
Hacking Bluetooth enabled mobile phones and beyond Full Disclosure

Adam Laurie Marcel Holtmann Martin Herfurt

21C3: The Usual Suspects


21st Chaos Communication Congress December 27th to 29th, 2004 Berliner Congress Center, Berlin, Germany
Bluetooth Hacking Full Disclosure @ 21C3

Who we are

Adam Laurie
- CSO of The Bunker Secure Hosting Ltd.
- Co-Maintainer of Apache-SSL
- DEFCON Staff/Organiser

Marcel Holtmann
- Maintainer and core developer of the Linux Bluetooth Stack BlueZ

Martin Herfurt
- Security Researcher
- Founder of trifinite.org

Outline (1)

- Bluetooth Introduction
- History
- Technology Overview
- The BlueSnarf Attack
- The HeloMoto Attack
- The BlueBug Attack
- Bluetooone
- Long-Distance Attacking

Outline (2)

- Blooover
- Blueprinting
- DOS Attacks
- Sniffing Bluetooth with hcidump
- Conclusions
- Lessons taught
- Feedback / Discussion

Bluetooth Introduction (1)

- Wire replacement technology
- Low power
- Short range 10m - 100m
- 2.4 GHz
- 1 Mb/s data rate

Bluetooth Introduction (2)

Bluetooth SIG
- Trade Association
- Founded 1998
- Owns & Licenses IP
- Individual membership free
- Promoter members: Agere, Ericsson, IBM, Intel, Microsoft, Motorola, Nokia and Toshiba
- Consumer: http://www.bluetooth.com
- Technical: http://www.bluetooth.org

History (1)

Bluejacking
- Early adopters abuse "Name" field to send message
- Now more commonly send "Business Card" with message via OBEX
- "Toothing" - Casual sexual liaisons

History (2)

Bluesnarfing
- First publicised by Marcel Holtmann, October 2003
  - Wireless Technologies Congress, Sindelfingen, Germany
- Adam Laurie, A L Digital, November 2003
  - Bugtraq, Full Disclosure
  - Houses of Parliament
  - London Underground
- "Snarf" - networking slang for "unauthorised copy"

History (3)

Bluesnarfing
- Data Theft
  - Calendar
    - Appointments
    - Images
  - Phone Book
    - Names, Addresses, Numbers
    - PINs and other codes
    - Images

History (4)

Bluebugging
- First publicised by Martin Herfurt, March 2004
  - CeBIT Hanover
- Create unauthorised connection to serial profile
- Full access to AT command set
- Read/Write access to SMS store
- Read/Write access to Phone Book

History (5)

Full Disclosure after 13 months
- More time for manufacturers to fix
  - Embedded devices
  - New process for telecom industry
- Firmware updates available
  - 6310i tested OK
- Nokia claims to have fixed all vulnerable devices
- Motorola committed to fix known vulnerabilities
- Sony Ericsson publicly stated "all problems fixed"

Bluetooth Technology

- Data and voice transmission
  - ACL data connections
  - SCO and eSCO voice channels
- Symmetric and asymmetric connections
- Frequency hopping
  - ISM band at 2.4 GHz
  - 79 channels
  - 1600 hops per second
- Multi-Slot packets

Bluetooth Piconet

- Bluetooth devices create a piconet
  - One master per piconet
  - Up to seven active slaves
  - Over 200 passive members are possible
  - Master sets the hopping sequence
  - Transfer rates of 721 Kbit/sec
- Bluetooth 1.2 and EDR (aka 2.0)
  - Adaptive Frequency Hopping
  - Transfer rates up to 2.1 Mbit/sec

Bluetooth "catternet

Connected piconets create a scatternet


+aster in one and sla/e in another piconet "la/e in t$o di((erent piconets 'nly master in one piconet "catternet support is optional

Bluetooth Hacking Full Disclosure @ 21C3

Bluetooth Architecture

- Hardware layer
  - Radio, Baseband and Link Manager
  - Access through Host Controller Interface
    - Hardware abstraction
    - Standards for USB and UART
- Host protocol stack
  - L2CAP, RFCOMM, BNEP, AVDTP etc.
- Profile implementations
  - Serial Port, Dialup, PAN, HID etc.

Bluetooth "tack
%pplication speci(ic security mechanisms

Bluetooth host security mechanisms

"ecurity mechanisms on the Bluetooth chip

Bluetooth Hacking Full Disclosure @ 21C3

Bluetooth "ecurity

&ink manager security


%ll security routines are inside the Bluetooth chip -othing is transmitted in Fplain te0tG

Host stack security


5nter(ace (or link manager security routines =art o( the HC5 speci(ication ,asy inter(ace -o (urther encryption o( pin codes or keys

Bluetooth Hacking Full Disclosure @ 21C3

"ecurity +odes

"ecurity mode 1

-o acti/e security en(orcement

"ecurity mode 2

"er/ice le/el security 'n de/ice le/el no di((erence to mode 1

"ecurity mode 3

De/ice le/el security ,n(orce security (or e/ery lo$*le/el connection

Bluetooth Hacking Full Disclosure @ 21C3

Linux and Bluetooth

# hciconfig -a
hci0:   Type: USB
        BD Address: 00:02:5B:A1:88:52 ACL MTU: 384:8  SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:906 acl:321 sco:0 events:42 errors:0
        TX bytes:8518 acl:222 sco:0 commands:0 errors:0
        Features: 0xff 0xff 0x8b 0xfe 0x9b 0xf9 0x00 0x80
        Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
        Link policy: RSWITCH HOLD SNIFF PARK
        Link mode: SLAVE ACCEPT
        Name: 'Casira BC3-MM'
        Class: 0x1e0100
        Service Classes: Networking, Rendering, Capturing, Object Transfer
        Device Class: Computer, Uncategorized
        HCI Ver: 1.2 (0x2) HCI Rev: 0x529 LMP Ver: 1.2 (0x2) LMP Subver: 0x529
        Manufacturer: Cambridge Silicon Radio (10)

# hcitool scan
Scanning ...
        00:04:08:21:06:2D       AVM BlueFRITZ! AP-DSL
        00:01:EC:3A:45:86       HBH-10
        00:04:06:63:02:4D       Aficio AP600N
        00:A0:50:AD:22:02       ELSA Vianect Blue ISDN
        00:E0:03:04:6D:36       Nokia 6210
        00:80:30:06:08:92       Ericsson T39m
        00:06:C6:C4:08:20       Anycom LAN Access Point

"ni((ing $ith hcidump

2ecording o( HC5 packets

Commands> e/ents> %C& and "C' data packets

'nly (or local connections Decoding o( higher layer protocols


HC5 and &2C%= "D=> 2FC'++> B-,=> C+ => H5D=> HC2= and %ID = 'B,A and C%=5

-o sni((ing o( baseband or radio tra((ic

Bluetooth Hacking Full Disclosure @ 21C3

"ecurity Commands

HC5JCreateJ-e$J!nitJEey HC5JK2eadL#riteMJ=inJ ype HC5JK2eadL#riteLDeleteMJ"toredJ&inkJEey HC5JK2eadL#riteMJ%uthenticationJ,nable HC5JK2eadL#riteMJ,ncryptionJ+ode HC5J%uthenticationJ2eBuested HC5J"etJConnectionJ,ncryption HC5JChangeJ&ocalJ&inkJEey HC5J+asterJ&inkJEey

Bluetooth Hacking Full Disclosure @ 21C3

Pairing Functions

Events
- HCI_Link_Key_Notification
- HCI_Link_Key_Request
- HCI_Pin_Code_Request

Commands
- HCI_Link_Key_Request_Reply
- HCI_Link_Key_Request_Negative_Reply
- HCI_Pin_Code_Request_Reply
- HCI_Pin_Code_Request_Negative_Reply

How Pairing Works

First connection
(1) HCI_Pin_Code_Request
(2) HCI_Pin_Code_Request_Reply
(3) HCI_Link_Key_Notification

Further connections
(1) HCI_Link_Key_Request
(2) HCI_Link_Key_Request_Reply
(3) HCI_Link_Key_Notification (optional)
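The two pairing flows above, seen from the host side, as an added Python model (this is example code written for this page, not code from the slides or from BlueZ). The event and command names are the ones on the slides; the Host and Controller classes, the pin_policy callback and run_pairing_demo are hypothetical, and the link key is a random stand-in for the derivation that the slides say runs inside the chip. It also covers the case the slides leave implicit: when the controller asks for a stored key and the host no longer has it, the negative reply sends the pair back through the PIN flow.

```python
import secrets

# Controller -> host events and host -> controller commands, named as on the slides
PIN_CODE_REQUEST = "HCI_Pin_Code_Request"
LINK_KEY_REQUEST = "HCI_Link_Key_Request"
LINK_KEY_NOTIFICATION = "HCI_Link_Key_Notification"
PIN_CODE_REQUEST_REPLY = "HCI_Pin_Code_Request_Reply"
PIN_CODE_REQUEST_NEGATIVE_REPLY = "HCI_Pin_Code_Request_Negative_Reply"
LINK_KEY_REQUEST_REPLY = "HCI_Link_Key_Request_Reply"
LINK_KEY_REQUEST_NEGATIVE_REPLY = "HCI_Link_Key_Request_Negative_Reply"


class Host:
    """Host stack side (hypothetical class): decides whether to hand out a PIN
    and keeps the link keys the chip notifies. Keys sit here in the clear, which
    is the point the slides make about host stack security."""

    def __init__(self, pin_policy):
        self.pin_policy = pin_policy   # bdaddr -> PIN string, or None to refuse
        self.link_keys = {}            # bdaddr -> 16-byte link key
        self.trace = []                # "< event" / "> command" lines

    def on_event(self, name, bdaddr, payload=None):
        self.trace.append("< " + name)
        if name == LINK_KEY_REQUEST:
            key = self.link_keys.get(bdaddr)
            if key is None:
                return self.command(LINK_KEY_REQUEST_NEGATIVE_REPLY, bdaddr)
            return self.command(LINK_KEY_REQUEST_REPLY, bdaddr, key)
        if name == PIN_CODE_REQUEST:
            pin = self.pin_policy(bdaddr)
            if pin is None:
                return self.command(PIN_CODE_REQUEST_NEGATIVE_REPLY, bdaddr)
            return self.command(PIN_CODE_REQUEST_REPLY, bdaddr, pin)
        if name == LINK_KEY_NOTIFICATION:
            self.link_keys[bdaddr] = payload   # store the key for next time
            return None
        raise ValueError("unexpected event " + name)

    def command(self, name, bdaddr, arg=None):
        self.trace.append("> " + name)
        return (name, bdaddr, arg)


class Controller:
    """Toy controller (hypothetical): walks a connection through the events.
    Returns True when the link ends up authenticated."""

    def __init__(self):
        self.paired = {}   # bdaddr -> key the remote device also holds (stand-in)

    def connect(self, host, bdaddr):
        if bdaddr in self.paired:
            # Further connection: ask the host for the stored key first
            reply = host.on_event(LINK_KEY_REQUEST, bdaddr)
            if reply[0] == LINK_KEY_REQUEST_REPLY:
                return reply[2] == self.paired[bdaddr]
            # Host lost the key (negative reply): fall back to a fresh pairing
        reply = host.on_event(PIN_CODE_REQUEST, bdaddr)
        if reply[0] != PIN_CODE_REQUEST_REPLY:
            return False               # host refused to pair
        key = secrets.token_bytes(16)  # stand-in for the chip's key derivation
        self.paired[bdaddr] = key
        host.on_event(LINK_KEY_NOTIFICATION, bdaddr, key)
        return True


def run_pairing_demo():
    """Four connections: first pairing, key reuse, re-pairing after the host
    wiped its key store, and a refused stranger. Returns per-step results."""
    phone = "00:00:00:00:00:01"        # constructed address
    stranger = "00:00:00:00:00:02"     # constructed address
    host = Host(pin_policy=lambda addr: "1234" if addr == phone else None)
    ctrl = Controller()
    results = {}
    for label, addr, wipe in (("first", phone, False), ("second", phone, False),
                              ("third", phone, True), ("stranger", stranger, False)):
        if wipe:
            host.link_keys.clear()     # simulate a wiped host key store
        start = len(host.trace)
        ok = ctrl.connect(host, addr)
        results[label] = (ok, host.trace[start:])
    return results
```

The second connection never touches the PIN: the host answers HCI_Link_Key_Request from its store, so whoever can read that store can authenticate as the host, which is why the "no further encryption of pin codes or keys" remark on the host stack slide matters.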

Blue"nar(

ri/ial 'B,A =!"H channel attack


obe0app 3FreeB"D4 =!&& kno$n ob?ects instead o( =!"H -o authentication 5r+C 3"peci(ications (or 5r +obile Communications4

5n(rared Data %ssociation

e)g) telecom.pb)/c(

,ricsson 2C26m> 3:m> D; "ony ,ricsson D;i> D16> 11616 -okia D316> D316i> ;:16> ;:16i
Bluetooth Hacking Full Disclosure @ 21C3

HeloMoto

- Requires entry in "Device History"
  - OBEX PUSH to create entry
- Connect RFCOMM to Handsfree or Headset
  - No Authentication required
  - Full AT command set access
- Motorola V80, V500, V600 and E398

BlueBug History (1)

- First presentation in February 2004
  - FH Salzburg "Forum IK 2004"
  - Spicing up a presentation about Wardriving
- Got inspired from Adam's BlueSnarf which has been written about on slashdot
- Tried to figure out how Adam did it (no purpose-built tools available)
- Found BlueBug
  - Based on AT Commands -> not OBEX

BlueBug History (2)

- Fieldtrial at CeBIT 2004
  - Booth close to the restrooms -> many people there
  - Even Policemen :)
- Got on slashdot at the end of March 2004
- Teamed up with Adam in April 2004
- Various media citations
- Presentation at Blackhat and DEFCON in August 2004
- Full Disclosure at 21C3 in December 2004 (now!)

BlueBug Facts (1)

As mentioned earlier...
- BlueBug is based on AT Commands (ASCII Terminal)
- Very common for the configuration and control of telecommunications devices
- High level of control...
  - Call control (turning phone into a bug)
  - Sending/Reading/Deleting SMS
  - Reading/Writing Phonebook Entries
  - Setting Forwards -> causing costs on the vulnerable phones!

BlueBug Facts (2)

How come?!
- Various Manufacturers poorly implemented the Bluetooth security mechanisms
- Unpublished services on RFCOMM channels
  - Not announced via SDP
  - Connecting to unpublished HS service without pairing!
- Nokia has quite a lot of models (6310, 6310i, 8910, 8910i, ...)
- Sony Ericsson T68i, T610, ...
- Motorola has similar problems (see HeloMoto)

Bluetooone

- Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack
- Original idea from Mike Outmesguine (Author of Book: "Wi-Fi Toys")
- Step by Step instruction on trifinite.org

Long-Distance Attacking (BlueSniper)

- Beginning of August 2004 (right after DEFCON 12)
- Experiment in Santa Monica, California
- Modified Class-1 Dongle
- Snarfing/Bugging Class-2 device (Nokia 6310i) from a distance of 1,78 km (1.01 miles)

Blooover - What is it?

- Blooover - Bluetooth Wireless Technology Hoover
- Proof-of-Concept Application
- Educational Purposes only
- Phone Auditing Tool
- Running on Java
  - J2ME MIDP 2.0
  - Implemented JSR-82 (Bluetooth API)
  - Nokia 6600, Nokia 7610, Nokia 6670, ... Series 60
  - Siemens S65
  - SonyEricsson P900
  - ...

Blooover - What does it do?

Blooover is performing the BlueBug attack
- Reading phonebooks
- Writing phonebook entries
- Reading/decoding SMS stored on the device (buggy..)
- Setting Call forward (predef. Number) +49 1337 7001
- Initiating phone call (predef. Number) 0800 2848283

Not working well on Nokia phones :( but on some T610

Please use this application responsibly!
- For research purposes only!
- With permission of owner

Blueprinting - What is it?

- Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices
- This work has been started by Collin R. Mulliner and Martin Herfurt
- Relevant to all kinds of applications
  - Security auditing
  - Device Statistics
  - Automated Application Distribution
- Released paper and tool at 21C3 in December 2004 in Berlin (again, now!)

Blueprinting - How

- Hashing Information from Profile Entries
  - RecordHandle
  - RFCOMM channel number
  - Adding it all up: (RecHandle1*Channel1) + (RecHandle2*Channel2) + ... + (RecHandlen*Channeln)
- Bluetooth Device Address
  - First three bytes refer to manufacturer (IEEE OUI)
- Example of Blueprint: 00:60:57@2621543
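The hash from the slide, computed over a service listing, as an added Python example (written for this page, not the trifinite Blueprinting tool). It assumes a listing in the shape that sdptool browse prints (the sample below is constructed, not from a real device), extracts each record's handle and RFCOMM channel, sums RecHandle*Channel over the records, and prefixes the manufacturer OUI in the slide's OUI@hash notation; records that have no RFCOMM channel contribute nothing, which is an assumption about the slide's formula rather than something it states.

```python
import re


def oui_of(bdaddr):
    """Manufacturer part of a BD_ADDR: its first three bytes (IEEE OUI)."""
    parts = bdaddr.split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("not a BD_ADDR: " + bdaddr)
    return ":".join(p.upper() for p in parts[:3])


def parse_sdp_listing(text):
    """Pull (record handle, RFCOMM channel) pairs out of an sdptool-style
    service listing. Records without an RFCOMM channel get channel None."""
    records, handle, channel = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Service RecHandle:"):
            if handle is not None:
                records.append((handle, channel))
            handle = int(line.split(":", 1)[1], 16)   # "0x10000" -> 65536
            channel = None
        elif line.startswith("Channel:") and handle is not None:
            channel = int(line.split(":", 1)[1])
    if handle is not None:
        records.append((handle, channel))
    return records


def blueprint_hash(records):
    """(RecHandle1*Channel1) + (RecHandle2*Channel2) + ... as on the slide.
    Services that have no RFCOMM channel add nothing (assumption)."""
    return sum(handle * channel for handle, channel in records if channel)


def blueprint(bdaddr, records):
    """Blueprint in the slide's notation: OUI@hash, e.g. 00:60:57@2621543."""
    return f"{oui_of(bdaddr)}@{blueprint_hash(records)}"


# Constructed sample in the shape of sdptool browse output (not a real device).
SAMPLE_SDP = """\
Browsing 00:60:57:12:34:56 ...
Service Name: Dial-up networking
Service RecHandle: 0x10000
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
  "OBEX" (0x0008)

Service Name: Serial Port
Service RecHandle: 0x10002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3

Service Name: Bluetooth Network Access
Service RecHandle: 0x10003
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "BNEP" (0x000f)
"""


def demo():
    """Blueprint of the constructed sample device (address is constructed too)."""
    return blueprint("00:60:57:12:34:56", parse_sdp_listing(SAMPLE_SDP))
```

Two handle/channel assignments that happen to produce the same sum collide, so the OUI prefix does real work in telling manufacturers apart; the hash on its own only separates firmware builds within one vendor's address range.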

Blue"mack

!sing &2C%= echo (eature


"ignal channel reBuest.response &2C%= signal + ! is unkno$n -o open &2C%= channel needed

Bu((er o/er(lo$ Denial o( ser/ice attack

Bluetooth Hacking Full Disclosure @ 21C3

Blue"mack
E H#+ #ommand: #reate #onnection A030!F03000 B plen !$ 0000: .' !e $$ 'd 0e 00 !" cc 02 00 00 00 0! G H#+ 81ent: #ommand Status A030fB plen % 0000: 00 0! 0 0% G H#+ 81ent: #onnect #omplete A030$B plen !! 0000: 00 2/ 00 .' !d $2 'd 0e 00 0! 00 E A#L data: handle 03002/ fla<s 0302 dlen 2" L2#A(AsB: 8cho reH: dlen 20 0000: % %' %0 %" %/ %a %. %c %d %e %f 0 ! 2 00!0: ' 0 " G H#+ 81ent: *um.er of #ompleted (ac4ets A03!$B plen 0000: 0! 2/ 00 0! 00 G A#L data: handle 03002/ fla<s 0302 dlen 2" L2#A(AsB: 8cho rsp: dlen 20 0000: % %' %0 %" %/ %a %. %c %d %e %f 0 ! 2 00!0: ' 0 " E H#+ #ommand: Disconnect A030!F03000'B plen $ 0000: 2/ 00 !$ G H#+ 81ent: #ommand Status A030fB plen % 0000: 00 0! 0' 0% G H#+ 81ent: Disconn #omplete A030 B plen % 0000: 00 2/ 00 !' @@2m@@@@@@@@@ @@@@ @B@@@2m@@@@

82,H+I7LM*&(J)ST U56-

@B@@@ $ % 82,H+I7LM*&(J)ST U56-

B@@ @@@@ @B@@

Bluetooth Hacking Full Disclosure @ 21C3
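A decoder for the ACL packet in the dump above, as an added Python example (written for this page; not hcidump code and not part of the slides). It parses the HCI ACL header, the L2CAP basic header and the signalling command header, and applies the check a stack needs in order not to fall over on the echo feature: the whole signalling PDU is compared against the signalling-channel MTU, 48 bytes being the minimum the L2CAP specification requires a stack to support, so a request larger than the stack's actual buffer is dropped instead of copied. The raw bytes are re-assembled from the dump; the command identifier byte (0x01) is not visible in the dump and is assumed, and make_test_packet exists only to feed the checks.

```python
import struct

L2CAP_SIGNALLING_CID = 0x0001
L2CAP_ECHO_REQ = 0x08
L2CAP_ECHO_RSP = 0x09
# Minimum signalling-channel MTU from the L2CAP spec; a stack accepting more
# than it has buffer for is what an oversized echo request hits.
SIGNALLING_MTU = 48


def parse_acl(packet):
    """HCI ACL data packet -> (handle, flags, L2CAP bytes)."""
    if len(packet) < 4:
        raise ValueError("short ACL header")
    hf, dlen = struct.unpack_from("<HH", packet, 0)
    payload = packet[4:]
    if len(payload) != dlen:
        raise ValueError(f"ACL dlen {dlen} but {len(payload)} bytes follow")
    return hf & 0x0FFF, hf >> 12, payload


def parse_l2cap(payload):
    """L2CAP basic header -> (CID, body)."""
    if len(payload) < 4:
        raise ValueError("short L2CAP header")
    length, cid = struct.unpack_from("<HH", payload, 0)
    body = payload[4:]
    if len(body) != length:
        raise ValueError(f"L2CAP length {length} but {len(body)} bytes follow")
    return cid, body


def parse_signalling(body):
    """Signalling command header -> (code, identifier, data)."""
    if len(body) < 4:
        raise ValueError("short signalling header")
    code, ident, length = struct.unpack_from("<BBH", body, 0)
    data = body[4:]
    if len(data) != length:
        raise ValueError(f"command length {length} but {len(data)} bytes follow")
    return code, ident, data


def check_echo(packet, sig_mtu=SIGNALLING_MTU):
    """Classify one ACL packet; oversized echo commands are marked for dropping."""
    handle, flags, payload = parse_acl(packet)
    cid, body = parse_l2cap(payload)
    if cid != L2CAP_SIGNALLING_CID:
        return f"handle 0x{handle:04x}: not a signalling packet"
    code, ident, data = parse_signalling(body)
    if code not in (L2CAP_ECHO_REQ, L2CAP_ECHO_RSP):
        return f"handle 0x{handle:04x}: signalling code 0x{code:02x}"
    kind = "echo req" if code == L2CAP_ECHO_REQ else "echo rsp"
    if len(body) > sig_mtu:      # the MTU bounds the whole signalling PDU
        return f"{kind}: dlen {len(data)} exceeds signalling MTU {sig_mtu} (drop)"
    return f"{kind}: dlen {len(data)} ok"


def make_test_packet(handle, code, ident, data):
    """Assemble an ACL packet carrying one signalling command (test input only)."""
    sig = struct.pack("<BBH", code, ident, len(data)) + data
    l2cap = struct.pack("<HH", len(sig), L2CAP_SIGNALLING_CID) + sig
    return struct.pack("<HH", (0x2 << 12) | handle, len(l2cap)) + l2cap


# The echo request from the dump above as raw bytes (identifier 0x01 assumed).
SAMPLE_ECHO_REQ = bytes.fromhex(
    "29 20 1c 00 "                     # ACL: handle 0x0029, flags 0x02, dlen 28
    "18 00 01 00 "                     # L2CAP: length 24, CID 0x0001 (signalling)
    "08 01 14 00 "                     # Echo req (0x08), ident 1, length 20
    "45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58"
)
```

Every length field is checked against the bytes that actually follow it before anything is read, so a truncated or inconsistent packet raises instead of indexing past the buffer; that is the same discipline, applied one layer up, that the MTU check enforces for the echo data.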

Conclusions

- Bluetooth is a secure standard (per se)
  - Problems at application level
  - Pre-release testing at UPF (UnPlugFest)
- Cooperation with Bluetooth SIG
  - Specifics under NDA
  - Security Expert Group mailing list
  - bluetooth.org more open areas
- Better communication channels for external testers
- Mandatory security at application level

trifinite.org

- http://trifinite.org/
- Loose association of BT security experts
- Features
  - trifinite.blog
  - trifinite.stuff
  - trifinite.album
  - trifinite.group

trifinite.group

- Adam Laurie (the Bunker Secure Hosting)
- Marcel Holtmann (BlueZ)
- Collin Mulliner (mulliner.org)
- Tim Hurman (Pentest)
- Mark Rowe (Pentest)
- Martin Herfurt (trifinite.org)
- Spot (Sony)

Questions / Feedback / Answers

Contact us via 21c3@trifinite.org (group alias for Adam, Marcel and Martin)