Maybe. We'll see how much feedback I can get for the next five minutes. Yo! How's it going? It's 11 o'clock. It's Friday. It's Vegas. It's DEF CON. And everybody's sober, so hopefully we can remedy that today. My name's Bruce Potter. I'm here to talk about BlueSniff and war driving of Bluetooth devices and things of that nature. If this isn't your right flight, or you happen to be standing, you have to leave the facility. John Caswell, who's a Shmoo, as well as I, worked on this project with me. Unfortunately, he's off in Germany somewhere right now, so he's unable to attend. Anyway, I like to open all my talks with the basic statement of: you shouldn't believe anything I say. You know, we're either security professionals or the people that security professionals don't like. You know, when you call them hackers, crackers, I really don't care. But, you know, we get paid, or for fun. We're paranoid people, you know? And we shouldn't believe what people are spoon-feeding us. Don't come to DEF CON and watch people stand up on stage and believe the shit that they say. Challenge it. Ask questions. Attack them. Whatever it takes. Throw stuff at them. I mean, come on. Have some fun. But challenge what you're hearing for the next three days and you're going to walk out of here with a lot more knowledge than if you just sit there and take it. So, that said, I should probably justify why you should listen to what I have to say. By day, I'm a security consultant in Northern Virginia. I did work at VeriSign for a while. The Network Solutions division of VeriSign, even. So, feel free to flog me for that later. I work for some startups in Anchorage, Alaska as well, with a great group of people who basically were the foundation of the Shmoo Group, which we started in Anchorage and which is now an ad hoc security group of about 30 or so security, crypto and privacy wonks. And there's many of us around this weekend, and we've got little badges thanks to one of our esteemed colleagues.
So, that's nuts and bolts. And if you don't want to believe me now, it's up to you. We've got a lot of ground to cover today. I'm going to go over Bluetooth basics because, shockingly, you know, a lot of people don't know what Bluetooth is or how it works. I could probably find half the people in this room to give me a decent litany about 802.11 security. But Bluetooth security, I don't know that there's many people I can talk about it with. I know from my talks, when I've been speaking to people in the last three days, most people are just kind of, "What's this Bluetooth security you speak of?" We're going to go over the security aspects of the protocol. We're going to go over device discovery. That's the big meat of this thing. How do you find Bluetooth devices? And we'll go over the tool that we created. So, first and foremost, I want to get this out of the way. 802.11 and Bluetooth are not related in any way, shape or form. I've given talks on Bluetooth and when we got done, people have asked me, "How do I configure my 802.11 radio to do that?" No, you can't. They operate in the same band. 802.11b and 802.11g operate in the 2.4 gigahertz ISM band, as does Bluetooth. That's about the only thing they've got going. They use the air, and other than that, 802.11 is a LAN protocol, unless you talk to community wireless folks and suddenly it's become a MAN protocol. Bluetooth is a PAN protocol, a personal area network, designed to be a cable replacement for devices that you would normally hook together kind of near you, like your phone to your earpiece or your phone to your laptop or something of that nature. There are actually, according to some studies, more Bluetooth radios in existence in the field today than 802.11 radios. So, a little survey: a year ago, how many people had a Bluetooth device that they owned? Today, how many people have a Bluetooth device that they own? Okay, it's about half as many there. I anticipate if you come back next year it'll be damn near the whole room.
You see everybody roaming around with the T68is or the Nokia 3650s; all these phones are Bluetooth enabled. This fricking laptop is Bluetooth enabled. You know, your PDAs come with Bluetooth now. It's everywhere, and 802.11 is going to be tied to some kind of device like a PC or a router. Bluetooth is going to be tied to just about every damn piece of electronic device that you put on your person, and your PC, and potentially your router. So it's easy to see where the numbers are going to get astronomical quick. In Europe, Bluetooth has a lot more penetration than domestically, I believe in Asia as well. The US is just starting to catch on. Go try and buy a P800 Sony cell phone right now. Find it. One of the reasons people want these, besides that they're so damn cool, is the fact that they've got Bluetooth. They have a master-slave architecture. They give it kind of a hub and spoke. You've got somebody in the center controlling all the comms, and then you've got a bunch of slaves hanging off of it. As I said, it uses the ISM band. There's a misconception that all Bluetooth devices are low power. One of the tenets of the protocol is to design a low-powered protocol that could be nice to batteries. You know, you've got your Bluetooth earpiece. D-cells hanging off that thing. So a lot of them have been, you know, there is the capability to have low power consumption modes. But there are some people, just as the 802.11 people shove their technology out to the MAN, there are people that are taking Bluetooth and shoving it out to a LAN environment. There are actually Bluetooth LAN access devices. And these are class 1 type radios that will go up to 100 milliwatts. There's a Belkin USB dongle. It's the first gen that they made. I think 810 is the model number. That's a 30 milliwatt Bluetooth dongle. It works under Linux. It's a great thing. That's what I use for my development. I highly recommend it. I don't work for Belkin. I never have. And they make everything, by the way.
I mean, I don't know if you realize, but Belkin now, if it's got electrons, they make this stuff. Bluetooth uses something called frequency hopping, whatever, FHSS. Basically, frequency hopping means: in 802.11, you've got something that's just living in a band. It's just basically transmitting in the same section of the frequency at the same time. With FHSS, it's bouncing around. You're hammering around. You're picking different frequencies. And basically, you create a hop pattern, and you hop between all the locations in this hop pattern. I've got a diagram later that's going to show this. But back in the day, meaning like World War II, FHSS was a security mechanism, because you had to know the hop pattern in order to be able to intercept the traffic. You could potentially intercept little bits and pieces here, but you couldn't catch everything. You know, since then, you know, sometimes some declassified mere mortals can use it. But it's a dramatically different way of transmitting radio than 802.11. And this becomes really key, really key later on when we start talking about device discovery. In the case of Bluetooth, each little band that it jumps into is a megahertz wide. It sits there for a pretty small amount of time. And it's very resistant to interference because it's hopping around. So somebody's interfering in a band. You know, maybe at the time when they're in that band, they're getting interfered with, and they hop out and they go somewhere else, but it's not a big success. Bluetooth is... I encourage you to go out and download the Bluetooth protocol specification. It's a thousand pages. Just the core spec. That doesn't include a lot of supporting documentation. We could fill this podium, probably to the breaking point, with Bluetooth specifications that exist. But the basic spec is over a thousand pages, and it's like, you know, you take a piece and you throw it on the floor and there's just pieces everywhere. You've got nice layers that look very OSI-y.
And then you've got things that cross-cut layers, you know. And from a security perspective, things that cross-cut network layers: bad. Bad things are going to happen. High points in the protocol, basically RF, you know, all the way down to the physical layer. Here's how I sync up. Here's how I find these people and I'm able to determine where they are in their hopping pattern. There's an inquiry and an inquiry request. Basically, this is where I say, "Who's here?" You know, I want to find a device and I'm sending this inquiry and people will respond and say, "Hey, it's me." This is known as discoverable mode. This is a configurable option, usually, on devices, whether or not they want to be found. This is the way that a public device, a device you want others to find, is going to be found. Once you find the device, then the protocol specifies ways of discovering services as well. So this is where, you know, we're getting higher up the stack. And this is all in the Bluetooth specification. So, you know, here: what are you? What kind of device? And what's the deal? Like I said, it's got low power modes. Here's a URL for the Linux stack. It's bluez.sourceforge.net. There's a lot of... I think there's four competing Bluetooth stacks for Linux. This one is by far the most robust and the one that's been kind of accepted by the distributions. If you're going to play around with it, I recommend, if you're doing Linux, God help you, I recommend using BlueZ. So, Bluetooth security. There's this idea of pairing. And there's a lot of confusion about what this is, because it's not described well by the manufacturers when you get your swank little phone and it says you have to pair it. Pairing is not required. Let's just get that out of the way. You can talk to a Bluetooth device and not be paired with it. Pairing is effectively creating a trust relationship. The pairing is an activity.
When you go to pair the phone, there's a PIN on both sides and you enter the PIN into both devices. They are able to basically, one side creates a random number, does some cryptography with the PIN, sends it across to the other device. The other device has to be able to basically undo it and shift the random number back, and it's all good. We'll talk about why that's vulnerable in a minute, so people may see holes in this already. But once that's done, they have this cryptographic key that they can then use basically forever. So the pair key will then derive session keys later on. So this pairing activity happens once. It doesn't happen every time these two trusted devices talk. But you do not need to be paired in order to talk. Bluetooth has, as you would expect, AA&E. It has authentication and authorization services. This can be done on a per-connection basis, basically all traffic between two devices, or per basic session between two services on a device. So you could have your file transfer be authenticated and your voice traffic not be authenticated, or something like that. Encryption is the same way. So this is a classic problem in software engineering. I've given you options. I've called designers and said, here's some options on security. What are you going to do? Screw it all the hell up. And think about this. It's one thing to screw it up on a server. I'm making a web server and I've botched the security and I don't use SSL, I don't pay any attention to how my architecture is created, whatever. This is an embedded device a lot of times. How much horsepower can you really put in that earbud? Do you really have enough spare cycles to be able to encrypt? Or if encryption is a requirement for you, how expensive is your device going to be? God, hell with it, we're just not going to do it. And even if they do it, they may decide security's hard and I'll give you a check box to turn it off.
Or maybe by default I'll have the check box off and you have to go in and check it to make yourself secure. Excellent, this is the way it should work. So you've got two people that can shoot themselves in the foot: you, and the people who wrote the application for you. So now there's this idea of profiles. If the early 802.11 days taught us anything, or at least taught me something, it's that interoperability can be a real bitch when you give people options, or when you don't really specify how you're supposed to play nice together. Bluetooth has this idea of profiles where you can say, "Hey, look, I'm a keyboard and I'm going to talk in this manner and this is how I'm going to communicate to you." And you can formalize this into a profile, and these profiles are publicly available, and anyone that wants to make a Bluetooth keyboard to interact with you, or a device to understand your keyboard, will just go implement that profile and then you're able to talk to them. It helps interoperability, except there are a lot of profiles out there on the Bluetooth website; there are just scads of profiles. And secondarily, there are multiple profiles for the same types of things. I had a Sony Ericsson T68i and I had a Belkin earpiece, and the Sony Ericsson T68i I hated; it was a really crappy phone with a bad antenna and I basically kicked it until it broke, and then I upgraded to a Nokia 3650 and I thought, great, I'll just keep my earpiece and I'll be all dapper and whatnot. Well, the problem is the T68i understood both the hands-free and headset profiles. There's two different ones that basically do the same thing, but the Nokia only understood the headset profile and my earpiece implemented the hands-free profile. So I'm SOL. I have this swank little thing that I had to sell on eBay because I have no use for it. I hope someone in this room bought it and is enjoying it. So what's the deal? I keep referencing 802.11, and the reason I'm doing it is because it's kind of a reference.
There's a lot of people that understand it, and I'm a real zealot about this, but I'm trying to use it as an analog. One thing that's important to understand is that there's more at stake. Because of the way the protocol is basically this mishmash of verticals, when you compromise an 802.11 network you're able to potentially sniff at the network layer, but if you want to get after a host you've got to go after a port; you've got to be an IP, port, boom, you've got to break into the application, whatever. With Bluetooth, if I own basically any part of that stack I'm going to take over everything. I'm going to have victory. I'm going to go after the application. It's just going to be lying there. Potentially there's some higher-order authentication or encryption on top of it, but it's not nearly the same layered approach that Ethernet networks have. So there's a lot more at risk when you expose and have a weak Bluetooth device. It's also more personalized. Think about this: this laptop, many of us have laptops with 802.11. When we're done today, I'm going to shut this laptop down and I'm going to start talking to people and have a cigarette, whatever. My phone, on the other hand, is going to be on, and that's got a Bluetooth radio on it. So if I'm looking to track me, or someone is looking to track me, they will be able to key into my phone and determine where I am all the time with really cheap gear. This is really neat. This is tracking with like $50 radios, and this is tracking potentially on a metropolitan scale. I can make a little sensor network in downtown DC and track them everywhere. I can determine what's going on, what senators are speaking to each other: oh God, all the national security advisors just got together, what's going on? This is really kind of scary. There are more Bluetooth radios in existence than 802.11 radios. Here's this huge tracking problem. This really hasn't been covered. This has not hit the press.
How many people have an information security policy that covers wireless? How many people have one that covers Bluetooth? Excellent, congratulations. That's really unfortunate that these numbers are so small. This is something information security professionals have to think about, and in the interim the attackers are going to have a blast with. There's going to be a lot of executives out there wondering what the hell is happening and why people are listening to their phone calls from three miles away. Here's my mad Visio foo. If you think of this from earlier, direct sequence is basically just eating up this huge band all the time in the same place. You can see where it's basically creating this pattern and hopping all over. I'm about to talk about service discovery and I decided this is probably the time to give you a visualization so you understand why Bluetooth is so much different than things like 802.11b and g. 802.11, like I said, uses DSSS. Transmitters are always in the same place, which makes it great to find. If I know you're on channel one, I'm going to find you. I'm going to find you right then. What's going to happen? 802.11 channel one's like 2.4 to 2.41, some nonsense, whatever. You can get there. There's no confusion about where channel one is. You may have multiple channels, like in 802.11 you've got domestically 11, overseas 13 or 14, but all you've got to do is cycle through quite a handful. We're talking on the order of 10 channels. There's some cards out there that do this real well. Cisco's got an RFMON mode, basically transparent channel switching. It runs through all the channels constantly in hardware. This isn't like a firmware kind of thing. This is just hardware channel switching, and it basically looks like it's promiscuously sniffing on all channels all the time. That's why Cisco cards kick so much ass when you're doing wireless 802.11 security work.
Prism 2 based cards, like Linksys and Netgear cards, don't have that functionality in hardware, but they have it in firmware. So they can run through, but they don't run through as fast, it turns out. So if you run through these cards, for those that have used them with something like Kismet, you have to have an external channel hopper to say, I'm going to have to run through the channels in hardware or in software and just kind of tell it flip, flip, flip, flip, flip. You can do about three a second or so, it turns out, on those cards, before they start to basically miss a lot of traffic. Another nice thing about 802.11, finding it: so not only do you know where they are in the frequency band, but there's this idea of beacons in 802.11. "I'm here, I'm here, I'm here." In general, it's 100 milliseconds; it's configurable. You can crank it way down, you can crank it way up, but nonetheless, a lot of people have these beaconing networks. You can turn it off. Most access points now give you the ability to create cloaked or closed or all these different names for a network, and that fools some war driving utilities. NetStumbler, kind of the original granddaddy of these things, unfortunately, really all it's doing is querying the card and seeing what beacons are there. It's not promiscuously listening to see what beacons sound. AirSnort and Kismet, however, will. They allow you to access the card promiscuously and go in and just listen. So even if they're not beaconing, you're going to catch traffic that's going across. So what you need to have in that case is some other manner of regular traffic to focus in on. And the beautiful thing about modern-day PCs, especially like a Windows box, is they're pretty goddamn noisy. Windows has got this SMB crap going all the time. Now with OS X you've got Rendezvous, so you've got gas traffic flying out of the box. These machines are not quiet. You will find them in a heartbeat.
As long as you know, hey, I've only got ten channels to run through, you're periodically going to be doing a Rendezvous request, I'm going to find you in about two minutes. I mean, let there be no confusion. So anyway, 802.11, when it comes right down to it, it's pretty easy to find stuff. I mean, everybody here has gone war driving, I've got to assume, or at least, you know, been with friends who have been war driving. You go out there and it's just instant gratification. It's the greatest thing in the world. Bluetooth is not going to be that way. Frequency hopping spread spectrum is a lot harder to find. First off, at the RF level, you know, Bluetooth is a pain in the butt, because you've got to line up with that hopping pattern and you've got no idea where the transmitters are in the hopping pattern. So if you know the MAC address of the device and you want to ask it a question or tell it to do something, the first thing you've got to do is line up with the hopping pattern, which basically means I'm going to run through the hopping pattern really damn fast in an effort to catch up to you. Well, that's a real pain in the butt considering the hopping pattern is about two seconds long in the first place. And maybe because you're transmitting something and you're eating up more time faster than you should, I miss you the first time and I've got to do it again. And then I've got to do it again. And after ten seconds, usually, statistically, you will have found the device you're looking for. Okay. This is not abnormal. This is the way the protocol works. You will find devices in between two and ten seconds on average. I mean, for those that have Bluetooth devices, when you try to get them to pair or you're trying to do something, they don't show up right away. And the reason is they're trying to line up on this hopping pattern, to figure out what the hopping pattern is.
So as you can imagine, you're not going to get the instant gratification. Before, in 802.11, you had a couple of milliseconds to find it, microseconds even. Here you're just running around looking, looking, looking, and if he's not there, he goes out of range for a second, and you're going to just keep doing it. You're going to retry. It's a real pain in the butt. Thankfully, devices can be discoverable and you can actually send them the inquiry request I talked about earlier. And you would think, well, most people wouldn't have this on unless they were in the process of doing something active with their machine. And for those that have the T68i, you could put it in discoverable mode but it would only stay there for about three minutes and then that would go away. This was not a security feature, mind you. This was a power feature. When you're in discoverable mode it sucks up a lot more power, because it's listening much more actively for requests on the network than it normally would. So I was a black hat and I've got my little phone, and a buddy of mine is a race car driver and I crew for him, and last week his tire rolled off his rim and I took a picture of it with my phone. And so, as a black hat, I figured, well, I want to see how many people will just take the picture of this freaking tire. And so I'm going around in all the rooms and I'm scanning Bluetooth devices, and there's just probably, per room, a dozen phones that are just sitting there in discoverable mode. Some people actually took the picture. It says "some unknown person is trying to send you a file," and people are going, oh yeah, that seems like a rational idea. Devices can, thankfully, you can turn off this idea of discoverable mode, and in that case you need to directly probe the MAC in order to talk to it. So once you've discovered each other, say this is a legitimate situation, I'm trying to get my phone to talk to my laptop and I've done the pairing.
To do the pairing, one side was discoverable, the other side didn't need to be. I paired, I could turn the discoverable mode off, but now that they know each other's MAC addresses, all they're going to do is, when one wants to talk to the other, it's basically going to start walking around through that hop pattern, targeting that MAC address, until it finds that guy. Bluetooth also has the problem of service discovery at the application layer. There's potentially a lot less traffic going on when I'm standing here and I'm not making a call, I'm not syncing my calendar, I'm not doing anything of that. The phone's pretty damn quiet, my laptop's pretty damn quiet; there's not a lot of traffic going around. Given the problem that there has to be some kind of traffic for you to sync up on this pattern, that makes it kind of difficult to be able to sniff promiscuously for this data. Sophisticated RF gear solves a lot of these problems. If you've got a spectrum analyzer and you're just sitting there, you're going to see little burps as this thing's bouncing around in the spectrum. However, a lot of us can't afford spectrum analyzers. Secondly, they're kind of big; they don't look quite as impressive lying on the table. And lastly, it would be real nice if cards did this, if you had some greater flexibility into how the cards interact at the RF level, and as of yet no one's been able to make a standard, kind of run-of-the-mill card do it.
You can buy PC cards, they're between about $500 and $2,000, that are effectively software spectrum analyzers, and I'm not really certain what the differences are between those cards and basically $50 commodity Bluetooth gear. And that's kind of what I'm working on right now: digging through firmware on all these Bluetooth devices, trying to figure out what options are there that aren't being exposed in open source drivers. Obviously, we've gone past... okay, so a fun attack. This is okay, this is one of those red herrings. I'm going to throw this one out there, but in practice it's not going to be much of an issue. If during the pairing process I can intercept your traffic, I own you. I know your keys. I'm able to basically get your random number, and then, maybe I'm being a little over the top, but the PIN is usually a four-digit number, you know, and there's a search space there that's pretty easy to force your way through until you find the right thing. And on top of this four-digit PIN that most people use, most people think PIN and they think four digits, just like it's in our brain, but secondarily, when you have a device like an earpiece that doesn't have a keypad, there's no way to enter the PIN in, so it's hard set. So Belkin earbuds have one, two, three, four as the PIN. So if I know you just paired with a Belkin earbud and I'm able to intercept that traffic, I can create your keys on my own. I can decrypt, authenticate, I can do anything I want to your traffic. This is a bad thing. It's recognized by the specification creators, but there's really not a lot of way around it right now. Basically, if you're going to pair and you're really paranoid, go into a Faraday cage or some nonsense. In general, it's going to be a pretty safe activity. More likely, the attacks that you see right now are these poorly designed software people with optional security. I had a card for my iPAQ, no matter what vendor it was, and it installed the driver for the Bluetooth card but then installed a whole bunch of
profiles and the software that supports them. So first of all, the profile that supports the network access, the software that supports the network access profile, is actually a PPP server. So there was a PPP server installed on my PDA. This was non-trivial. I mean, this is like a 3 meg piece of software in and of itself; the whole driver was like 9 megs. Secondarily, it had a file sharing profile turned on by default, without encryption, without authentication, and it was sharing the root of my PDA's file system, world-writable. It was potentially the worst possible thing anyone could have done to a driver, and it was just the default installation. This is real similar to the early days of 802.11 wireless security problems. A lot of you probably remember Lucent's access points back in the day, where their serial number was their WEP key. So when you drove down the road and saw a six-digit hex SSID and it had the Lucent MAC octet in front of it, you're like, oh great, I know the WEP key. I can sniff your traffic. There's no point of even running WEPCrack or something. These defaults are going to be the first thing that the vendors solve. They're going to go out there and they're going to get pushback, I think, probably from corporate security folks mostly, because those are people with the real money, and say, hey, why don't you fix your shit? Come back when you've got better defaults and then we can talk. Devices like class 3 devices can be intercepted at a distance with reasonable antennas. If you're a class 1 device, it's even easier. To this laptop from my phone, I was able to do a distance from basically the back of the room to here in a session the other day. So, you know, that's a pretty substantial difference. And basically, I'm not sure what this is, I think the thing with my phone is only a class 3 device. That's an appreciable distance just for how it's supposed to be used. If you're really trying, you're going to be picking it up for a while. So basically it's like your own RFID tag.
People can follow you around, and I want to just reinforce this: it's not expensive. The cell phone companies can follow you. E911, great, I'm in distress, the cell phone towers can triangulate me. I'm sure there's no privacy concerns about my phone company, I don't know where the hell I am. But now, not just the phone company but anyone who's really interested in your activity can create a pretty cheap little network of Bluetooth devices everywhere you go. For most of us that's not an issue. For some people it's paranoia. For others it's a fact of life, something they need to be concerned about. So, Bluetooth war driving. War driving is probably a bad term, because if you're driving by, given this nature of it taking a long time to pick up the device, you're probably not going to see it. I mean, everyone's war driven at like 60 miles an hour and you keep picking these things up. You're not going to have that here with Bluetooth. So it's more like war walking. The original way that I did this was in New York about a year and a half ago, just roaming around with my PDA and the little device and just kept hitting scan. "No device is found." Yes, yes, yes. And there weren't a lot of devices at the time that had Bluetooth, so it was a pretty boring endeavor, and it turned out you probably needed a better UI to be able to pull this off successfully. By default, just doing that mechanism, like your phone or your PDA, is not going to find non-discoverable devices. So if you're really looking to have a good time with somebody and they're not discoverable, your life just got a lot more miserable. I'll get into how you can overcome it, but it's not going to be pretty. New tools really need to catch on in order to kind of draw out these concerns, and I think that we're going to see in the next year or two a kind of explosive growth, not only in Bluetooth device penetration but also in the security community's interest in it and the number of tools that are going to be created. Today there's just a handful of tools; only a
couple of them are really security related. It's going to become a lot more proficient. There'll be two or three Bluetooth talks instead of one like there is this year. There of course is a wonderful voyeuristic appeal of 802.11 war driving, where we get to go around and see who's doing what. The problem is, right now, the devices that I'm aware of don't have clear interfaces to allow you to promiscuously sniff traffic. So because of that it's not quite as voyeuristic. Like, you know, with 802.11 I can read your email. In theory, with Bluetooth I can listen to your phone conversations, but that kind of alien technology doesn't exist for us mortals yet, and hopefully, at the end of the day, there's some software developers back in a room and we're going to get this all figured out and solve some problems. So, yeah, here. Oh, one thing I do want to mention on this slide: errors in implementation are going to be a problem. That's kind of the next-generation problem, I think, we're going to see. The analog to what I'm trying to describe here is, you know, like in Outlook, when you can kind of bomb in some HTML and have something bad inside of the HTML that gets interpreted by some piece of Windows, and bad things happen. And so you always tell people, don't open HTML mail. It wasn't just, you know, don't open attachments; like, okay, any idiot can figure out don't open the attachment. But then there was all this kind of line like, don't open the emails you don't trust, because maybe there's a problem with the HTML interpreter or RTF interpreter or whatever, Rich Text Format interpreter, that's going to allow someone to own the box. And I think the last kind of HTML interpreter problem was about two or three years ago, and then like three weeks ago there was another one. So just when everyone was getting used to opening their mail, now suddenly people can just bomb in HTML again and own your box without you having to do anything. Wonderful. We're going to see the same kind of problems as the next-generation
problems in bluetooth where someone at a conference accepts a picture from someone and inside that picture I've embedded some malware and that malware is gunning for some kind of vulnerability in a parsing engine or whatever of whatever OS that phones running simbian palm windows my god windows 2002 pocket pc whatever the hell they call the thing is damn I have a firewall in my basement that's not as powerful as that box I mean that's ridiculous there's a lot of functionality there they still don't get the security thing windows pocket pc 2002 at least didn't understand how to handle like certificate revocation how to load a new root cert I mean the thing was pretty angry I haven't played with 2003 much yet but that's not going to change you know these guys are thinking they're on the bed in the west they got bigger concerns power consumption and size they're really not caring about security as much as they should so the moral of this is I think in the next year or two you're going to see these kind of malware attacks and this is going to be kind of analogous I think to what happened in Japan with sms where people were sending in sms viruses to people on their phones you know sms was coming in band in the phone over the gsm network or whatever network they connected to this is going to come from the guy next to you walking past you in the mall so the first tool that was released that I want to talk about was red fang it was released by at stake two months ago maybe three months ago and this is really the first you know security tool that goes out and looks for devices that don't want to be discovered it's I applaud them for what they did but unfortunately the process that you have to go through is not pretty because of this deal where it takes a long time to find a device even when you know it's MAC address but you don't know it's MAC address ahead of time means that you're going to go through and you're going to brute force guess MAC addresses and for every MAC 
address you're trying to guess you've got to wait probably up to ten seconds while you're trying to find the device if there's nothing there you go to 000001 you wait for ten more seconds and you do it again this is a long process the one thing that's nice you know these MAC addresses are the OUI registered IEEE MAC addresses you know these are globally unique MAC addresses that come from that same listing so we're able to create a list of MAC prefixes for various vendors I'm working on putting up just a list of the devices that I'm aware of you know what's the MAC prefix for apples what's the MAC prefix for Ericsson phones what's the MAC prefix for Nokia phones and maybe we'll be able to find the ranges that these companies are using for their MAC addresses and that will allow you to kind of jumpstart the process so you should be able to determine the three octets right off the bat and maybe through some work and some collaboration you'll be able to say these companies are using these smaller ranges which will make finding you know this MAC a lot easier process than the hours and hours that it's going to be right now when you're trying to look like you're trying to find it doesn't that sound exciting going off and looking for one device for hours on end and God help you if you're at Starbucks and that guy gets up after you know 30 minutes and walks away and that's scandalous just useless you can right next to the scan the guy with the funky hat if he ever comes back 0-0 the question is is there broadcast or multicast traffic for it Bluetooth is I guess the way to describe it and I've seen it publicized is not a promiscuous protocol meaning everything's pretty much what you would analog to Unicast the closest thing to this broadcast is this idea of the inquiry request I'm unaware of anything else that basically doesn't specify have to cause you to go right at the MAC address the only thing that's kind of generic IE of broadcast is this inquiry request by turning 
off discoverable mode that thing's dead so you know it this takes a long time but this is the only way and so if you're an angry adversary you know you're looking and you're targeting someone specifically this kind of thing is going to work out for you if you're not an angry adversary well then you're probably not going to really go down this road it's fun and it's neat and all but I think academically that's about all we got oh yeah the way that the hopping pattern works is it's a seed off the MAC address of the master in the Pyconet the Pyconet's basically the pan you've got all your devices talking to each other and you've got the master you've got all these slaves and they form this thing called a Pyconet and so in the Pyconet the master's MAC address determines the hopping pattern and this is kind of interesting if the master in your Pyconet is discoverable he's basically pimped out everything in its Pyconet because you're able to see the master you're able to find his MAC address you're able to determine the hopping pattern and at that point hey great I can now listen to everybody because I know exactly what their hopping pattern is if one of the members of the Pyconet is indiscoverable you know he's there and that's good but you don't know what a hopping pattern is on yet so you still got to work like hell to try to find other devices so you know just from an architectural perspective my god you have to architect your personal area network you know who's my master and is he going to be in discoverable mode you know make sure he's not and you'll probably be a lot happier so we ripped together this thing and I will caveat this really heavily right now and say it's not the prettiest piece of code and I'll be real happy if anyone downloads it and it actually works successfully out of the box it was kind of a last minute we were going down the road that that stake had gone down and then they released and we just kind of sat in our hands and felt a little dejected 
and we decided oh we'll tackle the usability problem because you know usability is a big issue in security so we made a really wonderful end curses application that periodically just kind of disappears so it's really usable I'm sure a lot of you have heard this study called why Johnny can't encrypt and it was a study done by some researchers I think in California a couple years ago where they took a bunch of people in the room who weren't computer savvy and locked in together and said here's encrypted email here's how you do it can you send encrypted email to each other and a few people succeeded and most people failed then they spent the day explaining this to them and said okay now send encrypted email to each other and a few more people figured it out and the rest of the people still kind of scratched their butts and said I don't get it usability is a big security issue and as application providers as system integrators, as attackers, as whatever you got to care about usability and potentially it's more important than the technology because the technology I can stand up here and hit you with a technology stick today and most of you are going to get it understand this shit this is good stuff but my god of the tool is terrible they just crater there's no way to use them they're ugly I don't understand it whatever you know or I got to compile some crazy LKM for Linux that takes like 50 other widgets to compile I hate that so you know we tried to solve the usability problem I made it an unusable tool well if you do download this and you fix it in any way shape or form please email me the patch that it integrated we're going to try to rev this a little bit farther just as some proof of concept code and then we're going to go off and do some better integration that will get into in a minute so what this thing is is a front end for a red fang so basically you can just kind of stick red fang on something and say go find things and it'll kind of graphically display I'll 
get to a screen shot in a minute you know what devices it's found signal strength and things of that nature and it's also a handy little UI yes every time it stops scanning to re-scan and look for more devices you can just sit here with your laptop and as people walk by your table by the pool you'll see who's discoverable and who's not that is probably a lot more useful than the red fang interface right now and I shoot you not it will just do crazy things right now so Kaz wrote the UI Kaz actually wrote everything I should never develop software if anyone ever wants to give me money to actually write software for them to sell you some swamp land and all the other typical cliches this is I think from some other wireless tool I think maybe Kaz participated in it basically you can select your scan normal or the brute force and I think now it'll do both it'll sit there and try finding discoverable things for a while then it'll go and do brute force and then it'll go back and go back so you're getting kind of the best of both worlds hey look a pop-up window in curses this is the coolest ever and then when you saw it and all that kind of stuff those MAC addresses for those that are wondering are actually Cisco 802.11 MAC addresses it just happened to be the ones we had so when you start the tool right now you'll actually see these because they're still like the debug code is still in there so they'll be pre-populated with two Cisco cards that are really not Bluetooth devices so future work and I think this is where things kind of get important integration with other Wi-Fi scanning tools you know usability is going to be an issue the next step after we work out some kinks from BlueSniff is we're going to go to Air Snort and we're going to implement it and merge it into Air Snort so you'll have, you know, the Uber war-driving utility as long as you have low-profile cards that can sit next to each other you know in your PC card slot it'll be good to go a note on that 
Bluetooth 802.11 interference there's a few studies that have been out on it I recommend reading them I'm not going to make any claims about our qualities because people come to kind of different conclusions I think in general the closer you have the two radios the worse off you are but it's not really going to necessarily be a terrible thing but it may be for you so before you say, damn it I'm using my Bluetooth and my freaking wireless network goes down, you know, go read it you may have some other problem afoot we got to find new scanning methods I mean pure and simple and I think what that's going to get to is finding what the capabilities of the current hardware are you know with Net Stumbler the person who wrote Net Stumbler understood one piece of hardware and that's what he used and that's great but then people were able to look at other types of hardware and say man the Cisco card really kicks ass we should write something that uses this instead of the mechanism that we're using on this Orinoco card people are going to have to start looking at all these vendors and these vendors aren't yet quite as mainstream I mean Belkin I think Lynxist and maybe some other of these kind of copy USAE brands are making this stuff but if you go to the BlueZ supported hardware page there's a lot of vendors you've never heard of and a lot of them are in the language that I can speak very effectively you know buy some cards if you have experiences with cards and you are able to do something that you weren't able to do in other cards let the community know about it you know find a form I don't know if there are any decent bluetooth security forms out there besides the standard issues security focus whatever they got going on or you know email me and I'll help you work through issues and dig through firmware and where we'll figure out which cards can do what I think it's going to be really critical that we catalog these cards and figure out what their capabilities are and 
figure out what the best tools for the jobs are and you know I stand up here as a daytime security consultant at kind of nighttime just I'm still like a white hat I'm not throwing this out here to be in a tax scenario you know there are attackers who will use this for evil but there are also security professionals who will use this for good you know finding the idiot who's got their you know whatever printer discoverable on their desk some guy outside printing porn to his office he can't figure out why all his porn spewing out his printer so you know that there are good uses as a whole full disclosure concept you know use this tool as you will I don't really care second thing is I'm creating this MAC address table listing I've got a start on it I think it's on the website should have a lot more as soon as I figure out in OS 10 where the the there's a there's a lookup table somewhere on the box that says this is the device named my phone and here's its MAC address and here's another device I'm aware about and here's its MAC address and I swear I went to the root of the file system eGREP-RI Nokia Star waited an hour and a half and I didn't find it so I was really ticked off to cheer up all my battery life doing that grep and not finding it if anyone knows what that table is I've got a just litany of devices stored in this machine that I can't get the MAC address for another big one even though like I said if you know the master and you know its MAC address you know the hopping pattern for everyone in that pico net there's no tools yet that will give you all the traffic in the pico net the one tool that shifts with blue Z is called HCI dump I believe and HCI dump will only give you traffic to and from your own device Bluetooth is not meant to be a promiscuous protocol and the developers who write the drivers really don't intend to be thinking like this they're thinking you know I only want the back and forth and as security people we want the back and forth for 
everybody because that's where the real juice is because you probably don't want to be seen you know you'd rather be the quiet party in the group so you know there's got to be some work put into that and again this is going to come out of more firmware you know the question is can you change your MAC address for your own Bluetooth device honest to God I don't know I really haven't tried I mean that's like you know this stealthy idea like you know so people think you're something that you're not and since most people aren't looking for you yet I haven't ever thought to try and cloak myself but yeah so I have absolutely no idea and if anyone finds out please let us all know I'm going to open the floor up to some questions before I do you know shameless self-promotion I helped out with a couple of books that are going to be in the vendor table so you know if you feel like pitying me I'd be happy to you know buy it spit on it I really don't care whatever anyway questions loud fire the question is can you un-pair devices and basically cause them to in 802.11 lingo re-associate first of all the pairing concept is only kind of this trust relationship that occurs so the way that you would break a pairing is you basically delete the keys off the both sides and they're unaware of each other anymore and as far as a re-association there are various control frames that you can send the hard part isn't sending them it's just knowing how to send them what part of the frequency to be on and what MAC address to be so there is that capability to break the connection but it's not frankly I just haven't examined it at all because I'm still fighting with this first part of the problem other questions the question is is it possible to force a device into discoverable mode you're talking as an outsider not as the person who owns the device that would involve subverting the device itself to be able to do it there's no protocol bit that says hey flip yourself into discoverable then let me 
discover you it's not possible it is that's the thing it is listening it's listening generally in a low power mode and that's why you can still address it by MAC address if it hears a frame for its MAC address on the right part of the pattern it says oh this is for me and I need to deal with it so even when you're not discoverable you can still talk to the device and even this is kind of neat when I was sending pictures of these people's phones you can scan these devices you can find them and nothing pops up like there's no security mechanism against discovering the device and so there's really nothing like watching you scanning or whatever you can find out the device name you can find out what services it offers you can do all this nonsense and there's really nothing that the device is going to do to try and stop you until you try to access one of those services that's when authentication encryption are going to kick in and that's when you're going to have some kind of pop up hopefully that says oh hey do you want to accept this and wonderfully the phones and these other devices haven't so you can just accept anything people send to you just take it and then maybe it'll ask you do you want me to save this do you want me to execute it do you want me to rate whatever I mean there's all kinds of options it can do but you can do a lot to the device before it says who are you and what are you doing another question the question is about the predictability and the length of the pattern I think the pattern is about two seconds it sits on every part of the pattern for 625 microseconds and there's 79 locations in the pattern but it's a permutation of the MAC address of the master so you know common tutorial mathematics say there's a lot of different patterns that are possible that mechanism that you go through to try and find someone when you don't know their pattern that discovery mechanism is kind of the best way to do it at least that's the people who designed it came 
up with the best way and no one's been able to beat it yet other questions the question is if one device loses a parent key what happens basically you can't talk anymore you can't generate the proper keys and just kind of throws its head out there would be two conditions there's one you corrupt its parent key so at the software level it would say this is still a valid key but our keys aren't matching up and there's a second when you delete it at which point the software would probably say there's no key, I have nothing to do and we'll just try to create a normal connection to it other questions the question is regarding other specifications on Bluetooth besides the ones that I referenced there's some IEEE work I think it may be in the 802 chain somewhere I'm not really sure the authoritative source is bluetooth.org.com Bluetooth is a royalty free protocol that was originally developed by Ericsson and then released in the public domain Ericsson actually kind of had a revelation to say we can develop all this stuff but unless we give people the ability to use it independently no one's ever going to adopt it it may be the greatest freakin piece of whatever in the world but no one's going to pay us because until we get critical mass nothing's going to happen so you can go to the bluetooth website you can download Miles of Specs and there's like little primers there that you can get that actually give you kind of a soft landing there's also an application, bluetooth application development book that I cannot for the life of me remember but if you search in Amazon for bluetooth application development it's a really good book it gives you a great head start and using bluesy explains the protocols more in depth about power consumption issues as an application developer you need to be concerned about power consumption and layer 1 issues it's the greatest thing in the world I need to worry about everything from layer 1 to layer 7 and I'm just this poor guy at a desk and I 
don't know what to do there's going to be problems with this for a while but through our diligence I think we'll be able to tackle it anyway I think I'm going to wrap it up well I'll take one more fire right exactly the question is can you parallelize the scan the redfang tool has been explicitly made to be able to be threaded so you can kick off multiple instantiations of it at a time and it's really going to be limited to how much crap you can shove on your box you know if you get a USB hub or a string of a couple USB hubs together and slam into a bunch of bluetooth devices in theory as much as they'll support you can run off and scan the issue is you need to make sure you're not scanning the same space like if you got 16 radios you shouldn't all start them at 00000 because you're just going to waste a lot of time you shouldn't parallelize that and I think that's probably the short term technique that people are going to use when they're really interested in finding someone you just stick a bunch of radios on it you solve the problem and obviously so you know binary search blog gets shorter anyway one more doctor doctor all right excellent I appreciate it thanks a lot guys have a blast
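The talk's architectural advice, that the master of your piconet must not be left in discoverable mode, can be audited on a BlueZ host. The script below is an added example, not BlueSniff, RedFang or BlueZ code; it assumes the classic `hciconfig` tool and its PSCAN (connectable) and ISCAN (discoverable) status flags, and the sample outputs it parses are constructed.

```shell
#!/bin/sh
# Added example, not code from the talk: audit whether a BlueZ adapter is
# left in discoverable (inquiry scan) mode, which, as the talk explains,
# gives away the master's address and therefore the piconet's hop pattern.
# Assumption: the classic BlueZ `hciconfig` tool, whose third output line
# lists flags such as UP, RUNNING, PSCAN (answers pages, i.e. connectable)
# and ISCAN (answers inquiries, i.e. discoverable).

# Constructed sample outputs so the functions run without a radio.
SAMPLE_DISCOVERABLE='hci0:   Type: Primary  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:1234 acl:0 sco:0 events:40 errors:0'

SAMPLE_HIDDEN='hci0:   Type: Primary  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN'

SAMPLE_DOWN='hci0:   Type: Primary  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8
        DOWN'

# scan_mode OUTPUT: classify hciconfig output as discoverable, connectable,
# hidden (up but answering neither scan) or down. "connectable" is not
# invisible: the radio still answers a page aimed at its own BD_ADDR,
# which is exactly what the talk's brute-force discussion relies on.
scan_mode() {
    # third line carries the flag words; "$1 = $1" normalises whitespace
    flags=$(printf '%s\n' "$1" | awk 'NR==3 { $1 = $1; print }')
    case " $flags " in
        *" ISCAN "*) echo discoverable ;;
        *" PSCAN "*) echo connectable ;;
        *" UP "*)    echo hidden ;;
        *)           echo down ;;
    esac
}

# audit_adapter [ADAPTER]: report the live adapter if hciconfig exists,
# otherwise the constructed sample. Returns 1 when the adapter is
# discoverable and prints the hciconfig invocation that keeps it
# connectable while turning inquiry scan off.
audit_adapter() {
    adapter=${1:-hci0}
    if command -v hciconfig >/dev/null 2>&1; then
        out=$(hciconfig "$adapter")
    else
        out=$SAMPLE_DISCOVERABLE
    fi
    mode=$(scan_mode "$out")
    echo "$adapter: $mode"
    if [ "$mode" = discoverable ]; then
        echo "  inquiry scan is on: every inquiry request gets an answer"
        echo "  fix: hciconfig $adapter pscan    (connectable, not discoverable)"
        return 1
    fi
    return 0
}

# Stand-alone run; the trailing echo keeps the script's exit status clean.
audit_adapter "$@" || echo "  (adapter is exposed; see fix above)"
```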