TJ OConnor Nate Grunzweig David Brasefield
The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.
Think about… this device knows Who you talked to last Where you have been Your Your texts from last night And we don’t give it any protection But it could be worse… There are some things that just shouldn’t be mobile devices….
Should a credit card system really have a radio whose main design constraint is to cost < $2?
What happens on iPad release day if you jam 2.4?
Heart-rate monitors, glucometers, respirators, hearing aids, patient data Should this stuff really rely on a framework built for inexpensive cost instead of security?
This guy meets with a hospital floor of Bluetooth™ enabled heart rate readers? Can you DOS a floor of Nurses?
Average consumer communication devices become vulnerable… Nokia 6310 Bluebug iPhone SDP Attack Broadcom WiFi Drivers
….I see targets. Many vectors for attack. Quick rush to market. Unlikely average consumer will update (firm|soft)ware.
Goal is to have it cost less than $300 Goal is to always be connected to your network
Lots of great work done on Bluetooth / WiFi Intrusion Detection Virginia Tech doing a lot of great anomaly / signature detection on attacks. Signatures are obvious and easy….. Unauthenticated RFCOMM connect to 13; followed by AT Commands == BlueBug
Mahaffey-MobileFuzzing-PAPER.pdf 1. Discover WiFi MAC Address passively. 2. MAC + 1 = Bluetooth Address 3. Send Malformed SDP Packet to BT Address 4. Read your texts from last night.
Starting to get really popular See Mahaffey’s paper at Blackhat 2009 Makes really evil things possible like device driver exploits
We really don’t know what is out there. We need to collect mobile device zero day. Take lessons learned from wired IDS Honeypots for the win!
Necessary to examine all vectors to analyze an attack. - Attacker jams 3G to force user on WiFi - Passively observes WiFi Traffic to find MAC - Begins Bluetooth Fuzzing - Finds Vulnerability - Listens to Lindsey Lohan’s Voic
Bluetooth WiFi GPS Infrared Zigbee WiMax (2|3)G, CDMA, EDGE
Applications Integrated Browsers ▪ Mobile Safari ▪ BlackBerry ® Browser Bundled Software 3 rd Party Applications Homebrew Apps
Bluetooth MAC Address Registered OUI 04:1E:64:xx:xx:xx tells us you are an iPhone Discoverability RFComm Ports UUID16 : 0x0003 – RFCOMM – L2CAP (PSM) Ports UUID16 : 0x L2CAP Service Discover Profile (SDP)
sdptool browse --l2cap 00:23:6C:60:21:12 Attribute Identifier : 0x1 - ServiceClassIDList Data Sequence UUID16 : 0x111f - HandsfreeAudioGateway UUID16 : 0x GenericAudio Attribute Identifier : 0x2 - ServiceRecordState Integer : 0x0 Attribute Identifier : 0x4 - ProtocolDescriptorList Data Sequence UUID16 : 0x L2CAP Data Sequence UUID16 : 0x RFCOMM Channel/Port (Integer) : 0x8
MAC Address Registered OUI again may be increment of BT Wireless Fingerprints TCP Fingerprints POF, Queso TCP SERVICES Banner Grabs UDP SERVICES
Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419. BlackBerry9630/ Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105 MOT-L6/0A.52.45R MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1
Introduce a whole new realm….
A realm that we just can’t keep up with…..
Do we emulate all of this, while still inviting attacks and logging? Emulate Bluetooth Emulate WiFi / TCP / UDP GPS Match all the signatures.
…lot of open source tools to make a audit device signature Btaudit Nmap Sdptool POF Hcitools
… open source tools together for traffic generation bccmd Scapy PyBluez POF
…lot of open source tools to log interaction with devices Wireshark Kismet tpcdump Spectools gpsd
bccmd – utility for flashing Cambridge Silicon Radios Written by Marcel Holtmann and Adam Laurie Allows us to flash a $25 dongle into anything
# Bind a Bluetooth RFCOMM Socket server_sock=BluetoothSocket( RFCOMM ) server_sock.bind((dev,PORT_ANY)) server_sock.listen(1) # Advertise a vulnerable Bluetooth Phonebook advertise_service( server_sock, "Contacts", service_classes = [ SERIAL_PORT_CLASS ], profiles = [ SERIAL_PORT_PROFILE ] ) client_sock, client_info = server_sock.accept()
Willing to pay Windows Tax for AirPcap TX card. One of few cards able to change MAC OUI Supported Traffic Injection via Compat- Wireless (zd1211rw); you’ll just need to add the USB Vendor ID.
So easy, even Army officers can write packet injection code… Total Packet Manipulation Library Supports multiple protocols Supports Bluetooth / WiFi Code Great references and examples out there Scapy TCP Finite State Machines Adam Pridgen over at TheCoverOfNight.com
# Create an Packet dnsResp = Dot11(type = "Data", FCfield = "from- DS”, addr1 = addr1, addr2 = addr2) # Append DNS Reply to Packet dnsResp /= DNS(id = id, qt = qt, qd = qd, an = DNSRR(rrname = rrname, ttl = ttl, rdata=rdata)) # Send Packet sendp(dnsResp)
# Use POF to impersonate a TCP SYN from # SymbianOS phone pkt = p0f_impersonate(IP(dst=' g')/ TCP(sport=1025, dport=80, flags=’S'), osgenre='SymbianOS') send(pkt)
Mimicking users is difficult. LARIAT project up at MIT. We can’t just fire off wget scripts to to pretend to be a college student.
In honeyM, you can select a profile…. University Student Top Secret Government Agent My Mom Corporate Employee
Top Secret Government Agents do things like VPN, SSH, use PKI… (no really, they do.) Corporate employees do things like browsing financial news, logging into webmail. University students do things like….. (well university student things) Don’t even ask about my Mom.
Any communications activity to the device is suspect. Doesn’t mean every Bluetooth NAME_REQ is bad though… this happens all the time. How do we reduce false positives in logging?
Is this just a malformed frame or is it more?
Recording all Bluetooth hci layer information.
Everyone would have a Bluetooth Protocol Analyzer for logging Piconets.
Oh look, Al Qaeda just got bluebugged.
Kismet-NG now supports Spectools traffic as a plugin. Can correlate spectrum activity to management frames. Auxiliary/wireless/dos_ctf_flood
Unique legal constraints to mobile device honeyclients not found on wired networks Typically we relied on Expressed Consent or Trespasser Consent to allow us to capture on a honeyclient. Unfortunately we cannot get the entire consent of all users on 2.4GHz.
Can only do full BT packet capture with specialized equipment CATC Merlin Frontline USRP
Subject to chaff What if I just send a 1,000,000 packets to obscure my actual attack? These are the same problems for wired honeypots.
Make the targets so attractive, nobody thinks it is a honeyclient #hcitool scan - Paris Hilton’s iPhone
Mobile Device attacks are dynamic, relying on multiple vectors for attack. We can use honeyclients to discover novel attacks on mobile devices.
TJ OConnor Nathan Grunzweig David Brasefield