SlideShare una empresa de Scribd logo

Defcon 18-dunning-breaking-bluetooth

Vengadanathan Srinivasan
Vengadanathan Srinivasan

Blue tooth hacking .

1 de 30
Descargar para leer sin conexión
Breaking Bluetooth By Being Bored JP Dunning DefCon 2010 © Shadow Cave LLC
JP Dunning Graduate Student: Computer Science, Virginia Tech Research Focus: Wireless and Portable Security Website: www.hackfromacave.com © Shadow Cave LLC© Shadow Cave LLC
Bluetooth ● IEEE 802.15.1 ● Low Power / Short Range ● Ad-Hoc (Piconet) ● Deployed on over 1 billions devices worldwide © Shadow Cave LLC
Obfuscation and Reconnaissance © Shadow Cave LLC
Cloning/Spoofing Profile ● Bluetooth Profile: – Device Address, Device Class, Device Name ● Bluetooth Profile Cloning: – Modify host Bluetooth Adapter profile to match the profile of another device – Done manually using hciconfig and bdaddr ● Bluetooth Profile Spoofing: – Creating a misleading profile of host Bluetooth Adapter © Shadow Cave LLC
SpoofTooph ● Automate / simplify Bluetooth profile modification process ● Useful for – Obfuscation – Impersonations – Observation ● 5 different modes © Shadow Cave LLC
SpoofTooph ● Mode 1: > spooftooph -i hci0 -s -d scan.log – Scan local area for devices – Save list of devices found – Select a device from the list to clone ● Mode 2: > spooftooph -i hci0 -r – Randomly generate Bluetooth profile ● Device Class – Random Valid Class ● Device Name - 100 most popular Ameraican names + device type ● Device Addr – Random MAC © Shadow Cave LLC
SpoofTooph ● Mode 3: > spooftooph -i hci0 -n new_name -a 00:11:22:33:44:55 -c 0x4a010c – Specify Name, Class, and Address ● Mode 4: > spooftooph -i hci0 -l scan.log – Read in previously logged scan – Select a device from the list to clone ● Mode 5: > spooftooph -i hci0 -t 10 – Incognito: Scan for devices every X seconds and clone the first profile on the list © Shadow Cave LLC
SpoofTooph © Shadow Cave LLC
Bluetooth Profiling Project ● Collect Device Name, Device Address and Device Class on as many devices as possible ● Same idea as Josh Wright's Bnap,Bnap, but collecting device profiles from others devices instead ● Collected over 1,500 device profiles so far © Shadow Cave LLC
Bluetooth Profiling Project ● Use for this data: – Mapping the address range of Bluetooth ● Improve Redfang discovery scans ● Matching address range with device model – Research – Discovering information disclosure © Shadow Cave LLC
Bluetooth Profiling Project ● Disclosure of sensitive information ● What information can be gathered from the device profile? – Can the Device Address be used to identify the device modes? – What can be extracted from the device name? © Shadow Cave LLC
Bluetooth Profiling Project ● Can the Device Address be used to identify the device modes? – Yes, the addresses used for Device Address (MAC) are the same as those used by Ethernet or ZigBee – The first 24-bits are Organizationally Unique Identifiers (OUI), registered to specific entities, often often use a subset of those address ranges for a specific model of device – The reverse can be done to attempt to guess the address based on the device model © Shadow Cave LLC
Bluetooth Profiling Project ● What can be extracted from the device name? – First Name – A first name, presumably the first name of the device owner. – Last Name – A last name, presumably the last name of the device owner. – Nickname – What appears to be a user name or 'handle'. – Location – Information that can be used to determine the location of the device. – Device Model – Identifying information that could lead to profiling the device as a specific model. © Shadow Cave LLC
Bluetooth Profiling Project ● Percentage of devices names which disclosed sensitive information (out of the 1,500 profiles collected) First Name Last Name Location Device Model Nickname / Handle 28.17% 18.76% 1.30% 70.54% 1.51% © Shadow Cave LLC
Mall Nibbling Dropping by your local mall to collect information on the cornucopia of Bluetooth devices. © Shadow Cave LLC
Mall Nibbling ● Performing Mall Nibbling: Things to Know – Come equipped with a Class 1 bluetooth dongle (cantenna attachment optional, but recommended :) ) – Obfuscate your Bluetooth interface – While device discovery takes less then 2 seconds, getting the name of the device requires a follow up request. Plan on spending at least 1 minute per location for each scan. © Shadow Cave LLC
Offensive © Shadow Cave LLC
vCardBlaster ● vCard - “Virtual Business Card” – Used to exchange personal information ● Many Bluetooth devices allow exchange of vCards – Phones, PDAs, PCs, etc © Shadow Cave LLC
vCardBlaster ● vCardBlaster is capable of sending a constant stream of vCards over Bluetooth – Users can select a single target or attack all devices in range – vCards can be specified or generated by vCardBlaster © Shadow Cave LLC
Bluetooth vCard Contact List DoS ● vCardBlaster can be used to preform a DoS on a Contact List ● Vuln: – Some devices, upon receiving a vCard, will automatically add the information to the local Contact List. – Each name provided in the vCard must be unique. – Sending a flood of vCards fills up the contact list with new false contacts © Shadow Cave LLC
vCardBlaster © Shadow Cave LLC
Blueper ● Blueper is capable of sending a constant stream of files over Bluetooth – Users can select a single target or attack all devices in range – Files can be specified or generated – User can specify file size © Shadow Cave LLC
Bluetooth OBEX Disk Cache DoS ● Blueper can be used to preform a DoS using the systems caching of file data ● Vuln: – Some devices cache files sent over Bluetooth OBEX before prompting user to accept or reject the file transfer. – Sending files over extended periods of time can fill up disk. – It can cause system crash. © Shadow Cave LLC
Blueper © Shadow Cave LLC
Pwntooth ● Suite of Bluetooth attack tools ● Designed to automate multiple attacks against multiple targets. ● Comes bundled with tools like: – Bluetooth Stack Smasher – BT_AUDIT – Bluesnrf – Blueper / vCardBlaster © Shadow Cave LLC
Pwntooth ● Pwntooth uses a user defined config file as an attack script ● This config file uses * as a wild card character for device address © Shadow Cave LLC
pwntooth.conf © Shadow Cave LLC
Pwntooth ● Default config /etc/bluetooth/pwntooth.conf ● If a address device is detected in multiple iterations of scans, the attacks listed in the config file are only run the first time ● Example: Scan area 10 times and save output to logfile.txt using default config. > pwntooth -l logfile.txt -s 10 © Shadow Cave LLC
Project Pages www.hackfromacave.com ● SpoofTooph: http://www.hackfromacave.com/projects/spooftooph.html ● Bluetooth Profiling Project: http://www.hackfromacave.com/projects/bpp.html ● vCardBlaster: www.hackfromacave.com/vcardblaster.html ● Blueper: www.hackfromacave.com/blueper.html ● Pwntooth: www.hackfromacave.com/pwntooth.html © Shadow Cave LLC

Recomendados

2018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.22018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.2Len Noe
 
অত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছে
অত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছেঅত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছে
অত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছেKhaled Raihan
 
BLE SMART-LOCATIONS by sodexo
BLE SMART-LOCATIONS by sodexoBLE SMART-LOCATIONS by sodexo
BLE SMART-LOCATIONS by sodexoGustavo RUEDA LÓPEZ
 
CSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage GearCSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage Gearshawn_merdinger
 
BSNL hacks
BSNL hacksBSNL hacks
BSNL hacksVengadanathan Srinivasan
 
Pwning bsnl
Pwning bsnlPwning bsnl
Pwning bsnlVengadanathan Srinivasan
 
Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016
Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016
Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016Cámara de Comercio de Armenia y del Quindío
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsLinkedIn
 

Recomendados

2018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.22018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.2Len Noe
 
অত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছে
অত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছেঅত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছে
অত্যাধুনিক কম্পিউটারের দ্রুত অগ্রগতির মূলে রয়েছেKhaled Raihan
 
BLE SMART-LOCATIONS by sodexo
BLE SMART-LOCATIONS by sodexoBLE SMART-LOCATIONS by sodexo
BLE SMART-LOCATIONS by sodexoGustavo RUEDA LÓPEZ
 
CSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage GearCSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage Gearshawn_merdinger
 
BSNL hacks
BSNL hacksBSNL hacks
BSNL hacksVengadanathan Srinivasan
 
Pwning bsnl
Pwning bsnlPwning bsnl
Pwning bsnlVengadanathan Srinivasan
 
Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016
Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016
Observatorio de Turismo en el Quindío No. 35 | Semana Santa 2016Cámara de Comercio de Armenia y del Quindío
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsLinkedIn
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Android Bluetooth Introduction
Android Bluetooth IntroductionAndroid Bluetooth Introduction
Android Bluetooth IntroductionErin Yueh
 
IoT setup and pairing
IoT setup and pairingIoT setup and pairing
IoT setup and pairingGuy Vinograd ☁
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Securely Deploying Android Device - ISSA (Ireland)
Securely Deploying Android Device - ISSA (Ireland) Securely Deploying Android Device - ISSA (Ireland)
Securely Deploying Android Device - ISSA (Ireland)Angelill0
 
THAT_2023_BLE.pdf
THAT_2023_BLE.pdfTHAT_2023_BLE.pdf
THAT_2023_BLE.pdfRobin Schroeder
 
Defcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosPriyanka Aash
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videorobbuddingh
 
Csi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide MerdingerCsi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide Merdingershawn_merdinger
 
Kyle Taylor – increasing your security posture using mc afee epo
Kyle Taylor – increasing your security posture using mc afee epoKyle Taylor – increasing your security posture using mc afee epo
Kyle Taylor – increasing your security posture using mc afee epoKyle Taylor
 
Bluetooth technology
Bluetooth technologyBluetooth technology
Bluetooth technologyDeevena Dayaal
 
Connect your Android to the real world with Bluetooth Low Energy
Connect your Android to the real world with Bluetooth Low EnergyConnect your Android to the real world with Bluetooth Low Energy
Connect your Android to the real world with Bluetooth Low EnergyGabor Paller
 
Defending Your Network
Defending Your NetworkDefending Your Network
Defending Your NetworkAdam Getchell
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hackSlawomir Jasek
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersVi Tính Hoàng Nam
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Wireless personal area networks(PAN)
Wireless personal area networks(PAN)Wireless personal area networks(PAN)
Wireless personal area networks(PAN)punjab engineering college, chandigarh
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Damien Contreras
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 
Bluetooth
BluetoothBluetooth
BluetoothFahim Faysal
 

Más contenido relacionado

Similar a Defcon 18-dunning-breaking-bluetooth

Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Android Bluetooth Introduction
Android Bluetooth IntroductionAndroid Bluetooth Introduction
Android Bluetooth IntroductionErin Yueh
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Securely Deploying Android Device - ISSA (Ireland)
Securely Deploying Android Device - ISSA (Ireland) Securely Deploying Android Device - ISSA (Ireland)
Securely Deploying Android Device - ISSA (Ireland)Angelill0
 
Defcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosPriyanka Aash
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videorobbuddingh
 
Csi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide MerdingerCsi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide Merdingershawn_merdinger
 
Kyle Taylor – increasing your security posture using mc afee epo
Kyle Taylor – increasing your security posture using mc afee epoKyle Taylor – increasing your security posture using mc afee epo
Kyle Taylor – increasing your security posture using mc afee epoKyle Taylor
 
Connect your Android to the real world with Bluetooth Low Energy
Connect your Android to the real world with Bluetooth Low EnergyConnect your Android to the real world with Bluetooth Low Energy
Connect your Android to the real world with Bluetooth Low EnergyGabor Paller
 
Defending Your Network
Defending Your NetworkDefending Your Network
Defending Your NetworkAdam Getchell
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hackSlawomir Jasek
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersVi Tính Hoàng Nam
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Damien Contreras
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 

Similar a Defcon 18-dunning-breaking-bluetooth (20)

Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Android Bluetooth Introduction
Android Bluetooth IntroductionAndroid Bluetooth Introduction
Android Bluetooth Introduction
 
IoT setup and pairing
IoT setup and pairingIoT setup and pairing
IoT setup and pairing
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Securely Deploying Android Device - ISSA (Ireland)
Securely Deploying Android Device - ISSA (Ireland) Securely Deploying Android Device - ISSA (Ireland)
Securely Deploying Android Device - ISSA (Ireland)
 
THAT_2023_BLE.pdf
THAT_2023_BLE.pdfTHAT_2023_BLE.pdf
THAT_2023_BLE.pdf
 
Defcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddos
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_video
 
Csi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide MerdingerCsi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide Merdinger
 
Kyle Taylor – increasing your security posture using mc afee epo
Kyle Taylor – increasing your security posture using mc afee epoKyle Taylor – increasing your security posture using mc afee epo
Kyle Taylor – increasing your security posture using mc afee epo
 
Bluetooth technology
Bluetooth technologyBluetooth technology
Bluetooth technology
 
Connect your Android to the real world with Bluetooth Low Energy
Connect your Android to the real world with Bluetooth Low EnergyConnect your Android to the real world with Bluetooth Low Energy
Connect your Android to the real world with Bluetooth Low Energy
 
Defending Your Network
Defending Your NetworkDefending Your Network
Defending Your Network
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computers
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Wireless personal area networks(PAN)
Wireless personal area networks(PAN)Wireless personal area networks(PAN)
Wireless personal area networks(PAN)
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
 
Bluetooth
BluetoothBluetooth
Bluetooth
 

Defcon 18-dunning-breaking-bluetooth

  • 1. Breaking Bluetooth By Being Bored JP Dunning DefCon 2010 © Shadow Cave LLC
  • 2. JP Dunning Graduate Student: Computer Science, Virginia Tech Research Focus: Wireless and Portable Security Website: www.hackfromacave.com © Shadow Cave LLC© Shadow Cave LLC
  • 3. Bluetooth ● IEEE 802.15.1 ● Low Power / Short Range ● Ad-Hoc (Piconet) ● Deployed on over 1 billions devices worldwide © Shadow Cave LLC
  • 5. Cloning/Spoofing Profile ● Bluetooth Profile: – Device Address, Device Class, Device Name ● Bluetooth Profile Cloning: – Modify host Bluetooth Adapter profile to match the profile of another device – Done manually using hciconfig and bdaddr ● Bluetooth Profile Spoofing: – Creating a misleading profile of host Bluetooth Adapter © Shadow Cave LLC
  • 6. SpoofTooph ● Automate / simplify Bluetooth profile modification process ● Useful for – Obfuscation – Impersonations – Observation ● 5 different modes © Shadow Cave LLC
  • 7. SpoofTooph ● Mode 1: > spooftooph -i hci0 -s -d scan.log – Scan local area for devices – Save list of devices found – Select a device from the list to clone ● Mode 2: > spooftooph -i hci0 -r – Randomly generate Bluetooth profile ● Device Class – Random Valid Class ● Device Name - 100 most popular Ameraican names + device type ● Device Addr – Random MAC © Shadow Cave LLC
  • 8. SpoofTooph ● Mode 3: > spooftooph -i hci0 -n new_name -a 00:11:22:33:44:55 -c 0x4a010c – Specify Name, Class, and Address ● Mode 4: > spooftooph -i hci0 -l scan.log – Read in previously logged scan – Select a device from the list to clone ● Mode 5: > spooftooph -i hci0 -t 10 – Incognito: Scan for devices every X seconds and clone the first profile on the list © Shadow Cave LLC
  • 10. Bluetooth Profiling Project ● Collect Device Name, Device Address and Device Class on as many devices as possible ● Same idea as Josh Wright's Bnap,Bnap, but collecting device profiles from others devices instead ● Collected over 1,500 device profiles so far © Shadow Cave LLC
  • 11. Bluetooth Profiling Project ● Use for this data: – Mapping the address range of Bluetooth ● Improve Redfang discovery scans ● Matching address range with device model – Research – Discovering information disclosure © Shadow Cave LLC
  • 12. Bluetooth Profiling Project ● Disclosure of sensitive information ● What information can be gathered from the device profile? – Can the Device Address be used to identify the device modes? – What can be extracted from the device name? © Shadow Cave LLC
  • 13. Bluetooth Profiling Project ● Can the Device Address be used to identify the device modes? – Yes, the addresses used for Device Address (MAC) are the same as those used by Ethernet or ZigBee – The first 24-bits are Organizationally Unique Identifiers (OUI), registered to specific entities, often often use a subset of those address ranges for a specific model of device – The reverse can be done to attempt to guess the address based on the device model © Shadow Cave LLC
  • 14. Bluetooth Profiling Project ● What can be extracted from the device name? – First Name – A first name, presumably the first name of the device owner. – Last Name – A last name, presumably the last name of the device owner. – Nickname – What appears to be a user name or 'handle'. – Location – Information that can be used to determine the location of the device. – Device Model – Identifying information that could lead to profiling the device as a specific model. © Shadow Cave LLC
  • 15. Bluetooth Profiling Project ● Percentage of devices names which disclosed sensitive information (out of the 1,500 profiles collected) First Name Last Name Location Device Model Nickname / Handle 28.17% 18.76% 1.30% 70.54% 1.51% © Shadow Cave LLC
  • 16. Mall Nibbling Dropping by your local mall to collect information on the cornucopia of Bluetooth devices. © Shadow Cave LLC
  • 17. Mall Nibbling ● Performing Mall Nibbling: Things to Know – Come equipped with a Class 1 bluetooth dongle (cantenna attachment optional, but recommended :) ) – Obfuscate your Bluetooth interface – While device discovery takes less then 2 seconds, getting the name of the device requires a follow up request. Plan on spending at least 1 minute per location for each scan. © Shadow Cave LLC
  • 19. vCardBlaster ● vCard - “Virtual Business Card” – Used to exchange personal information ● Many Bluetooth devices allow exchange of vCards – Phones, PDAs, PCs, etc © Shadow Cave LLC
  • 20. vCardBlaster ● vCardBlaster is capable of sending a constant stream of vCards over Bluetooth – Users can select a single target or attack all devices in range – vCards can be specified or generated by vCardBlaster © Shadow Cave LLC
  • 21. Bluetooth vCard Contact List DoS ● vCardBlaster can be used to preform a DoS on a Contact List ● Vuln: – Some devices, upon receiving a vCard, will automatically add the information to the local Contact List. – Each name provided in the vCard must be unique. – Sending a flood of vCards fills up the contact list with new false contacts © Shadow Cave LLC
  • 23. Blueper ● Blueper is capable of sending a constant stream of files over Bluetooth – Users can select a single target or attack all devices in range – Files can be specified or generated – User can specify file size © Shadow Cave LLC
  • 24. Bluetooth OBEX Disk Cache DoS ● Blueper can be used to preform a DoS using the systems caching of file data ● Vuln: – Some devices cache files sent over Bluetooth OBEX before prompting user to accept or reject the file transfer. – Sending files over extended periods of time can fill up disk. – It can cause system crash. © Shadow Cave LLC
  • 26. Pwntooth ● Suite of Bluetooth attack tools ● Designed to automate multiple attacks against multiple targets. ● Comes bundled with tools like: – Bluetooth Stack Smasher – BT_AUDIT – Bluesnrf – Blueper / vCardBlaster © Shadow Cave LLC
  • 27. Pwntooth ● Pwntooth uses a user defined config file as an attack script ● This config file uses * as a wild card character for device address © Shadow Cave LLC
  • 29. Pwntooth ● Default config /etc/bluetooth/pwntooth.conf ● If a address device is detected in multiple iterations of scans, the attacks listed in the config file are only run the first time ● Example: Scan area 10 times and save output to logfile.txt using default config. > pwntooth -l logfile.txt -s 10 © Shadow Cave LLC
  • 30. Project Pages www.hackfromacave.com ● SpoofTooph: http://www.hackfromacave.com/projects/spooftooph.html ● Bluetooth Profiling Project: http://www.hackfromacave.com/projects/bpp.html ● vCardBlaster: www.hackfromacave.com/vcardblaster.html ● Blueper: www.hackfromacave.com/blueper.html ● Pwntooth: www.hackfromacave.com/pwntooth.html © Shadow Cave LLC