Presentation on theme: "Ben Cumber Kyle Swenson"— Presentation transcript:
1Ben Cumber Kyle Swenson Bluetooth SecurityBen CumberKyle Swenson
2Overview Introduction to Bluetooth Proliferation and Applications Protocol stackProfilesProliferation and ApplicationsSecurityPast attacksCurrent state of the artKnown vulnerabilitiesExamples; DemonstrationFuture attacksHardening Options: Mitigating the RiskConclusion
3Introduction to Bluetooth ConvenienceIEEE : Personal Area NetworkDefines the medium access control (MAC) mechanismsBaseband/ Physical2.4 GHz ( Same as Wi-Fi)Adaptive Frequency HoppingCurrently Maintained by the Bluetooth Special Interest Group (SIG)AFH = 1600 channel hops per second, determined by negotiated pseudo random sequenceBluetooth Special interest groupCorporation that licenses BluetoothTo sell, manufacture or rebrand any product with Bluetooth requires SIG membership.
4Introduction to Bluetooth: Protocols Mandatory Bluetooth ProtocolsLink Manager ProtocolLogical Link Control and Adaptation Protocol (L2CAP)Service Discovery Protocol (SDP)Audio Streaming ProtocolsRFCOMM (Most common)Link Manager protocolManages radio link between devices for the sessionL2CAPManages logical connections to higher layers with the protocol service multiplexer(PSM)Service Discovery Protocol (SDP)Standardized format for devices to list offered profiles and serveriesRFCOMMEIA RS-232 Emulation, token based, reliableMeant to be a cable replacementTransmitted in plaintext
5Relevant Bluetooth Profiles Defines how a device uses the Bluetooth protocolsAll built on core Bluetooth stackWidespread integration and interoperability.Defines the authentication and encryption (if any)Human Interface Device (HID)Built off the USB HID specificationIncludes RTUs, data acquisition equipmentAudio Control and DistributionBluetooth headset phone control and audio streamingObject Exchange (OBEX)Allows file transfer, contact transferProfiles:Widespread integration and interoperabilityOver 40 different profiles have been defined and adoptedHID:Universal plug-n-playThe idea of Virtual Cables
6Bluetooth Security Mechanisms Pairing: usually requires user verification, version dependentBonding: allows for seamless reconnection after two devices have been pairedBased off a link-key generated during the pairing processIf either device forgets the link-key, then it is renegotiated automaticallyPlaintext negotiation of encryption keyEncryption:Completely optional, dependent upon device capability.Bluetooth leaves security up to the user.Depends on short range communication which offers a little securityPairing:Enter a 4-16 digit pinVerify a pin numberIf one device doesn’t support security, just forget it.Bonding:When two devices are bonded its possible to force a pairing by injecting a few bad packets.WE WANT TO STRESS:Authentication and encryption is Profile and Device DependentEncryption and authentication is optional, but suggested
7Bluetooth Security: The MAC Address Basis for all Bluetooth communicationAll devices are required to at least respond to direct connection requests, regardless of discoverability settingAssumed to be uniqueWith the right module, it’s easy to imitate a legitimate device.Specification doesn’t define behavior when two devices have the same MAC addressPart of the MAC address is allocated by the SIG/IEEEPublicly availableOther part is assigned by the manufacturerThe MAC AddressBasis for all BT CommAffects channel hopping sequence and timingImplicitly defines seeds for pseudo-random number generation used in encryption and authentication.Devices Required to respondAll encapsulated in the Frequency Hop Synchronization packet (FHS)FHS packet completely describes communication parametersRequired response when a direct connection request is receivedContains “unique” 48-bit Bluetooth MAC, class of device, clock information, channel information, Bluetooth Version, etc.
8Bluetooth Security: The MAC Address Lower Address Portion (LAP)Mandatory part of baseband communicationUpper Address Portion (UAP)Contains time delay information for frequency hopping.Non-significant Address PortionUAP + NAP form the organizationally unique identifierOnce the MAC address has been determined, the device is potentially compromisedLAPEasily discovered as you will see in our demo.UAPCan be discovered through brute force once you know the LAP
9Known Exploits BlueRanger BTCrack SpoofTooph Uses the required direct connection response to gauge relative distance through the integrity of the linkSpoofToophScans for discoverable devicesClones the deviceImitates MAC address, profiles, services, names, and other “unique” characteristicsBTCrackHow it works:Observe a pairingGuess a 4-16 digit pinCheck to see if the hashed value of the pin matches the hashed value that you observed.BlueRangerAlso collects data on the target.Gets the relative location of the device.SpoofToophExtracts info using SDP (Service Discovery Protocol) and the Frequency Hopping Spectrum PacketCausing disconnections and MITM attacksBTCrackChallengesForcing a pairing(By injecting a bad packet)Actually observing the pairingRequires a large-bandwidth spectrum analyzer, which cost around $10,000 or the ubertooth one
10Known Exploits BlueBugging – Control a remote smartphone Making/forwarding calls, sending and receiving text messages.Snarfing – Retrieve contacts or calendarUses the OBEX Push ProfileOBEX Push doesn’t require any authenticationCarwhisperer – Uses vehicular audio profilesSend audio messages to driverListen to conversations in the vehiclevCardBlaster (Virtual Business Card)Contains contact informationSends a continuous stream of vCards using BluetoothBluetooth v4.0 has already been exploitedBlueBuggingIdea is to emulate a headsetSnarfingOBEX “Object Exchange”Often doesn’t even notify the usersvCardBlasterTarget a single user or all devices in rangeContact info can be specific or generatedUsed toFill up Disk SpaceAdd a bunch of random contacts
11Collecting Information Ubertooth OneA custom Bluetooth chip from TI (CC2400) with a LPC 1768 Cortex M3 microcontroller attached via USB$120 module, allows sniffing of Bluetooth trafficAble to export packets to Wireshark traffic, get sensitive informationSpectrum AnalyzerSimple to program, modify, and useWith some embedded systems experience and motivation, every exploit is possibleOpen Source projectAbility to follow a specific device through its hopping scheme
12Bluetooth and SCADA SEL-2925 – RS-232 emulation over wireless link ConvenienceRemote Telemetry and Data AcquisitionSame performance degradation as WiFi in noisy environmentsUses HID profile: simple, fast, negligible configurationIncreasingly being used for automationBuilt off a commercially available Bluetooth moduleEncryption likely based off v2.1 SSP, with known vulnerabilitiesSource: https://www.bluetooth.org/en-us/Documents/BW13_DayOne_Session3_BluetoothTrends.pdf
13Hardening BluetoothEncrypt the data at a higher layer (application layer) in the protocol stackDon’t use it!Turn Bluetooth OFF (non-discoverable, non-connectable doesn’t matter)Bluetooth in SCADA and critical infrastructureBluetooth was designed for convenience, not securityOther than lower power consumption, Bluetooth has no advantage over WiFi.Integrating Bluetooth into SCADA is inappropriate- use something elseDon’t depend on Bluetooth protocol for securityBluetooth is vulnerable at nearly every layer in the protocol stackDevice imitation and MITM attacks are easily completed
14Conclusion Bluetooth security needs more attention Lack of appropriate tools cripples penetration testing and security analysisEmbedded applicationsMost completely omit security, assume protection in complexityDemonstrates the need for a reliable, secure, wireless communicationSecurity must be an integral component in the initial design process, not added after the factRealize the risk when using Bluetooth for your SCADA application.