DirtyTooth: it's only Rock'n'Roll, but I like it!
Chema Alonso ([email protected])
Pablo González ([email protected])
Ioseba Palop ([email protected])
Jorge Rivera ([email protected])
Álvaro Nuñez-Romero ([email protected])
Executive Summary
Bluetooth communications are on the increase. Millions of users rely on the technology to connect to peripherals that simplify their lives and offer greater comfort and a better experience. There is a trick or hack affecting iOS 10.2.1 and earlier that takes advantage of the way Bluetooth profiles are managed, with a great impact on the privacy of the millions of users who use Bluetooth daily. From the information leak caused by the incorrect management of profiles on the iOS device, a great deal of information about the user and their environment may be obtained.
1. Bluetooth devices
Bluetooth devices have proliferated. Their use with peripherals has meant that the adoption of the technology has rocketed in recent years. Keyboards, mice, speakers, hands-free kits and a whole range of other devices use Bluetooth to provide wireless communication to users and to improve the usability of peripherals and entertainment equipment.
All modern operating systems support and integrate the technology. Mobile operating systems such as Android, iOS and Windows Phone provide various ways of interacting with the different elements mentioned above.
1.1 - Versions of Bluetooth
Bluetooth technology has been continually evolving over the years. The following table shows the different versions and updates:
Version              Year of introduction
Bluetooth v1.0       1999
Bluetooth v1.1       2002
Bluetooth v1.2       2003
Bluetooth v2.0 + EDR 2004
Bluetooth v2.1 + EDR 2007
Bluetooth v3.0 + HS  2009
Bluetooth v4.0       2010
Bluetooth v5.0       2016-2017
Table 1: Versions of Bluetooth technology
Version 2.1 incorporates a function that is important for this research: the possibility of pairing devices without entering a PIN code (Secure Simple Pairing). Audio devices such as speakers or headphones with Bluetooth version 2.1 do not require users to enter a PIN in order to pair.
2. Bluetooth Profiles
When a device wants to use a series of functions via Bluetooth, a profile is required to permit those functions. A profile is simply a specification of the functions that can be performed over a Bluetooth connection, that is, a description of the actions that can be carried out over the connection with the associated profile.
There is a wide variety of Bluetooth profiles. The official list contains 31 profiles, which provide functions such as access to the contacts and messages on the device, the ability to use hands-free calling, sending audio to a device and so on. The range of functions is growing constantly.
2.1 - Bluetooth Profiles on iOS
The iOS operating system supports a series of specific Bluetooth profiles. The following are the profiles supported by the different devices:
1. Hands-Free Profile (HFP 1.6)
2. Phone Book Access Profile (PBAP)
3. Advanced Audio Distribution Profile (A2DP)
4. Audio/Video Remote Control Profile (AVRCP 1.4)
5. Personal Area Network Profile (PAN)
6. Human Interface Device Profile (HID)
7. Message Access Profile (MAP)
Device                               HFP 1.6  PBAP  A2DP  AVRCP 1.4  PAN  HID  MAP
iPhone 4 and later                   Yes      Yes   Yes   Yes        Yes  Yes  Yes
iPhone 3GS                           Yes      Yes   Yes   Yes        Yes  Yes  -
iPhone 3G                            Yes      Yes   Yes   Yes        Yes  -    -
iPhone Original                      Yes      Yes   -     -          -    -    -
iPad 2 and later                     Yes      -     Yes   Yes        Yes  Yes  -
iPad (1st Generation)                -        -     Yes   Yes        Yes  Yes  -
iPod Touch (4th Generation)          Yes      -     Yes   Yes        Yes  Yes  -
iPod Touch (2nd and 3rd Generation)  -        -     Yes   Yes        Yes  Yes  -
Table 2: Profiles supported on different Apple devices
3. Hack: DirtyTooth
Bluetooth profiles access different resources on the mobile device, so it is essential that the operating system manages the corresponding permissions properly. Bluetooth allows a device to run different profiles, switching between them.
The operating system notifies the user when a device paired with the mobile changes its profile. In this research, a test was carried out on the iOS and Android operating systems, and each gave very different results.
When a device is linked to a mobile and the former changes its profile, two circumstances may occur. The first is that the operating system detects the change of profile, and therefore of the functions and data to which the linked device can gain access, and asks the user to accept the profile change. This takes the form of a secure notification, so that the user realizes that the connected Bluetooth device wants to access another profile and, therefore, the private information on the terminal. The second circumstance is that the operating system does not detect the profile change and allows it to be completed without notifying the user.
This second circumstance has been detected in the iOS operating system and has been named DirtyTooth. This trick or hack allows an attacker to impersonate the A2DP profile of a speaker so that a user's iOS device connects to it, assuming it to be a speaker. A few moments after pairing, which requires no PIN, the device changes its profile to another one. The iOS operating system does not notify the user of this change and allows the attacker to access and download private information from the device.
3.1 - Diagram
Before detailing the implementation, the following is a schematic overview of how DirtyTooth is carried out. The diagram is valid for both the software and the hardware versions of the trick.
Figure 1: Flow diagram of DirtyTooth on iPhone
When the iOS system detects a Bluetooth signal, the user can see the device with which it wants to connect, and a scenario like the following will be observed:
Figure 2: Discovery of a Rogue Speaker
The speaker that appears in the Bluetooth discovery is announcing the A2DP profile, a profile used to play audio over the Bluetooth connection. When the user taps on it, the pairing is completed, with no need for a PIN in Bluetooth versions 2.1 or higher.
In the following image, you can see how the headphones icon appears in the upper right corner. For a few seconds, the device that supplants a speaker presents an A2DP profile.
Figure 3: Device setup linked to the A2DP profile
After a few seconds, the attacker's device can change its profile, for example to a PBAP profile. If this happens, iOS performs the profile change without displaying any kind of notification to the user. This is the moment at which the attacker can access the contact list and download it.
Figure 4: Switch to PBAP profile with automatic contacts synchronization
Note the existence of a setup fault or weakness in iOS. When the profile change is carried out without notification, the synchronization of contacts is enabled by default, giving access to the attacker.
The trick or hack can be extended to other profiles, as the operating system does not request authorization to change the profile. In the case of a MAP profile, used to access the messages on the mobile device, a switch to synchronize messages is displayed, but in this case it is disabled by default, contrary to what happens with the PBAP profile. In other words, the trick takes advantage of both the lack of authorization to change profile and the default settings for synchronizing elements on the device over the Bluetooth connection.
The elements that can be downloaded from the mobile device via the DirtyTooth hack are whatever elements may be accessed through the profile to which the device has switched. A PBAP profile allows:
1. The request for and download of contacts from the device. This enables a potential attacker to extract all the information in the contacts directory of the iOS operating system. The format in which they are extracted can vary between vCard 2.1 and 3.0.
2. The request for and download of the call history, incoming and outgoing, from the device. This enables a potential attacker to extract the call register from the iOS operating system. The format in which they are extracted can vary between vCard 2.1 and 3.0.
Information extracted with the attacker's rogue device can be sent over the Internet to a server under the attacker's control. Thus, connecting an iPhone to an audio device, even a hands-free kit, over Bluetooth is a threat to user privacy.
The information that can be extracted from the terminal via a PBAP profile is as follows:
1. People to whom the user relates.
2. The user's phone number.
3. Companies with which the user relates.
4. Email addresses.
5. The card owner's contact information.
6. The call history.
7. The physical addresses of the people associated with the contact card.
This information can be processed on the Internet to achieve a greater level of detail and knowledge.
3.1.1 - Software Implementation
The first approach to taking advantage of the DirtyTooth hack was a software implementation. To carry out the hack, the following components were used:
1. Raspberry Pi 3 Model B.
   1. 1.2 GHz 64-bit quad-core ARMv8 CPU
   2. Bluetooth 4.1 module
   3. Bluetooth Low Energy (BLE)
2. PyBluez. A Python module that exposes Bluetooth functionality in Python and provides access to the Bluetooth resources.
3. PyOBEX. This package must be installed after PyBluez and implements the features of the OBEX protocol.
Here is the operation or algorithm implemented to perform DirtyTooth:
1. A .bashrc file was used which, when the Raspberry Pi 3 starts, sets the name with which the Bluetooth module will announce itself and its device class. The following lines are added at the end of the file:

       pulseaudio -D
       #sudo -u pi pulseaudio -D
       sudo hciconfig hci0 name "NAME HERE"
       sudo hciconfig hci0 class 0x240418
       sudo hciconfig hci0 sspmode 1
       sudo hciconfig hci0 piscan
       sudo /usr/bin/hacktooth/dirtytooth.py &

As you can see, the hciconfig command is the one that defines the device class that is offered via Bluetooth.
2. The option pulseaudio -D launches the PulseAudio daemon. The sspmode setting controls whether a PIN must be entered during the pairing process between the speaker and the iPhone. Setting it to 1 means that no PIN is requested, as long as the Bluetooth device version is 2.1 or higher.
3. The dirtytooth.py file is in charge of automating the actions once pairing is done. In the first instance, the device is paired thanks to the commands entered in the .bashrc file.
4. Once a device is paired, the dirtytooth.py file is launched. This file makes the request by changing the class UUID. This is the moment at which the hack enters iOS, as the operating system neither prohibits it nor notifies the user.
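As an added defensive illustration (not code from the paper or from dirtytooth.py), the following Python decodes the Class of Device value 0x240418 set with hciconfig above and checks whether a later profile request is consistent with what the device advertised at discovery time, which is the kind of check an operating system could apply before silently accepting a profile switch. The 16-bit service UUIDs are Bluetooth SIG assigned numbers; the mapping from profile to expected service bits is this example's own assumption.

```python
# Added example (not from the paper or dirtytooth.py): decode a Bluetooth
# Class of Device (CoD) and flag profile requests that contradict it.

# Service class bit positions (bits 13-23 of the 24-bit CoD).
SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning",
                17: "Networking", 18: "Rendering", 19: "Capturing",
                20: "Object Transfer", 21: "Audio", 22: "Telephony",
                23: "Information"}

# Major device class (bits 8-12).
MAJOR_CLASSES = {0: "Miscellaneous", 1: "Computer", 2: "Phone",
                 3: "LAN/Network Access Point", 4: "Audio/Video",
                 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
                 9: "Health", 31: "Uncategorized"}

# Minor device class (bits 2-7), Audio/Video major class only.
AV_MINOR = {1: "Wearable Headset", 2: "Hands-free", 4: "Microphone",
            5: "Loudspeaker", 6: "Headphones", 7: "Portable Audio",
            8: "Car audio", 9: "Set-top box", 10: "HiFi Audio"}

# 16-bit service UUIDs (Bluetooth SIG assigned) mapped to the CoD service
# bits a device genuinely offering that profile would normally advertise.
# The mapping is this example's own policy assumption, not a SIG rule.
PROFILE_EXPECTS = {
    0x110B: ("A2DP Audio Sink", {"Audio", "Rendering"}),
    0x111E: ("HFP Hands-Free", {"Audio", "Telephony"}),
    0x112F: ("PBAP Phone Book Server", {"Object Transfer", "Telephony"}),
    0x1132: ("MAP Message Access Server", {"Object Transfer", "Telephony"}),
}

def decode_cod(cod: int) -> dict:
    """Split a 24-bit CoD into its major, minor and service class fields."""
    if cod & 0x3:  # bits 0-1 are the format type; only 00 is defined
        raise ValueError("unknown CoD format type")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = {name for bit, name in SERVICE_BITS.items() if (cod >> bit) & 1}
    minor_name = AV_MINOR.get(minor) if major == 4 else None
    return {"major": MAJOR_CLASSES.get(major, f"reserved({major})"),
            "minor": minor_name or f"code {minor}",
            "services": services}

def profile_request_is_consistent(cod: int, uuid16: int) -> bool:
    """True when the advertised CoD already carries a service bit the requested
    profile depends on; False means the switch deserves a user prompt. For
    0x240418 an A2DP sink is consistent, a PBAP or MAP server request is not."""
    _name, expected = PROFILE_EXPECTS[uuid16]
    return bool(decode_cod(cod)["services"] & expected)
```

Run against 0x240418, decode_cod reports an Audio/Video device with the Headphones minor class and only the Audio and Rendering service bits, so the later PBAP request contradicts the advertised class.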
Looking more closely at the last point of the algorithm, we must emphasize that dirtytooth.py has a function that uses the Bluetooth connection, via the PBAP profile, to obtain files.
Figure 5: Obtaining data via PBAP
On the other hand, the function is used to obtain the list of contacts in vCard format and the call register in the same format.
Figure 6: Get list of contacts and call records via PBAP
The sound continues to function, so the user does not detect any leakage of private information from the device. The files are temporarily stored on the Raspberry before being sent to the backend over an Internet connection, as you can see in the image:
Figure 7: Files extracted from the iPhone
Analyzing the files and the format obtained, the following information can be found. It is important to note that on every iPhone the vCard with UID 0 belongs to the owner of the iPhone and contains their phone number and personal information.
Figure 8: UID 0 belongs to the owner of the iPhone
3.1.2 - Hardware Implementation
For the hardware implementation of the hack, a real Bluetooth speaker was used. The speaker was equipped with a series of modules that provide different functions:
1. A Bluetooth module that supplants the real speaker.
2. The core of the system is a Teensy board with a microSD connector. The Teensy was programmed with the Teensyduino framework in order to make use of the collection of libraries available for Arduino.
3. A 2G/GPRS Adafruit module was used for the board's Internet connection.
With the Bluetooth module, the real speaker is supplanted and the A2DP profile connection offered. The core is responsible for changing the profile to PBAP once the connection has been established with the iPhone. At this moment, thanks to the DirtyTooth hack, access to the iPhone contacts and call history is granted, as illustrated below:
Figure 9: DirtyTooth hack hardware scheme
3.2 - Systems Tested
In the case of the PBAP profile, the list of tested systems matches the iOS device models that have telephone functions, i.e. the iPhone. The models that can be used in the hack are:
1. iPhone 3G.
2. iPhone 3GS.
3. iPhone 4/4S.
4. iPhone 5/5S.
5. iPhone 6/6S/6 Plus/6S Plus.
6. iPhone 7/7 Plus.
Currently, all iOS versions that run on the models listed above can be used with DirtyTooth. The current version of the operating system at the release of this document is iOS 10.2.1.
3.3 - Scope and possibilities
The data that can be obtained via the DirtyTooth hack are:
1. People to whom the user relates.
2. The user's phone number.
3. Companies with which the user relates.
4. Email addresses.
5. The card owner's contact information.
6. The call history.
7. The physical addresses of the people associated with the contact card.
After processing this information, more relevant information might be obtained. The following is the type of data that can be derived from a contact theft:
1. Images from Facebook profiles.
2. Name of the telephone operator.
3. A first level of relationship with companies and employees via LinkedIn.
4. Wi-Fi adapter MAC address.
5. OS and model of the terminal, APT-oriented.
6. Geographical location of landline numbers.
7. Owners of the landline numbers.
8. Interaction with the Telegram/WhatsApp API for image discovery, status information and connection time.
4. Conclusions
The Bluetooth connection of iPhones with peripherals such as speakers, headphones or sound equipment implies a risk to the user's privacy, as these elements could extract private information from the iPhone without the user being aware of it.
The DirtyTooth hack enables an attacker to extract private information from the iOS device and to learn the user's relationships and environment, as well as data such as:
1. People to whom the user relates.
2. The user's telephone number.
3. Companies with which the user relates.
4. Email addresses.
5. The card owner's contact information.
6. The call history.
7. The physical addresses of the people associated with the contact card.
The hack or trick puts users' privacy at risk. The iOS operating system does not notify the user of the profile change and allows the execution of the functions and actions associated with the new profile, so that the users' data are at risk of being stolen by a potential attacker.
Uploading the information to a server controlled by the attacker allows it to be processed to attain a greater level of detail. The information can be exploited, and much can be learned about the person's relationships.
In other words, DirtyTooth is a trick or hack that takes advantage of this accessibility configuration. It is a simple accessibility setting that is potentially dangerous.