Bluetooth Security
Ben Cumber
Kyle Swenson
Overview
Introduction to the Bluetooth protocol stack
Profiles
Proliferation and applications
Security: past attacks
Current state of the art: known vulnerabilities
Examples and demonstration
Future attacks
Hardening options: mitigating the risk
Conclusion
Introduction to Bluetooth
Convenience
IEEE 802.15.1: personal area network (PAN) standard that defines the medium access control (MAC) and physical layers
Baseband / physical layer
2.4 GHz ISM band (the same band as Wi-Fi)
Adaptive frequency hopping (AFH), which steers the hop sequence away from busy channels
Currently maintained by the Bluetooth Special Interest Group (SIG); IEEE 802.15.1 was a snapshot of early versions (1.1/1.2) and later versions are published by the SIG only
Introduction to Bluetooth: Protocols
Figure (protocol stack): http://www.mnl.com/images/thelink/bluetooth_fig2.gif
Mandatory Bluetooth protocols (every BR/EDR device implements them)
Link Manager Protocol (LMP): link setup, authentication and encryption negotiation
Logical Link Control and Adaptation Protocol (L2CAP): multiplexing and segmentation above the baseband
Service Discovery Protocol (SDP): lets a peer enumerate the services and profiles a device offers
Commonly used optional protocols
RFCOMM: serial-port emulation over L2CAP; the most common transport for higher-level profiles
Audio: synchronous SCO/eSCO links for voice, A2DP streaming over L2CAP
Figure (protocol layers): http://upload.wikimedia.org/wikipedia/commons/9/9f/Bluetooth_protokoly.svg
Relevant Bluetooth Profiles
Bluetooth profiles
Define how a device uses the Bluetooth protocols for a given use case
All built on the core Bluetooth stack
Widespread integration and interoperability
Each profile specifies what authentication and encryption (if any) it requires
Human Interface Device (HID)
Built on the USB HID specification (keyboards, mice, pointing devices)
Serial Port Profile (SPP)
RS-232 emulation over RFCOMM; the profile used by RTUs and data-acquisition equipment such as the SEL-2925 serial adapter
Audio control and distribution (HSP/HFP, A2DP)
Bluetooth headset phone control and audio streaming
Object Exchange (OBEX)
Allows file transfer and contact (vCard) transfer
Bluetooth Security Mechanisms
Pairing: establishes a shared link key; usually requires user interaction, but the details are version dependent
Legacy pairing (before v2.1): the link key is derived from a PIN (1 to 16 digits, often a fixed "0000") and random values (IN_RAND, LK_RAND) that are exchanged in the clear, so anyone who sniffs the pairing can brute-force the PIN offline
Secure Simple Pairing (v2.1 and later): ECDH key agreement resists passive sniffing; the "Just Works" association model still gives no protection against an active man-in-the-middle
Bonding: stores the link key so that paired devices reconnect seamlessly
Based on the link key generated during pairing
If either side loses the link key, pairing is repeated; with fixed-PIN or Just Works devices this happens with no user involvement, so a deleted key is not a security boundary
Encryption:
Completely optional and dependent on device capability; the encryption key is derived from the link key, and its size is negotiated in an unprotected LMP exchange
Bluetooth Security: The Device Address
The 48-bit Bluetooth device address (BD_ADDR, often called the MAC address) is the basis for all Bluetooth communication
A connectable device answers a direct page to its address regardless of its discoverability setting; non-discoverable only means it ignores inquiry scans
Assumed to be unique
With the right module, it is easy to imitate a legitimate device
The specification does not define behaviour when two devices share the same address
The upper part of the address (the OUI) is allocated by the IEEE registration authority and is publicly listed
The lower part is assigned by the manufacturer
Bluetooth Security: The Device Address
Lower Address Part (LAP), 24 bits
Forms the sync word of every baseband packet, so it is visible to any sniffer
Upper Address Part (UAP), 8 bits
Seeds the header error check (HEC) and payload CRC; its low 4 bits, together with the LAP, are the 28 address bits fed to the frequency-hop selection kernel (the timing input to that kernel is the master's clock, not the address)
Non-significant Address Part (NAP), 16 bits
NAP + UAP form the organizationally unique identifier (OUI)
A sniffer reads the LAP directly, can recover the UAP by testing candidate values against observed HECs, and needs the NAP (never sent on air) only to page the device
Once the full address has been determined, the device can be paged, cloned and potentially compromised
Known Exploits
BlueRanger
Sends L2CAP echo requests (l2ping) to a known address, which most stacks answer without authentication, and reads the link quality / RSSI to gauge relative distance
SpoofTooph
Scans for discoverable devices
Clones a device: imitates its address, profiles, services, name and other "unique" characteristics
BTCrack (legacy pairing only)
How it works:
Observe a pairing (IN_RAND, the combination-key exchange, AU_RAND and the 32-bit SRES response)
Guess a 1 to 16 digit PIN (four digits is the common default)
Recompute the link key and SRES from the guess; if the computed SRES matches the observed one, the PIN and the link key are recovered without ever contacting either device
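The offline search described on the BTCrack slide, as an added example (not BTCrack's code and not part of the original deck). The real attack recomputes the SAFER+-based functions E22 (PIN to Kinit), E21 (combination key) and E1 (challenge/response); here HMAC-SHA256 stands in for them as a generic PRF so the structure and the search cost are visible without a SAFER+ implementation. The addresses, random values and PIN are constructed.

```python
"""Offline PIN search against a sniffed legacy (pre-2.1) pairing.

Added example, not BTCrack.  E22/E21/E1 are replaced by HMAC-SHA256 as a
stand-in PRF; addresses, nonces and the PIN are constructed.
"""
import hashlib
import hmac
import itertools
import time


def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based E22/E21/E1 (NOT the Bluetooth primitives)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def legacy_pairing(pin: bytes, addr_a: bytes, addr_b: bytes,
                   in_rand: bytes, au_rand: bytes) -> tuple:
    """Model of the pairing transcript; returns (link_key, sres).

    A passive sniffer sees addr_a, addr_b, in_rand, au_rand and the 32-bit
    sres, but never the PIN, kinit or link_key.
    """
    kinit = prf(pin, addr_b, in_rand)            # E22: PIN, claimant address, IN_RAND
    link_key = prf(kinit, addr_a, addr_b)        # E21 combination step, collapsed to one call
    sres = prf(link_key, addr_b, au_rand)[:4]    # E1: 32-bit response to AU_RAND
    return link_key, sres


def sniff_pairing(pin: bytes) -> dict:
    """Constructed capture: what a sniffer such as Ubertooth would record."""
    addr_a = bytes.fromhex("123456ABCDEF")
    addr_b = bytes.fromhex("0A1B2C3D4E5F")
    in_rand = bytes.fromhex("00112233445566778899AABBCCDDEEFF")
    au_rand = bytes.fromhex("FFEEDDCCBBAA99887766554433221100")
    _, sres = legacy_pairing(pin, addr_a, addr_b, in_rand, au_rand)
    return {"addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
            "au_rand": au_rand, "sres": sres}


def crack_pin(cap: dict, max_digits: int = 8) -> tuple:
    """Try every numeric PIN from 1 to max_digits digits, shortest first.

    Returns (pin, link_key, attempts).  Nothing is transmitted: the whole
    search runs against the recorded transcript.
    """
    attempts = 0
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            attempts += 1
            pin = "".join(digits).encode()
            link_key, sres = legacy_pairing(pin, cap["addr_a"], cap["addr_b"],
                                            cap["in_rand"], cap["au_rand"])
            if sres == cap["sres"]:
                return pin.decode(), link_key, attempts
    return None, None, attempts


if __name__ == "__main__":
    cap = sniff_pairing(b"1234")                 # the common default-length PIN
    t0 = time.perf_counter()
    pin, key, n = crack_pin(cap)
    dt = time.perf_counter() - t0
    rate = n / dt
    print(f"PIN {pin} after {n} guesses in {dt:.2f}s ({rate:,.0f} guesses/s)")
    print(f"link key {key.hex()[:16]}...; full 8-digit space at that rate: {10**8 / rate:.0f} s")
```

Recovering the link key, not just the PIN, is the point: with it the attacker can decrypt the session and impersonate either device until the pair is re-keyed. The 32-bit SRES makes a false match across the 4-digit space vanishingly unlikely; a full implementation would also check the second SRES of the mutual authentication.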
Known Exploits
BlueBugging: control a remote phone through an unauthenticated RFCOMM channel that accepts AT commands
Making and forwarding calls, sending and receiving text messages
BlueSnarfing: retrieve contacts or calendar entries
Uses the OBEX Push profile
OBEX Push does not require authentication
Car Whisperer: abuses vehicle hands-free kits that ship with a fixed default PIN
Send audio to the driver
Listen to conversations in the vehicle
vCardBlaster (virtual business card)
A vCard contains contact information
Sends a continuous stream of vCards over OBEX Push, a nuisance / denial-of-service attack
Bluetooth v4.0 has already been exploited
Collecting Information
Ubertooth One
An open-source board from Great Scott Gadgets: a TI CC2400 2.4 GHz transceiver (a general-purpose radio, not a Bluetooth chip) driven by an NXP LPC1768 Cortex-M3 microcontroller, attached via USB
About $120; allows passive sniffing of Bluetooth baseband traffic
Can export packets to Wireshark for analysis and extraction of sensitive information
Doubles as a 2.4 GHz spectrum analyzer
Simple to program, modify and use
With some embedded-systems experience and motivation, most published attacks become reproducible
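The address-recovery step from the device-address slides, carried out the way a LAP-only sniffer such as Ubertooth has to do it, as an added example (this is not Ubertooth's code and not part of the original deck). The LAP comes straight out of the sync word, the NAP is never on the air, and the UAP is found by testing all 256 candidates against the header error check of captured packets, with the unknown clock bits that whiten the header tried alongside. The HEC polynomial (D^8+D^7+D^5+D^2+D+1, LFSR preloaded with the UAP) and the whitening polynomial (D^7+D^4+1, seeded with 1||CLK[6:1]) are the specification's, but the bit ordering is this script's own simplified convention, so it is self-consistent rather than compatible with real captures. The master address, header values, clock and slot offsets are constructed.

```python
"""Recover the UAP of a master's BD_ADDR from sniffed packet headers.

Added example, not Ubertooth code.  Bit ordering of the HEC and whitening
LFSRs is a simplified model; address, headers and clock are constructed.
"""

HEC_POLY = 0xA7  # x^7 + x^5 + x^2 + x + 1; the x^8 term is implicit


def split_bd_addr(addr: str) -> dict:
    """Split 'NN:NN:UU:LL:LL:LL' into NAP (16 bit), UAP (8 bit) and LAP (24 bit)."""
    octets = [int(x, 16) for x in addr.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError("malformed BD_ADDR")
    nap = (octets[0] << 8) | octets[1]
    uap = octets[2]
    lap = (octets[3] << 16) | (octets[4] << 8) | octets[5]
    return {
        "nap": nap,
        "uap": uap,
        "lap": lap,
        "oui": (nap << 8) | uap,                 # vendor prefix, publicly listed
        "hop_bits": ((uap & 0xF) << 24) | lap,   # 28 address bits used by hop selection
    }


def hec(uap: int, header10: int) -> int:
    """8-bit HEC over the 10 header bits (LSB first), LFSR preloaded with the UAP."""
    reg = uap & 0xFF
    for i in range(10):
        fb = ((reg >> 7) & 1) ^ ((header10 >> i) & 1)
        reg = (reg << 1) & 0xFF
        if fb:
            reg ^= HEC_POLY
    return reg


def whiten_bits(n: int, clk6: int) -> int:
    """n-bit keystream from the 7-bit whitening LFSR seeded with 1||CLK[6:1]."""
    reg = 0x40 | (clk6 & 0x3F)
    out = 0
    for i in range(n):
        bit = (reg >> 6) & 1
        out |= bit << i
        reg = ((reg << 1) & 0x7F) | (bit ^ ((reg >> 3) & 1))
    return out


def make_on_air(uap: int, header10: int, clk6: int) -> int:
    """Transmitter side: append the HEC, then whiten header + HEC (18 bits)."""
    plain = (hec(uap, header10) << 10) | header10
    return plain ^ whiten_bits(18, clk6)


def recover_uap(captures):
    """captures: [(slot_offset, on_air_18_bits), ...] from one piconet.

    The sniffer knows neither the UAP nor CLK[6:1], but it does know how many
    slots elapsed between packets, so it tests every (uap, clk0) pair and keeps
    those consistent with every observed header.
    """
    survivors = None
    for slot_offset, on_air in captures:
        matches = set()
        for clk0 in range(64):
            clk = (clk0 + slot_offset) & 0x3F
            plain = on_air ^ whiten_bits(18, clk)
            header10, hec_seen = plain & 0x3FF, plain >> 10
            for uap in range(256):
                if hec(uap, header10) == hec_seen:
                    matches.add((uap, clk0))
        survivors = matches if survivors is None else survivors & matches
    return survivors


# Constructed piconet: the sniffer only ever sees the LAP (0xABCDEF) directly.
MASTER = split_bd_addr("12:34:56:AB:CD:EF")
TRUE_CLK0 = 17
CAPTURES = [(off, make_on_air(MASTER["uap"], hdr, (TRUE_CLK0 + off) & 0x3F))
            for off, hdr in [(0, 0x2C1), (3, 0x0A5), (17, 0x3F0), (38, 0x155), (70, 0x38E)]]

if __name__ == "__main__":
    hyps = recover_uap(CAPTURES)
    print("surviving (uap, clk0) hypotheses:", [(hex(u), c) for u, c in sorted(hyps)])
    print("true UAP 0x%02x; OUI %06X; NAP not recoverable passively" % (MASTER["uap"], MASTER["oui"]))
```

A single packet leaves 64 candidate pairs (one UAP per possible clock value); each further packet prunes the set, and packets spread over enough slots to carry into the high clock bits are what resolve them, which is why a sniffer accumulates packets over time rather than deciding from one burst. The NAP still has to come from elsewhere (a vendor OUI list, or an active page once the rest is known).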
Bluetooth and SCADA
SEL-2925: Bluetooth serial transceiver, RS-232 emulation over a wireless link
Convenience
Remote telemetry and data acquisition
Same performance degradation as Wi-Fi in noisy 2.4 GHz environments
Uses the Serial Port Profile (SPP) over RFCOMM: simple, fast, negligible configuration
Increasingly being used for automation
Source: https://www.bluetooth.org/en-us/Documents/BW13_DayOne_Session3_BluetoothTrends.pdf
Hardening Bluetooth
Encrypt and authenticate the data at a higher layer (application layer) of the protocol stack; do not rely on link-layer encryption, which may be absent, optional or weakly keyed
Don't use it: turn Bluetooth off (non-discoverable only hides the device from inquiry scans; once its address is known or a link is in use, traffic can be observed regardless of the discoverable and connectable settings)
Bluetooth in SCADA and critical infrastructure
Bluetooth was designed for convenience, not security
Other than lower power consumption, Bluetooth has no advantage over Wi-Fi
Integrating Bluetooth into SCADA is inappropriate; use something else
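What "encrypt at the application layer" looks like for a serial-over-Bluetooth link, as an added example (not vendor code and not part of the original deck): every frame is encrypted, authenticated, bound to a strictly increasing sequence number, and keyed per direction, and the tag is checked before anything else is trusted. It uses only the Python standard library, so the keystream is HMAC-SHA256 in counter mode and the tag is HMAC-SHA256; that is a demonstration construction standing in for a real AEAD (AES-GCM or ChaCha20-Poly1305 from a vetted library is what to deploy). Transport is out of scope: the frames are bytes to write to whatever RFCOMM/SPP socket or serial port carries the link. The PSK, the role names and the Modbus-style poll are constructed.

```python
"""Application-layer protection for data carried over a Bluetooth serial link.

Added example.  Encrypt-then-MAC with HMAC-SHA256 (keystream and tag) as a
stand-in for a real AEAD; PSK, roles and the sample frame are constructed.
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8
TAG_LEN = 16


def derive_key(psk: bytes, label: str) -> bytes:
    """HKDF-style expansion of one PSK into purpose- and direction-specific keys."""
    return hmac.new(psk, label.encode(), hashlib.sha256).digest()


def keystream(k_enc: bytes, seq: int, n: int) -> bytes:
    """n bytes of HMAC-SHA256 counter-mode keystream bound to the sequence number."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(k_enc, struct.pack(">QI", seq, block), hashlib.sha256).digest()
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecureChannel:
    """One end of a bidirectional link.  Sending keys derive from this end's
    role and receiving keys from the peer's, so a frame reflected back to its
    sender fails the tag check instead of being accepted."""

    def __init__(self, psk: bytes, my_role: str, peer_role: str):
        self.k_enc_tx = derive_key(psk, "enc:" + my_role)
        self.k_mac_tx = derive_key(psk, "mac:" + my_role)
        self.k_enc_rx = derive_key(psk, "enc:" + peer_role)
        self.k_mac_rx = derive_key(psk, "mac:" + peer_role)
        self.tx_seq = 0          # last sequence number sent
        self.rx_seq = 0          # highest sequence number accepted

    def seal(self, plaintext: bytes) -> bytes:
        self.tx_seq += 1
        seq = struct.pack(">Q", self.tx_seq)
        ct = xor(plaintext, keystream(self.k_enc_tx, self.tx_seq, len(plaintext)))
        tag = hmac.new(self.k_mac_tx, seq + ct, hashlib.sha256).digest()[:TAG_LEN]
        return seq + ct + tag

    def open(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        seq_b, ct, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(self.k_mac_rx, seq_b + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):   # authenticate before using anything
            raise ValueError("bad tag: forged, corrupted or wrong direction")
        seq = struct.unpack(">Q", seq_b)[0]
        if seq <= self.rx_seq:                     # replayed or reordered frames are dropped
            raise ValueError("replayed or stale frame")
        self.rx_seq = seq
        return xor(ct, keystream(self.k_enc_rx, seq, len(ct)))


def rejects(channel: SecureChannel, frame: bytes) -> bool:
    """True if the receiver refuses the frame."""
    try:
        channel.open(frame)
    except ValueError:
        return True
    return False


def demo() -> tuple:
    """Master polls an RTU; returns (delivered, replay_rejected, tamper_rejected, reflection_rejected)."""
    psk = bytes(range(32))                      # constructed; provision a random per-link PSK
    master = SecureChannel(psk, "master", "rtu")
    rtu = SecureChannel(psk, "rtu", "master")
    poll = bytes.fromhex("010300000002c40b")    # constructed Modbus-RTU-style read request
    frame = master.seal(poll)
    delivered = rtu.open(frame) == poll
    tampered = bytearray(frame)
    tampered[SEQ_LEN + 2] ^= 0x01               # flip one ciphertext bit
    return (delivered,
            rejects(rtu, frame),                # same frame again: replay
            rejects(rtu, bytes(tampered)),      # modified: tag mismatch
            rejects(master, frame))             # sender's own frame reflected: wrong keys


if __name__ == "__main__":
    print(demo())
```

The properties worth noting against the attacks on the earlier slides: a sniffer that has recovered the link key (or faces no link encryption at all) sees only ciphertext; a cloned device that does not hold the PSK cannot produce a valid tag; and recorded frames cannot be replayed because the sequence number is authenticated and must increase. Sequence state must survive reboots (or be renegotiated) or the receiver will reject legitimate traffic after a restart.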
Conclusion
Bluetooth security needs more attention
The lack of appropriate tools cripples penetration testing and security analysis
Embedded applications
Most omit security entirely and assume protection through complexity (obscurity)
This demonstrates the need for a reliable, secure wireless communication channel
Security must be an integral component of the initial design process, not added after the fact
Realize the risk when using Bluetooth in a SCADA application
References
http://trifinite.org/
http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
http://en.wikipedia.org/wiki/SAFER
https://github.com/greatscottgadgets/ubertooth/releases/tag/2014-02-R2
http://openciphers.sourceforge.net/oc/index.php
http://www.hackfromacave.com/
http://en.wikipedia.org/wiki/Bluetooth
http://en.wikipedia.org/wiki/Bluetooth_protocols
http://en.wikipedia.org/wiki/Bluetooth_Special_Interest_Group
https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=40560
https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=241363
https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=174214
https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=263754
https://www.bluetooth.org/en-us/specification/adopted-specifications
http://bluetooth-pentest.narod.ru/
http://linuxpoison.blogspot.com/2008/04/discovering-and-hacking-bluetooth.html
http://pen-testing.sans.org/blog/pen-testing/2011/10/20/the-bluetooth-dilemma
http://blog.zoller.lu/2009/02/btcrack-11-final-version-fpga-support.html