Accessing Bluetooth Using Software Defined Radio Chase Schultz, Senior Security Consultant [email protected]
Posted 17-Jan-2017


About ISE

• Analysts: white-box perspective; hackers, cryptographers, reverse engineers
• Research: routers, NAS, healthcare
• Customers: companies with high-value assets
• Exploits: iPhone, Android, Ford, Exxon, Diebold

whoami

• Chase Schultz
• Senior Security Consultant, Independent Security Evaluators
• Twitter: f47h3r_b0
• Interests: reverse engineering, web app hacking, SDR, fuzzing, embedded systems, Python & Go… and pancakes…

ISE Proprietary

Agenda

① Importance of SDR for RF research
② Scope of talk
③ Bluetooth devices
④ SDR platforms
⑤ GNU Radio
⑥ Scapy-Radio & applied use (demo)
⑦ Known limitations
⑧ Future research
⑨ Ways to get involved

Why is this important?

Talk Scope

• Scapy-Radio Released @ Blackhat 2014 by Airbus

• No 0-day… sorry ;(

• Applied use of Scapy-Radio to access Bluetooth…

What is Bluetooth & Why would I want to play with it?

• Examples of Bluetooth devices and targets:
– "Smart" home automation
– iOS & Android apps using Bluetooth
– Fuzzing of Bluetooth platforms
– IoT

Software Defined Radio Setups

• Hardware
– USRP (tested)
– HackRF (untested)
– BladeRF (untested)
– RTL chipsets (untested; note that RTL2832U dongles top out well below 2.4 GHz, so they cannot reach the Bluetooth band without an external downconverter)

• Software
– GNU Radio
– Scapy-Radio

What I use at home

Goal: Sniff Bluetooth Packets via USRP

Gnu Radio BTLE Flowgraph

Scapy-Radio Architecture

• 2 main components:
– GNU Radio (demodulation and bit-level decoding of the RF signal)
– Scapy (packet dissection, crafting and scripting)

Using Scapy-Radio

• Load up the BTLE GRC block
• Write a Scapy-Radio script
• Run said script
• Profit (???)


Scapy-Radio Python Script

Demo• Pray to the pancake gods…

Uses for Scapy-Radio

• Possible tie-ins with existing libraries
• Analyzing Bluetooth traffic at home
• Building parsers & exploiting signals
• Using Scapy-Radio in combination with fuzzing tools such as Sulley or Peach
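The script slide in this deck was a screenshot that did not survive transcription, so the following is an added example, written for this transcript and not taken from the talk or from the Scapy-Radio project. It is a stand-alone Python codec for BLE advertising-channel packets that does what the BTLE GNU Radio block and the Scapy dissector do between them (de-whitening, CRC-24 check, PDU header and AD-structure parsing) and is the kind of parser the "building parsers" bullet refers to. The field layout, CRC polynomial and whitening LFSR follow the Bluetooth Core spec (Vol 6, Part B); the device address, local name and all function names are constructed for the example. No SDR is needed to run it, which is the point: test a parser on bytes you built yourself before pointing it at a capture, and note how a bad AD length byte is reported rather than trusted, since that is exactly the input a fuzzer will send at a Bluetooth stack.

```python
"""Added example: BLE advertising-channel codec (de-whitening, CRC-24, PDU parsing).

Not from the slides or Scapy-Radio; field layout follows Bluetooth Core spec
Vol 6 Part B. Address, name and function names are constructed for the demo.
"""

ADV_ACCESS_ADDRESS = 0x8E89BED6   # fixed access address of channels 37/38/39
ADV_CRC_INIT = 0x555555           # CRC preset for advertising PDUs
CRC24_POLY_REFLECTED = 0xDA6000   # x^24+x^10+x^9+x^6+x^4+x^3+x+1, bit-reversed
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x09: "Complete Local Name", 0xFF: "Manufacturer Specific"}


def crc24(pdu, init=ADV_CRC_INIT):
    """CRC-24 over header+payload, bits fed LSB first, returned in on-air byte order."""
    # Reflected register: spec position 23 sits in bit 0, so the on-air order
    # (position 23 first) is just the little-endian bytes of the final state.
    state = int(f"{init:024b}"[::-1], 2)          # bit-reverse the 24-bit preset
    for byte in pdu:
        for i in range(8):
            feedback = ((byte >> i) ^ state) & 1
            state >>= 1
            if feedback:
                state ^= CRC24_POLY_REFLECTED
    return state.to_bytes(3, "little")


def whiten(data, channel):
    """Whitening and de-whitening (same operation): 7-bit LFSR x^7+x^4+1 seeded by channel."""
    lfsr = [1] + [(channel >> (5 - k)) & 1 for k in range(6)]  # pos0=1, pos1..6=channel, MSB first
    out = bytearray()
    for byte in data:
        value = 0
        for i in range(8):
            bit = lfsr[6]                            # output tap is position 6
            value |= (((byte >> i) & 1) ^ bit) << i
            # shift: pos0 <- pos6, pos4 <- pos3 ^ pos6, the rest move up one position
            lfsr = [bit, lfsr[0], lfsr[1], lfsr[2], lfsr[3] ^ bit, lfsr[4], lfsr[5]]
        out.append(value)
    return bytes(out)


def build_adv_ind(adv_a, ad_structures, channel=37):
    """Return AA + whitened(PDU + CRC) as it goes on the air (preamble omitted)."""
    adv_data = b"".join(bytes([len(value) + 1, ad_type]) + value for ad_type, value in ad_structures)
    payload = bytes.fromhex(adv_a.replace(":", ""))[::-1] + adv_data   # AdvA is sent LSB first
    header = bytes([0x00 | 0x40, len(payload)])   # PDU type 0 = ADV_IND, TxAdd=1 (random address)
    pdu = header + payload
    return ADV_ACCESS_ADDRESS.to_bytes(4, "little") + whiten(pdu + crc24(pdu), channel)


def parse_ad_structures(adv_data):
    """Split AdvData into (type, value) pairs; a length byte that overruns the buffer is reported."""
    out, i = [], 0
    while i < len(adv_data):
        ad_len = adv_data[i]
        if ad_len == 0:                 # zero-length structure terminates AdvData
            break
        if i + 1 + ad_len > len(adv_data):
            out.append(("TRUNCATED", adv_data[i:]))   # the kind of input a fuzzer sends at a stack
            break
        ad_type = adv_data[i + 1]
        out.append((AD_TYPES.get(ad_type, f"0x{ad_type:02X}"), adv_data[i + 2:i + 1 + ad_len]))
        i += 1 + ad_len
    return out


def parse_adv(air_bytes, channel=37):
    """De-whiten, check the CRC and dissect one advertising-channel packet."""
    aa = int.from_bytes(air_bytes[:4], "little")
    if aa != ADV_ACCESS_ADDRESS:
        raise ValueError(f"not an advertising-channel packet (AA {aa:#010x})")
    clear = whiten(air_bytes[4:], channel)
    header, length = clear[0], clear[1]            # length is 6 bits before spec 5.0; RFU bits are zero
    pdu, rx_crc = clear[:2 + length], clear[2 + length:5 + length]
    pdu_type = header & 0x0F
    result = {"pdu_type": PDU_TYPES.get(pdu_type, f"type_{pdu_type}"),
              "tx_add_random": bool(header & 0x40), "crc_ok": crc24(pdu) == rx_crc}
    if pdu_type in (0, 2, 4, 6):   # ADV_IND, ADV_NONCONN_IND, SCAN_RSP, ADV_SCAN_IND: AdvA + data
        result["adv_a"] = ":".join(f"{b:02X}" for b in pdu[2:8][::-1])
        result["ad"] = parse_ad_structures(pdu[8:2 + length])
    return result


if __name__ == "__main__":
    # Constructed packet: random address, flags 0x06, complete local name "ISE-demo".
    pkt = build_adv_ind("C0:FF:EE:12:34:56", [(0x01, b"\x06"), (0x09, b"ISE-demo")])
    print(pkt.hex())
    print(parse_adv(pkt))
```

With a real capture the input to `parse_adv` is the byte stream the GNU Radio BTLE flowgraph hands to Scapy-Radio, one packet at a time; the channel argument must match the advertising channel the flowgraph is tuned to (37, 38 or 39), otherwise de-whitening produces garbage and the CRC check fails on every packet.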

Current Limitations

• Scapy-Radio currently handles only BTLE advertising packets (channels 37, 38, 39)
• BTLE data channels and frequency hopping are not followed, so a connection cannot be sniffed once it leaves the advertising channels
• Bandwidth available to SDRs: the 40 BLE channels span 2402–2480 MHz, far more instantaneous bandwidth than most SDRs capture at once
• Documentation is sparse

Future Areas of Research

• Scapy-Radio supports more than just BT:
– Zigbee
– Z-Wave
– Etc. – it's up to you!

• FHSS – following BTLE frequency hopping

• Adding new protocols to Scapy-Radio
• Perhaps NFC?

Key Takeaways

• SDR is quickly becoming a new tool for researchers to assess RF systems

• Use of Scapy-Radio to capture BTLE packets

• Ideas for Future Research

Get Involved