
Okay, so as was said, we're going to take D-Bus to explore the Bluetooth landscape. Brief little overview, just so you know what is kind of coming up. Okay, so let's dive into this.

Who am I? I'm a PhD, I'm a Bluetooth security researcher and a security research scientist. General boilerplate stuff: all these things that I'm going to be talking about are my own work, not that of any employer past, present, future, all that good junk.

So why are we talking about Bluetooth? Well, Bluetooth, whether you like it or not, enjoy it or even really think it's worth it, is becoming pretty ubiquitous. So the two good examples that I have here: the first is doing some WiGLE war driving in an 80-person puddle jumper landing in an airfield. 80 people on a plane, 200-something Bluetooth devices all within range of just my phone. The other side of this would be, for those of you that may be familiar with the story about wired Apple headphones not working without the Bluetooth capability, it basically boiled down to a product saving scheme, so that by implementing Bluetooth chips they could produce the cords for cheaper even though they're supposed to be wired. So whether you like them or not, they're getting pretty ubiquitous and they're popping up just about everywhere.

But why do we care about this? Well, really, as we'll hopefully see, the Bluetooth landscape is a bit of a wild west, and so we should really have better insight for what Bluetooth wildlife is out there, get a better idea of what the landscape looks like, and ideally augment these tools so that the security research community can dive in and get their hands dirty in this stuff, because it was a pain in the ass to figure out any of this.

Two things that I want to make sure you all understand before we dive in, because they'll be very key to following the rest of the talk. The first is, when you're looking at the Bluetooth protocol model, this bottom layer, or controller layer, or host controller interface, is exceedingly important, because what is going on in that layer is you have translation of hardware to software communication. You can't inject anything into this layer, you can't interact on this layer, but you can sniff it, so you can see everything that's going on. But any communication you're doing is either hardware directly or it is software on top of all this. The second thing you'll need to know is: what does a BLE device look like? Well, essentially what you're running is what's called a GATT server. Without getting into too much detail, essentially what you have is a device, and that device has some number of services on it. The services can have nested in them a series of characteristics; those characteristics can have within them a series of descriptors.

Now that we've gone over the really boring stuff, we can get into the larger meat of this. So what are we talking about? Well, we're talking about my tool, the Bluetooth Landscape Exploration and Enumeration Platform, or as I so lovingly call it, this BLEEP tool. What does it do? Well, the real purpose for having made this tool was that a lot of the command line tools and things that are out there are deprecated by eight-plus years. You've got odd tools that have been folded into other tools, where you lose a little bit of really nuanced, granular control on some lower levels. So the whole point for this was to have a device that could perform the enumeration of the landscape around you, enumerate these devices in a meaningful way so you can figure out what you can read and write to, and just give you a platform for being able to do this under a nice user interface. Now there's some more advanced stuff that's getting worked on, such as adding in automation and logging to make it easier to do post-attack analysis, or just even post-enumeration analysis. Capturing of signals is a little weird, but the basics and stuff are all in there. And, more interestingly, I started adding some points for doing some cartography of the landscape that we end up seeing as we search for devices.

So what you can do is you can think of this tool as kind of a set of binoculars. As you go about the Bluetooth landscape, what you might want to do is go on a safari. So let's go looking for what devices are out there, right? What Bluetooth animals do we see, and what wildlife is out there? What do they look like? Do they have weird characteristics? What are the outliers that are out there in the world when we go looking around?

So here is the training data I'm going to give you guys. I think you can figure out what device this is; it's pretty straightforward, it is a Pixel 4a device. There's some maybe interesting information here, right? We have some service data that is kind of present. Not really sure what these are. Okay, so everything BLE is hex; it gets represented here as decimal, but almost all communication back and forth is hexadecimal. So we've got some interesting hex values; maybe that's kind of cool. If we use BLEEP to take a look at the characteristics that are here on this device, we see, okay, here's this really interesting hex string that maybe means something super important. I'm not a Google Pixel developer, I don't necessarily know, but it's unique to this space.

Now if we take a look at a device that I'm not going to tell you who made it, what do you notice about it? So one part is that it's decided to name itself the same as its hardware interface. So okay, it's using a MAC address as a name; maybe that's a means to kind of hide itself. Instead of service information, what we have is manufacturer data, and what we see here is a uint number along with, again, some set of hex data attached to it. Those of you who are painfully aware of the Bluetooth SIG documentation know what device this is already, but let's keep looking. So we use BLEEP to take a look at the characteristics and descriptors that are there. It is a hot mess. Staring at this thing, we see maybe some interesting descriptors that are perhaps a binary value, but let's use BLEEP to only read back the characteristics. Now can you tell me what device this is? Yeah, pretty straightforward: it's an Apple device. That uint 76 is a dead giveaway; that's the manufacturer code for Apple. We also see it's a watch running version 6.6. So now we've got a clear picture of the device that is in front of us.

Now here's a similar examination of an iPhone, and you'll notice here as well that once again you don't have the name necessarily hiding itself. You do see that uint number one more time, so you can identify it again from the manufacturer data that's there. But then we also see this very odd error here at the bottom. That is BLEEP; I've written all the error handling on it. So what BLEEP believes is going on is that there's an authentication event, based on a code that's delivered on that HCI layer that we'll get into later, and it believes that some sort of pairing request has failed. So okay, BLEEP is able to not only try to get an idea of what the landscape is, but also tries to give you an idea of what the issues are that are happening under the hood.

If we take a look at one more device, which I'm not going to give away, here what we're doing is we're using BLEEP's pretty print function in order to print it more in that structure that I was telling you about earlier. So here's the top-level service and nested characteristic and descriptor. If we take a look at service 0010 (this is a handle; the terminology in BLE and Bluetooth gets very annoying after a while), the point is, on this one we start seeing some names, we start seeing codes, maybe version numbers down here. If we keep looking at the device we can see a little more information. Again we've got a version number and, most importantly here, Zebra Technologies. We just found a zebra on a safari hunt. Now I know from my own personal life and work I have done that Zebra Technologies in this case is a package scanner, a physical package scanner, most likely a handheld device they use to scan barcodes, get signatures, all that sort of stuff. So let's take a look at the details on this device. So here what we're doing is we're using a deep dive mode that is also in BLEEP, and it will go through and print out all attached information for all characteristics, descriptors and services that it has enumerated on the device. And so once again, you know, there's some interesting strings, maybe we get some version numbers. I mean, there's a lot of info here, but maybe it's nothing, right? I wrote the tool, why do you trust me? I could be lying to you and this is just doing stuff that I think will trick you into using it.

Well, the way we can check that is let's go deeper. So if you remember that HCI layer I was telling you about, what we need to do is we need to start examining communications on that layer, see what we can tell about the communication that's being sent there, and corroborate whether or not BLEEP is actually a useful tool or just a fun hobby that is hallucinating and doing its own thing. So here is communication for two Bluetooth devices communicating BLE on just that HCI layer. This is using a tool known as btmon; again, open, simple to use, most folks that are developing Bluetooth are using it to sanity check their work. What's important here is that you can see the direction in which communication is going based on the arrow brackets that you get. The color coding makes it a little easier to read, but what you're seeing here is you've got an attempt to read some handle (so if you remember, that handle is just another way to identify characteristics and things). It's complaining about insufficient authentication. It then attempts to pair, goes through this pairing process, and we hit some issue about an agent not existing. So okay, that ends up being detrimental to us, because authentication fails, and down here the device ends up disconnecting us from its communication. But hey, now we can kind of read what's going on under the hood and make sure that what we're seeing is what we expect.

So here I've got another capture from btmon, and it's pretty easy to see what's going on here, right? I mean, you've got an Intel Corporation device. Now there is some information that even btmon doesn't know what the hell this is, because Intel just decided to use this device flag. What does it mean? I have no idea, I don't work at Intel, I don't do their Bluetooth development. But we see that the device continues to communicate; we're not getting the same authentication error. We get instead a connection response, some configuration requests, that's great. It then blasts an insane amount of information, because it's telling me about every capability that it has on the device. Towards the end of this blast of information we see it gets a complaint about A2DP sink and source. Okay, maybe that won't tank me entirely. Unfortunately we keep going and it actually does, because since that is a key part of this Intel device, it ends up leading to a remote user terminated connection and disconnects me entirely.

So I've shown you two fun examples of this. Now, raising your hands, how many of you recall what was going on with Bluetooth last year and a certain dolphin-named device that was messing around with Apple? Yeah. So let's go bobbing for some apples and see what's weird about them and what kind of difference we've seen since that time. So here I've got the HCI capture for that iPhone communication I was showing you earlier in BLEEP, right? And what did we see there? We saw, oh, it screamed something about authentication and not being able to pair. So what we see in the HCI communication is, once again, here's that read request for this handle; we end up getting an error response to that, screaming about insufficient authentication. If we recall from the earlier one, it ends up not being able to authenticate and the device ends up disconnecting us. Okay, fun. So does it happen every time? So here I'm taking a look at yet another Apple iPhone device, and we see again that same sort of pattern: you've got a handle that it attempts to read from, insufficient authentication. It's not necessarily the same handle, but you get this pattern of activity. And what we notice is this sense of, okay, well, you can start reading from this Apple device up until some error response happens, and then we'll kind of forget about it.

Now it's not just Apple devices that I've seen this on since last year. This is just a small list of handles that I've seen for various devices. The unknowns are just ones that hid their identity well enough that I couldn't quite identify what it was. But most importantly, what do we notice about the pattern of this behavior? We notice that essentially we're communicating with the device until we reach some panic point, trip this panic reaction, and the device freaks out on us. So what does BLEEP show for this from its side? Well, when using BLEEP we end up getting errors telling us that the device has disconnected. So okay, we're seeing the same information both on that HCI layer and from BLEEP itself.

So now we need to start mapping this problem, because I would like to get around this. I'm tired of every Apple device just telling me I can't talk to it. So I decide I'm going to start mapping these landmines I keep walking across. And, you know, the bigger question is, can we prevent this disconnection? Is there maybe information hidden behind there that they're just trying to prevent me from getting at because of the way that I'm going about it? And so what I did was augment how BLEEP would end up collecting this information. Normally what you're doing is you're communicating to the device and collecting the GAP information, which is the General Access Profile; those are those levels of details that we saw earlier that had the name, the alias, the Bluetooth address, high-level stuff. But what I end up deciding to do is, we'll create a map that we can use in order to track which characteristics we read, see if there's any issues. Once we've got that skeleton, we'll create the coordinating map. Once we do the enumeration, pretty straightforward: check the map. Is this a known bad issue? It is? Great, I don't want to bother reading from it, it's just going to waste my time. It's not known to be an issue? Great, let's try to read from it, get back the response, we'll do some error checking on the communication we received back. If it turns out to cause an issue, great, mark it as bad, and we'll just go that way rather than some systemic panic and run.

And so we run this on BLEEP, taking it against an iPhone, and we see here that we're still reading from it, right? No errors yet. We see we get towards some of these characteristics that we saw earlier, like 0010, but it continues going. So okay, well, what about some of the other ones that we saw on that list, right, 002E? Well, we keep going and, no, we managed to actually get past 2E. All right, well, does anything ever trigger? Doesn't look like it, right? We get all the way to the end of this menu, there's no errors, nothing screaming about anything. But again, don't believe me, right? I wrote BLEEP; for all I know I did a really shitty job and it's hallucinating answers and telling me that it's fine. So let's check that HCI layer. And what do you all notice about this output? Yes?

I think disconnect complete and done?

Yes, exactly. So the only reason the device disconnected us is that it timed out. I can tell you, from the time I was scanning this, because the device got away from me. But we didn't trip a panic reaction; this device let us read all of its characteristics through without kicking us off or throwing us off anywhere. So awesome, hey, we did it. (Just grabbed the wrong version of it; okay, this is a little more cluttered than I want.)

But what are the things that we end up learning from this? Well, okay, first and foremost, Bluetooth devices are really platform specific. Manufacturers are right now basically dictating how these devices get implemented and how they're put out in the wild. It really leads to this wild west sort of environment. With that, hey, we found an actual zebra on a safari hunt; I don't know many talks you can say that you got to see a zebra, so I think that is worth it. The more interesting two points are these two at the end. So first and foremost, what I found most interesting is that it appears that Apple is using canaries in order to prevent you from continuing to enumerate devices and characteristics. From what I could tell, from what the Flipper was doing during, what is it, Sour Apple, Bad Apple, whatever the hell we decided to name that one, is that it was essentially systematically going through and just blasting communications against the characteristics in the GATT server that's running. So by just having this panic reaction, disconnecting, they're hoping to circumvent that. The second one is, depending on how you present yourself as a Bluetooth device will change the interaction you get with devices. So that A2DP audio sink and source issue that I saw earlier: once I installed PulseAudio on this machine and scanned again, I ripped my headphones away from my phone to my laptop without realizing what had happened, until all of a sudden I'm hearing a YouTube video I didn't know was even playing. So it's fun stuff.

For those of you that want to play with the tool, this is where you go to find it. It looks like this, very straightforward. I'm going to show you guys a bit of a demo of it operating, just so that you can get, again, some more experience looking at it and seeing how it works. So let's go to the demo. So here, as before, I have that btmon on so that we can take a look at the background communication along with it, and then here we've got BLEEP. In order to start it up in user mode it is this simple: you just have to have Python installed and the required libraries, which are all on GitHub, but you just write bleep -m user for user mode, hit go, and it will start enumerating around the room and seeing what devices are in range. There are some annoying things about D-Bus and how it works. It will then start producing a series of devices. Yes, there is a Pokémon Go Plus device around here that I've been trying to talk to for the last two days and it will not speak to me. The mpy uart is a PW server that I've made to help test this against. There's this Oppo A15; you'll notice that a lot of these other names are more or less trying to hide themselves from us. That last one is my phone, which, fun fact about BLE, even though my Bluetooth is off on my phone it will still show up. I won't be able to talk to it, but I can still enumerate its location within the wild.

So picking one of these devices, okay, so this is the fun thing about D-Bus: D-Bus will forget. So if you take too long to pick a target it will just tell you "I've forgotten about this, I don't know what the hell you're trying to talk to." So again we do that -m user, pick a device at random, and let it go and try to communicate to it. So taking a look on the back end, we can see that the device has connected, we attempted to get features, and the device did not like this and has booted us off. So once again we're seeing that panic and "I hate you" reaction. BLEEP will attempt to still communicate to it a few times; it ends up leading to a timeout in those cases. Yes, it looks slow and is confusing, hence the need for having this btmon on again if you're getting really into the weeds and under the hood.

But because I can't always control the environments around me, I have also made demos. So if we take a look at, say, the BLE CTF and decide that we are going to brute force a series of writes to it, much like before you'll see that it's going to type bleep -m user. I added a -d flag for this version, which I'm going to upload, which allows me to identify a device; that is because I didn't know how many Bluetooth devices you all were going to bring and I didn't want to go digging for it. As we expect to see, it's going to go through and enumerate the device. Here's that GAP layer information. The text is really big, so all of this is kind of flying by. What it's done is it has enumerated all the characteristics on the device. We are then generating a list of the characteristics that it found, using that list of characteristics to then perform an action. So here what we're doing is we're reading from a characteristic that we've decided on. Once I hit enter I am then picking a characteristic that I know has a flag on it. Well, sorry, here we're showing the score. Here's that read-all that shows again all those characteristics in a nice, easier to read format. Here we see that there's a write up there where it's attempting to brute force. So I'm saying, okay, write to this device, use brute force mode. It will then ask me how many characters the write should be whenever it hits enter and continues. So I'm picking that characteristic, I'm saying it needs to use two bytes of information, start brute forcing it, and it will just go through the entire spectrum from 0 to 255 and write everything it can to there. What we'll see at the end of this is the write characteristic that had the flag that told us to brute force these values will end up producing a flag. It's a BLE CTF, so it's a CTF we're playing with. We will then go and read from that device. Here is that flag. We'll then copy the device, write it to the score characteristic, which is separate from where you read from it. So here we go, picking the characteristic to read from, which I think is char 0029, 2B, I was off by one, so 2B is where we write the string to. Great, it's written it here as a string instead of an integer as we saw before. We then read from the characteristic and see that we have in fact scored the flag. Hooray, we've got basic I/O interaction.

I've got demos for signals, I've got demos for this and that, but I would like to leave some time for questions, so please, as this continues playing in the background, ask questions as you need. Don't have time for questions? Oh, even better. Okay, well, if you want to talk to me more about it please come up. Otherwise, thank you for listening to my insane ramble about Bluetooth wildlife.
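As an added illustration (not the speaker's BLEEP code), here is a small Python simulation of the landmine map described in the talk: a handle that answers with an ATT insufficient-authentication error and then drops the link is recorded per device, so the next read-all pass skips it instead of tripping the disconnect again. The peer, its handles and their values are constructed for the example.

```python
"""Added example, not code from the BLEEP project: a simulated GATT read-all
that keeps a per-device map of 'landmine' handles, the approach described in
the talk, so later passes skip them instead of tripping the disconnect."""
from dataclasses import dataclass

# ATT error code 0x05 is Insufficient Authentication (Bluetooth Core spec);
# the talk's btmon captures show this error right before the peer disconnects.
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
APPLE_COMPANY_ID = 0x004C  # decimal 76, the "uint 76" manufacturer code from the talk


class DeviceDisconnected(Exception):
    """The simulated peer dropped the link (the 'panic' reaction)."""


@dataclass
class FakeGattDevice:
    """Constructed stand-in for a peer: reading a landmine handle returns an
    ATT error response and the peer then drops the connection."""
    address: str
    values: dict           # handle -> bytes returned for that characteristic
    landmines: frozenset   # handles that trigger the error and disconnect
    connected: bool = True
    reconnects: int = 0    # how many times we had to re-establish the link

    def connect(self):
        self.connected = True
        self.reconnects += 1

    def read(self, handle):
        if not self.connected:
            raise DeviceDisconnected(self.address)
        if handle in self.landmines:
            self.connected = False
            return ("error", ATT_INSUFFICIENT_AUTHENTICATION)
        return ("ok", self.values[handle])


def read_all(device, bad_map):
    """Read every handle once, consulting and updating bad_map, which maps
    device address -> set of handles known to trip the disconnect."""
    known_bad = bad_map.setdefault(device.address, set())
    results = {}
    for handle in sorted(device.values):
        if handle in known_bad:
            continue                      # mapped landmine: don't bother reading it
        try:
            status, payload = device.read(handle)
        except DeviceDisconnected:
            device.connect()              # come back and keep walking the rest
            status, payload = device.read(handle)
        if status == "error":
            known_bad.add(handle)         # mark it bad rather than panicking
            continue
        results[handle] = payload
    return results


def company_id(manufacturer_data):
    """The company identifier is the first two bytes, little-endian, of the
    manufacturer-specific advertising payload."""
    return int.from_bytes(manufacturer_data[:2], "little")


# Constructed sample peer: handle 0x002E is a landmine (it is one of the
# handles mentioned in the talk's list); the values are made up.
SAMPLE = FakeGattDevice(
    address="AA:BB:CC:DD:EE:01",
    values={0x0003: b"Device Name", 0x002E: b"hidden", 0x0030: b"6.6"},
    landmines=frozenset({0x002E}),
)
```

Run read_all(SAMPLE, {}) twice with the same map: the first pass reconnects once after 0x002E, the second pass never touches that handle.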