Hi, and good morning. Thank you for coming to my talk. I see there are seven people in the room, out of which two of them are my friends and two are moderators and one is the next speaker, which is fine. You're with friends. Yeah. But you have a problem. So this is what basically happens when you are the first talk of the last day. Yes. So which I guess is fine. Okay, so let's get started. This is a brief talk about BlueBorne. BlueBorne is one of the security flaws which was reported to us in Bluetooth implementations, and there are various unique things about this security flaw. One thing is that this is really a cross-implementation flaw. As in, you know, this is the first flaw of its kind which affects a lot of platforms which we use. It affects Linux. It affects Windows. It affects Android. It affects Apple OS. So this is one of the first cross-implementation flaws which we have really seen. I have two demonstration videos which are very, very short, which actually show how your Android phone can be exploited or, you know, how your Linux machines can be exploited. I actually intended to do a live demo, but I have not had very good experiences with live demos at conferences because, you know, things don't seem to work very well. So let's get started. My name is Josefa. I work as principal product security engineer at Red Hat. I have been at Red Hat for around 12-ish years now. I am a part of various upstream security communities. So I work with Mozilla. I work with WebKit. I work with LibreOffice, PHP, Python, Samba, Xorg. So, you know, I'm a part of around 15 or 16 various upstream security teams. I contribute to Fedora. I have been contributing to Fedora for around the last eight years now and I have been doing different things. I regularly speak at conferences. This is my third time at Fawca. I speak at Fedora conferences. I speak at Red Hat conferences. And, you know, most of my talks are about security. It's about open source security, right?
So let's get started and let's talk about Bluetooth. So Bluetooth is really, really interesting. The standard first came around, I think, in 1998. So it is not very old, probably 20 years old. So the standard was first introduced in 1998. It is the most widespread protocol used for short-range communication, right? So if you want to do short-range communication of, say, like 10 feet or 15 feet or something like that, it is the most widely used protocol which is currently in use. There are more than 8.2 billion devices, right? So there are more than 8.2 billion devices which currently have Bluetooth enabled in some form or other. Various types of devices, everything from consumer products, like, you know, your mobile phones, your laptops, to things like your television, your refrigerator. If you have an IoT device, some of the IoT devices also have Bluetooth enabled. So there are a lot of devices, and the projector, it's fine now. So there are a lot of devices which use Bluetooth. There are some critical medical devices also which use Bluetooth. So you know, if you have heard of pacemakers, pacemakers are small devices which they implant inside the body, which are supposed to give electric signals to your heart which make it beat, right? So the modern pacemakers also are Bluetooth enabled. If you have heard of insulin pumps: so if you are a diabetic, an insulin pump is a special device which has got an emergency dose of insulin, which can actually be embedded, put inside the body. And you know, if you are a diabetic and, you know, if some fine day you forget to take your insulin injection, insulin pumps are special devices which will give you an emergency dose when they figure out that, you know, your blood insulin level is going down. So all of these devices, newer insulin pumps, newer pacemakers, are also Bluetooth enabled. There are a lot of IoT devices which we see nowadays which also have Bluetooth, right? So it is really, really widespread.
The 8.2 billion number which you see is from last year, I think from December 2017, if I am not wrong, so the numbers are growing, right? Bluetooth is licensed and it is actively managed by the Bluetooth Special Interest Group. It is called, I think, BLE, sorry, that is probably the next slide, okay? It is licensed and it is managed by the Bluetooth Special Interest Group. The Bluetooth Special Interest Group consists of 34 companies, right? So it has got hardware companies, it has got software companies. So we have vendors like Apple, Intel, Microsoft and different, different companies. So there are currently 34 small and big companies which are a part of the Bluetooth Special Interest Group. There are newer Bluetooth standards which they are trying to bring about. There is something called Bluetooth Low Energy. So if you have Bluetooth embedded in an IoT device or something like that, which needs to run from a battery, or it needs to run from a battery for a very long time, we have the Bluetooth Low Energy device as well. There is a new thing which is called Bluetooth mesh topology, which basically means that you can extend the range of your Bluetooth. So if I am able to connect to your mobile phone and you are able to connect to somebody else and he is able to connect to somebody else, we can effectively use this kind of mesh topology to extend the range of Bluetooth. So let's come to what is wrong with Bluetooth. The biggest problem with Bluetooth is that it is extremely complicated. It is extremely complicated, it is extremely over-engineered, and one of the reasons for that is there are too many stakeholders. There are hardware companies who want to enforce their own standards. There are software companies, there are mobile companies, there are consumer electronics companies. So it is extremely over-engineered, it is extremely complicated. And to give you an example of how over-engineered it is, look at the Wi-Fi standards.
So Wi-Fi standards, if you download the Wi-Fi standard, the Wi-Fi standard I think is around 450 pages. So the standard, the white paper which actually talks about everything, is 450. So it is quite small, and you know you see Wi-Fi is heavily used, and Wi-Fi I think is a little bit older than Bluetooth. So the Wi-Fi standard is around 450 pages. But if you see the Bluetooth standard, the Bluetooth standard is 2800 pages and more. So this is how extremely complicated, how extremely over-engineered Bluetooth is. And this is one of the reasons which has kept security researchers away from trying to look at Bluetooth. Because in order to find flaws with Bluetooth, you actually need to understand Bluetooth. And nobody is going to download a 2800-page white paper from their website and try to study it. It's going to probably take a couple of months. So Bluetooth is really, really over-engineered, it is really, really over-complicated. This has kept the researchers away from trying to audit its implementation. So as I mentioned, you need to download, you need to understand. And I have spoken with a lot of researchers and they wanted to do some research with Bluetooth. But after studying a couple of pages of the Bluetooth standard, they decided that it wasn't probably a good idea. And there are other standards, there is other software which they can easily audit, instead of trying to venture into Bluetooth. To give you a simple idea, so networking has this thing called fragmentation, which basically means that if the packet is too large, you divide it into smaller parts so that it will go through networks which don't have a lot of bandwidth. In Bluetooth, you can do fragmentation in 22 different ways. So there are different layers. On each layer, you can do a different kind of fragmentation. And it is the responsibility of the layer above to try to join all the packets together and try to figure out at what layer what fragmentation was done.
So this is an extremely, extremely complicated standard. And nobody really, like I said, nobody really looked at the implementation, because in order to look at the implementation, you need to understand the standard, which is the biggest hurdle which we have seen. So you first understand the standard, then you look at the implementation. So, and I probably kicked the projector cable or something like that. Yeah, it's back. So you need to understand the standard, then you need to understand the implementation, and then you need to have a security mindset to find flaws. There was some research which was done in Bluetooth. I think it was a couple of years back. The research was more of a cryptography thing in which they found a flaw in which adding needs to be done. And they found a flaw with it. And it was fixed very, very fast. But that was kind of more of a superficial research than trying to go deep down into how Bluetooth works. So what BlueBorne is and what BlueBorne can do. And this is really, really interesting. And I have a demonstration. If you see the demonstration, you will probably never want to switch Bluetooth on. So what can BlueBorne basically do? BlueBorne can allow attackers to take control of devices which have Bluetooth enabled. And if you look around, you probably have your laptops which have Bluetooth, you have your mobile devices. There are these devices called Fitbits and stuff like that, which have got Bluetooth enabled because you need to transfer data to your laptop and stuff like that. So if you look around, there are so many devices. You have your cameras, you have your mobile phones. You have so many devices which have Bluetooth enabled. And BlueBorne can actually allow attackers to take control of those devices. And it can allow attackers to access corporate data and networks. And I'll give you a very, very good example as to how that can be done. It can allow attackers to penetrate air-gapped networks.
So air-gapped networks, as in the device is not physically connected by a network wire or something like that. And we will see an example of that also. It can allow attackers to spread malware. Just imagine what it can do to critical medical devices. So if I want to kill somebody, theoretically if I want to kill somebody, and I know he is using a Bluetooth-enabled pacemaker or a Bluetooth-enabled insulin pump, I can connect to his pacemaker and I can make the pacemaker stop giving electric signals to the heart. Or I can make the insulin pump give an overdose of insulin to the person and he'll probably die. So really, apart from stealing of data, apart from spreading malware, this has got really bad consequences. And I was speaking to somebody yesterday and we were trying to discuss BlueBorne. And I gave him a very, very simple example. So I had gone to this place to have lunch. And there is an app available on Linux machines which is called Bluetooth Sense N2. And if you run that, it will scan all the Bluetooth devices around you which are in discoverable mode. What I could do is I could connect to all of these devices by using BlueBorne. I can spread malware. So I can connect to your phone. I can install malware on your phone. And then my work is done. Now what you need to do is, after having lunch, you go back to where you work. That place probably has got a wireless network. So you switch on wireless on your mobile phone. And as soon as you do that, the malware on your mobile phone dials back to me. And it says that this guy is active. Now I can use your mobile as a launchpad. And I can attack all the devices which are now close to you. So if you go back home, and if your wife has got Bluetooth, if your kids have got Bluetooth, I can effectively infect all of those phones. And when your wife goes to work, I can use her mobile to infect all of the phones and laptops and devices.
And when your kid goes to school and if your kid takes the phone with them, I can use that as a launchpad to attack as well. So this has got a lot of consequences. And one thing which is very bad about this flaw is you don't need your device to be in discoverable mode. So Bluetooth, if you have used Bluetooth, Bluetooth has got this thing called discoverable mode, in which, if discoverable mode is on, it will allow other people to discover what your mobile name is and stuff like that. So you don't need to be in discoverable mode. And I have a quick slide about what discoverable mode is. So when you switch on Bluetooth, by default most of the devices are in discoverable mode. And as I said, and as the word itself says, discoverable, as in if somebody scans, he's able to see your mobile phone or he's able to see your device. There is one more mode which is called page scan mode, which basically means that you are trying to hide yourself from the rest of the people who are trying to scan. So there is a page scan mode, and it doesn't really make sense to keep your device in page scan mode because there are devices available on the internet. So if you go to amazon.com, there is a device called Ubertooth, which you can buy for around, I think, $25 or $26, I think. And what this device basically does is it scans all the devices which are around you, and you don't really need to be in discoverable mode. So you can hide yourselves if your Bluetooth is on and if you are in page scan mode, if you are trying to hide yourself, you don't really need to be in discoverable mode. And if you don't have a device like Ubertooth, there is one more thing which you can do, or there is one more thing which the attacker can do, is you can try to capture Wi-Fi signals coming from that device. So if my laptop Wi-Fi is on and I'm trying to connect, I can try to capture Wi-Fi, and the Wi-Fi standard basically says that the MAC address does not have to be encrypted.
So the Wi-Fi standard says that the MAC address does not need to be encrypted. So I can capture Wi-Fi packets coming or going from your laptop or device and I can find the MAC address, and the standard says that if you have Bluetooth on your laptop, if you have Wi-Fi on the laptop, then the Bluetooth MAC address is the Wi-Fi MAC address minus 1. So it is very, very easy. I capture Wi-Fi packets from your device. I subtract 1 and I get the Bluetooth MAC address. Once I have the Bluetooth MAC address, I can very easily attack. So this is how an attacker would prepare himself to attack. Now let's see the actual flaws which were discovered. They found a flaw with the Linux implementation of Bluetooth and it's called CVE-2017-1000251. A CVE is a unique number which is given to all security flaws so that we are able to identify one flaw from the second flaw. This is essentially, the vulnerability lies in BlueZ's implementation of the L2CAP EFS feature. If you don't understand it, you need to go to the 2,800 pages to actually try to figure out what this is. It is essentially a stack buffer overflow in the kernel. The attacker only needs to send a configuration request. So, very, very important: you don't need to be paired. You don't need to be paired with the Bluetooth device. I only need to send a configuration request, and this is a remote code execution, and I have a demo which shows how the actual attack will work. So this is a remote code execution, which means I can take control of your Linux device if you have Bluetooth which is enabled. It will not work in modern operating systems. So if you have Red Hat or if you have Fedora or if you have Debian, the newer version, it may not work because we have a security feature which is enabled which is called, I think, kernel stack smashing protection. So this is a feature which is enabled in the kernel. So these things will not work in a modern operating system.
So I have a demo, and what the demo basically does is, there are a lot of smart devices which have got Linux embedded in them. So my demo basically uses a Samsung smartwatch. So if you are using any of the Samsung wearable devices, or probably non-Samsung as well, but if it has got Linux embedded, then this exploit will probably work, and why this exploit works with the smartwatches is because the footprint of the operating system is very small. You cannot have all of these hardening things inside it. So let me see if I can quickly run the demo. There is some music inside it, but before I start this kind of runs, I have 5 minutes. Oh God. So maybe I should skip this and I should get to things which are more interesting. So this is kind of a little bit more interesting. It shows how your Android phone can be attacked. So the scene is divided into two parts. There is the attacker over here and there is a person who is using an Android phone. I think this one is using a Samsung Galaxy S6 or something like that. So this is quite new. So I am going to pause again. There is the Android phone over here. It has got Bluetooth which is enabled. It has got nothing to do with the laptop. The laptop basically shows that the user has no idea of what is happening on the phone. So there is a Samsung Galaxy S6, if I am not wrong, and Bluetooth is enabled again. The attacker does not have to pair with the Bluetooth device. So there is an attacker here. This exploit is available on the internet. Though it is not fully weaponized, it is available on GitHub. And the attacker tries to connect to the Bluetooth device, and soon over here, probably you are not able to see a lot, but he gets a shell on the device, and we will soon see what happens. Now he has control of the device, and we will see what the user, who has got absolutely no idea. The user has got absolutely no idea of what is happening. He will switch the device on. So we will see the device come on, and there.
So the attacker is able to wake up the device. He opens the camera because he has full control of the device. He takes a photograph of the person sitting just opposite the camera. And he does that, and he can access devices on the phone as well. So what I can basically do is, if I have my mobile in front of me, the attacker can open the camera, he can take my photograph, he can transfer the photograph from the mobile phone to his device. And there are a lot more things which the attacker can... he steals the picture from the device. Right? Apart from that, he can switch on the microphone. So you know, if you are talking with somebody, he can steal that also. He can emulate a keyboard and a mouse. Right? So he can send WhatsApp or he can send Telegram messages from your mobile as if you are doing it. So the attacker has got complete control. He can install malware on your device. You know, as I mentioned, malware can spread to other devices as well. So let me quickly finish off with the... So yeah, this is the flaw in Linux which we found, and the demo we don't have time for. There are multiple Android flaws which you have found. I think we have two or three. Oh God. It's back. Yeah. We found multiple things. On your Android phone, your Bluetooth service basically runs as com.android.bluetooth, which has got access to your file system. It has got access to your contacts. It has got access to your photographs. The attacker can even emulate the keyboard, or on your mobile phone the attacker can attack immediately, or you know, he can wait where there are other people so that he can spread. We have just seen the demo. They found other flaws as well. They found a remote code execution flaw in Apple devices. So in Apple, I think there is something called Siri Remote. I have no idea what that is, but you know, that's probably affected. They found a remote code execution flaw in Microsoft Windows as well.
So you know, if you are running a Windows operating system, you can probably do some kind of harm as well. And yeah, I think that's it. Yes. Go ahead. I have some questions. The other one is, even now the modern device has a fingerprint lock or face lock. I mean, in the demo, is the phone fingerprint locked or anything? It doesn't matter, right? So if I have full control of the Android device, I can probably bypass any of the locking mechanisms which you have. So yeah, the com.bluetooth service, it runs with full control on the Android phone. So if you have any locking, like if you have a PIN number or if you have pattern recognition or if you have face recognition, I can probably bypass any of the authentication things. And you know, even if I don't want to bypass, even if I don't want to bypass, I can still steal stuff, right? So I mean, if I don't want to unlock the phone, I can still steal. If you check your mobile phone, your mobile phone has got your photographs, your Google Maps has got where you have been in the last 10 days, your browser history has got all the websites you have visited, probably, you know, if you clicked on that small button which says save my password, it probably saved your password in some encrypted or unencrypted file. So your mobile phone has got a lot of things which are very, very important to you. Yeah, yeah. So everyone has all the security mechanisms in your phone running as code on the TPU. Yeah. The attacker can run any code they like. Yeah, because they're...
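The Linux flaw the talk describes is a stack buffer overflow reached through an unauthenticated L2CAP configuration request, i.e. an option whose declared length is not checked before it is copied into a fixed-size buffer on the kernel stack. The following is an added example, written for this page and not the kernel's or the speaker's code: a small C model of a type-length-value option parser that rejects an option whose length does not match the fixed-size destination before copying, which is the class of check whose absence produces this kind of bug. The option type value, the `efs_option` layout and the `build_request` helper are hypothetical and constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size option payload (16 bytes, no padding on common ABIs).
 * Modelled on the idea of an "extended flow spec" option; not the real layout. */
struct efs_option {
    uint8_t  id;
    uint8_t  stype;
    uint16_t msdu;
    uint32_t sdu_itime;
    uint32_t acc_lat;
    uint32_t flush_to;
};

#define OPT_TYPE_EFS 0x06  /* option type used by this model (assumed value) */

enum parse_result {
    PARSE_OK        =  0,  /* an EFS option was found and copied */
    PARSE_TRUNCATED = -1,  /* option header or value runs past the buffer */
    PARSE_BAD_LEN   = -2,  /* EFS option length != sizeof(struct efs_option) */
    PARSE_UNKNOWN   = -3   /* buffer parsed cleanly but held no EFS option */
};

/* Walk a list of options, each encoded as: type (1 byte), len (1 byte), value (len bytes).
 * The destination is a caller-owned fixed-size struct (on the stack in the kernel case),
 * so the copy must be bounded by the destination size, not by the attacker's length byte. */
int parse_options(const uint8_t *buf, size_t buflen, struct efs_option *out)
{
    size_t pos = 0;
    int found = 0;

    while (pos < buflen) {
        if (buflen - pos < 2)
            return PARSE_TRUNCATED;               /* no room for a full header */
        uint8_t type = buf[pos];
        uint8_t olen = buf[pos + 1];
        pos += 2;
        if (olen > buflen - pos)
            return PARSE_TRUNCATED;               /* value claims more bytes than present */

        if (type == OPT_TYPE_EFS) {
            /* The defensive check: the declared length must equal the destination size.
             * Copying olen bytes here without this test is the stack overflow pattern. */
            if (olen != sizeof(*out))
                return PARSE_BAD_LEN;
            memcpy(out, buf + pos, sizeof(*out));
            found = 1;
        }
        /* unknown option types are skipped by their declared length */
        pos += olen;
    }
    return found ? PARSE_OK : PARSE_UNKNOWN;
}

/* Constructed sample value bytes for the EFS option: id=1, stype=2, then filler. */
static const uint8_t sample_efs[16] = {
    0x01, 0x02, 0x34, 0x12, 0x10, 0x00, 0x00, 0x00,
    0x20, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00
};

/* Build a single EFS option with an arbitrary declared length into dst.
 * Bytes beyond the 16 sample bytes are filled with 0x41. Returns bytes written, 0 on no room. */
size_t build_request(uint8_t *dst, size_t cap, uint8_t olen)
{
    if ((size_t)olen + 2 > cap)
        return 0;
    dst[0] = OPT_TYPE_EFS;
    dst[1] = olen;
    for (size_t i = 0; i < olen; i++)
        dst[2 + i] = i < sizeof(sample_efs) ? sample_efs[i] : 0x41;
    return (size_t)olen + 2;
}

int main(void)
{
    uint8_t req[64];
    struct efs_option opt;

    size_t n = build_request(req, sizeof req, sizeof(struct efs_option));
    printf("well-formed request: %d\n", parse_options(req, n, &opt));      /* 0 */

    n = build_request(req, sizeof req, 40);
    printf("oversized option:    %d\n", parse_options(req, n, &opt));      /* -2 */

    n = build_request(req, sizeof req, sizeof(struct efs_option));
    printf("truncated buffer:    %d\n", parse_options(req, 10, &opt));     /* -1 */
    return 0;
}
```

The point of the model is the ordering of checks: the header is validated against the buffer, the value is validated against the buffer, and only then is the value compared against the fixed-size destination. Rejecting with `PARSE_BAD_LEN` rather than truncating the copy keeps the parser from silently accepting malformed requests, which is also the behaviour you want to log when auditing an implementation of your own.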