Bluetooth Vulnerability Assessment

Similar documents
175 Lakeside Ave, Room 300A Phone: (802) Fax: (802) /18/2017

THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS

Modern Honey Network 11/16/ Lakeside Ave, Room 300A Phone: (802) Fax: (802)

NETWORK SECURITY. Ch. 3: Network Attacks

CIS 700/002 : Special Topics : Bluetooth: With Low Energy comes Low Security

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Digital Test. Coverage Index

Hacking challenge: steal a car!

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Aditya Gupta presents: Hacking Bluetooth Low Energy for Internet of Things

Real-time Bluetooth Device Detection with Blue Hydra. Granolocks Zero_Chaos

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

LiveMIC. Bluetooth Wireless Microphone P/N NSRXRM3C2MSX USER GUIDE

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Iphone 5 Manual Charger Not Work After Update

Users Guide. IDBLUE.HF and IDBLUE.UHF. IDBLUE Support

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

PerkinElmer s Force Multiplier Pilot Program

SAMSUNG ELECTRONICS RESERVES THE RIGHT TO CHANGE PRODUCTS, INFORMATION AND SPECIFICATIONS WITHOUT NOTICE. Products and specifications discussed

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

SMART Technologies. Introducing bluetooth low energy and ibeacon

Manual Iphone 5 Bluetooth Pairing Problems. With Macbook Pro >>>CLICK HERE<<<

Smart Device Connection Manual for Android

AirServer Connect User Guide

Bose Soundlink Wireless Mobile Speaker Will Not Pair

A Framework for Optimizing IP over Ethernet Naming System

Ios 6 Manual Ipad 2 Wifi Problemi >>>CLICK HERE<<<

The Smarter Balanced Technology Strategy Framework and Testing Device Requirements EXECUTIVE SUMMARY

Bluetooth Mini Keyboard Paired But Not Connected Android

How To Use Bluetooth Of Ipod Touch Off Without Power Button

iphone, ipad & ipod troubleshooting guide

Iphone Bluetooth Setup 4s How To Use Push. Notifications >>>CLICK HERE<<<

1-7 Attacks on Cryptosystems

Generation Bluetooth Not Working

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

VIRTUAL REALITY ALIEN ATTACK GAME. Item No Owner s Manual

Click to edit Master title style Buzzing Smart Devices

VictronConnect manual

Sync Manually Greyed Out Ipod Touch Apps Screen

Repair Guide Htc One X Wifi Problems After Update

Getting started with the FP-NET-6LPBLE1 function pack for 6LoWPAN IoT node connection to a smartphone via BLE interface

Harmony Smart Keyboard

GENERAL SET-UP & APP GENERAL SET-UP & APP PAIRING/SYNCING FEATURES BATTERY ACCOUNT & DEVICE SETTINGS PRIVACY WARRANTY. For IOS:

INTRODUCTION... 2 GETTING STARTED...

Iphone Usb Tethering Windows 7 No Internet. Access >>>CLICK HERE<<<

CHI Easy Access: Register From on the CHI Network

How To Reset Locked Ipod Touch To Factory Settings Without Computer

Manual Iphone 5 Charger Cable Not Working Ios 7 Update

GENERAL SET-UP & APP PAIRING/SYNCING FEATURES BATTERY ACCOUNT & DEVICE SETTINGS PRIVACY WARRANTY GENERAL SET-UP & APP ANDROID

A senior design project on network security

Texas Division How to Login and Register for My IT Support and ServiceNow

ipad How to use the ipad Getting Started with the basics FHS Gabriel Hill 3/31/2011

At&t phone wont picture messages. At&t phone wont picture messages.zip

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Please Manually Power Up This Phone Droid X

Lexar Media Manager User Guide

Avaya Scopia Mobile Android Release (SP12)

Application Analysis: Fitbit

Chapter 11: Networks

SMARTWATCH WITH ACTIVITY AND SLEEP TRACKER

How To Force Restore A Computer That Won Boot Up After System

SmartBeacon-USB/USB-E

WaveWare STG SIP to TAP Gateway

Why Does My Ipad Mini Not Stay Connected To

Five9 Supervisor App for ipad

Iphone 3gs Wont Connect To Wifi Unable To Join Network

Chapter 11: It s a Network. Introduction to Networking

Manual Iphone 5 Bluetooth Not Working With Macbook Via

Panoramic Talking Camera

IPad Wireless Switch Interface

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Why Wont My Iphone 5 Bluetooth Connect To My Macbook Pro

Amazon Echo Forensics

iphone/ipad Connection Manual

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came

Lenovo ideapad 330S ideapad 330S-14AST ideapad 330S-14AST U ideapad 330S-14AST D ideapad 330S-15AST ideapad 330S-15AST U ideapad 330S-15AST D

ios 9.3 ipads & iphones What you need to know! Jere Minich, APCUG Advisor, Region 5 Program Chair, Lake-Sumter Computer Society

AAD - ASSET AND ANOMALY DETECTION DATASHEET

Paypal Users Guide Pdf Samsung Galaxy S4 Active

Model 3000 Series Bluetooth User s Manual. May 2017 Revision 2

100% Satisfaction. Guaranteed

How To Restart Ios 6 Update Ipad 2 Siri >>>CLICK HERE<<<

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

1. Press "Speed Test" to find out your actual uplink and downlink speed.

Denial of Service and Distributed Denial of Service Attacks

Wireless LAN Security (RM12/2002)

Update Manual Ios Unable To Verify >>>CLICK HERE<<<

How To Setup Bluetooth Iphone 4s Ringtones On Windows >>>CLICK HERE<<<

How To Manually Sync An Ipod Touch 4g Screen Distortion

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

How To Use Bluetooth Of Ipod Touch Facetime On My

ECCouncil Certified Ethical Hacker. Download Full Version :

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Table Of Content 1. What s in the box 3 2. About the unit 4 3. Getting started 5 4. Networking options 6 5. Turning on the MTC-5000 Unit 7 6.

Proximity FAQ Version 1.12

Android Bluetooth Pin Code Change Sim Card Blackberry

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Transcription:

Bluetooth Vulnerability Assessment 175 Lakeside Ave, Room 300A 04/20/2017 Phone: (802) 865-5744 http://lcdiblog.champlain.edu/ Fax: (802) 865-6446

Disclaimer: This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated. Contents Introduction... 2 Background... 2 Purpose and Scope... 2 Terminology... 3 Methodology and Methods... 4 Equipment Used... 4 Analysis... 5 BlueHydra... 5 Btlejuice... 6 L2ping... 7 Results... 7 BlueHydra... 7 Btlejuice... 8 L2ping... 8 Conclusion... 9 Further Work... 9 References... 11 Bluetooth Vulnerability Assessment Page 1 of 12

Introduction The Bluetooth Vulnerability Assessment project evaluated the capabilities and vulnerabilities of the increasingly popular wireless protocol, Bluetooth. The objective of this project was to determine what information could be gathered from Bluetooth devices and if the devices themselves could be exploited using open source tools currently available to the public. Two such tools our team had decided to use were Econocom Digital Security s Btlejuice and Pwnie Express s BlueHydra. Another tool we used was a command in Linux called l2ping. All of the tools brought unique capabilities to the project and allowed us to assess and exploit vulnerabilities within the Bluetooth protocol. Background The LCDI has been conducting research into the Bluetooth protocol and its vulnerabilities since the spring of 2016. Last semester s research team was broken down into two groups: one team worked with Btlejuice by Econocom Digital Security and the other with Pwnie Express s BlueHydra. Btlejuice is a framework developed for performing Man-in-the-Middle attacks on Bluetooth Smart devices. Last semester s team utilized Btlejuice to help unlock a Schlage Sense Smart Deadbolt by intercepting signals from an authorized smartphone and resending them from an unauthorized laptop. However, the team ran into issues after updating the firmware on the lock and phone, limiting their ability to manipulate the lock. They were only able to unlock the deadbolt once with the laptop, but afterwards were unable to unlock it with either the phone or the laptop. This semester we hoped to discern if it was still possible to exploit this vulnerability, or if the vulnerability was addressed in the latest firmware update. BlueHydra uses the device discovery service from the bluez library and an Ubertooth One adapter in order to find classic and low energy Bluetooth devices within a certain proximity. The BlueHydra team had two goals for the previous fall semester: to use BlueHydra and the Ubertooth One to find Bluetooth devices outside of discovery mode and to see if they could track a person throughout a building. In both aspects, the team encountered issues. This was attributed to a communication fault between the Ubertooth One and BlueHydra. Purpose and Scope Since Bluetooth capable devices are becoming increasingly available, it is important to stay on top of vulnerabilities within the Bluetooth protocol itself. The Bluetooth Vulnerability Assessment project is assessing any vulnerabilities and determining how they can be exploited. Bluetooth Vulnerability Assessment Page 2 of 12

Research Questions 1. What sort of information can be gathered from Bluetooth devices using BlueHydra and Btlejuice? 2. What vulnerabilities can be observed in Bluetooth devices as a result of information gathering? 3. What kinds of exploits can be run against our Bluetooth devices? 4. Is it possible to disable the use or connection of Bluetooth devices? Terminology Bluetooth- is a method of wireless connection that allows for data transfer over short distances between devices. l2ping- is a Linux command that allows a user to send packets to a Bluetooth enabled device through its layer two address. This command was used to send thousands of packets to our Bluetooth devices in an attempt to overload them and either block a connection, block their function, or shutdown the device. BlueHydra- is a Bluetooth discovery program meant to find and report on Bluetooth devices using Bluetooth Classic or Bluetooth Low Energy. It runs on the bluez Linux library. It also uses a physical device called an Ubertooth to discover these devices. Btlejuice- is a framework designed to expedite the process of performing man in the middle attacks against Bluetooth devices. It contains a core program, an interception proxy, and a dedicated web interface designed to make the attacks easy to view and execute. Bluetooth Low Energy- Designed to run with minimal power consumption, Bluetooth Low Energy also known as BLE or Bluetooth Smart, is a short range wireless personal area network. It is commonly used in small devices such as fitness trackers, Bluetooth enabled toys, security devices, and home entertainment products. Media Access Control (MAC) Address- The media access control address, or MAC address, is a physical address assigned to a device by the manufacturer. These addresses are most commonly 48 bits with the first 24 bits identifying the manufacturer and the last 24 identifying the individual device. Denial of Service- A denial of service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. A DoS attack is sent by one person or system while an attack by two or more people is known as a distributed denial of service attack (DDoS). DoS attacks are accomplished through different methods. One of these methods involves saturating the target with external communications requests to overload the machine so it can't respond to requests from legitimate users. By using up all of the target's resources, it can no longer provide its intended service. Bluetooth Vulnerability Assessment Page 3 of 12

Ping Flood- is a method of a DoS attack where the target is sent a ping multiple times (in the hundreds or thousands) without waiting for a response and within a very short interval. The objective is to overflow the target and cause it to fail. Generic Attribute Profile (GATTs)- is used by the Bluetooth protocol to define the way two Bluetooth Low Energy devices transfer data back and forth with concepts called services and characteristics. GATT makes use of the Attribute Protocol (ATT) to store Services, Characteristics, and related data in a table with 16-bit IDs for each entry in the table. Methodology and Methods Before working with our Bluetooth tools, each member of the team conducted research into the Bluetooth Protocol and its possible vulnerabilities. With a basic understanding of the protocol, we started learning how to use BlueHydra and Btlejuice. Based on each tool's functionality, we began the project by using BlueHydra to take advantage of its Bluetooth scanning ability. We secured a set of Bluetooth capable devices with different versions of Bluetooth and used BlueHydra to discover pertinent details about each, such as their Bluetooth version and Bluetooth MAC address. Table 1 below contains the details we gathered about each of the devices. Midway through the semester, we discovered the l2ping command in Linux, which sends Bluetooth packets to a specified device using its Bluetooth MAC address. We used these devices and tools as a baseline throughout the project. Armed with the specifics about our Bluetooth devices, we transitioned to working with Btlejuice in an attempt to intercept Bluetooth communications and exploit them. Equipment Used The devices listed below, are all of the devices used for testing purposes: Table 1: Bluetooth Device List Name Device Type Hardware Specification Anker Bluetooth Keyboard Bluetooth 3.0 Keyboard Apple Watch Sport Watch Bluetooth 4.0 Fitbit Surge Fitness Watch Bluetooth 4.0 Moto 360 Smart Watch Smart Watch Bluetooth 4.0 Bose Soundlink Mini Speaker Bluetooth 3.0 UE Boom Gen 2 Speaker Bluetooth 4.2 Bluetooth Vulnerability Assessment Page 4 of 12

UE Boom Gen 1 Speaker Bluetooth 4.0 Nexus 7 Tablet Tablet Bluetooth 3.0 iphone 6S Smart Phone Bluetooth 4.0 iphone 7 Smart Phone Bluetooth 4.0 Samsung Galaxy Prime Smart Phone Bluetooth 4.0 Samsung Galaxy S7 Smart Phone Bluetooth 4.2 Lenovo IdeaPad P400 Touch Toshiba Satellite C55t- B5110 Ubertooth One (2) Laptop Laptop Monitoring and Development Platform Kali Linux Kali Linux RP-SMA RF Connector CC2591 RF Front End CC2400 Wireless Transceiver LPC175x ARM Cortex-M3 Microcontroller with Full-Speed USB 2.0. USB A Plug Kinivo Adapter (2) Bluetooth Adapter Bluetooth 4.0 Analysis BlueHydra We devised several test situations for BlueHydra in a number of different environments to observe its consistency. The tool itself was easy to use and analyze. Figure 1 below provides an example of BlueHydra in use. The screenshot depicts all of the columns organized in a neat and evenly spaced manner. One feature we utilized within BlueHydra was rearranging the order in which devices were displayed on the screen. By using the s key and pressing enter we were able to move the columns to the right as needed, changing the order of the columns and allowing for greater organization and observation. This was especially useful because BlueHydra is a live scanning tool, meaning it is being updated every few seconds with new information. Reorganizing the columns made interpreting the live data easier on the eye. Bluetooth Vulnerability Assessment Page 5 of 12

Figure 1: BlueHydra in use Btlejuice Much like the team from last semester, we encountered the most problems when using Btlejuice. Installation of the tool revealed several problems including the fact that node-legacy must be installed in order for Btlejuice to reference Node.js libraries properly. The program does not operate on the current version of Node.js. Once we had Btlejuice installed properly, we ran into a problem with our proxy. The web proxy would not relay Bluetooth communications through itself as intended. Rather, the proxy would connect to the device you specified and essentially hijack that connection for itself leaving the controller (the ipad in the case of the smart lock) out of the connection. We tried many configurations in an attempt to coerce the proxy into functioning. This included spoofing the Bluetooth Addresses of our Kinivo Bluetooth Adapters using the command line tool Spooftooph, a utility that automates the spoofing of Bluetooth devices. Our configurations included spoofing one of the devices to get a baseline result, spoofing one as the ipad and not spoofing the other, spoofing one as the lock and not the other, and spoofing one as the lock and one as the ipad. Finally we attempted all possible connections using each of these configurations with no resolution to our proxy issue. Please reference the diagram below in Figure 2 for a visual representation of the proxy problem. Bluetooth Vulnerability Assessment Page 6 of 12

Figure 2: Btlejuice Proxy Problem Network Diagram L2ping The latest tool to the Bluetooth Vulnerability Assessment team s repertoire is l2ping. The team learned about l2ping after researching the Bluesmack attack, which is a DoS attack for Bluetooth devices. L2ping was designed as a system administration tool which sends an echo request to a designated Bluetooth MAC address. For the purpose of our vulnerability testing, we used l2ping to disrupt and shut down vulnerable Bluetooth devices. Results BlueHydra One of the first questions we wanted to explore was what pieces of information could be intercepted using the various tools at our disposal. With BlueHydra, we are able to receive various types of useful information including the manufacturer, Bluetooth version, MAC address, and device name. With the MAC addresses we collected, we transitioned into using Btlejuice with the intent of intercepting Bluetooth data as it was being live broadcasted. Blue Hydra is capable of intercepting a wide variety of Bluetooth data, including data created by ibeacon devices. ibeacon devices transmit location based data through BLE; this transmission allows for BlueHydra to Bluetooth Vulnerability Assessment Page 7 of 12

gather information on the range of the device and its approximate location. Unfortunately, we could not get this feature to function properly. Btlejuice BtleJuice allowed us to view some of the same devices we found and identified using BlueHydra, but offered limited success in the interception of Bluetooth data. Despite the varied configurations of spoofing, we were not able to obtain packets that could then be used to replay the GATTs on the lock to have it lock or unlock. The only GATTs we did obtain were in some instances where we would receive eight packets, as shown in Figure 3. All of them were read GATTs and could not be used in any meaningful way. The appearance of these packets were not consistent either. On occasion, they would appear and on others they would not. At one point, we received a pop up from Btlejuice alerting us that a packet had been intercepted (the 2b 00 as seen in Figure 3 below). However, there was no action that could be taken with those packets. One thing to note is that all of the packets which Btlejuice intercepted actually appeared before initiating interception. Figure 3: Btlejuice GATT interception L2ping Using l2ping, we attacked our devices by sending packet floods to their specific Bluetooth MAC addresses. This attack yielded results against our Fitbit Blaze watch and our Anker Keyboard. We also tested against a Samsung Galaxy s7 connected to a UE Boom Gen2 speaker which had a small effect on the audio signal. Further testing of our remaining Bluetooth devices provided no noticeable effect. At first, the Blaze was put in pair mode and l2ping ran against it. After 343 packets came through, the device itself crashed and completed a full power cycle (restarted). The test was run again and it was discovered that the Fitbit could be sent packets and disabled without being in pair mode (i.e. while not searching for a new connection). The Fitbit could be disabled at any time using this command. In order to restore the device to its Bluetooth Vulnerability Assessment Page 8 of 12

prior status of not being vulnerable to the attack while not in pair mode, the Fitbit would need a full power reset. Once the device powered back on it could no longer be flooded with pings while not in pair mode. We created a similar event with the Anker keyboard where we were able to ping the keyboard repeatedly in pair mode, to the point where a full power cycle was needed to restore functionality to the device. This flood against the keyboard required roughly 3000 packets. Our testing revealed that l2ping s effectiveness was varied in terms of the devices it could be used against. If the device openly accepted and attempted to process those packets, it would slow the device down to the point where it would either be severely disrupted or in some cases (e.g. the Anker Keyboard) it would completely disallow connections to the device until a full power cycle was given to it. Different situations gave way to different devices being vulnerable. Much of the time, if a device was in pair mode, it was vulnerable. Conclusion Upon completion of testing, the Bluetooth Vulnerability Assessment team made significant strides in identifying weaknesses in the Bluetooth protocol. Using BlueHydra we were able to sniff device specific information from visible devices within our testing environment. We were able capture read packets of a Bluetooth Schlage Deadbolt using Btlejuice, but were unable to successfully create a man-in-the-middle attack and control the lock remotely from an unpaired device. Lastly, using the l2ping command we were able to create disruptions in functionality of devices and in some cases render a device useless until it went through a complete power cycle. Further Work The team has done extensive testing with BlueHydra, Btlejuice and l2ping. We have tested numerous devices with each tool and have determined the effectiveness of each. Btlejuice is a tool with which we have been wholly unsuccessful. The only steps moving forward with using that tool would be reverse engineering the application itself to discover how it works and why it is not functioning as expected. The phone apps and devices we have used might also need to be reverse engineered to determine if Btlejuice is a tool that can even exploit a device like the Schlage Smart Sense Deadbolt. If the LCDI were to continue the Bluetooth Vulnerability Assessment project they would need a group of individuals comfortable reverse engineering software and troubleshooting the issues the previous teams have encountered. BlueHydra could be tested further with dedicated ibeacons since as of now the tool is not reporting the precise location of devices which have integrated ibeacons. L2ping is a simple tool that could be tested against new devices, as they roll out into the Bluetooth Vulnerability Assessment Page 9 of 12

market. It is the recommendation of this team to research and explore using new tools because, to date, we have exhausted all efforts working with the ones used in this project. They have been extensively researched, tested, and modified and their conclusions have been reached. Bluetooth Vulnerability Assessment Page 10 of 12

References Bluetooth. (2017, April 29). Retrieved May 2, 2017, from https://en.wikipedia.org/wiki/bluetooth Blue Hydra (2017, Feb 24). Retrieved from https://github.com/pwnieexpress/blue_hydra Bluetooth Low Energy. (n.d.). Retrieved May 2, 2017, from https://www.bluetooth.com/what-is-bluetoothtechnology/how-it-works/low-energy Caquile, Damien (2017, Jan 17). BtleJuice Bluetooth Smart (LE) Man-in-the-Middle framework, Retrieved from https://github.com/digitalsecurity/btlejuice Denial of Service. (2015, February 3). Retrieved May 2, 2017, from https://www.owasp.org/index.php/denial_of_service Designer. (n.d.). Retrieved from https://www.fitbit.com/surge?gclid=ckeuo5pu_tecfudldqodxpshbw&%3bdclid=ciqzrzp U_tECFeu8swodpx4NsA G., & Z. (n.d.). Real-time Bluetooth Device Detection with Blue Hydra. Retrieved March 7, 2017, from https://media.defcon.org/def%20con%2024/def%20con%2024%20presentations/defco N-2 4-Granolocks-Zero-Chaos-Bluehydra-Realtime-Blutetooth-Detection-UPDATED.pdf Krasnyansky, M., Holtmann, M., & Faerber, N. (2002, January 22). L2ping. Retrieved May 2, 2017, from http://linuxcommand.org/man_pages/l2ping1.html MAC address. (2017, May 01). Retrieved May 2, 2017, from https://en.wikipedia.org/wiki/mac_address Ping Flood (ICMP Flood). (n.d.). Retrieved May 2, 2017, from https://www.incapsula.com/ddos/attackglossary/ping-icmp-flood.html S. (2016, August 7). More on Blue Hydra. Retrieved March 7, 2017, from http://www.sportsfirings.com/?p=14877 Bluetooth Vulnerability Assessment Page 11 of 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback