Introduction
Hi, after so long without a new post, this time I just want to talk about Bluetooth devices and BlackBerries... not the fruit, huh! Well, in fact I am not sure if I will cover something interesting related to BB (BlackBerry); I just will try to
Also keep in mind that the Bluetooth dongle I am using is a cheap, poor, not-great one.
The hardware
I just have this one and will try to see what sort of tweaks and tricks we can perform... yeah, the /Rooted ad: it was a great con that took place in Spain which I want to mention in my wiki. Didn't hear about it? http://www.rootedcon.es/eng/index.html
The tools
So far a brand new BackTrack 4 seems enough.
Bluetooth dongle id
root@bt:/# tail /var/log/syslog
Apr 10 13:18:36 bt kernel: eth0: no IPv6 routers present
Apr 10 13:21:57 bt kernel: Bluetooth: Core ver 2.15
Apr 10 13:21:57 bt kernel: NET: Registered protocol family 31
Apr 10 13:21:57 bt kernel: Bluetooth: HCI device and connection manager initialized
Apr 10 13:21:57 bt kernel: Bluetooth: HCI socket layer initialized
Apr 10 13:22:04 bt kernel: usb 2-2: new full speed USB device using uhci_hcd and address 2
Apr 10 13:22:04 bt kernel: usb 2-2: device descriptor read/64, error -71
Apr 10 13:22:05 bt kernel: usb 2-2: configuration #1 chosen from 1 choice
Apr 10 13:22:06 bt kernel: Bluetooth: Generic Bluetooth USB driver ver 0.5
Apr 10 13:22:06 bt kernel: usbcore: registered new interface driver btusb
root@bt:/# hciconfig -a
hci0:   Type: USB
        BD Address: 00:00:00:00:00:00 ACL MTU: 0:0 SCO MTU: 0:0
        DOWN
        RX bytes:0 acl:0 sco:0 events:0 errors:0
        TX bytes:0 acl:0 sco:0 commands:0 errors:0
//when "upping" the device more info is provided, and more commands are accepted and do not time out.
root@bt:/# hciconfig hci0 up
root@bt:/# hciconfig -a
hci0:   Type: USB
        BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING
        RX bytes:348 acl:0 sco:0 events:11 errors:0
        TX bytes:38 acl:0 sco:0 commands:11 errors:0
        Features: 0xff 0xff 0x8f 0xf8 0x18 0x18 0x00 0x80
        Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
        Link policy:
        Link mode: SLAVE ACCEPT
        Name: 'CSR - bc3'
        Class: 0x000000
        Service Classes: Unspecified
        Device Class: Miscellaneous,
        HCI Ver: 1.2 (0x2)  HCI Rev: 0x639  LMP Ver: 1.2 (0x2)  LMP Subver: 0x639
        Manufacturer: Cambridge Silicon Radio (10)
//seems just a ROM memory is installed
root@bt:/# bccmd -d hci0 chiprev
Chip revision: 0x0015 (BC3-ROM)
//dfutool for managing the firmware does not work
root@bt:/# dfutool -d hci0 archive bt_dongle_orig_firmware.bin
Can't find any DFU devices
We can see from the output above that the dongle is a Cambridge Silicon Radio chip with a BlueCore 3 (ROM) firmware.
Faking our name
I thought I couldn't, as this device wasn't supposed to have writable memory.
root@bt:/# hciconfig hci0 name eslimasec
root@bt:/# hciconfig hci0 name
hci0:   Type: USB
        BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
        Name: 'eslimasec'
Scanning
root@bt:/# hcitool scan
Scanning ...
        XX:XX:XX:XX:XX:XX       BlackBerry 8520
When the device is in discoverable mode (listening and waiting for other devices to find it), it reveals this information:
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX
Requesting information ...
        BD Address:  XX:XX:XX:XX:XX:XX
        Device Name: BlackBerry 8520
        LMP Version: 2.1 (0x4) LMP Subversion: 0x12e9
        Manufacturer: Cambridge Silicon Radio (10)
        Features: 0xbf 0xfe 0x8f 0xfe 0x98 0x19 0x00 0x80
                <3-slot packets> <5-slot packets> <encryption> <slot offset>
                <timing accuracy> <role switch> <sniff mode> <RSSI>
                <channel quality> <SCO link> <HV2 packets> <HV3 packets>
                <u-law log> <A-law log> <CVSD> <paging scheme> <power control>
                <transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
                <EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
                <interlaced pscan> <inquiry with RSSI> <extended SCO>
                <AFH cap. slave> <AFH class. slave> <3-slot EDR ACL>
                <5-slot EDR ACL> <AFH cap. master> <AFH class. master>
                <extended features>
BlackBerry (& other devices) attacks
Scam attack by changing our dongle name.
Testing showed that BlackBerry devices have a sort of cache that lets them remember the name of your dongle from the first time you tried to pair with them.
//change the name of the dongle to make the user set the code you want, then just ask for info and that pairing message will appear on the victim's screen
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX
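The trick above works because the friendly name shown in a pairing prompt is chosen by whoever controls the dongle and is cached by the phone. As an added example (not from the original post), here is a small defender-side Python helper that parses `hcitool scan` output like the one shown earlier and flags the two things that trick produces: a known name on an address that is not in an allow-list, or one name advertised by several addresses. The addresses and the allow-list are constructed for the example.

```python
import re

# Constructed sample of `hcitool scan` output (addresses are made up).
SCAN_OUTPUT = """Scanning ...
\t00:11:22:33:44:55\tBlackBerry 8520
\tAA:BB:CC:DD:EE:FF\tBlackBerry 8520
\t01:23:45:67:89:AB\teslimasec
"""

# Constructed allow-list: BD address -> the name we expect it to advertise.
TRUSTED = {"00:11:22:33:44:55": "BlackBerry 8520"}

# One scan line: optional whitespace, a BD address, whitespace, the name.
SCAN_LINE = re.compile(r"^\s*([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+(.*?)\s*$", re.I)


def parse_scan(text):
    """Return {bdaddr: name} from `hcitool scan` output.

    The 'Scanning ...' header and any other non-matching lines are skipped.
    """
    devices = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            devices[m.group(1).upper()] = m.group(2)
    return devices


def audit(devices, trusted):
    """Return a list of findings about untrusted or duplicated names.

    The name is set freely with `hciconfig hci0 name`, so a known name on an
    unknown address, a trusted address whose name changed, or one name used by
    several addresses is worth a second look before anyone accepts a pairing.
    """
    findings = []
    by_name = {}
    for addr, name in devices.items():
        by_name.setdefault(name, []).append(addr)
        if addr not in trusted:
            findings.append(f"untrusted address {addr} advertising '{name}'")
        elif trusted[addr] != name:
            findings.append(f"trusted {addr} changed name to '{name}'")
    for name, addrs in by_name.items():
        if len(addrs) > 1:
            findings.append(f"name '{name}' advertised by {len(addrs)} addresses: "
                            + ", ".join(sorted(addrs)))
    return findings
```

Run `audit(parse_scan(SCAN_OUTPUT), TRUSTED)` against the constructed scan to see the second "BlackBerry 8520" reported twice: once as an untrusted address and once as a name collision.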