Bluetooth Hacking

11 09 2007

Author

Gautam Sarswat

JIITU NOIDA

 

Bluetooth Introduction

Wire replacement technology

Low power

Short range 10m – 100m

2.4 GHz

1 Mb/s data rate

Bluetooth SIG

– Trade Association

– Founded 1998

– Owns & Licenses IP

– Individual membership free

– Promoter members: Agere, Ericsson, IBM, Intel,

Microsoft, Motorola, Nokia and Toshiba

– Consumer http://www.bluetooth.com

– Technical http://www.bluetooth.org

 

Bluetooth Technology

Data and voice transmission

ACL data connections

SCO and eSCO voice channels

Symmetric and asymmetric connections

Frequency hopping

ISM band at 2.4 GHz

79 channels

1600 hops per second

Multi-Slot packets

 

 

Bluetooth Piconet

Bluetooth devices create a piconet

One master per piconet

Up to seven active slaves

Over 200 passive members are possible

Master sets the hopping sequence

Transfer rates of 721 Kbit/sec

Bluetooth 1.2 and EDR (aka 2.0)

Adaptive Frequency Hopping

Transfer rates up to 2.1 Mbit/sec

 

 

Bluetooth Scatternet

Connected piconets create a scatternet

Master in one and slave in another piconet

Slave in two different piconets

Only master in one piconet

Scatternet support is optional


 

 

Bluetooth Architecture

Hardware layer

Radio, Baseband and Link Manager

Access through Host Controller Interface

– Hardware abstraction

– Standards for USB and UART

Host protocol stack

L2CAP, RFCOMM, BNEP, AVDTP etc.

Profile implementations

Serial Port, Dialup, PAN, HID etc.

 

    Bluetooth Stack


 

Bluetooth Security

Link manager security

All security routines are inside the Bluetooth chip

Nothing is transmitted in “plain text”

Host stack security

Interface for link manager security routines

Part of the HCI specification

Easy interface

No further encryption of pin codes or keys

 

 

    Security Modes

    Security mode 1

    No active security enforcement

    Security mode 2

    Service level security

    At device level there is no difference from mode 1

    Security mode 3

    Device level security

    Enforce security for every low-level connection

 

    Linux and Bluetooth

    # hciconfig -a

    hci0: Type: USB

    BD Address: 00:02:5B:A1:88:52 ACL MTU: 384:8 SCO MTU: 64:8

    UP RUNNING PSCAN ISCAN

    RX bytes:9765 acl:321 sco:0 events:425 errors:0

    TX bytes:8518 acl:222 sco:0 commands:75 errors:0

    Features: 0xff 0xff 0x8b 0xfe 0x9b 0xf9 0x00 0x80

    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3

    Link policy: RSWITCH HOLD SNIFF PARK

    Link mode: SLAVE ACCEPT

    Name: 'Casira BC3-MM'

    Class: 0x1e0100

    Service Classes: Networking, Rendering, Capturing, Object Transfer

    Device Class: Computer, Uncategorized

    HCI Ver: 1.2 (0x2) HCI Rev: 0x529 LMP Ver: 1.2 (0x2) LMP Subver: 0x529

    Manufacturer: Cambridge Silicon Radio (10)

    # hcitool scan

    Scanning ...

    00:04:0E:21:06:FD AVM BlueFRITZ! AP-DSL

    00:01:EC:3A:45:86 HBH-10

    00:04:76:63:72:4D Aficio AP600N

    00:A0:57:AD:22:0F ELSA Vianect Blue ISDN

    00:E0:03:04:6D:36 Nokia 6210

    00:80:37:06:78:92 Ericsson T39m

    00:06:C6:C4:08:27 Anycom LAN Access Point

    Sniffing with hcidump

    Recording of HCI packets

    – Commands, events, ACL and SCO data packets

    Only for local connections

    Decoding of higher layer protocols

    – HCI and L2CAP

    – SDP, RFCOMM, BNEP, CMTP, HIDP, HCRP and AVDTP

    – OBEX and CAPI

    No sniffing of baseband or radio traffic

 

    Security Commands

    HCI_Create_New_Unit_Key

    HCI_{Read|Write}_Pin_Type

    HCI_{Read|Write|Delete}_Stored_Link_Key

    HCI_{Read|Write}_Authentication_Enable

    HCI_{Read|Write}_Encryption_Mode

    HCI_Authentication_Requested

    HCI_Set_Connection_Encryption

    HCI_Change_Local_Link_Key

    HCI_Master_Link_Key

 

    Pairing Functions

    Events

    HCI_Link_Key_Notification

    HCI_Link_Key_Request

    HCI_Pin_Code_Request

    Commands

    HCI_Link_Key_Request_Reply

    HCI_Link_Key_Request_Negative_Reply

    HCI_Pin_Code_Request_Reply

    HCI_Pin_Code_Request_Negative_Reply

 

    How Pairing Works

    First connection

    (1) HCI_Pin_Code_Request

    (2) HCI_Pin_Code_Request_Reply

    (3) HCI_Link_Key_Notification

    Further connections

    (1) HCI_Link_Key_Request

    (2) HCI_Link_Key_Request_Reply

    (3) HCI_Link_Key_Notification (optional)
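As an added example (not code from the slides), a host-side model of the pairing flow above, with the replies encoded as real HCI command packets: the opcode and event-code values are those of the HCI specification, while the PIN, the link-key bytes and the in-memory key store are constructed for illustration, and the peer addresses are taken from the scan list above.

```python
import struct
# HCI opcode = OGF << 10 | OCF; OGF 0x01 is the Link Control group, as in
# the Create Connection (0x01|0x0005) command of the BlueSmack trace below.
OGF_LINK_CTL = 0x01
OCF_LINK_KEY_REQ_REPLY, OCF_LINK_KEY_REQ_NEG, OCF_PIN_REQ_REPLY = 0x0B, 0x0C, 0x0D
EVT_PIN_CODE_REQ, EVT_LINK_KEY_REQ, EVT_LINK_KEY_NOTIFY = 0x16, 0x17, 0x18

def bdaddr_bytes(addr: str) -> bytes:
    """'00:E0:03:04:6D:36' -> the 6-byte little-endian field HCI carries."""
    return bytes(int(b, 16) for b in reversed(addr.split(":")))

def hci_cmd(ocf: int, params: bytes) -> bytes:
    """HCI command packet: opcode (LE16), parameter length, parameters."""
    return struct.pack("<HB", (OGF_LINK_CTL << 10) | ocf, len(params)) + params

def event(code: int, params: bytes) -> bytes:  # constructed controller event
    return bytes([code, len(params)]) + params

class HostPairing:
    """Host side of the exchange. The stored keys are unencrypted: HCI adds
    no protection for PINs or link keys, so the host must guard this store."""
    def __init__(self, pin: bytes):
        self.pin = pin
        self.keys = {}                        # BD_ADDR bytes -> 16-byte link key

    def handle_event(self, pkt: bytes):
        code, params = pkt[0], pkt[2:2 + pkt[1]]
        addr = params[:6]
        if code == EVT_PIN_CODE_REQ:          # first connection, step (1)
            pin = self.pin[:16].ljust(16, b"\0")
            return hci_cmd(OCF_PIN_REQ_REPLY, addr + bytes([len(self.pin)]) + pin)
        if code == EVT_LINK_KEY_NOTIFY:       # step (3): keep the derived key
            self.keys[addr] = params[6:22]
            return None
        if code == EVT_LINK_KEY_REQ:          # further connections, step (1)
            key = self.keys.get(addr)
            if key is None:                   # unknown peer: force a PIN pairing
                return hci_cmd(OCF_LINK_KEY_REQ_NEG, addr)
            return hci_cmd(OCF_LINK_KEY_REQ_REPLY, addr + key)

def demo():
    host = HostPairing(pin=b"1234")
    peer = bdaddr_bytes("00:E0:03:04:6D:36")  # address from the scan list above
    key = bytes(range(16))                     # constructed link key value
    first = host.handle_event(event(EVT_PIN_CODE_REQ, peer))
    host.handle_event(event(EVT_LINK_KEY_NOTIFY, peer + key + b"\x00"))
    again = host.handle_event(event(EVT_LINK_KEY_REQ, peer))
    stranger = host.handle_event(event(EVT_LINK_KEY_REQ, bdaddr_bytes("00:80:37:06:78:92")))
    return first, again, stranger
```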

 

    BlueSnarf

    Trivial OBEX PUSH channel attack

    – obexapp (FreeBSD)

    – PULL known objects instead of PUSH

    – No authentication

    Infrared Data Association

    – IrMC (Specifications for Ir Mobile Communications)

    e.g. telecom/pb.vcf

    Ericsson R520m, T39m, T68

    Sony Ericsson T68i, T610, Z1010

    Nokia 6310, 6310i, 8910, 8910i

 

    HeloMoto

    Requires entry in ‘Device History’

    OBEX PUSH to create entry

    Connect RFCOMM to Handsfree or Headset

    – No Authentication required

    – Full AT command set access

    Motorola V80, V5xx, V6xx and E398

 

    Blooover - What is it?

    Blooover – Bluetooth Wireless Technology Hoover

    Proof-of-Concept Application

    Educational Purposes only

    Phone Auditing Tool

    Running on Java

    J2ME MIDP 2.0

    Implemented JSR-82 (Bluetooth API)

    Nokia 6600, Nokia 7610, Nokia 6670, … Series 60

    Siemens S65

    SonyEricsson P900 …

 

    Blooover - What does it do?

    Blooover is performing the BlueBug attack

    – Reading phonebooks

    – Writing phonebook entries

    – Reading/decoding SMS stored on the device (buggy..)

    – Setting Call forward (predef. Number) +49 1337 7001

    – Initiating phone call (predef. Number) 0800 2848283

    Not working well on Nokia phones :( but works on some T610

    Please use this application responsibly!

    – For research purposes only!

    – With permission of owner

 

    Blueprinting – What is it?

    Blueprinting is fingerprinting the Bluetooth Wireless Technology interfaces of devices

    Blueprinting – How

    Hashing Information from Profile Entries

    – RecordHandle

    – RFCOMM channel number

    – Adding it all up: (RecHandle_1*Channel_1) + (RecHandle_2*Channel_2) + ... + (RecHandle_n*Channel_n)

    Bluetooth Device Address

    – First three bytes refer to manufacturer (IEEE OUI)

    Example of Blueprint

    00:60:57@2621543
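As an added example, not from the slides or from the Blueprinting tool itself: computing a Blueprint from a device's SDP records with the sum described above, prefixed by the OUI of the address. The records are a constructed excerpt in the layout that BlueZ's sdptool browse prints (the format is assumed), and the address is constructed around the 00:60:57 OUI from the slide.

```python
import re
# Constructed excerpt in the layout `sdptool browse` prints (an assumed format,
# not output from a real device): one record per "Service RecHandle" line.
SDP_SAMPLE = """\
Service Name: OBEX Object Push
Service RecHandle: 0x10000
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
  "OBEX" (0x0008)
Service Name: Dial-up Networking
Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Service Name: Audio Source
Service RecHandle: 0x10002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "AVDTP" (0x0019)
"""

def parse_sdp_records(text: str):
    """(RecordHandle, RFCOMM channel) per record; channel 0 when the service
    is not RFCOMM based, so that record adds nothing to the hash."""
    records, handle, channel = [], None, 0
    for line in text.splitlines():
        m = re.match(r"\s*Service RecHandle:\s*0x([0-9a-fA-F]+)", line)
        if m:
            if handle is not None:
                records.append((handle, channel))
            handle, channel = int(m.group(1), 16), 0
            continue
        m = re.match(r"\s*Channel:\s*(\d+)", line)
        if m and handle is not None:
            channel = int(m.group(1))
    if handle is not None:
        records.append((handle, channel))
    return records

def blueprint(bd_addr: str, records) -> str:
    """OUI of the address plus sum(RecHandle_i * Channel_i), e.g. 00:60:57@2621543."""
    oui = ":".join(bd_addr.upper().split(":")[:3])
    return f"{oui}@{sum(h * c for h, c in records)}"

def demo() -> str:
    return blueprint("00:60:57:12:34:56", parse_sdp_records(SDP_SAMPLE))
```

Two devices with the same firmware expose the same record handles and channels, so they yield the same Blueprint, which is what makes it usable for inventorying a fleet.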

 

    BlueSmack

    Using L2CAP echo feature

    – Signal channel request/response

    – L2CAP signal MTU is unknown

    – No open L2CAP channel needed

    Buffer overflow

    Denial of service attack

    BlueSmack

    < HCI Command: Create Connection (0x01|0x0005) plen 13

    0000: b6 1e 33 6d 0e 00 18 cc 02 00 00 00 01 ..2m.........

    > HCI Event: Command Status (0x0f) plen 4

    0000: 00 01 05 04 ....

    > HCI Event: Connect Complete (0x03) plen 11

    0000: 00 29 00 b6 1d 32 6d 0e 00 01 00 .)...2m....

    < ACL data: handle 0x0029 flags 0x02 dlen 28

    L2CAP(s): Echo req: dlen 20

    0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 EFGHIJKLMNOPQRST

    0010: 55 56 57 58 UVWX

    > HCI Event: Number of Completed Packets (0x13) plen 5

    0000: 01 29 00 01 00 .)...

    > ACL data: handle 0x0029 flags 0x02 dlen 28

    L2CAP(s): Echo rsp: dlen 20

    0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 EFGHIJKLMNOPQRST

    0010: 55 56 57 58 UVWX

    < HCI Command: Disconnect (0x01|0x0006) plen 3

    0000: 29 00 13 )..

    > HCI Event: Command Status (0x0f) plen 4

    0000: 00 01 06 04 ....

    > HCI Event: Disconn Complete (0x05) plen 4

    0000: 00 29 00 16 .)..
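As an added example written for this page (not from the original), a decoder for the L2CAP signalling frame that hcidump shows decoded in the trace above, plus the check a monitoring host can apply to it: an Echo request longer than the 48-byte minimum signalling MTU is the BlueSmack pattern, since that is more than a peer is guaranteed to buffer. The command identifier and the test frames are constructed.

```python
import struct

SIGNALING_CID = 0x0001          # L2CAP signalling channel
ECHO_REQUEST, ECHO_RESPONSE = 0x08, 0x09
MIN_SIG_MTU = 48                # smallest signalling MTU every L2CAP stack must accept

def decode_l2cap_signal(acl_payload: bytes) -> dict:
    """Parse the L2CAP basic header plus one signalling command from ACL data."""
    if len(acl_payload) < 8:
        raise ValueError("truncated L2CAP frame")
    length, cid = struct.unpack_from("<HH", acl_payload, 0)
    if cid != SIGNALING_CID:
        raise ValueError(f"not a signalling frame (CID 0x{cid:04x})")
    code, ident, cmd_len = struct.unpack_from("<BBH", acl_payload, 4)
    data = acl_payload[8:8 + cmd_len]
    if len(data) != cmd_len or cmd_len + 4 != length:
        raise ValueError("L2CAP length fields disagree with the payload")
    return {"code": code, "ident": ident, "dlen": cmd_len, "sig_len": length}

def is_oversized_echo(acl_payload: bytes) -> bool:
    """BlueSmack indicator: an Echo request whose signalling payload exceeds
    the 48-byte minimum MTU, i.e. more than a peer is guaranteed to accept."""
    sig = decode_l2cap_signal(acl_payload)
    return sig["code"] == ECHO_REQUEST and sig["sig_len"] > MIN_SIG_MTU

def build_echo(code: int, ident: int, data: bytes) -> bytes:
    """Constructed frame for exercising the decoder offline."""
    cmd = struct.pack("<BBH", code, ident, len(data)) + data
    return struct.pack("<HH", len(cmd), SIGNALING_CID) + cmd

# The echo from the trace: 20 data bytes + 4-byte command header + 4-byte
# L2CAP header = 28 bytes, matching 'dlen 28' on the ACL line.
TRACE_ECHO = build_echo(ECHO_REQUEST, 1, b"EFGHIJKLMNOPQRSTUVWX")
```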

