Bluetooth Defense Kit

1
Bluetooth Defense Kit

• Bruce Potter
• with help from Will Davis
• August, 2006

2
Dont Believe Anything I Say

• "Do not believe in anything simply because you
  have heard it. Do not believe in anything simply
  because it is spoken and rumored by many. Do not
  believe in anything simply because it is found
  written in your religious books. Do not believe
  in anything merely on the authority of your
  teachers and elders. Do not believe in traditions
  because they have been handed down for many
  generations. But after observation and analysis,
  when you find that anything agrees with reason
  and is conducive to the good and benefit of one
  and all, then accept it and live up to it. -
  Buddha
• By Day, Senior Associate for Booz Allen Hamilton
• By Night, Founder of The Shmoo Group and restorer
  of hopeless Swedish cars

3
Cut to the Chase

• The most effective way to prevent Bluetooth
  attacks
• Turn off discoverable mode
• We have no code to release today
• Tried to implement BT Defense capability with no
  reverse engineering, non-device specific, and no
  vendor assistance turned out to be very
  difficult
• Damn near every Bluetooth vulnerability to date
  is an implementation error, not a break in the
  protocol
• The protocol is complicated and hard to implement

4
Anecdotal IP Stack Versus BT Stack

• The BT stack is a complicated animal with MUCH
  less prior art than Ethernet/IP (going on 30
  years)
• Wanted to make my own BT stack diagram for this
  talk, I turned to some books and
  images.google.com
• Apparently there are several hundred different
  Bluetooths based on the results searching for BT
  Stack

5
IP Stack

• http//docs.sun.com/source/806-4075/images/ipov.fi
  g88.epsi.gif

6
IP Stack

• http//www.industrialethernetu.com/images/TCIP.gif

7
IP Stack

• http//en.wikipedia.org/wiki/Internet_protocol_sui
  te

8
Bluetooth Stack

• http//www.htwm.de/lec/twiki/pub/Public/Bluetooth
  Stack/protocol_stack.jpg

9
Bluetooth Stack

• http//www.palowireless.com/bluearticles/images/st
  ack.jpeg

10
Bluetooth Stack?

• http//www.fh-bochum.de/fb3/sr-lab/uploads/RTEmagi
  cC_bt-stack.gif.gif

11
Bluetooth Crash Course

• 2.4 GHz, Frequency Hopping, Personal Area Network
  Technology
• NOT WiFi!
• Pairing - Mechanism for establishing long term
  trust between two BT devices
• RFCOMM - Wireless serial port emulation
  (basically)

12
Bluetooth Crash Course

• AT Commands - You remember these, right? Used to
  control some devices across an RFCOMM connection
• Discoverable mode - When a device wants to be
  found, it will respond to other devices sending
  inquires
• Service Discovery - A bit like port scanning, but
  the remote end doesnt try to hide anything
  (Service Discovery Protocol, SDP)

13
State of the Union

• Current version of Bluetooth Core Spec is 2.0
• Enhanced Data Rate (EDR) now allows for up to
  3Mb/s with basically the same power consumption
• Security is largely unchanged from 1.1 spec
• As of Nov 2005, 9.5 Million BT radios were being
  shipped each week
• At that rate, thats one radio for every 8 people
  on the planet each year
• 9.5 million was up from 4.75 million just 4
  months prior
• Makes WiFi look pretty wimpy from a market
  penetration (closest guess I can make is 200
  million WiFi chips/year, about 40 of the of BT
  chips
• Profiles govern how like devices talk to each
  other
• In the past, a confusing experience now we have
  icons to clear things up

14
Common Deployment Scenarios

• Unlike WiFi, Bluetooth has generally stayed where
  it was supposed to
• Mobility - Cell phones and ear buds, car hands
  free kits, network access
• Every state that passes no handheld cell use
  laws impacts BT sales positively
• Cable replacement - mouse, keyboard, camera
• New uses - printers, mp3 players, etc
• While there is a network access profile, very few
  products to use it (ie T-Mobile didnt ditch
  WiFi hotspots in favor of Bluetooth Hotspots)
• Performance can be well, just horrible

15
The Industry Players (a subset)

• BT Stack Vendors
• WIDCOMM (common with first wave of radios)
• Toshiba
• Microsoft (going to be REAL common soon)
• CSR
• Extended Systems
• Open Interface
• Bluez (Open Source)

• BT Chip Manufactures
• CSR
• Broadcom
• TI
• Infineon

16
In order to defend, we must first understand the
threats
Probe him and learn where his strength is
abundant and where deficient - Sun Tzu
17
Contemporary Bluetooth Attacks and Vulnerabilities

• Trifinite.org has been leading the charge of
  publicly disclosed Bluetooth attacks
• Others such as _at_stake and TSG have tackled some
  BT security issues as well
• Most of what has been really damaging have been
  poor implementations
• Rush to market leads to poor security
• Super complicated protocol stack leads to poor
  security
• Lack of security training for developers leads to
  poor security
• Trifinite.org has lots of attack tools
• Bluediving (bluediving.sourceforge.net) has Linux
  based impls of most of their tools
• Ill let Major do demos of his tools hes better
  at it than I

18
The Real Risk?

• Shhhh dont tell anyone, but there hasnt been a
  huge impact on global commerce or enterprise
  security due to wireless insecurity (WiFi or
  Bluetooth)
• Hell, sales of the Sidekick went up after Paris
  Sidekick got 0wn3d
• Does that excuse us from dealing with this
  problem?
• No
• Is Bluetooth security still an issue for those
  worried about targeted attacks?
• Yes
• Should we temper our response to ensure we stay
  within the bounds of reality?
• Absolutely

19
Why so Little Interest in Bluetooth Security?

• Honestly, we havent yet solved the discovery
  problem
• WiFi device discovery is what blew open the WiFi
  Security world
• When Shipley gave his talk at DefCon 9, the
  community was at a tipping point (to use a buzz
  word)
• Free/open software and about 300 worth of gear
  allowed us to find every 802.11 device within a
  1/4 mile radios
• To have the same kind of success with BT, you
  have to spend about 10k
• 10k is a lot of disposable income to kick around
• Without finding the device, you cant attack it
• Not sexy enough yet

20
Breakdown of the Current Attacks and
Vulnerabilities
21
Stupid Defaults

• Hard configured PINs - Only an issue at pairing
  time, but allows for attacks like Car Whisperer
• For the BT virgins in the audience, the PIN is
  _only_ used at pairing time, not for every comms
  initiation
• No authentication - duh! Even for things like
  automatic vCard acceptance (Sony) this is sketchy
  at best.
• Profiles turned on by default - This is the same
  as keeping unneeded network services from running
• If you dont need it, dont run it (dont expose
  it)
• A quick demo of service discovery of audience
  equipment

22
More Stupid Defaults

• Poor per-profile default - Each profile is like
  an application it can have bad defaults
• Ie I had a Belkin BT CF adapter that had the
  filesharing profile defaulted to world writeable
  and shared the entire filesystems
• Discoverable by default - Why make it that much
  easier for an attacker?
• Anyone been attacked in non-discoverable mode by
  an unknown device?
• Also, discoverable mode sucks down battery faster
• Audience demo

23
Shedding Some Light on Discovery

• Seriously the best defense is keeping
  discoverable mode off

24
Link-Level Attacks

• Resetting the link key - In Shaked and Wools
  Paper (http//www.eng.tau.ac.il/yash/Bluetooth/)
  they describe a way to force a device to lose
  its link key and try and repair
• Basically, fake the BDADDR and repeatedly fail to
  bring up a secure channel, and the device will
  assume you lost the link key
• If a device has a default PIN, you can then
  automatically set up a trust relationship
• Cleartext data - Just like on the web, sometimes
  people forget to encrypt what they should encrypt
  
• Usually need a protocol analyzer to make use of
  this

25
Location Tracking

• Location Based - Its RF.. You can track people.
  Not much you can do about it
• http//braces.shmoo.com - We tracked attendees
  while they were at BlackHat USA 2004
• Had about 64 individuals we tracked for 2 days.
  Only a few hundred lines of code plus 4 laptops
  pretty cheap
• For some, location tracking is a plus
• Aalborg Zoo is using Bluetags to track kids
  Legoland using something similar

26
Human Interface Issues

• Lack of feedback and control/config options for
  the user
• Go ahead try to modify the profiles available on
  your phone or PDA (Macs actually do this pretty
  well)
• Rogue devices
• A name is not an authentication credential. Dont
  trust a device just b/c its friendly name is
  something you recognize
• But.. What other ways are there to identify a
  device?
• Social engineering
• Change the name of your phone to something
  confusing (such as PIN1234) and then attempt to
  pair with random devices you might actually get
  someone to do it.

27
Bad Implementation

• Exposing functionality prior to authentication -
  This is the basis for the BlueSnarf attack
• AT commands are sent to the phone that retrieve
  the address book
• The phone for some reason assumes this is OK and
  gives you all the data
• Packet-o-death - Dear God havent we learned
  this problem yet?
• Bluesmack sends a big l2ping packet to the device
  in an effort to kill it
• Protocol fuzzing in general is a dandy way to
  knock over BT devices (and pretty damn easy to
  implement)

28
Bluetooth Defense Techniques

• Great now we need to figure out how to defend
  Bluetooth
• Enterprise security tools are largely geared
  towards the infrastructure
• With BT there is no real infrastructure
• Many devices that touch the enterprise are not
  corp owned
• We havent even figured out how to secure WiFi
  clients yet
• HotSpot Defense Kit was a reasonable success
  (even if v2 never materialized)
• Many host-based network security products now
  attempt rogue AP detection
• Bluetooth is more prevalent, and the deployment
  scenarios are far more varied
• All the more reason to work to lock it down
• User needs a way to protect themselves from bad
  implementations

29
BT Defense - Some Advice

• Security products need to be usable
• Theres a corollary here that says in
  complicated and emerging technologies, only users
  can recognize attacks
• Another corollary says that products rushed to
  market dont have the best security
• It turns out, like rogue access point defense,
  this is not rocket science but yet its not a
  readily available capability for the user
• Hell, its not readily available for developers
  either

30
Defense Mechanism - User Notification and
Authorization

• User should have the ability to be notified and
  authorize all connections and connection types
• Inquiry scans (discovery), service discovery,
  RFCOMM connections, any particular profile thats
  being accessed
• I can sit in a bar all day and search for
  discoverable devices without being detected..
  Thats just silly
• Architecturally needs to be non-bypassable
• User should have the ability to whitelist based
  on MAC addr, device key, or other values

31
Defense Mechanism - Configuration Options

• Limiting access of trusted devices - Just because
  youve paired with a device doesnt mean it
  should be able to do _everything_
• Per profile limits, connection limits, etc..
• Changing PINs
• Even some of the PIN helpers are pretty lame.
• Must have better PIN management
• Better protection of Link Keys
• More secure storage of Link Keys (TPM?)
• If a device suddenly loses its Link Key, red
  alert should be sounded

32
Defense Mechanism - Profile Specific Guidance

• For all devices, if new profiles suddenly are
  offered, dont allow the connection
• Ie if your headset was just a headset yesterday,
  but now has OBEX and file transfer support, you
  may be under attack by a Linux box
• Handsfree/Headset - Whitelist AT commands that
  can be used (ATRING, ATCKPD, etc)
• Serial Port - Implement fuzzing detection
• OBEX - Require auth _always_
• File Access - Sanity checks for data leaving the
  device

33
Defense Mechanism - Signature Based IDS

• Some of the attack tools these days stick out
  like a sore thumb
• As Madden would say, they run it up the gut
• We should be looking for these footprints
• Due to the nature of Bluetooth, this would have
  to be on a per device basis (a central monitoring
  infrastructure such as WIDS wont work)
• Ie alert/shutdown BT on attempts to get
  telecom/pb.vcfcal.vcsdevinfo.txt without
  authentication

34
Stack Changes Needed to Implement BT Defense

• Ability to whitelist BDADDRs
• Sure they can be spoofed, but its a start
• Ability to scan connecting devices to verify the
  device is the type and specie of device you
  expect
• This kind of connect back is much more socially
  acceptable in wireless PANs
• Allows for device profiling
• Notification hooks
• At all sensitive points discussed before, provide
  hooks to audit actions and make decisions based
  on those actions

35
Bluetooth Defense Kit - Demo

• HAHAHA!
• http//bluetooth.shmoo.com/ for source code once
  we get something working
• Probably going to focus on IPC hooking to
  intercept and modify low level BT-related messages

36
Before We Finish Up.. Summer of Code, TSG Style

• The Shmoo Group was given the opportunity to
  mentor 4 projects under the Google Summer of Code
• http//code.google.com/soc/
• Firekeeper (Student Jan Wrobel, Mentor Len
  Sassman)
• Browser-level Intrusion Detection via rulesets
  designed to detect and block malicous websites
  (neat, given Jeremiah Grossmans talk)
• Prototype available on firekeeper.mozdev.org
• GPGGreasemonkey (Student Kerry McKay, Mentor
  Bruce Potter)
• Client side mail encryption for webmail via FFX
  ext.
• Currently have implementation for Gmail and Yahoo
• svn checkout svn//e.shmoo.com/var/repos/gpgwebma
  il

37
(No Transcript)
38
SOC

• Online Rainbow Tables Lookup (Student Keith
  Larimore, Mentor Freshman)
• Focused on increasing speed
• Completed Basic search capabilities with Web
  interface, queuing, completion emails
• In progress DNS query Interface
• Open Security Framework (Student Soren
  Bleikertz,MentorPravir Chandra)
• A framework to simplify network security analysis

39
Summary/Questions?