Breaking the pair relationship between two remote devices

Sniffing and cracking the secret Bluetooth link key shared between two remote devices is only possible if the attacker can sniff the pairing process successfully. This means there's no way to sniff and crack the Bluetooth link key if both devices are already paired up, since they will follow the Challenge-Response authentication process.

If you find this scenario, it'd be interesting if you could break the pair relationship between both devices and force them to repeat the pairing process. Then you'll have the chance to sniff and crack the new link key.

Shaked and Wool Re-Pairing attack, the theory.

Long time ago Yaniv Shaked and Avishai Wool published a paper explaining how to cryptographically crack the Bluetooth PIN. I quote:

5.2 Attack details

Assume that two Bluetooth devices that have already been paired before now intend to establish communication again. This means that they don't need to create the link key Kab again, since they have already created and stored it before. They proceed directly to the Authentication phase (...). We describe three different methods that can be used to force the devices to repeat the pairing process. The efficiency of each method depends on the implementation of the Bluetooth core in the device under attack. These methods appear in order of efficiency:

1. Since the devices skipped the pairing process and proceeded directly to the Authentication phase, the master device sends the slave an AU_RAND message, and expects the SRES message in return. Note that Bluetooth specifications allow a Bluetooth device to forget a link key. In such a case, the slave sends an LMP_not_accepted message in return, to let the master know it has forgotten the link key (...). Therefore, after the master device has sent the AU_RAND message to the slave, the attacker injects a LMP_not_accepted message toward the master. The master will be convinced that the slave has lost the link key and pairing will be restarted (...). Restarting the pairing procedure causes the master to discard the link key (...). This assures pairing must be done before devices can authenticate again.
   
   
2. At the beginning of the Authentication phase, the master device is supposed to send the AU_RAND to the slave. If before doing so, the attacker injects a IN_RAND message toward the slave, the slave device will be convinced the master has lost the link key and pairing is restarted. This will cause the connection establishment to restart.
   
   
3. During the Authentication phase, the master device sends the slave an AU_RAND message, and expects a SRES message in return. If, after the master has sent the AU_RAND message, an attacker injects a random SRES message toward the master, this will cause the Authentication phase to restart, and repeated attempts will be made (...). At some point, after a certain number of failed authentication attempts, the master device is expected to declare that the authentication procedure has failed (implementation dependent) and initiate pairing (...).
   

The three methods described above cause one of the devices to discard its link key. This assures the pairing process will occur during the next connection establishment, so the attacker will be able to eavesdrop on the entire process, and use the method described in Section 3 to crack the PIN.

Spoofing the wrong link key, the practice.

Shaked and Wool attack looks nice and smart, but method 3 can be described in a much easier way: You just need to spoof one device's BD_ADDR and provide a wrong Bluetooth link key when authenticating in some other device's Bluetooth profile. Trust relationship will be broken for security reasons and the stored link key deleted.

Let's see this with an example:

You discover two remote devices, a mobile phone and a PDA. You'd like to obtain the secret shared Bluetooth link key, however both devices are already paired up.





If any of the devices establishes a connection with the other one, they will follow a Challenge-Response process to validate the authentication mechanism.

In order to break the pair relationship, you need to spoof one of them first (spoof its BD_ADDR). Let's say you choose to spoof the mobile phone...



Then, you need to install a random Bluetooth link key in the system.



From now on whenever you try to establish a connection with any Bluetooth profile requiring authentication in the PDA (the other device) the stored link key will be used in the Challenge-Response process.

The link key provided is wrong, so the Challenge-Response process will fail.


The attacker tries to connect the OBEX FTP profile in the PDA, which requires authentication.

For security reasons, the trust relationship will be broken and the stored link key will be deleted in the PDA.



If the mobile phone now tries to establish a connection with the PDA, the devices won't follow the Challenge-Response authentication process; they will need to repeat the pairing process.



And you will be there to sniff and crack the new Bluetooth link key. ;)

Sniffing the Bluetooth pairing

With the help of a Bluetooth sniffer it is possible to eavesdrop the Pairing process and obtain the secret link key shared between two remote devices.



The attacker may use two Bluetooth dongles, a standard adapter to perform operations such as inquiry and scan for devices nearby, and a sniffer adapter to capture the packets.



Then, discover two random devices before they initiate the pairing process.



Andrea Bittau published a frontline software that can be used to send commands and operate the hardware sniffer.





At this time, the remote devices can begin the pairing process, packets generated will be captured by the sniffer.







Among all the packets captured you may find the keys created for the Bluetooth link key generation and therefore obtain it.





OpenCiphers' Bluetooth Pin Cracking Core or BTCrack PIN Cracker by Thierry Zoller can be used to crack the link key from the sniffed keys.



We can check the cracked link key, Kab, is the same shared by the remote devices.



Once you own the Bluetooth link key, you can perform the BD_ADDR spoofing attack and use it to access to profiles requiring authorization/authentication in both devices, such as OBEX FTP Profile, which allows you to send files, get files and list directories in the mobile phone.





And the Dial Up Networking Profile, which allows you to send AT Commands to the mobile phone.





Bluetooth security is now broken. However, keep in mind that performing this attack in the real world is almost impossible. The attacker must find two devices right before they initiate the pairing process and know which one is playing the master role in the piconet in advance. This is more like a Proof of Concept.

Sniffando el emparejamiento Bluetooth

Con la ayuda de un sniffer Bluetooth sería posible escuchar el emparejamiento de dos dispositivos Bluetooth y obtener la clave de enlace que comparten.



Un atacante podría utilizar dos módulos Bluetooth, un adaptador convencional para realizar operaciones tales como búsqueda y detección de dispositivos cercanos, y un adaptador sniffer para capturar los paquetes.



En primer lugar, detectar dos dispositivos cualesquiera que estén a punto de iniciar el proceso de emparejamiento.



Luego utilizar la herramienta frontline que desarrolló Andrea Bittau, la cual permite enviar comandos y operar un hardware sniffer.





En este punto, los dispositivos Bluetooth remotos pueden comenzar el proceso de emparejamiento, los paquetes generados serán capturados por el sniffer.







Entre todos los paquetes capturados, podemos encontrar las claves temporales creadas durante el proceso de emparejamiento para generar la clave de enlace y, por consiguiente, llegar a obtener la misma.





Podemos utilizar el Bluetooth Pin Cracking Core de OpenCiphers o el BTCrack PIN Cracker de Thierry Zoller para crackear la clave de enlace Bluetooth a partir de las claves temporales capturadas.



Es fácil comprobar si la clave crackeada corresponde con la clave de enlace que realmente comparten los dispositivos remotos.



Una vez que la clave de enlace Bluetooth está en nuestra posesión, podemos llevar a cabo el ataque BD_ADDR spoofing y utilizar esta clave para acceder a perfiles que requieran autorización/autenticación en cualquiera de los dispositivos, como por ejemplo el perfil de OBEX FTP para Transferencia de Archivos, que permite enviar y descargar archivos del teléfono móvil así como listar directorios.





Y el perfil de Acceso Telefónico a Redes, que permite enviar comandos AT al teléfono móvil.





Con esto se ha conseguido romper la seguridad en Bluetooth. No obstante, resulta casi imposible reproducir este ataque en el mundo real. El atacante necesitaría encontrar dos dispositivos justo en el momento previo al emparejamiento y saber de antemano cual de los dos juega el papel de maestro en la piconet. Se trata más bien de una Prueba de Concepto.

BD_ADDR spoofing attack

One of the major security issues in Bluetooth is the BD_ADDR spoofing. Taking a look at the spec you can see how simple are the security mechanisms implemented by Bluetooth technology: authorization and authentication.

3.2.1 Authorisation and Authentication
Authorisation is the process of deciding if device X is allowed to have access to service Y. This is where the concept of ‘trusted’ exists. Trusted devices (authenticated and indicated as “trusted”), are allowed access to services.
3.2.2 Security Levels of Services
Authorisation Required: Access is only granted automatically to trusted devices (i.e., devices marked as such in the device database) or untrusted devices after an authorisation procedure.

Source: 3.2 Security Levels – Bluetooth Security Architecture Version 1.0 (www.bluetooth.com)

That means that the authorization mechanism is based only in the BD_ADDR of the devices, if the BD_ADDR exists in the trusted devices list, got access granted.

4.2.1 Authentication
The authentication procedure is based on a challenge-response scheme […]. The verifier sends […] a random number (the challenge) to the claimant. The claimant calculates a response, that is a function of this challenge, the claimant’s BD_ADDR and a secret key. The response is sent back to the verifier, that checks if the response was correct or not. […] A successful calculation of the authentication response requires that two devices share a secret key.

Source: 4.2 Security - Core v2.0 + EDR (www.bluetooth.org, available for SIG members)

That means that the authentication mechanism is based only in the BD_ADDR and the shared secret link key.

Some interesting questions show up... :)

• What happens if an attacker spoofs some trusted device's BD_ADDR? Is he autorized to connect the remote device?
• What happens if an attacker gets access to a secret link key shared between two devices? Can it be used to authenticate on both of them?

Yes, you can.

The BD_ADDR spoofing attack.

The BD_ADDR spoofing attack allows an attacker to masquerade as some trusted/paired device and use the credentials to gain access to profiles requiring authorization/authentication in a remote mobile phone.


The BD_ADDR spoofing attack can be developed in two levels:

• Spoofing the BD_ADDR of some trusted device to access profiles requiring authorization.
• Spoofing the BD_ADDR and obtaining the shared secret link key generated during the pair up to access profiles requiring authentication.

The scope of such attack can be:

• Sending AT commands to the mobile phone
• Sending / Getting files from the mobile phone
  

Practical scenario.

Let's create a scenario with a Sony-Ericcson phone paired up with a a Dell Axim PDA. The HTC Shift will spoof the PDA's identity to attack the mobile phone.





First, you discover the devices.



If you try to establish any connection with the mobile phone, it's sure that the user will deny it since it's coming from an unknown device.



So, in order the HTC Shift can impersonate the PDA you need to spoof its BD_ADDR.



And obtain the secret link key shared between the PDA and the mobile phone.



At this time, we're not discussing ways to obtaining the link key, let's say you simply get (physical or virtual) access to it in the PDA. After, you install the key on Ubuntu.



Finally you gain free access to profiles requiring authorization/authentication.

For instance, the OBEX FTP Profile, which allows you to send files, get files and list directories in the mobile phone.





For instance, the Dial Up Networking Profile, which allows you to send AT Commands to the mobile phone.