Sunday, December 12, 2010

Bluetooth & Blackberry


Introduction

Hi, after so long without a new post, this time I just want to talk about Bluetooth devices and BlackBerries... not the fruit, huh!
Well, in fact I am not sure I will cover anything interesting related to BB (BlackBerry); I'll just try.
Also bear in mind that the Bluetooth dongle I am using is a cheap, poor, not-great one.

The hardware

I just have this one and will try to see what sort of tweaks and tricks we can perform... yeah, the /Rooted ad: RootedCON was a great con that took place in Spain, and I want to mention it in my wiki. Didn't hear about it? http://www.rootedcon.es/eng/index.html
[image: 100420100152.jpg]

The tools

So far a brand new BackTrack 4 seems enough.
Bluetooth dongle ID
root@bt:/# tail /var/log/syslog
Apr 10 13:18:36 bt kernel: eth0: no IPv6 routers present
Apr 10 13:21:57 bt kernel: Bluetooth: Core ver 2.15
Apr 10 13:21:57 bt kernel: NET: Registered protocol family 31
Apr 10 13:21:57 bt kernel: Bluetooth: HCI device and connection manager initialized
Apr 10 13:21:57 bt kernel: Bluetooth: HCI socket layer initialized
Apr 10 13:22:04 bt kernel: usb 2-2: new full speed USB device using uhci_hcd and address 2
Apr 10 13:22:04 bt kernel: usb 2-2: device descriptor read/64, error -71
Apr 10 13:22:05 bt kernel: usb 2-2: configuration #1 chosen from 1 choice
Apr 10 13:22:06 bt kernel: Bluetooth: Generic Bluetooth USB driver ver 0.5
Apr 10 13:22:06 bt kernel: usbcore: registered new interface driver btusb


root@bt:/# hciconfig -a
hci0:   Type: USB
BD Address: 00:00:00:00:00:00 ACL MTU: 0:0 SCO MTU: 0:0
DOWN
RX bytes:0 acl:0 sco:0 events:0 errors:0
TX bytes:0 acl:0 sco:0 commands:0 errors:0
// when bringing the device up, more info is provided and more commands are accepted without timing out
root@bt:/# hciconfig hci0 up
root@bt:/# hciconfig -a
hci0:   Type: USB
BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING
RX bytes:348 acl:0 sco:0 events:11 errors:0
TX bytes:38 acl:0 sco:0 commands:11 errors:0
Features: 0xff 0xff 0x8f 0xf8 0x18 0x18 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'CSR - bc3'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x639 LMP Ver: 1.2 (0x2) LMP Subver: 0x639
Manufacturer: Cambridge Silicon Radio (10)
// it seems only ROM memory is installed
root@bt:/# bccmd -d hci0 chiprev
Chip revision: 0x0015 (BC3-ROM)

// dfutool, for managing the firmware, does not work
root@bt:/# dfutool -d hci0 archive bt_dongle_orig_firmware.bin
Can't find any DFU devices

From the picture above and the output, we can see the dongle is a Cambridge Silicon Radio part with BlueCore 3 firmware (BC3-ROM).

Faking our name

I thought I couldn't, as this device wasn't supposed to have writable memory:
root@bt:/# hciconfig hci0 name eslimasec
root@bt:/# hciconfig hci0 name
hci0:   Type: USB
BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
Name: 'eslimasec'

Scanning
root@bt:/# hcitool scan
Scanning ...
XX:XX:XX:XX:XX:XX       BlackBerry 8520

When the device is in discoverable mode (waiting for other devices to find it), it reveals this information:
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX
Requesting information ...
BD Address:  XX:XX:XX:XX:XX:XX
Device Name: BlackBerry 8520
LMP Version: 2.1 (0x4) LMP Subversion: 0x12e9
Manufacturer: Cambridge Silicon Radio (10)
Features: 0xbf 0xfe 0x8f 0xfe 0x98 0x19 0x00 0x80
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <sniff mode> <RSSI>
<channel quality> <SCO link> <HV2 packets> <HV3 packets>
<u-law log> <A-law log> <CVSD> <paging scheme> <power control>
<transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
<EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
<interlaced pscan> <inquiry with RSSI> <extended SCO>
<AFH cap. slave> <AFH class. slave> <3-slot EDR ACL>
<5-slot EDR ACL> <AFH cap. master> <AFH class. master>
<extended features>
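As an added example (not from the original post, nor BlueZ's own code), here is a small Python decoder for the Features line above, using BlueZ's page-0 LMP feature table, so you can reproduce the list hcitool prints and see what the peer advertises for link security. The function names and the two sample strings (taken from the outputs in this post) are my own; note that this phone's "simple pairing" bit is clear, so pairing with it goes through the legacy PIN dialog.

```python
# Decoder for the LMP feature bitmask hcitool/hciconfig print (page 0, bytes 0-7,
# LSB first). Bit names follow BlueZ's feature table. Added example, not BlueZ code.
import re

# Byte i, bit j -> feature name; None marks reserved bits.
_LMP_FEATURES = (
    ("3-slot packets", "5-slot packets", "encryption", "slot offset",
     "timing accuracy", "role switch", "hold mode", "sniff mode"),
    ("park state", "RSSI", "channel quality", "SCO link",
     "HV2 packets", "HV3 packets", "u-law log", "A-law log"),
    ("CVSD", "paging scheme", "power control", "transparent SCO",
     "flow control lag (bit 0)", "flow control lag (bit 1)",
     "flow control lag (bit 2)", "broadcast encrypt"),
    (None, "EDR ACL 2 Mbps", "EDR ACL 3 Mbps", "enhanced iscan",
     "interlaced iscan", "interlaced pscan", "inquiry with RSSI", "extended SCO"),
    ("EV4 packets", "EV5 packets", None, "AFH cap. slave",
     "AFH class. slave", "BR/EDR not supported", "LE support", "3-slot EDR ACL"),
    ("5-slot EDR ACL", "sniff subrating", "pause encryption", "AFH cap. master",
     "AFH class. master", "EDR eSCO 2 Mbps", "EDR eSCO 3 Mbps", "3-slot EDR eSCO"),
    ("extended inquiry", "LE and BR/EDR", None, "simple pairing",
     "encapsulated PDU", "err. data report", "non-flush flag", None),
    ("LSTO", "inquiry TX power", "EPC", None, None, None, None, "extended features"),
)

def parse_feature_bytes(line):
    """Pull the eight hex bytes out of a 'Features: 0x.. 0x.. ...' line."""
    vals = [int(t, 16) for t in re.findall(r"0x[0-9a-fA-F]{2}", line)]
    if len(vals) != 8:
        raise ValueError("expected 8 feature bytes, got %d" % len(vals))
    return vals

def decode_lmp_features(line):
    """Return the supported feature names in the order hcitool prints them."""
    names = []
    for byte_index, value in enumerate(parse_feature_bytes(line)):
        for bit in range(8):
            name = _LMP_FEATURES[byte_index][bit]
            if value & (1 << bit) and name is not None:
                names.append(name)
    return names

def pairing_profile(line):
    """Link-security summary: no 'simple pairing' bit means legacy PIN pairing."""
    feats = set(decode_lmp_features(line))
    return {"encryption": "encryption" in feats, "simple_pairing": "simple pairing" in feats}

# Sample lines constructed from the outputs shown in this post.
BLACKBERRY_8520 = "Features: 0xbf 0xfe 0x8f 0xfe 0x98 0x19 0x00 0x80"  # hcitool info
CSR_DONGLE = "Features: 0xff 0xff 0x8f 0xf8 0x18 0x18 0x00 0x80"       # hciconfig -a
```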

BlackBerry (& other devs) Attacks

Scam attack by changing our dongle's name.

It was tested that BlackBerry devices have a sort of cache that lets them remember the name of your dongle from the first time you tried to pair.
// change the name of the dongle to make the user set the code you want, then just ask for info and that pairing message will appear on the victim's screen
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX

Great Links
