
Thanks, man. Thanks, guys, for having me. So, besides sexing up my talk a little bit, they gave me the title "Hacking the Internet of Things," and I really think they basically gave me the equivalent of clickbait for talk titles. So it's not quite that sexy, but we'll try to have some fun.

A little bit about who I am: my name's Jason Davison. I'm from Buffalo, New York, originally, and I moved here in June; it was a fantastic improvement in my life. I'm a threat analyst at PhishLabs. Lots of cool people over there, lots of fun, good work. And, I mean, Twitter's cool, so hit me up on Twitter at @JasonDavidson, and we'll get down to business here.

So why are we here today? Well, we're here to celebrate information security. No, I'm here to talk about a little bit of research I did in school, and I'm trying to convey a message to the non-standard infosec audience. So if you don't work an infosec job 40 or 80 hours a week, or whatever we work, this kind of talk is targeted a little bit towards you and how you can take your first steps and get started in information security, things like that. So yeah, for those of you maybe in school, and for those of you who are not in school but are in infosec and looking for something fun to do, you know what I mean: just hack the planet, man.

So here's a look at our agenda for the next 30 minutes to an hour; I definitely won't go till time. I first want to introduce and formalize the concept of the Internet of Things, talk about what it is and what it's becoming, and we'll talk a little bit about how Bluetooth fits in there and why Bluetooth is a good fit. Then we'll move into the Bluetooth protocol: how Bluetooth devices identify themselves, the pairing process, Bluetooth communication, things like that. And then I'll step into my research, which includes this lovely light bulb, and hopefully I'll give you a working demo. We can move forward with questions, and I'll wrap it up with a conclusion there at the end. Also, I want to get this out there: this is my first presentation, so this is as much a learning experience for me as I hope it is for all of you. So if you have constructive criticism, or any criticism really, feel free to share that with me so I can become better at this.

So, formalizing the Internet of Things: such a flashy word used by the news and various other industries for clickbait, things like that. So what is the Internet of Things? Well, I think of the IoT as a world where every physical device is connected to the internet. You can imagine trash cans, refrigerators, toasters, dishwashers, laundry machines, things of that nature, all connected to the internet. And yeah, you could imagine your fridge telling you you're out of milk or you need eggs, your washing machine having the capability to tell you that your laundry is done, or even your dishwasher telling you to empty the dishwasher, it's ready for another cycle.

So 10 billion wirelessly connected devices existed in 2013, and moving forward, the ABI Research group predicted that there would be 30 billion devices connected by 2020. So it's not that the IoT is really something that isn't already here; we are already experiencing it. And I think, as the infosec community, and as members of information security, researchers or just infosec professionals, it's our duty to basically try to do our best to bake security into the Internet of Things now, as opposed to how it's been done in the past, where security's just kind of spread on as a frosting. I would like to see that taking place here over the next several years.

So now we want to know: where does Bluetooth really fit into all this? Well, Bluetooth is a nice short-range protocol, and it has a niche in IoT; it finds more of its niche in IoT, and I think as IoT grows, Bluetooth will also grow. So a little bit of background on Bluetooth: the Bluetooth protocol has been around since 1994, and it offers us convenient use for everyday technology, things like your headsets, the hardware on your computer like various wireless keyboards and mice, this light bulb. So Bluetooth is all around us already, that's nice, and as IoT grows, I suspect that they will grow together, as I was previously saying. As for the number of Bluetooth devices currently being shipped, I believe Bluetooth estimates that three billion devices are being shipped every year currently, and they suspect by 2019 there will be 5 billion Bluetooth-capable devices being shipped every year. And this is a pretty trivial point at the bottom, but the more popular something becomes, whether it be a protocol or as the IoT grows, the more it becomes a higher-value target to attackers. So, like I said, I'd like to see security being baked in now, as opposed to spread on top later, before it's too late. And the people over at Bluetooth do a good job; they take security really seriously, and when they implement a new version of the protocol, or they move on, they make sure that they're working it in as well.

So Bluetooth networks: how are they structured? A Bluetooth network, basically, you can think of as a piconet, or a personal area network. Traditionally a piconet consists of one master device, where the master device is the smartest device in the piconet; it can be thought of as the defining device. And here we see there's a master, and it connects to one slave device. This can be represented here by my ability to connect to the light bulb.
Maybe. There we go. So we have our one master device, which is my cell phone, and we are able to control our slave device, in this case the light bulb. But you can also imagine where we could have multiple devices in a piconet, one to many. So if I had seven of these: typically one master can connect up to seven slave devices, and, well, let's be honest, seven of these would be awesome; your life would be a non-stop party. So yeah, that's basically how Bluetooth networks are generally structured.

So how do Bluetooth devices identify themselves? Well, a Bluetooth device has a unique 48-bit identifier, similar to a MAC address basically; it's pretty much the exact same thing, except it's structured a little bit differently. Each Bluetooth address consists of three parts, as can be seen in my awesome diagram there: the NAP, the first two bytes, is the upper, or non-significant, address part (my apologies); the next one byte is the upper address part; and the last three bytes are the lower address part. Now, together the non-significant address part and the upper address part, so the first three bytes, make up the manufacturer ID, and the last three bytes make up the device ID, which is unique to the device and assigned by the manufacturer. And that's how Bluetooth devices identify themselves.

Moving forward, we'll talk about the pairing process here. So before two devices can begin communicating with one another, they must first be paired, and before they can begin pairing, the master device has to be able to discover the slave. This pairing process is probably not the pairing process that everybody's used to; you're probably used to just a user interaction, enter the passkey and PIN. This one may be a little bit dated, but you can think of that as user interaction. So that's what generally is needed to start the pairing process. So before they can connect, the master must discover the slave, or they must enter an inquiry phase. When you're in discovery mode, you're basically sending out requests and waiting for other devices to reply to you with their address, or whatever gets the pairing process started. And in some cases, where Bluetooth devices require UI, that could be a passkey; I believe it can be anywhere between 4 and 16 digits, and I believe the default on most devices is 0000. That's the default passkey to start the pairing process.

So here we can kind of see that none of the authentication or any of the keys created are ever sent in transit. A random number is always generated on both devices, and in the first step the master device tries to sync up with the slave's clock: the master device's clock is used to sync the slave device, so they're both generating these numbers off the master's clock. The pairing process is complete after it goes through all these steps here, and each time a random number is generated, it's just to make sure that the slave device is still on the same page as the master device in the pairing process.

So Bluetooth does this pretty interestingly: paired devices move between 79 channels 1,600 times per second. So what the master device does, once everybody in the piconet is synced up using the master device's clock, is develop an advanced frequency hopping map where devices can move across channels, and this is generally done to avoid noisy channels. The map is created so the communication channel stays open, because Bluetooth operates around 2.44 GHz, and 2.4 GHz is pretty much the garbage band. So this AFH map comes in handy when devices are trying to talk to each other. This also makes it really difficult to passively sniff Bluetooth traffic; it is not something that's done trivially. You generally have to get a special dongle to go ahead and try to passively sniff Bluetooth traffic, which I'll talk about here in a little bit.

So, my research. If anybody wants to take a nap or anything, it's cool. So I was approached by my professor at school, and there were three devices that we were given. Our research topic was hacking IoT, and I ended up with this Bluetooth light bulb; the other one was a Dropcam, and one was a door lock that operated via Bluetooth, which probably would be really cool to get my hands on. So when I started my research, I wanted to basically think about, all right, what potential attack vectors does this light have? And obviously there was one main attack vector: the mobile application communicates to the light bulb via Bluetooth, basically. So there's the Bluetooth protocol I had to look at; I had to figure out, all right, how does this protocol work, where does it implement security, and what potential attack vectors exist there. And the other thing that I wanted to look at was how the mobile application controls the light bulb: how is the mobile app using Bluetooth to get the light bulb to change colors, or flash, or whatever functionality you choose? And I didn't want to attack the mobile application, because at what point does attacking the mobile application become attacking the phone? And then, if you have to root the phone, have you really attacked the light bulb? You kind of circumvent just attacking the light bulb through that methodology, so I tried to stay away from that as much as I could.

So this fantastic project, Ubertooth One, I believe it's developed by Michael Ossmann, allows you to passively detect Bluetooth devices and follow them through the AFH map and follow them through channel hopping, things like that. I'm trying to keep this at a little bit of a higher level, but the discovery of the upper address part is what's really difficult with Bluetooth, because you can figure out the LAP: the LAP is transmitted at the beginning of every single packet in plain text, so that's pretty trivial to capture. The UAP, however, the upper address part, is much more difficult, and it is necessary to be able to figure out the UAP in order to follow a master device and slave devices throughout the AFH map. If anybody wants to talk about that after the fact, I'll be more than happy to give that a go, but I'm doing my best to keep a different message in my talk here.

So ultimately, as awesome as Ubertooth One was, I had little success sniffing traffic between the mobile device and the light bulb, and this was because the manufacturer of the light bulb kind of tweaked the Bluetooth protocol, and I think they did this via the application. So it's not a standard implementation of how Bluetooth would normally be. I remember doing research in my apartment, and I had Netflix on in the background, and I got a crazy amount of traffic when I was running a capture, but it was for my PlayStation controller. I was like, yeah, I did something! No.

So I was kind of bummed out there. I was like, all right, well, how do I figure out what this traffic looks like exactly? And then Android came to the rescue. This is basically the equivalent of cheating in my mind: developer mode on Android. You just enable developer mode, and you have the ability to sniff Bluetooth traffic off the Bluetooth interface on the Android device. So it was as simple as enabling developer mode, clicking "capture Bluetooth traffic," going back to the application, sending commands, killing the traffic capture, and then pulling it off the phone, actually in this case using ADB, the Android Debug Bridge, which is a fantastic tool for Android developers. I just pulled that off the phone, and then I opened the traffic in Wireshark and I was able to see exactly what was being sent to the light bulb and how the two devices were communicating.

So the last piece of the puzzle was using BlueZ. BlueZ is the Bluetooth stack for Linux, and there are kind of two pieces to the puzzle here. hcitool can be thought of as kind of the Swiss army knife of the BlueZ package; basically, hcitool allows you to communicate via the host controller interface to different Bluetooth devices. And then there is gatttool, which stands for Generic Attribute tool, which basically allows you to use the terminal to use your Bluetooth interface on your Linux machine. So without any more explanation, we'll take a look at, I guess, the Wireshark traffic quick, so you guys can understand how easy it actually was, and then we'll make the light flicker a little bit and talk about some ramifications, what could be done with that.

All right, we've got to increase that. Let's see. All right, that's a little bit better. So, Wireshark. BT what is it? BT cool. All right. And I apologize for this being difficult to see; I'll do my best to explain it. So we can see our local host being our machine, or in this case actually the Android device, and then our remote host being the light bulb. If we go down here to the Bluetooth Attribute Protocol, you can see that it uses the write opcode, so we're writing, we're sending a command to the light bulb. We have a handle; the handle can be thought of as an identifier for which attribute you want to modify. In this case I assume 2e is basically specifying that we're going to change the color attribute, something of that nature, and then you can specify the value you're sending to the light bulb. In this case I believe cc2433 is off, so that's me turning the light bulb off. We'll kill Wireshark here and we'll play with the light bulb a little bit.

All right, so we'll do sudo. Actually, yeah, we'll just go for it: sudo hcitool lescan. I can't type, and that's all right. Oh, look at all the Bluetooth devices. So clearly one of them is the light bulb, a couple of other people popping in here. So this is just a basic survey of Bluetooth devices in the room. Who's up here? Oh man, look at all the devices. All right, so we clearly have our light bulb. Well, now we're going to utilize gatttool here: --help. Oh man, bummer, can't type, huh? gatttool: command not found. Need another... oh, good call, thank you very much. Okay, let me just full-screen this. All right, so gatttool: we can see here that we have the ability to char-write under the gatttool commands. We can send char-write, which we saw in our Wireshark packet capture. We also have the ability to char-read, which in future work I'm curious about: what can you read from the light bulb, or what does the light bulb have for you to read back? We have char-write, and then we're going to go down here to our characteristics, our value descriptor read and write, and we have -a, which specifies our handle, and -n, which is the value we're sending across. So we can go gatttool -b for the Bluetooth address that we're utilizing here, and --char-write -a for our handle value, which was 0x002e, and then I believe cc2333 should turn it on. Oh, bummer: missing, a -a value is required. Oh, forgot the -a. And... cool.

Let me get out my... do I have it? I do, my list of fun commands. So my last command that I put in: if you have any thoughts about epilepsy or anything like that, just don't look at the light bulb. So yeah, utilizing that, we're able to do fun things, you know what I mean. You can go through and we can change colors: 56 0 d0 0 ff0 f. Good call, appreciated. Did that change it? Nope, didn't change it. 56 d2... oh, actually, you know what, instead of failing I'm just going to stick to the simple commands, and we'll make it strobe right now. So you can go through and you can do things like modify... 3... oh man, 3 BB 38144, not changing, huh? Right, there we go, it just took it a minute. Interesting, normally it's right away. So you can go through and do things like that. Now, there's no reason that any person with epilepsy should probably have these in their house, let alone an entire piconet of these, but you could imagine (this is a stretch) health ramifications: Johnny Black Hat downstairs, if your device isn't paired with the piconet of light bulbs, pretty much has free rein to write to these and change their color and make them strobe, and things of that nature. 36 0244... oh, that's too much. 244, like, that's intense, you know what I mean. But everybody who wants this now is ready to party. Exactly.

So that's kind of where I had come to a standstill on my research. Now I have the capability (well, I'm much busier now that I'm working and not in school), but now I have the capability to fuzz commands to the light bulb, you know what I mean, to kind of test the boundaries, test the waters of what works and what doesn't. And as I had said, it'd be really interesting to see what is on the light bulb that you can read back from it; for all I know, it may not be that interesting.

Moving forward here, so wrapping this up, hopefully a little early, much like that kitten snuggled in that blanket so awesomely: the IoT is here to stay. It's not going anywhere; like I said, it's already here, and it's becoming more and more real as devices can connect wirelessly to the internet. And as I said, our job as members of the information security community is to make sure of how security is being implemented and whether it's being implemented the right way. So like I said, go out and do research, and if you find something interesting, report it to the people developing the product and make sure that there's not a cool zero-day in your fridge or something like that, I don't know. Also, I believe Bluetooth does a good job of implementing security, between advanced frequency hopping and encrypted traffic and requiring user interaction before devices pair with one another. I think they're doing a good job over there on the Bluetooth protocol. And yeah, the Internet of Things is bringing new and exciting attack vectors to our everyday lives, so to my target audience: go hack something. All these things now exist. Thanks to Josh, there's Bluetooth paper; thanks, Josh, for pointing that out. Bluetooth paper: I went on there, I looked, there were Bluetooth pacifiers that monitor the baby's temperature. How fun would that be? You change the temperature so that somebody's like, "the baby's 112 degrees!" and everybody's freaking out. Toasters, you know, dishwashers, all that cool stuff. Cars: car hacking has been really big, Charlie Miller doing a lot of cool stuff with that. So, yeah, go out and find something that you think is fun to do and fuzz the hell out of it, you know what I mean. Go do some research, and who knows, maybe you'll find something interesting and be able to talk about it, and that would be a lot of fun.

I want to give a shout-out to a couple of people: thanks to my professor at Fredonia State, where I went to school; he was basically my mentor, he helped me out a lot, pushed me in the right direction in information security and stuff like that, and he gave me the opportunity to take on this project. That was a lot of fun, so thanks to him. I want to give a shout-out to the Charleston BSides staff and everybody here for giving me my first opportunity to talk; that was really cool, and hopefully I didn't blow it up here. And thanks to everybody here for paying attention to me, or trying to, for the last 35 minutes. I really appreciate it, guys. Cool.
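As an added example (not code from the talk or from the light bulb's vendor), here is a small Python decoder for the two things the talk reads out of Wireshark: the 48-bit Bluetooth address split into NAP, UAP and LAP, and an ATT write aimed at the bulb's handle 0x002e. The ATT opcode values are from the Bluetooth Core specification; the address and the packet bytes below are constructed, and the handle and value cc2433 are the ones quoted in the talk.

```python
from dataclasses import dataclass

# ATT opcodes this decoder understands (values from the Bluetooth Core spec)
ATT_OPCODES = {
    0x0A: "Read Request",
    0x0B: "Read Response",
    0x12: "Write Request",
    0x13: "Write Response",
    0x52: "Write Command",
}
HANDLE_BEARING = (0x0A, 0x12, 0x52)   # PDUs that carry a handle after the opcode


@dataclass(frozen=True)
class BdAddr:
    """The three parts of a 48-bit Bluetooth device address."""
    nap: int  # non-significant address part, 2 bytes
    uap: int  # upper address part, 1 byte
    lap: int  # lower address part, 3 bytes (vendor-assigned device ID)

    @property
    def manufacturer_id(self) -> int:
        return (self.nap << 8) | self.uap   # first three bytes (NAP + UAP)


def parse_bd_addr(text: str) -> BdAddr:
    """Split 'AA:BB:CC:DD:EE:FF' into NAP (AA:BB), UAP (CC) and LAP (DD:EE:FF)."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("BD_ADDR must be 48 bits")
    return BdAddr(nap=int.from_bytes(raw[0:2], "big"),
                  uap=raw[2],
                  lap=int.from_bytes(raw[3:6], "big"))


def parse_att_pdu(pdu: bytes) -> dict:
    """Decode one ATT PDU the way Wireshark shows it: opcode, handle, value.
    The handle is little-endian on the wire, so 0x002e arrives as 2e 00."""
    if not pdu:
        raise ValueError("empty PDU")
    opcode = pdu[0]
    info = {"opcode": opcode,
            "name": ATT_OPCODES.get(opcode, f"Unknown (0x{opcode:02x})")}
    if opcode in HANDLE_BEARING:
        if len(pdu) < 3:
            raise ValueError("truncated PDU: no room for a handle")
        info["handle"] = int.from_bytes(pdu[1:3], "little")
        info["value"] = pdu[3:].hex()
    return info


def is_write_to_handle(pdu: bytes, handle: int) -> bool:
    """True for a Write Request/Command aimed at the given characteristic
    handle: the packet shape that gatttool --char-write reproduces."""
    info = parse_att_pdu(pdu)
    return info["opcode"] in (0x12, 0x52) and info.get("handle") == handle


# Constructed sample: ATT Write Request to handle 0x002e carrying cc2433,
# the "off" value read out of the capture in the talk.
SAMPLE_WRITE_OFF = bytes([0x12, 0x2E, 0x00, 0xCC, 0x24, 0x33])
```

Run over a capture exported from Wireshark, `is_write_to_handle` picks out exactly the unpaired writes to the color characteristic that the talk demonstrates, which is the event a defender would want to log.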