
Beginning with IoT pen-testing [BLE Version]



null Singapore January 29th meetup presentation


null Singapore

January 29, 2020


Transcript

  1. BLE
     - One of the most common communication channels in the IoT ecosystem: smart homes, alarm systems, door locks, medical devices etc.
     - Bluetooth Smart/BLE is used for low-resource-consumption devices (the specs include running on a single coin-cell battery for months or years).
     - Two types of channels: 37 data channels and 3 advertisement (broadcast) channels.
  2. BLE connection
     ⦿ Two components: the peripheral device (broadcaster) and the central device (smartphone).
     ⦿ The PD broadcasts advertisement packets at regular intervals while the CD scans for advertisements.
     ⦿ The CD sends a connection request and then scans the peripheral for available services.
     ⦿ The CD exchanges information using read/write/notify requests.
  3. BLE profiles (https://www.bluetooth.com/)
     ⦿ Generic Access Profile (GAP)
     ⦿ GAP is responsible for connections and advertising in BLE. It controls the visibility of a device to the external world and plays a major role in determining how the device interacts with other devices. Two concepts are integral to GAP:
        Peripheral devices: small, low-energy devices that connect to more complex, more powerful central devices. A heart rate monitor is an example of a peripheral device.
        Central devices: mostly cell phones or gadgets with more memory and processing power.
     ⦿ Generic Attribute Protocol (GATT)
     ⦿ Using a generic data protocol known as the Attribute Protocol, GATT determines how two BLE devices exchange data with each other using two concepts:
        • Services
        • Characteristics
        Services: a service can have many characteristics. Each service is unique, with a universally unique identifier (UUID) that is either 16 bits in size for officially adopted services or 128 bits for custom services.
        Characteristics: characteristics are the most fundamental concept within a GATT transaction. A characteristic contains a single data point and, like a service, has its own UUID that distinguishes it from other characteristics. Example: HRM sensor data from health bands.
  4. BLE vulnerabilities
     ⦿ Data transmitted in clear text can be sniffed.
     ⦿ hcidump can be used to dump all the communication between the mobile and the Bluetooth chip.
     ⦿ Advertisement spoofing leading to DoS: the device is not able to scan the cloned device for services, or the services don't respond.
     ⦿ Replay attacks
     ⦿ MITM
     ⦿ Services available without authentication
     ⦿ Cloning the device
  5. BLE vulnerabilities
     ⦿ Fitbit case study
     ⦿ Unencrypted communication between app and device over Bluetooth.
     ⦿ Can be sniffed, and plaintext can be recovered.
     ⦿ Common vulnerabilities in most IoT devices and medical devices (insulin pumps)
     ⦿ Smart locks and alarm systems
  6. Pairing modes
     ⦿ No auth: TK set to 000000 (all zero)
     ⦿ 6-digit passkey: 0-999999 [possible brute force]
     ⦿ Out-of-band authentication: still not widely used.
     ⦿ TK: temporary key/passcode
     ⦿ LTK: when authentication is successful, the two devices compute the LTK, which is used for link encryption. This is the final piece of the puzzle for pairing and reconnection: within the different association models, it authenticates the peer device and prevents Man in the Middle (MITM) attacks.
     ⦿ STK: the STK is generated with the key generation function, which takes Srand, Mrand and TK as input.
     ⦿ TK > STK > LTK
  7. Pentest LAB
     ⦿ Hardware: Ubertooth, CSR 4.0, laptop, any BLE device
     ⦿ Tools: Wireshark, hcitool, btproxy, Bettercap, gatttool, crackle, BtleJuice, Btlejack
  8. hcitool
     ⦿ It makes use of the host controller interface in a laptop to communicate with BLE devices and read/write changes to them.
     ⦿ hcitool is therefore useful for finding the available victim BLE device that advertises, and then for changing values after connection.
     ⦿ Values/data can only be changed if one knows the service and characteristic the data comes from. To find the relevant services and characteristics, one may use gatttool.
  9. gatttool
     ⦿ As mentioned on the previous slide, gatttool is mainly helpful for finding the services and characteristics of an available BLE device so that the victim's data can be read/written by the attacker.
  10. Ubertooth commands
     ⦿ $ ubertooth-btle -f
     ⦿ $ ubertooth-btle -f <mac address> -c btledump.pcap
     ⦿ $ ubertooth-btle -f <mac> -c /temp/btle
     ⦿ Also set the capture interface path to /temp/btle in Wireshark.
  11. Crackle and BLE cracking
     - Set up crackle.
     - Capture the complete pairing conversation packets using Ubertooth.
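Added illustration for slides 2 to 4 (advertising, GATT services/characteristics and UUIDs, and the "data in clear text" / "services without authentication" findings); this is not the presenters' code. It decodes the AD structures of an advertising payload, expands adopted 16-bit UUIDs to the 128-bit base form, and audits a GATT table for characteristics a device exposes without pairing. The advertisement bytes and the GATT table are constructed samples, and the 128-bit lock UUID is made up.

```python
# Added example (not from the deck): decode a BLE advertisement's AD structures
# and audit a GATT table for characteristics exposed without pairing.
# All sample bytes and table entries below are constructed.
BT_BASE_UUID = "0000{:04x}-0000-1000-8000-00805f9b34fb"

def uuid16_to_128(short: int) -> str:
    """Expand an adopted 16-bit UUID (e.g. 0x180D Heart Rate) to its 128-bit form."""
    return BT_BASE_UUID.format(short)

def parse_adv(payload: bytes) -> dict:
    """Walk the AD structures ([len][type][data...]) of an advertising payload.
    Nothing here is authenticated: a clone can copy every field verbatim."""
    out = {"flags": None, "service_uuids": [], "name": None}
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            raise ValueError("malformed AD structure at offset %d" % i)
        ad_type, body = payload[i + 1], payload[i + 2:i + 1 + length]
        if ad_type == 0x01:                   # Flags
            out["flags"] = body[0]
        elif ad_type in (0x02, 0x03):         # 16-bit service UUIDs, little-endian
            for j in range(0, len(body) - 1, 2):
                short = int.from_bytes(body[j:j + 2], "little")
                out["service_uuids"].append(uuid16_to_128(short))
        elif ad_type in (0x08, 0x09):         # shortened / complete local name
            out["name"] = body.decode("utf-8", "replace")
        i += 1 + length
    return out

# Constructed advertisement: Flags 0x06 (general discoverable, BR/EDR not
# supported), Heart Rate service 0x180D, complete local name "HeartBand".
SAMPLE_ADV = b"\x02\x01\x06\x03\x03\x0d\x18\x0a\x09HeartBand"

def audit_gatt(chars):
    """Entries are (uuid, properties, security) with security the link requirement the
    device enforces: 'none', 'encrypted' or 'authenticated'. Writable without pairing is
    HIGH (the smart-lock case); readable/notifying in the clear is MEDIUM (the Fitbit case)."""
    findings = []
    for uuid, props, security in chars:
        if security != "none":
            continue
        if "write" in props:
            findings.append((uuid, "HIGH", "writable without pairing"))
        elif props & {"read", "notify"}:
            findings.append((uuid, "MEDIUM", "sent in the clear, sniffable"))
    return findings

SAMPLE_GATT = [  # constructed table in the shape gatttool would enumerate
    (uuid16_to_128(0x2A37), {"notify"}, "none"),                         # Heart Rate Measurement
    (uuid16_to_128(0x2A19), {"read"}, "encrypted"),                      # Battery Level
    ("12345678-aaaa-bbbb-cccc-000000000001", {"read", "write"}, "none"),  # made-up lock control
]
```

Running audit_gatt(SAMPLE_GATT) rates the heart-rate characteristic MEDIUM and the made-up lock control HIGH; the encrypted battery level produces no finding.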