Bluetooth Hacking revisited
Kevin Finistere & Thierry Zoller
23C3 - 2006
Bluetooth – Please just turn it off
Turn off your BT please. No, really. Yeah.
The Goal of this Talk?
- The goal of this talk is not to:
  - Build myths
  - Show off – and not show how
- The goal of this talk is to:
  - Raise awareness
  - Make risks (more) transparent
  - Paradigm shift – Bluetooth is not only for toys
  - Show cool stuff…
What are we talking about today?
- [ 0x00 ] – Introduction: What is Bluetooth?
  - Sorry, this is required. Crash course.
- [ 0x01 ] – Get ready to rumble: Extending the range
  - Extending the range of Bluetooth devices
  - Building automated reconnaissance and attack devices
  - Bluetooth wardriving (GPS, 360° camera)
- [ 0x02 ] – Implementation issues: Bypassing security
  - Attacking drivers, attacking applications
  - Owning Bluetooth VNC style
  - Attacking internal networks and pivoting
  - Bluetooth PIN to Bluetooth passkey
- [ 0x03 ] – Protocol/specification issues: Ceci n’est pas une pipe
  - Cracking the PIN and the link key (BTCrack)
  - Key management, 8-bit encryption, collisions
  - Tracking the untrackable
  - Anti-brute-forcing
  - Random number generators from hell
[ 0x00 ] Introduction
- Bluetooth – a few tidbits:
  - Operates on the licence-free ISM band: 2.4 GHz
  - In general 79 channels (except France, Spain)
  - Frequency hopping (3200/sec, 1600/sec)
  - Complete framework with profiles and layers of protocols
  - 1 billionth BT device sold in November 2006 (source: SIG)
  - Goals: least-cost cable replacement, low power usage
[ 0x00 ] Introduction
- The foundation – Protocol stack
[Figure: the Bluetooth protocol stack, split into hardware and software layers; tools labelled on the figure: Redfang – read_remote_name(), L2ping]
[ 0x00 ] Introduction
- “Typical” Bluetooth scenario
[Figure: a device and a Bluetooth access point go through inquiry, inquiry response, paging (FHS) and link establishment; the device then discovers the access point’s profiles]
[ 0x00 ] Introduction
- Inquiry – First contact
  - Predefined hopping sequence
  - FHS same for all devices
  - Paging parameters are passed during the inquiry stage
[ 0x00 ] Introduction
- Paging – Frequency hopping synchronization
  - Slaves always sync to the master
  - Paging initialisation:
    - Slaves hop 1 channel/sec
    - Master hops 3200 times/sec
  - Paging:
    - Both hop 1600 times/sec
    - The piconet agrees on a sequence based on parts of the BD_ADDR and the clock offset of the master. (Nice fingerprint, by the way.)
  - FH is the reason you cannot easily sniff BT traffic. You have to sync to the master (or use a spectrum analyzer and reconstruct afterwards – good luck).
[ 0x00 ] Introduction
- The Bluetooth profiles
  - Each represents a group of features and defines the mandatory options
  - Prevent compatibility issues; modular approach to BT extensions
  - Vertical representation of BT layer usage, handled through SDP
[Figure: layer usage of the Object Push Profile]
[ 0x00 ] Introduction
- Different Bluetooth modes
  - Discoverable modes:
    - Discoverable: sends inquiry responses to all inquiries.
    - Limited discoverable: visible for a certain period of time (implementation bug: Sony Ericsson T60..)
    - Non-discoverable: never answers an inquiry scan (in theory)
  - Pairing modes:
    - Non-pairable mode: rejects every pairing request (LMP_not_accepted) (implementation bug: Plantronics headset..)
    - Pairable mode: will pair upon request
[ 0x01 ] Get ready to rumble
- Extending the range
[ 0x01 ] Get ready to rumble
- Long distance – Datasets
  - Antrum Lake: water reflection guarantees longer ranges.
  - 788 meters
  - An old man stole my phone during this test! I tracked him with the yagi.
[ 0x01 ] Get ready to rumble
- Optimizing for penetration (1)
  - Integrated Linksys dongle
  - Integrated USB cable
  - Metal parabola
  - 10× zoom
  - Laser (to be done)
  - Experiment: went through a building and found the device on the other side, IN another building.
[ 0x01 ] Get ready to rumble
- Optimizing for penetration (2)
  - Bundling (parabola)
  - Higher penetration through walls
  - Glass is your friend
  - On-board embedded device (NSLU2)
  - Autonomous scan and attack toolkit
    - automatically scans
    - may attack devices
    - saves all the results
[ 0x01 ] Get ready to rumble
- PerimeterWatch – Bluetooth wardriving
  - Perl script by KF
  - Searches for Bluetooth devices
  - Takes 360° pictures
  - Records GPS coordinates
[ 0x02 ] Implementation bugs
- Implementation bugs – Bypassing security
[ 0x02 ] Implementation bugs
- Menu du jour:
  - Eavesdropping on laptops/desktops
  - Remotely controlling workstations
  - Car Whisperer NG
  - Owning internal networks over Bluetooth
  - Link key theft and abuse
  - Widcomm overflows (the Broadcom merger leaves lots of vulnerable users that cannot patch). BTW 3.0.1.905 (../ attacks) and versions up to BTW 1.4.2.10 have overflows.
[ 0x02 ] Implementation bugs
- Bluetooth PIN is really a Bluetooth passkey
  - Did you know? A Bluetooth “PIN” can be more than digits…
  - Not aware of any implementation that does so; all use just digits
  - Uses UTF-8
  - Max 16 bytes; a multi-byte UTF-8 character uses several of them
  - Example:

    User enters   BT handles
    Ärlich        0xC3 0x84 0x72 0x6c 0x69 0x63 0x68
    0123          0x30 0x31 0x32 0x33

  - It’s like implementing NTLM with digits only….
  - BTCrack would need a lot more time if this were “correctly” implemented
[ 0x02 ] Implementation bugs
- CarWhisperer – Martin Herfurt
  - Listen to and record conversations
  - Not that new, but what’s new:
    - Works against workstations. Example: Widcomm < BTW 4.0.1.1500 (no PIN code)
    - Kevin did a real-time patch for it
    - Remove the Class ID check
  - Root cause: pairing mode, discoverable, hard-coded PIN.
[ 0x02 ] Implementation bugs
- HidAttack – Owning Bluetooth VNC style
  - HID = Human Interface Device
  - Requires 2 HID (PSM) endpoints to act as server
  - 2 implementations:
    - Keyboard connects to the HID server
    - HID server connects to the keyboard
  - You can control the mouse and keyboard HID just as if you were in front of the PC.
  - Discovered by Collin Mulliner, fixed in hidd BlueZ < 2.25; Widcomm, Toshiba not really tested. Yours?
  - Code release today: www.mulliner.org/bluetooth/hidattack01.tar.gz
  - Thanks Collin!
[ 0x02 ] Implementation bugs
- Demo – Owning internal networks
  - Apple
    - OSX 10.3 Tiger
    - OSX 10.4 Jaguar
    - Vanilla, delayed release
  - Windows
    - Widcomm, Toshiba, Bluesoil, others?
  - Pocket PC
  - Kevin: Apple asked me to not tell 10.4 was shipping vulnerable
  - OSX 10.3.9 patched; OSX 10.4 shipped vulnerable, patched a month after OSX 10.3.9
[ 0x02 ] Implementation bugs
- Demo – Remote root over BT
  - Vulnerability shown: _Directory traversal_ in un-authenticated Obexserver (patched)
  - Cause: user input validated client-side (except btftp)
  - ObexFTP server directory traversal exploit & malicious InputManager & local root exploit = remote login tty over rfcomm = 0WNAGE
  - Was possible on Windows and Pocket PC and everything that has Toshiba or Broadcom & Widcomm (estimate 90%), and most probably others too. But we chose a Mac, because… we can.
  - Points are:
    - Macs are NOT invulnerable (far from that)
    - You can own internal networks over Bluetooth
[ 0x02 ] Implementation bugs
- Windows Widcomm – Buffer overflows
  - Vulnerable versions known to us:
    - Widcomm stack up to 3.x is vulnerable
    - Widcomm BTStackServer 1.4.2.10
    - Widcomm BTStackServer 1.3.2.7
    - Widcomm Bluetooth Communication Software 1.4.1.03
    - HP iPAQ 2215
    - HP iPAQ 5450
[ 0x03 ] Protocol issues
They are just implementation bugs*
*This is supposed to be a joke
[ 0x03 ] Protocol issues
- Menu du jour:
  - Why the PIN is not that important
  - Unit keys
  - How to find non-discoverable devices
  - Random number generators that may be from hell
  - Link keys
    - Reconstructing them
    - Abusing them
    - Re-forcing pairing, corruption
    - Denial of service
[ 0x03 ] Protocol issues
- The PIN is not really that useful
  - The link key is!
  - Here’s why:
    - Pairing mode is required for the PIN
    - The LK is enough to authenticate
    - Encryption (E0) is calculated from the LK
    - We can authenticate against both sides with the same key
  - Protocol 1.2 authentication:
[Figure: the Bluetooth 1.2 authentication exchange]
[ 0x03 ] Protocol issues
- Unit keys
  - Generated by the device when starting up
  - Based on a PRNG that may come from hell
  - Permanently saved and cannot be changed
  - The device only has one key
  - Problem:
    - The SIG clearly does not recommend its use.
[Figure: Step 1: A pairs with B; Step 2: A pairs with C, using the same (single) unit key]
[ 0x03 ] Protocol issues
- How to find non-discoverable devices passively
  - From the man himself: Joshua Wright
  - We knew read_remote_name(); now l2ping.
  - Target: BD_ADDR, 48 bits
    1. Sniff on a preset channel and wait for devices to hop by; capture the Bluetooth preamble and extract the channel access code (which is based on 24 bits of the BD_ADDR)
    2. Extract the error correction field (baseband header – 10-bit CRC field)
    3. Assume the first 8 bits are 00
    4. Brute-force the remaining 8 bits
  - Example: 00:11:9F:C5:F1:AE
[ 0x03 ] Specification issues
- Random number generators from hell
  - The specification is not very clear about what to achieve or how to achieve it
  - The specification reads:

    Each device has a pseudo-random number generator. Pseudo-random numbers are used for many purposes within the security functions − for instance, for the challenge-response scheme, for generating authentication and encryption keys, etc.
    Within this specification, the requirements placed on the random numbers used are non-repeating and randomly generated.
    For example, a non-repeating value could be the output of a counter that is unlikely to repeat during the lifetime of the authentication key, or a date/time stamp.
[ 0x03 ] Specification issues
- Random number generators from hell
  - Remember the clock inside each device?
  - Remember that we can get the clock offset with a simple non-authenticated inquiry?
  - The RNDs do not look very random; had no time left to investigate fully, but it looks horrible.
  - They don’t trust it themselves:

    The reason for using the output of and not directly choosing a random number as the key*, is to avoid possible problems with degraded randomness due to a poor implementation of the random number generator within the device.

  - *What a great idea that would have been…
[ 0x03 ] Protocol issues
- Introducing BTCrack
  - First presented at Hack.lu 2006
  - Released for 23C3
  - Cracks PIN and link key
  - Requires values from a pairing sniff
  - Imports CSV data
  - Available for download here now: http://www.nruns.com/security_tools.php
[ 0x03 ] Protocol issues
- History
  - Ollie Whitehouse – 2003
    - Presents weaknesses of the pairing process and how they may be used to crack the PIN
  - Shaked and Wool – 2005
    - Implemented and optimised the attack
    - Found ways to re-initiate pairing
  - Thierry Zoller – 2006
    - Win32 implementation, first public release
    - Tremendous help from somebody who will recognize himself
[ 0x03 ] Protocol issues
- Speed – Dual-core P4, 2 GHz
  - BTCrack v0.3 (Hack.lu): 22,000 keys per second
  - BTCrack v0.5: 47,000 keys per second
  - BTCrack v1.0: 185,000 keys per second
    - Thanks to Eric Sesterhenn
    - Optimised for caching, cleaned-up code, static funcs, removed junk
    - ICC
- Results:
  - 4-digit PIN: 0.035 seconds
  - 5-digit PIN: 0.108 seconds
  - 6-digit PIN: 4.312 seconds
  - 9-digit PIN: 1318 seconds
[ 0x03 ] Protocol issues
- BTCrack – Behind the scenes (1)
[Figure: the pairing and authentication exchange between device A and device B, flattened here into its steps]
  - Step 1: A generates RAND and sends it to B. Both sides compute K = E22(RAND, PIN, PIN_LEN).
  - Step 2: A generates RANDA and sends CA = RANDA xor K; B generates RANDB and sends CB = RANDB xor K.
  - Step 3: A recovers RANDB = CB xor K and B recovers RANDA = CA xor K. Each side computes LKA = E21(RANDA, ADDRA), LKB = E21(RANDB, ADDRB) and LKAB = LKA xor LKB.
  - Step 4: A sends the challenge CH_RANDA. B computes SRESB = E1(CH_RANDA, ADDRB, LKAB) and returns SRESB; A computes SRESA = E1(CH_RANDA, ADDRB, LKAB).
  - Step 5: A checks SRESA = SRESB.
  - E22 = Connection key, E21 = Device key
[ 0x03 ] Protocol issues
- BTCrack – Behind the scenes

    PIN = -1;
    do
    {
        PIN++;
        CR_K     = E22(RAND, PIN, length(PIN));   /* candidate init key from the sniffed RAND */
        CR_RANDA = CA xor CR_K;                   /* unmask the sniffed CA / CB with it */
        CR_RANDB = CB xor CR_K;
        CR_LKA   = E21(CR_RANDA, ADDRA);
        CR_LKB   = E21(CR_RANDB, ADDRB);
        CR_LKAB  = CR_LKA xor CR_LKB;             /* candidate link key */
        CR_SRES  = E1(CH_RAND, ADDRB, CR_LKAB);   /* candidate authentication response */
    }
    while (CR_SRES != SRES);                      /* stop when it matches the sniffed SRES */

  - Right: Shaked and Wool logic
  - Top: pseudo code by Tomasz Rybicki, Hakin9 04/2005
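The pairing exchange on the slide above and the UTF-8 passkey encoding from the earlier [ 0x02 ] slide, simulated as an added example that is not part of the original talk or of BTCrack: E22/E21/E1 are replaced by HMAC-SHA256 stand-ins (the real functions are SAFER+ based) and the device addresses are constructed. It shows both sides arriving at the same link key, why the values visible on the air are enough to verify a PIN guess offline (one round of the pseudo-code), and how the 16-byte UTF-8 limit sets the size of the search space that digit-only PINs throw away.

```python
import hashlib
import hmac
import os

# Stand-ins for the Bluetooth key functions.  The real E22 / E21 / E1 are built
# on SAFER+; these HMAC-SHA256 versions are a constructed substitute that keeps
# the structure of the exchange (what each side feeds into each function).
def _prf(label: bytes, *parts: bytes) -> bytes:
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:16]

def E22(rand: bytes, pin: bytes) -> bytes:
    """Initialization ('connection') key from the shared RAND, the PIN and PIN_LEN."""
    return _prf(b"E22", rand, pin, bytes([len(pin)]))

def E21(rand: bytes, addr: bytes) -> bytes:
    """Device-key contribution from a per-device random and a BD_ADDR."""
    return _prf(b"E21", rand, addr)

def E1(ch_rand: bytes, addr: bytes, link_key: bytes) -> bytes:
    """Authentication response; SRES is 32 bits in the real protocol."""
    return _prf(b"E1", ch_rand, addr, link_key)[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

MAX_PASSKEY_BYTES = 16  # the limit quoted on the slide: at most 16 bytes of UTF-8

def encode_passkey(text: str) -> bytes:
    """Encode a passkey the way the slide describes: UTF-8, at most 16 bytes.
    Multi-byte characters use the budget faster ('Ärlich' is 7 bytes, not 6)."""
    raw = text.encode("utf-8")
    if not raw or len(raw) > MAX_PASSKEY_BYTES:
        raise ValueError("passkey must be 1..16 bytes of UTF-8")
    return raw

def keyspace(alphabet_size: int, bytes_per_char: int = 1,
             max_bytes: int = MAX_PASSKEY_BYTES) -> int:
    """Number of distinct passkeys whose UTF-8 encoding fits in max_bytes, when
    every character comes from an alphabet of alphabet_size symbols that each
    encode to bytes_per_char bytes (lengths 1..max_chars)."""
    max_chars = max_bytes // bytes_per_char
    return sum(alphabet_size ** n for n in range(1, max_chars + 1))

def pair(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom):
    """Steps 1-5 of the slide between device A (initiator) and device B.
    Returns (link key at A, link key at B, A's SRES check, what an eavesdropper saw)."""
    # Step 1: A sends RAND in clear; both sides derive K from RAND and the PIN.
    rand = rng(16)
    k_a, k_b = E22(rand, pin), E22(rand, pin)
    # Step 2: each side masks its own random with K and sends the result.
    rand_a, rand_b = rng(16), rng(16)
    ca, cb = xor(rand_a, k_a), xor(rand_b, k_b)
    # Step 3: each side unmasks the other's random and forms LKAB = LKA xor LKB.
    rand_b_at_a = xor(cb, k_a)
    rand_a_at_b = xor(ca, k_b)
    lkab_at_a = xor(E21(rand_a, addr_a), E21(rand_b_at_a, addr_b))
    lkab_at_b = xor(E21(rand_a_at_b, addr_a), E21(rand_b, addr_b))
    # Step 4: A challenges B with CH_RAND; B answers with SRESB.
    ch_rand = rng(16)
    sres_b = E1(ch_rand, addr_b, lkab_at_b)
    # Step 5: A computes SRESA itself and compares.
    sres_a = E1(ch_rand, addr_b, lkab_at_a)
    seen = {"RAND": rand, "CA": ca, "CB": cb, "CH_RAND": ch_rand, "SRES": sres_b,
            "ADDRA": addr_a, "ADDRB": addr_b}  # the PIN itself never goes on the air
    return lkab_at_a, lkab_at_b, sres_a == sres_b, seen

def guess_matches(seen: dict, pin_guess: bytes) -> bool:
    """One round of the pseudo-code on the slide: every input except the PIN was
    observed, so a candidate PIN can be checked offline against the sniffed SRES."""
    k = E22(seen["RAND"], pin_guess)
    lkab = xor(E21(xor(seen["CA"], k), seen["ADDRA"]),
               E21(xor(seen["CB"], k), seen["ADDRB"]))
    return E1(seen["CH_RAND"], seen["ADDRB"], lkab) == seen["SRES"]

if __name__ == "__main__":
    # Constructed sample BD_ADDRs, not real devices.
    addr_a, addr_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    lk_a, lk_b, ok, seen = pair(encode_passkey("0123"), addr_a, addr_b)
    print("link keys agree:", lk_a == lk_b, "| authentication ok:", ok)
    print("guess '0123' verifies offline:", guess_matches(seen, b"0123"))
    print("guess '0000' verifies offline:", guess_matches(seen, b"0000"))
    print("4-digit PINs:", keyspace(10, 1, 4))
    print("digit-only passkeys up to 16 bytes:", keyspace(10, 1))
    print("printable-ASCII passkeys up to 16 bytes:", keyspace(95, 1))
    print("'Ärlich' encodes to", len(encode_passkey("Ärlich")), "bytes")
```

Compare the keyspace figures with the timings on the Speed slide: the offline check is what makes short, digit-only PINs cheap to search.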
[ 0x03 ] Protocol issues
- BTCrack – Demo
[ 0x03 ] Protocol issues
- Link keys – What can I do with them?
  - Authenticate to both devices, master & slave, with the same link key
  - Dump them from any Linux, Mac, Windows machine
  - Create an encrypted hidden stealth channel, plant the link key
  - You can decrypt encrypted traffic with the link key
- How to force re-pairing?
  - Shaked and Wool proposed:
    - Injection of LMP_Not_Accepted spoofing the master
    - Before the master sends AU_RAND, inject IN_RAND to the slave
    - Before the master sends AU_RAND, inject random SRES messages
  - We propose:
    - Use bdaddr to change the BD_ADDR to that of a member and connect to the master with an unknown link key.
[ 0x04 ] Kick-out
- Sooooo, now we have:
  - A quick and reliable way to get the BD_ADDR
  - A way to crack the PIN and the keys
- What’s left?
  - The sniffer. It costs around $13,000; you can sometimes get it on eBay for 1/10 of that amount.
  - Assignment: go and make one for everybody.
[ 0x04 ] Kick-out
- Things to remember:
  - Bluetooth might be a risk for your company
  - Risk assessment is rather complex
  - Don’t accept every file you are being sent; just click NO.
  - Disable Bluetooth if not required
  - Pair in “secure” places (SIG recommendations)
  - Don’t use unit keys
  - Hold your Bluetooth vendor accountable for vulnerabilities
  - Delete your pairings
  - Use BT 2.0 and “Simple Pairing”
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
 
Introduction to Artificial intelligence.
Introduction to Artificial intelligence.Introduction to Artificial intelligence.
Introduction to Artificial intelligence.
 
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait Cityin kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
 
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
Zone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptxZone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptx
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of Drupal
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 

23c3 Bluetooth hacking revisited

  • 1. Bluetooth Hacking revisited + Kevin Finistere & Thierry Zoller, 23C3 - 2006
  • 2. Bluetooth – Please just turn it off
    - Turn off your BT please, no really. Yeah
  • 3. The Goal of this Talk?
    - The Goal of this talk is not to:
      - Build myths
      - Show off – and not show how
    - The Goal of this talk is to:
      - Raise awareness
      - Make risks (more) transparent
      - Paradigm Shift – Bluetooth is not only for toys
      - Show cool stuff…
  • 4. What are we talking about today?
    - [ 0x00 ] – Introduction: What is Bluetooth?
      - Sorry this is required. Crash course..
    - [ 0x01 ] – Get ready to rumble: Extending the Range
      - Extending the range of Bluetooth devices
      - Building automated reconnaissance and attack devices
      - Bluetooth War driving (GPS, 360° Camera)
    - [ 0x02 ] – Implementation issues: Bypassing Security
      - Attacking drivers, Attacking applications
      - Owning Bluetooth VNC style
      - Attacking Internal Networks and pivoting
      - Bluetooth Pin to Bluetooth Passkey
    - [ 0x03 ] – Protocol/Specification issues: Ceci n’est pas une pipe
      - Cracking the Pin and the Link-key (BTCrack)
      - Key management, 8 bit Encryption, Collisions
      - Tracking the un-trackable
      - Anti-Brute-forcing
      - Random Number generators from hell
  • 5. [ 0x00 ] Introduction
    - Bluetooth - a few tidbits:
      - Operates on the non-regulated ISM band: 2,4 GHz
      - In general 79 Channels (Except France, Spain)
      - Frequency Hopping (3200/sec, 1600/sec)
      - Complete Framework with profiles and layers of protocols
      - 1 Billionth BT device sold in November 2006 (source SIG)
      - Goals: Least cost cable replacement, low power usage
  • 6. [ 0x00 ] Introduction
    - The foundation – Protocol Stack
      (Diagram: hardware and software layers of the stack; Redfang – read_remote_name(), L2ping)
  • 7. [ 0x00 ] Introduction
    - “Typical” Bluetooth Scenario
      (Diagram: Inquiry, Inquiry response, Paging (FHS), Link establishment, Discovers Profiles; Bluetooth Access Point)
  • 8. [ 0x00 ] Introduction
    - Inquiry - First Contact
      - Predefined Hopping sequence
      - FHS same for all devices
      - Pass Paging parameters during Inquiry stage
  • 9. [ 0x00 ] Introduction
    - Paging - Frequency Hopping Synchronization
      - Slaves always sync to the Master
      - Paging initialisation:
        - Slaves hop 1 Channel/sec
        - Master hops 3200 times/sec
      - Paging:
        - Both hop 1600 times/sec
      - Piconet agrees to a Sequence based on parts of the BD_ADDR and Clock-offset of the master. (Nice fingerprint by the way)
      - FH is the reason you can not easily sniff BT traffic. You have to sync to the Master (or use a Spectral Analyzer and reconstruct afterwards – Good luck)
  • 10. [ 0x00 ] Introduction
    - The Bluetooth Profiles
      - Represent a group and define mandatory options
      - Prevent compatibility issues, modular approach to BT extensions
      - Vertical representation of BT layer usage, handled through SDP
      (Diagram: Object Push Profile)
  • 11. [ 0x00 ] Introduction
    - Different Bluetooth modes
      - Discoverable modes:
        - Discoverable: Sends inquiry responses to all inquiries.
        - Limited discoverable: Visible for a certain period of time (Implementation bug: Sony Ericsson T60..)
        - Non-Discoverable: Never answers an inquiry scan (in theory)
      - Pairing modes:
        - Non-pairable mode: Rejects every pairing request (LMP_not_accepted) (Implementation bug: Plantronic Headset..)
        - Pairable mode: Will pair upon request
  • 12. [ 0x01 ] Get ready to rumble
    - Extending the Range
  • 13. [ 0x01 ] Get ready to rumble
    - Long Distance - Datasets
      - Antrum Lake, water reflection guarantees longer ranges.
      - 788 Meters
      - An old Man stole my phone during this test! I tracked him with the yagi.
  • 14. [ 0x01 ] Get ready to rumble
    - Optimizing for Penetration (1)
      - Integrated Linksys Dongle
      - Integrated USB Cable
      - Metal Parabola
      - 10 * Zoom
      - Laser (to be done)
      - Experiment: Went through a building, found the device on the other side IN another building.
  • 15. [ 0x01 ] Get ready to rumble
    - Optimizing for Penetration (2)
      - Bundling (Parabola)
      - Higher penetration through walls
      - Glass is your friend
      - On board embedded device (NSLU2)
      - Autonomous scan and attack toolkit:
        - automatically scans
        - may attack devices
        - saves all the results
  • 16. [ 0x01 ] Get ready to rumble
    - PerimeterWatch – Bluetooth Wardriving
      - Perl Script by KF
      - Searches Bluetooth Devices
      - Takes 360° pictures
      - GPS coordinates
  • 17. [ 0x02 ] Implementation bugs
    - Implementation Bugs – Bypassing security
  • 18. [ 0x02 ] Implementation bugs
    - Menu du Jour:
      - Eavesdropping on Laptops/Desktops
      - Remotely controlling workstations
      - Car Whisperer NG
      - Owning internal Networks over Bluetooth
      - Linkkey theft and abuse
      - Widcomm Overflows (Broadcom merger leaves lots of vuln users that can not patch): BTW 3.0.1.905 (../ attacks) and up to BTW 1.4.2.10 has overflows
  • 19. [ 0x02 ] Implementation bugs
    - Bluetooth PIN is really a Bluetooth Passkey
      - Did you know? A Bluetooth “Pin” can be more than digits…
      - Not aware of any implementation, all use just digits
      - Uses UTF8
      - Max 16, UTF8 char may take some off
      - Example:
          User enters   BT handles
          Ärlich        0xC3 0x84 0x72 0x6c 0x69 0x63 0x68
          0123          0x30 0x31 0x32 0x33
      - It’s like implementing NTLM with digits only….
      - BTCrack would take a lot more time if this would be “correctly” implemented
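The passkey encoding of slide 19, as an added example that is not code from the slides or from BTCrack: it hands a passkey to the pairing algorithm the way the slide describes (UTF-8 bytes, at most 16 of them, the PIN_LEN input of E22), reproduces the two rows of the table above, and compares how many candidates a digit-only passkey leaves against one drawn from printable ASCII at the same length. The 16-byte cap and the UTF-8 encoding come from the slide; the alphabet sizes, the function names and the keys-per-second parameter are assumptions of this example (the 185.000 keys/s used in the usage line is the BTcrack v1.0 figure from slide 35).

```python
# Added example, not from the 23C3 slides or from BTCrack: how a passkey reaches
# the pairing algorithm (UTF-8 bytes, at most 16 of them) and what the digit-only
# convention costs in search space. The 16-byte cap is from the slide; the
# alphabet sizes and the search rate are assumptions of this example.
from typing import List

MAX_PASSKEY_BYTES = 16  # PIN_LEN input of E22 runs from 1 to 16 bytes


def passkey_bytes(passkey: str) -> bytes:
    """Encode a passkey the way the stack hands it to E22: UTF-8, 1..16 bytes.
    A multi-byte character uses up part of the budget, so the six characters
    of "Ärlich" cost seven bytes."""
    data = passkey.encode("utf-8")
    if not 1 <= len(data) <= MAX_PASSKEY_BYTES:
        raise ValueError(f"passkey is {len(data)} bytes, must be 1..{MAX_PASSKEY_BYTES}")
    return data


def passkey_fits(passkey: str) -> bool:
    """True if the passkey survives the 16-byte cap without being rejected."""
    try:
        passkey_bytes(passkey)
        return True
    except ValueError:
        return False


def hex_dump(data: bytes) -> str:
    """Render bytes the way the slide's table does: 0xc3 0x84 ..."""
    return " ".join(f"0x{b:02x}" for b in data)


def candidates(alphabet_size: int, max_symbols: int) -> int:
    """Number of passkeys of 1..max_symbols symbols over an alphabet. The sum is
    cumulative because an observer of a pairing does not know the PIN length."""
    return sum(alphabet_size ** n for n in range(1, max_symbols + 1))


def seconds_to_search(candidate_count: int, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at a given E22/E21/E1 rate."""
    return candidate_count / keys_per_second


def compare_alphabets(max_symbols: int, keys_per_second: float) -> List[dict]:
    """Digit-only passkeys versus printable ASCII, same length, same rate."""
    rows = []
    for name, size in (("digits 0-9", 10), ("printable ASCII", 95)):
        n = candidates(size, max_symbols)
        rows.append({"alphabet": name, "candidates": n,
                     "seconds": seconds_to_search(n, keys_per_second)})
    return rows


if __name__ == "__main__":
    for entered in ("\u00c4rlich", "0123"):  # "Ärlich" spelled with U+00C4
        print(f"{entered:<8} -> {hex_dump(passkey_bytes(entered))}")
    for row in compare_alphabets(4, 185_000):  # rate taken from slide 35
        print(row)
```

At four symbols the digit-only convention leaves 11.110 candidates, which at the slide 35 rate is well under a second, while the same length over printable ASCII leaves over 82 million; the cap still bites, since eight "Ä" already fill the 16 bytes.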
  • 20. [ 0x02 ] Implementation bugs
    - CarWhisperer – Martin Herfurt
      - Listen and Record Conversations
      - Not that new, but what’s new: Works against Workstations. Example: Widcomm < BTW 4.0.1.1500 (No Pincode)
      - Kevin did a real-time patch for it: Remove the Class ID check
      - Root Cause: Pairing mode, discoverable, hard coded Pin.
  • 21. [ 0x02 ] Implementation bugs
    - HidAttack - Owning Bluetooth VNC Style
      - HID = Human Interface Device
      - Requires 2 HID (PSM) endpoints to act as server
      - 2 implementations:
        - Keyboard connects to the HID server
        - HID server connects to the Keyboard
      - You can control the Mouse and Keyboard HID just as if you were in front of the PC.
      - Discovered by Collin Mulliner, fixed in hidd Bluez <2.25; Widcomm, Toshiba not really tested. Yours?
      - Code release today: www.mulliner.org/bluetooth/hidattack01.tar.gz
      - Thanks Collin!
  • 22. [ 0x02 ] Implementation bugs
    - Demo - Owning internal networks
      - Apple
        - OSX 10.3 Tiger
        - OSX 10.4 Jaguar Vanilla, delayed release
      - Windows
        - Widcomm, Toshiba, Bluesoil, others?
      - Pocket PC
      - Kevin: Apple asked me to not tell 10.4 was shipping vulnerable
      - OSX 10.3.9 patched, OSX 10.4 shipped vulnerable, patched a month after OSX 10.3.9
  • 23. [ 0x02 ] Implementation bugs
    - Demo – Remote Root over BT
      - Vulnerability shown: _Directory Traversal_ in un-authenticated Obexserver (Patched)
      - Cause: User input validated client-side (except btftp)
      - ObexFTP server directory traversal exploit & malicious InputManager & local root exploit = remote login tty over rfcomm = 0WNAGE
      - Was possible on Windows and Pocket PC and everything that has Toshiba or Broadcom & Widcomm (estimate 90%), and most probably others too. But we chose a MAC, because…we can.
      - Points are:
        - Macs are NOT invulnerable (far from that)
        - You can own internal networks over Bluetooth
  • 24. [ 0x02 ] Implementation bugs
    - Windows Widcomm - Buffer overflows
  • 25. [ 0x02 ] Implementation bugs
    - Windows Widcomm - Buffer overflows
      - Vulnerable versions known to us:
        - Widcomm Stack up to 3.x is vuln
        - Widcomm BTStackServer 1.4.2.10
        - Widcomm BTStackServer 1.3.2.7
        - Widcomm Bluetooth Communication Software 1.4.1.03
        - HP IPAQ 2215
        - HP IPAQ 5450
  • 26. [ 0x03 ] Protocol issues
    - They are just implementation Bugs*
    - *This is supposed to be a joke
  • 27. [ 0x03 ] Protocol issues
    - Menu du Jour:
      - Why the Pin is not that important
      - Unit Keys
      - How to find non discoverable devices
      - Random Number generators that may be from Hell
      - Link Keys:
        - Reconstructing them
        - Abusing them
        - Re-force Pairing, Corruption
        - Denial of Service
  • 28. [ 0x03 ] Protocol issues
    - The PIN is not really that useful – The link key is!
    - Here’s why:
      - Pairing mode required for PIN
      - The LK is enough to authenticate
      - Encryption (E0) calculated from the LK
      - We can authenticate against both sides with the same key
    - Protocol 1.2 Authentication: (diagram)
  • 29. [ 0x03 ] Protocol issues
    - Unit keys
      - Generated by the device when starting up
      - Based on a PRNG that may come from hell
      - Permanently saved and cannot be changed
      - Only has one key
      - Problem: The SIG clearly does not recommend its use.
      (Diagram: Step 1: A and B; Step 2: A and C)
  • 30. [ 0x03 ] Protocol issues
    - How to find nondiscoverable devices passively
      - From the man himself: Joshua Wright
      - We knew read_remote_name(), now l2ping.
      - Target: BD_Addr: 48-bit (example: 00:11:9F:C5:F1:AE)
      4. Sniff on a preset channel and wait for devices to hop by, capture the Bluetooth Preamble, extract the channel access code (which is based on 24 bits of the BD_addr)
      5. Extract Error Correction field (baseband header – CRC 10bit field)
      6. Assume the first 8 bits 00
      7. Brute force the remaining 8 bits
  • 31. [ 0x03 ] Specification issues
    - Random Number Generators from Hell
      - Specification is not very clear about what to achieve or how to achieve it
      - The specification reads:
        "Each device has a pseudo-random number generator. Pseudo-random numbers are used for many purposes within the security functions − for instance, for the challenge-response scheme, for generating authentication and encryption keys, etc. Within this specification, the requirements placed on the random numbers used are non-repeating and randomly generated. For example, a non-repeating value could be the output of a counter that is unlikely to repeat during the lifetime of the authentication key, or a date/time stamp."
  • 32. [ 0x03 ] Specification issues
    - Random Number Generators from Hell
      - Remember the Clock inside each Device?
      - Remember that we can get the clock-offset with a simple non-authenticated inquiry?
      - RND do not look very random, had no time left to investigate fully, looks horrible.
      - They don’t trust it themselves: "The reason for using the output of and not directly choosing a random number as the key*, is to avoid possible problems with degraded randomness due to a poor implementation of the random number generator within the device."
      - *What a great idea that would have been…
  • 33. [ 0x03 ] Protocol issues
    - Introducing BTCrack
      - First presented at Hack.lu 2006
      - Released for 23C3
      - Cracks PIN and Link key
      - Requires values from a Pairing sniff
      - Imports CSV Data
      - Available for download here now: http://www.nruns.com/security_tools.php
  • 34. [ 0x03 ] Protocol issues
    - History
      - Ollie Whitehouse - 2003: Presents weaknesses of the pairing process and how it may be used to crack the PIN
      - Shaked and Wool - 2005: Implemented and optimised the attack; found ways to re-initiate pairing
      - Thierry Zoller – 2006: Win32 implementation, first public release
      - Tremendous help from somebody that will recognize himself
  • 35. [ 0x03 ] Protocol issues
    - Speed - Dual-Core P4-2GHZ
      - BTcrack v0.3 (Hack.lu): 22.000 keys per second
      - BTcrack v0.5: 47.000 keys per second
      - BTcrack v1.0: 185.000 keys per second
        - Thanks to Eric Sesterhenn
        - Optimised for caching, cleaning code, static funcs, removing Junk
        - ICC
    - Results:
      - 4 digit pin: 0.035 seconds
      - 5 digit pin: 0.108 seconds
      - 6 digit pin: 4.312 seconds
      - 9 digit pin: 1318 seconds
  • 36. [ 0x03 ] Protocol issues
    - BT Crack – Behind the scenes (1)
      Device A, Step 1: Generates RAND, sends RAND to B; K = E22(RAND, PIN, PIN_LEN)
      Device B, Step 1: K = E22(RAND, PIN, PIN_LEN)
      Device A, Step 2: Generates RANDA; CA = RANDA xor K, sends CA to B
      Device B, Step 2: Generates RANDB; CB = RANDB xor K, sends CB to A
      Device A, Step 3: RANDB = CB xor K; LKA = E21(RANDA, ADDRA); LKB = E21(RANDB, ADDRB); LKAB = LKA xor LKB
      Device B, Step 3: RANDA = CA xor K; LKA = E21(RANDA, ADDRA); LKB = E21(RANDB, ADDRB); LKAB = LKA xor LKB
      Device A, Step 4: sends CH_RANDA to B; SRESA = E1(CH_RANDA, ADDRB, LKAB)
      Device B, Step 4: SRESB = E1(CH_RANDA, ADDRB, LKAB), sends SRESB to A
      Step 5: SRESA = SRESB
      E22 = Connection key, E21 = Device key
  • 37. [ 0x03 ] Protocol issues
    - BT Crack – Behind the scenes (2)
      PIN = -1;
      do {
          PIN++;
          CR_K = E22(RAND, PIN, length(PIN));
          CR_RANDA = CA xor CR_K;
          CR_RANDB = CB xor CR_K;
          CR_LKA = E21(CR_RANDA, ADDRA);
          CR_LKB = E21(CR_RANDB, ADDRB);
          CR_LKAB = CR_LKA xor CR_LKB;
          CR_SRES = E1(CH_RAND, ADDRB, CR_LKAB);
      } while (CR_SRES != SRES);   /* stop at the first candidate that reproduces the sniffed SRES */
    - Right: Shaked and Wool logic
    - Top: Pseudo code by Tomasz Rybicki, Hakin9 04/2005
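The exchange on slide 36 and the verification loop on slide 37, as an added example that is not code from the slides or from BTCrack. It lets device A and device B derive the initialisation key, the combination link key and the SRES response with the same inputs and message order as the slide, then applies slide 37's check to a list of candidates. The SAFER+ based E22, E21 and E1 of the specification are replaced by SHA-256 stand-ins of the same shape (16-byte keys, 4-byte SRES), and the addresses and the PIN are constructed values, so the block shows the structure of the weakness, namely that every input to the link key except the PIN travels in the clear, and not Bluetooth's actual numbers.

```python
# Added example, not code from the 23C3 slides or from BTCrack: the PIN pairing
# exchange of slide 36 and the offline check of slide 37, with SHA-256 stand-ins
# for the SAFER+ based E22/E21/E1 (same inputs and output sizes, not the real
# functions). Addresses and PINs used below are constructed sample values.
import hashlib
import os
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple


def _h(tag: bytes, *parts: bytes, n: int) -> bytes:
    return hashlib.sha256(tag + b"".join(parts)).digest()[:n]


def E22(rand: bytes, pin: bytes, pin_len: int) -> bytes:
    """Stand-in for E22: 16-byte initialisation key K from RAND and the PIN."""
    return _h(b"E22", rand, pin, bytes([pin_len]), n=16)


def E21(rand: bytes, addr: bytes) -> bytes:
    """Stand-in for E21: one device's 16-byte contribution to the combination key."""
    return _h(b"E21", rand, addr, n=16)


def E1(rand: bytes, addr: bytes, key: bytes) -> bytes:
    """Stand-in for E1: the 4-byte authentication response SRES."""
    return _h(b"E1", rand, addr, key, n=4)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair(addr_a: bytes, addr_b: bytes, pin: bytes,
         rng: Callable[[int], bytes] = os.urandom) -> Dict[str, bytes]:
    """Run the slide 36 exchange between device A (master) and device B.
    Returns what an observer sees on the air plus both sides' link keys."""
    if not 1 <= len(pin) <= 16:
        raise ValueError("PIN must be 1..16 bytes")
    # Step 1: A sends RAND in the clear; both derive K from it and the PIN.
    in_rand = rng(16)
    k_a = E22(in_rand, pin, len(pin))
    k_b = E22(in_rand, pin, len(pin))
    # Step 2: each side draws a random value and sends it masked with K.
    rand_a, rand_b = rng(16), rng(16)
    ca = xor(rand_a, k_a)  # A -> B
    cb = xor(rand_b, k_b)  # B -> A
    # Step 3: unmask the peer's value; LKAB = E21(RANDA, ADDRA) xor E21(RANDB, ADDRB).
    lk_at_a = xor(E21(rand_a, addr_a), E21(xor(cb, k_a), addr_b))
    lk_at_b = xor(E21(xor(ca, k_b), addr_a), E21(rand_b, addr_b))
    # Steps 4-5: A challenges with CH_RAND, B answers with SRES, A compares.
    ch_rand = rng(16)
    sres_b = E1(ch_rand, addr_b, lk_at_b)
    if E1(ch_rand, addr_b, lk_at_a) != sres_b:
        raise RuntimeError("authentication failed")
    return {"addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand, "ca": ca,
            "cb": cb, "ch_rand": ch_rand, "sres": sres_b,
            "lk_a": lk_at_a, "lk_b": lk_at_b}


def check_pin(observed: Dict[str, bytes], pin: bytes) -> Optional[bytes]:
    """Slide 37's check for one candidate: recompute the link key from the
    captured RAND, CA, CB and addresses, and confirm it against the captured
    SRES. Returns the link key when the candidate matches, else None."""
    k = E22(observed["in_rand"], pin, len(pin))
    lk = xor(E21(xor(observed["ca"], k), observed["addr_a"]),
             E21(xor(observed["cb"], k), observed["addr_b"]))
    if E1(observed["ch_rand"], observed["addr_b"], lk) == observed["sres"]:
        return lk
    return None


def search_pin(observed: Dict[str, bytes],
               candidates: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """The do/while loop of slide 37: first candidate that reproduces SRES,
    returned together with the link key it yields."""
    for pin in candidates:
        lk = check_pin(observed, pin)
        if lk is not None:
            return pin, lk
    return None


def digit_pins(length: int) -> Iterator[bytes]:
    """All zero-padded decimal PINs of a given length, as ASCII bytes."""
    for n in range(10 ** length):
        yield str(n).zfill(length).encode("ascii")


if __name__ == "__main__":
    # Constructed addresses and PIN, not real devices.
    obs = pair(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"1234")
    hit = search_pin(obs, digit_pins(4))
    print("matching candidate:", hit[0].decode(), "link key:", hit[1].hex())
```

Running the block pairs the two constructed devices with a four-digit PIN and then reports which candidate reproduces the observed SRES, together with the link key that candidate yields; as slide 28 puts it, that link key rather than the PIN is what matters afterwards, since it is enough to authenticate and E0 is derived from it. The six captured values on the right of `check_pin` are the same ones slide 33 says BTCrack imports from a pairing sniff.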
  • 38. [ 0x03 ] Protocol issues
    - BT Crack – Demo
  • 39. [ 0x03 ] Protocol issues
    - Link keys – What can I do with them?
      - Authenticated to both devices, Master & Slave, with the same link key
      - Dump them from any Linux, Mac, Windows machine
      - Create an encrypted hidden stealth channel, plant the linkkey
      - You can decrypt encrypted traffic with the linkkey
    - How to force re-pairing?
      - Shaked and Wool proposed:
        - Injection of LMP_Not_Accepted spoofing the Master
        - Before the master sends Au_rand, inject In_rand to the slave
        - Before the master sends Au_rand, inject random SRES messages
      - We propose:
        - Use bdaddr to change the Bd_Addr to a member, connect to the master with an unknown linkkey.
  • 40. [ 0x04 ] Kick-Out
    - Sooooo now we have:
      - A quick and reliable way to get the BD_ADDR
      - A way to crack the Pin and the keys
    - What's left?
      - The sniffer. It costs around 13.000$, you can get it on eBay sometimes for 1/10 of the amount.
      - Assignment: Go and make one for everybody.
  • 41. [ 0x04 ] Kick-Out
    - Things to Remember:
      - Bluetooth might be a risk for your Company
      - Risk assessment is rather complex
      - Don’t accept every file you are being sent, just click NO.
      - Disable Bluetooth if not required
      - Pair in “secure” places (SIG Recommendations)
      - Don’t use Unit Keys
      - Hold your Bluetooth vendor accountable for vulnerabilities
      - Delete your pairings
      - Use BT 2.0 and “Simple Pairing”