Should we start the talk now? Yeah, sure. Okay, go ahead. One, two, three... not it, damn it. All right, good morning, evening, afternoon, I don't even know what freaking day it is. Happy Tuesday! Yes, welcome to Saturday. Oh, all right. We are the Wireless Village, literally. I am Rick and he is Rick, so we are Rick, and we do shit and have fun with it. We love to give you guys the capability to play this game, to listen to the talks, and we love the fact you guys come back every year and listen to us. I wouldn't listen to us this long, so I don't know why the hell you guys have, but thank you very much for it.

Today we have a little bit something special. I guess we could say special, maybe. I feel special. I feel special too. This is a tool that has not been released yet. This is a tool that is doing things that other tools can't do, and it kind of came up under a funny story which you'll have to endure, so I'm sorry about that. You're not. So, Rick, go ahead: what's this Bluetooth stuff, other than, you know... pardon anybody from Kentucky. I didn't name that. Your King Harald Bluetooth, who ate lots of blueberries apparently. Bluetooth is a ubiquitous networking technology for people too lazy to plug in cables. And the whole slide? Yeah, and yep, yeah, that's it, that's it. Hey, it is fancy: IEEE 802.11, 802.15.1. Yeah, yeah, and there is no oversight, there is a guidance group. Cool. You missed a bunch of shit. Anyway, people can read. Can you all read? Cool, I'm not reading the slides.

Here's why we care about Bluetooth, though. Who has, on or off, a Bluetooth device on you right now? If there's anybody with your hand down, you're a liar, and if you're not, prove it. Strip search! Where's TSA in the house? Okay. Bluetooth is everywhere. It's on your watch, it's on your phone, it's on your headsets, it's on your laptops, and it's on a lot of your laptops. I mean, Jan, Joe, Bob, Jimmy, we see you. We do, and we see you from like the time you walk down the steps to the time you get here. So we like playing with Bluetooth, but we like playing with Bluetooth for really, really, really good reasons: it's everywhere and it's exploitable.

And then comes along this crazy thing: you can challenge your friends to see who gets the highest step count at DEF CON. Yay, Fitbit. Bluetooth Low Energy. Come on, be technical. Bluetooth Low Energy is a low-energy protocol for people too lazy to plug in cables. But seriously, Bluetooth Low Energy has the same transmit power as regular Bluetooth, which, you know, you'd think "low energy," obviously it's going to be weak and go less distance. Actually that's not true at all. It just has to do with how deep the power-saving cycles are, so it'll basically turn completely off, do absolutely nothing, and then wake up and send like a packet, and then shut up for like a quarter of a second, which is a really long time when you're a radio. Trust me, it is. So like four wakeups a second. It's really, really, really good power saving, and it's like... even for like five minutes, yeah, it doesn't happen. That's, sir, are, you know, a couple of days of battery life. When you're talking about some of these Bluetooth beacons and things like that, they're actually sending out a signal every... four times a second, and these batteries, on a double A, there's like two years to have a Bluetooth beacon for your marketing project. So it really is pretty low energy.

So last year, was it last year? Last year was... two years. Two years ago, yeah. Rick was up on stage on a delayed talk because of dongles. Dongles suck. God, suck. But they released the tool Blue Hydra, and we all thought, wow, Blue Hydra is absolutely awesome. Who in the room's heard of Blue Hydra? Oh, awesome, wow, there's like wireless people here in the Wireless Village. That's neat. That is neat. Blue Hydra tells you what's in the airspace like airodump does, and Blue Hydra does a really, really good job of enumerating out things. It does such a good job that it tells you the difference between Bluetooth Low Energy and Bluetooth Classic. We'll get to that in a minute, while
that's super important, but the amount of data that comes out of that is phenomenal. They did a great job on this. Now, that being said, Bluetooth has some weird quirks to it: masters and slaves, so masters and slaves, discoverable and not discoverable. Bluetooth is a really, really weird thing. I see a lot of, you know, Bluetooth security requirements which are literally Wi-Fi security requirements, but some jerk did a find-and-replace on Wi-Fi and changed it to Bluetooth. I've also seen the same with WiMAX and all kinds of other crap, but that's just not how things work. For instance, Bluetooth doesn't even transmit the whole MAC address in the air. It only transmits the last three octets of the MAC address; that's the last half. And when you have Wi-Fi, for example, you have a BSSID for the access point, you have the transmitting BSS, the transmitting MAC address, which is, you know, either the client or the access point depending on direction, and then you have the receiver, which again is client or access point depending on direction. You have three MAC addresses at least in every single packet, full MAC addresses, unencrypted, all the time. Bluetooth: there's one half of one MAC address for a communications group. So you can have multiple devices talking to your phone and they'll all basically share half of a MAC address, and the only way they know who's talking to who is because they are not the one transmitting, so it must be to them. It's a really, really frustrating protocol because of things like that. So building Blue Hydra was entertaining. When you're looking for raw monitoring of things, Ubertooth is a really great tool, but there are limitations to Bluetooth that a lot of people just don't know about. So that's my favorite one. It's lots of fun.

So we asked the question last year: how many people in the room do RF or wireless pen testing as all of or part of their daily job? Okay, seven people out of... I can't count that high. That's not very many. But for the people that do that, Bluetooth is a pain in the ass, because you can't track things as properly as you'd like to. Because if I'm trying to follow the CEO home and I want to know where he lives or what he's doing or how he's doing it, I have massive options of doing it, except his phone's not pairing, his phone's not trying to pair, and all I have is a master or slave. I don't know which it is, I don't know if it's him or her. So that's a big problem. So flip that to security, from defense: you have a better opportunity of not getting caught with Bluetooth, prior to today, than you would with your wireless radios. And everybody knows why I should turn my wireless off, but as soon as you get on a plane, get on a train, get in a cab, you turn on your wire... you turn on your Bluetooth, you put your headphones in your ears, you start talking to somebody, because, you know, wires are so, you know, 2017 and get you tangled. I don't like it. You need to have the ability to be, you know, mobile and walking around, and/or just, you know, looking cool. Walk through San Francisco, everybody has these new... these weird earrings. They're white, they kind of stick down a little bit, they kind of dangle, they're really cute, but they're also Bluetooth, and Bluetooth is very difficult to track. Sort of. Talk about the hardware. It was very difficult to talk about different hardware? Yeah, cool.

So Bluetooth is great. Again, comparing it to Wi-Fi: with Wi-Fi you just take a card and you get it a good driver, and then you flip it in monitor mode and you monitor everything, and it gives you full packet headers that are unencrypted all the time, and that's awesome. The target price for a Bluetooth radio is five cents, and because of that they're very, very, very minimal. They're very low power, they're very weak, they're very crappy, and things like monitor mode just basically don't exist. So you end up getting a Bluetooth sniffer. In this case this is an Ubertooth One from Great Scott Gadgets. It's a great little device for finding classic-mode devices, and a whole bunch of Bluetooth
Low Energy stuff in the latest release has been vastly improved. So these are really great for monitor mode, but as it turns out they're not Bluetooth dongles at all. They don't actually support using them as regular Bluetooth devices. So to interact with a Bluetooth device you still need a Bluetooth device. So if you want to poll something and say "what's your name?" or "tell me about yourself, what firmware revision are you?", you still need a real Bluetooth dongle. So Blue Hydra specifically pairs these two things together to find the most devices and to extract the most information from those devices. How much do those two devices cost? Yeah, so this, not being five cents like the one built into most laptops, this is a Sena UD100, and these are about fifty or sixty dollars depending on where you buy them. The Ubertooth Ones I think are like a hundred bucks or something, so yeah, something in that general vicinity, a hundred, a hundred twenty. These are definitely available in the vendor area. I have no idea if the Senas are, but these are really decent devices, and again, they're like a hundred bucks-ish. But that's expensive, and not everybody has a budget for hundred-dollar pieces of equipment that sit on your shelf.

So again, real quick, for those that have it: Blue Hydra. You type in blue_hydra into Pentoo or another device that you have added Blue Hydra onto, which I think there's good instructions for Kali because, you know... yeah, there are good install instructions for Kali because the developer's a nice guy, and it breaks it down for you. So it gives you Classic, it gives you Classic 4.0, Bluetooth Low Energy and Low Energy 4.1. It gives you the ability to see the difference between the types of radios that you're dealing with. Blue Hydra's cool, and it's cool enough that we're going to say, hey, let's show you guys, for those of you who haven't seen Blue Hydra yet. I love live demos because they always fail. Yeah, speakers suck, get them out of the way. This is always fun. Let's see... yeah, you can. Did I type it right? Yay, okay.

So there's that screen you just saw. They give you a really nice output: here's how it works, here's what it does, here's what's important about it. And you run it, and when you run it, it starts to enumerate all of the Bluetooth that you're going to see. It also gives names. Anybody see their device up there? Don't be embarrassed, they're all up there, it's okay, it really is. Yeah, and it just shows you. Now what's really cool, if we watch this for a second or two, and I'm trying to see it from here: when an Apple device shows up it actually enumerates those names. Wow, that's pretty neat. But this is just giving us enumeration. It gives us a little bit of a distance vector, gives us a little bit of a power vector. Rick, why don't you explain RSSI, received signal strength indicator? Yes, that one. This is actually more like signal level, kind of, yeah. So this is basically telling you about how far away something is based on the signal strength. So the signal strength is typically a negative number, which is going to tell you how strong it is coming in. So negative 100 being really, really weak, negative 40 being pretty decent, and everywhere in between. Negative numbers work exactly the way they should when you learn them in like second-grade math class. So negative 40 is good, negative 100 is bad. It's not hard.

All right, so we've got some capabilities here. We have some enumeration, we have the ability to see things. Problem is, I'm wearing a Bluetooth device. The Apple Watch happens to be one of the least talkative devices that exist out there, so when I hold this near where the Bluetooth is, it's not popping up, it's not showing you anything on the screen. So let's see if this works. Yeah, it worked. So Blue Hydra, with the fox hunt, we have the ability to speed that system up a little bit. So those of you that are playing: blue_hydra --no-info. No-info gives you the ability to see things with a much faster refresh rate. That faster refresh rate gives you better fidelity
on the targets you're looking for. It also gives you better signal-to-noise ratio in terms of what you see on the screen versus what you're in bounds of. In most cases it's a 300-second timeout. In most cases the problem is that it goes and it takes time out to interrogate each device that it sees. So let's say you're running through the casino chasing people. You're going to pick up a bunch of devices, be nowhere near them, and then try to info-scan all of them, which takes huge amounts of time out of your discovery window. So no-info just says don't info-scan anybody, just keep discovering all the time, so we get much better fidelity. So we do that. Whoo, can I type blind? Maybe. Yes. Much, much, much faster scanning. They stay green longer because they've been seen sooner, and it keeps rolling through.

Now as you watch through this, this is literally the Bluetooth devices that are in this area that this internal radio inside my laptop is looking for. Not using the UD100, not using the Ubertooth, which by the way is an amazing tool, it does give you better fidelity, but I can do all this sitting down with my laptop, nothing else. This is the crappy XPS 13 that Rick was talking about with the Qualcomm chip burned into it. This is the internal radio on a regular Dell XPS, so it's not giving you amazing performance, but it is giving you some really interesting information. Now occasionally, if you watch this range, and I saw one come through, so maybe it'll come back again, it's going to give the range of a device based on how far it thinks it is, based on a predefined... you are a UI... brilliance on the developer's part. Rick, in a grimlock rano locks, whatever weird name, noob. Anyway, there you go: 0.89 meters, 15.85 meters. Who is "blue niga"? That's not the name. The BlueGiga, that's the test flag, that's one of ours. And of course one of ours too, and it's 15 meters away. See, Eric? Eric, raise your hand. 15.85 meters. It's sitting where Eric's sitting. That's about 45 feet, yeah, give or take. Not too bad. So it does a really good job of that.

Now this is helpful, but it's not quick fidelity. It's not "I want to track you, I want to track you." This gives us the ability to just kind of see things. That'll screw it up for the next time. We do have the ability, with that, to... box mode. Change your own damn slides. There you go, there you go. So, filters. All right, so neat idea, yeah. We started running Blue Hydra in the wireless capture the flag, and the real problem is most people were actually building like little Raspberry Pis with like five-inch screens and battery packs, and nine lines of text or ten lines of text on their display, otherwise it was unreadable. And we realized that it sees an enormous number of devices because everyone turns on their Bluetooth and nobody turns it off, and thanks, Apple. So when you're trying to track a specific device it became nearly worthless. So I added in the filtering ability so that you could, just on the UI side, filter out. So it's still tracking everything in the background, but I want to filter for this device. And it has a couple of modes. One mode is called highlight, where I'll just highlight it on the screen. The other mode is called exclusive, where it's only going to show you the things that you're filtering for. There's an example of filtering my MAC address here. There's an example of filtering for proximity UUID, major and minor number, which are our Bluetooth Low Energy iBeacon. That would be helpful for the hide and seek, I think, for the Bluetooth. That might be helpful for the hard hide and seek, especially the hard hide and seek that hasn't been found yet. That's correct, yes, that one hasn't been found yet. Okay, just checking. Yeah, so those... yes, probably a lot of points to those. Those features were built specifically for fox hunting and finding things, or if you wanted to track, for example: I know every time my mother-in-law pulls into the driveway because I've got a little screen running Blue Hydra and she's set in the filter list, and before she knocks on the door
I know that I'm not home. All right, so now you have the backstory. So I was driving down the road, because my kids swim and I drive down the road a lot. Nice car though, so it's okay. Yeah. And I was thinking of things, and, you know, as you do when you're driving down the road, I called Rick and I said, hey, listen, I'm going to train some folks that need to find people, and they're going to track things and they're going to do things, it's really, really neat, blah blah blah. What if we were able to say, hmm, track a Bluetooth device that was not active, that was just sitting in somebody's pocket? That's like crazy talk, because, you know, if Bluetooth is in... connecting, it's not beaconing, it's not trying to talk to anybody, it's not being loud, it's just sitting there on the device. Most people are pretty okay with their Bluetooth device in their pocket. Who turns Bluetooth off when they leave their house, for real? Every time you leave your house you turn Bluetooth off? No, no, hold on, wait, ask this question in reverse: what the hell do you use Bluetooth for at your house? Seriously. I mean, I use my headset when I'm on the road, not when I'm sitting at my desk. I use my watch so that I don't miss phone calls when I'm, like, out and about doing things like this. I can be like, oh, that one's not important. Yeah, like, what do you use Bluetooth for at home? No one? Okay, cool, that's what I thought. Yeah, so speakers. Speakers. Get wired speakers at home. They sound... but you don't bring the speakers with you. Oh man. All right.

So, sometime on the road, I said, hey, can we do this? He goes, nope. Yep. Well, hope. It was a weird conversation. It was a whole lot of us both saying like one word. Maybe, I don't know why. So there's this thing called layer 2. Layer 2 is an interesting protocol set. Go ahead. Layer 2 is all I'm good at. Definitely read my code, you'll know that I'm telling the truth. I can't do that, but layer 2 I understand. So Bluetooth is a really fabulous spec, yeah. Layer 2 is really, really open, so there's this thing called an l2ping, which is basically like our ping would be, which is, you know, here's a MAC address, ping it, and it just responds to anybody all the time no matter what. So once you know somebody's Bluetooth MAC address you can just kind of ping it and they will respond to you all the time, or ping-flood them and slowly drain their battery. So the very last line on this: BD address, BD_ADDR. l2ping is on almost all your Linux boxes. You can run l2ping, you can ping things. Okay, neat. So now we can ping something. Cool, big deal. So we decided to use layer 2 to our advantage, and I said, Rick, you can do something with this, and about an hour and a half later he called me back.

Yeah, so Blue Sonar is special in a lot of ways. The MAC address issues I was talking about earlier come into full force here. If you're sniffing and you catch a Bluetooth address, you only get the last three octets. The Ubertooth tools have the ability to discover the fourth octet. So the Bluetooth address is divided up into three sections: the network address part, which is the first two, which are used for crypto exclusively; then there's the upper address part, which is one octet; and then there's the last three octets, which is called the lower address part. The lower address part you get for free. The Ubertooth tools actually can recover, if there's a decent amount of data, the upper address part. What's really cool is that that is all the device cares about. You can ping ZZ:ZZ:correct-MAC-address and it will respond. You can ping FF:FF:correct-MAC-address and it will respond. It does not care at all about those first two. They're not used in any communications that aren't encrypted, l2pings being completely unencrypted. So with the Ubertooth, or with a device that was once in discoverable mode that we have caught and captured that MAC address, we have enough of the MAC address to ping you forever, and we'll be able to tell if you come back in range. The most fun part of that is I can say something silly like, do you
know what your Bluetooth MAC address is? And half the people here in the next hour are going to look at their phone and try to figure that out. And when you open up the Bluetooth menu, you're discoverable that whole time, you know, because what would you do if you couldn't get a device to pair? You'd open the Bluetooth settings, so it's going to automatically set it to discoverable mode for you. Or maybe you're just going to reboot your phone, because it's like Windows 95 and reboots fix everything. Well, that turns your Bluetooth into discoverable mode as well. What about when you're on the airplane and you turn it off, because, well, I guess you're living two years ago when they told you you had to turn it off? But when you turn it back on, you're in discoverable mode again, because, you know, that's when things pair. So obviously you need to be in discoverable mode because you turned on your Bluetooth. So it's pretty easy to capture it. Once you capture it... oh my God, don't touch that. Thank you, it was humming really bad. You didn't hear that? You're old.

All right, so again, I'm driving down the road, get to where I'm going, he calls me up because, hey, try this. So I said, huh, okay, I'll try the code you just sent me, just blindly, because that's fun. So we have the old version of Blue Sonar. This is pinging a watch that happens to be on my wrist. So if I put it close, you notice, if you look really, really, really closely, the RSSI return value is zero. Yeah, it's not on the screen, it's on my screen, I can see. What's the problem? You can't see his screen? Come on, come up here. That's even funnier. Where's my damn mouse? Sorry, it's his first time presenting, is this hour... there we go. All right, cool. So see that RSSI return value? It's like zero. Now it's like seven, ten, twenty-one as it's moving away. Okay, we're now tracking a non-beaconing device. But that view sucks, and it's really slow, and we don't really like it. But I wrote it in like 20 minutes, which isn't bad, but, you know, could be better. I proved it worked. So it was tough to read, it's hard to track, so therefore I said, hey, let's do some other shit. Russ jumped in and said, hey, what if you do this? I get this: hey, call me back in 20 minutes. Cool. So stop the one. Yeah, nothing. Sideways sucks. Yeah, mirrored screens are nice. You should try it sometime. Should. All right, so in comes the new version. Well, look at that. We come back, moves away, red line gets bigger, red line gets smaller. Make the window full screen. I am. Yeah, projector resolution. Who... make it bigger, close this, let's say close somewhere. I can't see upside down and close the window from here. There we go. There we go. So my watch is close to where my Bluetooth radio is, and when it moves away, and when it gets closer... and this is the peak of my graphical user development. I hope you all like this GUI.

But what we see with this is very important, and I would like to put Majestic 12 on the spot, because they actually were the first to use this tool, and in about, what, three or four hours they found a completely standard Samsung Galaxy S, I don't know, seven or something, not connected, not open, locked, sitting on a desk, or was it on somebody? I don't even know where it was, but it was at the info booth. There we go. Somebody's didn't go very far, good for him. They were able to track this in all of this space by bottlenecking and/or doing whatever tactics they do, because they're actually really good at fox hunting, and we applaud them, and they'll probably give a talk next year on it. But that being said, think about the possibilities of sitting outside of a parking lot, sitting outside of a building, sitting near a neighborhood, and waiting for something or someone to come into play. Now, by saying something: this is a car's Bluetooth, this is a watch, this is a phone. This is roughly what we've been seeing: roughly 15, 20 to 30 meters with internal radios. So completely not looking like a hacker with wires and antennas and all that crap, literally the internal radio on these devices beaconing this information back to you. Now
how do you get the MAC address, you say? Huh, interesting. Was anybody here for Wasabi and Rick's talk earlier, where they talked about enumeration, discovery, and all that kind of fun stuff, like the building blocks of what we actually do? I was, yeah, I was here too, and I listened. It was good. But when you do discovery... when do you do discovery? You do it in the morning, you do it at night, you do it at lunch, you do it at the coffee shop, you do it on the airplane, you do it on the train, all places where people are connecting and disconnecting from things and looking at their phones. Who rides a train occasionally, subway or train? You ever see anybody's face? You see the tops of their heads; they're on their phones, right? Those headphones, they're on their phones. Most people nowadays, it's cool to not have wires coming out of their headphones. Well, because of that, at some point they have to pair, at some point they have to open things. I pick up so many things. The reason that I asked for this tool to exist: I was sitting in a coffee shop waiting for my wife to get finished doing something. You know, the owner of my company, so it was probably important. Your boss. Let's just go with your boss. There we go. And this guy walks in. Well, the guy happened to be the guy running for governor for the state of Maryland. He happened to have a Tesla. How do I know this? Because he was beaconing "blah blah Tesla." He had a Bluetooth device that was called "blah blah's iPhone," and he had on that laptop with him that was called "blah blah's Mac" or "blah blah's whatever." That being said, I went up to him and I said, sir, you realize I know who you are, where you are, when you are and why you are and what you're doing? And he looked at me kind of cock-eyed, and I was like, here's this, here's this, here's this, and I'm guessing your license plate is this. And he goes, are you stalking me? I said, no, you just gave me all that information by walking into Starbucks. I happened to look outside; there were two Teslas in the parking lot, one happened to say "blah blah for governor." Tough guess, right? And after all this, all he got was a button that says "vote blah blah." I did, I got the button. And I didn't. But anyway, there is a real problem here, folks, and the real problem is the fact that all these devices are made for our convenience, but they're all beaconing, they're all yelling, they're all screaming.

For years the Wireless Village, prior known as the Wi-Fi Village, thank you Mr. Kelly in the back, by the way. John Kelly, raise your hand. John actually started this shit like a billion years ago, and I took it from him because he got too lazy to run it anymore, or too successful, not sure which, and he was too smart to run it anymore. But this all kind of started with him, so, you know, hey, thanks John. See, slowly back out the door. But we were all worried about Wi-Fi: turn off your Wi-Fi radios, turn off this, turn off this. We're here to say, guys, if you have Bluetooth, it exists and we can find it. So you're saying, hey, this sucks, I've turned all my shit off. Now you don't, because we're the Wireless Village and we care. So the defense against this, and we're still working on it a little bit, but the defense against this is to actually attack yourself with the same attack. If you've got enough devices pinging your device, it doesn't allow other devices to ping it. Now I have some ideas why. I actually can... I can explain this one now, finally. Good posited this to me like three days ago and I'm like, fuck, I don't know. And yeah, turns out Android specifically, I know, has a default now where it can only connect to five devices at once, but you can change that default to only connect to four, three, two or one. So if, for example, I'm the kind of idiot that has to have a watch and extra radios that connect via radio to me, I can set my phone to only connect to two Bluetooth devices at once, and then, as long as I turn off my goTenna before I try to use my headset, I'm good to go, and I'm completely immune to somebody pinging me to death. So yeah,
thanks for adding that, Android 9, Google, or Alphabet Corp, or whoever you are now. But thank you. Again, this isn't an ideal situation, but neither is being able to be tracked. So if you've got clients that you don't want to be tracked, building a little Raspberry Pi setup, Pi W even, that just runs a script when it boots that pings their phone with two or three terminals, one or two radios, you're actually doing okay to block against this. It's not ideal, but again, like I said, neither is this attack and neither is this tracking. You see how effective it is. It is within feet that you can get to someone if you're really looking hard. That's kind of creepy.

Now, let's write "security," because, you know, we have to write slides. But let's talk real world here. Let's say you've got a target. Pen test, assist, you know, you're an assassin, I don't care what you do, but you've got a target inside of a building, and you know... you don't know who that target is, but you know that they have a phone. You get 15 or 20 phones, you got a picture and that's all you got. Well, you wait till they come out, you wait for that to start pinging. You've got, you know, four or five different people that may have come out at the same time, to know who that is. You can then pick up additional digital information about these people. Law enforcement, military, counter-surveillance, any type of security work. Who does security work in here? Which means you're probably protecting something, or you're the adversary, you're attacking something. There's two sides to this story. We want to make sure we're covering both, because, shit, we do both things. We're in the black world, we're in the white world, we're in both. But in doing so we want to make sure everybody's well aware: this sucks. This really sucks. I was thrilled to do it, but then when it started it's like, shit, now we got to figure out a way to talk to people about how this works. So finding and tracking is a big deal when it makes sense. You know, they already did it. These folks literally... we told them there was a tool called Blue Sonar, they used it, they found that phone relatively quickly. So they had to go to GitHub and install it on Kali all by themselves too. That was pretty impressive, yeah. Now, plug, quick plug: it's already in Pentoo. If you download Pentoo it's already there. You type sudo blue sonar, you've got it. All you need is the MAC address. MAC address is the harder thing, but we showed with Hydra and with other Bluetooth tools you can get that data. Wireshark will get that data with Ubertooth beautifully, with a socket. There's a lot of ways to get this data, but understand you're very vulnerable to it. For the fox hunters out there, this is a really cool tool to get you a lot of points this weekend. For those of you that are doing security, this is a tool that could go a long way, at a minimum, in showing the people that you're trying to protect: hey, turn your shit off if you don't need it. We've been talking about turning stuff off if you don't need it for years. Here's another good reason to show why.

I want to do another plug. This is not even a pet project. This is some garbage BS that I wrote as a PoC because Rick said, I wonder if this is possible, and I said, I'm pretty sure it is, let's find out together. Try things. Try things and then put them up places for other people to try them and be entertained by it. I maintain that my code is good enough that a real coder can look at it and say, oh, is that what she wanted? And then they go in there, take the tool, and they rewrite it and they make it way better than I ever could. But the point is, this stuff's not hard. l2ping is just built into Linux, and I've got a shitty shell script that's parsing the output from it and polling for RSSI, like, yay, threaded bash scripts. This is not impressive, this is not cool. The impressive part is that it actually worked, and it's kind of neat, because nobody else wrote like 20 minutes worth of shell to do this particular thing before, and so it
turns out to be really useful. But these are the kinds of things that you do for fun, and you check to see if it worked, and then it works, and then you talk about it on stage. But really, I want to stress just how silly this was. I mean, this was literally a phone call between him and I after my kids went to bed, while he was driving home from a swim meet, like, this is... okay, I guess we're weird, but this is what we discussed on the phone, and, you know, yeah, then I wrote 20 minutes of shell script and made the first version of this. So please do things, try them, put them on GitHub even if you think they suck. My code all sucks. Lots of it's on GitHub. Like half, maybe more of those people are running a bunch of my code as root, I don't know why, but they are, and they all trust me. So, I don't know, at least if you're on my distro you trust me, but like the guys running my shit on Kali, I'm going to add a uname check in there next. I didn't say that. Anyway, so, you got any questions?

Yeah, so in Android 9... the question was, where is the setting to limit the number of Bluetooth devices in Android 9? It is an option under developer settings, just regular developer settings, no, like, rooting or anything weird like that.

Yeah, so the question is, what about privacy when the MAC address is constantly changing? And the answer is, what world do you live in? LE privacy extensions are a bitch, and this is a classic-mode tool where none of the MAC addresses ever change like that, because the protocols don't support it. Bluetooth Low Energy, for the most part, also doesn't implement that yet. A lot of tools, headphones and things like that, don't implement the MAC address privacy. Very, very, very few devices do. One of the exceptions being the Bluetooth Low Energy on Apple Watches actually seems to implement it, and a couple of the marketing beacons that I've seen implement it, basically so you can't spoof their marketing campaign, which is like the coolest thing I've ever seen come out of a marketing product: random MAC addresses four times a second. Not that we would be using anything like that for our challenges. But that being said, there are... the proximity UUID doesn't change, so in a lot of cases there are other things that are there. The MAC address doesn't, but other things don't... Blue Hydra implements all that, it pulls it all out for you, so even if it is changing, hand-to-hand on the hide and seek Bluetooth you can find it by proximity UUID.

So the question is, what are the packets? And the answer is, it's a packet literally called l2ping for Bluetooth, so it would be equivalent to an ARP ping if you're talking about, like, a TCP/IP network. It's just a layer 2 ping, MAC address to MAC address. That's all it does. It's just really, really simple. It literally creates an unencrypted connection between you and the device. It says "yo" and you say "yo" and, okay, cool, RSSI. And it's phenomenal security on Bluetooth, because there's all kinds of Bluetooth IDSes and Bluetooth monitors and Bluetooth, you know, SIEM implementations. No. You've been drinking too much. I have, yes. Oh, question, sorry, next question. Oh, go ahead, Woody.

Yeah, so the question is, when you're using Blue Sonar, are you passive or active? Active. You are totally active. You are sending a ping, you are getting a response. Again, who here has a Bluetooth IDS? Yep, that's the number of hands that should go up. This is not something that's reported to you by the phone. If you remember, like a million years ago, when they first started implementing, like, the really nasty harassment over Bluetooth in, like, football stadiums and stuff, you'd get, like, a pairing request. You don't get any of that. It's completely invisible to the user. It's an unencrypted connection, no pairing, and it just sends a ping back and forth and then disconnects, or in my case I keep the connection open. But it's dead silent to the user. But it is absolutely being transmitted, and we haven't noticed a whole lot of battery degradation on it either, unless you totally flood
it second row are there legitimate devices that are using a constant ping over Bluetooth lacking a Bluetooth IDS system of my own I legitimately have no idea I don't think that makes any sense I think that this is you know there are uses for this but I don't think anything would be doing like a constant ping like I'm doing so yeah like three or four pings inside of a minute would probably be a dead giveaway for a tool like this so if anyone's writing a Bluetooth IDS there's your first rule first row so how fast can you send the packets is the question I've got a basically a sleep in there to control like okay I want to do for a second or I want to do one a second or whatever L2 ping has a dash F flood ping option which will send them really really fast the difference being that's going to hit one MAC address at a time the MAC address space is huge so if you were to rewrite that tool to ping a different MAC address every time in flood mode I slow really slow you you could legitimately ping every address in the airspace the problem is it would take years there's there's actually a tool out there called Red Fang I believe that does brute forcing of Bluetooth MAC addresses and the chances of finding one is approximately winning the lottery yeah that finding something with an uber tooth or whatnot is much more reliable much more reliable it's four bytes that you have to find to successfully ping something you know the mania so what if you know the manufacturer so trying to limit the space the manufacturer is actually the part that's cut off and doesn't matter for the most part so limiting the address space is really really hard yeah it's it's definitely a tough thing in the back what does the specification say about L2 ping handling I have no idea we have tested this against any number of phones watches headsets and the reliability seems extremely high some things do go to sleep after a while having nothing to do with this like if it's a pair of cheap headphones or good 
headphones sometimes they'll say I'm not connected to a phone and they'll kind of go into a really low power mode where they don't respond to these pings but I'll go to sleep in about 20 minutes yeah by and large they will respond assuming they're responding to anything and everything new is stays up forever yeah have I used blue hydra with BLE what with the Adafruit tool oh with the Adafruit tool no no I have not and it wasn't really written to do that wasn't well so so the Adafruit blue tooth sniffer is a Bluetooth low energy sniffer similar to an uber tooth one I have an uber tooth one quite a few of them honestly and so I used what I had sitting at my desk we also I was developing it for a customer who wanted to use uber tooth one so that that's what I did there's no reason that it couldn't be added to blue hydra to support an Adafruit tool right now I'm actually not doing any passive blue tooth low energy stuff at all in blue hydra because blue BTLE is pretty chatty to start with I want to add that but and then I go and write 20 line shell scripts that turn into talks at DEF CON so I'll get there honest or I will accept your pull request one of those two yeah glasses so Bluetooth low energy isn't it's low power is in the CPU can power down for long periods of time the radio can power down for long periods of time without you know breaking the connection or breaking whatever it's doing the actual like transmit power is roughly the same it's class one class two class three they're not like weaker they're not shorter range it's talking about the sleep cycles in the power down states that they're able to maintain and that's what makes it Bluetooth smart or Bluetooth low energy will tell you Bluetooth for the one thing that scares me a bit about Bluetooth I just threw this back up if I get your bs's ID is the number of you that didn't turn off your Bluetooth yeah I get you buy get your wireless bs's ID your MAC address I have a MAC address I know by OU I look up 
that it might be a Delaware and Apple or a you know Huawei with this I'm looking at you guys I I mean I'm literally pulling your name your phone your Fitbit your information and unfortunately I haven't found a way and I'm sure there may be a way in the underlying in the underlying capabilities but watches I have a Samsung S3 I've got the Apple watch I've got a couple you can't change the name it's based on the user name of the account that you set it up with so Rick's Apple watch comes up whenever Rick's Apple watches around and that bugs the crap out of me because of exactly this screen this is a security conference now granted I don't think we're supposed to use the term muggles anymore there's a lot of muggles here that have no idea what security is and they're here because it's really cool to be at Defcon tourists tourists muggles whatever you want to call them but that being said there's a lot of shit going up on the up going up on that screen that's extremely personal information that scares me a hell of a lot more than a bs this idea of you knowing I have a Dell laptop yeah me and forty five other people in the room yeah the database on this tool is pretty fun too but this isn't a blue hydro talk yeah right so the the question is because a lot of phones have sequential MAC addresses across Bluetooth and Wi-Fi could you use that to figure out things and the answer is hell yes and the answer is I've been begging for somebody who can actually code to make that a kismet plugin for a long time because kismet actually can see the Wi-Fi stuff and then it can see the Bluetooth stuff but it's only going to see like what's in discoverable mode and whatnot but if you wrote a tool that literally saw okay Wi-Fi MAC address this is a client device I'm gonna ping one up and one down just for the sake of argument and see if I find a Bluetooth device that's a totally legitimate thing to do and it's great the one caveat there is the MAC addresses for Wi-Fi are kind of 
starting to get random this isn't a Wi-Fi talk but that is a thing right now everyone everyone everyone I don't care what your marketing department says crapple is bad at this okay Apple specifically adds an extra element to each one of their packets that has a randomized MAC address that tells you what the original MAC address was good fucking design and Android has this supported except for it also has to be supported by the chipset and almost none of them are I think last time somebody did a poll of which Android phone support it was the answer was like one so we're slowly moving towards that actually if you want it Windows 10 and network manager in Linux do a great job of randomizing the MAC address and that is the exhaustive list so be embarrassed because Windows beat us to the punch on good security actually seriously that's that's pretty cool but yeah you can if you catch a legitimate MAC address do the one up one down thing it's getting harder but it is definitely still a thing second row is that the last octet usually the last octet is the one that is changing again not every phone has exactly serialized MAC addresses some of them have completely different ones a lot of companies just don't reburn the MAC addresses Apple for a long time was famous for reburning them to be serialized and apparently the new ones aren't so you know what's what you're going to get out of that may or may not be amazing but it's still a whole lot better than not trying as this tool proves try don't don't just say it's not possible try sometimes you come up with something that's crap it's funny try there is no try do do and see if it works if you want to play with these tools please feel free to do so install pen to and what's the past phrase to the open network for the CTF it's down if it were up what would it be it's down the past phrase is install pen to maybe the neck the knock team can help me set it up again I don't know I'm pretty stupid I am it's true well thank you for 
sitting through our drabel appreciate it