Bluetooth-Hacking - Mike Ryan (hardwear)

This document summarizes Mike Ryan's talk on Bluetooth hacking tools and techniques. The talk covered an overview of Bluetooth, the reverse engineering process using Bluetooth logging tools, and case studies analyzing various Bluetooth devices. Key points included how to capture Bluetooth traffic using tools like Wireshark and Ubertooth, common security issues found like lack of encryption, and how the analysis process generally involves logging device usage to decode protocols and identify encryption schemes.


Bluetooth Hacking: Tools and Techniques
Mike Ryan, Founder, ICE9 Consulting
@mpeg4codec
#RSAC
Who is this talk for?
§ Bluetooth device developers
§ Penetration testers
§ Managers
Structure of the Talk
§ Overview of Bluetooth
§ RE Process and Tools
§ Case Studies
Bluetooth and the Reverse Engineering Process

Reverse Engineering Process
1. Do something with the device and app
2. ??? – Capture the data sent via Bluetooth (the open question: how?)
3. Analyze
Sniffing Bluetooth is Hard

Commercial sniffer (product shown only as an image on the slide)
§ Pros: 100% reliable
§ Cons: $20,000
§ Disclaimer: I have never used one

Ubertooth One
§ Pros: $120, open source
§ Cons: Unreliable, BLE only
§ Disclaimer: I wrote most of the BLE sniffing firmware
There is a Better Way!
Bluetooth Overview: the Bluetooth stack beside TCP/IP

Bluetooth            TCP/IP
App Layer            App Layer
[various layers]     TCP
L2CAP                IP
Link Layer           Ethernet LL
PHY                  Ethernet PHY

On the Bluetooth side, the layers down to L2CAP run on the Host.
Bluetooth Overview: Host / Controller split

Host
  App Layer
  [various layers]
  L2CAP
--- HCI (Host Controller Interface) ---
Controller
  Link Layer
  PHY
Logging HCI
§ OS X: packet logger
§ Linux:

$ sudo btmon -w logfile.log

Reverse Engineering Process (revisited)
1. Do something with the device and app
2. Capture the data sent via Bluetooth (HCI logging)
3. Analyze
Case Studies

Case Study 1: BLE Heart Rate Monitor
[screenshot; value shown: 82]
Wireshark display filters used: btatt, bthci_cmd.le_long_term_key
No encryption

Case Study 1: Conclusions
§ Wireshark is incredible
§ Getting Bluetooth logs is practical
Case Study 2: BLE Blood Pressure Monitor
§ Write characteristic: Phone → Device
§ Notify characteristic: Device → Phone
§ Payload bytes 75 00 51 00 decode as the reading 117 / 81: two 16-bit little-endian values, 0x0075 = 117 and 0x0051 = 81
Conclusions: BP Monitor
§ “Hidden” serial port
§ Normal binary protocol reverse engineering
§ Look in the app
§ Once again – No Encryption

Firmware Update Service
Case Study 3: BLE Padlock
[Wireshark screenshot]

Conclusions: Padlock
§ Developers were security-minded
§ Home-grown crypto is fraught with peril
Intermission
Case Study 4: Classic Bluetooth Headset
A2DP? HFP?

Reasons

Message format (“Educated guess”):
80 77 DD AF   magic number
XX            opcode
YY            sequence number
ZZ ZZ         length (16-bit little endian)
...           data
CC CC         checksum

Conclusions: Headset
§ The techniques apply equally well to BR and BLE
§ Ultimately boils down to basic RE
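Parsing the frame layout above, as an added example (not code from the talk): a splitter that resyncs on the magic number and carries a frame cut across two packets into the next call. The sample frames are constructed; the slide gives no checksum algorithm, so the field is only extracted, and its little-endian byte order is an assumption.

```python
"""Frame splitter for the headset layout: magic, opcode, sequence number,
16-bit LE length, data, 16-bit checksum. Added example, not from the talk.
Sample frames are constructed; the checksum is extracted, not verified, and
its byte order (little endian here) is a guess."""
import struct

MAGIC = bytes.fromhex("8077ddaf")
HEADER_LEN = 8      # magic(4) + opcode(1) + seq(1) + length(2)
CHECKSUM_LEN = 2    # CC CC


def parse_stream(buf: bytes):
    """Return (frames, leftover). Bytes before a magic number are skipped
    (resync after noise); a frame cut off at the end of buf is returned as
    leftover so the caller can prepend it to the next captured packet."""
    frames, pos = [], 0
    while True:
        start = buf.find(MAGIC, pos)
        if start < 0:
            return frames, b""
        if len(buf) - start < HEADER_LEN:
            return frames, buf[start:]          # header incomplete
        opcode, seq, length = struct.unpack_from("<BBH", buf, start + 4)
        end = start + HEADER_LEN + length + CHECKSUM_LEN
        if end > len(buf):
            return frames, buf[start:]          # body incomplete
        body = start + HEADER_LEN
        checksum, = struct.unpack_from("<H", buf, end - CHECKSUM_LEN)
        frames.append({"opcode": opcode, "seq": seq,
                       "data": buf[body:body + length], "checksum": checksum})
        pos = end


def build_frame(opcode, seq, data, checksum):
    """Encode one frame in the same layout (checksum supplied by caller)."""
    return (MAGIC + struct.pack("<BBH", opcode, seq, len(data))
            + data + struct.pack("<H", checksum))


# Constructed sample: junk, a whole frame, then a frame split across packets.
FRAME_A = build_frame(0x10, 1, b"\x01\x02\x03", 0x1234)
FRAME_B = build_frame(0x11, 2, b"hello", 0x5678)
PACKET_1 = b"\x00\x00" + FRAME_A + FRAME_B[:6]
PACKET_2 = FRAME_B[6:]


def demo():
    """Feed both packets through the splitter, carrying the leftover."""
    frames, rest = parse_stream(PACKET_1)
    more, rest = parse_stream(rest + PACKET_2)
    return frames + more, rest
```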
Case Study 5: BLE Credit Card
What is a Bluetooth credit card?

Messages transmitted by the phone (tx) in the HCI log, hex followed by ASCII:
tx 02be01013030310000000000000000000000008f ....001.............
tx 02bf0101000000000000000000000000000000bf ....................
tx 02ea0101000000000000000000000000000000ea ....................
tx 02c50101303000000000000000000000000000c5 ....00..............
tx 02ea0101000000000000000000000000000000ea ....................
tx 02b9010131304669727374206e616d65000000ee ....10First name....
tx 02b302013130313034666f6f6f31303b3939388f ....10104fooo10;998.
tx 02b3020238373737373f30303330300000000087 ....87777?00300.....
tx 02ea0101000000000000000000000000000000ea ....................
tx 02c50101313000000000000000000000000000c4 ....10..............
Message layout (20 bytes):
02 XX YY ZZ .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. WW
XX – opcode
YY – total number of messages
ZZ – current message
WW – checksum
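Decoding the slide's own tx lines with the layout above, as an added example (not code from the talk): the messages are grouped into complete ones by YY/ZZ, and an XOR checksum rule is tested against them. That rule is inferred from the data, not stated on the slide, and one line does not satisfy it, so the code labels it a hypothesis.

```python
"""Decoder for the 20-byte credit card messages. Added example, not from
the talk: the tx lines are copied from the slide; the XOR checksum rule is
inferred from them (fits 9 of 10 lines) and is a hypothesis, not a fact."""
# Phone -> card messages from the slide's HCI log, 20 bytes each.
TX_LINES = """
02be01013030310000000000000000000000008f
02bf0101000000000000000000000000000000bf
02ea0101000000000000000000000000000000ea
02c50101303000000000000000000000000000c5
02ea0101000000000000000000000000000000ea
02b9010131304669727374206e616d65000000ee
02b302013130313034666f6f6f31303b3939388f
02b3020238373737373f30303330300000000087
02ea0101000000000000000000000000000000ea
02c50101313000000000000000000000000000c4
""".split()


def parse_message(raw: bytes) -> dict:
    """Split 02 XX YY ZZ <15 data bytes> WW into its fields."""
    if len(raw) != 20 or raw[0] != 0x02:
        raise ValueError("expected a 20-byte message starting with 02")
    return {"opcode": raw[1], "total": raw[2], "current": raw[3],
            "data": raw[4:19], "checksum": raw[19]}


def checksum_ok(raw: bytes) -> bool:
    """Hypothesis: WW = XOR of bytes 1..18 (all but the leading 02 and WW).
    The 'First name' line does not satisfy it, so do not rely on this rule."""
    acc = 0
    for b in raw[1:19]:
        acc ^= b
    return acc == raw[19]


def reassemble(lines):
    """Walk the log in order; join the parts of a multi-message (YY > 1) in
    ZZ order and emit (opcode, data) with the NUL padding stripped."""
    out, pending = [], []
    for hexline in lines:
        m = parse_message(bytes.fromhex(hexline))
        if m["current"] == 1:
            pending = []                    # first part: start a new message
        elif m["current"] != len(pending) + 1:
            pending = []                    # a part is missing: discard
            continue
        pending.append(m)
        if m["current"] == m["total"]:
            data = b"".join(p["data"] for p in pending)
            out.append((m["opcode"], data.rstrip(b"\x00")))
            pending = []
    return out
```

Under the XOR hypothesis the "First name" line (opcode b9) is the one that fails; whether that is a transcription slip in the slide or a different checksum rule cannot be settled from the slide alone.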
Conclusions: Credit Card
§ HCI logging allows us to see encrypted data
§ Encryption isn’t a silver bullet
Case Study 6: BLE Electric Skateboard
No App!
1. Launch Ubertooth
2. Connect remote to board
3. If connection not followed, go to 1
4. Do stuff with board
5. Analyze

No Encryption
Observed values:
RC00000   idle
RC02002   dead man’s trigger
RC02327, RC027D6, RC02AA6, RC032F4   increasing throttle
Conclusions: Skateboard
§ Ubertooth is much harder to use than HCI logging
§ If using encryption, have to crack
Parting Thoughts

Most Common Security Problems
§ No encryption
§ Problems with home made encryption
§ Debug interfaces left behind
§ Incomplete threat modeling
Conclusions
§ Affordable
§ RE Process and Tools
§ Case Studies

Call to Action
Go forth and hack some Bluetooth

Bluetooth Hacking: Tools and Techniques
https://ice9.us/
mike@ice9.us
