Thomas Ost - SwissT.net
Transcription
Sniffing Bluetooth Smart: Focus on Security
Thomas Ost, Institut für Mikroelektronik, Fachhochschule Nordwestschweiz

Curriculum vitae: Thomas Ost
2013 - today: M.Sc. Electrical Engineering, Embedded System Design and Signal Processing, FHNW
2012 - 2013: ETHZ, Electrical Engineering and Information Technology
2009 - 2013: B.Sc. Life Science Technologies, Medical and Analytical Technologies, FHNW
2008 - 2009: Berufsmaturitätsschule Liestal
2007 - 2008: Automation technician, troubleshooting of measurement, control and regulation technology in biotechnological production, F. Hoffmann-La Roche AG
2003 - 2007: Apprenticeship as automation technician, F. Hoffmann-La Roche AG
https://ch.linkedin.com/pub/thomas-ost/b7/224/b01
[email protected]
[email protected]

Agenda
● Introduction
● Bluetooth Smart: what is the difference from Bluetooth Classic?
● Security problems of Bluetooth Smart in the 4.0 and 4.1 specifications
● How do I make my product secure?
● Passive sniffing tools: Ubertooth, the open-source variant
● Demo
● Summary

Introduction

WHY WIRELESS?

IoT: Internet of Things

Topology (diagram): Internet, router (R), WLAN and a LAN with a switch (S), devices (D). Legend: R = Router, S = Switch, D = Device.

Topology (diagram): devices (D) grouped around coordinators (C). Legend: C = Coordinator, D = Device.

Piconets (diagram): peripherals (P) each attached to one central (C). Legend: C = Central, P = Peripheral.

Scatternet (diagram): several piconets linked through shared nodes. Legend: C = Central, P = Peripheral.

Piconets (diagram): as above, plus non-connectable peripherals. Legend: C = Central, P = Peripheral.

Application areas: medical technology, fitness, security, automation, automotive, home entertainment

Bluetooth Smart: what is the difference from Bluetooth Classic?
● Low-power devices
● Data transfer = energy
● Lower data rate: < 1 Mb/s OTA, < 260 kb/s data throughput, realistically < 10 kb/s
● Shorter range: < 30 m, realistically < 10 m

Bluetooth 4.x: https://www.bluetooth.org/en-us/specification/adopted-specifications

Protocol stack (diagram, shown for both variants): Host: GATT/ATT, SMP, L2CAP; HCI; Controller: Link Layer, PHY.

PHY - Bluetooth Classic
➢ 2.4 GHz ISM band, 2.4000-2.4845 GHz
➢ 79 channels
➢ 1 MHz spacing
➢ 1 MHz channel bandwidth
➢ GFSK, modulation index 0.28-0.35 / PSK modulation
➢ Max output power 100 mW
➢ Throughput 1 Mb/s, 3 Mb/s and 24 Mb/s

PHY - Bluetooth Smart
➢ 2.4 GHz ISM band, 2.4000-2.4845 GHz
➢ 40 channels
➢ 2 MHz spacing
➢ 1 MHz channel bandwidth
➢ GFSK, modulation index 0.45-0.55
➢ Max output power 10 mW
➢ Throughput 1 Mb/s
The two PHYs are not compatible.

Security - Bluetooth Classic (Core Specification 4.2; stack: GATT/ATT, L2CAP, HCI, Link Layer, PHY)
● Elliptic Curve Diffie-Hellman (ECDH): Secure Simple Pairing
● Pairing via Numeric Comparison, Just Works, Passkey Entry, Out-of-Band (OOB)
● The pairing PIN is not an input to the security algorithm

Security - Bluetooth Smart (Core Specification 4.2; stack: GATT/ATT, SMP, L2CAP, HCI, Link Layer, PHY)
● Elliptic Curve Diffie-Hellman (ECDH): LE Secure Connections
● Pairing via Numeric Comparison, Just Works, Passkey Entry, Out-of-Band (OOB)
● The pairing PIN is not an input to the security algorithm

What about specifications 4.0 and 4.1?

Security problems of Bluetooth Smart in the 4.0 and 4.1 specifications

“Just Works and Passkey Entry do not provide any passive eavesdropping protection.
This is because Secure Simple Pairing uses Elliptic Curve Diffie-Hellman and LE does not.”
(Paraphrase on the slide, translated: Just Works and Passkey Entry do not protect against passive eavesdropping, because no Secure Simple Pairing with Elliptic Curve Diffie-Hellman is used.)

Pairing in Bluetooth Smart is not secure according to specifications 4.0 and 4.1!

Security goals of pairing
➢ Protection against passive eavesdropping (sniffing)
➢ Protection against Man-in-the-Middle (MITM) attacks

Bluetooth Smart pairing 4.0, 4.1
1. Pairing method exchange, IO capabilities
2. Pairing with Temporary Key (TK)
3. Generate Short Term Key (STK)
4. Establish Long Term Key (LTK)

LE Legacy Pairing - Just Works (diagram)
Alice (initiating): Mrand; Mconfirm = AES(k, AES(k, Mrand XOR p1) XOR p2)
Bob (non-initiating): Srand; Sconfirm = AES(k, AES(k, Srand XOR p1) XOR p2)
Alice -> Bob: Mconfirm
Bob -> Alice: Sconfirm
Alice -> Bob: Mrand; Bob checks Mconfirm against Mrand
Bob -> Alice: Srand; Alice checks Sconfirm against Srand
Both sides derive the STK, then the LTK.
Just Works: k = 0
6-digit PIN: brute-force attack

LTK reuse: even if the pairing could not be eavesdropped and an LTK is already established, a re-pairing can be forced!

Bluetooth Smart decrypting software: crackle
crackLE cracks Bluetooth Smart Encryption
https://lacklustre.net/projects/crackle/ by Mike Ryan
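The Just Works exchange drawn above, as an added example in Go (not code from the slides, from crackle or from the Ubertooth project). The confirm function c1 and the STK derivation s1 follow the definitions in the Core Specification's Security Manager part (Vol 3, Part H), which the slide abbreviates as AES(k, AES(k, r XOR p1) XOR p2); the Pairing Request/Response bytes and device addresses are constructed sample values, and all 128-bit values are written most-significant byte first as in the spec's worked examples, so the over-the-air byte order is not modelled. Running it shows that both sides agree on the STK and that the confirm checks pass with k = 0, that is, with no secret input at all, which is what the annotation "Just Works: k = 0" means; with Passkey Entry the only secret is the six-digit PIN used as TK.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// Key128 is a 128-bit value written most-significant byte first, as the Core
// Spec prints k, r, p1 and p2 in its worked examples (the LSB-first byte order
// used over the air is not modelled).
type Key128 = [16]byte

// e is the spec's e(key, plaintext): one AES-128 block encryption.
func e(key, plaintext Key128) Key128 {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // impossible for a 16-byte key
	}
	var out Key128
	block.Encrypt(out[:], plaintext[:])
	return out
}

func xor(a, b Key128) Key128 {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// C1 is the confirm value function from the slide:
// c1(k, r, p1, p2) = e(k, e(k, r XOR p1) XOR p2).
func C1(k, r, p1, p2 Key128) Key128 {
	return e(k, xor(e(k,xor(r, p1)), p2))
}

// S1 derives the Short Term Key: s1(k, r1, r2) = e(k, r1' || r2'), where r1' and
// r2' are the least significant 64 bits of Srand and Mrand respectively.
func S1(k, r1, r2 Key128) Key128 {
	var r Key128
	copy(r[:8], r1[8:])
	copy(r[8:], r2[8:])
	return e(k, r)
}

// BuildP1P2 lays out p1 = pres || preq || rat' || iat' and p2 = padding || ia || ra
// from the Pairing Request/Response PDUs, the address types and the two addresses.
func BuildP1P2(preq, pres [7]byte, iat, rat byte, ia, ra [6]byte) (p1, p2 Key128) {
	copy(p1[0:7], pres[:])
	copy(p1[7:14], preq[:])
	p1[14], p1[15] = rat, iat
	copy(p2[4:10], ia[:]) // p2[0:4] stays zero: the padding
	copy(p2[10:16], ra[:])
	return p1, p2
}

// Exchange is what a passive listener records of Phase 2: both confirm values and,
// once revealed, both random values. TK itself is never sent.
type Exchange struct {
	P1, P2, Mconfirm, Sconfirm, Mrand, Srand Key128
}

// RunLegacyJustWorks performs the slide's exchange between Alice (initiating) and
// Bob (non-initiating) with TK = 0 and returns the transcript and each side's STK.
func RunLegacyJustWorks(p1, p2 Key128) (ex Exchange, stkAlice, stkBob Key128) {
	var tk Key128 // Just Works: k = 0
	ex.P1, ex.P2 = p1, p2
	rand.Read(ex.Mrand[:])
	rand.Read(ex.Srand[:])
	ex.Mconfirm = C1(tk, ex.Mrand, p1, p2) // Alice -> Bob
	ex.Sconfirm = C1(tk, ex.Srand, p1, p2) // Bob -> Alice
	// Mrand and Srand follow; each side verifies the other's confirm value
	// (see ConfirmsCheck) and then derives the STK from the same two values.
	stkAlice = S1(tk, ex.Srand, ex.Mrand)
	stkBob = S1(tk, ex.Srand, ex.Mrand)
	return ex, stkAlice, stkBob
}

// ConfirmsCheck re-runs both confirm checks with a candidate TK. Each device does
// this with the TK it holds. Every other input is public, so the TK is the only
// thing protecting a recorded legacy pairing, and for Just Works it is 0.
func ConfirmsCheck(tk Key128, ex Exchange) bool {
	return C1(tk, ex.Mrand, ex.P1, ex.P2) == ex.Mconfirm &&
		C1(tk, ex.Srand, ex.P1, ex.P2) == ex.Sconfirm
}

func main() {
	// Constructed sample PDUs and addresses, not taken from a real capture.
	preq := [7]byte{0x07, 0x07, 0x10, 0x00, 0x00, 0x01, 0x01}
	pres := [7]byte{0x05, 0x00, 0x08, 0x00, 0x00, 0x03, 0x02}
	ia := [6]byte{0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6}
	ra := [6]byte{0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6}
	p1, p2 := BuildP1P2(preq, pres, 0x01, 0x00, ia, ra)
	ex, stkAlice, stkBob := RunLegacyJustWorks(p1, p2)
	fmt.Printf("STK agreed: %v (%x)\n", stkAlice == stkBob, stkAlice)
	fmt.Printf("confirm checks pass with k = 0: %v\n", ConfirmsCheck(Key128{}, ex))
}
```

The STK then encrypts the link over which the LTK is distributed, so whoever holds the STK holds everything that follows; that is the chain the "LTK reuse" and crackle slides refer to.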
How do I make my product secure?

Secure pairing with Bluetooth Smart
● Secure Simple Pairing (ECDH): update the Security Manager on the host to the 4.2 specification
● Out-of-Band Pairing (OOB)

Secure Simple Pairing - LE Secure Connections
1. Public Key Exchange
2. Authentication Stage 1
3. Authentication Stage 2
4. Link Key Calculation
5. LMP Authentication and Encryption

Elliptic Curve Diffie-Hellman
➢ Key exchange algorithm
➢ Computations on elliptic curves
➢ Needs fewer resources than standard Diffie-Hellman
➢ Elliptic Curve Discrete Log Problem (one-way function)
https://www.youtube.com/watch?v=F3zzNa42-tQ (Elliptic Curve Diffie-Hellman)
https://www.youtube.com/watch?v=yDXiDOJgxmg (Elliptic Curve Diffie-Hellman)

LE Secure Pairing - Numeric Comparison (diagram)
Alice (initiating): SKa, PKa; Bob (non-initiating): SKb, PKb
Alice -> Bob: Public Key (PKa); Bob -> Alice: Public Key (PKb)
Alice: DHKey = P256(SKa, PKb); Bob: DHKey = P256(SKb, PKa)
Alice: 128-bit nonce Na; Bob: 128-bit nonce Nb
Bob -> Alice: confirmation Cb = f4(PKb, PKa, Nb, 0)
Alice -> Bob: Na
Bob -> Alice: Nb
Alice: check Cb = f4(PKb, PKa, Nb, 0)
Both: Va = Vb = g2(PKa, PKb, Na, Nb)
Display: check that Va = Vb and confirm with OK

Passive sniffing tools: Ubertooth, the open-source variant

Sniffing tools
Ellisys Bluetooth Explorer 400 (BR/EDR/BLE), price approx. 20,000 $
Frontline BPA 600 (BR/EDR/BLE), price ?
nRF Sniffer, Nordic Semiconductor (picture: Adafruit version) (BLE), price 30 $

Ubertooth One, 120 $
Basic Rate (BR), Bluetooth Smart (BLE)
Michael Ossmann, Dominic Spill, Mike Ryan, Will Code, Jared Boone and others

Ubertooth hardware
LPC175x Arm Cortex-M3 microcontroller: Full-Speed USB 2.0, 100 MHz clock, 32 kb RAM, 256 kb flash
RP-SMA antenna connection
CC2591 RF front-end: power amplifier, low-noise amplifier, improves sensitivity
CC2400 transceiver: 2.4 GHz RF transceiver, baseband modem, data rate max. 1 Mbps, buffer-mode packet handling (replacement chip: CC2500 from TI)
USB 2.0

Ubertooth data flow: Bluetooth RF signal -> LNA -> demodulation -> packet search -> USB stream -> processing software

Software
➢ Linux
➢ Mac OS X
https://github.com/greatscottgadgets/ubertooth
Wireshark plugin for Ubertooth

Bluetooth Smart sniffing - DEMO
Passive sniffing of Bluetooth Smart with Ubertooth: heart rate monitoring

Summary
➢ Is wireless really the most sensible option?
➢ Which wireless technology serves my purpose?
➢ Am I using a secure pairing method?
  ○ Secure Simple Pairing with ECDH
  ○ Out-of-Band (OOB) pairing
➢ How can I monitor and debug my Bluetooth Smart connection?
  ○ Sniffing tool Ubertooth

Resources
Shmoocon 2011, Michael Ossmann, Ubertooth history: https://www.youtube.com/watch?v=KSd_1FE6z4Y
Dominic Spill 2012, Ubertooth firmware: https://www.youtube.com/watch?v=HU5qi7wimAM
Mike Ryan, Black Hat 2013, Bluetooth Smart attacks: https://www.youtube.com/watch?v=agwA_6AAGOA
Bluetooth Specification: https://www.bluetooth.org/en-us/specification/adopted-specifications
Ubertooth project page: http://ubertooth.sourceforge.net/
Crackle project page: https://lacklustre.net/projects/crackle/

Thank you!
?
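Appended after the deck as an added example in Go (not from the slides or from any project named on them): the LE Secure Connections Numeric Comparison flow from the "How do I make my product secure?" section, with P-256 ECDH for DHKey and the spec's f4 and g2 functions built on AES-CMAC (RFC 4493), which the slide names but does not expand. Key pairs and nonces are generated at run time; no captured data is involved. Because the two sides agree on DHKey without ever sending a secret, a recording of the exchange yields nothing to decrypt with, which is the protection the 4.0/4.1 legacy pairing lacks, and the user's comparison of Va and Vb is what detects a party in the middle presenting a different public key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// dbl is the GF(2^128) doubling used for the CMAC subkeys (RFC 4493, Rb = 0x87).
func dbl(in [16]byte) [16]byte {
	var out [16]byte
	for i := 0; i < 15; i++ {
		out[i] = in[i]<<1 | in[i+1]>>7
	}
	out[15] = in[15] << 1
	if in[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

func xor16(a, b [16]byte) [16]byte {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// aesCMAC is AES-CMAC (RFC 4493), the primitive underneath the spec's f4 and g2.
func aesCMAC(key [16]byte, msg []byte) [16]byte {
	block := must(aes.NewCipher(key[:]))
	var l [16]byte
	block.Encrypt(l[:], l[:]) // L = AES_K(0^128)
	k1 := dbl(l)
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1
	}
	var last [16]byte
	copy(last[:], msg[(n-1)*16:])
	if len(msg) > 0 && len(msg)%16 == 0 {
		last = xor16(last, k1) // complete final block: K1
	} else {
		last[len(msg)%16] = 0x80 // 10..0 padding, then K2
		last = xor16(last, dbl(k1))
	}
	var x, blk [16]byte
	for i := 0; i < n-1; i++ {
		copy(blk[:], msg[i*16:])
		x = xor16(x, blk)
		block.Encrypt(x[:], x[:])
	}
	x = xor16(x, last)
	block.Encrypt(x[:], x[:])
	return x
}

// F4(U, V, X, Z) = AES-CMAC_X(U || V || Z); U and V are the 256-bit public key x-coordinates.
func F4(u, v []byte, x [16]byte, z byte) [16]byte {
	return aesCMAC(x, append(append(append([]byte{}, u...), v...), z))
}

// G2(U, V, X, Y) = AES-CMAC_X(U || V || Y) mod 2^32; each device displays it mod 10^6.
func G2(u, v []byte, x, y [16]byte) uint32 {
	mac := aesCMAC(x, append(append(append([]byte{}, u...), v...), y[:]...))
	return binary.BigEndian.Uint32(mac[12:])
}

// NumericComparison runs the slide's flow between Alice (initiating) and Bob (non-initiating).
func NumericComparison() (dhMatch, confirmOK bool, va, vb uint32) {
	skA := must(ecdh.P256().GenerateKey(rand.Reader))
	skB := must(ecdh.P256().GenerateKey(rand.Reader))
	pkA, pkB := skA.PublicKey().Bytes(), skB.PublicKey().Bytes() // exchanged as 0x04 || X || Y
	dhA := must(skA.ECDH(must(ecdh.P256().NewPublicKey(pkB)))) // P256(SKa, PKb); NewPublicKey rejects points off the curve
	dhB := must(skB.ECDH(must(ecdh.P256().NewPublicKey(pkA)))) // P256(SKb, PKa)
	dhMatch = bytes.Equal(dhA, dhB)
	ua, ub := pkA[1:33], pkB[1:33] // the x-coordinates are the U/V inputs
	var na, nb [16]byte            // 128-bit nonces Na, Nb
	rand.Read(na[:])
	rand.Read(nb[:])
	cb := F4(ub, ua, nb, 0)             // Bob -> Alice: Cb, committing to Nb before Na is known
	confirmOK = F4(ub, ua, nb, 0) == cb // Alice -> Bob: Na; Bob -> Alice: Nb; Alice checks Cb
	va = G2(ua, ub, na, nb) % 1000000   // Alice's display
	vb = G2(ua, ub, na, nb) % 1000000   // Bob's display: differs only if the sides saw different public keys
	return
}

func main() { fmt.Println(NumericComparison()) }
```

The order of messages matters: Bob commits to Nb with Cb before Alice reveals Na, so neither side can pick its nonce after seeing the other's and steer the six-digit value; this is the Authentication Stage 1 of the five steps listed on the slide.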