BlueRepli
Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication
by Sourcell Xu and Xin Xin
#BHUSA @BLACKHATEVENTS
Who we are
HatLab (Hack Any Thing), DBAPP Security, @DS_HatLab
Sourcell Xu
• IoT security researcher
• fO-000/bluescan
• Discoverer of BlueRepli
• sourcell.xu@dbappsecurity.com.cn
Xin Xin
• Hardware hacker
• Turned BlueRepli into a convenient hardware tool
• [email protected]
Chaotic Scenes of Privacy
Reported privacy abuses on phones:
• Self-starting 7,000 times and reading the phone book within one hour.
• Accessing phone files 25,000 times in 10 minutes.
Could it be Worse?
What if no malicious or rogue app is installed at all, and the attacker never touches the phone?
The Android system still exposes several radio interfaces: Wi-Fi, NFC, Bluetooth and the mobile network.
Over Bluetooth, two profiles hand out exactly the data those apps were after:
• PBAP (Phone Book Access Profile)
• MAP (Message Access Profile)
What’s a Bluetooth Profile?
A profile defines the roles two devices play for one use case:
• PBAP: the PCE (Phonebook Client Equipment) pulls the phone book from the PSE (Phonebook Server Equipment).
• MAP: the MCE (Message Client Equipment) reads messages from the MSE (Message Server Equipment).
A phone is normally the PSE/MSE; a car kit or headset is the PCE/MCE that connects to it.
Previous Research: BadBluetooth
• Requires a malicious app with the Bluetooth permission to be installed on the victim’s Android phone.
• PBAP and MAP require the Bluetooth device to be the initiator (client) and the phone to be the acceptor (server), which is the opposite of that attack flow. This makes the attack less stealthy.
What can BlueRepli do?
It works against almost all Android phones of a well-known manufacturer (possibly about 100 million devices).
The slide’s diagram shows two attack paths, both ending with the attacker reading contacts, call logs and short messages:
• An attack with only one interaction with the victim. The attacker can make this interaction very deceptive.
• A totally stealthy attack, with no interaction at all.
[Diagram labels: attack, victim 1, victim 2, fake short message, deceived; result: contacts, call logs, short messages]
Two Dialog Boxes During Access to PBAP and MAP
1 Pairing Request: how to bypass?
2 Profile Access Request: how to bypass?
Why does the Pairing Request pop up?
Connect → no valid link key for this peer → Secure Simple Pairing → a new link key is generated and shared by both sides.
The link key is what the phone later relies on for authentication and for traffic encryption, so the user is asked before one is created.
The default IO capability of AOSP is DisplayYesNo. Secure Simple Pairing picks the association model from both sides’ IO capabilities, so the peer’s declared capability decides what the phone has to show.
Bypass the Pairing Request Dialog Box
Side Effect of the Just Works Model
NoInputNoOutput → Just Works → Temporary Bond
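The following is an added example for this transcript, not code from the deck, the BlueRepli tool or AOSP. It computes which SSP association model a pairing lands in from the two IO capabilities and the HCI Authentication_Requirements (spec facts: the IO_Capability and Authentication_Requirements encodings, and the IO-capability mapping of Core Spec Vol 3 Part C 5.2.2.6; OOB pairing is left out), and then models the phone’s reaction. The consent rule in `phone_ui_action()` is an assumption: a simplified reading of the behaviour the slides describe, where an incoming Just Works pairing with a temporary (no-bonding) peer is auto-accepted and every other case, including a Just Works pairing with a persistent bond, raises the pairing dialog. `PHONE_AUTH` and the names `blue_repli_style_pairing` and `phone_ui_action` are mine.

```python
"""SSP association-model selection plus a simplified AOSP-style consent rule.
Added illustration; not BlueRepli or AOSP code.  ASSUMPTION markers below
flag what is taken from the slides rather than from the Core Specification."""
from enum import Enum


class IoCap(Enum):
    """HCI IO_Capability values."""
    DISPLAY_ONLY = 0x00
    DISPLAY_YES_NO = 0x01
    KEYBOARD_ONLY = 0x02
    NO_INPUT_NO_OUTPUT = 0x03


# HCI Authentication_Requirements: bit 0 = MITM protection required;
# 0x00/0x01 = no bonding, 0x02/0x03 = dedicated bonding, 0x04/0x05 = general bonding.
AUTH_MITM = 0x01
AUTH_NO_BONDING = 0x00
AUTH_DEDICATED_BONDING = 0x02
AUTH_GENERAL_BONDING = 0x04


class Model(Enum):
    JUST_WORKS = "Just Works"
    NUMERIC_COMPARISON = "Numeric Comparison"
    PASSKEY_ENTRY = "Passkey Entry"


def association_model(local_io, remote_io, local_auth, remote_auth):
    """Map the two IO capabilities (and the MITM flags) to the SSP model."""
    if not ((local_auth | remote_auth) & AUTH_MITM):
        return Model.JUST_WORKS        # nobody asked for MITM protection
    ios = {local_io, remote_io}
    if IoCap.NO_INPUT_NO_OUTPUT in ios:
        return Model.JUST_WORKS        # one side can neither show nor confirm anything
    if IoCap.KEYBOARD_ONLY in ios:
        return Model.PASSKEY_ENTRY     # the keyboard side types what the other side shows
    if ios == {IoCap.DISPLAY_YES_NO}:
        return Model.NUMERIC_COMPARISON
    return Model.JUST_WORKS            # DisplayOnly with a display: nothing to confirm


def is_temporary_bond(auth_req):
    """No bonding bit set: the peer does not ask the phone to keep the link key."""
    return (auth_req & (AUTH_DEDICATED_BONDING | AUTH_GENERAL_BONDING)) == 0


def phone_ui_action(local_io, remote_io, local_auth, remote_auth, incoming):
    """Return (model, what the phone shows).
    ASSUMPTION: simplified reading of the AOSP rule described in the slides."""
    model = association_model(local_io, remote_io, local_auth, remote_auth)
    if model is Model.JUST_WORKS and incoming and is_temporary_bond(remote_auth):
        return model, "auto-accept, no dialog"
    return model, "pairing dialog"


# The phone side as the deck describes AOSP: DisplayYesNo, asking for MITM + general bonding.
PHONE_IO = IoCap.DISPLAY_YES_NO
PHONE_AUTH = AUTH_GENERAL_BONDING | AUTH_MITM


def blue_repli_style_pairing(remote_auth):
    """Peer declares NoInputNoOutput and connects to the phone (incoming pairing)."""
    return phone_ui_action(PHONE_IO, IoCap.NO_INPUT_NO_OUTPUT,
                           PHONE_AUTH, remote_auth, incoming=True)


if __name__ == "__main__":
    for auth in (AUTH_NO_BONDING, AUTH_GENERAL_BONDING):
        model, ui = blue_repli_style_pairing(auth)
        print(f"remote auth_req=0x{auth:02x}: {model.value:18} -> {ui}")
    print(phone_ui_action(PHONE_IO, IoCap.DISPLAY_YES_NO, PHONE_AUTH, PHONE_AUTH, incoming=True))
```

Run stand-alone it prints the two NoInputNoOutput cases (no bonding versus general bonding) and the phone-to-phone Numeric Comparison case; only the first one ends without a dialog.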
Why does the Profile Access Request pop up?
No stored access permission is found for the peer’s address, so the user is asked.
Bypass the Profile Access Request Dialog Box
Address dependent? Yes: the PBAP and MAP access permissions are stored per peer Bluetooth address, so connecting from the address of a device the victim already trusts skips the dialog for both profiles.
Side Effect of the Just Works Model
NoInputNoOutput → Just Works → Temporary Bond → PBAP and MAP access permission cleared (in com.android.bluetooth)
Forge the CoD (Class of Device) so that the stack never passes through BT_BOND_STATE_NONE
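Since the step above hinges on the Class of Device the attacker advertises, here is an added encoder/decoder for the 24-bit CoD field. It is not from the deck or the BlueRepli tool; the bit layout and class names follow the Bluetooth SIG Assigned Numbers. The deck does not say which CoD value BlueRepli forges, so the phone, car-audio and keyboard values below are generic examples of my own. On a Linux adapter the encoded value is what `hciconfig hci0 class 0x<cod>` (BlueZ) writes to the controller.

```python
"""Bluetooth BR/EDR Class of Device (CoD) encode/decode.
Added illustration; not from the BlueRepli deck or tool.
Layout: bits 0-1 format type (must be 0b00), bits 2-7 minor device class,
bits 8-12 major device class, bits 13-23 major service classes."""

SERVICE_BITS = {
    13: "Limited Discoverable Mode",
    16: "Positioning",
    17: "Networking",
    18: "Rendering",
    19: "Capturing",
    20: "Object Transfer",
    21: "Audio",
    22: "Telephony",
    23: "Information",
}

MAJOR_CLASSES = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}

# Minor classes for the majors this example cares about (others decode as raw numbers).
MINOR_CLASSES = {
    0x02: {0x01: "Cellular", 0x02: "Cordless", 0x03: "Smartphone",
           0x04: "Wired modem or voice gateway", 0x05: "Common ISDN access"},
    0x04: {0x01: "Wearable headset", 0x02: "Hands-free", 0x04: "Microphone",
           0x05: "Loudspeaker", 0x06: "Headphones", 0x07: "Portable audio",
           0x08: "Car audio", 0x09: "Set-top box", 0x0A: "HiFi audio"},
}
# Peripheral major: the top two minor bits (CoD bits 7-6) say keyboard/pointing.
PERIPHERAL_KIND = {0b01: "Keyboard", 0b10: "Pointing device", 0b11: "Combo keyboard/pointing"}


def encode_cod(major, minor, services=()):
    """Build a CoD from a 5-bit major, 6-bit minor and service-class bit numbers."""
    if not 0 <= major <= 0x1F or not 0 <= minor <= 0x3F:
        raise ValueError("major is 5 bits, minor is 6 bits")
    cod = (major << 8) | (minor << 2)
    for bit in services:
        if bit not in SERVICE_BITS:
            raise ValueError(f"bit {bit} is not a major service class bit")
        cod |= 1 << bit
    return cod


def decode_cod(cod):
    """Split a CoD into human-readable major, minor and service classes."""
    if cod < 0 or cod > 0xFFFFFF or cod & 0b11:
        raise ValueError("not a 24-bit CoD with format type 0b00")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    if major == 0x05:
        minor_name = PERIPHERAL_KIND.get(minor >> 4, "Uncategorized peripheral")
    else:
        minor_name = MINOR_CLASSES.get(major, {}).get(minor, f"minor 0x{minor:02x}")
    return {
        "major": MAJOR_CLASSES.get(major, f"major 0x{major:02x}"),
        "minor": minor_name,
        "services": {name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)},
    }


def hciconfig_class_arg(cod):
    """Argument form for BlueZ: `hciconfig hci0 class 0x5a020c`."""
    return f"0x{cod:06x}"


if __name__ == "__main__":
    for cod in (0x5A020C, encode_cod(0x04, 0x08, (18, 21)), encode_cod(0x05, 0b010000, (13,))):
        print(hciconfig_class_arg(cod), decode_cod(cod))
```

Decoding 0x5a020c, the CoD most Android phones advertise, yields Phone / Smartphone with the Networking, Capturing, Object Transfer and Telephony service bits, which is a quick way to check what a forged value will look like to the peer before writing it to the controller.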
A persistent bond causes Just Works not to be accepted automatically: the pairing dialog comes back.
ㄟ( ▔, ▔ )ㄏ
The method for bypassing the Pairing Request (Temporary Bond) and the method for bypassing the Profile Access Request (Forge Address and CoD) are mutually exclusive: the temporary bond passes through BT_BOND_STATE_NONE and wipes the stored permission that the forged address relies on, while a persistent bond brings the pairing dialog back.
Turnaround ( ̄︶ ̄)↗
Keep the Temporary Bond and forge the CoD: no BT_BOND_STATE_NONE in the stack → no BOND_NONE seen by com.android.bluetooth → no permission clear.
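To make the mutual exclusion and the turnaround concrete, here is an added toy model of the two checks and how the bypasses interact. It is neither AOSP code nor the BlueRepli tool. Facts it relies on: com.android.bluetooth stores the PBAP and MAP access permission per peer address (ACCESS_UNKNOWN / ACCESS_ALLOWED / ACCESS_REJECTED) and wipes it when that device’s bond state becomes BOND_NONE. Assumptions taken from the slides and not verified here: an incoming Just Works pairing with a temporary bond is accepted without a dialog, and a temporary bond ends in BT_BOND_STATE_NONE unless the peer’s CoD is forged. Link keys are not modelled, and the addresses `CAR_KIT` and `ATTACKER`, the class `PhoneModel` and the function `run_attack` are constructed for the example.

```python
"""Toy model of Android's Pairing Request and Profile Access Request checks.
Added illustration; not AOSP code and not the BlueRepli tool.
ASSUMPTION markers flag behaviour taken from the slides rather than verified."""

ACCESS_UNKNOWN, ACCESS_ALLOWED, ACCESS_REJECTED = "unknown", "allowed", "rejected"
BOND_NONE, BOND_BONDED = "BOND_NONE", "BOND_BONDED"
CAR_KIT = "AA:BB:CC:11:22:33"    # constructed address of a kit the victim already trusts
ATTACKER = "DE:AD:BE:EF:00:01"   # constructed address of the attacker's own adapter


class PhoneModel:
    def __init__(self):
        self.perms = {}      # address -> {profile: access state}
        self.bond = {}       # address -> bond state
        self.dialogs = []    # what the victim would see on screen

    def user_always_allow(self, addr, profile):
        """Victim ticked 'always allow' on an earlier Profile Access Request."""
        self.perms.setdefault(addr, {})[profile] = ACCESS_ALLOWED

    def set_bond_state(self, addr, state):
        self.bond[addr] = state
        if state == BOND_NONE:
            # BondStateMachine side effect: per-device profile permissions are cleared
            self.perms.pop(addr, None)

    def incoming_pairing(self, addr, temporary, cod_forged=False):
        # ASSUMPTION (slides): Just Works + temporary bond is accepted without a dialog,
        # a persistent bond raises the Pairing Request dialog.
        if not temporary:
            self.dialogs.append(("Pairing Request", addr))
        self.set_bond_state(addr, BOND_BONDED)
        if temporary and not cod_forged:
            # ASSUMPTION (slides): a temporary bond ends in BT_BOND_STATE_NONE
            # unless the CoD is forged.
            self.set_bond_state(addr, BOND_NONE)

    def profile_connect(self, addr, profile):
        """PBAP/MAP server decision for an incoming client, keyed by address."""
        state = self.perms.get(addr, {}).get(profile, ACCESS_UNKNOWN)
        if state == ACCESS_ALLOWED:
            return "accepted"
        if state == ACCESS_REJECTED:
            return "rejected"
        self.dialogs.append(("Profile Access Request", addr, profile))
        return "asked"


def run_attack(forge_address, temporary, cod_forged=False, profile="PBAP"):
    """Victim already trusts CAR_KIT for PBAP; the attacker tries to pull it.
    Returns (dialog titles the victim sees, outcome of the profile connect)."""
    phone = PhoneModel()
    phone.user_always_allow(CAR_KIT, "PBAP")
    addr = CAR_KIT if forge_address else ATTACKER
    phone.incoming_pairing(addr, temporary, cod_forged)
    result = phone.profile_connect(addr, profile)
    return [d[0] for d in phone.dialogs], result


if __name__ == "__main__":
    print("persistent bond, forged address  :", run_attack(True, temporary=False))
    print("temporary bond, forged address   :", run_attack(True, temporary=True))
    print("temporary + forged address + CoD :", run_attack(True, temporary=True, cod_forged=True))
    print("temporary + CoD, attacker address:", run_attack(False, temporary=True, cod_forged=True))
```

The four runs reproduce the deck’s argument: a persistent bond costs a Pairing Request, a temporary bond alone costs a Profile Access Request because the permission for the forged address is wiped on BOND_NONE, and only the combination of temporary bond, forged address and forged CoD shows the victim nothing. The last run shows that the forged address is what matters: the attacker’s own address has no stored permission and is asked.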
This is the whole picture of BlueRepli
[Same diagram as on the “What can BlueRepli do?” slide: one deceptive interaction, or a totally stealthy attack with none, yielding contacts, call logs and short messages from almost all Android phones of a well-known manufacturer (possibly about 100 million devices).]
Command Line Tool
Hardware Tool
Should we base it on a Raspberry Pi?
• No battery support.
• Low integration, jumper wires everywhere.
• HDMI is not a good idea for a portable device.
• SPI is too slow for a higher-resolution LCD panel.
• We just wanted a challenge.
What the tool needs: Linux, Python, Bluetooth.
Choose the solution.
• Single Cortex-A7 @ 1.2 GHz
• Integrated 128 MB DDR3
• SDIO and UART for the baseband
• RGB parallel interface for the LCD
• AXP203 PMU for the Li-ion battery
Baseband (the slide’s picture is actually of a BCM4343S):
• 2.4 GHz Wi-Fi on the SDIO interface, supported by Nexmon
• BR/LE 5.0 on the UART interface, supported by InternalBlue
Porting the bootloader and the OS
Buildroot, U-Boot and Linux
Coding the GUI Interface.
Making a 3D printed shell.
The video demo
More security issues in the Bluetooth Profiles
A2DP, ATT, AVRCP, BIP, BPP, CIP, CTP, DIP, DUN, FAX, FTP, GAVDP, GAP, GATT, GOEP, HCRP, HDP, HFP, HID, HSP, ICP, LAP, MESH, MAP, OBEX, OPP, PAN, PBAP, PXP, SPP, SDAP, SAP, SYNCH, SyncML, VDP, WAPB, UDI, ESDP, VCP, TAP
Thank you!
Any questions?