Realtime bluetooth device detection Blue Hydra
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Serientitel | ||
| Anzahl der Teile | 93 | |
| Autor | ||
| Lizenz | CC-Namensnennung 3.0 Unported: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/36304 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
DEF CON 248 / 93
4
6
7
11
15
20
26
33
34
35
36
39
40
46
49
53
58
62
63
66
68
72
79
90
92
93
00:00
Reelle ZahlArithmetischer AusdruckEchtzeitsystemWeb-SeiteProgrammierumgebungArithmetischer AusdruckDifferente
00:29
Arithmetischer AusdruckFreewareDrahtloses lokales NetzSoftwareentwicklerHackerProjektive EbeneSichtenkonzeptMaschinenschreibenUnordnungFreeware
01:18
ATMKlasse <Mathematik>Notebook-ComputerDongleKlasse <Mathematik>MultiplikationsoperatorSchnelltasteATMNormaler OperatorHardwareKartesische KoordinatenPunktspektrumAbstandBandmatrixRechter WinkelCoxeter-GruppeFrequenzZusammenhängender GraphNotebook-ComputerZellularer AutomatLeistung <Physik>
03:35
Anpassung <Mathematik>FeuchteleitungFunktionalFrequenzDatensichtgerätSoftwareBandmatrixDemo <Programm>PunktspektrumVideokonferenzSchnelle Fourier-Transformation
04:42
EnergiedichteEnergiedichteSchlüsselverteilungPlastikkarteBitMenütechnikAuthentifikationSchnittmengeEinfach zusammenhängender RaumMultiplikationsoperatorSchlüsselverwaltungKlassische PhysikFitnessfunktionWiMAXATMComputersicherheitZweiZahlenbereichZählenRechter WinkelPersönliche IdentifikationsnummerTypentheorieUnrundheitProzess <Informatik>MereologieHardwareFormation <Mathematik>
08:16
QuellcodeRechenzentrumArithmetischer AusdruckPunktFitnessfunktionInformationSchnittmengeRandomisierungEnergiedichteInternet der DingeGüte der AnpassungZahlenbereichLeistung <Physik>MultiplikationsoperatorRechter WinkelPlastikkarte
09:34
Cracker <Computerkriminalität>Cracker <Computerkriminalität>MultiplikationsoperatorAdressraumWeg <Topologie>Persönliche IdentifikationsnummerEnergiedichteMessage-PassingAuthentifikationElektronischer FingerabdruckFlächeninhalt
10:32
ATMGraphische BenutzeroberflächeApp <Programm>BitrateProgrammierungLoginEnergiedichte
11:27
StichprobeNP-hartes ProblemSyntaktische AnalyseArithmetischer AusdruckKeller <Informatik>ProgrammbibliothekMultiplikationsoperatorKomponententest
11:51
StichprobeSyntaktische AnalyseNP-hartes ProblemArithmetischer AusdruckEinsSoftwaretestExogene VariableCodeInterface <Schaltung>HardwareDonglePhysikalisches SystemProgrammbibliothekBitGüte der AnpassungGamecontrollerPlastikkarteSystemaufrufKonfigurationsraumSystemzusammenbruchKlassische PhysikKernel <Informatik>GeradeSkriptspracheMetropolitan area networkATMBus <Informatik>SinusfunktionCoxeter-GruppeGrundsätze ordnungsmäßiger Datenverarbeitung
13:56
Arithmetischer AusdruckProgrammierungE-MailMathematikProdukt <Mathematik>AdressraumMereologieInformationDongleHardwareMultiplikationsoperatorBitratePunktTabelleFahne <Mathematik>SoftwaretestTelekommunikationRechter Winkel
15:53
Front-End <Software>DatenbankHardwareGerichtete MengeArithmetischer AusdruckHardwareInterface <Schaltung>EnergiedichteMereologieBitDatenbankMultiplikationsoperatorMathematische LogikRichtungQuick-SortTermPunktSoftwareentwicklerSpeicherabzugFunktionalTypentheorieFront-End <Software>SichtenkonzeptMobiles Internet
17:34
VolumenTaskThreadEinsHardwareArithmetischer AusdruckBitProgrammbibliothekMAPZahlenbereichSoftwaretestDatenverarbeitungMathematische LogikThreadFortsetzung <Mathematik>DatenbankTaskEinfache GenauigkeitHardwareInhalt <Mathematik>Interface <Schaltung>BitrateGüte der AnpassungMultiplikationsoperatorSkriptsprachePi <Zahl>Diskrete UntergruppeSchreiben <Datenverarbeitung>
18:51
Arithmetischer AusdruckPhysikalisches SystemInformationDongleDifferenteHecke-OperatorInteraktives FernsehenInterface <Schaltung>Metropolitan area networkMessage-PassingMultiplikationDongleSoftwaretestDienst <Informatik>ATMFunktion <Mathematik>Suite <Programmpaket>NetzbetriebssystemPunktProgrammbibliothekMereologieThreadSyntaktische AnalyseStreaming <Kommunikationstechnik>
20:10
StapeldateiMessage-PassingSyntaktische AnalyseThreadThreadExistenzsatzMessage-PassingFunktion <Mathematik>VerkehrsinformationDifferente
20:42
PunktInformationSoftwaretestThreadArithmetischer AusdruckSoftwaretestKlassische PhysikPlastikkarteATMZahlenbereichAusnahmebehandlungCodeThreadMereologieSkriptspracheFehlermeldungInformationPhysikalisches SystemWarteschlange
21:42
BitrateThreadArithmetischer AusdruckWarteschlangePhysikalisches SystemLoopDatenverarbeitungInformationThreadSpeicherabzugDongleProzess <Informatik>Arithmetischer Ausdruck
22:11
LoopRückkopplungAbstandProzess <Informatik>ThreadArithmetischer AusdruckQuick-SortAdressraumMinkowski-MetrikMereologieWarteschlangeSpeicherabzugThreadSoftwaretestTypentheorieRückkopplungKorrelationsfunktionSpannweite <Stochastik>Lokales MinimumPhysikalisches SystemDatensatzPhysikalismusVerband <Mathematik>InformationZahlenbereichAbstandATMGraphiktablett
24:16
Arithmetischer AusdruckBenutzeroberflächeGeradeThreadSpeicherabzugTabelleBenutzeroberflächeInformationFunktion <Mathematik>ThreadZeitrichtungDemo <Programm>Multiplikationsoperator
24:55
SicherungskopieDemo <Programm>AbstandUmwandlungsenthalpieZahlenbereichDifferenteInterface <Schaltung>Quick-SortDatensichtgerätLeistung <Physik>InformationSchätzfunktionDatenfeldEinsSpannweite <Stochastik>Notebook-ComputerFunktionalDatenbankDemo <Programm>BruchrechnungDefaultAdressraumSichtenkonzeptRuhmasseDongleRechter WinkelKeller <Informatik>InformationsspeicherungApp <Programm>VersionsverwaltungEindeutigkeitSpeicherabzugZeitrichtung
27:53
Kartesische KoordinatenGüte der AnpassungFahne <Mathematik>Mailing-ListeLesen <Datenverarbeitung>
28:57
Ideal <Mathematik>Arithmetischer AusdruckZahlenbereichMultiplikationsoperatorZählenProgrammierungEnergiedichteBeamer
29:50
Arithmetischer AusdruckCodeSchwebungStereometrieQuellcodePlastikkarteCodeHackerTrennschärfe <Statistik>BenutzerschnittstellenverwaltungssystemBeamerOpen Source
30:57
Demo <Programm>MinimumCheat <Computerspiel>
Transkript: Englisch(automatisch erzeugt)
00:00
So, as you may have guessed by now, this is real-time Bluetooth detection using Blue Hydra. It feels very real-time, doesn't it? We're going to go a little faster than we planned, so we're going to jump ahead here. Oh. Try page up and down. All right, I'm Granalox, I work at Pony Express, I've been there for about as long as Pony Express has
00:23
existed, and I primarily focus on device detection, looking at different kinds of devices that we see in the environments that we're monitoring for people. That's how I got involved with this project, with this Mr. The Plague looking guy here. So, we saw that we needed to see more Bluetooth devices because we were barely seeing anything that was out
00:40
there in the world, and this is how this came about. Woo! I'm a very calm zero chaos. A lot of you might know me, I do wireless stuff, and please stop calling Wi-Fi wireless, those are not the same things. I like anything that you're not touching because it's way cooler to hack things that you didn't touch. Wires are boring, and wireless
01:02
stuff is fun, whether it's ham radio, or Bluetooth, or Wi-Fi, or whatever. So, free plug for the wireless village, come by Skyview 1, 26th floor of the other tower, and hang out with us and do some real wireless stuff. So, what is Bluetooth, right? Bluetooth is
01:22
cheap, it's meant to replace the cables that fail us horribly while we're trying to give our presentation at DEF CON. But that's really what it's for, it's not for high bandwidth applications, it's not intended for that originally, it's just intended to replace the cables so you don't have to plug in your keyboard, or possibly your monitor, or
01:40
possibly, I don't know, I guess your cell phone. It's not meant for much, right? What it does is frequency hopping spread spectrum. It hops 800 times a second to try to get away from interference, and to not interfere so much with other devices. So, you're actually going to be hopping constantly all over the spectrum, which as you might imagine makes
02:02
monitoring it a lot harder. And that's really why there's no monitor mode on these pieces of hardware, is it's very difficult to monitor this in the first place, and the target price of a Bluetooth radio is about 5 cents, and none of its normal operation requires that kind of monitor mode, so why would you ever do that? Increasing
02:21
component cost is just not something that's typically done for fun, so they didn't do it. So no monitor mode means sad face. Now, Bluetooth is divided up into three basic classes. Class 1 is the 100 milliwatt, which is about 100 meters, is what they expect the distance to be in Fantasyland. Those are high powered devices, the Cenedon that Pony Express likes to use. They're really nice to have, if you actually
02:44
expect a class 1 to go 100 meters, you might be on another planet, but class 2 is what you normally run into, it's your Bluetooth on your cell phone, your headset, your laptop. Those are 10 meters, which 30 feet away for like something meant to connect your keyboard is pretty good, right? That's not really a problem for what you're doing.
03:03
From my pocket to my earpiece is only about two and a half feet. Sicilian is the best we could do. It's a little farther for him, but still well within 30 feet, right? It's not really a big deal to have low power Bluetooth. If you get a really bad one, that's called class 3, that's one milliwatt, and that's why sometimes you buy the really cheap
03:22
Bluetooth headset, or it was really expensive, but it was made really cheap. From your pocket to your ears, not all that possible, because it's actually only going to go about a meter, and you're basically maxing it out if you're a six foot tall person. This is what Bluetooth looks like on spectrum. We've got the really pretty 3D
03:42
waterfall that honestly, if I could put this as a video, looks so much cooler, but since I can't do a live demo to start with, we'll just go ahead and be happy that I've got this at all. This is a standard fast barrier transform waterfall display. You can see all of those little blips are Bluetooth. This was actually us rocking out in the wireless village setting stuff up last night. This is high bandwidth audio. This is
04:05
very high quality, as you can see, very little actual data is being sent. On a network where you would have like a large Wi-Fi network possibly right in the middle of this, you'd actually see all the Bluetooth go below and above using what's called
04:22
adaptive frequency hopping. It's basically just going to avoid interfering with the Wi-Fi and avoid being interfered with by the Wi-Fi. And that's really a function of just get out of the way because you're the lower bandwidth guy and it's easier. But again, that makes it a lot harder to sniff Bluetooth directly, and that's why those
04:40
radios just don't have those kinds of functionalities. Bluetooth classic, this is the stuff that you all know and love. You probably are using everyday headsets, things like that. The security for this stuff is really, really simple. It works on a process called discoverable or not discoverable. If it's not discoverable, that's the mode
05:02
it's supposed to be in all the time. It's supposed to be just not visible to the people. It's already configured, already did the key exchange. People compare everything to Wi-Fi. I can't count the number of times I've walked in for Wi-Max
05:20
recommendations or Bluetooth recommendations, and it was a set of Wi-Fi recommendations where they did a search and replace and changed Wi-Fi to Zigbee or something stupid like that. It's like, no, no, no, like that's not how this works, okay? Bluetooth, when you disconnect, doesn't actually terminate the authentication. The key material is saved on both ends. Those are kept. You don't have to
05:45
reauthenticate. This is why you don't have to type the pin in every time you use every piece of your Bluetooth hardware, right? The pairing is part of you turn into discoverable mode, you find the device, then you pair to it. And kind of like a marriage, you can let people know that you're married, but the pairing you kind of
06:03
should be doing in secret, right? You don't want people to be observing that key material because that's all of your security right there. For a really great primer on how that works, Mike Ryan gave a talk at ShmooCon a couple years ago, I highly recommend. It was called How Smart is Bluetooth Smart, but he goes over how all the pairing and
06:21
stuff works, and it's really eye-opening to know that if you're not pairing in a Faraday cage, you probably should start, but Bluetooth Classic is all of the security is based around pairing in secret. And if you are not paired to a device, it's a lot harder to find it, and we'll get into how we do that, and it's fun. Bluetooth low
06:41
energy, there's probably way too many of you that have this on in the room. All of you with a Fitbit or a smartwatch or a salt card to authenticate to your cell phone for you. These Bluetooth low energy devices are the really popular stuff now, and that's kind of why we ended up writing this tool. The Bluetooth stuff has been exploding,
07:02
and we couldn't see it, and that was really terrifying for us, and when we started building this and seeing just how much was out there, it became a much bigger priority to work on this because we thought it was cool. So Bluetooth low energy, unlike Bluetooth Classic, has three discoverability settings, general discoverability,
07:21
limited discoverability, and non-discoverable. What's funny is it really doesn't matter, because the way this works is you send out an advertisement and you say, hey, I'm invisible, and you send it out about four times a second, hey, I'm invisible, hey, I'm invisible, hey, I'm invisible, hey, I'm invisible, and the way the spec is written, you drop those packets, that's what you're supposed to do. I'm glad you all feel the
07:47
same as me about how great that is. Some devices don't advertise. If you're wearing a Fitbit, you don't own one of them. If you're wearing pretty much any of the fitness bands, fitness trackers, most of them just don't do it. The more high end devices, a lot of the smart watches, they don't advertise unless you go to the settings
08:04
menu and mark it discoverable and that kind of stuff. They're actually half decent, but we still do see them quite a bit because sometimes it loses connection to the phone, decides it needs to advertise, the phone can find it again, and things like that. So Bluetooth proliferation, there's a whole bunch of random IoT, IoT, IoT, IoT, IoT, IoT,
08:24
IoT. Are you all drunk yet? Good. Okay, that's enough of that garbage. Wearable stuff all around you. Bluetooth low energy, which was also called Bluetooth smart, although it is not actually lower power transmit and receive, it's designed to be lower
08:41
power consumption. It's trying to do deep sleep cycles and things like that to avoid burning all that power. So all of the wearable devices, the smart watches, the fitness trackers, they try to do that. So here's just a really quick terrifying set of numbers. Fitbit last year sold 21 million devices. ShowMe did 12 million. Apple did 11.6.
09:02
I'm reading all three of those while I eyeball my cohort just so he knows that Apple's in third behind China. Anyway, point is total 78.1 million wearable Bluetooth low energy pieces of unsecure garbage, mostly. It's terrifying, right? We have all of these devices
09:22
with us all the time. I'm wearing three of them, trying to count them while I'm standing here. But seriously, we have so much of this and we're not looking for it. It's interesting if nothing more than that. But you can get a lot of fun info from it. So I think it's even more interesting. Prior art, I'm going to gloss over pretty quick because I'd like to get more time to my cohort. But we looked at a bunch of
09:43
Bluetooth tools that existed. Red Fang is a Bluetooth discovery that does brute forcing of Mac addresses. Hey, it's not discoverable, I'm going to ping every Mac address on the planet and try to find it. That's one way to do that. We went with a different way. But that's one way to do that. BT crack and crackle are pin crackers. Those are
10:03
trying to break the authentication between the devices. And then Blue Snarfer is an older tool meant for dumping phone books and SMS messages off of phones. None of this was in our interest. What we were trying to do was discover that devices were in the area, fingerprint them, track them, see when they show up, when they leave, have
10:21
the ability to find them physically and meet space. And that's really what was interesting to us. So like all this stuff existed. Only crackle really worked on Bluetooth low energy stuff and none of it was really all that interesting to us. Bluetooth discovery, blue log is a great tool. But it was written back when there wasn't Bluetooth low energy. So it doesn't support Bluetooth low energy. So it
10:43
spams out a bunch of really useful logs constantly at a terrifying rate. And we didn't find it all that useful. BT scanner was an absolutely beautiful app. Kind of like kismet but for Bluetooth. Worked really well unless you pressed any key and then it would crash.
11:00
It's been unmaintained. It's not their fault. It's been unmaintained since about 2003 as far as I can tell. So no LE support on that either because there was no such thing as LE. And it had a really neat GUI and we really liked it and maybe if either of us could code in C we would have picked it up and started working on it. But as it turns out I shouldn't program. And he's better? Arguably better. Useful stuff. As it turns out
11:31
if you're going to stand on the shoulders of giants and you're working on Bluetooth, the blues team is probably a hearty good place to start. So blues is the library for Linux that runs all the Bluetooth stack. And they not only have a
11:43
functional library and workable tools, they have documentation. Ooh, ooh. And examples. And unit tests that work 60, 70% of the time. So it's really, really good stuff. I'd like to thank them for that. And there's a thanks for it later. But really
12:00
thank you. So HCI config is the main controller. Brings the card up, down, resets it when it goes out to lunch which is pretty often because it's five cent hardware. I mean they charge you a lot more for it but that plastic got to be really expensive because the chip sure ain't. HCI tool is going to discover your classic devices. HCI tool
12:20
scan will look for classic devices in discover mode. HCI tool less scan, LE scan as we call it internally. Works but it's really hard to parse. And when I told the blues team what I was doing with them, they're like oh my god stop. Stop now. Never do that again. You're an idiot. And I said okay cool but could you elaborate. They're like oh all
12:43
those tools are completely out of date, unmaintained and probably will crash your kernel. Oh, thanks. So they told me about their test scripts and some of their documentation and we moved on to the test scripts which was blues test discovery which was a thing that they did in python that shows how to use the D bus interface and a bunch of
13:03
internal libraries to actually do proper detection that doesn't crash your system. The Bluetooth dongle still crashes relentlessly but the kernel doesn't and that's definitely an improvement for those of you who have never crashed your kernel while giving a presentation. So the problem is of course being that the blues team writes the
13:22
libraries for Linux. It hides some LE devices. The non discoverable ones it just goes ahead and throws out the responses and things like that. But what it did for us is it helps us to talk to the Bluetooth card. It taught us how all of that works and we used all of their documentation and their API calls and took their huge bit of code and
13:43
like ripped out the six lines we needed and said that we modified it. And that taught us how to see discoverable devices. But discoverable devices are only so much of the fun. I mean granted LE stuff is noisy as sin but we wanted to see other stuff so we fell back to our good friends at the Ubertooth team and they have a lovely piece of
14:03
hardware. I think it's about a hundred bucks something like that. You can buy them basically everywhere. But Great Scott Gadgets makes a product called the Ubertooth and this is a true Bluetooth basic rate sniffer. It sniffs basic rate which is kind of like to Bluetooth what 802.11b is to Wi-Fi. There are faster speeds but somehow people always
14:24
send stuff at slower speeds so you can see it. They can't sniff Bluetooth EDR which is Bluetooth 2.0 enhanced data rate with these. But that hasn't actually been much of a problem for us because everything kind of sends packets at a slower speed at some point fast enough that we feel happy. So Ubertooth scan was the program we were using
14:44
initially and what it does is it sniffs on one channel and it looks for any devices that are communicating. In Bluetooth you only transmit the lower address part of the master device when you are having a communication and who it's from and to is dependent on the time
15:02
slot. So it's from master to slave from slave to master back and forth. And what this allows us to do is we can sniff the lower address part and then you grab some information from the header and you do some math after a couple of packets you can figure out the upper address part which is enough to ping the device and that's just what
15:20
Ubertooth scan did is it would then take your Bluetooth dongle and it would query it for a name and information and give you a bunch of information on the device back. Because we had all of the test discovery stuff already and it was working so well we wanted to not have it interrogate the Bluetooth device like that so we talked to the Ubertooth team and they introduced the last thing on their minds which was Ubertooth-RX-Z and
15:45
they gave us that flag where it just does the sniffing part and it doesn't do anything else and then we parsed it internally and my friend Granalox will explain that. Right about now actually. Okay so I'm actually going to go through and talk about the tool that we made and how it functions. I mean it is we are open sourcing it as part of
16:04
this and so I'm actually going to talk through the internals of the tool a little bit with hope that people will be able to read through it and look through it and you know contribute back to it ideally would be great. So the primary goal that we had was to create an aerodump like interface where you can see a live view of Bluetooth devices around you at any given time. We also wanted to support Bluetooth low
16:24
energy because the existing tools that did something like this did none of that and that was a really important thing for us just given how much device proliferation we have been seeing on the low energy side of things. And again the second point there find as many devices as possible. That was really the goal but a bigger part of that was to find them as quickly as possible because a lot of the low energy devices are things like
16:44
mobile or wearable devices that are on people that are moving around or on cars or vehicles or on trolleys with beacons and so they tend to move past you very quickly and if you don't pick them up when they're there you're going to miss them entirely. We opted to have a database back end for the purposes of
17:00
persistency. We wanted to be able to turn this thing off and then bring it back up later and be able to correlate devices that we saw back to what we had previously seen and that the database allowed us to do that. And another goal going back to sort of the standing on the shoulders of giants is to really minimize the amount of direct hardware interfacing we're actually doing. This really let us move a lot faster on the
17:21
development side of things and it allowed us to kind of keep things as simple as possible and use the tools that exist without trying to reinvent the wheel. And we're not at all focused on cracking or brute forcing or attacking Bluetooth as a tool at least at this time. In terms of the design logic it's primarily written in Ruby, it's 95% Ruby. There's a little bit of bash and a little bit of Python. The bash is mainly there to
17:43
manage the interface and to shell out to run some of the third party tools that we're relying on. What he's trying to say is we're sorry in advance. Yeah. And then the Python, yeah if you read it good luck and I'm sorry but the Python side of things is just a test discovery script using the blues like the pie blues library that Rick
18:01
mentioned. So we built it on top of these existing tools as much as possible. This helped us develop very rapidly and we modified the tools as we needed but again to minimize the use of hardware we entirely relied on them where we could. So at a high level what we do is we have a number of discrete threads like Ruby threads running in the background which are doing each of our different tasks and then everything gets
18:23
boiled down into a single data processing thread. For the database we did use SQL lite initially and SQL lite if anyone's ever used it which I'm sure you have is kind of trash. It worked for our purposes but one of the problems with it is it's extremely blocking and so if you try to access it for multiple threads you're going to end up with a
18:40
ton of write lock contention and everything's going to fall over. So we ended up boiling everything down into a single thread for processing the data which ultimately served us pretty well for reasons I'll probably explain if I have time. Yeah. Before we get into the threads I think the tool that we need to talk about is BTmon which is also part of the Blues library and this is a tool which is the whole Blue Hydra suite is
19:04
dependent upon and so there is no true monitor mode which is say like monitoring RF for Bluetooth like we might have with Wi-Fi but what it does is it monitors the interactions between the operating system and the adapter the Bluetooth adapter so as commands get sent to the adapter the adapter receives packets it'll summarize BTmon is
19:23
able to summarize those messages into a basically a long stream of whatever the adapter and we use that as our primary point of contact for getting data out of the interface. It's reasonably parsable it is text output and so it's a little funky and I'll show you the output in a second here but it wasn't too bad to handle the parsing. One of
19:43
the things that's really powerful about using BTmon like this is we were able to throw all kinds of different commands such as what Rich Zero mentioned. Sorry. Yeah nice catch there. Um you know we could run the HCI tool commands or the L2ping commands and they are the test discovery as well and all of that would come streaming out of BTmon in one
20:01
place. It also supports multiple Bluetooth dongles and right now the actual service isn't supporting multiple devices but we plan to add that in the not too distant future. So with BTmon this is the out you can see the output here this is a single message coming out of BTmon it's an LE advertising report so this is an LE device advertising its existence and the way that we use it is we have a single thread that
20:23
executes and filters the messages coming out of BTmon and breaks them up. We push them over to another thread that basically buffers them by device so we'll see the same device same device same device same device different device. When we get a new device we flush that out to get parsed and processed and we start buffering the new device that we're seeing data about. Um alright so the next thread that's really
20:44
significant and this is where a lot of the actual work is done is the main discovery thread. So this thread is responsible for running test discovery commands and it also feeds off a number of queues which different parts of the system feed into that tell it who it needs to gather information from who it needs to ping. The L2 ping
21:02
command is very useful for us because it allows us to test if devices are still present even if they've gone out of discoverable mode or even if we never saw them in discoverable mode such as with an Uber tooth. Uh it's also responsible mainly for the info gathering and the test discovery script will see the classic mode devices as well as the LE advertisements. Nothing none of the commands that get run in this thread we do
21:23
anything with it's just all coming out of BTmon and the other on the other side of things. We do do error handling here so you'll see a lot of error handling if you start reading this code but that's just to make sure. We do some error handling here and that's mainly mainly where we're error handling so if something goes wrong with the card or any of the commands we'll catch it here and handle it here. So the Uber
21:43
tooth thread also exists it will only start if you have an Uber tooth device plugged in and it is completely optional. Uh it does not replace having a conventional Bluetooth dongle which you absolutely need to run this system. The system still relies on a traditional Bluetooth dongle we recommend the senna dongles that Pony Express ships and they're quite robust. With the Uber tooth thread it's running the Uber tooth RX command on a slow
22:04
loop and it bypasses BTmon entirely and ships that information straight into the processing queue. So with the data processing thread this is kind of the core brain of what we're doing and it is mainly excuse me it's mainly responsible for updating and creating
22:22
the records and sort of tracking what devices we've seen but it also operates as a feedback loop to the rest of the system populating the queues to say you need to test this device you need to see if this is still present and this allows the discovery thread to do what it needs to do to kind of see and gather the information as quickly as we can to you know gather info about devices before they pass out of our range. One of the
22:43
interesting problems we found here was the actual device correlation of Bluetooth devices so we assumed initially and pretty naively that we'd just be able to see Mac addresses and say okay this is the same Mac address that we saw previously it's the same device that falls over pretty quickly. Initially it falls over with the Uber tooth because the Uber tooth will only see the upper and lower address parts which is the
23:04
last four octets of the Mac address so in the example here you can see a device with a physical address of dead beef cafe and an Uber tooth will just return something something beef cafe and have no sense of the vendor if you want to do an OUI lookup you wouldn't be able to do it off this alone and we're never able to get the rest of that address the complete address with an Uber tooth so we are able to however zero
23:24
pad it or pad it with any arbitrary hex and send it back out and ping those devices and they will respond to their upper and lower the UAP LAP upper and lower address parts and the non significant address part which is the first two octets is totally irrelevant except for doing vendor lookups so if we then see that device come into
23:41
discoverable mode and we see its full address we're able to back fill and kind of fill in the addresses that we didn't see which we initially saw with an Uber tooth. Another type of device correlation we're able to do in here is iBeacons, iBeacons are capable of rolling their Macs very aggressively they change their address quickly and they don't always do this but they can do this and so we're not able to consistently rely on
24:01
looking it up by the address so we were able to carve out some information out of proximity ID and the major and minor numbers which we were fairly consistently able to track iBeacons even as they rolled their Macs and moved around the space. So the last thread that's kind of worth mentioning and this would be our demo although I don't
24:20
know we're probably not going to have a demo because of this we have some screenshots is the sui thread and it's the command line user interface which is to say it's the arrow dump style output which shows you, thank you, which is really a live table of the devices that you're seeing around you at any given time so it's
24:41
simple it's not curses or anything but it is sortable columns and you can kind of add and remove columns as you need to get the information that you care about for the devices. So that's the main bulk of the internals of the tool and we were going to go I think next to a demo and we're going to do it live. Yeah let's do it dead. So
25:00
we're going to do it dead. Yeah so I want to apologize because after going through six laptops we finally got something that works and I'm not unplugging it right now to see if we fixed the wire or if all five laptops before this one didn't work. We could. Yeah we're going to after everything else so I don't have to switch back and forth and break it again. So I'll show you the screenshots and if we're really lucky I'll
25:23
switch to a live demo afterwards. This is sui what it is basically is as Granolock said it's it's roughly an arrow dump style interface we've got the address the version what version including like 4.2 will actually show up here on the devices that tell us the RSSI names manufacturer is an overloaded field so we grab a bunch of different
25:47
information from different places in the Bluetooth stack and we kind of put the best thing in in that spot and then range is an iBeacon specific thing the iBeacons actually give you a calibrated TX power of what they expect the signal strength to be at a
26:04
estimate the distance very very reliably so as you can see these were all sitting on top of the Bluetooth dongle when we tested this. This interface is pretty simple and if I'm lucky I'll get to show you but you can see this little carrot right here this is indicating that this is sorting ascending it can also sort descending you can reverse the
26:26
sort and the other cool thing is you can change which column it is sorting by. You can see this is the default view of columns manufacturer and range being the two interesting ones this is the iBeacon specific columns where we add in the
26:43
proximity UUID the major number and the minor number these are the things that make iBeacons unique so its proximity is basically the company and then major is like it's in this store number and then the minor is like this is in the fruit stand so that when you walk up to the fruit stand you've got the you know grocery store app on your phone
27:03
and it says oh dollar off bruised apples or whatever it is. This is the company display information I find that a lot of stuff has interesting things in the company and company data field and so we added that as a secondary display while debugging some
27:22
stuff and left it in there because we thought it was useful so you can change the column sets you can change the sort you can change up or down on the sort as well. I think it's worth noting and we may or may not be able to show this given the functioning of the demo but this is a fraction of the data we're actually gathering about these devices. There's a ton more information being stored in the database. This is what
27:43
we consider to be the most useful immediate information when you're looking at a live view but if you go back and pull data out of the database there's a massive amount of information about these devices. So where do I get it? On GitHub pony express slash blue underscore hydra because go blue hydra, hail blue hydra. You can download it there's a list of
28:06
depths in the read me and then you can run it straight from the get check out and there's no problems with doing that because shocker that's how we developed it. It does run on Kali because we developed it specifically to run on Kali Linux which is what the pony
28:21
express sensors run. That said they haven't packaged it yet so you just have to install the dependencies and all that stuff manually or especially if you're competing in the wireless catch the flag this weekend you can just download pensu's latest release and it's already on there and gosh I developed blue hydra I added it to my distro I wonder if there could possibly be any contests around needing it desperately. Could you track
28:45
somebody with this tool? That's a very good question sir. Shut up! Questions are later. I mean yes. Yes. Thank you for your question kind sir. So our conclusions were
29:01
basically we found a lot of old bluetooth stuff because when bluetooth came out it was really cool to hack bluetooth and then apparently it wasn't cool anymore but somehow it became cool to have 9 bluetooth low energy devices on your person at all times so we thought it would be cool to look at bluetooth again. We took a really simple idea that had
29:22
Gabe very mad at me for a very long time because it turns out it was hey there you go granulox. It was harder to do than expected and uh yeah so we both suck at programming but he sucks a little less than I do. So it was surprising to see just how many devices were out there I can't count the number of places I went like haggard
29:42
conventions where I just saw hundreds of devices inside of one room and wondered why just why. So um I'd like to thank Def Con for telling me that the projector was VGA and then providing HDMI that doesn't work. I'd really like to thank the CFP selection crew you
30:06
know who you are for letting us present we really do appreciate that because we think this is really cool and we really hope that you do too. Uh we'd like to thank Pony Express for paying us to build this and then letting us convince them to open source it and not just open source it but put a BSD license on it. Uh coconut the card for
30:24
helping us release this code as BSD. Uh our boss got a new hacker name and that's what it is so yeah. If any of you ever see the uh VP of engineering you can you can call him that and don't tell me don't don't blame me. Uh the Ubertooth team for being
30:44
very efficient and they told us how a bunch of stuff worked and and helped us a lot and the Blues team for their very efficient German making fun of us which helped us to do what we needed to do. Uh that was really really great of them. So Q and A will be in room the bar at the bottom of the escalators. There are other people that will be taking over this
31:05
place in about 8 minutes and that leaves me for yelled out question and answers while I try to get a cool demo running so that those of you that prepped funny Bluetooth device names don't feel like you got cheated.