So now: Hack.lu 2015, day 5. I have with me on stage Tal Melamed. He's an application security expert with a long history in the field, which he will probably tell you about in a minute, and he's going to talk about Bluetooth Low Energy key security issues. Please give a very warm welcome to Tal Melamed.

Hi, everyone. Can you hear me? Yeah, great. Okay. So I'm Tal, application security expert. In this talk I'm going to explain what BLE is, where the risk is in all that work, I mean where the risk is in having these BLE devices; we'll speak about that in a second. I'm going to talk about some key security aspects like the Security Manager, the BLE pairing and the GATT, and then I'm going to dive into the application level of it and see how we can man-in-the-middle Bluetooth devices and use it to hack either the device or the mobile app that communicates with it. I've got some devices here; I hope they will work in real time. We'll see some cool tools that are available today for the man in the middle, and we'll talk about some possible countermeasures and what's next.

So just a little about me. I'm Tal. I work at AppSec Labs; as the name says, we deal with AppSec, or, our goal is to secure all the apps in the world. Apps, I mean web applications, client desktop applications, mobile applications and IoT, and this is part of the IoT that I'm talking about. About 12 years in the field of information security, working at some security companies like Check Point and RSA and others. Part of what I'm doing is developing security content for training purposes, whether it's secure coding for developers, hacking for hackers, and awareness for who else needs it.
You can follow me at my personal website, at my GitHub or through LinkedIn. Just a word about AppSec Labs: we deal with all the industry vectors. We have clients from the biggest organizations like Intel and Microsoft to small startups, where we work on really cool things like, I don't know, biometric logins and things like that, and you can see us, in the past five years, at all the Black Hat Vegas events and the OWASP events and other cool hacking conferences like Shah, but this is the first time here.

Okay, so let's start with what is BLE. I'll just mention BLE, BLE, but what is it really? So BLE is an abbreviation for Bluetooth Low Energy. It's the successor of the normal Bluetooth that we all heard of. It's also called Bluetooth Smart. It's part of the Bluetooth 4 specifications and it is designed to be power-efficient. It's smaller, much easier to implement, and it's supposed to last longer. So why did Bluetooth come up with BLE? Because, as we can see today, we've got IoT everywhere. IoT, I mean in every aspect: houses, wearables, etc., medical, everything. So there was a need for a protocol that can support this type of scale, which will be cost-effective and efficient and will last long. So by 2021 there are supposed to be, according to Gartner or something, 48 billion IoT devices, and they estimate that a third of all the devices would be based on Bluetooth. So we've got a wide range of devices to hack and secure.

What is the difference between BLE and Bluetooth Classic? So they are completely different. They talk on the same spectrum at 2.5 gigahertz, but they have different architectures. BLE is working in a master-slave kind of mode; we'll see it. They have different modulation parameters and channels, the format of the packets is totally different, and on top of that they cannot communicate with each other.
So it's not that BLE devices also support communication with BT, the Bluetooth Classic. Nope, you have to buy new ones, and if you have them, you probably have to buy new ones soon after you hear this talk.

Okay, so I told you why the change: good power consumption and cost; it's very cheap. You can look on AliExpress or whatever and find locks, chips and everything Bluetooth that cost from ten cents to $100. So where is the risk in all of that? So of course, in the industry, if we go to maybe one of the most important ones, the medical industry: they already managed to hack some medical equipment like the diabetic insulin pumps, so you can imagine what they can do. If we go to our own lives, we can see it now everywhere. So there's a thermometer, an insulin pump that is attached to your body; if you can just pump someone from remote, that could be dangerous. We've got, everywhere, and this is now the most common thing you can find online, the Bluetooth locks. I've got one here; I hope it will work. Sometimes they don't work that well, especially if you buy them from AliExpress. So we've got all these locks and they're all very secure because they're locks, they're physical, not only technological, but after all Bluetooth also has the software layer above it, and this is where we come in and we see that they are not so tough after all. Of course, open watch and other gadgets to open your door, your garage door, your home door. We don't have to talk about sound, for the most part. We have also inhalers, medical inhalers, that also are smart today. Someone has to be smart if they're using it.

So let's talk shortly about the architecture: how does it work? So three layers, we can sum it up that way. We have the controller layer, where the physical engineering stuff is: the radio, control, connection, linking.
I'm not a hardware guy. Radio testing, and of course the interface for the host. So the interface is how the components are going to talk with the physical layer. And on the host: it sits on top of the radio and it provides an API to the application. We have some components there like the Security Manager and other components that we're going to shortly discuss, and we've got the app layer, which is where the app comes in. So the app interfaces to the host and communicates with the BLE components: scanning, pairing, encrypting hopefully, and other things that Bluetooth devices can do, music, camera, etc.

So the Security Manager, part of the host, part of the architecture, has three main goals. It is in charge of the pairing feature exchange, the short-term key generation and key distribution. It has some built-in security functions, for example AES-128, and it uses a key exchange for transferring keys between the device and the client. The client could be a mobile app or another device or some hardware, etc. It uses the asymmetric key model, where they have a private key and a public key. So it sounds a little secure. Is it really secure?

So the problem comes in the pairing. The pairing is the problem that exposes the apps to the risks. So we've got the pairing. We said the pairing is made between the smart device and the mobile app, or some other app, in order to encrypt the communication link between them so they can speak privately and no one else will be able to listen. The key can also be used to sign and verify data, for random address resolution and some other parts that Bluetooth provides. The pairing process is a three-phase process. First of all, the device; so now when I say device, I'm going to use this smart bracelet. You can't see it from behind; just believe me. And then the other one will be... one second.
Okay, I'll show the screen of the mobile phone app on the screen soon. So they are going to communicate with each other, and while pairing they exchange the pairing feature possibilities, because some devices... and this is the next slide, I'm going to talk about the three types of pairing they have. So after they exchanged their pairing features, they go with the chosen one, and then the device or the app, one of them, generates a key. If we're talking about Bluetooth 4.0, it's going to be the legacy pairing, which is the same pairing that was in Bluetooth Classic, and from 4.1 to Bluetooth 5 they're using Secure Connections, this is what it's called, and they're using a long-term key. This is a much more secure key exchange, or key generation. And then they transport the keys between them so they can encrypt the link.

So pairing: we have three types of pairing, which is really how the devices determine how to create the key. So we have the first, most common one, the legacy one, Just Works. This is its name; they branded it Just Works. When you go and check why it just works, then you find out that the key is zero. So of course it just works; I could do it myself. The other method is the six-digit PIN; it could also be a four-digit PIN, I think. Anyway, if your device has a screen, and only then, because you have to see the PIN, then sometimes, if both of the communicating devices have this six-digit PIN, one device can display a PIN, a serial, I don't know, a PIN number, and then you have to manually type it on the other device. So this is going to generate the key, the temporary key, so they can communicate with each other. Okay, six digits: one million options. We can brute force it, of course. I'm not going to show you how to brute force it.
It's already been shown by Mike Ryan at Black Hat, I think. You can see his great presentation at Black Hat, and he shows how the whole Bluetooth pairing model is not so good; it's not really working securely. And the other option, the third one, is Out of Band. Out of Band means the devices that communicate with each other transfer the key on a different protocol, a different spectrum, but it's supposed to be secure because the key is going over a different channel, so no one is listening to it, hopefully. Like NFC or something like that. So for that to work, both devices have to support this. New smartphones maybe support NFC, but most Bluetooth devices don't support NFC, because they are Bluetooth devices, so I actually haven't seen one that is using it. Hopefully they're not just saying that, but there are some ways to do that.

So Bluetooth says none of the pairing methods provide protection against a passive eavesdropper. Great, thank you for letting us know. You could come up with something that does protect against a passive eavesdropper. But: "I'm sorry, don't worry, because the next version will support elliptic curve Diffie-Hellman for key exchange." Okay, great, that's really great. They understood the problem, but the problem for me is that I already bought the devices. So my devices are using Bluetooth BLE 4.0, so they are not secure. So from all that, I didn't understand: are they secure or not secure? So in practice, we test a lot of IoT devices, BLE devices, and at least 80%, or about 80%, of the smart devices don't use the cryptographic possibilities of the protocol, and they just work, and they don't use the encryption.
They don't use the verification, and they let the app handle everything. But the problem is that the mobile app cannot control everything, because the app doesn't have control over the operating system level, or let's say the device. So if it's a mobile device, the app usually cannot control the Bluetooth features of the device, because it is installed on a random device. So, as I said, they're not really secure. I don't have to tell you why things are not secure, because probably the most common answer is that it's easier to do it that way.

Okay, so the next part of BLE that we'll talk about, the most important one for me, is the GATT, the Generic Attribute Profile. This is like a scheme used to communicate between BLE devices, so they know what to expect. It's built on top of the Attribute Protocol. The GATT server, which is one device, stores data received from other devices, and then it is used to communicate with the device. I'll show you how it works. This scheme organizes data and objects in profiles, characteristics and services. So it's going to look something like that. I have a service; let's say it has a heart monitor. So how does the app that communicates with it know that it has a heart monitor? So through this GATT profiling it tells the mobile app, or everyone that wants to listen: okay, I've got this service, it's a heart rate, this is the name, the descriptor, this is the property: you can write to it, read from it or notify. Notify is like registering and receiving constant data. The architects or the developers needed to decide whether you can act on this service, read this service or write to it, authenticated or not, etc. Other services line up. So what is the typical flow for communication between the mobile app and the smart device?
So this is the smart device. Now I want to pair my mobile app to it. So usually I just turn it on and then it just advertises itself: hi, I'm a Bluetooth device, does someone want to connect to me? These are my services and characteristics and you can connect to me. Then on the mobile app, to communicate with it, I will start with some app, or using the built-in feature of the mobile phone, to scan for BLE devices. You'll start seeing BLE devices in range. Once you select an advertiser, the application will try to start reading all the services and characteristics and build your profile of the BLE device, of what it can operate on. Communication is determined, I mean the device is identified, according to its MAC address. So if you have the same device with different MAC addresses, this is how they're going to determine which device it is, which is cool because then we have MAC spoofing. After they are paired, they have an encrypted link, and then they can start communicating with each other. But maybe this is a little complicated; let me simplify how it looks. So this is a BLE device: "I am a BLE device," and this is me: "Thank you for showing me all your services and whatever I can do." So at this point, I told you that the device is just publishing, advertising itself. So at this point, what I do, just to start looking around, is download a BLE scanner randomly from the App Store or Play Store, and then I can start scanning for services or for BLE devices. I don't need any special app or anything for it. I download a BLE scanner, click on scan, I see all the BLE devices, and then I can connect to them. Some of them might require some further authentication; we'll discuss that. And then I can see something like this: all the device information, attributes and services, and I can start reading them or calling them. So I can just connect to one of your devices. Probably they have, and this is very common, just the battery level to see.
So I'm going to see: is there a battery level here? I can read the specification of the device and it will tell me the battery level of the device. You can see there are all these UUIDs there. What are they? What are they doing? I don't know, but it's the specification name, so you can take this name. Because you don't know what all these services over here are; you can see Battery Service, so what are all these custom services and generic attributes? Well, you don't know what they do, so you just copy this number and then you Google it, or you go to Bluetooth, and then you have all the specification. Okay, if you see the xxx 1811, then this is the Alert Notification Service. So you know what it is used for, and this is how you can learn about the device's services.

So now let's see if it works. Great. Okay, so I'm going to launch the BLE scanner. Yeah, okay, so now I'm going to scan. I don't know who's... is someone around here? Let's see if I can try that. Okay, so I've got this iTag. It's a simple BLE device which you can put on your dog or your wallet or something, and then you can track it. Okay, so you think you have a designated app that only this app knows, so you need to put in a serial number or something like that, and then you're the only one that can use it. But no, I can just scan it with BLE. So I'm coming, I hope... so I hope to find some BLE device. I'll connect to it. Sorry, you can't see this. So this is not... I'm talking. Okay. So you don't know what I'm talking about. Okay, so this is my mobile, okay, and then I'm scanning for BLE devices, hopefully to find my device. Let's see if I can find it. You can see the numbers telling you how far you are from the device. The problem with BLE is that they are not working that well anyway, especially those you buy at AliExpress. Okay, I don't know. Maybe it's some... I'm not going to do anything. So I'm just clicking on the device.
It tries to connect; not sure if it's going to connect to it, and then I'm going to see all the services. Okay, there it is. So I'm connecting to this iTag. As I told you, it's a general BLE scanning application. Let's hope that it works now. It tries to read all the services that the device is providing. Never mind, let's go on. I'll show you better stuff. Okay, let's go on. So anyway, I can connect to most of the devices and then start searching them over Google or over Bluetooth. And the problem is that most devices do not apply any authentication to their services, so you can just register or write to any device that you can find and scan.

Okay, so let's talk about man in the middle. So this is how a normal man in the middle will work, right? We have the mobile app and the Bluetooth device, and then we come in the middle. This is man in the middle. So this is not going to work on Bluetooth, because Bluetooth can only do one Bluetooth thingy. So if it advertises itself, it cannot connect to a device, and vice versa. So I have a BLE adapter or an app and I want to connect to the Bluetooth device, but then I will not be able to also connect to the mobile app, because I can do only one thing. So for that I have to have a different architecture for man in the middle. So this is something like how it's going to work. I have two BLE adapters. They are here; you can't see them, I don't want to disconnect them. I'll show you in a second. One will connect to the mobile app, the other one will connect to the Bluetooth device, and then they just have to communicate with each other. I will use a different protocol, because the Bluetooth possibilities are over for me. So I'm going to show you tools, or how you can do it over WebSocket. So the components are connected to the BLE devices and they communicate with each other over WebSocket. This is how we create the man in the middle. So how do we start doing this? So we buy... I love AliExpress.
Yes, we buy two dongles, CSR 4.0. These are Bluetooth BLE adapters, and one will work as the master and one will work as the slave. You can buy them at two seventy dollars, including shipping, so that's not a problem. And then what I'll do is I'll download a Kali Linux VM, or any other VM that you like, and I will connect one to this virtual machine and the other to the other virtual machine. Now I have two machines; each one has its own dongle, and they will be used, one to connect to the mobile app and one to connect to the smart device. So after I did that, there are some basic commands that you need to know to work on the machine, to see that you are connected. So hciconfig is to see the interfaces of the BLE. So you see the address they have, the MAC address, and if they are running or not. You can use hciconfig, the interface, and then up or down to start and close it. hcitool is another tool that lets you scan for BLE devices, so you just type hcitool lescan and you start seeing devices. We have got another command-line tool; they come with the libraries that you need to install. gatttool: you can read characteristics from a device after you connect to it. So gatttool and the MAC address of the device to connect to it, and then you can read and write to it from the command line. And we have some cool tools that already implemented everything, so we don't need to do it ourselves. So the first great tool is GATTacker, and this tool gives you the ability to use the architecture that I discussed earlier, where you communicate over WebSocket. So now I'm going to show you how I'm using this tool in order to do man in the middle between the mobile device and the smart BLE device, and as part of that I'm going to show you how you can use tools like Burp. I don't know if you're familiar with Burp; it is my best friend as an application security expert. It helps you.
It's a proxy tool that lets you see and intercept the communication over HTTP and HTTPS and WebSockets. Let's see how that looks. Okay, so I showed you: I connect one device, one VM, to the BLE adapter, or the other way around, I connect one adapter to the virtual machine, just checking that it works. Yeah, you can see I can scan for devices, and then on the other I'm going to connect the other adapter. Then, if I have more than one interface for BLE, I need to specify which of the interfaces I'm going to use. Sorry, one second. So here I'm going to tell it where the slave is, what the IP of the slave machine is, so then they will know how to communicate with each other over WebSocket. Then I'm just going to start the slave on one VM and start scanning on the other virtual machine. Here, on the bottom virtual machine, you can see all the services, the GATT profiles that it collected. You can see some devices: Power Watch Plus, Lock S, and here some other device, "a me I yj". The master device stores all these characteristics and GATT profiles on the disk so I can use them. So now this is how I'm going to use them to do the man in the middle. These are the files that the scan stored. So I'm going to advertise myself; so I'm going to connect to the mobile device, and then, because I know all its characteristics and profiles, I will pretend to be it, so I will just advertise them myself. Because I already connected to the device, it cannot advertise anymore, because it is already paired. So if you, for example, pair a device to your app, and then you scan again from a different device, you will not be able to see the smart device, because it is already paired, so it does not advertise anymore. So I'm just going to advertise it and wait for the app to come and connect to it.
So of course, if I'm using a different MAC address and the user already paired once before to the device, then it will see a different device, if he or she notices; it depends on the app and how it presents it. But of course there is a possibility to spoof your MAC address so they will automatically communicate. So this is the device. Sorry, one second, slower. This is the device. I'm going to start the Power Sensor app; this is a designated app to communicate with this sport bracelet. And then I will scan for devices. Now I see the Power Watch, but this Power Watch is not the actual Power Watch. It's the one that I copied, cloned, and then advertised myself. So in a second you will be able to see here on the upper VM all the traffic that goes between the smart device and the mobile app, and here you will see it as hex values. So this app has a feature of sport activities. So I can count jumping ropes. So I will not jump now, but when I recorded it I had to flip this thing in the air. So I'm just going to count it, and you can see that in some hex version I can see the data coming from the device to the mobile app. So this is just passive, right? I can only see this. But there are two other... you can see also here the watch. There are other ways to do the active man in the middle: one is by hooking to a service, or using real-time modification. So now I pre-hooked a service, so what it will do is just increase the numbers. So you can see here that I did the treadmill hook. All it does is locating, sorry, one second, locating this notification event according to its characteristic. I know it starts with 97-something-something, and then I will replace this string with this hex string, and what will happen is that the next time I can really show off my hard work. So I'm going to do the same with this, with the hook. Okay, so I'm adding the smart device, the BLE device, now.
I'm going to do the treadmill, and then when I start, you can see the hook that I just did. So I'm now going to do a lot of sport, and I can really show off my hard... yeah, thank you. Running, not so tiring though. So you can see it keeps on counting. I can do, of course, whatever. Now I'm showing you how you can manipulate numbers, but of course it can be other, severe things.

Okay, so now I'm adding Burp. Burp, as I mentioned, is a proxy tool, a great tool that helps you man in the middle WebSockets and HTTPS. So this is WebSocket. So I'm going to use the same; I'll just tell Burp to listen on the right port and interface, and then I'm going to do the same, and then you can see all the traffic already in Burp. Burp has the ability to do on-the-fly manipulation, so this time I'm going to do sit-ups, and then you can see all the data transferred through Burp. I don't have to do anything myself. I can intercept. Let me run it further. I can intercept the request, just modify it, and then hit forward, and then I will do a lot of push-ups. You can't see my squares here. But because it's on the fly, the next request will tell it's on 11, not on three million. Okay, so this is why we do the hooks, so it will permanently work. Okay, so this is thanks to GATTacker.

Okay, the other tool is BtleJuice, another man-in-the-middle framework. It also has a web interface; a really cool tool. It also gives you the ability to replay through the interface. So the GATTacker tool now also has the ability to replay, but you need to dump a request and then replay it. Here you have the replay feature on the web interface. So I'll try to do a live demo; it's going to be nicer. Okay. Okay, so can you see my screen? Great. BtleJuice proxy on one, ready. The BtleJuice master on the other; you can see that they are connected. I'll put the mobile app here. Okay, so now I can browse to the BtleJuice interface. Let's just do like this, here.
I can select the target device, so I'm going to connect to my Power Watch. Now what happens is that it tries to read all the services and characteristics. Okay, connected. So now I'm going to use the same app that I showed you before, the Power Sensor, and... device. Great, so I think they're already connected because of the same MAC address. Yeah, okay. So now the cool feature is, you cannot see that, but from this wristband, bracelet, I can... you can look here in a second. Yeah, I can take pictures. Okay, so let's see if it works. Yeah, hi, so one second. There you go. So, great, so I took a picture. Now I have the request on this, I think it's this one, so I'm just going to replay it. One second. Okay. All right. Oh, so you can see them together. So here you can see I can take pictures from my computer now. Yeah. Let's take one picture of you. No, no. Yeah, you want some? Yeah. Okay, so it's going to be tough. And three, two, one. Great. Sorry, guys. Yeah. This is not okay. So, one cool thing, and the other one is even nicer, because, what you can't see, but I'm closing the app. So it's closed, right? But now I can also, and let's hope it works... okay, great. So it's on mute. Can you hear it? So I can also switch songs. Yeah, disconnected, one second. So as I told you, the only problem with BLE is that it gets disconnected. Okay, again, I'm connected. Let's try again. Okay. Yeah. So we've got some other songs, and then our victim goes to sleep or to a meeting, and we just got this. Let's even do this. Yeah, so I'm going to a meeting, my phone is locked or something, and then someone who sits nearby, because you have to have the proximity, just recorded the request and then starts it in the middle of the meeting. So it's really cool.
Thank you. Okay, so we could use the mobile device to hack into the... sorry, the smart device to hack into the mobile device. We bypass the app, because the app has permissions on the device to start the music, to take pictures and whatnot. So we are using the BLE layer to target the mobile app to hack into the device. So we already showed the demo.

Okay, last words. So I applied for another conference, a different conference, totally different; they even have cocktails and galas. But the problem was that you had to submit a paper, and if you had over six pages, then it would cost you one thousand and ten dollars for each page. Really. So what I did... so they have galas and me, but really, guys, you must do the math first. I just wrote minus nine. I have minus nine pages. So, thanks, got a free ticket. Yeah. Also to a gala; didn't go.

Okay, so we saw that we cannot protect BLE 4.0, because it's in the device. So what we can do, if we're building apps, is to put some security into the app. As an application security person, we have some rules of thumb, of course. Do not rely on what's coming from the user, and enforce access control. So if you're going to now start downloading the scanner app and scan each other's devices... on you, yeah. If the app is smart enough, then it will require access control to access some services. Also do input validation. And there are some features that can be done using the BLE technique, or exposing the BLE pairing model, just in a more secure way: for example, in order to pair to a device, you first need to physically click it for, I don't know, three seconds, and then you have five seconds to pair. So it adds more security. Of course, the app should properly warn you if it comes across the same device with a different MAC address. Do not rely on the BLE encryption; sign and verify data in transit. I must especially thank Sławomir for his tool GATTacker.
He also contributed to this; he did the initial part of the research. Also thanks to Damien and Mike. You can see there are great tools and talks at Hack.lu and Black Hat, and I'm going to discuss this further, or have discussed this talk, at other conferences; you can see. So yeah, Bluetooth is vulnerable against eavesdroppers. But hopefully, if we're going to get the next versions of Bluetooth BLE devices, they are going to be 4.2 or 5, which are now really emerging; they are much more secure, because they use known encryption, crypto libraries and algorithms, and they did not decide by themselves how to create new ones. And use the application side as well. Thank you very much for coming and for staying for the last one. You can contact me at this email if you want. Questions? Thank you very much.

Tal... If you have any questions, please line up at the microphones, as the training has already started inside; ask a few questions. Come on up to the microphones. Yeah, first one. Thank you.

Hello, hi. You showed an attack with this bracelet you were showing, and I was curious whether there was no pairing involved at all, or if you could, like, replay values that were somehow encrypted.

Not sure I understood the question. You're asking if I had to pair it with a PIN or something?

Right.

No, so Just Works, because it's a really shitty device, right? Yeah, but most of the devices, most of them, I mean maybe the most new ones will not be, but most of the devices that you get, you'll just pair to them and go.

So but when you pair with them, isn't there some kind of encryption going on?

Yeah, there is an encryption, and I told you at the beginning also, asymmetric key and key exchange, but the problem is that when I do the man in the middle, I first connect myself to the device, so it doesn't really matter. I'm not showing how you can hack the BLE communication link, although it's possible; already shown by Mike Ryan.
He also has a tool for it; you can download it from lacklustre.net, where you can actually brute force paired communication, or jam an already-paired communication in order to establish a new one and then hack into it. But I just wanted to show you the application level, the application side of it. Thank you very much.

Thank you. Next question, please.

More a comment. One thing also the device shouldn't do is sending out data that you already can use. Fitbit is known for sending out how many steps you take, always, so you get the name of the device and how many steps it took on that day without any interaction with the device other than scanning.

Yeah. Not sure I understand the question.

It's more what's going wrong with it.

Yeah, yeah, yeah. So, all the information without even asking. Yeah, so as I showed you, the problem is that today the Bluetooth just tells you: hello, I'm a Bluetooth, this is what I can do, just use it, feel free, connect to it. And though you think that there is a designated app that only it can work with the device, this is not true. I could do all of these from a generic BLE scanner. I'll just need to know the exact packets to send, or data to send to it, or how to read from it. Yeah, next question, please.

Hi. How do you do what you did on an existing connection? So what's the deal of... sorry, or how do you... okay?

So if there is an already established connection, the devices are paired, so you cannot do it at the moment, because I told you that once the device is paired it can no longer do anything else. So I told the other guy that there is a way to jam a communication over Bluetooth, so in that way the communication is jammed and de-paired, and then you have to come in the middle and do that.

Like, if you've tried it...
It's actually really hard to, like... yeah, you can broadcast noise on the spectrum, but that's pretty much all you can do, and it's not very reliable as a way to do...

Yeah, so you have some limitations with Bluetooth. You also have to have the proximity, and so it's not as easy as it looks, but if you're already in the middle, then you can do bad stuff. Thank you.

Thank you. Any further questions? No, apparently not. So please give another warm round of applause. Thank you. Thank you, everyone.
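Added example, not part of the talk or of any tool it mentions: the closing advice was to not trust the BLE link encryption and to sign and verify data in transit at the application layer. This constructed Python sketch has the device append a sequence counter and a truncated HMAC-SHA256 tag to each notification, and the app reject frames whose tag fails (the hex-rewriting hook) or whose counter repeats (the replayed "take picture" request); the frame layout, the shared key and the sample counts are assumptions chosen for the demo.

```python
"""Application-layer integrity for BLE notifications (constructed example).

The link itself may be Just Works with no usable encryption, and a
man-in-the-middle proxy may rewrite or replay the bytes. Here the device
appends a sequence counter and a truncated HMAC to every notification,
and the app rejects anything that fails verification or repeats a counter.
"""
import hmac
import hashlib
import struct

# Frame layout (assumption): 4-byte big-endian counter | 2-byte value | 12-byte tag.
# 18 bytes stays inside the 20-byte value that fits the default ATT MTU of 23.
HDR = struct.Struct(">IH")
TAG_LEN = 12
FRAME_LEN = HDR.size + TAG_LEN

# Constructed shared secret; a real device would provision one per user/pairing,
# not ship a fixed value in firmware.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _tag(key: bytes, header: bytes) -> bytes:
    """Truncated HMAC-SHA256 over counter and value."""
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


def seal(key: bytes, counter: int, value: int) -> bytes:
    """Device side: build one authenticated notification frame."""
    header = HDR.pack(counter, value)
    return header + _tag(key, header)


class Verifier:
    """App side: authenticate frames and reject replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (status, value); value is None unless status == 'ok'."""
        if len(frame) != FRAME_LEN:
            return ("malformed", None)
        header, tag = frame[:HDR.size], frame[HDR.size:]
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(_tag(self.key, header), tag):
            return ("bad_tag", None)
        counter, value = HDR.unpack(header)
        if counter <= self.last_counter:
            return ("replay", None)
        self.last_counter = counter
        return ("ok", value)


def demo():
    """Run the device/app exchange through the two manipulations from the talk."""
    device_counter = 0
    app = Verifier(SHARED_KEY)
    results = []

    # Three honest jump-rope count notifications: 1, 2, 3.
    frames = []
    for count in (1, 2, 3):
        device_counter += 1
        frames.append(seal(SHARED_KEY, device_counter, count))
    for f in frames:
        results.append(app.accept(f))

    # A hook rewriting the value field in place (3 -> 65535) without the key.
    tampered = frames[2][:4] + struct.pack(">H", 65535) + frames[2][6:]
    results.append(app.accept(tampered))

    # Replaying the second honest frame, which the app already accepted.
    results.append(app.accept(frames[1]))

    # A legitimate fourth notification still gets through.
    device_counter += 1
    results.append(app.accept(seal(SHARED_KEY, device_counter, 4)))
    return results


if __name__ == "__main__":
    for status, value in demo():
        print(status, value)
```

The tag binds only counter and value; a production design would also bind the characteristic and direction, handle counter wrap-around and the key-provisioning step that the pairing model itself does not solve.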