Video in TIB AV-Portal: WIRELESS VILLAGE - Blue Sonar
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Abstract: Bluetooth is everywhere; it is in all of our pockets, and the only protection most people use is not being in discoverable mode. This will be a talk on enumeration and tracking of non-discoverable Bluetooth devices, as well as an operator's perspective on some awesome use cases for Blue Sonar. Of course, it is already in Pentoo. This talk is imperative for those in the WCTF, because you will need this tool to find many of the Bluetooth foxes.
Should we start the talk now? Yeah, sure. Okay, go ahead. One, two, three... not it, dammit. Alright, good morning, evening, afternoon, I don't know what freaking day it is. Happy Tuesday. Yes, welcome to Saturday. Oh, alright. We are the Wireless Village, literally. I am Rick and he is Rick, so we are Rick, and we... we shouldn't have fun with it. We love to give you guys the capability to play this game, to listen to the talks, and we love the fact that you guys come back every year and listen to us. I wouldn't listen to us this long, so I don't know why the hell you guys have, but thank you very much for it. Today we have a little bit of something special, I guess we could say special. Maybe I feel special. I feel special too. This is a tool that has not been released yet. This is a tool that is doing things that other tools can't do, and it kind of came up under a funny story, which you'll have to endure, so I'm sorry about that. You're not, so, right, go ahead. What's this Bluetooth stuff, other than, like, you know... pardon anybody from Kentucky, I don't mean them. Sure. King Harald Bluetooth, who ate lots of blueberries, apparently. Bluetooth is a ubiquitous networking technology for people too lazy to plug in cables. And the whole slide? Yeah, man. Yep, yeah, that's it, that's it. Hey, it is fancy: IEEE 802.11, 802.15.1, and yeah, and there is no oversight, there is a guidance group. Cool, you missed a bunch. Anyway, people can read. Can you all read? Cool, I'm not reading the slides. Here's why we care about Bluetooth, though: who has, on or off, a Bluetooth device on you right now? If there's anybody with your hand down, you're a liar, and if you're not, prove it. Strip search. Where's TSA? In their house. Okay, Bluetooth is everywhere. It's on your watch, it's on your phone, it's on your headsets, it's on your laptops, and it's on a lot of your laptops. I mean, Jen, Joe, Bob, Jimmy, we see... yeah, we do, and we see you from, like, the time you walk down the steps to the time you get here. So we like playing with Bluetooth, but we like playing with Bluetooth for really, really, really good reasons: it's everywhere and it's exploitable. Then comes along this crazy thing, but you can challenge your friends to see who gets the highest step count at DEF CON. Yeah, a Fitbit. Bluetooth Low Energy, come on, be technical. Bluetooth Low Energy is a low energy protocol for people too lazy to plug in cables. But seriously,
Bluetooth Low Energy has the same transmit power as regular Bluetooth, which, you know, you'd think Low Energy, obviously it's gonna be weak and go less distance. Actually, that's not true at all. It just has to do with how deep the power saving cycles are, so it'll basically turn completely off, do absolutely nothing, and then wake up and send, like, a packet, and then shut up for like a quarter of a second, which is a really long time when you're a radio, trust me, it is. So, like, four wake-ups a second is really, really, really good power saving, and so you keep it quiet for like five minutes. Yeah, Fitbits, or, you know, a couple of days of battery life. But when you're talking about some of these Bluetooth beacons and things like that, they're actually sending out, like, a signal every couple of... you know, four times a second, and these batteries on, you know, double-As, they're like two years to have a Bluetooth beacon for your marketing project. So it really is pretty low energy. So last year, was it last year? Was it
last year? Two years, two years ago. Yeah, Rick was up on stage on a delayed talk because of dongles. Dongles suck. Suck. But they released a tool called Blue Hydra, and we all thought, wow, Blue Hydra is absolutely awesome. Who in the room's heard of Blue Hydra? Oh, awesome, wow, there's, like, wireless people here in the Wireless Village, that's neat. Blue Hydra tells you what's in the airspace like airodump does, and Blue Hydra does a really, really good job of enumerating out things. It does such a good job that it tells you the difference between Bluetooth Low Energy and Bluetooth Classic. We'll get to that in a minute, why that's super important, but the amount of data that comes out of that is phenomenal. They did a great job on this. Now, that being said, Bluetooth has some weird quirks to it: masters and slaves, so masters and slaves, discoverable and not discoverable. Bluetooth is a really, really weird thing. I see a lot of, you know, Bluetooth security requirements which are literally Wi-Fi security requirements where some jerk did a find and replace on Wi-Fi and changed it to Bluetooth. I'm also seeing the same with WiMAX and all kinds of other crap, but that's just not how things work. For instance, Bluetooth doesn't even transmit the whole MAC address in the air. It only transmits the last three octets of the MAC address, that's the last half. And when you have Wi-Fi, for example, you have a BSSID for the access point, you have the transmitting... the transmitting MAC address, which is, you know, either the client or the access point depending on direction, and then you have the receiver, which, again, is the client or access point depending on direction. You have three MAC addresses at least in every single packet, full MAC addresses, unencrypted, all the time. Bluetooth: there's one half of one MAC address for a communications group, so you can have multiple devices talking to your phone and they'll all basically share half of a MAC address, and the only way they know who's talking to you is because they are not the one transmitting, so it must be to them. It's a really, really frustrating protocol because of things like that, so building Blue Hydra was entertaining. When you're looking for raw monitoring of things, Ubertooth is a really great tool, but there are limitations to Bluetooth that a lot of people just don't know about. So that's... that's my favorite one. It's lots of fun. So we asked the question last year: how many people in the room do RF or wireless pentesting as all of or part of their daily job? Okay, seven people out of, I can't count that. That's not very many, but for the people that do that, Bluetooth is a pain in the ass, because you can't track things as properly as you'd like to, because if I'm trying to follow the CIO, CEO home and I want to know where he lives or what he's doing or how he's doing it, I have massive options of doing it, except his phone's not pairing, his phone's not trying to pair, and all I have is a master or slave. I don't know which it is, I don't know if it's him or her, so that's a big problem. So flip that to security, from defense: you have a better opportunity of not getting caught with Bluetooth prior to today than you would with your wireless radios, and everybody knows why I should turn my wireless off, but as soon as you get on the plane, get on a train, get in the cab, you turn on your wire... you turn on your Bluetooth, you put your headphones in your ears, you start talking to somebody, because, you know, wires are so, you know, 2017, and they get you tangled. Like, you need to have the ability to be, you know, mobile and walking around, and/or just, you know, looking cool. Walk through San Francisco, everybody has these new... these weird earrings, they're white, they kind of stick down a little bit, they kind of dangle, they're really cute, but they're also Bluetooth, and Bluetooth is very difficult to track. Sort of... talk about the hardware. It was very difficult to track. Talk about different hardware. Yeah, cool. So Bluetooth is great. Again, comparing it to Wi-Fi: with Wi-Fi you just
take a card and you get a good driver, and then you flip it in monitor mode and you monitor everything, and it gives you full packet headers that are unencrypted all the time, and that's awesome. The target price for a Bluetooth radio is five cents, and because of that they're very, very, very minimal. They're very low-power, they're very weak, they're very crappy, and things like monitor mode just basically don't exist. So you end up getting a Bluetooth sniffer. In this case, this is an Ubertooth One from Great Scott Gadgets. It's a great little device for finding Classic mode devices, and a whole bunch of Bluetooth Low Energy stuff in the latest release has been vastly improved. So these are really great for monitor mode, but as it turns out they're not Bluetooth dongles at all. They don't actually support using them as regular Bluetooth devices. So to interact with a Bluetooth device, you still need a Bluetooth device. So if you want to poll something and say, what's your name, tell me more about yourself, what firmware revision are you, you still need a real Bluetooth dongle. So Blue Hydra specifically pairs these two things together to find the most devices and to extract the most information from those devices. How much do those two devices cost? Yeah, so this, not being five cents like the one built into most laptops, this is a Sena UD100, and these are about 50 or 60 depending on where you buy them. Ubertooth Ones, I think, are like a hundred bucks or something. Yeah, something in that general... 120. These are definitely available in the vendor area. I have no idea if the Senas are, but these are really decent devices, and again, they're like 100 bucks-ish, but that's expensive. Yes, not everybody has a budget for 400 dollar pieces of equipment that sit on your shelf. So again, real quick, for those that have it, Blue Hydra: you type in blue_hydra into Pentoo, or another device that you have added Blue Hydra onto, which I think there's good instructions for Kali, because, you know... Yeah, there are good install instructions for Kali, because the helper's a nice guy, and it breaks it down for you. So it gives you Classic, it gives you Classic 4.0, Bluetooth Low Energy and Low Energy 4.1. It gives you the ability to see the difference between the types of radios that you're dealing with. Blue Hydra's just cool, and it's cool enough that we're going to say, hey, let's show you guys. So, those of you who haven't seen Blue Hydra yet: I love live demos, because they always fail.
Yeah, speaker sucks, get them out of the way. This is always fun. Let's see, okay, so there's that screen you just saw. They give you a really nice output: here's how it works, here's what it does, here's what's important about it. And you run it, and when you run it, it starts to enumerate all of the Bluetooth that you're gonna see. It also gives names. Anybody see their device up there? Don't be embarrassed, they're all up there, it's okay, it really is. Yeah, and it just shows you. Now, what's really cool, if we watch this for a second or two, and I'm trying to see it from here, when an Apple device shows up it actually enumerates those names. Wow, that's pretty neat. But this is just giving us enumeration. It gives us a little bit of a distance vector, gives us a little bit of a power vector. Rick, why don't you explain RSSI? Received signal strength indicator. Yes, that one. This is actually more like signal level, kind of, yeah. So this is basically telling you about how far away something is based on the signal strength. So the signal strength is a typically negative number which is gonna tell you how strong it is coming in, so negative 100 being really, really weak, negative 40 being pretty decent, and everywhere in between. Negative numbers work exactly the way they should when you learn them in, like, second grade math class, so negative 40 is good, negative 100 is bad. It's not hard. All right, so we've got some capabilities here. We have some enumeration, we have the ability to see things. Problem is, I'm wearing a Bluetooth device. Apple Watch happens to be one of the least talkative devices that exists out there, so when I hold this near where the Bluetooth is, it's not popping up, it's not showing you anything on the screen. So let's see if this works. Yeah, it worked. So Blue Hydra with the fox... we have the ability to speed that system up a little bit. So, those of you that are playing, blue_hydra --no-info... no info gives you the ability to see things with a much faster refresh rate. That faster refresh rate gives you better fidelity on the targets you're looking for. It also gives you better signal-to-noise ratio in terms of what you see on the screen versus what you're in bounds of. In most cases it's 300 seconds timeout. In most cases the problem is that it goes and it takes time out to interrogate each device that it sees. So let's say you're running through the casino chasing people: you're going to pick up a bunch of devices, be nowhere near them, and then try to info scan all of them, which takes huge amounts of time out of your discovery window. So no-info just says don't info scan anybody, just keep discovering all the time, so you'll have much better fidelity. So we do that. No, can I type blind? Maybe. Yes, much, much, much faster scanning. They stay green longer because they've been seen sooner, and it keeps rolling through. Now, as you watch through this, this is literally the Bluetooth devices that are in this area that this internal radio inside my laptop is looking for, not using the UD100, not using the Ubertooth, which, by the way, is an amazing tool, it does give you better fidelity. But I can do all this sitting down with my laptop, nothing else. This is the crappy XPS 13 that Rick was talking about, with the Qualcomm chip burned into it. This is the internal radio on a regular Dell XPS, so it's not giving you amazing performance, but it is giving you some really interesting information. Now, occasionally, if you watch this range, and I saw one come through, so I'm able to come back again, it's going to give range of a device based on how far it thinks it is, based on a predefined... um, OUI. Brilliance on the developers' part, Rick and Grimlock, the Grand... no, locks, whatever weird name, noob. Anyway, there you go: point eight nine meters, fifteen point eight five meters. Who is, uh, Blue Indigo... BlueGiga? That's the test flag, that's one of ours. Oh, and the Emma Corps is one of ours too. It's fifteen meters away. See, Eric, Eric, raise your hand. Fifteen point eight five meters, it's sitting where Eric's sitting. That's about 45 feet, yeah, give or take. Not too bad, so it does a really good job of that. Now, this is helpful, but it's not quick fidelity. It's not: I want to track you, I want to track you. This gives us the ability to just kind of see things at first. Does that screw it up for the next time? We do have the ability with that... yeah, box mode. Ginger on, dance, LEDs, there you go, there you go. So, filters. All right, so, neat idea. Yeah, we started running Blue Hydra in the Wireless Village Capture the Flag, and the real problem is most people were actually building, like, little Raspberry Pis with, like, five inch screens and battery packs, and nine lines of text or ten lines of text on their display, otherwise it was unreadable. And we realized that it sees an enormous number of devices, because everyone turns on their Bluetooth and nobody turns it off, and thanks, Apple. So when you're trying to track a specific device, it became nearly worthless. So I added in the filtering ability so that you could just, on the UI side, filter out. So it's still tracking everything in the background. You can say I want to filter for this device, and it has a couple of modes. One mode is called highlight, where it'll just highlight it on the screen. The other mode is called exclusive, where it's only going to show you the things that you're filtering for. There's an example of filtering my MAC address here. There's an example of filtering for proximity UUID, major and minor number, which are all Bluetooth Low Energy iBeacon. That would be helpful for the hide-and-seek, I think. For the Bluetooth, that might be helpful for the hard hide-and-seek, especially the hard hide-and-seek that hasn't been found yet. That's correct, yes, that one hasn't been found yet. Okay, just checking. Yeah, so those features... yes, probably a lot of points to those. Those features were built specifically for fox hunting and finding things, or if you wanted to track, for example: I know every time my mother-in-law pulls into the driveway, because I've got a little screen running Blue Hydra and she is set in the filter list, and before she knocks on the door I know that I'm not home. All right, so now you have the backstory. So I was driving down the road, 'cause my kids swim and I drive down the road a lot. And he's got a nice car, though, so it's okay. Yeah, and I was thinking of things, and, you know, as you do when you're driving down the road, and I called Rick
and I said, hey, listen, I'm going to train some folks that need to find people, and they're gonna track things and they're gonna do things, it's really, really neat, blah blah blah. What if we were able to say, hmm, track a Bluetooth device that was not active, that was just sitting in somebody's pocket? That's, like, crazy talk, because, you know, if Bluetooth isn't connecting, it's not beaconing, it's not trying to talk to anybody, it's not being loud, it's just sitting there on the device. Most people are pretty okay with their Bluetooth device in their pocket. Who turns Bluetooth off when they leave their house? For real, every time you leave your house you turn Bluetooth off? No, no, hold on, wait, ask this question in reverse: the hell do you use Bluetooth for at your house? Seriously, I mean, I use my headset when I'm on the road, not when I'm sitting at my desk. I use my watch so that I don't miss phone calls when I'm, like, out and about doing things like this, and can be like, oh, that one's not important. Yeah, like, what would you use Bluetooth for at home? No one? Okay, cool, that's what I thought. Yeah, so... speakers? Get wired speakers at home. You don't bring the speakers with you. Oh, man. All right, I'm driving down the road. Nice day. Can we do this? He goes, nope. Yep. Well, call it... it's a weird conversation. It was a whole lot of us both saying, like, one word. Maybe, I don't know. So there's this thing called layer two. Layer two is an interesting protocol set. Go ahead. Layer two is all I'm good at. You can definitely read my code, you'll know that I'm telling the truth. I can't do that, but I understand. So Bluetooth is a really fabulous spec. Yeah, layer two is really, really open, so there's this thing called an l2ping, which is basically like our ping would be, which is, you know, here's a MAC address, ping it, and it just responds to anybody all the time, no matter what. So once you know somebody's Bluetooth MAC address, you can just kind of ping it and they will respond to you all the time, or ping flood them and slowly drain their battery. So the very last line on this: BD address, BD_ADDR. l2ping is on almost all your Linux boxes. You can run l2ping, you can ping things. Okay, neat. So now we can ping something. Cool, big deal. So we decided to use layer 2 to our advantage, and I said, Rick, you can do something with this, and about an hour and a half later he called me back. Yeah, so Bluetooth is special in a lot of ways. The MAC address issues I was talking about earlier come into full force here. If you're sniffing and you catch a Bluetooth address, you only get the last three octets. Ubertooth tools have the ability to discover the fourth octet. So the Bluetooth address is divided up into three sections: the network address part, which is the first two, which are used for crypto exclusively; then there's the upper address part, which is one octet; and then there's the last three octets, which is called the lower address part. The lower address part is what you get for free. Ubertooth tools actually can recover, if there's a decent amount of data, the upper address part. What's really cool is that that is all the device cares about. You can ping ZZZZ plus the correct MAC address and it will respond. You can ping FFFF plus the correct MAC address, it will respond. It does not care at all about those first two. They are not used in any communications that aren't encrypted, l2pings being completely unencrypted. So with the Ubertooth, or with a device that has once been in discoverable mode, that we have caught and captured that MAC address, we have enough of the MAC address to ping you forever, and we'll be able to tell if you come back in range. The most fun part of that is I can say something silly like, do you know what your Bluetooth MAC address is? And half the people here in the next hour are gonna look at their phone and try to figure that out, and when you open up the Bluetooth menu you're discoverable that whole time. You know, because what would you do if you couldn't get a device to pair? You'd open the Bluetooth settings, so it's gonna automatically set it to discoverable mode for you. Or maybe you're just gonna reboot your phone, because it's Windows 95 and reboots fix everything. Well, that turns your Bluetooth into discoverable mode as well. What about when you're on the airplane and you turn it off, because, well, I guess you're living two years ago when they told you how to turn it off. But when you turn it back on, you're in discoverable mode again, because, you know, that's when things pair, so obviously you need to be in discoverable mode because you turned on your Bluetooth. So it's pretty easy to capture it. Once you capture it... oh my god, don't touch that, thank you, it was humming really bad. All right, so again, I'm driving down the road, get to where I'm going, he calls me up, because, hey, try this. So I said, huh, okay, I'll try it, the code
you just sent me, just blindly, 'cause that's fun. So we have the old version. This is pinging a watch. It happens to be on my wrist, so if I put it close, you notice, if you look really, really, really closely, the RSSI return value: zero. Yeah, it's not on the screen, it's on my screen. I can see what you can't see. His screen, come on, come on. That's even funnier. Sorry, it's his first time presenting, is this hour? There we go. All right, cool, so see that RSSI return value? It's like zero. No, it's like seven, 10, 21 as it's moving away. Okay, we're now tracking a non-beaconing device, but that view sucks and it's really slow and we don't really like it. But I wrote it in, like, 20 minutes, which isn't bad, but, you know, it could be better. I proved it worked. So it was tough to read, it's hard to track, so therefore I said, hey, let's do some other... Russ jumped in and said, hey, what if you do this? I get this, hey, call me back in 20 minutes. Cool. So stop the one, yeah, nothing sideways. Yeah, mirrored screens are nice, you should try it sometime. All right, so in comes the new version. Well, look at that. We come back, it moves away, red line gets bigger, red line gets smaller. Make the window full... um, yeah, projector resolution, whoo. I'll make it bigger, close this, let's say close, somewhere I can't see, upside down. I think it's... from here, there we go,
there we go so my watch is close to where my Bluetooth radio is that when it moves away and when it gets closer em is the peak of my graphical user development I hope you all like this GUI but what we see with this is very important and I would like to put majestic 12 on the spot because they actually were the first to use this tool and in about what three or four hours they found a completely standard Samsung Galaxy S I don't know seven or something not connected not open locked sitting on a desk or was it on somebody I don't know where it was what it was at the info booth oh there we go so mobic s-- didn't go very far good friend they were able to track this in all of this space by bottlenecking and or doing whatever tactics they do because they're actually really good at fox hunting and we applaud them and they'll probably give a talk next year on it but that being said think about the possibilities of sitting outside of a parking lot sitting outside of a building sitting near a neighborhood and waiting for something or someone to come into play now by saying something this is a cars bluetooth this is a watch this is a phone this is roughly what we've been seeing roughly 15 20 to 30 meters with internal radios so completely not looking like a hacker with wires and antennas and all that crap literally the internal radio on these devices beaconing this information back to you now how do you get the MAC address you say huh interesting you was anybody here for wasabi and Rick stock earlier where they talked about enumeration discovery and all that kind of fun stuff like the building blocks of what we actually do I was yeah I was going to and I listened it was good but when you do discovery when do you do discovery you do it in the morning you do it at night you do it at lunch you do at the coffee shop you do at the airplane you do at the train all places where people are connecting and disconnecting from things and looking at their phones has arrived a train 
occasionally subway or train do you ever see anybody's face you see tops their heads or on their phones right there listen to headphones they're on their phones most people nowadays it's cool to not have wires coming out of their headphones well because of that at some point they have to pair at some point they have to open things I pick up so many things the reason that I asked for this tool that exists I was sitting in a coffee shop waiting for my wife to get finished doing something you know the owner of my company so it was probably important let's just go with your boss here we go and this guy walks in well the guy happened to be the guy running for governor for the state of Maryland he happened to have a Tesla how do I know this because he was beaconing blah blah Tesla he had a bluetooth device that was called blah blah's iPhone and he had on that laptop with him that was called blah blahs Mac or blah blahs whatever that being said I went up to him and I said sir you realize I know who you are where you are when you are and why you are and what you're doing and he looked at me kind of kind of cockeyed and I was like here's this here's this here's this and I'm guessing your license plays is this and he goes are you stalking me I said no you just gave me all that information by walking into Starbucks I happened to look outside there were two Tesla's in the parking lot one happened to say blah blah for Governor tough gas right and after all this all he got was a button that says vote blah I did I got the button and I didn't but anyway there is a real problem here folks and the real problem is the fact that all these devices are made for our convenience but they're all beaconing they're all yelling they're all screaming for years the wireless village prior known as the Wi-Fi village thank you mr. 
Kelly in the back, by the way. John Kelly, raise your hands, John. John actually started this like a billion years ago, and I took it from him because he got too lazy to run it anymore, or too successful, I'm not sure which. To start, he was too smart running it, Marty, to run it anymore. But this all kind of started with him, so, you know, hey, thanks. He slowly backs out the door. But we were all worried about Wi-Fi: turn off your Wi-Fi radios, turn off this, turn off this. Well, I'm here to say, guys, if you have Bluetooth, it exists and we can find it. So you're saying, hey, this sucks, I have turned all mine off. No you don't, because we're the Wireless Village
and we care. So the defense against this, and we're still working on it a little bit, but the defense against this is to actually attack yourself with this same attack. If you've got enough devices pinging your device, it doesn't allow other devices to ping it. Now I have some ideas why. Oh, I actually can, I can explain this one now, finally. He posed this to me like three days ago and I'm like, I don't know, and yeah, it turns out Android specifically, I know, who has
a default now where it can only connect to five devices at once, but you can change that default to only connect to four, three, two or one. So if, for example, I'm the kind of idiot that has to have a watch and extra radios that connect via radio to me, I can set my phone to only connect to two Bluetooth devices at once, and then as long as I turn off my goTenna before I try to use my headset, I am good to go and I'm completely immune to somebody pinging me to death. So yeah, thanks for adding that in Android 9, Google or Alphabet Corp or whoever you are now, but thank you again. This isn't an ideal situation, but neither is being able to be tracked. So if you've got clients that you don't want to be tracked, building a little Raspberry Pi setup that just runs a script when it boots that pings their phone with two or three terminals, one or two radios, you're actually doing okay to block against this. It's not ideal, but again, like I said, neither is this attack and neither is this tracking. You see how effective it is: it is within feet that you can get to someone if you're really looking hard. That's kind of creepy. Now let's write "security", because, you know, we have to write slides, but let's talk real-world here. Let's say you've got a target. Pen test, assist, you know, you're an assassin, I don't care what you do, but you've got a target inside of a building, and you know that... you don't know who that target is, but you know that they have a phone, and you've got 15 or 20 phones, you've got a picture and that's all you got. Well, you wait till they come out, you wait for that to start pinging, you've got, you know, four or five different people that may have come out at the same time, to know who that is. You can then pick up additional digital information about these people. Law enforcement, military, counter-surveillance, any type of security work. Who does security work in here? Which means you're probably protecting something, or you're the adversary and you're attacking something. There's two sides to this
story. We want to make sure we're covering both, because we do both things. We're in the black world, we're in the white world, we're in both. But in doing so we want to make sure everybody's well aware: this sucks, this really sucks. I was thrilled that he wrote it, but then when it started, it's like, now we got to figure out a way to talk to people about how this works. So finding and tracking is a big deal when it makes sense. You know, they already did it. These folks, literally, we told them there was a tool called Blue Sonar, they used it, they found that phone relatively quickly. So you want to go to GitHub and set it up in Kali all by themselves, dude, that was pretty impressive. Yeah. Now, quick plug: it's already in Pentoo. If you download Pentoo, it's already there, you type sudo blue sonar, you've got it. All you need is the MAC address. The MAC address is the harder thing, but we showed with Hydra and with other Bluetooth tools you can get that data. Wireshark will get that data with Ubertooth beautifully, with a socket. There's a lot of ways to get this data, but understand you're very vulnerable to it. For the fox hunters out there, this is a really cool tool to get you points this weekend. For those of you that are doing security, this is a tool that could go a long way, at a minimum, in showing the people that you're trying to protect: hey, turn yours off if you don't need it. We've been talking about turning stuff off if you don't need it for years. Here's another good reason to show why. I want to do another plug. This is, this is not even a pet project, this is some garbage BS that I wrote as a POC because Rick said, I wonder if this is possible, and I said, I'm pretty sure it is, let's find out together. Try things, try things, and then put them up places for other people to try them and be entertained by it. I maintain that my code is good enough that a real coder can look at it and say, oh, is that what you wanted? And then they go in there, take the tool and they rewrite it and they make it way
better than I ever could. But the point is, this stuff's not hard. l2ping is just built into Linux, and I've got a shitty shell script that's parsing the output from it and pulling for RSSI, like a threaded bash script. This is not impressive, this is not cool. The impressive part is that it actually works, and it's kind of neat because nobody else, nobody else wrote like 20 minutes' worth of shell to do this particular thing before, and so it turns out to be really useful. But these are the kinds of things that you do for fun, and you check to see if it worked, and then it works, and then you talk about it on stage. But really, I want to stress just how silly this was. I mean, this was literally a phone call between him and I after my kids went to bed, while he was driving home from a swim meet. Like, this is, okay, I guess we're weird, but this is what we discussed. So, draw the phone, and, you know, yeah, then I wrote 20 minutes of shell script and made the first version of this. So please do things, try them, put them on GitHub even if you think they suck. My code all sucks, lots of it's on GitHub, like half, maybe more, of those people are running a bunch of my code as root. I don't know why, but they are, and they all trust me, so I don't, you know... I, at least if you're on my distro, like the guys on Kali, I'm gonna add a uname check in there next. I didn't say that. Anyway, any questions? Yeah. So in Android 9, the question was, where is the setting to limit the number of Bluetooth devices? In Android 9 it is an option under developer settings, just regular developer settings, no like rooting or anything weird like that. So the question is, what about privacy when the MAC address is constantly changing? And the answer is, what world do you live in? LE privacy extensions are a bitch, and this is a classic mode tool, where none of the MAC addresses ever change like that, because the protocols don't support it. Bluetooth Low Energy for the most part also doesn't implement that yet. A lot
of tools, headphones and things like that don't implement the MAC address privacy. Very, very, very few devices do, one of the exceptions being the Bluetooth Low Energy on Apple Watches actually seems to implement it, and a couple of the marketing beacons that I've seen implement it, basically so you can't spoof their marketing campaign, which is like the coolest thing I've ever seen come out of a marketing product: random MAC addresses four times a second. Not that we would be using anything like that for our challenges. But that being said, there are... the proxy UUID doesn't change, so in a lot of cases there are other things that are there. The MAC address doesn't, but other things don't. Blue Hydra implements all that, it pulls it all out for you, so even if it is changing, hint hint on the hide-and-seek Bluetooth, you can find it by proxy UUID. So the question is, what are the packets? And the answer is, it's a packet literally called l2ping for Bluetooth, so it would be equivalent to an ARP ping
if you're talking about like a TCP/IP network. It's just a layer 2 ping, MAC address to MAC address, and that's all it does. It's just really, really simple. It literally creates an unencrypted connection between you and the device, it says yo, and you say yo, and OK, cool, RSSI. And it's phenomenal security on Bluetooth, because there's all kinds of Bluetooth IDSs and Bluetooth, yeah, monitors and Bluetooth, you know, SIEM implement... no. You've been drinking? I have, yes. Oh, question, sorry, next question. Oh God, Woody, yep. Yeah, so the question is, when you're using Blue Sonar, are you passive or active? Active. You are totally active, you are sending a ping, you are getting a response. Again, who here has a Bluetooth IDS? Yep, that's the number of hands that should go up. This is not something that's reported to you by the phone. If you remember, like a million years ago, when they first started implementing like the really nasty harassment over Bluetooth in like football stadiums and stuff, you'd get like a pairing request. You don't get any of that. It's completely invisible to the user. It's an unencrypted connection, no pairing, and it just sends a ping back and forth and then disconnects, or in my case I keep the connection open, but it's dead silent to the user. But it is absolutely being transmitted, and we haven't noticed a whole lot of battery degradation on it either, unless you totally flood it. Second row: are there legitimate devices that are using a constant ping over Bluetooth? Lacking a Bluetooth IDS system of my own, I legitimately have no idea. I don't think that makes any sense. I think that this is, you know, there are uses for this, but I don't think anything would be doing like a constant ping like I'm doing. So yeah, like three or four pings inside of a minute would probably be a dead giveaway for a tool like this, so if anyone's writing a Bluetooth IDS, there's your first rule. First row: so how fast can you send the packets, is the question. Oh, I've got, uh, basically a sleep in there to control, like, okay, I want to do four a second, or I want to do one a second, or whatever. l2ping has a -f flood ping option which will send them really, really fast, the difference being that's gonna hit one MAC address at a time. The MAC address space is huge, so if you were to rewrite that tool to ping a different MAC address every time in flood mode, it's slow, really slow, you could legitimately ping every address in the airspace. The problem is it would take years. There's actually a tool out there called RedFang, I believe, that does brute-forcing of Bluetooth MAC addresses, and the chances of finding one is approximately winning the lottery. Yeah, finding something with an Ubertooth or whatnot is much more reliable, much more reliable. It's four bytes that you have to find to successfully ping something, you know, the media... So what if you know the manufacturer, so trying to limit the space? The manufacturer is actually the part that's cut off and doesn't matter for the most part, so limiting the address space is really, really hard. Yeah, it's definitely a tough thing. In the back: what does the specification say about l2ping handling? I have no idea. We have tested this against any number of phones, watches, headsets, and the reliability seems extremely high. Some things do go to sleep after a while, having nothing to do with this, like if it's a pair of cheap headphones or good headphones, sometimes they'll say I'm not connected to a phone and they'll kind of go into a really low power mode where they don't respond to these pings. Phones, indoors, go to sleep in about 20 minutes. Yeah, by and large they will respond, assuming they're responding to anything, and everything new stays up forever. Yeah. Have I used Blue Hydra with BLE? What, with the Adafruit tool? Oh, with the Adafruit tool, no, no I have not, and it wasn't really written to do that, was it? Well, so the Adafruit Bluetooth sniffer is a Bluetooth Low Energy sniffer similar to an Ubertooth One. I have an Ubertooth One, quite a few of them
honestly, and so I used what I had sitting at my desk. We also, I was developing it for a customer who wanted to use Ubertooth One, so that's what I did. There's no reason that it couldn't be added to Blue Hydra to support an Adafruit tool. Right now I'm actually not doing any passive Bluetooth Low Energy stuff at all in Blue Hydra, because BTLE is pretty chatty to start with. I want to add that, but then I go and write 20-line shell scripts that turn into talks at DEF CON, so I'll get there, honest, or I will accept your pull request, one of those two. Yeah, glasses. So Bluetooth Low Energy isn't... it's low power as in the CPU can power down for long periods of time, the radio can power down for long periods of time without, you know, breaking the connection or breaking whatever it's doing. The actual, like, transmit power is roughly the same. It's class 1, class 2, class 3, they're not like weaker, they're not shorter range. It's talking about these sleep cycles and the power-down states that they're able to maintain, and that's what makes it Bluetooth Smart or Bluetooth Low Energy, Bluetooth 4. The one thing that scares me a bit about Bluetooth, I just threw this back up: if I get your BSSID, it's the Norview that didn't turn off your Bluetooth, yeah. I get your wireless BSSID, your MAC address. I have a MAC address, I know by OUI, I look up that it might be a Dell or an Apple or a, you know, Huawei. With this, I'm looking at you guys, I mean, I'm literally pulling your name, your phone, your Fitbit, your information. And unfortunately I haven't found a way, and I'm sure there may be a way in the underlying, the underlining capabilities, but watches, I have a Samsung S3, I've got the Apple Watch, I've got a couple, you can't change the name. It's based on the username of the account that you set it up with, so "Rick's Apple Watch" comes up whenever Rick's Apple Watch is around, and that bugs the crap out of me because of exactly this screen. This is a security conference. Now, granted, I don't think we're
supposed to use the term muggles anymore, but there's a lot of muggles here that have no idea what security is, and they're here because it's really cool to be at DEF CON. Tourists, tourists, muggles, whatever you want to call them. But that being said, there's a lot
going up on that screen that's extremely personal information. That scares me a hell of a lot more than a BSSID, of you knowing I have a Dell laptop. Yeah, me and 45 other people in the room. Yeah, the database on this tool is pretty fun too, but this isn't a Blue Hydra talk. Yeah, right, so the question is, because a lot of phones have sequential MAC addresses across Bluetooth and Wi-Fi, could you use that to figure out things? And the answer is hell yes, and the answer is I've been begging for somebody who can actually code to make that Kismet plugin for a long time, because Kismet actually can see the Wi-Fi stuff and then it can see the Bluetooth stuff, but it's only gonna see like what's in discoverable mode and whatnot. But if you wrote a tool that literally saw, okay, Wi-Fi MAC address, this is a client device, I'm gonna ping one up and one down, just for the sake of argument, and see if I find a Bluetooth device, that's a totally legitimate thing to do, and it's great. The one caveat there is the MAC addresses for Wi-Fi are kind of starting to get random. This isn't a Wi-Fi talk, but that is a thing right now. Everyone, everyone, everyone, I don't care what your marketing department says, Crapple is bad at this, okay? Apple specifically adds an extra element to each one of their packets that has a randomized MAC address that tells you what the original MAC address was. Good design. And Android has this supported, except for it also has to be supported by the chipset, and almost none of them are. I think last time somebody did a poll of which Android phones support it, the answer was like one. So we're slowly moving towards that. Actually, if you want it, Windows 10 and NetworkManager in Linux do a great job of randomizing the MAC address, and that is the exhaustive list. So be embarrassed, because Windows beat us to the punch on good security. Actually, seriously, that's pretty cool. But yeah, you can, if you catch a legitimate MAC address, do the one up, one down thing. It's getting harder,
but it is definitely still a thing. Second row: is that the last octet? Usually the last octet is the one that is changing. Again, not every phone has exactly serialized MAC addresses, some of them have completely different ones. A lot of companies just don't reburn the MAC addresses. Apple for a long time was famous for reburning them to be serialized, and apparently the new ones aren't. So, you know, what you're gonna get out of that may or may not be amazing, but it's still a whole lot better than not trying, as this tool proves. Try. Don't, don't just say it's not possible. Try. Sometimes you come up with something that's crappy. This photo: try, there is no try, do. Do and see if it works. Please feel free to do so. Install Pentoo. Hey, what's the passphrase to the open network for the CTF? It's down. It's down. The passphrase is "install Pentoo". Maybe the NOC team can help me set it up again. I don't know, I'm pretty stupid, yeah, I am, it's true. Well, thank you for sitting through our drivel, appreciate it. [Applause]
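The speakers' proposed first rule for a Bluetooth IDS (three or four l2ping echo requests from one address inside a minute) carried into working detection logic, as an added example that is not part of the talk or of Blue Sonar; the log format, event names and addresses below are constructed for this example and are not btmon, hcidump or Blue Sonar output:

```python
"""Added example, not code from the talk or from Blue Sonar: a minimal
Bluetooth IDS rule for the heuristic suggested on stage, that a remote
address sending three or four L2CAP echo requests (l2ping) within a minute
is a likely tracking probe. Log format is constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # the talk's "inside of a minute"
THRESHOLD = 3                    # the talk's "three or four pings"

# Constructed sample: remote address EE:01 probes every 15 seconds,
# while EE:02 sends an occasional echo request minutes apart.
SAMPLE_LOG = """\
2019-08-10T10:00:00 AA:BB:CC:DD:EE:01 ACL_CONNECT
2019-08-10T10:00:01 AA:BB:CC:DD:EE:01 L2CAP_ECHO_REQ
2019-08-10T10:00:05 AA:BB:CC:DD:EE:02 ACL_CONNECT
2019-08-10T10:00:06 AA:BB:CC:DD:EE:02 L2CAP_ECHO_REQ
2019-08-10T10:00:16 AA:BB:CC:DD:EE:01 L2CAP_ECHO_REQ
2019-08-10T10:00:31 AA:BB:CC:DD:EE:01 L2CAP_ECHO_REQ
2019-08-10T10:00:46 AA:BB:CC:DD:EE:01 L2CAP_ECHO_REQ
2019-08-10T10:03:00 AA:BB:CC:DD:EE:02 L2CAP_ECHO_REQ
2019-08-10T10:06:00 AA:BB:CC:DD:EE:02 L2CAP_ECHO_REQ
"""


def parse_line(line):
    """Constructed format: '<ISO timestamp> <remote bdaddr> <event>'."""
    ts, bdaddr, event = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), bdaddr.upper(), event.strip()


def detect_echo_probes(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per remote address whose echo requests inside a
    sliding window of `window` reach `threshold`. Each alert is
    (bdaddr, time the threshold was reached, count inside the window)."""
    recent = defaultdict(deque)   # bdaddr -> timestamps of recent echo reqs
    alerts, flagged = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, bdaddr, event = parse_line(line)
        if event != "L2CAP_ECHO_REQ":
            continue                  # connects, pairing etc. are not counted
        q = recent[bdaddr]
        q.append(ts)
        while ts - q[0] > window:     # drop echo requests older than the window
            q.popleft()
        if len(q) >= threshold and bdaddr not in flagged:
            flagged.add(bdaddr)
            alerts.append((bdaddr, ts.isoformat(), len(q)))
    return alerts


if __name__ == "__main__":
    for bdaddr, when, count in detect_echo_probes(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when}: {count} echo requests from {bdaddr} within a minute")
```

A real deployment would feed this from an HCI monitor on the defended host; the rule only counts echo requests, so normal connects and pairing from a user's own headset do not trip it.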