The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Reports from Blackhat

Posted by Xavier Ashe on August 4, 2006

I am sure that every has heard about Hijacking a Macbook in 60 Seconds or Less, if not go see the video.  You might need to download a 129 Meg patch.  It applys to Intel Wi-Fi device drivers.  But I get into arguments all the time with my fellow geeks about why I am so lame to use a wired cell phone ear piece when there are all those cool bluetooth earpieces.  Besides the fact it drains the battery quicker, I also read the Trifinite Blog.  The Trifinite group do some interesting research, including plenty of bluetooth fun.  Today, SecurityMonkey posted his day 2 at Blackhat which inculded two presentations on Bluetooth.  Here's some highlights.  Read the full post for all the goodies.

The BlueBag: A Mobile, Covert Bluetooth Attack and Infection Device – Claudio Merloni & Luca Carettoni

The
BlueBag is a sweet creation. It's a simple PC in a suitcase run off of
a lead-cell battery. It runs Gentoo Linux, and has access to a several
USB dongle bluetooth cards.

First day, found 1045 or so devices:
93% Mobile phones, 3% PCs, 2%PDAs, 1% GPS, 1% other.
Of phones, 60% were Nokia, 14% were SonyEricsson, 7% were Samsung, 1.8% Motorola

Visibility
time (the time a device has been in range of BlueBag): shopping mall –
12.3s, university, 10s, airport 23s, bank 14.4s. The visibility time is
very important – this is how much time you have to hack the device with
the BlueBag. You want a longer time if possible.

Bluetooth Defense Kit – Bruce Potter

Bruce
is still the most entertaining speaker on the BH circuit. The man just
cracks me up, and has a knack for pointing out the obvious. He's the
only speaker that I've seen during this event that prefers to not wear
shoes on stage.

Want to protect yourself? Turn discoverable off!

POINT: Most problems with bluetooth are implementation problems, not problems with the protocol.

Refresh of AT commands (you remember these, right?). These are used to control some devices across an RFCOMM connection.

Discoverable mode: when a device wants to be found, it will respond to inquiries

Service Discovery: a bit like port scanning but the remote end doesn't hide anything.

Holy crap: As of November 2005, 9.5M BT radios are shipping every week! Probably higher now.

Contemporary Bluetooth Attacks:
– Rush to market leads to poor security
– Super complicated protocol stack leads to poor security
– Lack of security training for developers leads to poor security

Trifinite.org has lots of attack tools
– Example: Bluediving (bluediving.sourceforge.net) has Linux based implementation of most of tools

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: