Adam Laurie, Blue Toot -pacsec-2015
PacSec, November 2015
Blue-Toot
or
“My Android Had a Little Accident...”
Adam “Major Malfunction” Laurie
Who are we?
• Aperture Labs: www.aperturelabs.com
• Zac Franken
  • Chip Monkey
  • Scary Chemicals
  • Bad Smells
• Adam Laurie
  • Code Monkey
  • Convert scary analogue Magic Moonbeams to lovely Digital Bits & Bytes
What?
• Bounty programs
• Pwn2Own
  • Mobile Pwn2Own
• Android NFC
• Android Bluetooth
Android + NFC = Blue-toot
Why?
• Mobile Pwn2Own 2013
  • Short Distance ($50,000): Bluetooth, or Wi-Fi, or NFC
• Pwned in departure lounge on the way home...
  • Not. Too late...
• Mobile Pwn2Own 2014
  “You are welcome to hold your vuln for Mobile Pwn2Own 2014 or to submit now to the ZDI for consideration as a regular case.” - ZDI
Bounties
• The good:
  • Reward anyone for finding bugs
  • Research not driven by company
  • Big bucks - $75,000 top prize in 2014
• The bad:
  • Research paid only on success
    • Cheaper for vendor
    • More expensive for researcher
  • No free market – vendor sets value
  • Selling vulns feels wrong!
  • Saving vulns for bigger payoff
• The ugly:
  • “mobile” Pwn2Own not so mobile!
    • WiFi / NFC / Bluetooth category must be completed in RF shielded cage
    • No phone network!
  • Jump through hoops to “win”
  • “winning” may be decided by coin toss
  • Competition is over after 1st win
    • 5 entries in 2014
    • Subsequent winners given ½ prize
  • Next day vuln “worthless”
    • Unless you sell it on the black market...
    • Errmmm... What's the difference?
  • Less secure by definition:
    • Not all security companies will have access to all vulns
    • You are only as secure as the group covered by your preferred vendor
  • Wassenaar
    Dragos tweeted on Sept 1st:
    “The first bona fide casualty of the Wassenaar changes: HP won't be doing PWN2OWN Mobile in Japan due to new export restrictions.”
The Hack
• NFC
  • NDEF
    • SmartPoster
    • WiFi Config
    • Bluetooth handover
    • Bluetooth handover
      • Switches on Bluetooth
      • Target “open” service
      • OBEX push
      • Send HCI command on established connection
• Bluetooth
  • Send HCI command on established connection
  • Connection is always encrypted
  • Either side can request key change
  • Push new key
  • New key now in target keysfile
  • Restart Bluetooth stack on target
  • Key found in keysfile at startup == TRUST!
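The chain above starts with an NDEF record that tells the handset to switch on Bluetooth and connect. As an added example (not code from the talk or from Aperture Labs), here is a minimal NDEF message parser that surfaces Bluetooth OOB handover records, so the content of a tag can be inspected before a device acts on it. It assumes the NFC Forum NDEF record layout and the `application/vnd.bluetooth.ep.oob` MIME type for BR/EDR handover; the sample message is constructed, not captured.

```python
"""Parse an NDEF message and list the Bluetooth addresses that any
OOB handover record would ask the handset to connect to."""
import struct

# NFC Forum MIME type for BR/EDR Connection Handover (OOB pairing data)
BT_OOB_MIME = b"application/vnd.bluetooth.ep.oob"
TNF_MIME = 0x02  # Type Name Format: MIME media type


def parse_ndef(msg: bytes):
    """Return a list of (tnf, type, id, payload) for every record in msg."""
    records, pos = [], 0
    while pos < len(msg):
        flags = msg[pos]
        pos += 1
        if flags & 0x20:  # CF: chunked records are out of scope here
            raise ValueError("chunked NDEF records not supported")
        sr, il, tnf = flags & 0x10, flags & 0x08, flags & 0x07
        type_len = msg[pos]
        pos += 1
        if sr:  # Short Record: 1-byte payload length
            payload_len = msg[pos]
            pos += 1
        else:   # otherwise 4-byte big-endian payload length
            payload_len = struct.unpack(">I", msg[pos:pos + 4])[0]
            pos += 4
        id_len = 0
        if il:  # ID_LENGTH field present only when IL is set
            id_len = msg[pos]
            pos += 1
        rtype = msg[pos:pos + type_len]
        pos += type_len
        rid = msg[pos:pos + id_len]
        pos += id_len
        payload = msg[pos:pos + payload_len]
        pos += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append((tnf, rtype, rid, payload))
        if flags & 0x40:  # ME: message end
            break
    return records


def bt_handover_targets(msg: bytes):
    """Bluetooth addresses (MSB first) named by OOB handover records in msg."""
    targets = []
    for tnf, rtype, _rid, payload in parse_ndef(msg):
        if tnf == TNF_MIME and rtype == BT_OOB_MIME and len(payload) >= 8:
            # OOB payload: 2-byte LE total length, then 6-byte LE BD_ADDR
            targets.append(":".join(f"{b:02X}" for b in payload[2:8][::-1]))
    return targets


# Constructed sample: a benign Text record followed by a BT OOB handover
# record for address 00:11:22:33:44:55 (stored little-endian on the wire).
SAMPLE_NDEF = (
    bytes([0x91, 0x01, 0x08]) + b"T" + b"\x02enhello"
    + bytes([0x52, 0x20, 0x08]) + BT_OOB_MIME
    + b"\x08\x00" + bytes([0x55, 0x44, 0x33, 0x22, 0x11, 0x00])
)
```

Running `bt_handover_targets(SAMPLE_NDEF)` on the constructed message returns the single address the handover record names; a tag that should only carry a URL or text but yields any address here deserves a closer look.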
The Demo
• This is where it all goes horribly wrong...