All right. Good afternoon, everyone. Welcome to the Dirty Tooth talk. In addition to the published author, Chema Alonso, right here, we have a special guest that's going to be presenting with him, Kevin Mitnick. So please welcome both of them to the Toorcon stage. So you have a beard, so I'm not sure you are going to understand the talk, but very well. It's a real pleasure to be here again. I was here in 2008 and the conference is big today; at that time we were a couple hundred people and today there are 500, so it's wonderful to see how the community is growing. And I was in the Valley this week and we had a dinner and I picked up Kevin to come here to Toorcon and we are going to deliver the talk together. I didn't want to give much information about the talk, but in the end probably all of you have been reading the description of the talk and it's quite a pity, because the magic is when you don't know what you are going to see. The real detail of the talk is this: it's only rock and roll, but I like it, because it's a talk about music. How many of you like music? Okay, so let's see how many of you are up to proving that your music is the best. So we have a present: if you connect to our device, whoever wins by playing their favorite song will get one of my lock-picking business cards. So, who wants one of these? Yeah, one of these, and you just... okay, this is very easy, okay. You need to have an iPhone. No Androids. These are the best, Marshall speakers. It's safe, we promise you. After the talk we are going to remove all data. If you have private information you should connect right now. We don't have any data, just ignore that comment. We don't have any data. Any volunteer? Come here, please. A big clap for her. April. Now she had some pre-knowledge of what we're going to do, so. Very simple. There is a... come here, come here. We won't bite. I want to see your private pictures.
Alright, go back up. See, it's connected to a Bluetooth device. It's a Bluetooth speaker. How many of you, at any time in your life, have connected to a Bluetooth speaker? Huh. Why worry? There it is. Then now. And select some music. Is it connected? Okay, so select some music. There you go. I get to play your favorite song. Hopefully we have the volume turned up on here. No, that's not going to work, the speaker. Yeah, double-check the connection. No, it's not connected. Go try to connect again. Yeah, Dirty Tooth. No, that's not it. The other one. Yeah, sorry. Yeah, that's right. It's not showing up on hers. Kilburn. There are too many speakers here. Let's see. I'll show it on mine. But, you know, you don't want to hear any of my music. Kilburn. Yeah, probably. It's there. You are connected to a lot of Bluetooth devices, I see. Well, it's not connected. They're just turning it off and on. Any other volunteer with a real iPhone? So April, I met her in Jason Street in Beijing last week. And I don't know if she purchased her iPhone from Shenzhen, because then it's not really an iPhone. So maybe Bluetooth is messed up, so we'll see. That's a ton of devices. Anybody else, by the way, have an iPhone? Connect to the Kilburn. Who's connected to Kilburn? Can you see it? Can you see the device? Kilburn, connect to it. It's not on his either. Turn it off, no. Well, I think he just dropped my... Yeah, you don't want to pair it, no. If you turn it off, I have to reconnect to it. Okay. We're going to turn it off and on. Yeah, it's strange. Do you have it on? Sorry, they connected to the Kilburn. I'm sorry. Now you can see it. All right, now try it. Wait, let's see. Do you see Kilburn? Do you want to try connecting? Let me see if I see it. Well, this isn't the most difficult part. Yeah, maybe it's showing up in my devices because I was connected to it in the past. Do you see it? Do you see it? Anybody see a Bluetooth device, Kilburn? Connect to Kilburn and play music. It's quite simple.
A good one. Reggaeton is forbidden. You can play any music but reggaeton. Does it show that you connected to it? Can we come closer? Actually, if you are already connected, everything is done, but playing music is good. Is it there? Yes. The volume might be turned all the way up. I don't know why. Have you played music? And it's weird, because I'm not seeing the device on my phone either, because I basically forgot the device and tried to re-associate. Well, okay, you already connected. Okay. See, you already connected. I already connected. A lot of people already connected. That's enough. The good point is that we wanted to listen to the music. We got another device here. They can connect to the Pi, if you want. We got another device here, which is a Raspberry Pi, which is doing exactly the same as the speaker. If you can put the audio from the audio jack, and someone connects to it... I'm going to connect to the... I got exactly the same. It's an iPhone, nothing special. And I'm going to connect to the Pi, just doing a normal click. That's a Dirty Tooth speaker, if you see that on your Bluetooth list. Any of you connected to the Dirty Tooth speaker? I did. Are you still connected? Anyone connected to the device? This is interesting, so I tried to connect to it. Well, it sucks when a demo doesn't work straight off the bat. Let's see how many of you have been connected. The problem is the audio, not the connection. Let me explain what has been happening behind the scenes, because it's quite interesting. One of the good things with the iPhone is that it's a device that is supposed to be very secure. It has a lot of protection. It has code signing. It has approval from Apple to install new apps. It has a very good encryption algorithm to store data on the drive, et cetera. The problem with devices like the iPhone is that once you connect the device to any channel, you are exposing the security. That's very easy to understand.
And on the iPhone, there are a lot of tricks to take information from it or to hack the device. You can do a lot of things with Siri if you are using Siri with the lock screen. You can hack the full iPhone from a Windows machine or a Mac OS machine if it's already paired. We've seen in the past a lot of malware that was using the pairing connection with a Windows machine to jailbreak the iPhone and install malware. If you are making a backup in iCloud, you are going to have exactly the same problem if you don't have a secure mechanism to protect iCloud. We've seen a lot of celebrities having troubles with pictures that had been stolen from iCloud. When you connect to a telecommunication network like GSM, et cetera, you can be hacked using a fake BTS. We've seen in the past a lot of attacks using jammers against the 3G or 4G connection to get a 2G connection, and the same with Wi-Fi, Bluetooth applications, et cetera. One of the things that the iPhone has is the Bluetooth connection, and the implementation that we got in iOS with Bluetooth is quite special. It is full of usability features that you can use to your advantage if you want to extract information from a target. So, first thing is that the Bluetooth stack that the iPhone... Got it. So it took a few times of rebooting it, but we finally got it. But that's just enough. We tested, I don't know, 20 times, but the last one failed. When you're on stage, it fails, of course. In the case of the iPhone, we got one implementation of the Bluetooth stack, which is 2.1. That means that one specific feature that was added to the Bluetooth stack in 2007, which was the first version of the iPhone, was in there, which is the possibility of doing a Bluetooth connection with any device without a pairing token, which is good for usability because you don't need to type any token or you don't need to check a number on another device. Just click on it and you are connected.
That is exactly what you've been doing a lot of times with a Bluetooth speaker. Look for the Bluetooth speaker, click on it, and that's all, which is good for usability. But one problem with this is that when you get a Bluetooth connection, you are not always having the same Bluetooth connection. Exactly. And when two devices are connected over Bluetooth, what's really critical here is the profile, because the profile essentially gives permissions of what that connection is allowed to do. So it's kind of like meeting a girl. You might be having the friendship profile, and then all of a sudden maybe it could switch to the friends-with-benefits profile. You may or may not know about it, but then if it switches to the marriage profile, you can be in big trouble. Or maybe not. I don't know. But the types of profiles, they're up here, I don't know if you can see them clearly, but it's much easier over here. We could stream audio. We can control audio-visual devices. Everyone knows about the headset profile. Connect the headsets. Hands-free for your cars. What's going to be important later on in the presentation is this profile here, the phone book access profile. And a profile I'd love this to work with, but doesn't, unfortunately, and Chema will get into this, is the MAP profile, where we can actually get access to text messages. The idea is that when we are reading that the iPhone is supporting Bluetooth, in fact, what we are reading is that the iPhone is supporting a set of Bluetooth profiles. In the case of the iPhone and iPad, we have different profiles that are implemented. From the iPhone 4 and later, we have the hands-free profile, phone book access profile, advanced audio distribution profile, audio/video, et cetera, personal area network, human interface device, and message access profile. All of them are available from the iPhone 4 to the iPhone that we have today.
And depending on the profile that you connect to any device with, that device is going to be able to do a set of things on the iPhone. So the first thing that we got with this usability feature is... Right. So what's interesting with the iPhone over here is when you get a list of potential Bluetooth devices to connect to, it doesn't give you much information. In contrast with Android, we get a little bit more information with the icon. It's not so much more important, but it's interesting that Android gives you a little bit more information. Second point is that when you connect to one device, if that device wants to have a secure connection, it's going to require a temporary pairing token. That pairing token is quite interesting. If you are able to read only a name in the Bluetooth list about the device you are connecting to, you are not 100% sure that you are connecting to the right device. So if someone impersonates the name of the device that you are using every day in your bathroom or in your kitchen, you are going to connect to exactly the same name. Probably it's not going to be automatic because there is protection with the physical address, but people can connect to it. On the other hand, when you have a device that requires a pairing token, you are forced to look at that device and be sure that you are connecting to the right one. And normally, at least with iOS, not only does Apple have to approve access to the application, because they must sign it before you can install it on your phone, but you must give explicit access to the apps, for example, to access your phone book or your contacts here. Later, we'll show you how to bypass that. So when you connect to... You install an app and that app tries to get access to your contact list. You have an explicit permission. On the other hand, when you connect to one device, a Bluetooth device that wants access to your contact list, the answer by default is yes.
That means that without any pairing token, any alert or any special permission, any device, if that device has the right Bluetooth profile, can get access to your contact list. Right. So if you do this with an Android device, Android actually pops up a message warning you that a profile has been changed. Unfortunately, it's in Spanish, right? Because I guess Spanish is better. Spanish is better, you know. Well, here we got a small video about what the behavior is in Android if one Bluetooth device is trying to get access to your contact list. So here we are opening the configuration area. It's in Spanish because Spanish is better. So right now it's the new version. It's Android P. So as you can see, there is a speaker with a headset and you connect to it. It's supposed to be a Bluetooth speaker. But at some time in the future, that device decides to change the profile. Why not? You are connected to one device and you select the profile you want to use. In the next example, as you can see, Android shows a warning message saying, okay, something is happening, that device that wanted to be your friend with benefits now wants to get married to you. Okay. So over here, during the connection process, when it's doing the connection, there is no warning here. But when it switches the profile, it actually gives an option whether or not to share the contacts. But typically what happens is nobody is actually staying on this particular screen on the phone. They've already switched to something else so they don't actually see what's happening in the background. So once they connect, really nothing else matters. So it's over. This is the video of exactly the same thing that we've seen on Android, but on the iPhone. As you can see, it's in perfect Spanish. And now we are connecting to one device that is supposed to be a Bluetooth speaker. You don't have any information, just the name. So here's the speaker. You connect to it. That's it.
You are already connected. Everything is perfect. No extra information in the configuration options. So we go to switch the profile and later, by default, it is sharing your contact list. If you are there when it changes, you can watch it. If not, you cannot. So this is for you. You tell it. Okay. So basically the steps here are: the device is discoverable. I am a Bluetooth speaker. It goes through the pairing process with no... you don't need a pairing PIN. You're paired. And then after a few seconds, we switch the profile. And then we get access. We switch it from the advanced audio distribution profile to the phone book profile. Then we're able to basically sync your phone book, your call log. What's your call log? Missed calls, received calls, phone numbers you called. We're able to sync that. We're able to store the data and then exfiltrate it. Then we can actually switch back to the speaker profile. So it's a few seconds. The data is stolen. It switched back. The victim doesn't know any better. So on the Marshall speaker, what we have here is that with the original speaker, we have a Bluetooth board. This Bluetooth module actually has to be switched out, because to access this module, it's proprietary software. So we actually have to switch it out to a SparkFun Bluetooth module. This is kind of the diagram of the whole thing. So basically in this particular speaker, the Bluetooth module is switched out. We put in a Teensy, obviously programmed with the Arduino framework. We have an SD connector, because once the information is stolen from the device, we store it on the microSD card. And then we have a GSM module with which we're able to exfiltrate the data. And what we're going to show you in a moment is we have this debug module that lets us use screen to be able to connect to the device. So we can essentially get a shell on the device and control it that way. So over here, we'll get into this in a second. But on the device itself, we have mainbook.vcf.
And what that is, is basically the contact list of the victim that we've stolen from the device. And then we have the incoming calls, the outgoing calls, the missed calls. It's stored in the device's directory. And this is a CRC32 of the MAC address. So basically for each device, a different directory is created, and then it's going to store the status, the mainbook, incoming, outgoing, and missed calls. What's interesting is how this is set up. If an iOS device connects, then we're going to switch the profile. If a non-iOS device connects, and we can tell by the OUI, right, from Apple, if a non-iOS device connects, we just play music. We don't actually switch to the phone book profile. So let's see on the demo. Yup. Let's see how many people... I'm going to have to reconnect to it, unfortunately. You'll be connected? Also. Good. Thank you for sharing your contact list with us. Let's just... But you want the business card. She already has one. Sorry, now I'm going to connect to the debug module in the Marshall speaker. So we're just waiting. It takes a second for it to come up. There we go. You're going to see the PIN. Please don't connect. Yeah, unfortunately. You're a hacker. Yeah. Does it work? No. Fuck. Okay. Is that the correct PIN? Yes, I think so. Yeah, it is. Hmm. Are you already connected? No. No. Something happened in the demo. Are you connected right now? Stop messing with it. I was going to turn off the mirroring to connect to the PIN, but I trust you guys to let us do the demo. Now, I don't know if I'm making a mistake by trusting an audience of hackers. But we'll see. Try it again. So hold on a second. No one's messing with it. No, it's not. Turn it off and on. I already did. Don't mess with it. Come on. Because then I can't show you how the information is stored and you just stop the demo. It doesn't make much sense. Is that the right PIN? Is it 1991? Let me try 1991. I don't think it's 1991 though. It just didn't fail. I don't remember the PIN.
Is that it? It's 7109. 7109? I think so. Have you tried turning it off and on again? No, you are connected. No, someone's messing with it. That's not it. No, it's not connected. What's the PIN? I think you can look it up. Come on. macOS now. Someone's messing with it from the audience. As he's looking up the PIN, so basically once we connect using the debug module, what we're able to do is, obviously you have to put a SIM card in the device, so mstat is a command where we can actually make sure, before actually doing the attack, that we have a connection to the mobile operator. How you connect to the debug module is simply using screen. There you go. You just got to look on your macOS. You got to look in the dev directory for the actual device. And then the baud rate is, well, 115200. BTstat lets you look at the status of Bluetooth. And Pstat, you can see the devices that actually connected in the past. 7019. 7019. So let's try it again. One more shot. Pairing failed. 7019. Is there an operating system? The operating system. I was working over there, so I don't know. Let's see. You want to try pairing it from yours? Yeah. Let's see if you can do it. Okay. We can continue. Okay. Very good. We'll try it from yours. We'll continue. More than 30 times. Okay. I'll explain the next slide as you're doing that if you want. Connect to the Bluetooth. Well, in this case, we did it with this specific Bluetooth speaker. And one important thing is that when you want to replace the Bluetooth stack of one speaker to put in your own Bluetooth stack, you need to connect the new Bluetooth stack to the main board. And in this case, it runs proprietary code and we needed to reverse the signals that the original Bluetooth stack was using. And we needed to build this small interface to connect things with the Arduino and the rest of the things.
And in the end, what is happening, how it works, is exactly like this video, which is plan C if the demo was failing, which is like this. On the left side, we got the iPhone, and we are connecting to the speaker. And right now, we play music. That's all. Good music. On the right side, you can see the panel. It's a web panel. We are copying all the contact list, the missed calls, et cetera. And we are uploading this to a panel, on a website. And as you can see, we are retrieving all the information. In the end, this information is in the format in which Apple is storing your contact list, which is vCards. And this is the format in which we are retrieving the information. It's a vCard. It's version 2.1. You are familiar with this format. We are now in version 3. Are you connected? One of the problems is with your Spanish keyboard. It's kind of difficult. Continue with this. All right. Great. I'm trying to figure out how to do all the character sets with his keyboard. I wasn't listening to what he said. Did you cover UID 0? Yeah, no. Okay. So, what's cool with the vCards is what we look for first is UID 0. Why? Because that's the owner of the device. Right? So, if they store their own card, we now know who the owner is and we have their specific information, which might be an email address and whatever, any other details they could put in the vCard. I also want to cover this with this slide. Yeah. Okay. Connect to... we are connected. What do you need? No, it's a screen. It's a device. Sorry. No, no worries, Kevin. I can connect right now. So, one important thing is that right now we are in version 3, and with the phone book access profile, which is the profile that we are using in this hack, you are supposed to be able to write vCards into the device. In this case, we tried, but Apple doesn't know how to do it. So, Apple doesn't allow us to do it.
But we tested only with the phone book access profile. And in the new version, which is vCard 3.0, which is the new standard that Apple is using for the new operating system, you get more information like pictures, like notes, like URLs, so private information that you are adding to your contact list that is stored in the vCard format. So, the idea is that we retrieve the whole contact list to the backend with your phone number, your name, your emails, whatever. And once you have that data in the backend, we do open-source intelligence enrichment. So, with the phone number, we look for the Facebook profiles, for the LinkedIn account, et cetera. So, in the end, you can create a very nice map of the social life of one target. And this is the video of what is happening behind the scenes when someone connects to this speaker. The first part is exactly the same, but there are two iPhone screens. On one of them, we are going to keep the screen on the options of the Bluetooth device. So right now we are connecting and then on the right side we look for the option. As you can see, at the beginning, there's nothing on the website. And then it changes. So, that's the whole story. You connect to any Bluetooth device by clicking on it, and that device can be stealing your data at any time. So, in order to make it easy to implement, not doing reverse engineering on the hardware, we created something very easy, which is a distribution for the Raspberry Pi. The idea is quite simple. There is a Debian package that you install on your Raspberry Pi, and the Raspberry Pi becomes a rogue Bluetooth speaker, and it's very easy to manage. In this console, we are installing the package, then we are going to run this one-minute video, Kevin. So, then we run the service and it's working, and right now it's like a normal Bluetooth speaker. The only thing that you need to do is to put a real speaker in the audio jack, and the rest is exactly the same.
You connect to the speaker and at some point the Raspberry Pi is going to change the profile to play music. We are going to play the video that we've seen before. Quite simple. Let's do the connection to the Raspberry Pi. Okay. We lost it, probably, but let me see if I have the shell first. We're disconnected. Okay. Lots of devices. Lots of different devices. So, which one do you want to look at? The latest one? Anyone. So, we'll look at that. It's a file, yes. Oh, okay. This is a file. I mean, it used to be on the device. Yeah. Okay. Oh, nine. That's a date. Two. Just looking at anything. Oh, this is mine. Yeah. This is my phone. Great. Yeah. That's my girlfriend's number back there. Yes. Yeah. Yeah. Oh, this is the call log. Oh, okay. Yeah. So now she has to change the number. Yeah. Let me see the contact list here. What's cooler, though, is once you get it stored onto the Pi, on the Pi 3 you have Wi-Fi, then using Wi-Fi you send it over to some panel, and I'll show it to you in a moment. So that's... so it's .phonebook, I see. Yeah. So, here we have, great, my phone list. You are the first one. Wait, is that my... yeah, Joe Grand. Hey, take care. My phone is there. Stop it. Yeah. So, let's go to the panel. Over here. Let me refresh. Hopefully it's sent it up. That's finger. Come on. Come on. Come on. There we go. We got three devices. Okay. So, which one do you want to look at? I don't know. This one. So basically it's three different devices that connected to the Pi, to that speaker on the Pi, which now exfiltrates the data to the cloud. Yeah. We are connecting through my mobile. So, if we connect. Okay. That's mine. That's yours. So, let's use another one. Thank you. I'm not sure which one I selected. The next one. The second one. Second one, are you sure? I think I... The third one. First one. Okay. Okay. I don't know which one, I wasn't watching. Slow internet because we're tethered to his phone. Spain. Spanish SIM card. So, Telefónica SIM cards.
It's kind of slow. Yeah. It works. Well, that's not mine for sure. Any of you? Yeah. That's not mine either. Who knows? Whose is it? Oh, there it is. Okay. Great. Okay. Well, normal stuff. Well, we use a wildcard not to show the whole number. But we still have it. Sure. To give you business cards. From Kevin Mitnick. You know, this is your prize. We're sharing your data. It's like Facebook. You get a free account. But you have to share your data. You know, his girlfriend's number. So. Well, this is the idea. It's just a lot of small usability features that you can put together to create something like this. It's only rock and roll, but I like it. Things that you can do with this. Well, the hack works with any other profile. So you can be changing profiles as you wish. And the iPhone is going to tell you nothing. Depending on the kind of things that you can do with the Bluetooth profile, you can do more or fewer things on the device. We are not... Maybe in a next version of iOS, they'll turn on the MAP profile by default. Yeah. That'd be kind of cool. We tested with the MAP profile. By default, it's not syncing. It's not syncing the messages, which is bad for us, but it's good for users. With this profile, with the phone book access profile, it's forbidden to write the vCard, which is not good. Now you can imagine what social engineering setups you can do if you could write somebody's contact list and change phone numbers for their existing contacts. That'd be very interesting. And then you couple that with SMS spoofing. Right? You can imagine you could probably get compliance and you could use that for some really good pretexting. And the rest, you know it. You are connecting to one device that someone gave to you at a conference or as a gift.
And it's a big device that right now only has a Bluetooth module that we replaced, but you can add a lot of crazy stuff inside the box and you can create whatever you want. If you want to learn more about that, we wrote a small paper explaining all the usability features that we are using. In the end, we believe that this is a hack and not a bug, but probably it could be good for users if you received an alert when one device you already connected to changes the profile. But it's an idea. Who knows? And that's all. If you want to ask any question, we are open to it. On Android, the question is, on Android, when you connect to one device that is requiring a pairing token or not... if you connect to one device that is not requiring a pairing token and that device changes the profile, you receive an alert. So there is a permission that a Bluetooth device needs to get access to the contact list on Android. That's it. Well, I didn't hear you very well, but... It's hard to hear you, speak up a little bit. The profile switches, yeah. Well, we were thinking about that, and let's imagine that the default option for iOS is not to sync the contact list. How many users are going to call the call center saying, okay, I cannot connect to my car with my iPhone? So my belief is that they decided to do this just as a usability feature, to not have calls to the call center with a bad experience. That's my belief, but in the end they are sacrificing security. There, I got connected finally. Really. Okay, the last demo. Explain the demo. Okay. So right now, because we're having some issues with the SIM card here, right now it's trying to upload, exfiltrate. Remember how the data is first stored on the microSD card? Right now it's trying to exfiltrate it, but it can't, to the cloud, because we're having a problem with the GSM module in here.
The SIM card cannot connect to the local mobile operator. It's having an issue with the roaming. It's not a problem from Telefónica, it's a problem from the other operators. So, right now it's kind of stuck trying to upload the data. It's trying to read the file and send it, but in a moment I'll be able to actually talk to the actual debug module in here and show you what we have, show you that we have the same data. Okay, finally. All right. So I'm just doing a directory listing. There's a devices directory. So here are the different devices, and this is again over here, where's the pointer? Oh, my pocket. Great. So, let me put this up here. So over here, these are the devices that connected. This is the CRC32 of the actual MAC address of the device. Make this bigger. Great. So now we're going to look and see what's stored in the directory. 41 is something that I don't know. You want to do 41? Yeah, 41. 5, 6, 5, 0, 6, 4, 4, 1. And we'll look at the directory and we'll have the contact list as mainbook.vcf. So over here, that's their contact list and here are their missed calls. It doesn't seem they have any incoming or outgoing calls, which is weird. Let's take a look. Might be somebody that knows that they don't want to share that information. So, this is easier to do. This is easier to do it this way. No, no, I know it. And mainbook. Now it's doing that crappy thing. Okay. Mainbook.vcf. So here's the... Somebody's... Chris Geiser. Anybody recognize? Chris Geiser, Tom Getz. Whose phone is this? Anybody recognize this? What? New friends? New friends, yeah. Somebody in the audience had to connect, right? And then we're able to now store the phone book, essentially the contact list, call logs, and then what happens is every... What is it? Couple of minutes. Here. This is trying to connect to the mobile operator. Right now, the SIM isn't registered here locally, so it cannot exfiltrate the data. But if we had a prepaid...
If we had a SIM card here that was local to the U.S., it would actually work. Unfortunately, this is not connecting to the local network. Okay, that's all. Thank you very much for being here. Oh. I have a... I brought about 100 of my business cards, which are lockpick sets. If anyone would like one, just come up and I'll be happy to give you one. And after you get your business card, just FYI, we will have a snack break out in the foyer out there, so please step outside and make sure not to miss that. It's sponsored by Qualcomm. Thank you, Qualcomm. Hoot!
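Added example, not part of the talk transcript and not code from the Dirty Tooth speaker or the Raspberry Pi package the speakers describe. It shows the back-end side of what the talk walks through: a phone book pulled over PBAP arrives as vCard 2.1 text, the card the speakers call "UID 0" is the device owner's own card, each victim's files are stored under a directory named by the CRC32 of the device MAC, and the profile switch is only triggered for devices whose OUI marks them as iPhones. The vCard text, the placeholder OUI set (AA:BB:CC is a locally administered prefix, not a real vendor; the real tool keyed on Apple's OUIs) and the choice of hashing the colon-separated uppercase MAC string are all constructed assumptions; the talk does not say exactly which bytes were fed to CRC32. The parser handles the two vCard 2.1 wrinkles that bite in practice, folded lines and quoted-printable soft breaks, which is how accented Spanish names in a contact list actually arrive.

```python
"""Parse a PBAP-style vCard 2.1 phone book dump and select the owner card."""
import binascii
import quopri

# Constructed sample, shaped like a PBAP pull of the main phone book.
# The card with UID 0 is, as described in the talk, the device owner's card.
SAMPLE_VCF = (
    "BEGIN:VCARD\r\nVERSION:2.1\r\nUID:0\r\n"
    "N:Owner;Example\r\nFN:Example Owner\r\n"
    "TEL;CELL:+34600000000\r\nEMAIL;PREF:owner@example.com\r\nEND:VCARD\r\n"
    "BEGIN:VCARD\r\nVERSION:2.1\r\nUID:1\r\n"
    "N;ENCODING=QUOTED-PRINTABLE;CHARSET=UTF-8:Garc=C3=ADa;Jos=C3=A9\r\n"
    "FN;ENCODING=QUOTED-PRINTABLE;CHARSET=UTF-8:Jos=C3=A9 Garc=\r\n"  # QP soft break
    "=C3=ADa\r\n"
    "TEL;CELL:+34611111111\r\nTEL;WORK:+34911111111\r\nEND:VCARD\r\n"
)

# Placeholder OUI set (assumption): AA:BB:CC is locally administered, not a vendor.
TARGET_OUIS = {"AA:BB:CC"}


def _unfold(text):
    """Join folded lines (leading whitespace) and QP soft breaks (trailing '=')."""
    lines = []
    for raw in text.splitlines():
        if lines and raw[:1] in (" ", "\t"):
            lines[-1] += raw[1:]
        elif lines and lines[-1].endswith("="):
            lines[-1] = lines[-1][:-1] + raw
        else:
            lines.append(raw)
    return lines


def _decode(params, value):
    """Apply vCard 2.1 ENCODING / CHARSET parameters to a property value."""
    opts = {}
    for p in params:
        key, _, val = p.partition("=")
        opts[key.upper()] = val
    if opts.get("ENCODING", "").upper() == "QUOTED-PRINTABLE":
        raw = quopri.decodestring(value.encode("ascii"))
        value = raw.decode(opts.get("CHARSET", "utf-8"))
    return value


def parse_vcards(text):
    """Return a list of dicts (uid, n, fn, tel, email) for every card in the dump."""
    cards, cur = [], None
    for line in _unfold(text):
        head, sep, value = line.partition(":")
        if not sep:
            continue
        name, *params = head.split(";")
        name = name.upper()
        if name == "BEGIN" and value.upper() == "VCARD":
            cur = {"uid": None, "n": None, "fn": None, "tel": [], "email": []}
        elif name == "END" and cur is not None:
            cards.append(cur)
            cur = None
        elif cur is not None:
            value = _decode(params, value)
            if name == "UID":
                cur["uid"] = value
            elif name == "N":
                cur["n"] = value
            elif name == "FN":
                cur["fn"] = value
            elif name == "TEL":
                cur["tel"].append(value)
            elif name == "EMAIL":
                cur["email"].append(value)
    return cards


def owner_card(cards):
    """The owner's own card is the one with UID 0 (per the talk); None if absent."""
    return next((c for c in cards if c["uid"] == "0"), None)


def _norm_mac(mac):
    return mac.upper().replace("-", ":")


def device_dir(mac):
    """Per-device directory name: CRC32 of the MAC as 8 hex digits (talk's scheme;
    hashing the normalised colon-separated string is this example's assumption)."""
    return "%08x" % (binascii.crc32(_norm_mac(mac).encode("ascii")) & 0xFFFFFFFF)


def next_profile(mac, ouis=TARGET_OUIS):
    """Decide what the rogue speaker does after pairing: switch to PBAP for
    target-vendor OUIs, otherwise stay a plain A2DP speaker and just play music."""
    return "PBAP" if _norm_mac(mac)[:8] in ouis else "A2DP"


if __name__ == "__main__":
    cards = parse_vcards(SAMPLE_VCF)
    print("owner:", owner_card(cards))
    for c in cards:
        print(c["uid"], c["fn"], c["tel"], c["email"])
    print("dir for AA:BB:CC:11:22:33 ->", device_dir("AA:BB:CC:11:22:33"),
          "profile:", next_profile("AA:BB:CC:11:22:33"))
```

The OUI gate is the part worth copying when building a detection rather than an attack: a speaker that requests PBAP only from Apple-prefixed MACs looks like an ordinary A2DP sink to anything else, so a scan from a non-iPhone test device will not see the profile switch at all.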