
Thank you very much, Martin, thanks for having me, thanks for being here. So this is about Bluetooth, or let's say advanced Bluetooth device detection, and it's called Peekaboo. So, who am I? I'm a founder of the trifinite group, I'm a member of the professional services team at Greenbone Networks, a company which is a vendor of vulnerability management solutions, and there's my own company. And it turns out my whole life, my whole professional life, seems to revolve around coloured body parts: it's Bluetooth, Greenbone and red eyes, we know that, right?

So what is going to happen within this talk? First I will give you a very short, very superficial Bluetooth technology overview. We're not here to talk about tech details today; this is a very low-level talk, just to get people who are interested started with low effort, right? Then I will talk about Bluetooth security, like the last 20 years maybe, giving a very superficial overview here, and then to the core of the talk: Bluetooth device discovery. At the end of the talk I will present project Peekaboo to you.

[Music]

So the situation at the moment. Just raise your hand if you have a Bluetooth device with you, or Bluetooth enabled there. So it's pretty much everybody. And who did not turn Bluetooth on, not just for this talk but in general, who did not turn it on? Raise your hands. All right, so it's half of you. There's a statistic out there that I just dug up yesterday, it says 20% of all Europeans turn on their Bluetooth usually; in the States it's 40%. But I guess with all this new technology coming up, like wearables, like smartwatches, people will increasingly turn their Bluetooth on, which is good and bad in a way. Well, there are worldwide 10 billion Bluetooth-enabled devices, whereas a big portion of them are smartphones, and of course cars all have Bluetooth, and the Bluetooth SIG themselves say that audio streaming for Bluetooth is like the killer application. So everybody, or many, many people, use Bluetooth to stream their audio from their phones to their headsets. And there are new fields of adoption coming up, so there's a lot, and we will hear about medical devices today as well. With the advent of Bluetooth Low Energy, or what the Bluetooth SIG is calling it, Bluetooth Smart, there are a lot of new application fields in the medical sector, and of course there's the Internet of Things, where this new feature, mesh networking functionality, is included in Bluetooth 5.0, and recently 5.1 got released, so there are a lot of features targeting the IoT market. So there's more to come.

And as said, this is very superficial. So in the early 2000s we had a few profile-based attacks and some protocol-specific things. These were the times when the trifinite group, which I'm a member, or founding member, of, did a lot of Bluetooth security work, and of course we were not the only ones. Later on we had, for example, Michael Ossmann, who entered the field by SDR sniffing Bluetooth traffic, I will mention him once more today, and also Dominic Spill and his colleague Mark. In the early 2010s we saw a lot of protocol attacks, but very recently we see a lot of very down-to-the-chip-based attacks, which are very sophisticated and require a lot of knowledge about hardware and everything.

And just to pick a few highlights: there was the BlueBorne attack in 2017, which I found to be really harsh. Why is that? Because it was a buffer overflow vulnerability in the L2CAP protocol, which basically every Bluetooth Classic device is using, and it was there in the kind of reference implementation, and everybody was vulnerable to this specific issue, which allowed code execution on the target device. To me, where I was away from the Bluetooth topic, this was just a shocker, to see that this is still out there and nobody had looked at that before. And what we see a lot, especially with Bluetooth Low Energy, there are a lot of devices out there that implement their own kind of interface in order to talk to apps, and they're usually very poorly implemented, except you have a brand product where the reputation loss would be damaging to the company selling this product, but usually Chinese-based manufacturers don't care a lot.

So this all boils down to Bluetooth device discovery. If you want to tinker with a device that is Bluetooth-enabled, you would first have to find it, and back then in the old days the Bluetooth inquiry scan just did that: you just turned on your laptop and searched for devices, and usually back then devices were all visible and all available for you to connect to. And there's even an urban legend, who has heard about toothing? All right, so toothing was allegedly sex dating in the Metro, or not Metro, in the subway of London, where people would offer their personal services via Bluetooth name and people were just able to find each other in a peer-to-peer fashion. I'm not sure if this was the reason for making devices invisible by default, but this is the common standard now: if you have a Bluetooth device it's most likely not visible when you just turn it on. You will be able to switch it to visible once you want to pair it to another device and so on, but usually it's not visible anymore. So a lot less fun in the subway then.

And researchers came up with all kinds of different methods for device discovery, but most of them are pretty costly: they need specialised hardware, or at least they're not very simple setups. Usually you would have to have a lot of knowledge about radio protocols and sniffing them and so on, so Bluetooth is not easy to sniff. But before we talk about Bluetooth device discovery we have to know what it's all about, and it's all about the Bluetooth device address. For Bluetooth Classic devices, which are like the old legacy version devices of Bluetooth, there are six bytes, and they look like a MAC address: they have six bytes, separated by dashes or colons, and usually the first three bytes of this address are assigned by the OUI table, it's like an IEEE thing, I think it's IEEE, and they collect and sell these prefixes to companies who want to produce Bluetooth devices and also network devices. And a Bluetooth address is now built upon these six bytes, whereas the last three bytes are the lower address part, which is kind of half of the address already, and these are usually assigned by the device manufacturers randomly. The third byte from the left is the so-called UAP, the upper address part, and the two bytes to the very left are the non-significant address part, and we learned later on that these are really non-significant to the Bluetooth protocol.

All right, so as mentioned earlier there has been what I consider the gold standard for Bluetooth device discovery, and this is detailed in a talk from 2009, I think it was at DEF CON 17, it was called "Bluetooth smells like chicken". The approach they had there was: they calculated the hopping sequence, they were sniffing packets with software-defined radio solutions like here on the right, which is the USRP, GNU Radio kind of stuff, the USRP is from Ettus Research, and of course nowadays there are all kinds of devices like HackRF, and then Ubertooth and YARD Stick from Great Scott Gadgets. I mean, what they did was pretty complicated, in a way that you would have to have at least some of these hardware components, and of course you would have to understand the protocol. So the method they used was very sophisticated, and it's available on GitHub, I guess, so it's easy to replicate, but still you need a lot. And I thought, two years ago, or two and a half years ago, I thought there should be an easier approach to sniffing, or to discovering, Bluetooth devices, because there were almost ten years of no improvement in this field. And the chicken method has some downsides: the Bluetooth interface you want to discover has to be communicating, duh, and of course it's a very complicated setup, and it takes those people out of the equation that just want to play with Bluetooth and maybe find some other devices around in order to send them something. So this is kind of high-profile, and as there's a worldwide trend going on at the moment, we see that in the USA, everywhere in politics there's a big dumbing-down effect currently taking place, and that's why I started, in late 2016, that's when Trump was elected, I also started dumbing down stuff myself.

So the goal was to find a less sophisticated, cheaper way to discover Bluetooth devices, and this is not about esoterics, sorry to say that, but it's about duality. The core idea of discovering Bluetooth devices with Peekaboo is that usually devices share the same SoC, so Wi-Fi and Bluetooth are on the same chip. That means that the OUI in the beginning of the device address usually is the same as for other interfaces on this device: same vendor, same OUI prefix, right? And so knowing the Wi-Fi MAC obviously is knowing 50% of the BD address, and then again you have the random 3 bytes, which often have an offset from the Wi-Fi MAC which is constant, not all the time, but often. So knowing the offset of the Wi-Fi MAC to the BD address is like guessing the other 50%. And there was even a mention in the book from an old friend: in 2015 Joshua Wright co-wrote Hacking Exposed Wireless, and he's mentioning that Apple iPhones usually have an offset of 1 in the address.

So starting with this, this was around the time when it was popular to see all the Wi-Fi probe requests and collect them. I thought, well, everybody is telling me their Wi-Fi MAC, so what can I do with that? And I tell you what I did: I went to all kinds of retailer stores and took pictures of the device next to the vendor sign, and usually it's saying the MAC address of the Wi-Fi and the Bluetooth address; once you have turned it on you can see both of these addresses. I snapped pictures and added that information to my own spreadsheet, and see what I discovered: the address offsets are, for the majority of devices, very small. So we have on the one hand a very high offset sometimes, but you see these vendors in the middle, Huawei, Apple, Samsung, almost all of them are in this very certain area of offsets. And then again you see the market share by manufacturer, so this shows what the major handset manufacturers are, and you can see that Samsung, Huawei and Apple are just the top three vendors. What does that mean? That means it's easy, for a lot of devices out there, to guess what the offset is, and so to speak how to find the Bluetooth address. And I used to have a OnePlus 3, which had a zero offset from Wi-Fi to Bluetooth, which I think is not even legal. Apple usually uses minus one, so if you subtract the Bluetooth address from the Wi-Fi address, and Huawei has some odd values here, like minus 2501, 2001, 3001, so it's not random, right? These are classes of offsets. Samsung uses minus one. But there's something ugly I will talk about here: sometimes devices do have different OUIs, so I called this address space entanglements, because the one part, the Wi-Fi MAC, has the left OUI, and on the right side you see the OUI of the Bluetooth address, so in some cases this is not the same, and I'm not really sure why this is so. Maybe this is because of manufacturing logistics, or maybe it's because I usually photograph new devices that were on the shelves just recently, so maybe the manufacturers were just having small batches of production and were using up old orphaned MAC addresses there. I don't really know the reason for that, but it happens. It's not the majority, but still you find these entanglements a lot.
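The address arithmetic the speaker describes, as an added worked example in Python that is not code from the talk or from the Peekaboo app. It splits a BD_ADDR into NAP/UAP/LAP, defines the offset the way the talk does (Wi-Fi MAC minus BD_ADDR, so Apple's "minus one" means the Bluetooth address is the Wi-Fi MAC plus one), learns per-OUI offsets from a survey table standing in for the photographed spreadsheet while setting aside pairs whose OUIs differ (the entanglements), turns a collected Wi-Fi MAC into candidate BD_ADDRs the way the speaker's method B and the app's plus/minus-one guessing do, and checks candidates against LAPs a sniffer saw on air, which is the correlation of method A described later in the talk. All addresses, OUIs and offsets in it are constructed for the example and are not real devices or vendors.

```python
# Added example, not code from the talk or the Peekaboo app.
# Shows the BD_ADDR layout (NAP/UAP/LAP), the Wi-Fi MAC -> BD_ADDR offset
# as defined in the talk, learning per-OUI offsets from a survey table,
# guessing candidate BD_ADDRs from a Wi-Fi MAC, and checking them against
# LAPs seen on air. All addresses below are constructed, not real devices.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ADDR_MASK = (1 << 48) - 1


def parse_addr(text: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF' or 'AA-BB-CC-DD-EE-FF' into a 48-bit integer."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 6-byte address: {text!r}")
    return int("".join(parts), 16)


def fmt_addr(addr: int) -> str:
    """Render a 48-bit integer as colon-separated upper-case hex."""
    return ":".join(f"{(addr >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def split_bd_addr(addr: int) -> Tuple[int, int, int]:
    """NAP (upper 2 bytes), UAP (3rd byte), LAP (lower 3 bytes) of a BD_ADDR."""
    return (addr >> 32) & 0xFFFF, (addr >> 24) & 0xFF, addr & 0xFFFFFF


def oui(addr: int) -> int:
    """The vendor prefix: NAP plus UAP, i.e. the upper 3 bytes."""
    return addr >> 24


def offset(wifi_mac: int, bd_addr: int) -> int:
    """Offset as defined in the talk: Wi-Fi MAC minus BD_ADDR.

    So "Apple uses -1" means the BD_ADDR is the Wi-Fi MAC plus one.
    """
    return wifi_mac - bd_addr


def learn_offsets(survey: Iterable[Tuple[str, str]]):
    """Build the per-OUI offset table from (wifi_mac, bd_addr) pairs.

    Pairs whose Wi-Fi and Bluetooth OUIs differ ("address space
    entanglements") are returned separately instead of polluting the table.
    """
    table: Dict[int, Set[int]] = defaultdict(set)
    entangled: List[Tuple[str, str]] = []
    for wifi_text, bd_text in survey:
        wifi, bd = parse_addr(wifi_text), parse_addr(bd_text)
        if oui(wifi) != oui(bd):
            entangled.append((wifi_text, bd_text))
            continue
        table[oui(wifi)].add(offset(wifi, bd))
    return dict(table), entangled


def candidates(wifi_text: str, table: Dict[int, Set[int]],
               fallback: Iterable[int] = (1, -1)) -> List[str]:
    """Educated guesses for the BD_ADDR behind a Wi-Fi MAC (method B).

    Uses the offsets learned for the MAC's OUI; an unknown vendor gets the
    plain +1/-1 guesses. Results wrap inside the 48-bit address space.
    """
    wifi = parse_addr(wifi_text)
    offsets = table.get(oui(wifi)) or set(fallback)
    return [fmt_addr((wifi - off) & ADDR_MASK) for off in sorted(offsets)]


def match_laps(candidate_texts: Iterable[str], observed_laps: Set[int]) -> List[str]:
    """Keep the guesses whose LAP a sniffer (e.g. Ubertooth) saw on air (method A)."""
    return [c for c in candidate_texts
            if split_bd_addr(parse_addr(c))[2] in observed_laps]


# Constructed stand-in for the photographed-in-the-shop spreadsheet.
SURVEY = [
    ("AA:11:22:00:00:10", "AA:11:22:00:00:11"),  # BD = Wi-Fi + 1  -> offset -1
    ("AA:11:22:00:10:40", "AA:11:22:00:10:41"),  # same vendor, same offset
    ("BB:33:44:00:20:00", "BB:33:44:00:20:00"),  # zero offset
    ("CC:55:66:00:30:01", "CC:55:66:00:39:C6"),  # larger constant offset (-2501)
    ("DD:77:88:00:00:05", "EE:99:AA:00:00:04"),  # entangled: different OUIs
]

if __name__ == "__main__":
    table, entangled = learn_offsets(SURVEY)
    for vendor, offs in table.items():
        print(f"OUI {vendor:06X}: offsets {sorted(offs)}")
    print("entangled pairs:", entangled)
    probe = "AA:11:22:00:AB:CD"        # constructed Wi-Fi probe source
    guesses = candidates(probe, table)
    seen = {0x00ABCE}                   # constructed LAP from a sniffer
    print(probe, "->", guesses, "confirmed:", match_laps(guesses, seen))
```

The offset is taken over the whole 48-bit value rather than only the lower three bytes, so a learned offset still applies when the LAP carries into the UAP; the entangled pairs are kept apart because their "offset" is really a different OUI, not a vendor pattern.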
So the new task is not to find Bluetooth addresses anymore, the new task is to find Wi-Fi MAC addresses, and usually this is easier. There are known approaches to that: it's Wi-Fi probes, sent out by all kinds of devices, that you can collect; it's using Aircrack-ng, where you can also sniff into encrypted networks to see the MAC addresses being used there; it's by just connecting to public Wi-Fi hotspots, where everybody is able to see everybody else; or by running a rogue access point with a well-known SSID, for example GoogleGuest PSK, you could try that, all the devices that know this SSID will connect and so you will get their MAC address in return. And collecting non-random IPv6 link-local addresses also would work, because these non-randomised versions of these addresses also contain the address of the interface.

So there are existing countermeasures against collecting Wi-Fi MAC addresses, and usually you find them in Android devices a lot, so that's what this research is based on. Android uses, starting with Lollipop I think, a certain OUI prefix plus random bytes for doing Wi-Fi probes, and I wrote that out there, so if you find an address like that you can just ignore it. But it turns out that this probing MAC, I have to drink here, this probing MAC was not always in every request back then, so that was a funny observation. I think they got better with this; I don't know what caused the device to use the original address for probing and sometimes this special ID. And there are also randomised MAC addresses, I found that in the developer options of my Android Pie device, so I don't know if this is standard, I'm using a OnePlus device, not sure if this is something they put in there. But there are also apps out there, that would require you to have root on Android, that would randomise your MAC address when connecting to a Wi-Fi network. In iOS it's default, you say? Good to know. So for a lot of people, not so much for me. Well, and sometimes in Android devices there is a deactivation of network interfaces once they are not used, so this is referring to the Doze feature that saves a lot of energy on Android devices, so this is also a kind of mitigation against this issue, but it's right there. And Wi-Fi access points with client isolation would also not work for getting addresses, let's say the GoogleGuest network, because client isolation is active there, I just tried that before.

So knowing all this I came up with the Beast. The Beast is just a hub with an attached USB Armory which runs Kali Linux, and, I have to mention this, it has a very high power draw; you can start a car with that once your battery is empty, because once you switch on that hub you will get a lot of current flowing, and most battery packs won't be able to provide this kind of energy. So that was the first approach of doing all kinds of scenarios. So what did I do with that? There was the hybrid method A, I call it: just scan for LAPs and smartly correlate Wi-Fi probes with these LAPs. So how did I get these LAPs, these Bluetooth-specific lower address parts? I just used an Ubertooth, having it in promiscuous mode, which then would monitor a few of the 79 channels and grab these lower address parts, and then correlate them in time with the devices that send out probe requests all the time, and just add these parts together and try out whether the device is there or not. The downside of this approach is you need specialised hardware, obviously, and both of the device's interfaces must be communicating for you to see the MAC address of the Wi-Fi interface and to see the lower address part of the Bluetooth interface. And the downside of this method is also you're only able to find devices that have two kinds of interfaces, like usually these are smartphones, tablets, laptops, wearables, not so much Bluetooth-only devices like beacons that only use Bluetooth Low Energy. But it's quite efficient.

So hybrid Bluetooth device detection method B is now a very easy approach. This is based on that list of known offsets that I was presenting earlier: you just scan for Wi-Fi MACs and do the math, kind of, and then you make an educated guess on the BD address and try to connect to it and to ping it and see if it's there. It also has the same downside, it only works for devices which have Wi-Fi and Bluetooth interfaces, but there are a few upsides to that: you don't need special hardware, so the barrier is very low to start searching for Bluetooth devices with this method. And there's another upside, this may be neat for that, more on that later.

But you will now say, well, the title says advanced Bluetooth device discovery, and of course I took this into account, and I've always been curious in that way. So TensorFlow is making that advanced, as many other things as well; so it's machine learning, and the plan is to have two different models for that: one classification model that would, based on the address, tell me, well, there's an offset of 1 or minus 1 or 2500, and the other part is for these randomly generated addresses that maybe follow some rule which is more complicated, and that's why I would like to do a regression model on these addresses as well. So my sample size is way too small, I have 220 different devices, which was a lot of work, but I need more data for doing modelling with TensorFlow.

And there's this proof-of-concept app, which I call Peekaboo, and the logo is a cat, and that can't be a coincidence. So go to the Play Store and save the cat, there are many orphan cat copies out there, give them a home on your phone, please. So it's not yet available in the App Store, but it's on the market in the Google Play Store. And we see shortly what it does, that's a demo. It's just straightforward: I'm starting the app, and now the app scans for Wi-Fi addresses in the same hotspot, so this could be a public hotspot or this could be your rogue access point that you brought with you. And now this takes a little longer, it tries to connect on the Bluetooth level, it does kind of two guesses per device, it's just minus one and plus one for now, because I didn't incorporate a TensorFlow model yet. So to keep things interesting, only the last entry on this list is a match. And by the way, it's not easy to do Bluetooth scans with the Android API, it's not meant to be done there, I think this has to do with privacy concerns. It's not even possible to glean its own addresses from the device: before Android 6 it was possible to get the MAC address from your device, now you would have to get the link-local IPv6 address of your Wi-Fi interface in order to get your own MAC address, and maybe I'm giving things away here, because this is a privacy concern, with this information apps can identify you very closely. And on the other hand the BD address cannot be queried anymore from the API. So what you see here, you didn't hear it, but it said "meow", and this is the way you would teach the system about a new address that is not able to be discovered yet. So I enter here the Bluetooth device address of my tablet, and it's scanning this single device again, and you see the offset here, something around a hundred ninety-six thousand. This is a quick walkthrough of the app, so there are not a lot of things to see. I hope you saw the time up there, that was Sunday at 4:13 a.m., so I did work a lot for this app, and all ahead of time, sure.

So in order to get all this data, I collect from this app: if you scan devices, it will send information back on positives that were identified, and also information about the devices that you provided an address for. And this data is not personal at all: it's using randomised MAC addresses, there's usually an offset added to both addresses so that the offset in between those two addresses stays the same for the learning; the Bluetooth device name, which often holds the model name, is transmitted; and the offered service IDs are collected for later use. These are usually UUIDs referring to things like OBEX Push, kind of offered services via Bluetooth Classic, and maybe we are bringing back the trifinite Blueprinting project, which was all about identifying models by their Bluetooth properties. And yeah, this is also not personal, you have to argue on a GDPR level here, because I'm also collecting the Android advertising ID, which is kind of unique to your device, that can be changed over the course of time, so this is not personal, but it would help me later on to identify double entries with very similar devices that I can then take out of the sample.

And this is what a very minimal version of a rogue access point could look like. This is an el cheapo, I think it's some no-name or whatever access point that I found one day, it has a Chinese interface only, and you can set it to a name and just power it on with a little power bank and bring it along. So I don't want to give you ideas, but maybe this is a new reason to lurk around public hotspot places and see. And here we also have our first endorsement for the product, it's from hip people to hip people. So that's been it. I want to thank my wife Ewa for bearing with me, especially during the last two weekends, I want to thank Greenbone Networks, who is helping me to work on the good side of things, and of course thanks to BSides Munich and all of you for making this possible here. So, are there questions, or maybe
that's your job, Martin, to ask for questions? Are there any questions? I look right over there.

[Audience question] I think the talk... could you shortly elaborate what you can do if you have the MAC address, the Bluetooth MAC address? Maybe I missed it.

I'm glad you're asking, so I prepared for this question. So the question would be: why we collect, or why would somebody collect, Bluetooth addresses? I myself do not present an attack here today, but I have a question FAQ. So why is that? You are familiar with the underwear gnomes, I think; the business model is very similar here: phase one is collect BD addresses, phase two ..., and phase three is profit, right? Does that answer your question? Good, I'm happy.

So any other questions? There must be questions, this is a really interesting talk.

[Audience question] I would have a question, because you mentioned that the Wi-Fi system and the Bluetooth share the same SoC. Is this all like one big SDR device basically in that SoC, or how... have you ever looked at that?

Not really, but there are manufacturers that kind of bundle all these functionalities. I don't know what the core on these devices looks like, but I could imagine that there is crosstalk possible, like on a very low level. There's a question over there, Michael.

[Music]

[Audience question] These microphones are in Bluetooth, so now it works. So, since you're prepared for the first question, my second question is: what other questions have you prepared?

Very good question, I'm glad you're asking. So the other question I prepared for is: why did you use a cat? So cats are sneaky, and so are you when using Peekaboo, and of course there's a very famous example of a cat chasing little blue things, and that is Azrael from The Smurfs. So that's the other question. And then, to be honest, I also have here a list of... oh, wait, something bad happened, who's been hacking me? Yeah, all right. So that was just the bill of materials for the Beast, which is around 300 euros, give or take; there were two Ubertooth dongles, a lot of standard dongles, and that's been it for the Beast. So that was the third question, I appreciate it, thanks for the question.

Are there any other questions? Really, no more questions? Are you all basically frying? Oh, there's a question right over here.

[Audience question] Hi. When you have these addresses, can you ping them directly? So if you know the address, normally you have to discover them; if you have them, do you have software to just ping them and attack them, or something?

Yeah, you can, of course. If you have the address, the standard way under Linux would have been to do an l2ping. That requires the device to be in pageable mode, or to respond to page requests, and there are devices out there, for example my new car doesn't respond to page requests anymore, so that's a hardening measure that no vendor would consider, I guess, because it's like... I have to click here, I don't always click, always clear, always click, I just open up the presentation once more, okay. So there's nothing more to see except my contact details, so in case you have questions afterwards, here we go. So, right, so you would have to ping it. This is not possible under Android, you have a very limited possibility to talk to external devices, which is for a reason, I guess, but the good thing is the app doesn't require root access. With root you would maybe be able to install some kind of binaries on there in order to facilitate a ping as we know it from Linux.

So if there are no further questions, I would like you to help me by thanking Martin for this wonderful talk about Bluetooth discovery.