
Bluetooth VulnerabilitiesBluetooth Vulnerabilities
Bluetooth VulnerabilitiesVictorYee
 
Bluetooth security
Bluetooth securityBluetooth security
Bluetooth securityShantanu Krishna
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]securitysecurityxploded
 
Bluetooth Security
Bluetooth SecurityBluetooth Security
Bluetooth Securityh_marvin
 
Bluetooth Security
Bluetooth SecurityBluetooth Security
Bluetooth SecurityNikhil Raj
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationOpposing Force S.r.l.
 

Recommended

DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEE
DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEEDEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEE
DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEEFelipe Prado
 
Bluetooth security
Bluetooth securityBluetooth security
Bluetooth securityRamasubbu .P
 
Bluetooth Vulnerabilities
Bluetooth VulnerabilitiesBluetooth Vulnerabilities
Bluetooth VulnerabilitiesVictorYee
 
Bluetooth security
Bluetooth securityBluetooth security
Bluetooth securityShantanu Krishna
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]securitysecurityxploded
 
Bluetooth Security
Bluetooth SecurityBluetooth Security
Bluetooth Securityh_marvin
 
Bluetooth Security
Bluetooth SecurityBluetooth Security
Bluetooth SecurityNikhil Raj
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationOpposing Force S.r.l.
 
BLUETOOTH SECURITY
BLUETOOTH SECURITYBLUETOOTH SECURITY
BLUETOOTH SECURITYJay Nagar
 
Securing wireless network
Securing wireless networkSecuring wireless network
Securing wireless networkSyed Ubaid Ali Jafri
 
Wireless security
Wireless securityWireless security
Wireless securityAurobindo Nayak
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network SecurityGyana Ranjana
 
Attendance System using ESP8266(Wi-Fi) with MySQL
Attendance System using ESP8266(Wi-Fi) with MySQLAttendance System using ESP8266(Wi-Fi) with MySQL
Attendance System using ESP8266(Wi-Fi) with MySQLSanjay Kumar
 
Bluetooth network-security-seminar-report
Bluetooth network-security-seminar-reportBluetooth network-security-seminar-report
Bluetooth network-security-seminar-reportROHIT SAGAR
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacksn|u - The Open Security Community
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_kRama Krishna M
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyFReeze FRancis
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentationMuhammad Zia
 
Wireless hacking and security
Wireless hacking and securityWireless hacking and security
Wireless hacking and securityAdel Zalok
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Pentesting Wireless Networks and Wireless Network Security
Pentesting Wireless Networks and Wireless Network SecurityPentesting Wireless Networks and Wireless Network Security
Pentesting Wireless Networks and Wireless Network SecurityAyoma Wijethunga
 
blutooth based smart sensor network
blutooth based smart sensor networkblutooth based smart sensor network
blutooth based smart sensor networkMaulik Patel
 
Wifi Security
Wifi SecurityWifi Security
Wifi SecurityShital Kat
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...IDES Editor
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsAirTight Networks
 
WiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefenceWiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefencePrakashchand Suthar
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and ProtectionChandrak Trivedi
 
IoT setup and pairing
IoT setup and pairingIoT setup and pairing
IoT setup and pairingGuy Vinograd ☁
 
Bluetooth
BluetoothBluetooth
BluetoothFahim Faysal
 

More Related Content

What's hot

BLUETOOTH SECURITY
BLUETOOTH SECURITYBLUETOOTH SECURITY
BLUETOOTH SECURITYJay Nagar
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network SecurityGyana Ranjana
 
Attendance System using ESP8266(Wi-Fi) with MySQL
Attendance System using ESP8266(Wi-Fi) with MySQLAttendance System using ESP8266(Wi-Fi) with MySQL
Attendance System using ESP8266(Wi-Fi) with MySQLSanjay Kumar
 
Bluetooth network-security-seminar-report
Bluetooth network-security-seminar-reportBluetooth network-security-seminar-report
Bluetooth network-security-seminar-reportROHIT SAGAR
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_kRama Krishna M
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyFReeze FRancis
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentationMuhammad Zia
 
Wireless hacking and security
Wireless hacking and securityWireless hacking and security
Wireless hacking and securityAdel Zalok
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Pentesting Wireless Networks and Wireless Network Security
Pentesting Wireless Networks and Wireless Network SecurityPentesting Wireless Networks and Wireless Network Security
Pentesting Wireless Networks and Wireless Network SecurityAyoma Wijethunga
 
blutooth based smart sensor network
blutooth based smart sensor networkblutooth based smart sensor network
blutooth based smart sensor networkMaulik Patel
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...IDES Editor
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsAirTight Networks
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and ProtectionChandrak Trivedi
 

What's hot (20)

BLUETOOTH SECURITY
BLUETOOTH SECURITYBLUETOOTH SECURITY
BLUETOOTH SECURITY
 
Securing wireless network
Securing wireless networkSecuring wireless network
Securing wireless network
 
Wireless security
Wireless securityWireless security
Wireless security
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Security
 
Attendance System using ESP8266(Wi-Fi) with MySQL
Attendance System using ESP8266(Wi-Fi) with MySQLAttendance System using ESP8266(Wi-Fi) with MySQL
Attendance System using ESP8266(Wi-Fi) with MySQL
 
Bluetooth network-security-seminar-report
Bluetooth network-security-seminar-reportBluetooth network-security-seminar-report
Bluetooth network-security-seminar-report
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_k
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case Study
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 
Wireless hacking and security
Wireless hacking and securityWireless hacking and security
Wireless hacking and security
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduino
 
Pentesting Wireless Networks and Wireless Network Security
Pentesting Wireless Networks and Wireless Network SecurityPentesting Wireless Networks and Wireless Network Security
Pentesting Wireless Networks and Wireless Network Security
 
blutooth based smart sensor network
blutooth based smart sensor networkblutooth based smart sensor network
blutooth based smart sensor network
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
WiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefenceWiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & Defence
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
 

Similar to DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf

IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackPriyanka Aash
 
Bluetooth Technology
Bluetooth TechnologyBluetooth Technology
Bluetooth TechnologyManish Sharma
 
IoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutionsIoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutionsEric Larcheveque
 
Bluetooth Secure Simple Pairing Using NFC Part 1
Bluetooth Secure Simple Pairing Using NFC Part 1 Bluetooth Secure Simple Pairing Using NFC Part 1
Bluetooth Secure Simple Pairing Using NFC Part 1 NFC Forum
 
A Comprehensive Approach to Secure Group Communication in Wireless Networks
A Comprehensive Approach to Secure Group Communication in Wireless NetworksA Comprehensive Approach to Secure Group Communication in Wireless Networks
A Comprehensive Approach to Secure Group Communication in Wireless NetworksDavid González Romero
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!Justin Black
 
OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016joebursell
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...Priyanka Aash
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...CODE BLUE
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great againEric Larcheveque
 
WiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaWiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaEC-Council
 
Bluetooth
BluetoothBluetooth
Bluetoothshwet28
 

Similar to DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf (20)

IoT setup and pairing
IoT setup and pairingIoT setup and pairing
IoT setup and pairing
 
Bluetooth
BluetoothBluetooth
Bluetooth
 
Wireless personal area networks(PAN)
Wireless personal area networks(PAN)Wireless personal area networks(PAN)
Wireless personal area networks(PAN)
 
IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation Track
 
Bluetooth Technology
Bluetooth TechnologyBluetooth Technology
Bluetooth Technology
 
IoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutionsIoT summit - Building flexible & secure IoT solutions
IoT summit - Building flexible & secure IoT solutions
 
Bluetooth Secure Simple Pairing Using NFC Part 1
Bluetooth Secure Simple Pairing Using NFC Part 1 Bluetooth Secure Simple Pairing Using NFC Part 1
Bluetooth Secure Simple Pairing Using NFC Part 1
 
A Comprehensive Approach to Secure Group Communication in Wireless Networks
A Comprehensive Approach to Secure Group Communication in Wireless NetworksA Comprehensive Approach to Secure Group Communication in Wireless Networks
A Comprehensive Approach to Secure Group Communication in Wireless Networks
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 
Iot Security
Iot SecurityIot Security
Iot Security
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
 
OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great again
 
Bluetooth 27 01-12 PPT
Bluetooth 27 01-12 PPTBluetooth 27 01-12 PPT
Bluetooth 27 01-12 PPT
 
WiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaWiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon Sonya
 
Teknologi Bluetooth
Teknologi BluetoothTeknologi Bluetooth
Teknologi Bluetooth
 
Bluetooth
BluetoothBluetooth
Bluetooth
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf

  • 1. 1 Extracting the painful (blue)tooth Matteo Beccaro • Security Consultant at Secure Network • Technical Research Leader at Opposing Force, Physical Security division of Secure Network • @_bughardy_ { Matteo Collura • Student at Politecnico di Torino (www.polito.it) • Electronic Engineer • Researcher in several fields • @eagle1753 {
  • 2. 2 Who we are… Matteo Beccaro • Security Consultant at Secure Network • Technical Research Leader at Opposing Force, Physical Security division of Secure Network • @_bughardy_ {
  • 3. 3 Who are we… Matteo Collura • Student at Politecnico di Torino • Electronic Engineer • Researcher in different fields concerning security (NFC, bluetooth) • Now focusing on social skills (NLP, social engineering..) • @eagle1753 {
  • 5. What the hell is Bluetooth? • Wireless standard for exchanging data over short distances. • Short wavelength UHF: 2.4 – 2.485 GHz • 79 channels (usually) + Adaptive Frequency Hopping • Name coming from Harald Bluetooth • Scandinavian humor...
  • 6. Layer protocol architecture What the hell is Bluetooth? Core protocols Cable replacement protocols Telephony control protocols Adopted protocols So many different stacks! LMP, L2CAP, SDP are mandatory!
  • 7. • So many updates! • 1.0: Mandatory BD_ADDR • 1.1: IEEE Standard (2002) • 1.2: Adaptive frequency-hopping spread spectrum resistance to interferences and eavesdropping (theorically ) • 2.0: EDR (optional) for faster data transfer, GFSK+PSK modulation • 2.1: Secure Simple Pairing, Extended Inquiry Response What the hell is Bluetooth? Version 1: Version 2:
  • 8. • So many updates! • 3.0: Alternative MAC/PHYs for high data transfer, Unicast Connectionless Data • 4.0: Includes now Bluetooth Low Energy protocol (or Smart) • 4.1: Limited discovery time, lower consumptions, LE link layer topology • 4.2: LE Data packet extension, LE «secure» connections, Link Layer privacy (really?) What the hell is Bluetooth? Version 4: Version 3:
  • 10. Known and unknown risks.. • BlueSnarf, by Holtmann & Laurie Bluetooth implementation on mobile phones and pocket palms Late 2003When? What? Why? «(in)security» of OBEX protocol No authentication neededEasy GET requests to common files (calendar, contacts..) No prompts on the user’s side
  • 11. Known and unknown risks.. • BlueBug, by Adam Laurie & Martin Herfurt Bluetooth implementation on mobile phones, especially Symbian OS 2004 @DEFCON12When? What? Why? Security loophole No secure auth prior to v2.0 Control device thorugh plain serial connection Download items via OBEX protocol w/out prompts
  • 12. Known and unknown risks.. • Legacy (prior to v2.0) pairing procedure Encryption Algorithm Referred to Device B
  • 13. Known and unknown risks.. • Legacy (prior to v2.0) authentication procedure Previously evaluated Link Key Referred to Device B Encryption Algorithm
  • 14. Known and unknown risks.. • Secure simple pairing
  • 15. Known and unknown risks.. • BlueChop, following BlueSnarf Master must support multiple connections It disrupts any bluetooth piconet from the outside Spoof a random slave out of the piconet Contact the master Confusion of the master’s internal state Piconet disruption What? Provided
  • 16. Known and unknown risks.. • Bluetooth LE encryption bypass, by Mark Ryan: – Eavesdropping vs Decrypting – 3 different keys needed to estabilish a connection, TK, STK, LTK – If we are able to save the key exchange procedure, we are done • What if I get TK? Pairing TK STK LTK
  • 17. Known and unknown risks.. • TK, 128 bit AES key, depends on the pairing mode: • Bruteforce is the way. Intel i7, just one core less than 1 sec • The whole procedure may be computed offline Just Works 6-digit PIN Out Of Band (OOB) TK = 0 TK = 128-bit number TK = #fuckyourself TK STK LTK 42
  • 18. Officially introduced with Android 5.0 it enables to unlock the smartphone without user interaction if at least one of the following conditions apply: The smartphone is in range of a previous saved NFC tag. The smartphone is within a certain location. The smartphone recognize the face of the owner, which must be previously saved. A previous enabled bluetooth device is connected to the smartphone The smartphone is in contact with a body. NFC Unlock Location Unlock Bluetooth Unlock Face Unlock Body Unlock SmartUnlock…
  • 19. Bluetooth Unlock This may be the most interesting and most used function of all the above. The user set a paired bluetooth device as Trusted, and from now on every time that device is linked to the smartphone the lockscreen is bypassed. Good, so what is the problem? Bluetooth Unlock…
  • 20. In Android < 5.1 the LK ( LinkKey ) is not checked to verify the Bluetooth device. Bluetooth Unlock…
  • 22. Now the question is: How to get the 4 bytes of the MAC address required? Two possible solutions: Bruteforce Slow Expensive Not such a good idea Sniffing Requires vicinity Target can become aware Authentication process is required Bluetooth Unlock…
  • 23. Slow We cannot bruteforce the MAC address offline, we need to try a new connection everytime Expensive We can speed it up parallelizing it but costs increase. Not such a good idea 42 bits will defentely requires too much time. { { { Bruteforce…
  • 24. Requires vicinity Target must be near enough for our ubertooth to intercept packets Target can become aware Target can be suspicious of strange guy with big antenna(s) Auth process is required Usually only 3 bytes of MAC address are transmitted { { { Sniffing…
  • 25. Hybrid is always the solution Android automatically sends out ‘beacons’ of paired BT devices. The trusted device must be a paired device We can intercept beacons to retrive 3 bytes of the MAC address Bruteforce the remaining… 1 bytes = 256 possible MAC addresses Our approach…
  • 27. Android 5.1 adds a new nice feature... New findings...
  • 29. Is it fixed? It depends… Android >= 5.1 SmartUnlock is fixed API are still vulnerable Android <= 5.0.X SmartUnlock is not fixed API are vulnerable New findings...
  • 30. API does not have a safe method to check if a device is connected with a proper LK Android Security Team told us that there is a method for this, but it was not yet in SDK, as 27th April, 2015. And it still not present New findings...
  • 31. Why fixing the API is important if SmartUnlock function is fixed? 3rd party applications! Demo time! Demo Time!
  • 33. Bluetooth is everywhere, we are focusing on: IoT Devices Smart Locks Fit Band etc Future Works...