Transcription
Stealthily Access Your Android Phones:Bypass the Bluetooth AuthenticationBlueRepliby Sourcell Xu and Xin Xin#BHUSA@BLACKHATEVENTS
Who we areSourcell Xu DBAPP SecurityIoT security researcherfO-000/bluescanDiscovered of the BlueReplisourcell.xu@dbappsecurity.com.cnXin Xin Hardware hacker Make the BlueRepli a convenient hardware tool xin.xin@dbappsecurity.com.cn@DS HatLabHatLab(Hack Any Thing)#BHUSA@BLACKHATEVENTS
Chaotic Scenes of Privacy Access phone files25,000 times in 10 minutes. Self-starting 7000 timesand read the phone bookin one hour.#BHUSA@BLACKHATEVENTS
Could it be Worse?No maliciousor rogue appsinstalledNo touchBluetoothAndroid systemWi-FiMobile NetworkPBAP (Phone Book Access Profile)NFCMAP (Message Access Profile)#BHUSA@BLACKHATEVENTS
What’s Bluetooth Profile?PSE (Phonebook Server Equipment)PBAPPCE (Phonebook Client Equipment)MCE (Message Client Equipment)MAPMSE (Message Server Equipment)#BHUSA@BLACKHATEVENTS
Previous Research: BadBluetooth Require a malicious app with Bluetooth Permissionhas been installed on the victim’s Android phone. PBPA and MAP require the Bluetooth device to beinitiator and the phone to be the acceptor, which isopposite to the attack flow. This make the attack lessstealthy.#BHUSA@BLACKHATEVENTS
What can BlueRepli do?for almost all Android phones Only one interaction with the victimfor a well-known manufacture(may be affected 100 million devices) Totally Stealthily The attacker can make thisinteraction very deceptive.attackattackcontacts, call logs, short messagesordeceivedfake shortmessageattackcontacts, call logs, short messagesvictim 1victim 2#BHUSA@BLACKHATEVENTS
Two Dialog Boxes During Access to PBAP and MAP12Pairing RequestProfile Access RequestHow to bypass?How to bypass?#BHUSA@BLACKHATEVENTS
Why does the Pairing Request pop up?ConnectNo valid link keySecure Simple PairingSharedNew link keyNew link key Future authentication Traffic encryption#BHUSA@BLACKHATEVENTS
The default IO capabilities of AOSP is DisplayYesNo#BHUSA@BLACKHATEVENTS
Bypass the Pairing Request Dialog Box#BHUSA@BLACKHATEVENTS
#BHUSA@BLACKHATEVENTS
Side Effect of the Just Works ModelNoInputNoOutputJust WorksTemporary Bond#BHUSA@BLACKHATEVENTS
Why does the Profile Access Request pop up?No address#BHUSA@BLACKHATEVENTS
#BHUSA@BLACKHATEVENTS
Bypass the Profile Access Request Dialog BoxPBAPAddress dependent?MAP#BHUSA@BLACKHATEVENTS
Side Effect of the Just Works Modelcom.android.bluetoothNoInputNoOutputJust WorksPBAP and MAP accesspermission clearedTemporary Bond#BHUSA@BLACKHATEVENTS
Forge CoD to prevent passing BT BOND STATE NONE#BHUSA@BLACKHATEVENTS
Persistent Bond Cause Just Works not to be automatically accepted#BHUSA@BLACKHATEVENTS
The two methods are mutually exclusiveThe method forbypassing PairingRequest(Temporary Bond)ㄟ( , )ㄏThe method for bypassingProfile Access Request(Forge Address and CoD)#BHUSA@BLACKHATEVENTS
Turnaround ( ︶ ) No BT BOND STATE NONENo BOND NONENo Permission clear#BHUSA@BLACKHATEVENTS
This is the whole picture of BlueReplifor almost all Android phones One interaction with the victimfor a well-known manufacture(may be affected 100 million devices) Totally Stealthily The attacker can make thisinteraction very deceptive.attackattackcontacts, call logs, short messagesordeceivedfake shortmessageattackcontacts, call logs, short messagesvictim 1victim 2#BHUSA@BLACKHATEVENTS
Command Line ToolHardware Tool#BHUSA@BLACKHATEVENTS
Should we based on RaspberryPi ?No battery support.Low integration, jumper wire everywhere.HDMI is not a good idea for portable device.SPI is too slow for higher resolution LCD panel.We just want a S
Choose the solution.Single Cortex-A7@ 1.2GHzIntegrated 128MB DDR3SDIO & UART for basebandRGB Parallel Interface for LCDAXP203 PMU for Li-ion battery2.4GHz Wi-Fi on SDIO interfaceSupported by NexmonBR/LE 5.0 on UART interfaceSupported by InternalBlueActually this is an image of BCM4343S#BHUSA@BLACKHATEVENTS
Porting the bootloader an OSBuildroot & U-Boot & Linux#BHUSA@BLACKHATEVENTS
Coding the GUI Interface.#BHUSA@BLACKHATEVENTS
Making a 3D printed shell.#BHUSA@BLACKHATEVENTS
The video demo#BHUSA@BLACKHATEVENTS
More security issues in the Bluetooth USA@BLACKHATEVENTS
Thank you!Any dbappsecurity.com.cn#BHUSA@BLACKHATEVENTS
for almost all Android phones for a well-known manufacture (may be affected 100 million devices) fake short message victim 1 victim 2 attack deceived One interaction with the victim The attacker can make this interaction very deceptive. contacts, call logs, short messages Totally Stealthily attack contacts, call logs, short messages .
