Buzzing Smart Devices


Buzzing Smart Devices: Smart Watch Hacking

I Have A Question?

Why CATS Everywhere? Cats are Evil

Era of Mouse (Source: memegenerator)

About me
- Anti-Cat Person
- Security Researcher at Payatu Software Labs
- Hardware Maker
- Intel Software Innovator
- Occasional Artist

Agenda
- Introduction to Bluetooth
- Bluetooth Attacks: Passive and Active Analysis, Man-In-The-Middle, Fuzzing
- Mobile Attacks: Static Analysis, Active Analysis
- Hardware Attacks: Hardware Analysis, Debug interface, Flash protection bypass

Bluetooth Low Energy

What is Bluetooth Low Energy?
- Bluetooth is one of the most commonly used wireless communication protocols, especially in mobile phones, smart devices and many more.
- As the name says, it consumes low power and few resources for its operations.
- It is completely different from traditional Bluetooth Classic.
- Since it is low power, devices can run for years on a single battery, or indefinitely with energy harvesters.
- Since most devices have Bluetooth, it is interoperable.

Specifications of Bluetooth LE
- Low latency connection (3 ms)
- Low power (15 mA peak transmit, 1 uA sleep)
- Designed to send small packets of data (as opposed to streaming)
- 128-bit AES-CCM
- GFSK @ 2.4 GHz
- Adaptive Frequency Hopping
- 37 + 3 data + broadcast channels

Bluetooth LE Stack (Image source: Bluetooth Specification)

How Bluetooth LE connects? (Image source: When Encryption is Not Enough)

Roles in Bluetooth LE (Image source: When Encryption is Not Enough)

GAP and GATT

Generic Access Profile
- GAP controls connections and advertising.
- There are two ways to send advertising data:
  - Advertising Data Payload: mandatory, and periodically transmitted by the peripheral.
  - Scan Response Payload: an optional secondary payload that can be requested by the central. It usually carries a little more data than the advertising packet.
- The peripheral stops advertising as soon as the connection is established.

Generic Attribute Profile
- GATT defines the communication semantics between the client and the server.
- It comes into play once the connection is established.
- It uses concepts called Profiles, Services and Characteristics.
- It uses the ATT (Attribute) Protocol.
- It stores services and characteristics in a lookup table, using a 16-bit ID (handle) for each entry.

Profiles, Services and Characteristics
- Profile: a predefined collection of services, compiled by either the Bluetooth SIG or the peripheral designers.
- Service: may contain one or more characteristics; used to break up data into different entities; identified by a 16-bit or 128-bit UUID.
- Characteristic: encapsulates a single data point; identified by a 16-bit or 128-bit UUID.
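An added Python example (not from the talk) that parses a constructed advertising payload into its AD structures, as described on the GAP slide, and expands the 16-bit service UUIDs it finds to the 128-bit form GATT services are identified by. The sample bytes, the local name "FitWatch" and the malformed-length handling are constructed for illustration, not a real capture.

```python
import struct

# 16-bit SIG-assigned UUIDs expand to 0000xxxx-0000-1000-8000-00805F9B34FB (Bluetooth Base UUID)
BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Common AD types (Core Specification Supplement); unknown types are reported by number
AD_TYPES = {0x01: "Flags", 0x03: "Complete List of 16-bit Service UUIDs",
            0x09: "Complete Local Name", 0xFF: "Manufacturer Specific Data"}

def expand_uuid16(uuid16: int) -> str:
    """Expand a 16-bit SIG UUID (e.g. 0x180D Heart Rate) to its 128-bit form."""
    return f"0000{uuid16:04x}{BASE_UUID_SUFFIX}"

def parse_ad(payload: bytes) -> list:
    """Split an advertising or scan-response payload into (AD type name, value) tuples.

    Each AD structure is: length byte (covers type + data), type byte, data. A length
    of 0 ends the significant part; a length that overruns the buffer is reported as
    malformed rather than read past the end of the payload.
    """
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            out.append(("malformed", payload[i:]))
            break
        ad_type, data = payload[i + 1], payload[i + 2:i + 1 + length]
        if ad_type == 0x01 and data:
            value = {"le_general_discoverable": bool(data[0] & 0x02),
                     "br_edr_not_supported": bool(data[0] & 0x04)}
        elif ad_type == 0x03 and len(data) % 2 == 0:
            # 16-bit UUIDs are carried little-endian on the air
            value = [expand_uuid16(u) for (u,) in struct.iter_unpack("<H", data)]
        elif ad_type == 0x09:
            value = data.decode("utf-8", errors="replace")
        else:
            value = data
        out.append((AD_TYPES.get(ad_type, f"0x{ad_type:02x}"), value))
        i += 1 + length
    return out

# Constructed sample payload (not a real capture): Flags, Heart Rate (0x180D) and
# Battery (0x180F) service UUIDs, and the local name "FitWatch"
SAMPLE_ADV = bytes.fromhex("020106" "05030d180f18" "09094669745761746368")

if __name__ == "__main__":
    for name, value in parse_ad(SAMPLE_ADV):
        print(f"{name}: {value}")
```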

Previous Attacks
(four image-only slides)

Bluetooth LE Security

Security in LE
- Security of Bluetooth LE resides in the GATT and GAP layers of the protocol.
- Security is enclosed in these three methods: Connecting, Pairing and Bonding.

Security in LE
- Connecting is the act of establishing a communication link. No pairing or bonding is required to communicate over Bluetooth LE.

Security in LE
- Pairing is the act of exchanging keys after connection, typically to set up and maintain an encrypted connection.

Security in LE
- Bonding is the act of storing the exchanged keys after pairing, typically to re-establish an encrypted connection without needing to exchange these keys again.

Connect in LE
- Most smart devices only go as far as connecting and do not provide pairing/bonding, for many external reasons. For example, a light bulb cannot have a keypad or display to enter keys.
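To make the point concrete at the ATT layer, here is an added Python example (not from the talk or any real watch firmware) that encodes the Read/Write Request PDUs gatttool sends and models a hypothetical peripheral whose encryption-protected characteristic rejects access over a merely connected, unpaired link with an ATT Error Response. The handles, values and the GattServer class are assumptions for illustration; the opcodes and error codes are the ones defined in the Core Specification.

```python
# ATT opcodes and error codes as defined in the Bluetooth Core Specification (ATT)
ATT_ERROR_RSP, ATT_READ_REQ, ATT_READ_RSP, ATT_WRITE_REQ, ATT_WRITE_RSP = 0x01, 0x0A, 0x0B, 0x12, 0x13
ERR_INVALID_HANDLE, ERR_READ_NOT_PERMITTED, ERR_WRITE_NOT_PERMITTED = 0x01, 0x02, 0x03
ERR_REQUEST_NOT_SUPPORTED, ERR_INSUFFICIENT_ENCRYPTION = 0x06, 0x0F

def read_req(handle: int) -> bytes:
    """ATT Read Request PDU, i.e. what gatttool's char-read-hnd <handle> sends."""
    return bytes([ATT_READ_REQ]) + handle.to_bytes(2, "little")

def write_req(handle: int, value: bytes) -> bytes:
    """ATT Write Request PDU, i.e. what gatttool's char-write-req <handle> <data> sends."""
    return bytes([ATT_WRITE_REQ]) + handle.to_bytes(2, "little") + value

def error_rsp(req_opcode: int, handle: int, code: int) -> bytes:
    """ATT Error Response: opcode, failing request opcode, handle, error code."""
    return bytes([ATT_ERROR_RSP, req_opcode]) + handle.to_bytes(2, "little") + bytes([code])

class GattServer:
    """Hypothetical peripheral attribute table: handle -> [value, readable, writable, needs_encryption]."""
    def __init__(self, table: dict):
        self.table = table

    def handle_pdu(self, pdu: bytes, link_encrypted: bool) -> bytes:
        op, handle = pdu[0], int.from_bytes(pdu[1:3], "little")
        attr = self.table.get(handle)
        if attr is None:
            return error_rsp(op, handle, ERR_INVALID_HANDLE)
        value, readable, writable, needs_enc = attr
        if needs_enc and not link_encrypted:
            # The permission check comes before the operation: a client that has only
            # connected (no pairing) gets an error instead of the data or the write
            return error_rsp(op, handle, ERR_INSUFFICIENT_ENCRYPTION)
        if op == ATT_READ_REQ:
            return bytes([ATT_READ_RSP]) + value if readable else error_rsp(op, handle, ERR_READ_NOT_PERMITTED)
        if op == ATT_WRITE_REQ:
            if not writable:
                return error_rsp(op, handle, ERR_WRITE_NOT_PERMITTED)
            attr[0] = pdu[3:]
            return bytes([ATT_WRITE_RSP])
        return error_rsp(op, handle, ERR_REQUEST_NOT_SUPPORTED)

# Constructed attribute table for a hypothetical watch: a public battery level and a
# "vibrate" control characteristic that requires an encrypted (paired) link to write
WATCH = GattServer({0x000E: [bytes([0x5A]), True, False, False],
                    0x0012: [b"\x00", False, True, True]})

if __name__ == "__main__":
    print(WATCH.handle_pdu(write_req(0x0012, b"\x01"), link_encrypted=False).hex())  # error 0x0F
    print(WATCH.handle_pdu(write_req(0x0012, b"\x01"), link_encrypted=True).hex())   # write response
```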

Pairing in Bluetooth LE
These are the different methods by which pairing can be established:
- Just Works (000000)
- Numeric Comparison (Yes/No)
- Passkey (6-digit)
- Out-of-Band
(Image source: Bluetooth Specifications)

Key Exchange in Bluetooth LE
Pairing involves a series of key exchanges to encrypt the pairing process and ultimately all communication. The keys include:
- Short Term Key (STK), used to initially encrypt the connection for further key exchange. An algorithm with numerous inputs, including a 128-bit TK, is used to generate the same STK on both the central and the peripheral; the STK itself is never exchanged.
- Long Term Key (LTK), used to encrypt the connection after pairing, and stored to encrypt all future connections between bonded devices. It is only exchanged after initial encryption using the STK.

Tools of Trade

Ubertooth One
- Bluetooth sniffer and injector
- 2.4 GHz transmit and receive capabilities
- Open source, by Great Scott Gadgets
- Easily integrates with Wireshark

CSR 4.0 Dongle
- Bluetooth adapter with 2.4 GHz transmit and receive capabilities
- Supports BLE 4.0
- Freely available on online shopping sites
- Low cost, around $4-8
- Easily integrates with Wireshark

Soft-Tools
- GATTTOOL
- GATTACKER
- BTLEJUICE
- BLUEDIVING
- BLUEAH

GATTTOOL
- It is a part of the BlueZ framework.
- It can connect to a Bluetooth device and read/write its characteristics.
- It has interactive and non-interactive modes.
- Command: gatttool -I -b <MAC>
- Other commands such as characteristics, char-read-hnd and char-write-req are available.

GATTACKER
- This is my favorite Bluetooth MiTM tool.
- It needs two Bluetooth interfaces and acts as a proxy.
- Image source: https://github.com/securing/gattacker

Labs

Bluetooth - Labs

Step 1: Recon
Get used to hcitool and hciconfig to gain more information about the device.
Commands:
  hciconfig hci0 reset
  hcitool lescan
  hcitool leinfo <MAC>

Step 2: Connect
Use GATTTOOL to connect to the device and understand how to read from and write to it.
Commands:
  gatttool -I -b <MAC>
  characteristics
  char-read-hnd <handle>
  char-write-req <handle> <data>

Step 3: MiTM
You can use either gattacker or btlejuice. Configure two machines with Bluetooth dongles. Connect your app and the device to the proxy and perform some operations to log the data.

Step 4: Replay
Now, with the data you analyzed, perform a replay/relay attack from gatttool. Alternatively, you can also use an app called nRF Connect.

Step 5: Fuzz
Since you now know the format of the data which controls the watch, use an exploit framework to fuzz the handle and see if you can observe any reactions in the watch. Find all the vulnerable data.

Mobile App - Labs

Step 1: Disassemble
Use jadx in the VM to disassemble the apk. Look for information like characteristics, write data and other GATT-related classes. Understand how data is being transmitted.

Step 2: Active Analysis
Use things like logcat and internal memory to gain some meaningful information. Use Frida to hook the class which is responsible for the GATT write and read operations.

Step 3: Look for Firmware update
Repeat the previous steps for information related to the firmware update and the mechanism by which it is done.

Hardware - Demo Labs

Step 1: Disassemble
Open the smart watch and identify the various parts in it. Look for any test pads/pins labeled TX/RX or SWDIO/SWCLK; they could be labelled with different names too. These are the debug and log ports of the watch.

Step 2: Access the debug ports
Connect the debug port of the watch to the debugger. Try to read the internal memory or other information from the device.

Step 3: Extract the firmware
If the flash memory is locked, search for any exploits, just like you would for software exploits. Run the flash protection bypass to extract the firmware and analyze it.

Step 3: Play with the firmware
Use visual inspection to figure out how the different parts are connected. Try to port your own code. You can make it a HID device or program your own watch.

Conclusion
- Start with basic recon on the mobile app or the Bluetooth dump.
- Perform MiTM to understand the data that goes to the device.
- Fuzz it.
- Open the hardware, check for hardware ports and extract the firmware.

Reference
- https://learn.adafruit.com/introduction-to-bluetooth-low-energy/introduction
- http://research.worksap.com/research/ble-1/
- https://en.wikipedia.org/wiki/bluetooth_low_energy
- https://developer.bluetooth.org/technologyoverview/pages/profiles.aspx#gatt
- https://github.com/greatscottgadgets/ubertooth/wiki/capturing-BLE-in-Wireshark
- http://lacklustre.net/projects/crackle/
- https://github.com/securing/gattacker
- https://github.com/digitalsecurity/btlejuice

Mouse life matters too - Arun Magesh

Thank You

Contact: arun.m@payatu.com @marunmagesh