
Ubertooth is so Sweet, it hurts!

May 26, 2011 in Security


Finally my Ubertooth One came in!!!!  What is an Ubertooth One, you ask? Project Ubertooth [by Michael Ossmann] is an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation.

So the problem with current Bluetooth devices, such as this one I have used before for pentesting [http://www.amazon.com/Azio-BTD-V201-Micro-Bluetooth-Adapter/dp/B003765X38], is that they can only find those Bluetooth devices that are in discovery mode.  I won’t go into the details of Bluetooth weaknesses now, but it used to be that you could just tell your customers to make sure to leave their devices with discovery mode disabled… but not anymore.

When a device is in discovery mode, it actively broadcasts an abundant amount of information about itself and makes itself visible for anyone to connect to.  After two devices have connected to each other, you can turn off discovery mode, and those devices that have previously connected to each other will still be able to connect.  Any new device won’t be able to connect to yours until it is once again put in discovery mode.

The thing lacking in today’s Bluetooth pentesting world is that cheap equipment and tools like those available for 802.11 just don’t exist. Most 802.11 Wi-Fi devices these days have the ability to actively monitor and inject into wireless networks.  Bluetooth devices, on the other hand, currently don’t have the ability to cheaply monitor the Bluetooth spectrum (that is, to put a Bluetooth device into monitor mode).  If it were possible, this would allow an attacker/pentester to actively monitor any Bluetooth traffic.

There have been some devices, like the USRP (http://en.wikipedia.org/wiki/Universal_Software_Radio_Peripheral), which allow you to read/write/monitor traffic across a large part of the wireless spectrum.  The problem is that these devices cost over $1000 and the frequency modules are sold separately. That is why the Ubertooth is a great addition to the security world.

The Ubertooth device is sold at http://www.greatscottgadgets.com/ for a little over $100.  What can this device do?  It is a USB device that can both monitor and potentially inject packets into Bluetooth traffic.  So here are some pictures of my device out of the box:

https://www.securepla.net/wp-content/uploads/2011/05/1.jpg
https://www.securepla.net/wp-content/uploads/2011/05/2.jpg

Installation was pretty straightforward, as long as you RTFM.  Pretty much install all the dependencies stated in the README files (the only one I had trouble with was pyusb; you can use this version: http://sourceforge.net/projects/pyusb/files/PyUSB%201.0/1.0.0-alpha-1/), install Kismet, install the Ubertooth plugin, and run Kismet!

Once I had all the correct dependencies installed, I ran the basic spectrum analyzer that came with Ubertooth.  Images below [OooOOooOOO]:

https://www.securepla.net/wp-content/uploads/2011/05/3.jpg

After that I set up Kismet, activated the plugin, and boom, I was sniffing Bluetooth.

https://www.securepla.net/wp-content/uploads/2011/05/4.jpg

I then took the output from Kismet and dumped it into Wireshark:

https://www.securepla.net/wp-content/uploads/2011/05/5.jpg

The issue with capturing a full conversation is that Bluetooth works by hopping between 79 different channels (1600 times a second). As long as you can figure out the hopping pattern the two devices are using, you will be able to get full packet captures. Hopefully I’ll be able to show you this in one of my future posts.

One important thing to note from Michael Ossmann:

Notice that Kismet-Ubertooth identifies not only the LAP but also the 8 bit Upper Address Part (UAP) of detected devices as it is able. This is done by analyzing the timing and other characteristics of multiple packets over time. Another advantage of Kismet is that it dumps complete decoded packets to a pcapbtbb file that can be read with a Wireshark plugin that is distributed with libbtbb. Full packet decoding is only possible when the packet’s UAP has been determined. http://ubertooth.sourceforge.net/usage/start/
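The reason the UAP can be worked out at all, as an added example that is not code from this post, from Ubertooth or from libbtbb: the header error check (HEC) on every packet is a CRC whose register is preloaded with the sender's UAP, so a sniffer holding a dewhitened header and its HEC can brute-force the single UAP that fits, and a majority vote over several packets tolerates corrupted captures. Clock recovery and dewhitening (the "timing" part of the note above) are assumed already done, and the LSB-first bit order is an assumption of mine, not something the page or the spec text here confirms.

```python
import random
from collections import Counter

HEC_POLY = 0xA7  # g(D) = D^8 + D^7 + D^5 + D^2 + D + 1 (647 octal); D^8 is the register width

def int_to_bits(v, n):
    """LSB-first bit list; the exact on-air bit order is an assumption here."""
    return [(v >> i) & 1 for i in range(n)]

def bits_to_int(bits):
    return sum(b << i for i, b in enumerate(bits))

def hec(header_bits, uap):
    """Header error check: 8-bit CRC LFSR clocked over the 10 header bits with
    the register preloaded with the UAP. For a fixed header it is a bijection
    of the UAP, which is exactly what lets a sniffer recover the UAP."""
    reg = uap & 0xFF
    for b in header_bits:
        feedback = ((reg >> 7) & 1) ^ b
        reg = ((reg << 1) & 0xFF) ^ (HEC_POLY if feedback else 0)
    return reg

def uap_from_header(header_bits, hec_seen):
    """Sniffer side: try all 256 UAPs and keep the one whose HEC matches.
    Tuple unpacking raises if the bijection assumption ever fails."""
    (u,) = [u for u in range(256) if hec(header_bits, u) == hec_seen]
    return u

def vote_uap(captures):
    """Each capture is 18 dewhitened bits (10 header + 8 HEC). A corrupted
    capture still yields some UAP, just a wrong one, so decide by majority."""
    votes = Counter(uap_from_header(bits[:10], bits_to_int(bits[10:])) for bits in captures)
    best, count = votes.most_common(1)[0]
    return best, count, len(captures)

def constructed_capture(uap, n_packets, corrupt, seed=3):
    """Constructed sample (not a real capture): n_packets random headers from one
    device, with one bit flipped in each capture listed in `corrupt` (index -> bit)."""
    rng = random.Random(seed)
    out = []
    for i in range(n_packets):
        hdr = int_to_bits(rng.getrandbits(10), 10)
        bits = hdr + int_to_bits(hec(hdr, uap), 8)
        if i in corrupt:
            bits[corrupt[i]] ^= 1  # simulate a bit error that survived FEC
        out.append(bits)
    return out
```

A single-bit error anywhere in the 18 bits always maps to a wrong UAP (a CRC detects every single-bit error), which is why the vote, not any one packet, is what Kismet-Ubertooth should be trusted on.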

More Information Here: http://www.kickstarter.com/projects/mossmann/ubertooth-one-an-open-source-bluetooth-test-tool

Now go buy your own!

-Cheetz