Bluetooth Smart: The Good, The Bad, The Ugly... and The Fix

Similar documents
CIS 700/002 : Special Topics : Bluetooth: With Low Energy comes Low Security

Outsmarting Bluetooth Smart. Mike Ryan. isec Patners. CanSecWest. Mar 14, 2014

PM0257. BlueNRG-1, BlueNRG-2 BLE stack v2.x programming guidelines. Programming manual. Introduction

Wireless Sensor Networks BLUETOOTH LOW ENERGY. Flavia Martelli

Bluetooth low energy technology Bluegiga Technologies

DEEP ARMOR. Hands-on Exploitation & Hardening of Wearable and IoT Platforms. Sumanth Naropanth & Sunil Kumar

Developer & maintainer of BtleJuice. Having fun with Nordic's nrf51822

Click to edit Master title style Buzzing Smart Devices

Aditya Gupta presents: Hacking Bluetooth Low Energy for Internet of Things

Bluetooth LE 4.0 and 4.1 (BLE)

Hacking challenge: steal a car!

Bluetooth low energy security, how good is it? Petter Myhre Bluetooth World, San Jose March 2017

nblue TM BR-MUSB-LE4.0-S2A (CC2540)

Bluegiga Bluetooth Smart Software v.1.3 5/28/2014 1

Wireless Security Security problems in Wireless Networks

Bluetooth 5 Presenter Tomas O Raghallaigh )

Using Network Analyzer Tool to Monitor Bluetooth Mesh Traffic

Guide to Wireless Communications, 3 rd Edition. Objectives

Real-time Bluetooth Device Detection with Blue Hydra. Granolocks Zero_Chaos

CS263: Wireless Communications and Sensor Networks

Unencrypted Mouse Packet

Inside Bluetooth Low Energy

BLED112 Bluetooth Smart USB Dongle 9/16/2013 1

Bluetooth Mesh. Johan Hedberg

Computer Networks II Advanced Features (T )

Beetle: Operating System Support for the Internet of Things

Sensor-to-cloud connectivity using Sub-1 GHz and

The Final Nail in WEP s Coffin

What can a small device do in modern industrial World.

Amarjeet Singh. February 7, 2012

Welcome to my presentation: Message Denial and Alteration on IEEE Low- Power Radio Networks.

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

SMART Technologies. Introducing bluetooth low energy and ibeacon

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Attacking and Defending LoRa systems. LoRa the Explorer 22/03/2016

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Bluetooth modules. Modules and turnkey solutions with embedded Bluetooth firmware and AT command

Beetle: Many-to-many communication in Bluetooth LE. Amit Levy, Laurynas Riliskis, Philip Levis, David Mazières, and Keith Winstein

Section 4 Cracking Encryption and Authentication

BLE121LR Bluetooth Smart Long Range Module 5/12/2014 1

Bluetooth: Short-range Wireless Communication

Security in NFC Readers

Internet of Things Bill Siever. New Applications. Needs. Wearables. Embedded Smarts. Simple to Setup. Networking w/ Long Battery Life (Low Power)

PAN1740 Design Guide

DASH7 ALLIANCE PROTOCOL - WHERE RFID MEETS WSN. public

Frequently Asked Questions WPA2 Vulnerability (KRACK)

The challenge with IoT

UNCLASSIFIED//FOR OFFICIAL USE ONLY INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM

TLS 1.1 Security fixes and TLS extensions RFC4346

I T S E C U R I T Y K N O W - H O W

Energy Efficient Mobile Compu4ng Building low power sensing devices with Bluetooth low energy. Simo Veikkolainen Nokia May 2014

Bluetooth technology: security features, vulnerabilities and attacks Pasquale Stirparo Jan Loeschner Marco Cattani

Bluetooth Low Energy on Android

Bluetooth SIG Liaison Report May 2009

Hacking Exposed Wireless: Wireless Security Secrets & Colutions Ebooks Free

What Ails Our Healthcare Systems?

CS4/MSc Computer Networking. Lecture 13: Personal Area Networks Bluetooth

Overview of IEEE b Security

CS263: Wireless Communications and Sensor Networks

Jonathan Wald and Jason Zigelbaum (A project report written under the guidance of Prof.

GSM Open-source intelligence

Message acknowledgement and an optional beacon. Channel Access is via Carrier Sense Multiple Access with

Bluetooth. Bluetooth Radio

Bluetooth Low Energy Protocol Stack

5 things you want to know about Bluetooth 5

Bluetooth: Technology and Applications. Yang Bo, CTTL SYS, CAICT

BT121 Bluetooth Smart Ready Module. May 2015

The following topics describe how to configure correlation policies and rules.

Bluetooth Low Energy (Bluetooth Smart)

Introduction to Bluetooth Low Energy

Product Specification

Overview. Terminology. Password Storage

When is Bluetooth not Bluetooth?

WirelessHART: Applying Wireless Technology in Real-Time Industrial Process Control

Product Specification

Resilient IoT Security: The end of flat security models

BlueCore. Operation of Bluetooth v2.1 Devices. Application Note. Issue 7

BT-22 Product Specification

New CC430 combines leading MCU and RF technology

T Cryptography and Data Security. Lecture 11 Bluetooth Security. Outline

Connecting & Addressing Security Concerns of Bluetooth Technology in Current Scenario

Stream Ciphers. Stream Ciphers 1

Bluetooth. Quote of the Day. "I don't have to be careful, I've got a gun. -Homer Simpson. Stephen Carter March 19, 2002

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

TOBIAS ZILLNER ZIGBEE EXPLOITED THE GOOD, THE BAD AND THE UGLY

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

n-bit Output Feedback

Performance Evaluation of Bluetooth Low Energy Communication

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

ZIGBEE EXPLOITED. The good, the bad and the ugly. Tobias Zillner August 6th Cognosec 2015 Castellezgasse 16/ Vienna, Austria

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

IOActive Labs: Breaking Embedded Devices

The spear to break the security wall of S7CommPlus

ReDECTed Building an SDR based DECT sniffer. May 27 th, 2015 HITB HAXPO Marc Newlin

CC26xBxA Bluetooth Smart and IoT Module

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

nblue TM BR-LE4.0-S2A (CC2540)

Transcription:

Bluetooth Smart: The Good, The Bad, The Ugly... and The Fix Mike Ryan isec Partners Black Hat USA Aug 01, 2013 1

Why Bluetooth Smart? Because it's appearing EVERYWHERE 2

Why Bluetooth Smart? (2) 186% YoY Growth for H1 2013 1 over 7 million Bluetooth Smart ICs were estimated to have shipped for use in sports and fitness devices in the first half of 2013 alone Analysts Forecast Bluetooth Smart to Lead Market Share in Wireless Medical and Fitness Devices 2 1 http://www.bluetooth.com/pages/press-releases-detail.aspx?itemid=170 2 http://www.bluetooth.com/pages/press-releases-detail.aspx?itemid=165 3

The Good Bluetooth Smart 4

What is Bluetooth Smart? New modulation and link layer for low-power devices vs classic Bluetooth Incompatible with classic Bluetooth devices PHY and link layer almost completely different High-level protocols the same (L2CAP, ATT) Introduced in Bluetooth 4.0 (2010) AKA Bluetooth Low Energy / BTLE 5

Protocol Stack GATT ATT L2CAP Link Layer PHY 6

PHY Layer GFSK, +/- 250 khz, 1 Mbit/sec 40 channels in 2.4 GHz Hopping 7

Hopping Hop along 37 data channels One data packet per channel Next channel = (channel + hop increment) mod 37 3 10 17 24 31 1 8 15 hop increment = 7 8

Link Layer Min of 2 bytes due to 2 byte header LLID: Control vs Data Length 9

L2CAP: A Few Bytes Octets of Bloat 10

ATT/GATT Services: groups of characteristics Characteristics Operations Everything identified by UUID 128 bit Sometimes shortened to 16 bits 11

Example GATT Service: Heart Rate Service: 0x180D Characteristic 1: 0x2A37 Heart Rate Can't read or write Notify: subscribe to updates Characteristic 2: 0x2A38 Sensor Location Readable: 8 bit int, standardized list Other characteristics: 0x2803, 0x2902,... 12

Recap GATT ATT L2CAP Link Layer PHY 13

14

15

How do we sniff it? Start at the bottom and work our way up: PC GATT ATT L2CAP Link Layer Ubertooth PHY 16

Ubertooth Block Diagram PHY layer RF Bits Link layer Bits Packets CC2591 RF Amp RF CC2400 Radio Bits LPC175x ARM MCU Packets USB 17

Capturing Packets Configure CC2400 Set modulation parameters to match Bluetooth Smart Tune to proper channel Follow connections according to hop pattern Hop increment and hop interval, sniffed from connect packet or recovered in promiscuous mode Hand off bits to ARM MCU 18

Link Layer What we have: What we want: What we know: Sea of bits Start of PDU AA CC2400 does this FO FREE 10001110111101010101 10011100000100011001 11100100110100011101 19

PHY Layer.. Link Layer.. We converted RF to packets Now what? 20

Capturing Packets... To PCAP! ubertooth-btle speaks packets libpcap dump raw packet data PPI header (similar airodump-ng and kismet) We have a DLT for Bluetooth Smart Unique identifier for the protocol Public release of Wireshark plugin Coming Soon TM 21

Wireshark Awesomeness 22

Encryption Provided by link layer Encrypts and MACs PDU AES-CCM 23

The Bad Key Exchange 24

Custom Key Exchange Protocol Three stage process 3 pairing methods Just Works TM 6-digit PIN OOB None of the pairing methods provide protection against a passive eavesdropper -Bluetooth Core Spec 25

Cracking the TK confirm = AES(TK, AES(TK, rand XOR p1) XOR p2) GREEN = we have it RED = we want it TK: integer between 0 and 999,999 Just Works TM : always 0! 26

Cracking the TK With crackle Total time to crack: < 1 second 27

And That's It TK STK STK LTK LTK Session keys KEY EXCHANGE = BR0KEN 100% PASSIVE 28

The Ugly LTK Reuse 29

LTK Reuse Good for security: pair in a faraday cage Counter-mitigation: Active attack to force re-pairing 30

Decrypting Assumption: Attacker has LTK reused! Procedure Attacker passively capturing packets Connection established Session information captured 31

Decrypting With crackle Yes, crackle does that too! crackle will decrypt a PCAP file with a pairing setup a PCAP file with an encrypted session, given an LTK 32

The Ugly: Recap Key exchange broken LTK reuse means all communication is effectively compromised 99% passive Worst case scenario: one active attack with off-the-shelf hardware 33

The Fix Secure Simple Pairing 34

My Qualifications Infosec Researcher Infosec Consultant Occasional programmer Shameless Plug: isec Partners Husband Able to grill a mean steak NOT LISTED: Cryptographer 35

Why Secure Simple Pairing? Eavesdropping protection: ECDH In production since 2007, only one weakness Downside: ECDH is expensive secp192r1: ~5 seconds on 8-bit CPU No open source implementation (until now) 36

The Five Phases of SSP 1. Public key exchange 2. Authentication Stage 1 3. Authentication Stage 2 4. Link Key Calculation 5. LMP Authentication and Encryption 37

SSP in Bluetooth Smart 1. Public key exchange 2. Authentication Stage 1: Numeric comparison only 3. Authentication Stage 2 4. Link Key Calculation 5. LMP Authentication and Encryption 38

Backward Compatibility OOB not broken Use calculated link key as 128-bit OOB data Most chips have support 39

Demo D e m o 40

Am I Affected? Probably Exception: Some vendors implement their own security on top of GATT Did they talk to a cryptographer? 41

Summary The Good: Bluetooth Smart The Bad: Key Exchange The Ugly: LTK Reuse The Fix: SSP 42

Capabilities Ubertooth Passively intercept Bluetooth Smart Promiscuous mode and injection (not discussed) Wireshark plugins crackle Crack TK's sniffed with Ubertooth Decrypt PCAP files with LTK nano-ecc: 8-bit ECDH implementation 43

Software Ubertooth and libbtbb http://ubertooth.sourceforge.net/ nano-ecc (8-bit ECDH and ECDSA) https://github.com/isecpartners/nano-ecc crackle http://lacklustre.net/projects/crackle/ 44

Thanks Mike Ossmann Dominic Spill Mike Kershaw (dragorn) #ubertooth on freenode bluez Bluetooth SIG Black Hat isec Partners 45

Thank You Mike Ryan isec Partners @mpeg4codec mikeryan@isecpartners.com http://lacklustre.net/ 46

Feedback Please scan badge when leaving Thanks again! 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback