Sunday, November 23, 2008

Breaking the pair relationship between two remote devices

Sniffing and cracking the secret Bluetooth link key shared between two remote devices is only possible if the attacker can sniff the pairing process successfully. This means there's no way to sniff and crack the Bluetooth link key if both devices are already paired up, since they will follow the Challenge-Response authentication process.

If you find this scenario, it'd be interesting if you could break the pair relationship between both devices and force them to repeat the pairing process. Then you'll have the chance to sniff and crack the new link key.

Shaked and Wool Re-Pairing attack, the theory.

Long time ago Yaniv Shaked and Avishai Wool published a paper explaining how to cryptographically crack the Bluetooth PIN. I quote:

5.2 Attack details

Assume that two Bluetooth devices that have already been paired before now intend to establish communication again. This means that they don't need to create the link key Kab again, since they have already created and stored it before. They proceed directly to the Authentication phase (...). We describe three different methods that can be used to force the devices to repeat the pairing process. The efficiency of each method depends on the implementation of the Bluetooth core in the device under attack. These methods appear in order of efficiency:

  1. Since the devices skipped the pairing process and proceeded directly to the Authentication phase, the master device sends the slave an AU_RAND message, and expects the SRES message in return. Note that Bluetooth specifications allow a Bluetooth device to forget a link key. In such a case, the slave sends an LMP_not_accepted message in return, to let the master know it has forgotten the link key (...). Therefore, after the master device has sent the AU_RAND message to the slave, the attacker injects a LMP_not_accepted message toward the master. The master will be convinced that the slave has lost the link key and pairing will be restarted (...). Restarting the pairing procedure causes the master to discard the link key (...). This assures pairing must be done before devices can authenticate again.

  2. At the beginning of the Authentication phase, the master device is supposed to send the AU_RAND to the slave. If before doing so, the attacker injects a IN_RAND message toward the slave, the slave device will be convinced the master has lost the link key and pairing is restarted. This will cause the connection establishment to restart.

  3. During the Authentication phase, the master device sends the slave an AU_RAND message, and expects a SRES message in return. If, after the master has sent the AU_RAND message, an attacker injects a random SRES message toward the master, this will cause the Authentication phase to restart, and repeated attempts will be made (...). At some point, after a certain number of failed authentication attempts, the master device is expected to declare that the authentication procedure has failed (implementation dependent) and initiate pairing (...).

The three methods described above cause one of the devices to discard its link key. This assures the pairing process will occur during the next connection establishment, so the attacker will be able to eavesdrop on the entire process, and use the method described in Section 3 to crack the PIN.

Spoofing the wrong link key, the practice.

Shaked and Wool attack looks nice and smart, but method 3 can be described in a much easier way: You just need to spoof one device's BD_ADDR and provide a wrong Bluetooth link key when authenticating in some other device's Bluetooth profile. Trust relationship will be broken for security reasons and the stored link key deleted.

Let's see this with an example:

You discover two remote devices, a mobile phone and a PDA. You'd like to obtain the secret shared Bluetooth link key, however both devices are already paired up.

If any of the devices establishes a connection with the other one, they will follow a Challenge-Response process to validate the authentication mechanism.

In order to break the pair relationship, you need to spoof one of them first (spoof its BD_ADDR). Let's say you choose to spoof the mobile phone...

Then, you need to install a random Bluetooth link key in the system.

From now on whenever you try to establish a connection with any Bluetooth profile requiring authentication in the PDA (the other device) the stored link key will be used in the Challenge-Response process.

The link key provided is wrong, so the Challenge-Response process will fail.

The attacker tries to connect the OBEX FTP profile in the PDA, which requires authentication.

For security reasons, the trust relationship will be broken and the stored link key will be deleted in the PDA.

If the mobile phone now tries to establish a connection with the PDA, the devices won't follow the Challenge-Response authentication process; they will need to repeat the pairing process.

And you will be there to sniff and crack the new Bluetooth link key. ;)

Tuesday, November 18, 2008

Sniffing the Bluetooth pairing

With the help of a Bluetooth sniffer it is possible to eavesdrop the Pairing process and obtain the secret link key shared between two remote devices.

The attacker may use two Bluetooth dongles, a standard adapter to perform operations such as inquiry and scan for devices nearby, and a sniffer adapter to capture the packets.

Then, discover two random devices before they initiate the pairing process.

Andrea Bittau published a frontline software that can be used to send commands and operate the hardware sniffer.

At this time, the remote devices can begin the pairing process, packets generated will be captured by the sniffer.

Among all the packets captured you may find the keys created for the Bluetooth link key generation and therefore obtain it.

OpenCiphers' Bluetooth Pin Cracking Core or BTCrack PIN Cracker by Thierry Zoller can be used to crack the link key from the sniffed keys.

We can check the cracked link key, Kab, is the same shared by the remote devices.

Once you own the Bluetooth link key, you can perform the BD_ADDR spoofing attack and use it to access to profiles requiring authorization/authentication in both devices, such as OBEX FTP Profile, which allows you to send files, get files and list directories in the mobile phone.

And the Dial Up Networking Profile, which allows you to send AT Commands to the mobile phone.

Bluetooth security is now broken. However, keep in mind that performing this attack in the real world is almost impossible. The attacker must find two devices right before they initiate the pairing process and know which one is playing the master role in the piconet in advance. This is more like a Proof of Concept.

Monday, November 17, 2008

Sniffando el emparejamiento Bluetooth

Con la ayuda de un sniffer Bluetooth sería posible escuchar el emparejamiento de dos dispositivos Bluetooth y obtener la clave de enlace que comparten.

Un atacante podría utilizar dos módulos Bluetooth, un adaptador convencional para realizar operaciones tales como búsqueda y detección de dispositivos cercanos, y un adaptador sniffer para capturar los paquetes.

En primer lugar, detectar dos dispositivos cualesquiera que estén a punto de iniciar el proceso de emparejamiento.

Luego utilizar la herramienta frontline que desarrolló Andrea Bittau, la cual permite enviar comandos y operar un hardware sniffer.

En este punto, los dispositivos Bluetooth remotos pueden comenzar el proceso de emparejamiento, los paquetes generados serán capturados por el sniffer.

Entre todos los paquetes capturados, podemos encontrar las claves temporales creadas durante el proceso de emparejamiento para generar la clave de enlace y, por consiguiente, llegar a obtener la misma.

Podemos utilizar el Bluetooth Pin Cracking Core de OpenCiphers o el BTCrack PIN Cracker de Thierry Zoller para crackear la clave de enlace Bluetooth a partir de las claves temporales capturadas.

Es fácil comprobar si la clave crackeada corresponde con la clave de enlace que realmente comparten los dispositivos remotos.

Una vez que la clave de enlace Bluetooth está en nuestra posesión, podemos llevar a cabo el ataque BD_ADDR spoofing y utilizar esta clave para acceder a perfiles que requieran autorización/autenticación en cualquiera de los dispositivos, como por ejemplo el perfil de OBEX FTP para Transferencia de Archivos, que permite enviar y descargar archivos del teléfono móvil así como listar directorios.

Y el perfil de Acceso Telefónico a Redes, que permite enviar comandos AT al teléfono móvil.

Con esto se ha conseguido romper la seguridad en Bluetooth. No obstante, resulta casi imposible reproducir este ataque en el mundo real. El atacante necesitaría encontrar dos dispositivos justo en el momento previo al emparejamiento y saber de antemano cual de los dos juega el papel de maestro en la piconet. Se trata más bien de una Prueba de Concepto.