
Pen Testing and Bluetooth

Table of Contents

Bluetooth ........ 2
Bluetooth ........ 3
Bluetooth Attacks – Eavesdropping ........ 7
Notices ........ 8

Page 1 of 8
Bluetooth

42

**042 And let's talk quickly about Bluetooth.

Bluetooth

IEEE 802.15 – short distance / personal area network
Link keys are used to send the traffic between devices after pairing is completed.
• Link keys can be compromised and enable devices that were never paired to communicate.
— Man-in-the-middle attacks
— Denial of Service attacks

43

**043 This is our last topic as part of the wireless.

Six years ago, eight years ago, there were a whole bunch of Bluetooth vulnerabilities. Right? Every phone that came out was vulnerable to something or other.

Phones were never patched, because, you know, they had old implementations of Bluetooth in it that were vulnerable to something. Nobody ever updated them. It was a big deal.

Today, though, there's not a whole lot of technical vulnerabilities with Bluetooth. They still occur every now and then. But not nearly as much as they used to.

So generally, if you're trying to break into
Bluetooth systems now as a pen tester,
you're pretty much limited to trying to
either compromise the link keys or get in
the middle of the pairing process. Those
are generally your two attack vectors that
you can do.

Is Bluetooth really an attack vector for you as a pen tester?

Student: Could be.

Chris Evans: Could be? It depends. Right? So you can see from the information here it's a Personal Area Network, so you have to be within five, ten, fifteen feet of somebody in order to do any types of attacks. That's pretty close.

But who knows, maybe you've put something under a desk that automates the process for you, and it just takes advantage of anybody walking by. I don't know. There's all sorts of fun stuff you can do with this.

Student: Do you know anything about the SaferPlus that goes-- it's the encryption for Bluetooth-- how good it is?

Chris Evans: Mm uhm.

Student: Okay.

Chris Evans: Nah, I can't speak to that.

Student: I heard. I knew it's Bluetooth, you know, because of the not being very secure, they added something called SaferPlus to it. Which helps it out. I don't understand that much about it. I heard.

Chris Evans: Nope. I think that from a pen
testing perspective, what can you actually
get off of a device that supports
Bluetooth?

Student: Contacts.

Chris Evans: Contacts.

Student: Banking apps. You know, email.

Chris Evans: Email, maybe. It really depends on the phone, whether you have access to that. But certainly the contact list. That can be dumped out.

Student: Or even earlier, you know, people connecting their phone, in like rental cars, in cars, a lot of times they give us way more access to their life than they're even aware of through the screen.

Chris Evans: Yep.

Student: You can use your GPS, for instance, on a lot of them. So there's other instances that are linked in your phone that you're not even aware of.

Chris Evans: Yep. So I will say that it's very phone dependent. And I will say that it, again, depends if you're doing a pen test, whether you really want to go after Bluetooth or not.

Personally, I haven't had the need to. Because there are usually easier ways to get what I need than trying to go after somebody's smart phone. But it is conceivable that you could be hired to do a smart phone, or mobile device, pen test. How would you do that?

Student: Steal the phone. It's a million
times easier.

Student: Change your MAC address.

Chris Evans: Change your MAC address.

Student: You know, to meet whatever hardware that came up on your scanner or your sniffer. Sorry.

Chris Evans: Well, from an IP perspective, yes, but not necessarily for Bluetooth.

Student: Okay.

Chris Evans: So yeah, it would be a lot easier to steal the phone. But sometimes your ROE says you can't steal things from people. Not trying to play devil's advocate here. But the pen tests that I've done I haven't been allowed to steal things.

So even if it's sitting there in the open, and it looks so inviting, I could just, you know, "I can't." But you're right.

So why go through all this Bluetooth mumbo-jumbo if all you can do is just walk up and take the phone and go get what you need out of it, and then toss it back on the guy's desk? Yep, maybe.

But from the pen test perspective, you can do generally the pairing process, and the link keys are what you're going to target if you're going after this from the network side.

Bluetooth Attacks – Eavesdropping

Eavesdropping, recording, and even audio injection all with a Bluetooth connection using a “guessed” pairing PIN

[Slide diagram: external antenna connected to a Bluetooth dongle]

Attacker’s smartphone controls a PC over Wi-Fi, which locates BT devices, tries default PINs looking for a connection, and gives control to the attacker.

44

**044 Here's a notional little setup. If you were actually going to go do this, how you would actually control it. And yes, there is hardware available for you to do this. Requires a phone, and a PC generally. And there's a software suite out there that you can run that will look for Bluetooth devices, try the default pins on it, and it'll even try to brute force the pairing process as well.

So if you really want to get access to the, you know, the guy's phone, so you can listen in on his headset or something like that, then this is the setup for you.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below.
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their
own individual study. Except for the U.S. government purposes described below, this material SHALL NOT
be reproduced or used in any other manner without requesting formal permission from the Software
Engineering Institute at permission@sei.cmu.edu.

This material is based upon work funded and supported by the Department of Defense under Contract No.
FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute,
a federally funded research and development center.
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material
are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and
DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material
or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S.
Government purposes, the SEI recommends attendance to ensure proper understanding.
NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON
DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED
TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF
THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
CERT® is a registered mark of Carnegie Mellon University.
