BtleJuice: The Bluetooth Smart MitM Framework


Tool presented and released at DEF CON 24.

Damien Cauquil

August 06, 2016

Transcript

  1. BTLEJUICE: THE BLUETOOTH SMART MITM FRAMEWORK
    Damien Cauquil - CERT-UBIK

  2. /ME
    Senior researcher at CERT-UBIK (ECONOCOM)
    Head of Research and Development
    Focus on Bluetooth Smart since 2014
    Twitter (me): @virtualabs
    Twitter CERT-UBIK: @iotcert

  3. AGENDA
    Bluetooth Smart (or Low Energy) 101
    Bluetooth Smart vs. Bluetooth Classic
    Why sniffing sucks
    Man-in-the-Middle attacks on BTLE
    BtleJuice MitM framework
    Live demos!

  4. BLUETOOTH SMART (LE) 101

  5. BLUETOOTH CLASSIC VS. BLUETOOTH SMART
    Both defined in the Bluetooth 4.0+ specs
    Bluetooth Smart was designed for low power devices (Low Energy)
    Bluetooth Smart is lighter than Bluetooth Classic
    Bluetooth Smart is widely used in tiny embedded devices

  6. MANY BLUETOOTH SMART DEVICES USE BTLE

  7. BLUETOOTH CLASSIC VS. BLUETOOTH SMART

  8. BLUETOOTH SMART MAIN FEATURES
    Frequency Hopping Spread Spectrum (FHSS) to avoid interference
    Encrypted communications (Security Manager Protocol)
    Simple communications through services and characteristics (GAP/GATT)
    One connection at a time

  9. FREQUENCY HOPPING SPREAD SPECTRUM
    Devices synchronize first...
    ...then both of them hop from channel to channel
    Difficult to sniff an existing connection between two devices!

  10. None
  11. None
  12. SECURITY MANAGER PROTOCOL

  13. SECURITY MANAGER PROTOCOL
    Devices exchange pairing information (JustWorks, PIN, OOB)
    Devices authenticate the link
    Keys are distributed and long-term keys stored
    One must sniff this exchange to break the encryption keys (CrackLE)

  14. THE HARD TRUTH IS:
    Few devices use encryption, and those that do usually do not require it (a failed pairing is OK)
    Almost all devices are not strongly authenticated by mobile applications or other devices
    BD address is often the only check performed to ensure authenticity
    Sniffing-based attacks are difficult to perform in the wild

  15. BLUETOOTH SMART MAN-IN-THE-MIDDLE

  16. WHY BTLE SNIFFING SUCKS
    Ubertooth: $120
    Adafruit Bluefruit sniffer: $30 (non-standard PCAP)
    btproxy: only works for Bluetooth Classic, not BTLE
    Encryption: sniff first, then decrypt

  17. None
  18. BLUETOOTH SMART MAN-IN-THE-MIDDLE
    1. Connect to the device
    2. Create a dummy device with the same services and characteristics
    3. Wait for a connection and forward

  19. INTRODUCING BTLEJUICE FRAMEWORK
    Noble for the central, Bleno for the dummy
    Standard BT 4.0+ adapters for both central and dummy
    WebSocket to forward GATT operations (and more)
    Supports bonding (JustWorks) for BlueZ 5.x and Linux kernel 4.x

  20. ARCHITECTURE

  21. HOLD ON, A SIMILAR TOOL EXISTS!
    Presented @ BHUSA 2016 by Slawomir Jasek
    I just discovered it yesterday (thanks to its author)
    Same libs, same requirements
    Same goal, different tools
    More tricks with Bleno and Noble
    http://www.gattack.io/
    https://en.wikipedia.org/wiki/Multiple_discovery

  22. EASY SETUP
    $ sudo apt-get install bluetooth bluez \
        libbluetooth-dev libudev-dev
    $ sudo npm install -g btlejuice

  23. BTLEJUICE WEB UI (uses Ange Albertini's HEXII)

  24. BTLEJUICE FEATURES
    Live GATT operations and data sniffing
    Burp-like interception mode allows data manipulation
    Web user interface
    Python bindings (2.x & 3.x)
    Node.js bindings (ES6)

  25. REQUIREMENTS
    Two-machine setup (a VM works too)
    Two Bluetooth 4.0+ adapters (CSR 4.0+ ideally)
    Node >= v4.3.0

  26. MAN-IN-THE-MIDDLE BENEFITS
    Works with any Bluetooth 4.0+ adapter
    Intercepting GATT reads and writes is way easier
    Supports bonding/encryption!
    Compatible with tests using a Faraday cage
    BD address spoofing is possible =)

  27. CREATING THE PERFECT DUMMY (OR HOW TO CLONE A DEVICE)
    Connect BtleJuice Proxy to the target device...
    No more advertisement, frequency hopping active!
    BD address can be spoofed using CSR adapters
    We can advertise a new device with the same address while connected to the original one

  28. PYTHON BINDINGS
    # assumed: import from the btlejuice python bindings package (not shown on the slide)
    from btlejuice import SniffingInterface

    class MySniffingInterface(SniffingInterface):
        def __init__(self, host, port, target):
            SniffingInterface.__init__(self, host, port, target)

        def on_data_read(self, service, characteristic, data):
            # called once the target device has answered a read
            print('[<][%s - %s] %s' % (service, characteristic, data))

        def on_data_write(self, service, characteristic, data, offset, without_response):
            # called when the client writes to a characteristic
            print('[>][%s - %s] %s' % (service, characteristic, data))

        def on_notification_data(self, service, characteristic, data):
            # called when the target device sends a notification
            print('[!][%s - %s] %s' % (service, characteristic, data))

        def on_subscribe_notification(self, service, characteristic, enabled):
            # called when the client subscribes to (or unsubscribes from) notifications
            print('[N][%s - %s] %s' % (service, characteristic, enabled))

  29. NODE.JS BINDINGS
    // `btlejuice` is the imported Node.js bindings module;
    // hexiify() is a hex-dump helper not shown on the slide, a minimal version is assumed here
    const hexiify = (data) => Buffer.from(data).toString('hex');

    class MySniffingInterface extends btlejuice.SniffingInterface {
      onClientConnected(client) {
        console.log('** Connection from ' + client);
      }
      onClientLeft(client) {
        console.log('** Disconnection from ' + client);
      }
      onRead(service, characteristic, data) {
        console.log('[<][%s - %s] %s', service, characteristic, hexiify(data));
      }
      onWrite(service, characteristic, data) {
        console.log('[>][%s - %s] %s', service, characteristic, hexiify(data));
      }
    }

  30. ON-THE-FLY DATA MODIFICATION
    # assumed: import from the btlejuice python bindings package (not shown on the slide)
    from btlejuice import SniffingInterface, HookForceResponse

    class MySniffingInterface(SniffingInterface):
        def __init__(self, host, port, target):
            SniffingInterface.__init__(self, host, port, target)
            self.batt_level = 100

        def on_before_read(self, service, characteristic, offset):
            # Battery Service (0x180f), Battery Level characteristic (0x2a19)
            if service.lower() == '180f' and \
               characteristic.lower() == '2a19':
                self.batt_level -= 1
                if self.batt_level < 0:
                    self.batt_level = 100
                # answer the client ourselves instead of forwarding the read
                raise HookForceResponse(chr(self.batt_level))

        def on_before_subscribe(self, service, characteristic, enabled):
            # dismiss: the subscription is never forwarded to the target device
            raise HookForceResponse()

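The slide above relies on one mechanism: a hook that raises HookForceResponse answers the client itself and the proxy never touches the device. The following is an added example, not code from the BtleJuice project or its bindings: a self-contained model of that dispatch so a hook can be unit-tested offline before it runs inside the real proxy. The hook names mirror the slide; GattProxyModel, FakeDevice and the sample characteristic values are assumptions standing in for the proxy and the target device.

```python
class HookForceResponse(Exception):
    """Raised by a hook to answer the client directly, skipping the device."""
    def __init__(self, data=b''):
        super().__init__(data)
        self.data = data


class SniffingInterface(object):
    """No-op hooks; subclasses override only what they need (model of the bindings' base class)."""
    def on_before_read(self, service, characteristic, offset):
        pass

    def on_before_subscribe(self, service, characteristic, enabled):
        pass

    def on_data_read(self, service, characteristic, data):
        pass


class FakeDevice(object):
    """Stands in for the real peripheral: (service, characteristic) -> value (assumed helper)."""
    def __init__(self, values):
        self.values = dict(values)
        self.subscriptions = []

    def read(self, service, characteristic, offset):
        return self.values[(service, characteristic)][offset:]

    def subscribe(self, service, characteristic, enabled):
        self.subscriptions.append((service, characteristic, enabled))


class GattProxyModel(object):
    """Forwards a client's GATT operations to the device unless a hook intervenes (assumed model)."""
    def __init__(self, device, sniffer):
        self.device = device
        self.sniffer = sniffer

    def client_read(self, service, characteristic, offset=0):
        try:
            self.sniffer.on_before_read(service, characteristic, offset)
        except HookForceResponse as forced:
            return forced.data  # hook answered; the device is never contacted
        data = self.device.read(service, characteristic, offset)
        self.sniffer.on_data_read(service, characteristic, data)
        return data

    def client_subscribe(self, service, characteristic, enabled):
        try:
            self.sniffer.on_before_subscribe(service, characteristic, enabled)
        except HookForceResponse:
            return False  # subscription dismissed, not forwarded
        self.device.subscribe(service, characteristic, enabled)
        return True


class BatteryHook(SniffingInterface):
    """The slide's battery-level hook, returning a one-byte value."""
    def __init__(self):
        self.batt_level = 100

    def on_before_read(self, service, characteristic, offset):
        # Battery Service 0x180f, Battery Level 0x2a19; UUID case must not matter
        if service.lower() == '180f' and characteristic.lower() == '2a19':
            self.batt_level -= 1
            if self.batt_level < 0:
                self.batt_level = 100
            raise HookForceResponse(bytes([self.batt_level]))

    def on_before_subscribe(self, service, characteristic, enabled):
        raise HookForceResponse()


def run_demo():
    # Constructed sample device: battery level 42 %, device name "tag"
    device = FakeDevice({('180f', '2a19'): b'\x2a', ('1800', '2a00'): b'tag'})
    proxy = GattProxyModel(device, BatteryHook())
    forced = [proxy.client_read('180f', '2a19')[0] for _ in range(3)]  # hook answers
    real = proxy.client_read('1800', '2a00')                            # forwarded
    forwarded = proxy.client_subscribe('180f', '2a19', True)            # dismissed
    return forced, real, forwarded, len(device.subscriptions)


if __name__ == '__main__':
    print(run_demo())
```

Running it shows the three battery reads coming from the hook (99, 98, 97) while the device name read is forwarded untouched and the subscription never reaches the device; the same harness lets a hook's wrap-around and UUID-case handling be checked without a radio.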
  31. KNOWN LIMITATIONS
    Noble does not support long writes (>22 bytes)
    Induced latency (BTLE to WebSocket then back to BTLE)
    May be tricky to use when devices keep connections or advertise only for a short delay

  32. BTLEJUICE LIVE

  33. MY TEST DEVICES
    Device            Bonding   Auth   Interception   Replay
    Gablys Lite       ?         ?      ?              ?
    Wistiki           ?         ?      ?              ?
    MasterLock 4400D  ?         ?      ?              ?
    Padlock           ?         ?      ?              ?
    Smartlock         ?         ?      ?              ?

  34. DEMO: GABLYS LITE

  35. GABLYS LITE
    Bonding supported, but not required
    No strong authentication
    Anyone may make this tag beep
    Denial of service attack found through replay

  36. DEMO: WISTIKI

  37. WISTIKI
    Bonding required
    Bonding provides strong authentication
    Tag is declared lost when the connection is lost

  38. MY TEST DEVICES
    Device            Bonding   Auth      Interception   Replay
    Gablys Lite       NO        ADDRESS   YES            YES
    Wistiki           REQUIRED  STRONG    NO             NO
    MasterLock 4400D  ?         ?         ?              ?
    Padlock           ?         ?         ?              ?
    Smartlock         ?         ?         ?              ?

  39. MASTERLOCK 4400D
    Encrypted communications (AES-CCM)
    No bonding required
    Authentication through challenge/response
    Long writes through characteristics
    Available for a short amount of time

  40. DEMO: PADLOCK

  41. PADLOCK
    Everything sent in plaintext
    Authentication based on BD address
    No bonding required
    Stays active once a client has connected

  42. MY TEST DEVICES
    Device            Bonding   Auth      Interception   Replay
    Gablys Lite       NO        ADDRESS   YES            YES
    Wistiki           REQUIRED  STRONG    NO             NO
    MasterLock 4400D  NO        STRONG    NO             NO
    Padlock           NO        ADDRESS   YES            YES
    Smartlock         ?         ?         ?              ?

  43. SMARTLOCK
    Data partly transmitted unencrypted
    Authentication based on advertisement data
    No bonding required

  44. MY TEST DEVICES
    Device            Bonding   Auth      Interception   Replay
    Gablys Lite       NO        ADDRESS   YES            YES
    Wistiki           REQUIRED  STRONG    NO             NO
    MasterLock 4400D  NO        STRONG    NO             NO
    Padlock           NO        ADDRESS   YES            YES
    Smartlock         NO        ADVERT.   YES            YES

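The results table above splits the devices cleanly: the ones whose only check is the BD address (or advertisement data) were intercepted and replayed, while the MasterLock's challenge/response authentication resisted both. The following is an added example, not code from the talk or from any of the tested products, modelling the two schemes so the difference can be checked offline: an address-only lock accepts a replayed payload from a spoofed address, whereas a keyed challenge/response with a fresh nonce rejects the replay and any party without the key. All class names, keys and addresses are constructed for the example.

```python
import hashlib
import hmac
import os


class AddressAuthLock(object):
    """Padlock-style model: whoever presents the paired BD address is trusted."""
    def __init__(self, paired_address):
        self.paired_address = paired_address

    def unlock(self, client_address, payload):
        # The payload is never checked; the address is the whole authentication
        return client_address == self.paired_address


class ChallengeResponseLock(object):
    """Model of a lock that demands proof of a shared key, fresh nonce per attempt."""
    def __init__(self, shared_key):
        self.shared_key = shared_key
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)  # never reused, so a captured answer is useless later
        return self.pending

    def unlock(self, client_address, response):
        # client_address is deliberately ignored: it can be spoofed (slide 27)
        if self.pending is None:
            return False
        expected = hmac.new(self.shared_key, self.pending, hashlib.sha256).digest()
        self.pending = None  # one response per challenge
        return hmac.compare_digest(expected, response)


def answer_challenge(shared_key, nonce):
    """What the legitimate app computes for a nonce."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def address_scheme():
    """Interception + replay against the address-checked lock (constructed values)."""
    lock = AddressAuthLock(paired_address='aa:bb:cc:dd:ee:01')
    captured = b'open'  # the plaintext payload as seen through a proxy
    return {
        'owner': lock.unlock('aa:bb:cc:dd:ee:01', captured),
        'stranger': lock.unlock('aa:bb:cc:dd:ee:02', captured),
        # spoofed address plus replayed payload: indistinguishable from the owner
        'spoofed_replay': lock.unlock('aa:bb:cc:dd:ee:01', captured),
    }


def challenge_response_scheme():
    """The same three attempts against the challenge/response lock (constructed key)."""
    key = b'constructed-32-byte-shared-key!!'
    lock = ChallengeResponseLock(key)
    # Session 1: the real app answers a fresh nonce
    nonce1 = lock.challenge()
    captured = answer_challenge(key, nonce1)
    owner = lock.unlock('aa:bb:cc:dd:ee:01', captured)
    # Session 2: the captured response is replayed against a new nonce
    lock.challenge()
    replay = lock.unlock('aa:bb:cc:dd:ee:01', captured)
    # Session 3: spoofed address, but no key to answer the nonce with
    nonce3 = lock.challenge()
    no_key = lock.unlock('aa:bb:cc:dd:ee:01', answer_challenge(b'guess', nonce3))
    return {'owner': owner, 'replay': replay, 'spoofed_no_key': no_key}


if __name__ == '__main__':
    print('address-only:', address_scheme())
    print('challenge/response:', challenge_response_scheme())
```

The address-only lock returns True for the owner and for the replay alike, which is exactly the YES/YES row in the table; the challenge/response lock accepts only the live answer. The model also shows the two properties a device needs to land in the NO/NO rows: a secret the proxy cannot obtain by sniffing, and a per-attempt nonce so that capturing one exchange gives nothing reusable.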
  45. SUMMARY

  46. BTLEJUICE AS A SECURITY TOOL
    Useful to determine a device's behavior
    Allows data sniffing and manipulation
    Allows replay attacks
    Supports bonding

  47. BTLEJUICE AS AN ATTACK TOOL
    Can bypass BD address authentication
    Can be instrumented to automate attacks
    Requires generic hardware but at least two machines
    Known limitations due to Noble and Bleno limitations

  48. FUTURE WORK
    Improve BtleJuice's proxy reliability
    Solve the two-machine problem
    Improve user interfaces and bindings
    Moar testing (need feedback!)

  49. QUESTIONS?

  50. CONTACT damien.cauquil@digitalsecurity.fr @virtualabs (https://twitter.com/virtualabs) @iotcert (https://twitter.com/iotcert)

  51. USEFUL LINKS
    https://github.com/DigitalSecurity/btlejuice
    https://github.com/DigitalSecurity/btlejuice-node-bindings
    https://github.com/DigitalSecurity/btlejuice-python-bindings
    http://www.silabs.com/Support%20Documents/RegisteredDocs/UG103.14.pd
    https://www.bluetooth.com/specifications/adopted-specifications
    http://lacklustre.net/projects/crackle/
    http://www.gattack.io/