Bluetooth Hacking Full Disclosure @ 21C3
Who we are
Adam Laurie: CSO of The Bunker Secure Hosting Ltd., Co-Maintainer of Apache-SSL, DEFCON Staff/Organiser
Marcel Holtmann: Maintainer and core developer of the Linux Bluetooth Stack BlueZ
Martin Herfurt: Security Researcher, Founder of trifinite.org
Outline (1)
Bluetooth Introduction: History, Technology Overview
The BlueSnarf Attack
The HeloMoto Attack
The BlueBug Attack
Bluetooone: Long-Distance Attacking
Outline (2)
Blooover
Blueprinting
DOS Attacks
Sniffing Bluetooth with hcidump
Conclusions: Lessons taught
Feedback / Discussion
Wire replacement technology
Low power
Short range: 10m - 100m
2.4 GHz
1 Mb/s data rate
Bluetooth SIG
Trade Association, founded 1998
Owns & Licenses IP
Individual membership free
Promoter members: Agere, Ericsson, IBM, Intel, Microsoft, Motorola, Nokia and Toshiba
Consumer: http://www.bluetooth.com
Technical: http://www.bluetooth.org
History (1)
Bluejacking
Early adopters abuse the "Name" field to send a message
Now more commonly send a "Business Card" with message via OBEX
"Toothing" - casual sexual liaisons
History (2)
Bluesnarfing
Wireless Technologies Congress, Sindelfingen, Germany
Bugtraq, Full Disclosure
Houses of Parliament
London Underground
History (3)
Bluesnarfing
Phone Book: Names, Addresses, Numbers, PINs and other codes
Appointments
Images
History (4)
Bluebugging
CeBIT Hanover
Create unauthorised connection to serial profile
Full access to AT command set
Read/Write access to SMS store
Read/Write access to Phone Book
History (5)
Embedded devices: new process for the telecom industry
Firmware updates available; 6310i tested OK
Motorola committed to fix known vulnerabilities
Sony Ericsson publicly stated "all problems fixed"
Bluetooth Technology
ISM band at 2.4 GHz
79 channels
1600 hops per second
Multi-Slot packets
Bluetooth Piconet
One master per piconet
Up to seven active slaves
Over 200 passive members are possible
Master sets the hopping sequence
Transfer rates of 721 Kbit/sec
Bluetooth Scatternet
Master in one and slave in another piconet
Slave in two different piconets
Only master in one piconet
Scatternet support is optional
Bluetooth Architecture
Hardware layer: Radio, Baseband and Link Manager; access through the Host Controller Interface
Bluetooth Stack
Profile implementations: application specific security mechanisms
Bluetooth Security
All security routines are inside the Bluetooth chip
Nothing is transmitted in "plain text"
Interface for link manager security routines: part of the HCI specification
Easy interface
No further encryption of pin codes or keys
Security Modes
Security mode 1
Security mode 2
Security mode 3
Devices listed on the slide: AVM BlueFRITZ! AP-DSL, HBH-10, Aficio AP600N, ELSA Vianect Blue ISDN, Nokia 6210, Ericsson T39m, Anycom LAN Access Point
Bluetooth Stack: HCI and L2CAP; SDP, RFCOMM, BNEP, CMTP, HIDP, HCRP and AVDTP; OBEX and CAPI
Security Commands
HCI_Create_New_Unit_Key
HCI_{Read|Write}_Pin_Type
HCI_{Read|Write|Delete}_Stored_Link_Key
HCI_{Read|Write}_Authentication_Enable
HCI_{Read|Write}_Encryption_Mode
HCI_Authentication_Requested
HCI_Set_Connection_Encryption
HCI_Change_Local_Link_Key
HCI_Master_Link_Key
Pairing Functions (Events / Commands)
First connection:
(1) HCI_Pin_Code_Request (event)
(2) HCI_Pin_Code_Request_Reply (command)
(3) HCI_Link_Key_Notification (event)
Further connections:
(1) HCI_Link_Key_Request (event)
(2) HCI_Link_Key_Request_Reply (command)
(3) HCI_Link_Key_Notification (optional) (event)
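The event/command exchange above, played through on the host side, as an added example that is not code from the slides or from BlueZ. The event and command names are the HCI names on the slide (plus HCI_Link_Key_Request_Negative_Reply from the HCI specification, for a peer with no stored key); the PIN, the addresses and the link keys are constructed values. The log it keeps shows the point made on the Bluetooth Security slide: PIN and link key cross the HCI interface without any further encryption.

```python
"""Host side of the HCI pairing exchange: first connection vs. further connections."""
import os
from typing import Dict, List, Optional


class Host:
    """Tracks stored link keys and replies to pairing events from the controller."""

    def __init__(self, pin: bytes) -> None:
        self.pin = pin                          # PIN the user typed (constructed)
        self.link_keys: Dict[str, bytes] = {}   # bdaddr -> 16-byte link key
        self.hci_log: List[str] = []            # what crosses the HCI interface

    def handle_event(self, event: str, bdaddr: str,
                     link_key: Optional[bytes] = None) -> Optional[str]:
        """Return the HCI command sent in reply to `event`, or None if no reply is due."""
        if event == "HCI_Pin_Code_Request":
            # First connection: no link key exists yet, so the PIN goes down to the
            # chip.  It crosses HCI in clear, exactly as the security slide says.
            self.hci_log.append(f"{event} {bdaddr}")
            self.hci_log.append(f"HCI_Pin_Code_Request_Reply {bdaddr} pin={self.pin.decode()}")
            return "HCI_Pin_Code_Request_Reply"
        if event == "HCI_Link_Key_Request":
            self.hci_log.append(f"{event} {bdaddr}")
            if bdaddr in self.link_keys:
                # Further connection: hand back the stored key, again in clear over HCI
                self.hci_log.append(
                    f"HCI_Link_Key_Request_Reply {bdaddr} key={self.link_keys[bdaddr].hex()}")
                return "HCI_Link_Key_Request_Reply"
            # Unknown peer: refuse, which makes the controller fall back to a PIN request
            self.hci_log.append(f"HCI_Link_Key_Request_Negative_Reply {bdaddr}")
            return "HCI_Link_Key_Request_Negative_Reply"
        if event == "HCI_Link_Key_Notification":
            # The chip derived a new link key; the host only stores it
            if link_key is None or len(link_key) != 16:
                raise ValueError("link key notification without a 16-byte key")
            self.link_keys[bdaddr] = link_key
            self.hci_log.append(f"{event} {bdaddr} key={link_key.hex()}")
            return None
        raise ValueError(f"unexpected event {event}")


def first_connection(host: Host, bdaddr: str) -> List[str]:
    """Steps (1)-(3) for a first connection; returns the commands the host issued."""
    commands = [host.handle_event("HCI_Pin_Code_Request", bdaddr)]
    # Constructed stand-in: a real controller derives the key from PIN and random values
    new_key = os.urandom(16)
    if host.handle_event("HCI_Link_Key_Notification", bdaddr, new_key) is not None:
        raise AssertionError("a link key notification never triggers a command")
    return [c for c in commands if c]


def further_connection(host: Host, bdaddr: str) -> List[str]:
    """Steps (1)-(2) for a later connection: reply with the stored key or refuse."""
    return [host.handle_event("HCI_Link_Key_Request", bdaddr)]


if __name__ == "__main__":
    h = Host(pin=b"1234")
    peer = "00:11:22:33:44:55"                          # constructed address
    print(first_connection(h, peer))                    # ['HCI_Pin_Code_Request_Reply']
    print(further_connection(h, peer))                  # ['HCI_Link_Key_Request_Reply']
    print(further_connection(h, "00:11:22:33:44:66"))   # ['HCI_Link_Key_Request_Negative_Reply']
    print("\n".join(h.hci_log))
```

The optional HCI_Link_Key_Notification on a further connection (step 3) is handled by the same branch as on the first connection: the host simply overwrites the stored key.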
BlueSnarf
obexapp (FreeBSD)
PULL known objects instead of PUSH
No authentication
IrMC (Specifications for Ir Mobile Communications), e.g. telecom/pb.vcf
Ericsson R520m, T39m, T68
Sony Ericsson T68i, T610, Z1010
Nokia 6310, 6310i, 8910, 8910i
HeloMoto
Requires entry in "Device History"
OBEX PUSH to create entry
Connect RFCOMM to Handsfree or Headset
Got inspired from Adam's BlueSnarf which has been written about on slashdot
Tried to figure out how Adam did it (no purpose-built tools available)
Found BlueBug
Got on slashdot at the end of March 2004
Teamed up with Adam in April 2004
Various media citations
Presentation at Blackhat and DEFCON in August 2004
Full Disclosure at 21C3 in December 2004 (now!)
As mentioned earlier...
BlueBug is based on AT Commands (ASCII Terminal)
Very common for the configuration and control of telecommunications devices
High level of control...
Call control (turning phone into a bug)
Sending/Reading/Deleting SMS
Reading/Writing Phonebook Entries
Setting Forwards -> causing costs on the vulnerable phones!
How come!?
Various manufacturers poorly implemented the Bluetooth security mechanisms
Unpublished services on RFCOMM channels
Nokia has quite a lot of models (6310, 6310i, 8910, 8910i, ...)
Sony Ericsson T68i, T610, ...
Motorola has similar problems (see HeloMoto)
Bluetooone
Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack
Original idea from Mike Outmesguine (Author of Book: "Wi-Fi Toys")
Step by Step instruction on trifinite.org
Beginning of August 2004 (right after DEFCON 12)
Experiment in Santa Monica, California
Modified Class-1 Dongle
Snarfing/Bugging Class-2 device (Nokia 6310i) from a distance of 1,78 km (1.01 miles)
Blooover - Bluetooth Wireless Technology Hoover
Proof-of-Concept Application
Educational Purposes only
Phone Auditing Tool
Running on Java: J2ME MIDP 2.0, implemented JSR-82 (Bluetooth API)
Nokia 6600, Nokia 7610, Nokia 6670, ... Series 60; Siemens S65; SonyEricsson P900; ...
Reading phonebooks
Writing phonebook entries
Reading/decoding SMS stored on the device (buggy..)
Setting Call forward (predef. Number) +49 1337 7001
Initiating phone call (predef. Number) 0800 2848283
Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices
This work has been started by Collin R. Mulliner and Martin Herfurt
Relevant to all kinds of applications
Released paper and tool at 21C3 in December 2004 in Berlin (again, now!)
Blueprinting - How
RecordHandle
RFCOMM channel number
Adding it all up: (RecHandle1*Channel1)+(RecHandle2*Channel2)+...+(RecHandlen*Channeln)
First three bytes refer to manufacturer (IEEE OUI)
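The fingerprint computation described above, as an added example that is not the trifinite Blueprinting tool: it pulls the record handle and RFCOMM channel of each service record out of text in the layout that `sdptool browse` prints (the layout is assumed here, and the browse output is constructed), computes the sum (RecHandle1*Channel1)+...+(RecHandlen*Channeln) from the slide and prefixes it with the IEEE OUI, the first three bytes of the device address. The "OUI@sum" string format and the lookup table of known fingerprints are constructed for the example; a defender would fill the table from audited devices to identify models during an inventory.

```python
"""Blueprinting: SDP record handles x RFCOMM channels, prefixed with the IEEE OUI."""
import re
from typing import Dict, List, Tuple

# Constructed SDP browse output in sdptool's layout (assumed); the third record
# has no RFCOMM channel (BNEP transport) and must be skipped
SAMPLE_SDP = """\
Service Name: Dial-up networking
Service RecHandle: 0x10000
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9

Service Name: Network Access Point
Service RecHandle: 0x10002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "BNEP" (0x000f)

Service Name: Headset Audio Gateway
Service RecHandle: 0x10003
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
"""

HANDLE_RE = re.compile(r"^Service RecHandle:\s*(0x[0-9a-fA-F]+)")
CHANNEL_RE = re.compile(r"^\s*Channel:\s*(\d+)")


def parse_records(text: str) -> List[Tuple[int, int]]:
    """Return (record handle, RFCOMM channel) pairs; records without RFCOMM are skipped."""
    records = []
    handle = None
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if m:
            handle = int(m.group(1), 16)   # a new record; any previous channel-less one is dropped
            continue
        m = CHANNEL_RE.match(line)
        if m and handle is not None:
            records.append((handle, int(m.group(1))))
            handle = None                  # one RFCOMM channel per record
    return records


def blueprint_sum(records: List[Tuple[int, int]]) -> int:
    """The slide's formula: sum over all records of RecHandle * Channel."""
    return sum(handle * channel for handle, channel in records)


def oui(bdaddr: str) -> str:
    """First three bytes of the address, i.e. the manufacturer's IEEE OUI."""
    parts = bdaddr.upper().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad Bluetooth address {bdaddr!r}")
    return ":".join(parts[:3])


def blueprint(bdaddr: str, sdp_text: str) -> str:
    """Fingerprint string in the constructed 'OUI@sum' form."""
    return f"{oui(bdaddr)}@{blueprint_sum(parse_records(sdp_text))}"


# Constructed table of known fingerprints -> device model
KNOWN: Dict[str, str] = {"00:11:22@851986": "constructed example phone"}


def identify(fingerprint: str, known: Dict[str, str] = KNOWN) -> str:
    return known.get(fingerprint, "unknown device")


if __name__ == "__main__":
    fp = blueprint("00:11:22:33:44:55", SAMPLE_SDP)   # constructed address
    print(fp, "->", identify(fp))                      # 00:11:22@851986 -> constructed example phone
```

Because the sum depends only on handles and channels, two devices running the same firmware produce the same value; the OUI prefix separates manufacturers that happen to ship identical service tables.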
BlueSmack
Signal channel request/response
L2CAP signal MTU is unknown
No open L2CAP channel needed
BlueSmack (hcidump trace)
< HCI Command: Create Connection (0x01|0x0005) plen 13
    0000: b6 1e 33 6d 0e 00 18 cc 02 00 00 00 01
> HCI Event: Command Status (0x0f) plen 4
    0000: 00 01 05 04
> HCI Event: Connect Complete (0x03) plen 11
    0000: 00 29 00 b6 1d 32 6d 0e 00 01 00
< ACL data: handle 0x0029 flags 0x02 dlen 28
    L2CAP(s): Echo req: dlen 20
    0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52
    0010: 55 56 57 58
> HCI Event: Number of Completed Packets (0x13) plen 5
    0000: 01 29 00 01 00
> ACL data: handle 0x0029 flags 0x02 dlen 28
    L2CAP(s): Echo rsp: dlen 20
    0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52
    0010: 55 56 57 58
< HCI Command: Disconnect (0x01|0x0006) plen 3
    0000: 29 00 13
> HCI Event: Command Status (0x0f) plen 4
    0000: 00 01 06 04
> HCI Event: Disconn Complete (0x05) plen 4
    0000: 00 29 00 16
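Detection logic for the BlueSmack slide and for the "Sniffing Bluetooth with hcidump" outline item, as an added example that is not code from the slides or from BlueZ: a parser for the line layout hcidump prints (the ACL header line followed by the L2CAP(s) line, as in the trace above) that lists every L2CAP echo request and response, flags requests whose data length exceeds the default signalling MTU (MTUsig = 48 octets in the L2CAP specification) and counts inbound requests per ACL handle. Since a device cannot know the peer's signalling MTU, an echo request far above that default is the signature to look for in a captured trace. The sample trace is constructed.

```python
"""Scan an hcidump text trace for L2CAP echo requests, the command BlueSmack abuses."""
import re
from collections import Counter
from typing import Dict, List

SIG_MTU_DEFAULT = 48  # default L2CAP signalling MTU; larger echo payloads are suspicious

# Constructed hcidump output: one normal echo exchange, then oversized requests
SAMPLE_TRACE = """\
> ACL data: handle 0x0029 flags 0x02 dlen 28
    L2CAP(s): Echo req: dlen 20
0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54
0010: 55 56 57 58
< ACL data: handle 0x0029 flags 0x02 dlen 28
    L2CAP(s): Echo rsp: dlen 20
> ACL data: handle 0x0029 flags 0x02 dlen 608
    L2CAP(s): Echo req: dlen 600
> ACL data: handle 0x0029 flags 0x02 dlen 608
    L2CAP(s): Echo req: dlen 600
> ACL data: handle 0x002a flags 0x02 dlen 12
    L2CAP(s): Echo req: dlen 4
"""

# '<' is host -> controller (outbound), '>' is controller -> host (inbound)
ACL_RE = re.compile(r"^([<>]) ACL data: handle (0x[0-9a-fA-F]+) flags 0x[0-9a-fA-F]+ dlen (\d+)")
ECHO_RE = re.compile(r"^\s*L2CAP\(s\): Echo (req|rsp): dlen (\d+)")


def parse_echoes(trace: str) -> List[Dict]:
    """Return one dict per L2CAP echo command: direction, handle, kind, dlen, acl_dlen."""
    echoes = []
    acl = None                       # the ACL header line waiting for its L2CAP line
    for line in trace.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl = (m.group(1), m.group(2).lower(), int(m.group(3)))
            continue
        m = ECHO_RE.match(line)
        if m and acl is not None:
            echoes.append({
                "direction": "inbound" if acl[0] == ">" else "outbound",
                "handle": acl[1],
                "kind": m.group(1),
                "dlen": int(m.group(2)),
                "acl_dlen": acl[2],
            })
        acl = None                   # hex dump lines and anything else end the pair
    return echoes


def oversized_requests(echoes: List[Dict], mtu: int = SIG_MTU_DEFAULT) -> List[Dict]:
    """Echo requests carrying more data than the default signalling MTU allows."""
    return [e for e in echoes if e["kind"] == "req" and e["dlen"] > mtu]


def inbound_requests_per_handle(echoes: List[Dict]) -> Counter:
    """How many echo requests each remote connection sent to this host."""
    return Counter(e["handle"] for e in echoes
                   if e["kind"] == "req" and e["direction"] == "inbound")


if __name__ == "__main__":
    found = parse_echoes(SAMPLE_TRACE)
    for e in oversized_requests(found):
        print(f"oversized echo request on {e['handle']}: {e['dlen']} bytes of data")
    print(inbound_requests_per_handle(found))   # Counter({'0x0029': 3, '0x002a': 1})
```

Run it on a real capture with `hcidump -X > trace.txt` and pass the file's contents to `parse_echoes`; the per-handle counter is what turns a single large echo into a flood pattern worth alerting on.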
Conclusions
Specifics under NDA
Security Expert Group mailing list
bluetooth.org more open areas
trifinite.org
trifinite.group
Adam Laurie (the Bunker Secure Hosting), Marcel Holtmann (BlueZ), Collin Mulliner (mulliner.org), Tim Hurman (Pentest), Mark Rowe (Pentest), Martin Herfurt (trifinite.org), Spot (Sony)
Contact us via 21c3@trifinite.org (group alias for Adam, Marcel and Martin)