December 13, 2008

To Blue, or not to Blue: That is the Question

I spent part of last year and this year researching Bluetooth security, and recently I have been promoting the need to focus on securing Bluetooth technologies at both the personal and the enterprise level. I've presented on it at several private and public events all over the world, such as Meitsec 2008, II Jornadas CCN-CERT, and SANS London 2008.

An event-independent English version of the presentation (requested by multiple attendees) is available here!

The most critical aspect is that Bluetooth devices are being used extensively to exchange private and sensitive information in the form of data and voice, and control is mainly in the hands of end users. If you do not put in place an enterprise (or even personal) security program for these devices and communication channels at the same level you do for the rest of your infrastructure, you will be dealing with Bluetooth-related security incidents soon, especially in targeted attacks. Start by adding Bluetooth detection capabilities, and integrate this technology into your penetration tests and incident handling procedures.

Although it has been tough traveling around with two laptops, plus the USRP, multiple omni and directional antennas, cables, several Bluetooth dongles, plus the victim cellphones and headsets... just to run the demo, it has been a worthwhile experience! The demonstration focuses on showing the audience the Bluetooth activity around them, discovering the undiscoverable (hidden Bluetooth devices), and injecting and eavesdropping on audio from a headset. The underlying threat was first published by Spill and Bittau, then popularized by Josh Wright, and in my opinion it is not getting enough attention. A demo is worth a thousand words! ;)

Something that caught my attention at one of the events was how little impact the presentation and demo had on part of the audience; it seemed not to raise their awareness or paranoia level about the current threats. It is in our hands (as end users and organizations) to improve the security capabilities we demand from Bluetooth vendors. Most of the time, though, I see the audience changing the Bluetooth settings on their phones and PDAs as I move through the material ;)

This time, the security recommendations are not based on expensive or complex solutions, such as the latest and greatest Bluetooth IDS/IPS that costs more than 100K €. You simply need to follow common-sense practices and precautions to get a reasonable level of protection (check the last part of the presentation), and understand the major threats and weaknesses, especially in Bluetooth devices with limited capabilities, such as car kits, headsets, keyboards and mice, etc.

Enjoy it and... Happy Blue Christmas!
Raul Siles



Blogger Alberto said...

Thanks, although it felt short to me. Did you only have time to talk about discovering hidden devices and the attacks on hands-free devices?

5:05 AM  
Blogger Raul Siles said...

Alberto, well known as a mobile and Bluetooth security researcher, writes in (in Spanish - previous comment) saying that the presentation was... well, short :)

I agree that the presentation material is short, as the main focus was on the practical side.

The demo was focused on going over the whole attack from scratch, that is, showing that the device was hidden, running the USRP to identify part of the BD_ADDR, using four USB Bluetooth devices ("the octopus") to brute-force its presence and find the second part of the BD_ADDR, and then, finally, establishing a connection to the device (hands-free headset) using its default PIN and capturing (& injecting) audio.

Overall, 60-90 minutes depending on the event.

2:24 AM  
Blogger Alberto said...

Thanks. I see now that the talk was focused on the practical demo, which is very interesting.

It may take some time to discover hidden devices with the USRP technique but that's a demo I would like to see.

It's very cool that you used hands-free devices instead of other Bluetooth devices because most of the time, when they are active but not connected, they are hidden. However, as far as I know, if the hands-free headset is connected to a mobile phone at that moment it's not possible to connect from another device, because Bluetooth only supports one connection per profile, doesn't it?

Thanks for your response.

1:12 PM  
Blogger Raul Siles said...

It takes some time to discover hidden devices, but not too much...

Getting the LAP with the USRP is immediate if the device is involved in a communication.

Getting the NAP+UAP (like the OUI) using the "octopus" (4 Bluetooth dongles) and the OUI list from the BNAP, BNAP project is a matter of minutes (1-15 mins.) depending on the position of the target device's OUI in the BNAP list.

Of course, it must be an OUI in the BNAP list; if not, the only option using this method would be to brute-force the OUI, and that would take much more time.

12:51 AM  
Blogger Raul Siles said...

Regarding your second comment, that I forgot to cover in my previous response, you're right: the beauty of these devices is that they are always hidden unless you force them to be visible during the boot process for pairing purposes.

Most of these devices only accept one connection, as you mentioned. In a real-world attack scenario, the attacker would need to interrupt the current connection, for example using a BD_ADDR spoofing attack with a wrong link key, in order to establish his own (and unique) connection with the target device.

12:04 PM  
