Bluetooth Hacking

  • Published : July 19, 2011
Hacking Bluetooth enabled mobile phones and beyond – Full Disclosure
Adam Laurie, Marcel Holtmann, Martin Herfurt

21C3: The Usual Suspects
21st Chaos Communication Congress
December 27th to 29th, 2004
Berliner Congress Center, Berlin, Germany
Bluetooth Hacking – Full Disclosure @ 21C3

Who we are

Adam Laurie
  – CSO of The Bunker Secure Hosting Ltd.
  – Co-Maintainer of Apache-SSL
  – DEFCON Staff/Organiser

Marcel Holtmann
  – Maintainer and core developer of the Linux Bluetooth Stack BlueZ

Martin Herfurt
  – Security Researcher
  – Founder of trifinite.org

Outline (1)
● Bluetooth Introduction
● History
● Technology Overview
● The BlueSnarf Attack
● The HeloMoto Attack
● The BlueBug Attack
● Bluetooone
● Long-Distance Attacking


Outline (2)
● Blooover
● Blueprinting
● DOS Attacks
● Sniffing Bluetooth with hcidump
● Conclusions – Lessons taught
● Feedback / Discussion


Bluetooth Introduction (1)
● Wire replacement technology
● Low power
● Short range 10m - 100m
● 2.4 GHz
● 1 Mb/s data rate


Bluetooth Introduction (2)
● Bluetooth SIG
  – Trade Association
  – Founded 1998
  – Owns & Licenses IP
  – Individual membership free
  – Promoter members: Agere, Ericsson, IBM, Intel, Microsoft, Motorola, Nokia and Toshiba
  – Consumer: http://www.bluetooth.com
  – Technical: http://www.bluetooth.org


History (1)
● Bluejacking
  – Early adopters abuse 'Name' field to send message
  – Now more commonly send 'Business Card' with message via OBEX
● 'Toothing' - Casual sexual liaisons




History (2)
● Bluesnarfing
● First publicised by Marcel Holtmann, October 2003
  – Wireless Technologies Congress, Sindelfingen, Germany
● Adam Laurie, A L Digital, November 2003
  – Bugtraq, Full Disclosure
  – Houses of Parliament
  – London Underground
● 'Snarf' - networking slang for 'unauthorised copy'


History (3)
● Bluesnarfing
● Data Theft
  – Calendar
    ● Appointments
    ● Images
  – Phone Book
    ● Names, Addresses, Numbers
    ● PINs and other codes
    ● Images


History (4)
● Bluebugging
● First publicised by Martin Herfurt, March 2004
  – CeBIT Hanover
● Bluebug
  – Create unauthorised connection to serial profile
  – Full access to AT command set
  – Read/Write access to SMS store
  – Read/Write access to Phone Book


History (5)
● Full Disclosure after 13 months
  – More time for manufacturers to fix
    ● Embedded devices
    ● New process for telecom industry
  – Nokia claims to have fixed all vulnerable devices
    ● Firmware updates available
    ● 6310i tested OK
  – Motorola committed to fix known vulnerabilities
  – Sony Ericsson publicly stated “all problems fixed”


Bluetooth Technology
● Data and voice transmission
  – ACL data connections
  – SCO and eSCO voice channels
● Symmetric and asymmetric connections
● Frequency hopping
  – ISM band at 2.4 GHz
  – 79 channels
  – 1600 hops per second
  – Multi-Slot packets


Bluetooth Piconet
● Bluetooth devices create a piconet
  – One master per piconet
  – Up to seven active slaves
  – Over 200 passive members are possible
  – Master sets the hopping sequence
  – Transfer rates of 721 Kbit/sec
● Bluetooth 1.2 and EDR (aka 2.0)
  – Adaptive Frequency Hopping
  – Transfer rates up to 2.1 Mbit/sec


Bluetooth Scatternet
● Connected piconets create a scatternet
  – Master in one and slave in another piconet
  – Slave in two different piconets
  – Only master...