Agenda
- The security mechanisms
- Known vulnerabilities
- Tools that are used
- Live demonstration
- Who is investigating

Speakers
- Adam Laurie: CSO of The Bunker Secure Hosting Ltd.; DEFCON staff and organizer
- Marcel Holtmann: Maintainer of the Linux Bluetooth stack
- Martin Herfurt: Security researcher; Founder of trifinite.org

What is this about?

What is Bluetooth?
- Bluetooth SIG: trade association, founded 1998, owns and licenses the IP
- Bluetooth technology: a general cable replacement using the ISM band at 2.4 GHz, defined as a protocol stack plus application profiles

How it works
- Data and voice transmission: ACL data connections; SCO and eSCO voice channels
- Piconet and scatternet topology
- Frequency hopping: 79 channels, 1600 hops per second

Creating the topology
- The hopping sequence defines the piconet

- The master defines the hopping sequence
- Up to seven active slaves per piconet
- Scatternet creation: a device that takes part in more than one piconet links them

Bluetooth architecture
- Hardware layer: Radio, Baseband and Link Manager
- Access through the Host Controller Interface (HCI); transport standards for USB and UART
- Host protocols: L2CAP, SDP, RFCOMM, BNEP, AVDTP etc.
- Application profiles: Serial Port Profile, Dialup Networking, PAN, A2DP, HID etc.

Bluetooth stack: where security lives
- Application-specific security mechanisms
- Bluetooth host security mechanisms
- Security mechanisms on the Bluetooth chip

Bluetooth security

Link manager security
- All security routines run on-chip
- Nothing is transmitted in "plain text" over the air

Interface to the link manager security
- Part of the HCI specification
- Easy interface
- No further encryption of PIN codes or keys: they cross the HCI transport (USB, UART) exactly as they are

Host stack security

Bluetooth link keys
- Needed for authentication
- Used to derive the encryption key (the key functions build on SAFER+, a 128-bit block cipher; the link itself is encrypted with the E0 stream cipher)
- Generated by the pairing process from:
  - Passkey / PIN (1-16 alphanumeric characters)
  - Random number (from the device's internal clock)
  - BD_ADDR of the piconet master

Security modes
- Security mode 1: no active security enforcement
- Security mode 2: service level security; on the device level no difference to mode 1
- Security mode 3: device level security; security is enforced for every low-level connection

Security commands
- Settings: HCI_{Read|Write|Delete}_Stored_Link_Key, HCI_{Read|Write}_Authentication_Enable, HCI_{Read|Write}_Encryption_Mode
- Actions: HCI_Authentication_Requested, HCI_Set_Connection_Encryption, HCI_Change_Connection_Link_Key

Pairing functions
- Events: HCI_Pin_Code_Request, HCI_Link_Key_Request, HCI_Link_Key_Notification
- Responses: HCI_Pin_Code_Request_[Negative_]Reply, HCI_Link_Key_Request_[Negative_]Reply

How pairing works (">" = event from the controller to the host, "<" = command from the host to the controller)
- First connection:
  (1) > HCI_Pin_Code_Request
  (2) < HCI_Pin_Code_Request_Reply
  (3) > HCI_Link_Key_Notification
- Further connections:
  (1) > HCI_Link_Key_Request
  (2) < HCI_Link_Key_Request_Reply
  (3) > HCI_Link_Key_Notification (optional)

How to avoid pairing
- vCard / Contacts exchange (IrMC) runs over OBEX
- OBEX Push Profile and Synchronization Profile, each on its own RFCOMM channel (channels 3 and 4 in the diagram)
- Stack below them: Security Manager, RFCOMM, L2CAP
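The pairing exchange from the "How pairing works" slides, as an added simulation (not code from the trifinite talk or from BlueZ). A toy Host and Controller trade messages named after the HCI commands and events listed above, with ">" for controller-to-host events and "<" for host-to-controller commands. It also shows the HCI_Link_Key_Request / Negative_Reply round that the spec runs before the PIN request on a first connection, which the slide collapses. Assumptions: the link-key derivation is a SHA-256 stand-in for the spec's SAFER+-based key functions (E21/E22 are not reproduced), the remote device is taken to compute the same key from the same PIN and random number, and the authentication result is a simple key comparison standing in for the E1 challenge/response.

```python
"""Toy HCI pairing flow: Host <-> Controller, traced as HCI command/event names.

Added example, not the talk's or BlueZ's code.  derive_link_key() is a SHA-256
stand-in for the Bluetooth key functions (assumption, not the real E21/E22).
"""
import hashlib
import os
from typing import Callable, Dict, List, Optional, Tuple

Trace = List[Tuple[str, str]]   # (direction, HCI message name)

STATUS_OK, STATUS_AUTH_FAILURE = 0x00, 0x05   # HCI status codes


def derive_link_key(pin: bytes, rand: bytes, bd_addr: bytes) -> bytes:
    # Stand-in for PIN + random number + BD_ADDR -> 128-bit link key.
    return hashlib.sha256(pin + rand + bd_addr).digest()[:16]


class Host:
    """Host stack: owns the PIN and the stored-link-key table
    (what HCI_Write_Stored_Link_Key / HCI_Delete_Stored_Link_Key manage)."""

    def __init__(self, pin: bytes):
        self.pin = pin
        self.stored_keys: Dict[bytes, bytes] = {}   # remote BD_ADDR -> link key

    def link_key_for(self, remote: bytes) -> Optional[bytes]:
        return self.stored_keys.get(remote)

    def forget(self, remote: bytes) -> None:        # HCI_Delete_Stored_Link_Key
        self.stored_keys.pop(remote, None)


class Controller:
    """Link-manager side: asks the host for keys/PINs and runs authentication."""

    def __init__(self, bd_addr: bytes, rng: Callable[[int], bytes] = os.urandom):
        self.bd_addr = bd_addr
        self.rng = rng
        # Key the remote device ends up holding (assumed: it derives the same key).
        self.peer_keys: Dict[bytes, bytes] = {}

    def connect(self, host: Host, remote: bytes) -> Trace:
        trace: Trace = [(">", "HCI_Link_Key_Request")]
        key = host.link_key_for(remote)
        if key is None:
            # First connection: no stored key, so the controller asks for a PIN.
            trace.append(("<", "HCI_Link_Key_Request_Negative_Reply"))
            trace.append((">", "HCI_Pin_Code_Request"))
            trace.append(("<", "HCI_Pin_Code_Request_Reply"))
            rand = self.rng(16)
            key = derive_link_key(host.pin, rand, self.bd_addr)
            self.peer_keys[remote] = key
            trace.append((">", "HCI_Link_Key_Notification"))
            host.stored_keys[remote] = key      # host persists the new key
        else:
            # Further connections: the stored key is handed down, no PIN needed.
            trace.append(("<", "HCI_Link_Key_Request_Reply"))
        # Stand-in for the E1 challenge/response: both sides must hold the same key.
        status = STATUS_OK if self.peer_keys.get(remote) == key else STATUS_AUTH_FAILURE
        trace.append((">", f"HCI_Authentication_Complete(status=0x{status:02x})"))
        return trace


if __name__ == "__main__":
    host = Host(b"1234")
    ctrl = Controller(bytes.fromhex("001122334455"))
    peer = bytes.fromhex("aabbccddeeff")
    for step in ctrl.connect(host, peer) + ctrl.connect(host, peer):
        print(*step)
```

Running it prints the first connection with the PIN round trip and the second connection with only HCI_Link_Key_Request / Reply, which is exactly why a stored link key lets an attacker reconnect silently later: the PIN is never asked for again until the key is deleted.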
BlueSnarf
- Trivial OBEX Push attack: pull known objects instead of pushing
- No authentication required
- Published in October 2003; discovered by Marcel Holtmann
- Also discovered by Adam Laurie; published in November 2003
- Field tests at the London Underground etc.

BlueBug
- Issuing AT commands over hidden and unprotected RFCOMM channels
- Full control over the phone
- Motivated by the BlueSnarf attack
- Public field test at CeBIT 2004
- Discovered by Martin Herfurt
- Possibility to cause extra costs (calls and messages at the victim's expense)

HeloMoto
- Requires an entry in the phone's "My Devices" list
- Use OBEX Push to create that entry; no full OBEX exchange needed
- Connect to the headset/handsfree channel: no authentication required
- Full access with AT commands
- Discovered by Adam Laurie

Authentication abuse
- Create a pairing: authenticate for a benign task, or force authentication (use security mode 3 if needed)
- Then connect to channels the user never authorized: Serial Port Profile, Dialup Networking, OBEX File Transfer
- The pairing authenticates the device, not a service, so one link key opens every channel

BlueSmack
- Uses the L2CAP echo feature: signaling channel request and response
- The L2CAP signaling MTU is unknown, so oversized echo requests are sent
- No open L2CAP channel needed
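The BlueSnarf slide above says the attack pulls known objects over the OBEX Push channel without authentication. The following added example (not code from the trifinite talk or from any phone firmware) encodes OBEX requests as the OBEX spec lays them out (opcode, 2-byte big-endian packet length, headers) and models a toy push service in its vulnerable form, which answers GET, next to a hardened form that only admits what the push profile exists for. Assumptions: the object names telecom/pb.vcf and telecom/cal.vcs are the IrMC names BlueSnarf fetched, and the phonebook and calendar contents are constructed sample data.

```python
"""OBEX request builder/parser plus a toy OBEX Push handler (BlueSnarf condition).

Added example, not the talk's code.  The sample objects under telecom/ are
constructed; the OBEX framing follows the public OBEX specification.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Request opcodes (final bit set) and response codes (final bit set).
CONNECT, DISCONNECT, PUT, GET = 0x80, 0x81, 0x82, 0x83
SUCCESS, FORBIDDEN, NOT_FOUND, NOT_IMPLEMENTED = 0xA0, 0xC3, 0xC4, 0xD1
# Header identifiers: top two bits give the encoding (00 unicode, 01 bytes, 10 one byte, 11 four bytes).
HDR_NAME, HDR_BODY, HDR_END_OF_BODY = 0x01, 0x48, 0x49

Headers = List[Tuple[int, bytes]]


def name_header(name: str) -> bytes:
    # Unicode header: HI, 2-byte total length, UTF-16BE text with a NUL terminator.
    text = name.encode("utf-16-be") + b"\x00\x00"
    return struct.pack(">BH", HDR_NAME, 3 + len(text)) + text


def bytes_header(hi: int, data: bytes) -> bytes:
    return struct.pack(">BH", hi, 3 + len(data)) + data


def packet(opcode: int, payload: bytes = b"") -> bytes:
    # Every OBEX packet: opcode, 2-byte length covering the whole packet, then payload.
    return struct.pack(">BH", opcode, 3 + len(payload)) + payload


def connect_request(max_packet: int = 0x2000) -> bytes:
    # CONNECT carries version 1.0, flags and max packet length before any headers.
    return packet(CONNECT, struct.pack(">BBH", 0x10, 0x00, max_packet))


def get_request(name: str) -> bytes:
    return packet(GET, name_header(name))


def parse_headers(data: bytes) -> Headers:
    headers: Headers = []
    i = 0
    while i < len(data):
        hi = data[i]
        kind = hi & 0xC0
        if kind in (0x00, 0x40):                     # length-prefixed text or bytes
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            headers.append((hi, data[i + 3:i + length]))
            i += length
        elif kind == 0x80:                           # single byte value
            headers.append((hi, data[i + 1:i + 2]))
            i += 2
        else:                                        # four byte value
            headers.append((hi, data[i + 1:i + 5]))
            i += 5
    return headers


def parse_request(pkt: bytes) -> Tuple[int, Headers]:
    opcode, length = struct.unpack(">BH", pkt[:3])
    if length != len(pkt):
        raise ValueError("OBEX length field does not match packet size")
    body = pkt[3:]
    if opcode == CONNECT:
        body = body[4:]                              # skip version, flags, max packet length
    return opcode, parse_headers(body)


def header_name(headers: Headers) -> str:
    for hi, value in headers:
        if hi == HDR_NAME:
            return value.decode("utf-16-be").rstrip("\x00")
    return ""


# Constructed sample store: what an IrMC-style phone exposes under telecom/.
OBJECTS: Dict[str, bytes] = {
    "telecom/pb.vcf": b"BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\nTEL:+4912345\r\nEND:VCARD\r\n",
    "telecom/cal.vcs": b"BEGIN:VCALENDAR\r\nVERSION:1.0\r\nEND:VCALENDAR\r\n",
}


def push_service(pkt: bytes, hardened: bool) -> Tuple[int, bytes]:
    """Toy OBEX Push server.  hardened=False reproduces the BlueSnarf condition:
    a GET for a known object is served with no authentication at all.
    hardened=True admits only CONNECT/PUT/DISCONNECT and refuses GET outright."""
    opcode, headers = parse_request(pkt)
    if opcode in (CONNECT, DISCONNECT, PUT):
        return SUCCESS, b""                          # pushed objects are not stored here
    if opcode == GET:
        if hardened:
            return FORBIDDEN, b""
        name = header_name(headers)
        if name in OBJECTS:
            return SUCCESS, bytes_header(HDR_END_OF_BODY, OBJECTS[name])
        return NOT_FOUND, b""
    return NOT_IMPLEMENTED, b""


def snarf(name: str, hardened: bool) -> Optional[bytes]:
    """What the attacker gets back for one GET of `name`, or None."""
    code, payload = push_service(get_request(name), hardened)
    if code != SUCCESS:
        return None
    for hi, value in parse_headers(payload):
        if hi == HDR_END_OF_BODY:
            return value
    return None
```

The fix is not a bigger parser but a smaller one: a push service has no business implementing GET at all, and the hardened branch simply refuses the opcode on that channel.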

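For the BlueSmack slide above, here is an added example (not code from the trifinite talk or from BlueZ) of the L2CAP signaling exchange it abuses. It builds L2CAP frames the way the spec lays them out (2-byte little-endian length, 2-byte CID, then for the signaling channel a command of code, identifier, 2-byte length and data) and models a receiver in two variants: one that enforces its signaling MTU and answers an oversized echo request with a Command Reject carrying reason 0x0001 (Signaling MTU exceeded) and its real MTU, and one with no check that falls over, which is the BlueSmack condition. The 48-byte MTU is the spec minimum for the signaling channel; the fixed-buffer failure is a constructed stand-in for the firmware crash. `blue_smack()` does offline what `l2ping -s <size>` did against a real target.

```python
"""L2CAP signaling echo request/response and a toy receiver with/without MTU check.

Added example, not the talk's code.  Frame layout follows the L2CAP spec;
Receiver is a simulation, and its MemoryError stands in for a device crash.
"""
import struct
from typing import Tuple

SIGNALING_CID = 0x0001                      # always present: no channel setup needed
ECHO_REQUEST, ECHO_RESPONSE, COMMAND_REJECT = 0x08, 0x09, 0x01
REASON_NOT_UNDERSTOOD, REASON_MTU_EXCEEDED = 0x0000, 0x0001
MIN_SIGNALING_MTU = 48                      # spec minimum for the signaling channel


def l2cap_frame(cid: int, payload: bytes) -> bytes:
    return struct.pack("<HH", len(payload), cid) + payload


def signaling_command(code: int, ident: int, data: bytes) -> bytes:
    return l2cap_frame(SIGNALING_CID, struct.pack("<BBH", code, ident, len(data)) + data)


def echo_request(ident: int, data: bytes) -> bytes:
    return signaling_command(ECHO_REQUEST, ident, data)


def parse_signaling(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (code, identifier, data) of the first command in a signaling frame."""
    length, cid = struct.unpack("<HH", frame[:4])
    if cid != SIGNALING_CID or length != len(frame) - 4:
        raise ValueError("not a well-formed signaling frame")
    code, ident, clen = struct.unpack("<BBH", frame[4:8])
    if clen > length - 4:
        raise ValueError("command length exceeds frame")
    return code, ident, frame[8:8 + clen]


class Receiver:
    """Toy link-layer peer.  enforce_mtu=False reproduces what BlueSmack hit:
    echo data copied into an MTU-sized buffer without a length check."""

    def __init__(self, sig_mtu: int = MIN_SIGNALING_MTU, enforce_mtu: bool = True):
        self.sig_mtu = sig_mtu
        self.enforce_mtu = enforce_mtu
        self.buffer = bytearray(sig_mtu)

    def handle(self, frame: bytes) -> bytes:
        code, ident, data = parse_signaling(frame)
        if code != ECHO_REQUEST:
            return signaling_command(COMMAND_REJECT, ident,
                                     struct.pack("<H", REASON_NOT_UNDERSTOOD))
        if len(data) > self.sig_mtu:
            if self.enforce_mtu:
                # Spec behaviour: reject and report the actual signaling MTU.
                return signaling_command(COMMAND_REJECT, ident,
                                         struct.pack("<HH", REASON_MTU_EXCEEDED, self.sig_mtu))
            # Vulnerable path: constructed stand-in for a memcpy into a fixed buffer.
            raise MemoryError(f"signaling buffer overrun: {len(data)} > {self.sig_mtu}")
        self.buffer[:len(data)] = data
        return signaling_command(ECHO_RESPONSE, ident, bytes(self.buffer[:len(data)]))


def blue_smack(target: Receiver, size: int, ident: int = 1) -> str:
    """Send one echo request of `size` data bytes and classify the outcome."""
    try:
        code, _, data = parse_signaling(target.handle(echo_request(ident, b"\x41" * size)))
    except MemoryError:
        return "crashed"
    if code == COMMAND_REJECT:
        (reason,) = struct.unpack("<H", data[:2])
        if reason == REASON_MTU_EXCEEDED:
            (mtu,) = struct.unpack("<H", data[2:4])
            return f"rejected (reason {reason}, mtu {mtu})"
        return f"rejected (reason {reason})"
    return "echoed"


if __name__ == "__main__":
    for size in (40, 600):
        print(size, "strict:", blue_smack(Receiver(), size),
              "| unchecked:", blue_smack(Receiver(enforce_mtu=False), size))
```

Two things the simulation makes visible: the signaling channel needs no connection setup, so the attacker never has to pass any service-level check, and a compliant stack tells the sender its MTU in the reject, which is also how a defender's fuzzer can tell a patched device from a vulnerable one.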
Slides: Bluetooth Hacking - Full Disclosure (PDF)