bluetooth [in]security [2]
“0wned a mobile phone via bluetooth”
y3dips
y3dips, http://y3dips.echo.or.id
Who am I
yet another “Hacker” wannabe
founder of echo.or.id & Ubuntulinux.or.id
focusing on Hacking & Security since 2002
http://google.com/search?q=y3dips
Overview
● Point of views
● Proof 0f Concept
● Survive
● Discussion
Point 0f Views
History
● The name Bluetooth is derived from the 10th century king of Denmark, Harald Bluetooth.
● Early 1998 - Special Interest Group formed
  – Code name Bluetooth
  – Promoter Companies: Ericsson*, IBM*, Intel*, Nokia*, and Toshiba*
● May 20, 1998 - Bluetooth publicly announced
● July 26, 1999 - Bluetooth 1.0 Specification Release
● Today - Bluetooth 2.0 work is ongoing
-- bluetooth.com, wikipedia.org
Bluetooth ? (1)
“Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost.”
-- bluetooth.com
Bluetooth ? (2)
● Wireless
● Short-range communication
● A Cable Replacement technology
● Low power
● Low cost
● Hook together all the devices
Technical Details
● 2.4 GHz ISM Open Band
  – Globally free available frequency
  – 79 MHz of spectrum = 79 channels
  – Frequency Hopping & Time Division Duplex (1600 hops/second)
● 10-100 Meter Range
  – Class I 100 meter (300 feet)
  – Class II 20 meter (60 feet)
  – Class III 10 meter (30 feet)
● uses 2.5 mW of power
● 1 Mbps Gross Rate
● Simultaneous Voice/Data Capable
Core protocol
Around Us (1)
Around Us (2)
Bluetooth mode
● On
  – discoverable
  – un-discoverable
● Automatic
● Off
Security Mode
● Security Mode 1: non-secure
● Security Mode 2: service level enforced security
● Security Mode 3: link level enforced security
Known Threat
● bluejacking -- “send unsolicited message”
● bluesmack -- “you may call it a denial of service on the device”
● bluesnarfing -- “read phonebook, read a message, knowing the info”
● bluebug -- “execute an AT command, full access (write/read)”
● backdoor attack -- “unused pairing attack”
Bluetooth Pairing happens when two Bluetooth enabled devices agree to communicate with one another. When this happens, the two devices join what is called a trusted pair. When one device recognizes another device in an established trusted pair, each device automatically accepts communication, bypassing the discovery and authentication process that normally happen during Bluetooth interactions.
Are We Vulnerable?
Are We Vulnerable?
-- thebunker.net
Proof Of Concept
o\/\/n3d
Preparation (0)
● Oh my .. we need some basics at least
  – first of all, sorry, I'm doing it on Linux, so go get a Linux distribution.
  – have a bluetooth device
  – install BlueZ from bluez.org (don't worry, some newer kernels already include it for you)
  – read the rest of this paper .... :p
Preparation (1)
● Knowing your device
Preparation (2)
● Knowing your device
Preparation (3)
● Define the PIN for pairing/backdoor attack
● Waiting for an incoming address
Preparation (4)
● have your own armory
  – default ( hcitool, sdptool )
  – bluesnarfer
  – bluescanner
  – bluediving
  – bt_audit
  – redfang
  – btxml
--- http://google.com/search?q=bluetooth+assessment+tools
0wned (0)
● Reading device info
0wned (1)
● Reading “private” data
0wned (2)
● Deleting “private” data
0wned (3)
● Executing some “AT” commands (e.g. make a phone call)
0wned (4)
● Denial of service against the target
set the data size to a larger value to perform a DoS attack (using l2ping -s Big-data-size -b Address)
Next 0wned (0)
● Detecting & footprinting the target
Next 0wned (1)
● Target as an internet gateway (backdoor attack)
-- finding DUN (Dial-Up Networking) support using sdptool
Next 0wned (2)
● Target as an internet gateway (backdoor attack)
-- Binding an address; connecting process using pppd
Next 0wned (3)
● Range isn't a real problem
  – The “bluesniper” rifle, developed by John Hering and his colleagues from Flexilis, is able to capture all bluetooth devices within a mile.
-- http://www.tomsnetworking.com/2005/03/08/how_to_bluesniper_pt1/
Next 0wned (4)
● No need for a non-mobile device
“Blooover” is a proof-of-concept tool that is intended to run on J2ME-enabled cell phones that appear to be comparably seamless.
Until now, attackers needed laptops to snarf other people's information.
-- http://trifinite.org/trifinite_stuff_blooover.html
Survive
● turn off the service
● make your device non-discoverable
● update the firmware
● use a strong PIN for pairing
● unpair unused devices
● use antivirus (updated) and a firewall
● reject unknown messages and connections
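One way to check the “non-discoverable” item on a Linux/BlueZ host, as an added example that is not part of the original slides: classify every local adapter from the flags line of `hciconfig` output, matching the On (discoverable / un-discoverable) and Off modes listed earlier. The helper names `audit_scan_mode` and `count_discoverable` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: map `hciconfig` flags onto the slide's Bluetooth modes.
# audit_scan_mode is a hypothetical helper name; it reads hciconfig output
# on stdin and prints "<adapter> <state>" for every adapter found.
audit_scan_mode() {
    awk '
        # Header line of an adapter block, e.g. "hci0:  Type: BR/EDR ..."
        /^hci[0-9]+:/ { dev = $1; sub(/:$/, "", dev); next }

        # Flags line: first word is UP or DOWN, scan flags follow.
        dev != "" && ($1 == "UP" || $1 == "DOWN") {
            iscan = 0; pscan = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ISCAN") iscan = 1   # inquiry scan: answers discovery
                if ($i == "PSCAN") pscan = 1   # page scan: accepts connections
            }
            if ($1 == "DOWN")  state = "off"
            else if (iscan)    state = "discoverable"
            else if (pscan)    state = "connectable-only"
            else               state = "no-scan"
            print dev, state
            dev = ""
        }
    '
}

# Constructed sample in the layout BlueZ hciconfig prints (addresses are made up).
SAMPLE_HCICONFIG='hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:1204 acl:0 sco:0 events:62 errors:0
hci1:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:66  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN
hci2:   Type: BR/EDR  Bus: UART
        BD Address: 00:11:22:33:44:77  ACL MTU: 1021:8  SCO MTU: 64:1
        DOWN
'

# Count adapters that still answer discovery; non-zero means work to do.
count_discoverable() {
    audit_scan_mode | grep -c ' discoverable$' || true
}

printf '%s' "$SAMPLE_HCICONFIG" | audit_scan_mode
```

On a live host, pipe `hciconfig -a` into `audit_scan_mode`; `hciconfig hci0 pscan` leaves an adapter connectable for already-paired devices while turning inquiry scan off.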
Discussion