SlideShare a Scribd company logo

Hacking bluetooth enabled mobile phones and beyond.pdf

B
boliti9570

This pdf will teach you how to hack bluetooth enabled phones and beyond

Technology
1 of 32
Download to read offline
Adam Laurie, Marcel Holtmann, Martin Herfurt Hacking Bluetooth enabled mobile phones and beyond – Full Disclosure Blackhat Security Briefings April 1st 2005, Amsterdam, the Netherlands
Adam Laurie, Marcel Holtmann, Martin Herfurt Who we are ● Adam Laurie – CSO of The Bunker Secure Hosting Ltd. – Co-Maintainer of Apache-SSL – DEFCON Staff/Organiser ● Marcel Holtmann – Maintainer and core developer of the Linux Bluetooth Stack BlueZ ● Martin Herfurt – Security Researcher – Founder of trifinite.org
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Technology Overview ● Bluetooth SIG – Trade Association – Founded 1998 – Owns & Licenses IP – Individual membership free – Promoter members: Agere, Ericsson, IBM, Intel, Microsoft, Motorola, Nokia and Toshiba – Consumer http://www.bluetooth.com – Technical http://www.bluetooth.org
Adam Laurie, Marcel Holtmann, Martin Herfurt
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Technology ● Data and voice transmission ● ACL data connections ● SCO and eSCO voice channels ● Symmetric and asymmetric connections ● Frequency hopping ● ISM band at 2.4 GHz ● 79 channels ● 1600 hops per second ● Multi-Slot packets
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Piconet ● Bluetooth devices create a piconet ● One master per piconet ● Up to seven active slaves ● Over 200 passive members are possible ● Master sets the hopping sequence ● Transfer rates of 721 Kbit/sec ● Bluetooth 1.2 and EDR (aka 2.0) ● Adaptive Frequency Hopping ● Transfer rates up to 2.1 Mbit/sec
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Scatternet ● Connected piconets create a scatternet ● Master in one and slave in another piconet ● Slave in two different piconets ● Only master in one piconet ● Scatternet support is optional
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Architecture ● Hardware layer ● Radio, Baseband and Link Manager ● Access through Host Controller Interface – Hardware abstraction – Standards for USB and UART ● Host protocol stack ● L2CAP, RFCOMM, BNEP, AVDTP etc. ● Profile implementations ● Serial Port, Dialup, PAN, HID etc.
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Stack Security mechanisms on the Bluetooth chip Bluetooth host security mechanisms Application specific security mechanisms
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Security ● Link manager security ● All security routines are inside the Bluetooth chip ● Nothing is transmitted in “plain text” ● Host stack security ● Interface for link manager security routines ● Part of the HCI specification ● Easy interface ● No further encryption of pin codes or keys
Adam Laurie, Marcel Holtmann, Martin Herfurt Security Mode ● Security mode 1 ● No active security enforcement ● Security mode 2 ● Service level security ● On device level no difference to mode 1 ● Security mode 3 ● Device level security ● Enforce security for every low-level connection
Adam Laurie, Marcel Holtmann, Martin Herfurt Linux and Bluetooth # hciconfig -a hci0: Type: USB BD Address: 00:02:5B:A1:88:52 ACL MTU: 384:8 SCO MTU: 64:8 UP RUNNING PSCAN ISCAN RX bytes:9765 acl:321 sco:0 events:425 errors:0 TX bytes:8518 acl:222 sco:0 commands:75 errors:0 Features: 0xff 0xff 0x8b 0xfe 0x9b 0xf9 0x00 0x80 Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 Link policy: RSWITCH HOLD SNIFF PARK Link mode: SLAVE ACCEPT Name: 'Casira BC3-MM' Class: 0x1e0100 Service Classes: Networking, Rendering, Capturing, Object Transfer Device Class: Computer, Uncategorized HCI Ver: 1.2 (0x2) HCI Rev: 0x529 LMP Ver: 1.2 (0x2) LMP Subver: 0x529 Manufacturer: Cambridge Silicon Radio (10) # hcitool scan Scanning ... 00:04:0E:21:06:FD AVM BlueFRITZ! AP-DSL 00:01:EC:3A:45:86 HBH-10 00:04:76:63:72:4D Aficio AP600N 00:A0:57:AD:22:0F ELSA Vianect Blue ISDN 00:E0:03:04:6D:36 Nokia 6210 00:80:37:06:78:92 Ericsson T39m 00:06:C6:C4:08:27 Anycom LAN Access Point
Adam Laurie, Marcel Holtmann, Martin Herfurt Sniffing with hcidump ● Recording of HCI packets – Commands, events, ACL and SCO data packets ● Only for local connections ● Decoding of higher layer protocols – HCI and L2CAP – SDP, RFCOMM, BNEP, CMTP, HIDP, HCRP and AVDTP – OBEX and CAPI ● No sniffing of baseband or radio traffic
Adam Laurie, Marcel Holtmann, Martin Herfurt Security Commands ● HCI_Create_New_Unit_Key ● HCI_{Read|Write}_Pin_Type ● HCI_{Read|Write|Delete}_Stored_Link_Key ● HCI_{Read|Write}_Authentication_Enable ● HCI_{Read|Write}_Encryption_Mode ● HCI_Authentication_Requested ● HCI_Set_Connection_Encryption ● HCI_Change_Local_Link_Key ● HCI_Master_Link_Key
Adam Laurie, Marcel Holtmann, Martin Herfurt Pairing Functions ● Events ● HCI_Link_Key_Notification ● HCI_Link_Key_Request ● HCI_Pin_Code_Request ● Commands ● HCI_Link_Key_Request_Reply ● HCI_Link_Key_Request_Negative_Reply ● HCI_Pin_Code_Request_Reply ● HCI_Pin_Code_Request_Negative_Reply
Adam Laurie, Marcel Holtmann, Martin Herfurt How pairing works ● First connection (1) HCI_Pin_Code_Request (2) HCI_Pin_Code_Request_Reply (3) HCI_Link_Key_Notification ● Further connections (1) HCI_Link_Key_Request (2) HCI_Link_Key_Request_Reply (3) HCI_Link_Key_Notification (optional)
Adam Laurie, Marcel Holtmann, Martin Herfurt BlueSnarf ● Trivial OBEX PUSH channel attack – PULL known objects instead of PUSH – No authentication ● Infrared Data Association – IrMC (Specifications for Ir Mobile Communications) ● e.g. telecom/pb.vcf ● Sony Ericsson T68, T68i, R520m, T610, Z1010 ● Nokia 6310, 6310i, 8910, 8910i ● Devicelist on bluestumbler.org
Adam Laurie, Marcel Holtmann, Martin Herfurt BlueSnarf++ ● Trivial OBEX PUSH channel attack – Connect to Sync, FTP or BIP UUID/target – No authentication – Contents Browseable – Full read/write access – External Media Storage ● *new* for BlackHat – Number of devices affected not known
Adam Laurie, Marcel Holtmann, Martin Herfurt BlueBump ● Forced Re-keying – Authenticate for benign task (e.g. vCard exchange) – Force authentication if required (Mode 3) ● Partner deletes pairing – Hold connection open – Request Link Key Exchange ● Connect to unauthorised Channels – Serial Profile, OBEX FTP, etc. ● *new* for BlackHat
Adam Laurie, Marcel Holtmann, Martin Herfurt HeloMoto ● Requires entry in 'My Devices' ● OBEX PUSH to create entry ● Connect RFCOMM to Handsfree or Headset – No Key required – Full AT command set access ● Motorola V80, V5xx, V6xx and E398
Adam Laurie, Marcel Holtmann, Martin Herfurt BlueBug ● Issuing AT Commands to covert service – BlueBug is based on AT Commands (ASCII Terminal) ● Very common for the configuration and control of telecommunications devices – High level of control... ● Call control (turning phone into a bug) ● Sending/Reading/Deleting SMS ● Reading/Writing Phonebook Entries ● Setting Forwards ● -> causing costs on the vulnerable phones!
Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooone ● Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack ● Original idea from Mike Outmesguine (Author of Book: “Wi-Fi Toys” ● Step by Step instruction on trifinite.org
Adam Laurie, Marcel Holtmann, Martin Herfurt Long-Distance Attacking ● Beginning of August 2004 (right after DEFCON 12) ● Experiment in Santa Monica California ● Modified Class-1 Dongle Snarfing/Bugging Class-2 device (Nokia 6310i) from a distance of 1,78 km (1.01 miles)
Adam Laurie, Marcel Holtmann, Martin Herfurt Blooover -What is it? ● Blooover - Bluetooth Wireless Technology Hoover ● Proof-of-Concept Application ● Educational Purposes only ● Phone Auditing Tool ● Running on Java – J2ME MIDP 2.0 – Implemented JSR-82 (Bluetooth API) – Nokia 6600, Nokia 7610, Nokia 6670, ... Series 60 Siemens S65 SonyEricsson P900 ...
Adam Laurie, Marcel Holtmann, Martin Herfurt Blooover- What does it do? ● Blooover is performing the BlueBug attack – Reading phonebooks – Writing phonebook entries – Reading/decoding SMS stored on the device (buggy..) – Setting Call forward (predef. Number) +49 1337 7001 – Initiating phone call (predef. Number) 0800 2848283 ● Not working well on Nokia phones :( but on some T610 ● Please use this application responsible! – Not with phones of strangers...
Adam Laurie, Marcel Holtmann, Martin Herfurt Blueprinting – What is it? ● Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices ● This work has been started by Collin R. Mulliner and Martin Herfurt ● Relevant to all kinds of applications – Security auditing – Device Statistics – Automated Application Distribution ● Released paper and tool at 21C3 in December 2004 in Berlin
Adam Laurie, Marcel Holtmann, Martin Herfurt Blueprinting - How ● Hashing Information from Profile Entries – RecordHandle – RFCOMM channel number – Adding it all up (RecHandle1 *Channel1 )+ (RecHandle2 *Channel2 )+...+(RecHandlen *Channeln ) ● Bluetooth Device Address – First three bytes refer to manufacturer ● Example of Blueprint 00:60:57@2621543
Adam Laurie, Marcel Holtmann, Martin Herfurt BlueSmack ● Using L2CAP echo feature – Signal channel request/response – L2CAP signal MTU is unknown – No open L2CAP channel needed ● Buffer overflow ● Denial of service attack
Adam Laurie, Marcel Holtmann, Martin Herfurt Conclusions ● Bluetooth is a secure standard (per se) – Problems at application level ● Cooperation with Bluetooth SIG – Pre-release testing at UPF (UnplugFests) – Better communication channels for external testers ● Security Expert Group mailing list ● bluetooth.org more open areas – Mandatory security at application level
Adam Laurie, Marcel Holtmann, Martin Herfurt trifinite.org ● http://trifinite.org/ ● Loose association of BT security experts ● Features – trifinite.blog – trifinite.stuff – trifinite.album – trifinite.group
Adam Laurie, Marcel Holtmann, Martin Herfurt trifinite.group ● Adam Laurie (the Bunker Secure Hosting) ● Marcel Holtmann (BlueZ) ● Collin Mulliner (mulliner.org) ● Tim Hurman (Pentest) ● Mark Rowe (Pentest) ● Martin Herfurt (trifinite.org) ● Spot (Sony)
Adam Laurie, Marcel Holtmann, Martin Herfurt Questions / Feedback / Answers ● Contact us via blackhat@trifinite.org (group alias for Adam, Marcel and Martin)

Recommended

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security
 
Homeautomation
HomeautomationHomeautomation
Homeautomation
anshul parmar
 
Homeautomation
HomeautomationHomeautomation
Homeautomation
Anmol Bagga
 
2014 innovaphone different protocols for different things
2014 innovaphone different protocols for different things2014 innovaphone different protocols for different things
2014 innovaphone different protocols for different things
VOIP2DAY
 
R K 2 Bluetooth Technologies
R K 2 Bluetooth TechnologiesR K 2 Bluetooth Technologies
R K 2 Bluetooth Technologies
Saurav Kumar
 
Hacking Backtrak Mobile
Hacking Backtrak MobileHacking Backtrak Mobile
Hacking Backtrak Mobile
Novizul Evendi
 
bluetooth technology
bluetooth technology bluetooth technology
bluetooth technology
deepak kumar
 
Bluetooth
BluetoothBluetooth
Bluetooth
Fahim Faysal
 

Recommended

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security
 
Homeautomation
HomeautomationHomeautomation
Homeautomation
anshul parmar
 
Homeautomation
HomeautomationHomeautomation
Homeautomation
Anmol Bagga
 
2014 innovaphone different protocols for different things
2014 innovaphone different protocols for different things2014 innovaphone different protocols for different things
2014 innovaphone different protocols for different things
VOIP2DAY
 
R K 2 Bluetooth Technologies
R K 2 Bluetooth TechnologiesR K 2 Bluetooth Technologies
R K 2 Bluetooth Technologies
Saurav Kumar
 
Hacking Backtrak Mobile
Hacking Backtrak MobileHacking Backtrak Mobile
Hacking Backtrak Mobile
Novizul Evendi
 
bluetooth technology
bluetooth technology bluetooth technology
bluetooth technology
deepak kumar
 
Bluetooth
BluetoothBluetooth
Bluetooth
Fahim Faysal
 
Alexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)securityAlexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)security
DefconRussia
 
Voice securityprotocol review
Voice securityprotocol reviewVoice securityprotocol review
Voice securityprotocol review
Fabio Pietrosanti
 
Bluetooth, Infrared
Bluetooth, InfraredBluetooth, Infrared
Bluetooth, Infrared
Prashant Priyam
 
Bluetooth - Comprehensive Presentation
Bluetooth - Comprehensive PresentationBluetooth - Comprehensive Presentation
Bluetooth - Comprehensive Presentation
Muhammed Afsal Villan
 
Bluetooth1
Bluetooth1Bluetooth1
Bluetooth1
Vikas Bansal
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
Felipe Prado
 
PPT on Bluetooth Based Wireless Sensor Networks
PPT on Bluetooth Based Wireless Sensor NetworksPPT on Bluetooth Based Wireless Sensor Networks
PPT on Bluetooth Based Wireless Sensor Networks
Siya Agarwal
 
Far South Networks - an introduction
Far South Networks - an introductionFar South Networks - an introduction
Far South Networks - an introduction
Clarotech_Events
 
Bluetooth Technology & Security
Bluetooth Technology & SecurityBluetooth Technology & Security
Bluetooth Technology & Security
Himangshu Hazra
 
Crouzet Automation - em4 Ethernet brochure, English Version
Crouzet Automation - em4 Ethernet brochure, English VersionCrouzet Automation - em4 Ethernet brochure, English Version
Crouzet Automation - em4 Ethernet brochure, English Version
Crouzet
 
Presentatie Alcom - Meetup
Presentatie Alcom - Meetup Presentatie Alcom - Meetup
Presentatie Alcom - Meetup
Jesse van Doren
 
Null mumbai-iot-workshop
Null mumbai-iot-workshopNull mumbai-iot-workshop
Null mumbai-iot-workshop
Nitesh Malviya
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduino
iruldaworld
 
BluetoothSecurity.ppt
BluetoothSecurity.pptBluetoothSecurity.ppt
BluetoothSecurity.ppt
ssuser1d7ef1
 
BluetoothSecurity.ppt
BluetoothSecurity.pptBluetoothSecurity.ppt
BluetoothSecurity.ppt
georgejustymirobi1
 
Bluetooth Aplication
Bluetooth AplicationBluetooth Aplication
Bluetooth Aplication
Er Bhaduri
 
bluetooth-security
bluetooth-securitybluetooth-security
bluetooth-security
Anand Dhana
 
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
CODE BLUE
 
The design of electronic license plate recognition terminal system based on n...
The design of electronic license plate recognition terminal system based on n...The design of electronic license plate recognition terminal system based on n...
The design of electronic license plate recognition terminal system based on n...
冠宇 陳
 
UETS – Universal Ethernet Telecommunications Services
UETS – Universal Ethernet Telecommunications ServicesUETS – Universal Ethernet Telecommunications Services
UETS – Universal Ethernet Telecommunications Services
Agustin Argelich Casals
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
Mark Billinghurst
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
vincent683379
 

More Related Content

Similar to Hacking bluetooth enabled mobile phones and beyond.pdf

Alexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)securityAlexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)security
DefconRussia
 
PPT on Bluetooth Based Wireless Sensor Networks
PPT on Bluetooth Based Wireless Sensor NetworksPPT on Bluetooth Based Wireless Sensor Networks
PPT on Bluetooth Based Wireless Sensor Networks
Siya Agarwal
 
Crouzet Automation - em4 Ethernet brochure, English Version
Crouzet Automation - em4 Ethernet brochure, English VersionCrouzet Automation - em4 Ethernet brochure, English Version
Crouzet Automation - em4 Ethernet brochure, English Version
Crouzet
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduino
iruldaworld
 
Bluetooth Aplication
Bluetooth AplicationBluetooth Aplication
Bluetooth Aplication
Er Bhaduri
 

Similar to Hacking bluetooth enabled mobile phones and beyond.pdf (20)

Alexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)securityAlexander Bolshev, Alexander Malinovsky - HART (in)security
Alexander Bolshev, Alexander Malinovsky - HART (in)security
 
Voice securityprotocol review
Voice securityprotocol reviewVoice securityprotocol review
Voice securityprotocol review
 
Bluetooth, Infrared
Bluetooth, InfraredBluetooth, Infrared
Bluetooth, Infrared
 
Bluetooth - Comprehensive Presentation
Bluetooth - Comprehensive PresentationBluetooth - Comprehensive Presentation
Bluetooth - Comprehensive Presentation
 
Bluetooth1
Bluetooth1Bluetooth1
Bluetooth1
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
 
PPT on Bluetooth Based Wireless Sensor Networks
PPT on Bluetooth Based Wireless Sensor NetworksPPT on Bluetooth Based Wireless Sensor Networks
PPT on Bluetooth Based Wireless Sensor Networks
 
Far South Networks - an introduction
Far South Networks - an introductionFar South Networks - an introduction
Far South Networks - an introduction
 
Bluetooth Technology & Security
Bluetooth Technology & SecurityBluetooth Technology & Security
Bluetooth Technology & Security
 
Crouzet Automation - em4 Ethernet brochure, English Version
Crouzet Automation - em4 Ethernet brochure, English VersionCrouzet Automation - em4 Ethernet brochure, English Version
Crouzet Automation - em4 Ethernet brochure, English Version
 
Presentatie Alcom - Meetup
Presentatie Alcom - Meetup Presentatie Alcom - Meetup
Presentatie Alcom - Meetup
 
Null mumbai-iot-workshop
Null mumbai-iot-workshopNull mumbai-iot-workshop
Null mumbai-iot-workshop
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduino
 
BluetoothSecurity.ppt
BluetoothSecurity.pptBluetoothSecurity.ppt
BluetoothSecurity.ppt
 
BluetoothSecurity.ppt
BluetoothSecurity.pptBluetoothSecurity.ppt
BluetoothSecurity.ppt
 
Bluetooth Aplication
Bluetooth AplicationBluetooth Aplication
Bluetooth Aplication
 
bluetooth-security
bluetooth-securitybluetooth-security
bluetooth-security
 
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
 
The design of electronic license plate recognition terminal system based on n...
The design of electronic license plate recognition terminal system based on n...The design of electronic license plate recognition terminal system based on n...
The design of electronic license plate recognition terminal system based on n...
 
UETS – Universal Ethernet Telecommunications Services
UETS – Universal Ethernet Telecommunications ServicesUETS – Universal Ethernet Telecommunications Services
UETS – Universal Ethernet Telecommunications Services
 

Recently uploaded

Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
Syngulon
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
Stephen Perrenod
 
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxBT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
Neo4j
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
Femke de Vroome
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
panagenda
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 

Recently uploaded (20)

The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxBT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 

Hacking bluetooth enabled mobile phones and beyond.pdf

  • 1. Adam Laurie, Marcel Holtmann, Martin Herfurt Hacking Bluetooth enabled mobile phones and beyond – Full Disclosure Blackhat Security Briefings April 1st 2005, Amsterdam, the Netherlands
  • 2. Adam Laurie, Marcel Holtmann, Martin Herfurt Who we are ● Adam Laurie – CSO of The Bunker Secure Hosting Ltd. – Co-Maintainer of Apache-SSL – DEFCON Staff/Organiser ● Marcel Holtmann – Maintainer and core developer of the Linux Bluetooth Stack BlueZ ● Martin Herfurt – Security Researcher – Founder of trifinite.org
  • 3. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Technology Overview ● Bluetooth SIG – Trade Association – Founded 1998 – Owns & Licenses IP – Individual membership free – Promoter members: Agere, Ericsson, IBM, Intel, Microsoft, Motorola, Nokia and Toshiba – Consumer http://www.bluetooth.com – Technical http://www.bluetooth.org
  • 4. Adam Laurie, Marcel Holtmann, Martin Herfurt
  • 5. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Technology ● Data and voice transmission ● ACL data connections ● SCO and eSCO voice channels ● Symmetric and asymmetric connections ● Frequency hopping ● ISM band at 2.4 GHz ● 79 channels ● 1600 hops per second ● Multi-Slot packets
  • 6. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Piconet ● Bluetooth devices create a piconet ● One master per piconet ● Up to seven active slaves ● Over 200 passive members are possible ● Master sets the hopping sequence ● Transfer rates of 721 Kbit/sec ● Bluetooth 1.2 and EDR (aka 2.0) ● Adaptive Frequency Hopping ● Transfer rates up to 2.1 Mbit/sec
  • 7. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Scatternet ● Connected piconets create a scatternet ● Master in one and slave in another piconet ● Slave in two different piconets ● Only master in one piconet ● Scatternet support is optional
  • 8. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Architecture ● Hardware layer ● Radio, Baseband and Link Manager ● Access through Host Controller Interface – Hardware abstraction – Standards for USB and UART ● Host protocol stack ● L2CAP, RFCOMM, BNEP, AVDTP etc. ● Profile implementations ● Serial Port, Dialup, PAN, HID etc.
  • 9. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Stack Security mechanisms on the Bluetooth chip Bluetooth host security mechanisms Application specific security mechanisms
  • 10. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooth Security ● Link manager security ● All security routines are inside the Bluetooth chip ● Nothing is transmitted in “plain text” ● Host stack security ● Interface for link manager security routines ● Part of the HCI specification ● Easy interface ● No further encryption of pin codes or keys
  • 11. Adam Laurie, Marcel Holtmann, Martin Herfurt Security Mode ● Security mode 1 ● No active security enforcement ● Security mode 2 ● Service level security ● On device level no difference to mode 1 ● Security mode 3 ● Device level security ● Enforce security for every low-level connection
  • 12. Adam Laurie, Marcel Holtmann, Martin Herfurt Linux and Bluetooth # hciconfig -a hci0: Type: USB BD Address: 00:02:5B:A1:88:52 ACL MTU: 384:8 SCO MTU: 64:8 UP RUNNING PSCAN ISCAN RX bytes:9765 acl:321 sco:0 events:425 errors:0 TX bytes:8518 acl:222 sco:0 commands:75 errors:0 Features: 0xff 0xff 0x8b 0xfe 0x9b 0xf9 0x00 0x80 Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 Link policy: RSWITCH HOLD SNIFF PARK Link mode: SLAVE ACCEPT Name: 'Casira BC3-MM' Class: 0x1e0100 Service Classes: Networking, Rendering, Capturing, Object Transfer Device Class: Computer, Uncategorized HCI Ver: 1.2 (0x2) HCI Rev: 0x529 LMP Ver: 1.2 (0x2) LMP Subver: 0x529 Manufacturer: Cambridge Silicon Radio (10) # hcitool scan Scanning ... 00:04:0E:21:06:FD AVM BlueFRITZ! AP-DSL 00:01:EC:3A:45:86 HBH-10 00:04:76:63:72:4D Aficio AP600N 00:A0:57:AD:22:0F ELSA Vianect Blue ISDN 00:E0:03:04:6D:36 Nokia 6210 00:80:37:06:78:92 Ericsson T39m 00:06:C6:C4:08:27 Anycom LAN Access Point
  • 13. Adam Laurie, Marcel Holtmann, Martin Herfurt Sniffing with hcidump ● Recording of HCI packets – Commands, events, ACL and SCO data packets ● Only for local connections ● Decoding of higher layer protocols – HCI and L2CAP – SDP, RFCOMM, BNEP, CMTP, HIDP, HCRP and AVDTP – OBEX and CAPI ● No sniffing of baseband or radio traffic
  • 14. Adam Laurie, Marcel Holtmann, Martin Herfurt Security Commands ● HCI_Create_New_Unit_Key ● HCI_{Read|Write}_Pin_Type ● HCI_{Read|Write|Delete}_Stored_Link_Key ● HCI_{Read|Write}_Authentication_Enable ● HCI_{Read|Write}_Encryption_Mode ● HCI_Authentication_Requested ● HCI_Set_Connection_Encryption ● HCI_Change_Local_Link_Key ● HCI_Master_Link_Key
  • 15. Adam Laurie, Marcel Holtmann, Martin Herfurt Pairing Functions ● Events ● HCI_Link_Key_Notification ● HCI_Link_Key_Request ● HCI_Pin_Code_Request ● Commands ● HCI_Link_Key_Request_Reply ● HCI_Link_Key_Request_Negative_Reply ● HCI_Pin_Code_Request_Reply ● HCI_Pin_Code_Request_Negative_Reply
  • 16. Adam Laurie, Marcel Holtmann, Martin Herfurt How pairing works ● First connection (1) HCI_Pin_Code_Request (2) HCI_Pin_Code_Request_Reply (3) HCI_Link_Key_Notification ● Further connections (1) HCI_Link_Key_Request (2) HCI_Link_Key_Request_Reply (3) HCI_Link_Key_Notification (optional)
  • 17. Adam Laurie, Marcel Holtmann, Martin Herfurt BlueSnarf ● Trivial OBEX PUSH channel attack – PULL known objects instead of PUSH – No authentication ● Infrared Data Association – IrMC (Specifications for Ir Mobile Communications) ● e.g. telecom/pb.vcf ● Sony Ericsson T68, T68i, R520m, T610, Z1010 ● Nokia 6310, 6310i, 8910, 8910i ● Devicelist on bluestumbler.org
  • 18. Adam Laurie, Marcel Holtmann, Martin Herfurt BlueSnarf++ ● Trivial OBEX PUSH channel attack – Connect to Sync, FTP or BIP UUID/target – No authentication – Contents Browseable – Full read/write access – External Media Storage ● *new* for BlackHat – Number of devices affected not known
  • 19. Adam Laurie, Marcel Holtmann, Martin Herfurt BlueBump ● Forced Re-keying – Authenticate for benign task (e.g. vCard exchange) – Force authentication if required (Mode 3) ● Partner deletes pairing – Hold connection open – Request Link Key Exchange ● Connect to unauthorised Channels – Serial Profile, OBEX FTP, etc. ● *new* for BlackHat
  • 20. Adam Laurie, Marcel Holtmann, Martin Herfurt HeloMoto ● Requires entry in 'My Devices' ● OBEX PUSH to create entry ● Connect RFCOMM to Handsfree or Headset – No Key required – Full AT command set access ● Motorola V80, V5xx, V6xx and E398
  • 21. Adam Laurie, Marcel Holtmann, Martin Herfurt BlueBug ● Issuing AT Commands to covert service – BlueBug is based on AT Commands (ASCII Terminal) ● Very common for the configuration and control of telecommunications devices – High level of control... ● Call control (turning phone into a bug) ● Sending/Reading/Deleting SMS ● Reading/Writing Phonebook Entries ● Setting Forwards ● -> causing costs on the vulnerable phones!
  • 22. Adam Laurie, Marcel Holtmann, Martin Herfurt Bluetooone ● Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack ● Original idea from Mike Outmesguine (Author of Book: “Wi-Fi Toys” ● Step by Step instruction on trifinite.org
  • 23. Adam Laurie, Marcel Holtmann, Martin Herfurt Long-Distance Attacking ● Beginning of August 2004 (right after DEFCON 12) ● Experiment in Santa Monica California ● Modified Class-1 Dongle Snarfing/Bugging Class-2 device (Nokia 6310i) from a distance of 1,78 km (1.01 miles)
  • 24. Adam Laurie, Marcel Holtmann, Martin Herfurt Blooover -What is it? ● Blooover - Bluetooth Wireless Technology Hoover ● Proof-of-Concept Application ● Educational Purposes only ● Phone Auditing Tool ● Running on Java – J2ME MIDP 2.0 – Implemented JSR-82 (Bluetooth API) – Nokia 6600, Nokia 7610, Nokia 6670, ... Series 60 Siemens S65 SonyEricsson P900 ...
  • 25. Adam Laurie, Marcel Holtmann, Martin Herfurt Blooover- What does it do? ● Blooover is performing the BlueBug attack – Reading phonebooks – Writing phonebook entries – Reading/decoding SMS stored on the device (buggy..) – Setting Call forward (predef. Number) +49 1337 7001 – Initiating phone call (predef. Number) 0800 2848283 ● Not working well on Nokia phones :( but on some T610 ● Please use this application responsible! – Not with phones of strangers...
  • 26. Adam Laurie, Marcel Holtmann, Martin Herfurt Blueprinting – What is it? ● Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices ● This work has been started by Collin R. Mulliner and Martin Herfurt ● Relevant to all kinds of applications – Security auditing – Device Statistics – Automated Application Distribution ● Released paper and tool at 21C3 in December 2004 in Berlin
  • 27. Adam Laurie, Marcel Holtmann, Martin Herfurt Blueprinting - How ● Hashing Information from Profile Entries – RecordHandle – RFCOMM channel number – Adding it all up (RecHandle1 *Channel1 )+ (RecHandle2 *Channel2 )+...+(RecHandlen *Channeln ) ● Bluetooth Device Address – First three bytes refer to manufacturer ● Example of Blueprint 00:60:57@2621543
  • 28. Adam Laurie, Marcel Holtmann, Martin Herfurt BlueSmack ● Using L2CAP echo feature – Signal channel request/response – L2CAP signal MTU is unknown – No open L2CAP channel needed ● Buffer overflow ● Denial of service attack
  • 29. Adam Laurie, Marcel Holtmann, Martin Herfurt Conclusions ● Bluetooth is a secure standard (per se) – Problems at application level ● Cooperation with Bluetooth SIG – Pre-release testing at UPF (UnplugFests) – Better communication channels for external testers ● Security Expert Group mailing list ● bluetooth.org more open areas – Mandatory security at application level
  • 30. Adam Laurie, Marcel Holtmann, Martin Herfurt trifinite.org ● http://trifinite.org/ ● Loose association of BT security experts ● Features – trifinite.blog – trifinite.stuff – trifinite.album – trifinite.group
  • 31. Adam Laurie, Marcel Holtmann, Martin Herfurt trifinite.group ● Adam Laurie (the Bunker Secure Hosting) ● Marcel Holtmann (BlueZ) ● Collin Mulliner (mulliner.org) ● Tim Hurman (Pentest) ● Mark Rowe (Pentest) ● Martin Herfurt (trifinite.org) ● Spot (Sony)
  • 32. Adam Laurie, Marcel Holtmann, Martin Herfurt Questions / Feedback / Answers ● Contact us via blackhat@trifinite.org (group alias for Adam, Marcel and Martin)