bluetooth [in]security [2]


Page 1: bluetooth [in]security [2]

“0wned a mobile phone via bluetooth” y3dips

Page 2: bluetooth [in]security [2]

y3dips http://y3dips.echo.or.id

Who am I
● yet another “Hacker” wannabe
● founder of echo.or.id & Ubuntulinux.or.id
● focusing on Hacking & Security since 2002
● http://google.com/search?q=y3dips

Page 3: bluetooth [in]security [2]

Overview
● Point of views
● Proof 0f Concept
● Survive
● Discussion

Page 4: bluetooth [in]security [2]


Point 0f Views

Page 5: bluetooth [in]security [2]

History
● The name Bluetooth is derived from the 10th century king of Denmark, Harald Bluetooth.
● Early 1998 - Special Interest Group formed
– Code name Bluetooth
– Promoter Companies: Ericsson*, IBM*, Intel*, Nokia*, and Toshiba*
● May 20, 1998 - Bluetooth publicly announced
● July 26, 1999 - Bluetooth 1.0 Specification Release
● Today - Bluetooth 2.0 work is ongoing

-- bluetooth.com, wikipedia.org

Page 6: bluetooth [in]security [2]

Bluetooth ? (1)

“Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost.” -- bluetooth.com

Page 7: bluetooth [in]security [2]

Bluetooth ? (2)
● Wireless
● Short-range communication
● A Cable Replacement technology
● Low power
● Low cost
● Hook together all the devices

Page 8: bluetooth [in]security [2]

Technical Details
● 2.4 GHz ISM Open Band
– Globally available, licence-free frequency
– 79 MHz of spectrum = 79 channels
– Frequency Hopping & Time Division Duplex (1600 hops/second)
● 10-100 Meter Range
– Class I 100 meter (300 feet)
– Class II 20 meter (60 feet)
– Class III 10 meter (30 feet)
● uses 2.5 mW of power
● 1 Mbps Gross Rate
● Simultaneous Voice/Data Capable

Page 9: bluetooth [in]security [2]


Core protocol

Page 10: bluetooth [in]security [2]


Around Us (1)

Page 11: bluetooth [in]security [2]


Around Us (2)

Page 12: bluetooth [in]security [2]

Bluetooth mode
● On
– discoverable
– un-discoverable
● Automatic
● Off

Page 13: bluetooth [in]security [2]

Security Mode
● Security Mode 1: non-secure
● Security Mode 2: service level enforced security
● Security Mode 3: link level enforced security

Page 14: bluetooth [in]security [2]

Known Threat
● bluejacking -- “send unsolicited messages”
● bluesmack -- “you may call it a denial of service of the device”
● bluesnarfing -- “read the phonebook, read a message, knowing the info”
● bluebug -- “execute AT commands, full access (write/read)”
● backdoor attack -- “unused pairing attack”

Bluetooth Pairing happens when two Bluetooth enabled devices agree to communicate with one another. When this happens, the two devices join what is called a trusted pair. When one device recognizes another device in an established trusted pair, each device automatically accepts communication, bypassing the discovery and authentication process that normally happens during Bluetooth interactions.

Page 15: bluetooth [in]security [2]

Are We Vulnerable ?

Page 16: bluetooth [in]security [2]

Are We Vulnerable ?

-- thebunker.net

Page 17: bluetooth [in]security [2]


Proof Of Concept

o\/\/n3d

Page 18: bluetooth [in]security [2]

Preparation (0)
● Oh my .. we need some basics at least
– first of all, sorry, I'm doing it in Linux, so go get some Linux distribution.
– having a bluetooth device
– installing BlueZ from bluez.org (don't worry, some newer kernels already include it for you)
– read the rest of this paper .... :p

Page 19: bluetooth [in]security [2]

Preparation (1)
● Knowing your device

Page 20: bluetooth [in]security [2]

Preparation (2)
● Knowing your device

Page 21: bluetooth [in]security [2]

Preparation (3)
● Define the PIN for the pairing/backdoor attack
● Waiting for an incoming address

Page 22: bluetooth [in]security [2]

Preparation (4)
● have your own armory
– default ( hcitool, sdptool )
– bluesnarfer
– bluescanner
– bluediving
– bt_audit
– redfang
– btxml

-- http://google.com/search?q=bluetooth+assessment+tools

Page 23: bluetooth [in]security [2]

0wned (0)
● reading a device info

Page 24: bluetooth [in]security [2]

0wned (1)
● Reading “private” data

Page 25: bluetooth [in]security [2]

0wned (2)
● Deleting “private” data

Page 26: bluetooth [in]security [2]

0wned (3)
● Executing some “AT” commands (e.g. make a phone call)

Page 27: bluetooth [in]security [2]

0wned (4)
● Denial of service against the target

set the data size to a bigger value to do a DoS attack (using l2ping -s Big-data-size -b Address)

Page 28: bluetooth [in]security [2]

Next 0wned (0)
● Detecting & footprinting the target

Page 29: bluetooth [in]security [2]

Next 0wned (1)
● Target as an internet gateway (backdoor attack)

-- finding a DUN (dial up networking support) using sdptool

Page 30: bluetooth [in]security [2]

Next 0wned (2)
● Target as an internet gateway (backdoor attack)

-- Binding an address and connecting using pppd

Page 31: bluetooth [in]security [2]

Next 0wned (3)
● Range isn't a real problem
– the “bluesniper” rifle, developed by John Hering and his colleagues from Flexilis, is able to pick up all Bluetooth devices within a mile.

-- http://www.tomsnetworking.com/2005/03/08/how_to_bluesniper_pt1/

Page 32: bluetooth [in]security [2]

Next 0wned (4)
● No need for a non-mobile device

“blooover” is a proof-of-concept tool that is intended to run on J2ME-enabled cell phones that appear to be comparably seamless.

Until now, in the past, attackers needed laptops for the snarfing of other people's information

-- http://trifinite.org/trifinite_stuff_blooover.html

Page 33: bluetooth [in]security [2]

Survive
● turn off the service
● make your device non-discoverable
● update the firmware
● use a strong PIN for pairing
● unpair unused devices
● use an (updated) antivirus and firewall
● reject unknown messages and connections
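As an added example (not part of the original deck), a small POSIX shell audit that reads the scan flags `hciconfig` prints for a BlueZ adapter and maps them to the "non-discoverable" advice above; the hciconfig output, adapter name and BD address below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original slides: audit a BlueZ adapter's
# scan flags as printed by `hciconfig` and map them to the
# "non-discoverable" advice. The hciconfig text below is constructed;
# the BD address and adapter name are placeholders.

# Classify one adapter from hciconfig output on stdin.
# ISCAN = inquiry scan: the adapter answers inquiries from any device
#         (what the slides call "discoverable").
# PSCAN = page scan: only a device that already knows the BD address
#         can connect (existing pairings keep working, scanners see nothing).
bt_scan_state() {
    flags=$(grep -E '^[[:space:]]*(UP|DOWN)' | head -n 1)
    case "$flags" in
        *DOWN*)  echo off ;;
        *ISCAN*) echo discoverable ;;
        *PSCAN*) echo connectable ;;
        *)       echo hidden ;;
    esac
}

# Map a state to the hciconfig command that tightens it by one step;
# "hidden" and "off" need nothing.
bt_remediation() {
    case "$1" in
        discoverable) echo "hciconfig $2 pscan" ;;   # drop inquiry scan, keep pairings
        connectable)  echo "hciconfig $2 noscan" ;;  # drop page scan too if unused
        *)            echo "" ;;
    esac
}

# Constructed sample: a discoverable and connectable adapter.
SAMPLE_HCICONFIG='hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:1024 acl:0 sco:0 events:40 errors:0
        TX bytes:512 acl:0 sco:0 commands:40 errors:0'

# Print the state and, if there is one, the command that tightens it.
bt_audit() {
    state=$(printf '%s\n' "$1" | bt_scan_state)
    echo "$2: $state"
    fix=$(bt_remediation "$state" "$2")
    if [ -n "$fix" ]; then
        echo "  fix: $fix"
    fi
}

bt_audit "$SAMPLE_HCICONFIG" hci0
```

On a live host, `hciconfig hci0 | bt_scan_state` gives the real state; the `pscan` and `noscan` arguments are BlueZ's own hciconfig sub-commands.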

Page 34: bluetooth [in]security [2]


Discussion