Sunday, November 23, 2008

Breaking the pair relationship between two remote devices

Sniffing and cracking the secret Bluetooth link key shared between two remote devices is only possible if the attacker can sniff the pairing process successfully. This means there is no way to sniff and crack the link key if both devices are already paired, since they skip pairing and go straight to the Challenge-Response authentication process.

If you run into this scenario, it would be interesting if you could break the pairing relationship between the two devices and force them to pair again. Then you would have the chance to sniff and crack the new link key.

The Shaked and Wool re-pairing attack, the theory.

A long time ago Yaniv Shaked and Avishai Wool published a paper explaining how to crack the Bluetooth PIN cryptographically. I quote:

5.2 Attack details

Assume that two Bluetooth devices that have already been paired before now intend to establish communication again. This means that they don't need to create the link key Kab again, since they have already created and stored it before. They proceed directly to the Authentication phase (...). We describe three different methods that can be used to force the devices to repeat the pairing process. The efficiency of each method depends on the implementation of the Bluetooth core in the device under attack. These methods appear in order of efficiency:

  1. Since the devices skipped the pairing process and proceeded directly to the Authentication phase, the master device sends the slave an AU_RAND message, and expects the SRES message in return. Note that Bluetooth specifications allow a Bluetooth device to forget a link key. In such a case, the slave sends an LMP_not_accepted message in return, to let the master know it has forgotten the link key (...). Therefore, after the master device has sent the AU_RAND message to the slave, the attacker injects an LMP_not_accepted message toward the master. The master will be convinced that the slave has lost the link key and pairing will be restarted (...). Restarting the pairing procedure causes the master to discard the link key (...). This assures pairing must be done before devices can authenticate again.

  2. At the beginning of the Authentication phase, the master device is supposed to send the AU_RAND to the slave. If before doing so, the attacker injects an IN_RAND message toward the slave, the slave device will be convinced the master has lost the link key and pairing is restarted. This will cause the connection establishment to restart.

  3. During the Authentication phase, the master device sends the slave an AU_RAND message, and expects a SRES message in return. If, after the master has sent the AU_RAND message, an attacker injects a random SRES message toward the master, this will cause the Authentication phase to restart, and repeated attempts will be made (...). At some point, after a certain number of failed authentication attempts, the master device is expected to declare that the authentication procedure has failed (implementation dependent) and initiate pairing (...).

The three methods described above cause one of the devices to discard its link key. This assures the pairing process will occur during the next connection establishment, so the attacker will be able to eavesdrop on the entire process, and use the method described in Section 3 to crack the PIN.


Spoofing the wrong link key, the practice.

The Shaked and Wool attack looks nice and smart, but method 3 can be carried out in a much simpler way: you just need to spoof one device's BD_ADDR and present a wrong Bluetooth link key when authenticating against a Bluetooth profile on the other device. For security reasons the trust relationship will be broken and the stored link key deleted.

Let's see this with an example:

You discover two remote devices, a mobile phone and a PDA. You would like to obtain the secret shared Bluetooth link key; however, both devices are already paired.





If either device establishes a connection with the other, they will follow a Challenge-Response process to authenticate each other.

In order to break the pairing relationship, you first need to spoof one of them (spoof its BD_ADDR). Let's say you choose to spoof the mobile phone...

Then you need to install a random Bluetooth link key on your system.

From now on, whenever you try to connect to any Bluetooth profile on the PDA (the other device) that requires authentication, the stored link key will be used in the Challenge-Response process.

The link key provided is wrong, so the Challenge-Response process will fail.

The attacker tries to connect to the OBEX FTP profile on the PDA, which requires authentication.

For security reasons, the trust relationship will be broken and the stored link key will be deleted on the PDA.



If the mobile phone now tries to establish a connection with the PDA, the devices won't follow the Challenge-Response authentication process; they will need to repeat the pairing process.



And you will be there to sniff and crack the new Bluetooth link key. ;)
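The exchange this post relies on, a stored link key that is thrown away as soon as one Challenge-Response fails, can be replayed in a small simulation. The following is an added example, not code from the original post or from Shaked and Wool's paper: HMAC-SHA256 stands in for the Bluetooth E1 function (only the shape SRES = f(link key, BD_ADDR, AU_RAND) is modelled, not SAFER+), and the addresses, keys and failure threshold are constructed values. It contrasts a verifier that discards the key on the first failure (the behaviour the PDA shows above) with one that keeps the key across a few consecutive failures and records the discard, which is the check a device vendor or a user looking at unexpected re-pairing prompts would want.

```python
"""Simulation of the link-key challenge-response and of the "wrong key, stored key
deleted" behaviour the post relies on.

Added example, not code from the original post or from Shaked and Wool.
Assumptions (constructed for illustration): HMAC-SHA256 stands in for the
Bluetooth E1 function (only the shape SRES = f(link key, BD_ADDR, AU_RAND) is
modelled); the addresses, keys and failure threshold are made-up values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def sres(link_key: bytes, claimant: bytes, au_rand: bytes) -> bytes:
    """Stand-in for E1 (assumption, not SAFER+): 32-bit response to AU_RAND."""
    return hmac.new(link_key, claimant + au_rand, hashlib.sha256).digest()[:4]


class Verifier:
    """The device issuing AU_RAND (the PDA in the post).

    max_failures=1 is the behaviour the post exploits: one wrong SRES and the
    stored key is discarded, so a spoofed BD_ADDR with any key forces re-pairing.
    A higher threshold keeps the key across a few consecutive failures and logs
    the discard, so an unexpected re-pairing leaves a trace for the user.
    """

    def __init__(self, link_keys: Dict[bytes, bytes], max_failures: int = 1):
        self.link_keys = dict(link_keys)
        self.max_failures = max_failures
        self.failures: Dict[bytes, int] = {}
        self.events: List[str] = []
        self._pending: Dict[bytes, bytes] = {}

    def has_key(self, peer: bytes) -> bool:
        return peer in self.link_keys

    def challenge(self, peer: bytes) -> Optional[bytes]:
        """Send AU_RAND, or None when no key is stored (pairing needed)."""
        if peer not in self.link_keys:
            return None
        self._pending[peer] = secrets.token_bytes(16)
        return self._pending[peer]

    def verify(self, peer: bytes, response: bytes) -> bool:
        """Compare the peer's SRES with the one computed from the stored key."""
        au_rand = self._pending.pop(peer, None)
        if au_rand is None:
            return False
        if hmac.compare_digest(sres(self.link_keys[peer], peer, au_rand), response):
            self.failures[peer] = 0
            return True
        n = self.failures[peer] = self.failures.get(peer, 0) + 1
        self.events.append(f"auth failure {n} from {peer.hex(':')}")
        if n >= self.max_failures:
            del self.link_keys[peer]
            self.events.append(f"link key for {peer.hex(':')} discarded")
        return False


class Claimant:
    """The device answering AU_RAND: the real phone, or a spoofer that borrowed
    the phone's BD_ADDR and installed some other link key."""

    def __init__(self, bd_addr: bytes, link_key: bytes):
        self.bd_addr, self.link_key = bd_addr, link_key

    def respond(self, au_rand: bytes) -> bytes:
        return sres(self.link_key, self.bd_addr, au_rand)


def attempt(verifier: Verifier, claimant: Claimant) -> bool:
    """One authentication: AU_RAND out, SRES back; False if no key is stored."""
    au_rand = verifier.challenge(claimant.bd_addr)
    return au_rand is not None and verifier.verify(claimant.bd_addr, claimant.respond(au_rand))


# Constructed sample values (not real devices or keys).
PHONE_ADDR = bytes.fromhex("001122334455")
KAB = bytes.fromhex("00112233445566778899aabbccddeeff")


def scenario(max_failures: int) -> Tuple[bool, bool, bool, int, bool]:
    """Replay the post's scenario against a PDA with the given failure threshold.

    Returns (phone_ok, spoofer_ok, key_kept_after_first_failure,
             spoofer_attempts_until_discard, phone_ok_after_discard).
    """
    pda = Verifier({PHONE_ADDR: KAB}, max_failures)
    phone = Claimant(PHONE_ADDR, KAB)
    spoofer = Claimant(PHONE_ADDR, secrets.token_bytes(16))  # random, wrong key

    phone_ok = attempt(pda, phone)
    spoofer_ok = attempt(pda, spoofer)
    key_kept = pda.has_key(PHONE_ADDR)
    attempts = 1
    while pda.has_key(PHONE_ADDR):
        attempt(pda, spoofer)
        attempts += 1
    # With the key gone, even the real phone must pair again.
    return phone_ok, spoofer_ok, key_kept, attempts, attempt(pda, phone)


if __name__ == "__main__":
    for threshold in (1, 3):
        print(f"threshold {threshold}: {scenario(threshold)}")
```

With a threshold of 1 the spoofer needs exactly one failed attempt and the real phone is then locked out until it pairs again; with a threshold of 3 the first failure leaves the key in place and the discard is written to `events`, which is the point a defender cares about: a re-pairing request from a device that was already paired is worth a second look rather than a reflexive "accept".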

Tuesday, November 18, 2008

Sniffing the Bluetooth pairing

As I already showed, it's very easy to build your own Bluetooth sniffer from a consumer Bluetooth dongle. Among all the cool things you can do with that sniffer, it would be amazing if you could sniff the Bluetooth pairing process and obtain the secret link key shared between two remote devices.



First, you need to build your own Bluetooth sniffer.



Then, discover two random devices before they initiate the pairing process.



Andrea (aka sorbo) published a frontline tool which can be used for sending commands to the hardware sniffer. Instead, I'll use a modded version of this frontline coded by drgr33n and published as part of a Bluetooth security suite called Blue Smash.



Let's start sniffing...



At this point the remote devices can begin the pairing process; the packets generated will be captured by the sniffer.







Among all the packets captured you may find the temporary keys exchanged for Bluetooth link key generation and therefore obtain the link key itself.





OpenCiphers' Bluetooth Pin Cracking Core or BTCrack PIN Cracker by Thierry Zoller can be used to crack the link key from the sniffed keys.



You can check that the cracked link key, Kab, is the same one shared by the remote devices.



Once you own the Bluetooth link key, you can perform the BD_ADDR spoofing attack and use it to access profiles requiring authorization/authentication on both devices, such as the OBEX FTP Profile, which allows you to send files, get files and list directories on the mobile phone.





And the Dial Up Networking Profile, which allows you to send AT Commands to the mobile phone.





Bluetooth security is now broken. However, keep in mind that performing this attack in the real world is almost impossible: you need to find two devices just before they initiate the pairing process and know in advance which one plays the master role in the piconet. This is a PoC only suitable for a perfect in-the-lab scenario with all devices under control. (But it still rocks!)

Monday, November 17, 2008

Sniffing the Bluetooth pairing

As I already showed, it is very easy to build your own Bluetooth sniffer from an ordinary Bluetooth USB adapter. Among all the cool things you could do with a sniffer, it would be amazing to be able to sniff while two Bluetooth devices pair and obtain the link key they share.

First of all, we need to have built our own Bluetooth sniffer.

Next, we need to detect two devices, any two, that are about to start the pairing process.

Andrea (aka sorbo) published some time ago the frontline tool, which lets you send commands to a hardware sniffer. Instead, though, I will use a version modified by drgr33n and published as part of a Bluetooth security auditing suite called Blue Smash.

We start sniffing...

At this point the remote Bluetooth devices can begin the pairing process; the packets generated will be captured by the sniffer.

Among all the captured packets we can find the temporary keys created during the pairing process to generate the link key and, consequently, obtain the link key itself.

We can use OpenCiphers' Bluetooth Pin Cracking Core or Thierry Zoller's BTCrack PIN Cracker to crack the Bluetooth link key from the captured temporary keys.

It is easy to check whether the cracked key matches the link key the remote devices actually share.

Once the Bluetooth link key is in our possession, we can carry out the BD_ADDR spoofing attack and use this key to access profiles that require authorization/authentication on either device, such as the OBEX FTP profile for file transfer, which allows sending and downloading files from the mobile phone as well as listing directories.

And the Dial-Up Networking profile, which allows sending AT commands to the mobile phone.

With this, Bluetooth security has been definitively broken. However, it is almost impossible to reproduce this attack in the real world. We would need to find two devices in a state prior to the pairing process and know in advance which of the two plays the master role in the piconet. It is a proof of concept that can only be reproduced in a lab environment, with all devices under our control. (But it still rocks!)

Wednesday, November 12, 2008

Building your own Bluetooth sniffer

In May 2007 Max Moser published a procedure to build your own cheap Bluetooth sniffer from a consumer Bluetooth dongle. Here's the practical how-to; it is fully documented on the internet, so this is a short and quick explanation.





There are specific requirements the Bluetooth adapter must meet so it can be flashed into a Bluetooth sniffer:

1. Cambridge Silicon Radio (CSR) chipset.



2. BC4 External or Flash. Adapters with ROM memory can't be used.

The second dongle (BC4 EXT) will do; I'm not sure about the first (BC2 EXT).

You need these tools:
  • bccmd: modify firmware settings
  • dfutool: flash and update the firmware
You can obtain them via bluez-cvs; here is how:

# sudo apt-get install libbluetooth2 libbluetooth2-dev libusb-0.1-4 libusb-dev
# cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez login
# cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez co utils
# cd utils/tools
# gcc csr.c csr_3wire.c csr_bcsp.c csr_h4.c csr_hci.c csr_usb.c ubcsp.c bccmd.c -o bccmd -lusb -lbluetooth
# gcc csr.c dfutool.c -o dfutool -lusb -lbluetooth


You will also need to download and install Frontline Test Equipment FTS4BT version <= 5.6.9.0, in order to obtain the airsnifferdev4*bc4.dfu firmware which you can use to upgrade the dongle.

The procedure is simple. First, you need to change the product id (it should be 0x0002) and the vendor id (it should be 0x0a12); the FTS4BT tool requires that in order to recognize the Bluetooth adapter.



Then, you need to backup the firmware of the dongle before flashing it with airsnifferdev4*bc4.dfu.




If you use airsnifferdev5*bc4.dfu you might brick your dongle and make it useless, so it's important to find the correct version of FTS4BT (the one with airsnifferdev4*bc4.dfu); the latest version won't do.

After you have done those two operations successfully you can see the Bluetooth dongle is in RAW mode. (You may need to unplug it and plug it back in.)


The RX and TX bytes should be rising.

You can also test it's working by executing frontline, the tool released by Andrea (aka sorbo) for sending commands to a hardware sniffer.


The timer should be increasing.

You got it!
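Because the post warns that the wrong firmware image can brick the dongle, it is worth checking the preconditions before touching it. The following pre-flight checker is an added example, not part of the original post or of the bluez/FTS4BT tooling: it only encodes what the post states (a CSR adapter, vendor id 0x0a12, with the product id 0x0002 that FTS4BT expects; an airsnifferdev4*bc4.dfu image rather than dev5; a firmware backup taken first). Reading the adapter ids from `lsusb` output is my own choice, and the lsusb lines and file names below are constructed sample input.

```python
"""Pre-flight checks before flashing a CSR dongle with the FTS4BT sniffer firmware.

Added example, not part of the original post.  It only encodes the conditions
the post states: a CSR adapter (vendor id 0x0a12) with the product id FTS4BT
expects (0x0002), a firmware image from the airsnifferdev4*bc4.dfu family rather
than dev5, and a firmware backup taken before flashing.  The lsusb lines and
file names used below are constructed sample input.
"""
import os
import re
from typing import List, NamedTuple, Optional

CSR_VENDOR_ID = 0x0A12
FTS4BT_PRODUCT_ID = 0x0002

# One lsusb line per device, e.g. "Bus 001 Device 004: ID 0a12:0001 Cambridge Silicon Radio, Ltd"
LSUSB_LINE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$")


class UsbDevice(NamedTuple):
    bus: int
    device: int
    vendor_id: int
    product_id: int
    description: str


def parse_lsusb(output: str) -> List[UsbDevice]:
    """Parse `lsusb` output; lines that do not match the device format are skipped."""
    devices = []
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            bus, dev, vid, pid, desc = m.groups()
            devices.append(UsbDevice(int(bus), int(dev), int(vid, 16), int(pid, 16), desc.strip()))
    return devices


def csr_dongles(devices: List[UsbDevice]) -> List[UsbDevice]:
    """Keep only adapters with the Cambridge Silicon Radio vendor id."""
    return [d for d in devices if d.vendor_id == CSR_VENDOR_ID]


def firmware_is_dev4(path: str) -> bool:
    """True only for airsnifferdev4*bc4.dfu; the post reports dev5 images brick the dongle."""
    name = os.path.basename(path).lower()
    return name.startswith("airsnifferdev4") and name.endswith("bc4.dfu")


def backup_size(path: str) -> Optional[int]:
    """Size of the firmware backup file, or None if it does not exist."""
    return os.path.getsize(path) if os.path.isfile(path) else None


def preflight(lsusb_output: str, firmware_path: str, backup_bytes: Optional[int]) -> List[str]:
    """Return the list of problems; an empty list means flashing may proceed."""
    problems = []
    dongles = csr_dongles(parse_lsusb(lsusb_output))
    if not dongles:
        problems.append("no CSR (0x0a12) adapter found")
    elif not any(d.product_id == FTS4BT_PRODUCT_ID for d in dongles):
        problems.append("CSR adapter found, but its product id is not 0x0002 (change it with bccmd first)")
    if not firmware_is_dev4(firmware_path):
        problems.append(f"{os.path.basename(firmware_path)} is not an airsnifferdev4*bc4.dfu image")
    if not backup_bytes:
        problems.append("no firmware backup found; dump the current firmware with dfutool first")
    return problems


# Constructed sample lsusb output (not captured from a real machine).
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0a12:0002 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
"""

if __name__ == "__main__":
    report = preflight(SAMPLE_LSUSB, "airsnifferdev4_bc4.dfu", backup_size("dongle-backup.dfu"))
    for line in report or ["all checks passed"]:
        print(line)
```

On a real machine you would pass the output of `lsusb` and the path of the backup you dumped with dfutool; the checker is deliberately split into pure functions so the decision logic can be tested without a dongle attached.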



You can follow these useful links to find more information:

Tuesday, November 11, 2008

Building your own Bluetooth sniffer

As I already mentioned in my post Avances en sniffing Bluetooth, in May 2007 Max Moser published a procedure to build your own Bluetooth sniffer from an ordinary Bluetooth USB adapter.

The Bluetooth adapter needs to meet two requirements to be converted into a Bluetooth sniffer:

1. Cambridge Silicon Radio (CSR) chipset.

2. BC4 External or Flash. Bluetooth adapters with ROM memory won't do.

The second adapter (BC4 EXT) will do; I'm not sure about the first (BC2 EXT).

You need to get the following tools:
  • bccmd: lets you modify the firmware settings
  • dfutool: lets you flash the adapter and update the firmware
They can be obtained via bluez-cvs; here is how:

# sudo apt-get install libbluetooth2 libbluetooth2-dev libusb-0.1-4 libusb-dev
# cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez login
# cvs -d:pserver:anonymous@cvs.bluez.org:/cvsroot/bluez co utils
# cd utils/tools
# gcc csr.c csr_3wire.c csr_bcsp.c csr_h4.c csr_hci.c csr_usb.c ubcsp.c bccmd.c -o bccmd -lusb -lbluetooth
# gcc csr.c dfutool.c -o dfutool -lusb -lbluetooth

You also need to download and install the Frontline Test Equipment FTS4BT package, version <= 5.6.9.0, which contains the airsnifferdev4*bc4.dfu firmware we will later use to update the Bluetooth adapter.

The procedure is simple. First, the FTS4BT tool requires some configuration in order to recognize the adapter as a hardware sniffer. You have to change the product id (it should be 0x0002) and the vendor id (it should be 0x0a12).

Then it is advisable to back up the existing firmware on the Bluetooth adapter before flashing it and loading the airsnifferdev4*bc4.dfu firmware.

If the airsnifferdev5*bc4.dfu firmware is used the adapter may end up unusable, so it is important to get the correct version of FTS4BT (the one containing airsnifferdev4*bc4.dfu); the latest versions available for download won't do.

After carrying out these operations successfully, you can see the Bluetooth adapter is in RAW mode. (You may need to unplug it and plug it back in.)

The RX and TX bytes should keep rising.

You can also check it works by running frontline, the tool published by Andrea (aka sorbo) that lets you send commands to a hardware sniffer.

The time should keep increasing.

You've got it!

Now you could use the Bluetooth USB adapter as the hardware for the FTS4BT sniffer and start sniffing, but for that you need the commercial package registered with that adapter (although you can always change the adapter's BD_ADDR ;)).

You can find more information at these links: