NSA Playset: Bluetooth Smart - HITB · Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia,...
Transcript of NSA Playset: Bluetooth Smart - HITB · Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia,...
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
1
NSA Playset: Bluetooth Smart
Mike RyaniSEC Partners
Hack In The Box MalaysiaOctober 16, 2014
A presentation in five acts
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
2
Standard Note
Bluetooth Smart == BLE
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
4
The NSA Playset
⇀ NSA ANT catalog⇀ Sweet codenames!
⇁ DEITYBOUNCE⇁ NIGHTSTAND
⇀ Playset codenames⇁ TWILIGHTVEGETABLE⇁ SLOTSCREAMER⇁ DUCHESSRIDE
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
5
Bluetooth Capabilities
⇀ Ubertooth⇀ Crackle⇀ BlueZ
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
6
Capabilities: Ubertooth
⇀ Discovering undiscoverable devices⇀ Rudimentary classic BT sniffing⇀ Robust BLE sniffing⇀ (WIP) BLE transmit
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
7
Capabilities: Crackle
⇀ Cracking BLE key exchange⇀ Decrypting data
Needs to be paired with a sniffer, like Ubertooth
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
8
Capabilities: BlueZ
⇀ Fully functional BR and BLE stack⇀ Able to act as master AND slave (BLE)⇀ Multipurpose utilities: recon
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
9
Existing Capabilities
⇀ Not bad for zero effort!
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
10
ANT Catalog: Bluetooth
⇀ Even the NSA doesn't care about Bluetooth⇁ Yeah, right
⇀ We don't have the full catalog⇀ Ellisys
⇁ more like elli$y$ amirite
ABSENT?!
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
11
Implied Bluetooth Capabilities
⇀ Headset interception⇀ Surveillance of movement (tracking)⇀ Stack exploitation / RCE⇀ Keyboards → Now we're talking!
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
12
Keyboards and Mice
⇀ Keystroke surveillance⇀ Keystroke injection (BlueDucky?)
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
13
TINYALAMO
⇀ Keystroke injection!⇀ Duckyscript!
DEMO
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
16
BLE in a nutshell
⇀ Master and slave⇀ Advertising
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
17
Advertising Data
⇀ BD ADDR: 48-bits⇀ 16-bit Service UUIDs: 0x1812 (HID service)⇀ Appearance: 962 (Mouse)⇀ Complete Local Name: Bad Mouse
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
18
BLE in a nutshell
⇀ Master and slave⇀ Advertising⇀ Link layer connections⇀ Pairing and encryption⇀ HID
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
20
Targets
OS must support HID over GATT⇀ Android 4.4 (Bluedroid)⇀ iOS 7/8 (iPad only)⇀ Mac OS 10.9+⇀ Linux / BlueZ 5 (Fedora 20, Arch, NOT Ubuntu)⇀ Windows 8 and Windows Phone 8
Not supported: BB 10, Android < 4.4
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
21
Do BLE Keyboards Exist?
⇀ Yes, finally! (I think)⇀ BLE mice totally exist
HID is HID is HID
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
22
HID Encryption
⇀ HID spec requires encryption⇀ Link layer authenticated encryption⇀ Pairing != Encryption
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
24
Encryption Attacks
⇀ Crack encryption, recover key⇀ Exploit implementation flaw
⇁ Encryption downgrade⇁ Opportunistic downgrade⇁ Forced re-pairing
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
26
Crack Encryption
⇀ Least invasive⇀ Downside: Must observe pairing⇀ Bonus: keystroke surveillance
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
28
Opportunistic Downgrade
⇀ More invasive⇀ Distinguishable from legit keyboard⇀ Relies on OS bugs
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
30
Forced Unpairing
⇀ Most invasive⇀ Least broadly applicable
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
31
Naming Names
⇀ Not yet!⇀ Two out of five OSes are vulnerable
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
32
Act V
BUILDING THE ATTACKS
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
33
Ingredients
⇀ Regular Bluetooth dongle⇀ HCI_USER_SOCKET⇀ Scapy⇀ PyBT⇀ Wee bit of Python glue⇀ Ubertooth (optional)
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
34
HCI and HCI_USER_SOCKET
⇀ All Bluetooth dongles speak HCI⇀ You can sniff this with recent Wireshark⇀ You can send totally illegal stuff this way⇀ HCI_USER_SOCKET – speak HCI from userspace
⇁ Linux 3.13 – all recent distros!
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
35
Scapy
⇀ Framework for constructing packets⇀ Added extensive Bluetooth support
⇁ HCI, L2CAP, SM, ATT, GATT⇁ s = BluetoothUserSocket()
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
36
PyBT
⇀ I accidentally a Bluetooth stack⇀ BLE, SM (pairing), key management⇀ GATT client and server⇀ Roles: Central and Peripheral⇀ central = LE_Central()
⇀ periph = LE_Peripheral()
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
37
Ubertooth
⇀ Pull host and HID device addresses out of the air⇀ Nobody uses BLE private addresses correctly⇀ Nobody⇀ Not always necessary (hcitool lescan)
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
38
Putting it all together
⇀ Ubertooth grabs BD ADDR⇀ Launch PyBT
⇁ Talks to dongle via HCI_USER_SOCKET⇁ Builds packets with Scapy
⇀ Advertise with address of mouse⇀ Wait for connection, send “no key” message⇀ Profit!
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
39
URL ME BRO
⇀ https://github.com/mikeryan/PyBT⇀ https://bitbucket.org/mikeryan1/scapy
⇀ Older stuff⇁ https://github.com/mikeryan/crackle⇁ https://github.com/greatscottgadgets/ubertooth
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
40
Thanks
⇀ Marcel Holtmann⇀ Mike Ossmann / Dominic Spill / Ubertooth team⇀ Marcel Holtmann
⇀ Hack In The Box!
41
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014
41
Thank You
Mike Ryan
@mpeg4codec
https://lacklustre.net/