
1 TJ OConnor, Nate Grunzweig, David Brasefield

2 The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.

3 Think about… this device knows:
- Who you talked to last
- Where you have been
- Your email
- Your texts from last night
And we don’t give it any protection. But it could be worse… there are some things that just shouldn’t be mobile devices….

4 Should a credit card system really have a radio whose main design constraint is to cost < $2?

5 What happens on iPad release day if you jam 2.4 GHz?

6 Heart-rate monitors, glucometers, respirators, hearing aids, patient data. Should this stuff really rely on a framework built for low cost instead of security?

7 This guy meets with a hospital floor of Bluetooth™-enabled heart rate readers? Can you DoS a floor of nurses?


11 Average consumer communication devices become vulnerable…
- Nokia 6310 BlueBug
- iPhone SDP attack
- Broadcom WiFi drivers

12 ….I see targets.
- Many vectors for attack.
- Quick rush to market.
- Unlikely the average consumer will update (firm|soft)ware.

13
- Goal is to have it cost less than $300
- Goal is to always be connected to your network

14 Lots of great work done on Bluetooth / WiFi intrusion detection.
- Virginia Tech is doing a lot of great anomaly / signature detection on attacks.
- Signatures are obvious and easy…..
- Unauthenticated RFCOMM connect to channel 13, followed by AT commands == BlueBug

15 http://www.blackhat.com/presentations/bh-usa-09/MAHAFFEY/BHUSA09-Mahaffey-MobileFuzzing-PAPER.pdf
1. Discover WiFi MAC address passively.
2. MAC + 1 = Bluetooth address
3. Send malformed SDP packet to BT address
4. Read your texts from last night.

16 Starting to get really popular
- See Mahaffey’s paper at Black Hat 2009
- Makes really evil things possible, like device driver exploits

17
- We really don’t know what is out there.
- We need to collect mobile device zero-day.
- Take lessons learned from wired IDS.
- Honeypots for the win!

18 Necessary to examine all vectors to analyze an attack.
- Attacker jams 3G to force user onto WiFi
- Passively observes WiFi traffic to find MAC
- Begins Bluetooth fuzzing
- Finds vulnerability
- Listens to Lindsey Lohan’s voicemail

19
- Bluetooth
- WiFi
- GPS
- Infrared
- Zigbee
- WiMax
- (2|3)G, CDMA, EDGE

20 Applications
- Integrated browsers
  - Mobile Safari
  - BlackBerry® Browser
- Bundled software
- 3rd-party applications
- Homebrew apps

21 Bluetooth
- MAC address
  - Registered OUI: 04:1E:64:xx:xx:xx tells us you are an iPhone
- Discoverability
- RFCOMM ports: UUID16 0x0003 – RFCOMM
- L2CAP (PSM) ports: UUID16 0x0100 – L2CAP
- Service Discovery Protocol (SDP)

22 sdptool browse --l2cap 00:23:6C:60:21:12

```text
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x111f - HandsfreeAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x2 - ServiceRecordState
  Integer : 0x0
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x8
```
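A honeypot operator wants the records above as data, not screen text: which service classes a device (or the honeyclient itself) advertises and on which RFCOMM channel. The parser below is an added example for the sdptool output format shown on the slide; it is not honeyM code. The sample input is the slide's own record, re-indented the way sdptool prints it.

```python
import re

# The slide's sdptool record, with the indentation sdptool prints restored.
SAMPLE_SDP = """\
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x111f - HandsfreeAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x2 - ServiceRecordState
  Integer : 0x0
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x8
"""

ATTR_RE = re.compile(r"Attribute Identifier : (0x[0-9a-f]+) - (\w+)", re.I)
UUID_RE = re.compile(r"UUID16 : (0x[0-9a-f]+) - (\w+)", re.I)
CHAN_RE = re.compile(r"Channel/Port \(Integer\) : (0x[0-9a-f]+)", re.I)

def parse_sdp(text):
    """Map each attribute name to its UUIDs [(code, name)] and RFCOMM channel (or None)."""
    rec, cur = {}, None
    for line in text.splitlines():
        if m := ATTR_RE.search(line):
            cur = m.group(2)
            rec[cur] = {"id": int(m.group(1), 16), "uuids": [], "channel": None}
        elif cur and (m := UUID_RE.search(line)):
            rec[cur]["uuids"].append((int(m.group(1), 16), m.group(2)))
        elif cur and (m := CHAN_RE.search(line)):
            rec[cur]["channel"] = int(m.group(1), 16)
    return rec

def service_classes(rec):
    """Names from the ServiceClassIDList, e.g. the Handsfree profile of a phone."""
    return [name for _, name in rec.get("ServiceClassIDList", {"uuids": []})["uuids"]]

def rfcomm_channel(rec):
    """Channel only if the ProtocolDescriptorList actually lists RFCOMM (0x0003)."""
    pdl = rec.get("ProtocolDescriptorList")
    if not pdl or not any(code == 0x0003 for code, _ in pdl["uuids"]):
        return None          # L2CAP-only service: no RFCOMM channel to report
    return pdl["channel"]
```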

23
- MAC address
  - Registered OUI again
  - May be an increment of the BT address
- Wireless fingerprints
- TCP fingerprints: p0f, Queso
- TCP services: banner grabs
- UDP services
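Slides 21 and 23 both fingerprint a device from its address: the OUI names the vendor, and the Wi-Fi and Bluetooth addresses of one phone sit one apart. A honeypot that logs both radios can use that to tie a Wi-Fi observation and a Bluetooth observation to the same visitor. The code below is an added example, not honeyM code; the OUI table holds only the prefix the slides give (extend it from the IEEE list), and the carry across octets is handled numerically.

```python
# Only the OUI the slides mention; a real table comes from the IEEE OUI registry.
KNOWN_OUIS = {"04:1E:64": "Apple iPhone (per the slides)"}

def mac_to_int(mac):
    parts = mac.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a colon-separated 48-bit address: {mac!r}")
    return int("".join(parts), 16)

def int_to_mac(value):
    value &= (1 << 48) - 1      # wrap so FF:FF:FF:FF:FF:FF + 1 stays 48 bits wide
    return ":".join(f"{(value >> s) & 0xFF:02X}" for s in range(40, -1, -8))

def oui(mac):
    return mac.upper()[:8]

def fingerprint_oui(mac):
    return KNOWN_OUIS.get(oui(mac), "unknown OUI")

def adjacent_addresses(mac):
    """mac-1 and mac+1, keeping only candidates inside the same OUI.
    The carry is done on the integer, so ...:BB:FF -> ...:BC:00, and a
    candidate that crosses into another vendor's block is dropped."""
    n = mac_to_int(mac)
    return [c for c in (int_to_mac(n - 1), int_to_mac(n + 1)) if oui(c) == oui(mac)]

def correlate(wifi_seen, bt_seen):
    """Pair each Wi-Fi MAC the honeypot saw with a Bluetooth address one step away."""
    bt = {a.upper() for a in bt_seen}
    return [(w.upper(), c) for w in wifi_seen for c in adjacent_addresses(w) if c in bt]
```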

24 User-Agent strings:

```text
Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.
BlackBerry9630/4.7.1.40 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105
MOT-L6/0A.52.45R MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1
```

25  Introduce a whole new realm….

26 A realm that we just can’t keep up with…..

27 Do we emulate all of this, while still inviting attacks and logging?
- Emulate Bluetooth
- Emulate WiFi / TCP / UDP
- GPS
- Match all the signatures.

28 …lots of open source tools to audit a device’s signature
- btaudit
- nmap
- sdptool
- p0f
- hcitool

29 …open source tools that work together for traffic generation
- bccmd
- Scapy
- PyBluez
- p0f

30 …lots of open source tools to log interaction with devices
- Wireshark
- Kismet
- tcpdump
- Spectools
- gpsd


32 bccmd – utility for flashing Cambridge Silicon Radio (CSR) chips
- Written by Marcel Holtmann and Adam Laurie
- Allows us to flash a $25 dongle into anything

33

```python
from bluetooth import (BluetoothSocket, RFCOMM, PORT_ANY, advertise_service,
                       SERIAL_PORT_CLASS, SERIAL_PORT_PROFILE)

dev = ""  # local adapter address; "" binds to any adapter

# Bind a Bluetooth RFCOMM socket
server_sock = BluetoothSocket(RFCOMM)
server_sock.bind((dev, PORT_ANY))
server_sock.listen(1)

# Advertise a "vulnerable" Bluetooth phonebook service over SDP
advertise_service(server_sock, "Contacts",
                  service_classes=[SERIAL_PORT_CLASS],
                  profiles=[SERIAL_PORT_PROFILE])

# Block until a remote device connects; client_info is (bdaddr, channel)
client_sock, client_info = server_sock.accept()
```

34
- Willing to pay the Windows tax for an AirPcap TX card.
- One of few cards able to change the MAC OUI.
- Supports traffic injection via compat-wireless (zd1211rw); you’ll just need to add the USB vendor ID.

35 So easy, even Army officers can write packet injection code…
- Total packet manipulation library
- Supports multiple protocols
- Supports Bluetooth / WiFi code
- Great references and examples out there
  - Scapy TCP finite state machines
  - Adam Pridgen over at TheCoverOfNight.com

36

```python
from scapy.all import Dot11, DNS, DNSRR, sendp

def send_dns_reply(addr1, addr2, id, qd, rrname, ttl, rdata):
    # Create an 802.11 data frame (from-DS: looks like it came through the AP)
    dnsResp = Dot11(type="Data", FCfield="from-DS", addr1=addr1, addr2=addr2)
    # Append a DNS reply to the 802.11 frame; qr=1 marks it as a response
    # (the slide wrote "qt", which is not a Scapy DNS field)
    dnsResp /= DNS(id=id, qr=1, qd=qd,
                   an=DNSRR(rrname=rrname, ttl=ttl, rdata=rdata))
    # Send the frame at layer 2
    sendp(dnsResp)
```

37

```python
from scapy.all import IP, TCP, send
from scapy.modules.p0f import p0f_impersonate

# Use p0f to impersonate a TCP SYN from a SymbianOS phone
pkt = p0f_impersonate(IP(dst='www.shmoocon.org') /
                      TCP(sport=1025, dport=80, flags='S'),
                      osgenre='SymbianOS')
send(pkt)
```

38
- Mimicking users is difficult.
- LARIAT project up at MIT.
- We can’t just fire off wget scripts to www.kittenwar.com, www.ilovekats.com to pretend to be a college student.

39 In honeyM, you can select a profile….
- University Student
- Top Secret Government Agent
- My Mom
- Corporate Employee

40
- Top Secret Government Agents do things like VPN, SSH, use PKI… (no really, they do.)
- Corporate employees do things like browsing financial news, logging into webmail.
- University students do things like….. (well, university student things)
- Don’t even ask about my Mom.


44
- Any communications activity to the device is suspect.
- Doesn’t mean every Bluetooth NAME_REQ is bad though… this happens all the time.
- How do we reduce false positives in logging?
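Slide 14 gives the BlueBug signature (unauthenticated RFCOMM connect to channel 13, then AT commands) and slide 44 asks how to keep routine NAME_REQ traffic from swamping the log. One answer is a small stateful matcher over the honeyclient's event log: discovery chatter is counted but never alerted on, and an alert fires only when the full sequence comes from one remote address. This is an added example, not honeyM code; the log format and the sample lines are constructed for the example.

```python
import re

# Constructed sample of honeyclient event lines: "<time> <remote addr> <event> [detail]"
SAMPLE_LOG = """\
10:00:01 00:11:22:33:44:55 NAME_REQ
10:00:02 AA:BB:CC:DD:EE:FF NAME_REQ
10:00:03 00:11:22:33:44:55 RFCOMM_CONNECT channel=13 auth=0
10:00:04 00:11:22:33:44:55 DATA AT+CGMI
10:00:05 AA:BB:CC:DD:EE:FF RFCOMM_CONNECT channel=13 auth=1
10:00:06 AA:BB:CC:DD:EE:FF DATA AT+CGMI
10:00:07 00:11:22:33:44:55 DISCONNECT
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<addr>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) "
                    r"(?P<event>\w+)(?: (?P<detail>.*))?$", re.I)
CONNECT_RE = re.compile(r"channel=(\d+) auth=([01])")
BLUEBUG_CHANNEL = 13
BENIGN_EVENTS = {"NAME_REQ", "INQUIRY"}   # discovery chatter: counted, never alerted on

def detect_bluebug(lines):
    """Return (alerts, benign_count). An alert is an unauthenticated RFCOMM
    connect to channel 13 followed by AT commands from the same remote address."""
    open_unauth = {}          # addr -> timestamp of the suspicious connect
    alerts, benign = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # lines that do not fit the format are skipped
        ts, addr, event = m["ts"], m["addr"].upper(), m["event"].upper()
        detail = m["detail"] or ""
        if event in BENIGN_EVENTS:
            benign += 1
        elif event == "RFCOMM_CONNECT":
            c = CONNECT_RE.search(detail)
            if c and int(c.group(1)) == BLUEBUG_CHANNEL and c.group(2) == "0":
                open_unauth[addr] = ts
            else:
                open_unauth.pop(addr, None)   # authenticated or other channel: reset
        elif event == "DATA" and addr in open_unauth and detail.upper().startswith("AT"):
            alerts.append({"sig": "BlueBug", "addr": addr,
                           "connect_ts": open_unauth[addr], "ts": ts, "cmd": detail})
        elif event == "DISCONNECT":
            open_unauth.pop(addr, None)
    return alerts, benign
```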


46  Is this just a malformed 802.11 frame or is it more?

47 Recording all Bluetooth HCI-layer information.

48  Everyone would have a Bluetooth Protocol Analyzer for logging Piconets.

49  Oh look, Al Qaeda just got bluebugged.

50
- Kismet-NG now supports Spectools traffic as a plugin.
- Can correlate spectrum activity to management frames.
- Auxiliary/wireless/dos_ctf_flood

51 Unique legal constraints to mobile device honeyclients not found on wired networks
- Typically we relied on expressed consent or trespasser consent to allow us to capture on a honeyclient.
- Unfortunately we cannot get the consent of all users on 2.4 GHz.

52 Can only do full BT packet capture with specialized equipment
- CATC Merlin
- Frontline
- USRP

53 Subject to chaff
- What if I just send 1,000,000 packets to obscure my actual attack?
- These are the same problems as for wired honeypots.

54 Make the targets so attractive, nobody thinks it is a honeyclient
- #hcitool scan - Paris Hilton’s iPhone

55
- Mobile device attacks are dynamic, relying on multiple vectors for attack.
- We can use honeyclients to discover novel attacks on mobile devices.

56
TJ OConnor, www.itoc.usma.edu, terrence.oconnor@usma.edu
Nathan Grunzweig, nathan.grunzweig@usma.edu
David Brasefield, david.brasefield@usma.edu
