Blue Hawk: Bluetooth-Based Motion Detection and Proximity Authentication

BSides TLV · 2024 · 13:19 · 35 views · Published 2024-08
About this talk
Dor Amit presents a proof-of-concept Bluetooth RSSI-based motion detector for Android that converts signal strength into proximity measurements. The talk covers defensive applications (asset tracking, physical access control, contextual authentication) and offensive use cases (red team reconnaissance, MAC spoofing), and introduces BlueHawk, a free mobile app that enables rule-based alerts and automated actions on proximity events.
Original YouTube description
Speaker: Dor Amit. Bluetooth-based motion detector. In the session I will present a Bluetooth motion detector using commodity hardware (Android mobile phone) based on detecting RSSI signal strength changes. This proof of concept can be used for many use cases, both offensive and defensive, like announcing surveillance where visual instruments can't be used, etc.
Transcript [en]

Woo! Okay guys, so my name is Dor Amit. As Karen said, I'm the CTO and co-founder of turnwood cyber security, and today I'm going to present you our latest research about Bluetooth RTLS, which essentially can add to any mobile device a virtual proximity sensor based on Bluetooth. So let's talk a little bit about what is RTLS and how this mechanism works. So RTLS stands for real-time location system, and it's working with a very basic principle, okay, that can convert the signal strength into approximate distance. And other than identify the exact distance or the approximate distance from the device that I want to measure, I can also measure the trend. So for example, if I have two devices and I run

this app continuously, I can detect whether it goes in range or out of range, if it comes near me or goes away from me, and this opens up the door for very interesting use cases. So let's discuss some of the most common use cases; I'm sure some of them you can relate to. So let's talk about asset tracking. So I like to go to the beach, I live near the beach, and every time I go to the beach with my portable JBL Bluetooth speaker, after maybe the second or third beer I forget where I put the speaker. It gets lost, I don't know what to do, and then I have to take my, uh, money and buy another speaker,

and to be honest I don't have any more spare money for Bluetooth speakers, I spend everything. So I need an, um, effective solution that I can either detect the avoided speaker or do something else with it. So with this solution what I can do is either get an alert whether the speaker is going out of range, and then I know that I lost it, or use my phone like a metal detector, just go like this on the beach and see whether it's going in range again, and then I can find it. So I'm sure you can relate to that. Asset tracking, it's a very common use case when talking about RTLS systems. It's already being used with

Apple, with Google, with the Android devices. So again, a very common use case. What about physical access control? Are you familiar with physical access control? Usually done by smart card and other physical means. So when using Bluetooth I can limit access or gain restricted access area, like military bases or other restrictive places, just by using a device. It can be either your personal phone with the Bluetooth-enabled device or with a Bluetooth tag dedicated. But there are other forms of using these capabilities. For example, whenever I order a cleaning service to my house and I want to know when the cleaner arrived, when he went away and which rooms he entered, okay, I can just use

a simple commodity hardware, my old cell phone, with this solution, and then whenever he arrives and goes I have a timestamp and I can identify if it was someone else or if it was him, based on the device that he has. And it doesn't have to be only his phone, it can be maybe his earphones or any other Bluetooth-enabled device. So physical access control, also a very important use case. Another very nice use case is authentication. So we can use proximity as another factor when we are utilizing MFA, multi-factor authentication. So think about it: when I want to log in to maybe a sensitive system, I can use proximity, okay, as another authentication

factor, and if I'm not close enough to the sensitive system I won't be able to log in. And if we take this use case one step further, okay, we can utilize an even more advanced use case that's called contextual authorization. So instead of just approving or denying authentication, I can enable the authentication but with restrictive access. So for example, if I go into a data center and try to log into a very sensitive machine, like the domain controller for example, if I'm in the data center and the proximity sensor detects me, I can enable full privilege, but if I'm doing so from another location maybe I just get less privilege, okay, I won't be able to write or delete data.

Okay, so this is mostly for defensive use cases. There are other, offensive use cases as well. So for example, when we conduct a physical red teaming, we can use physical recon and real-time movement tracking and detect security guards based on their Bluetooth-enabled equipment, okay. Another use case is authorized device spoofing. So, um, the way that we are able to detect those Bluetooth-enabled devices is usually by the MAC address; this is the unique identifier of the Bluetooth devices. So if I can spoof the MAC address of the Bluetooth device, I can impersonate someone else, maybe I mimic his device, okay. So this is something that we can conduct in a red

teaming, okay, and use this as well. Um, so what we did in the research eventually is we created a mobile app, and the goal was to create something that's simplified, that's approachable for anyone to try and use. This app is called BlueHawk and it's already in the Android Marketplace; you can download it right now for free and use it and try it out. It's still in the proof-of-concept stage, so there are still some bugs, but you can still try it and give us feedback. And the purpose is, it works with any Bluetooth 4.0+ enabled device, so even for your legacy smartphone this is going to work, okay. It also has a monitor for the RSSI.

The technology that we use for proximity, it's called RSSI. There are other technologies. RSSI stands for receiver signal strength indicator. As I mentioned, this is, um, with Bluetooth 4.0 and higher. There are other technologies that are more accurate, because this only gives me the approximate distance but not the exact location. If I want to calculate the exact location, like for a triangulation purpose, like we do in cellular phones, we need to use another technology that involves more machines; it's called trilateration, okay, and this is something that again can be done with RSSI but needs more devices for the receiver part. Okay, we have a rule-based engine, so whenever I detect

and trigger some of the rule base that I discovered, for example getting in range or out of range, I can set a rule that for example utilizes some of the mobile phone sensors, like recording a video, recording sound, and sends me an alert either in the phone or in the email, okay. And we support several different actions, as I stated. And let's see a short demo. Okay, now the demo I'm going to present at the moment, it's a recorded video, okay, but after we finish maybe I'll show you a live demo if you like it, okay? What do you say, do you want to see a live demo? Okay, so first let's see the

recording. But before the demo, the most important part, um, in this lecture is giving credit to the amazing 10 R team that was part of the development. So thank you David Volson, Alon Caralis, Saniv Rodinsky, and without you it wouldn't happen and we wouldn't have this app, so thank you very much. And let's see the demo, guys. Okay, so before I see it I just want to go over the demo stages, okay. So first what we're going to do is a device discovery: we're going to scan all the devices available. Then we're going to add and save a new device that we're going to apply a rule on. Then we're going to configure a rule

that is a device out of range, so when the device's Bluetooth won't be available anymore, it's going to go out of range, the rule is going to be activated, and then the action that we're going to use is a video recording and sending a notification both in the email and on the phone screen, okay. And then we're going to view the result. So let's see what happened. Okay, so now we're starting the app, we start scanning the devices. I'm going to narrate the video, okay, it's just a short two-minute video. And then we can see here the RSSI, which is the signal strength of every found device. Um, in a short minute you can see the

distance, that we can convert the RSSI into distance in meters, okay. Actually there is a formula, you can find it online and see it for yourself. Then I'm going to detect my cell phone and save it as a saved device, and I'm going to apply a rule on my cell phone. This is a Galaxy S20 FE. So let's go create a name for this device,

and now we're going to create a new rule. So we create a rule name and then we define which action we want to see, okay. So the action I chose is getting a regular notification on the phone screen and recording front video. And we have several different conditions supported; the condition I chose was getting out of range, as discussed. So now we have the rule, we have the name, okay, the rule's scan interval is set for 15 seconds, okay, so this is the amount of time we need to

wait, and the clock is ticking.

As you can see in the type section, in the type column, I can also identify the fingerprint of the Bluetooth device and see what type it is: if it's an earphone, if it's another phone device, if it's another Bluetooth-emitting device, okay. Now we can see we had the rule activated, okay, so I'm going to see the result, and this is the front video

recording. We have a little lag so we didn't see the video running, but as you can see I also got an email alert. It also supports geolocation, so in the alert we're going to get the latitude and longitude that allow you to determine exactly which geolocation the alert was taken from. Um, and this is the video, guys, so thank you. And now, do you want to see a live demo? All

right, here it is. Okay, so first I'm going to activate the app. You can see that I... okay, so now this is the app. As you can see, I found a lot of different devices here in the room, okay. Now I already predefined a rule over here, okay, so the rule is a discovery rule: whenever I find a new device the rule is going to be activated, and the action that is going to be taken in this rule is taking a video from the rear camera, okay, so you're going to get in the demo, guys, okay. And I set the interval... I have a problem with the camera... and I set the video interval for 10

seconds. Okay, so let's activate. Now we have a 15-second

interval. Okay, I think something happened, let's see.

Let's go over here. Oh, I got a new discovery rule. Let's see the video recording.

Okay, so this was the demo, guys. So BlueHawk is available for you in the Android Marketplace. Thank you very much, it was a pleasure to be here, and if you have questions you can come to me after the conference later on and ask anything. Thank you very much. Thank you, Karen, thank you. Let's smile to the camera right there. Woo, okay.
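
The talk describes converting RSSI into an approximate distance, tracking whether a device is approaching or leaving, and firing a rule when it goes out of range. The sketch below is an added example, not BlueHawk's code: it uses the common log-distance path-loss formula, and the calibration constants, window size, thresholds and sample readings are all assumptions.

```python
from statistics import median

TX_POWER_DBM = -59  # assumed RSSI measured at 1 m; calibrate per device
PATH_LOSS_N = 2.0   # assumed path-loss exponent (about 2 in open space)

def rssi_to_distance(rssi_dbm, tx_power=TX_POWER_DBM, n=PATH_LOSS_N):
    """Log-distance path-loss model: d = 10 ** ((tx_power - rssi) / (10 * n))."""
    return 10 ** ((tx_power - rssi_dbm) / (10 * n))

def evaluate(scans, window=3, out_of_range_after=2, margin_m=0.5):
    """scans holds one RSSI (dBm) per scan interval, or None when the device
    was not seen. Returns a (distance_m or None, event) tuple per scan."""
    recent, missed, anchor, events = [], 0, None, []
    for rssi in scans:
        if rssi is None:
            missed += 1
            if missed == out_of_range_after:
                # Rule fires once, after N consecutive scans without the device.
                event, recent, anchor = "out_of_range", [], None
            else:
                event = "missed" if missed < out_of_range_after else "absent"
            events.append((None, event))
            continue
        missed = 0
        recent = (recent + [rssi])[-window:]
        # Median of the last few readings damps single-sample RSSI jitter.
        dist = round(rssi_to_distance(median(recent)), 2)
        if anchor is None:
            event = "in_range"
        elif dist > anchor + margin_m:
            event = "leaving"
        elif dist < anchor - margin_m:
            event = "approaching"
        else:
            event = "steady"
        if event != "steady":
            anchor = dist  # compare later scans against the last reported move
        events.append((dist, event))
    return events

# Constructed sample: a device walking away, dropping out, then returning.
SAMPLE_SCANS = [-59, -61, -65, -72, -79, None, None, None, -70]

if __name__ == "__main__":
    for dist, event in evaluate(SAMPLE_SCANS):
        print(dist, event)
```

Because the device is identified by its MAC address, which the talk notes can be spoofed, a defender should treat these events as one additional signal alongside other factors rather than as proof of presence.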