
honeyM

TJ OConnor, Nate Grunzweig, David Brasefield

The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. 


Mobile Devices

Think about… this device knows:

- Who you talked to last
- Where you have been
- Your email
- Your texts from last night

And we don’t give it any protection

But it could be worse… There are some things that just shouldn’t be mobile devices…

Credit Card Systems

Should a credit card system really have a radio whose main design constraint is to cost < $2?

But nobody exclusively uses wireless payment devices…

What happens on iPad release day if you jam 2.4?

First Responder / Medical Devices

Heart-rate monitors, glucometers, respirators, hearing aids, patient data

Should this stuff really rely on a framework built for inexpensive cost instead of security?

What happens if… this guy meets with a hospital floor of Bluetooth™ enabled heart rate readers?

Can you DOS a floor of Nurses?

Mobile Sniper Phone (Really?)

Camouflaged Sniper Before L2CAP

Camouflaged Sniper After L2CAP

But Nobody Really Cares Until…

Average consumer communication devices become vulnerable…

- Nokia 6310 BlueBug
- iPhone SDP attack
- Broadcom WiFi drivers

When I see mobile devices… I see targets.

Many vectors for attack.

Quick rush to market.

Unlikely average consumer will update (firm|soft)ware.

We aren’t even going to talk about…

Goal is to have it cost less than $300

Goal is to always be connected to your network

Attacks are obvious though, right?

Lots of great work done on Bluetooth / WiFi Intrusion Detection

Virginia Tech doing a lot of great anomaly / signature detection on attacks.

Signatures are obvious and easy… an unauthenticated RFCOMM connect to channel 13, followed by AT commands == BlueBug

Anatomy of a MD Attack

http://www.blackhat.com/presentations/bh-usa-09/MAHAFFEY/BHUSA09-Mahaffey-MobileFuzzing-PAPER.pdf

1. Discover WiFi MAC address passively.
2. MAC + 1 = Bluetooth address.
3. Send malformed SDP packet to BT address.
4. Read your texts from last night.

Fuzzing to Discover Attacks

Starting to get really popular. See Mahaffey’s paper at Black Hat 2009.

Makes really evil things possible, like device driver exploits.

Bottom Line Up Front…(Or in the middle of the presentation)

We really don’t know what is out there.

We need to collect mobile device zero day.

Take lessons learned from wired IDS

Honeypots for the win!

Treat the device as a whole…

Necessary to examine all vectors to analyze an attack.

- Attacker jams 3G to force user on WiFi

- Passively observes WiFi Traffic to find MAC

- Begins Bluetooth fuzzing

- Finds vulnerability

- Listens to Lindsey Lohan’s voicemail

What makes a mobile dev unique?

- Bluetooth
- WiFi
- GPS
- Infrared
- Zigbee
- WiMax
- (2|3)G, CDMA, EDGE

What makes a mobile dev unique?

Applications

- Integrated browsers
  ▪ Mobile Safari
  ▪ BlackBerry® Browser
- Bundled software
- 3rd-party applications
- Homebrew apps

Bluetooth

- Bluetooth MAC address: registered OUI 04:1E:64:xx:xx:xx tells us you are an iPhone
- Discoverability
- RFCOMM ports: UUID16 : 0x0003 – RFCOMM
- L2CAP (PSM) ports: UUID16 : 0x0100 – L2CAP
- Service Discovery Profile (SDP)

sdptool browse --l2cap 00:23:6C:60:21:12

Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x111f - HandsfreeAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x2 - ServiceRecordState
  Integer : 0x0
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x8
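An added example, not honeyM’s own code: a parser for an sdptool record in the form shown above that pulls out the service classes and RFCOMM channel and combines them with the OUI guess from the deck. The regexes, the one-entry OUI table and the sample record text are constructed here from what the slide shows.

```python
import re

# OUI table constructed from the deck's one data point (04:1E:64 == iPhone);
# extend it from your own captures. A BD_ADDR's first three octets are the OUI.
KNOWN_OUIS = {"04:1E:64": "Apple (iPhone)"}

ATTR_RE = re.compile(r"Attribute Identifier\s*:\s*(0x[0-9a-f]+)\s*-\s*(\w+)", re.I)
UUID_RE = re.compile(r"UUID16\s*:\s*(0x[0-9a-f]+)\s*-\s*(\w+)", re.I)
CHAN_RE = re.compile(r"Channel/Port \(Integer\)\s*:\s*(0x[0-9a-f]+)", re.I)

def parse_sdp_record(text):
    """Walk one sdptool-style record, grouping UUIDs under their attribute."""
    rec = {"service_classes": [], "protocols": [], "rfcomm_channels": []}
    attr = None
    for line in text.splitlines():
        if m := ATTR_RE.search(line):
            attr = m.group(2)
        elif (m := UUID_RE.search(line)) and attr == "ServiceClassIDList":
            rec["service_classes"].append((int(m.group(1), 16), m.group(2)))
        elif (m := UUID_RE.search(line)) and attr == "ProtocolDescriptorList":
            rec["protocols"].append((int(m.group(1), 16), m.group(2)))
        elif (m := CHAN_RE.search(line)) and attr == "ProtocolDescriptorList":
            rec["rfcomm_channels"].append(int(m.group(1), 16))
    return rec

def fingerprint(bdaddr, sdp_text):
    """Combine the OUI guess with the SDP record into one device signature."""
    rec = parse_sdp_record(sdp_text)
    rec["vendor"] = KNOWN_OUIS.get(bdaddr.upper()[:8], "unknown OUI")
    # 0x0003 in the protocol list means an RFCOMM server is reachable over L2CAP.
    rec["exposes_rfcomm"] = any(uuid == 0x0003 for uuid, _ in rec["protocols"])
    return rec

SAMPLE_SDP = """\
Attribute Identifier : 0x1 - ServiceClassIDList
  Data Sequence
    UUID16 : 0x111f - HandsfreeAudioGateway
    UUID16 : 0x1203 - GenericAudio
Attribute Identifier : 0x2 - ServiceRecordState
  Integer : 0x0
Attribute Identifier : 0x4 - ProtocolDescriptorList
  Data Sequence
    Data Sequence
      UUID16 : 0x0100 - L2CAP
    Data Sequence
      UUID16 : 0x0003 - RFCOMM
      Channel/Port (Integer) : 0x8
"""  # constructed from the record shown on the slide
```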

WiFi / IP

MAC address: registered OUI again; may be an increment of the BT address

- Wireless fingerprints
- TCP fingerprints: p0f, Queso
- TCP services: banner grabs
- UDP services

Applications – Mobile Browsing

Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.

BlackBerry9630/4.7.1.40 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105

MOT-L6/0A.52.45R MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1

Apps

Introduce a whole new realm….

App Vulnerabilities

A realm that we just can’t keep up with…..

How…..

Do we emulate all of this, while still inviting attacks and logging?

- Emulate Bluetooth
- Emulate WiFi / TCP / UDP
- GPS
- Match all the signatures.

Used Python To Glue…

…lots of open source tools to make an audit device signature

- btaudit
- nmap
- sdptool
- p0f
- hcitool

Used Python To Glue…

… open source tools together for traffic generation

- bccmd
- Scapy
- PyBluez
- p0f

Used Python To Glue…

…lots of open source tools to log interaction with devices

- Wireshark
- Kismet
- tcpdump
- Spectools
- gpsd

honeyM Device Profile

Bluetooth Hardware

bccmd – utility for flashing Cambridge Silicon Radio (CSR) Bluetooth chipsets

Written by Marcel Holtmann and Adam Laurie

Allows us to flash a $25 dongle into anything

Writing Bluetooth Code (pyBluez)

from bluetooth import *

# Bind a Bluetooth RFCOMM socket on the first local adapter
dev = ""  # empty string = any local Bluetooth adapter
server_sock = BluetoothSocket(RFCOMM)
server_sock.bind((dev, PORT_ANY))
server_sock.listen(1)

# Advertise a vulnerable Bluetooth phonebook over the Serial Port Profile
advertise_service(server_sock, "Contacts",
                  service_classes=[SERIAL_PORT_CLASS],
                  profiles=[SERIAL_PORT_PROFILE])
client_sock, client_info = server_sock.accept()

WiFi Hardware

Willing to pay Windows Tax for AirPcap TX card.

One of few cards able to change MAC OUI

Supported Traffic Injection via Compat-Wireless (zd1211rw); you’ll just need to add the USB Vendor ID.

Scapy

So easy, even Army officers can write packet injection code…

- Total packet manipulation library
- Supports multiple protocols
- Supports Bluetooth / WiFi code
- Great references and examples out there
- Scapy TCP finite state machines: Adam Pridgen over at TheCoverOfNight.com

WiFi Scapy

from scapy.all import *

# Create an 802.11 data frame (from-DS: sent as if from the access point).
# addr1/addr2 and the DNS fields below are taken from the captured client query.
dnsResp = Dot11(type="Data", FCfield="from-DS", addr1=addr1, addr2=addr2)

# Append DNS reply to the 802.11 packet (qr=1 marks it as a response)
dnsResp /= DNS(id=id, qr=qr, qd=qd,
               an=DNSRR(rrname=rrname, ttl=ttl, rdata=rdata))

# Send packet at layer 2
sendp(dnsResp)

Scapy + POF For the Win.

from scapy.all import *
load_module("p0f")

# Use p0f to impersonate a TCP SYN from a SymbianOS phone
pkt = p0f_impersonate(IP(dst='www.shmoocon.org')/TCP(sport=1025, dport=80, flags='S'),
                      osgenre='SymbianOS')
send(pkt)

User Behavior

Mimicking users is difficult.

LARIAT project up at MIT.

We can’t just fire off wget scripts to www.kittenwar.com , www.ilovekats.com to pretend to be a college student.

User Behavior

In honeyM, you can select a profile….

- University Student
- Top Secret Government Agent
- My Mom
- Corporate Employee

User Behavior

Top Secret Government Agents do things like VPN, SSH, use PKI… (no really, they do.)

Corporate employees do things like browsing financial news, logging into webmail.

University students do things like….. (well university student things)

Don’t even ask about my Mom.

Putting it together…..

BT Results

Nmap Results

What to log…

Any communications activity to the device is suspect.

Doesn’t mean every Bluetooth NAME_REQ is bad though… this happens all the time.

How do we reduce false positives in logging?

Layered Logging
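An added example of the layered approach, not honeyM’s own code: a small correlator that keys WiFi and Bluetooth events to one device with the deck’s MAC + 1 rule, scores them across layers, and tags the BlueBug signature (AT commands over an RFCOMM channel opened without authentication), so a bystander’s lone NAME_REQ stays below the alert threshold. The log format, event weights and sample lines are constructed for this example.

```python
import re
from collections import defaultdict
# Constructed log format, one line per event from the WiFi, Bluetooth (HCI) and
# application (RFCOMM payload) loggers: "<ts> <layer> <EVENT> from=<addr> k=v ..."
LINE_RE = re.compile(r"^(\S+)\s+(wifi|bt|app)\s+(\S+)\s+from=(\S+)(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WEIGHTS = {"NAME_REQ": 1, "SDP_SEARCH": 2, "DEAUTH": 2, "RFCOMM_CONNECT": 3}  # constructed
ALERT_THRESHOLD = 5

def bt_from_wifi(mac):
    """The deck's rule of thumb: WiFi MAC + 1 (last octet) == Bluetooth address."""
    octets = [int(x, 16) for x in mac.split(":")]
    octets[-1] = (octets[-1] + 1) & 0xFF
    return ":".join("%02X" % o for o in octets)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, layer, event, src, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    device = bt_from_wifi(src) if layer == "wifi" else src.upper()  # one key per device
    return {"ts": ts, "layer": layer, "event": event, "device": device, "fields": fields}

def correlate(lines):
    """Score devices across layers; tag BlueBug (AT commands over unauthenticated RFCOMM)."""
    devices = defaultdict(lambda: {"score": 0, "tags": [], "unauth_rfcomm": set()})
    for ev in filter(None, map(parse_line, lines)):
        d, f = devices[ev["device"]], ev["fields"]
        d["score"] += WEIGHTS.get(ev["event"], 0)
        if ev["event"] == "RFCOMM_CONNECT" and f.get("auth") == "0":
            d["unauth_rfcomm"].add(f.get("channel"))
        if (ev["event"] == "RFCOMM_DATA" and f.get("channel") in d["unauth_rfcomm"]
                and f.get("data", "").upper().startswith("AT") and "BlueBug" not in d["tags"]):
            d["tags"].append("BlueBug")
            d["score"] += ALERT_THRESHOLD
    return devices

def alerts(lines):
    """Report only devices whose combined score crosses the threshold."""
    return {dev: (v["score"], v["tags"]) for dev, v in correlate(lines).items()
            if v["score"] >= ALERT_THRESHOLD}

SAMPLE_LOG = [  # constructed: a bystander's lone NAME_REQ plus a multi-vector attack
    "00:00:01 bt NAME_REQ from=AA:BB:CC:11:22:33",
    "00:00:02 wifi DEAUTH from=00:23:6C:60:21:11",
    "00:00:05 bt NAME_REQ from=00:23:6C:60:21:12",
    "00:00:08 bt RFCOMM_CONNECT from=00:23:6C:60:21:12 channel=13 auth=0",
    '00:00:09 app RFCOMM_DATA from=00:23:6C:60:21:12 channel=13 data="AT+CPBR=1,10"',
]
```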

WiFi Logging

Is this just a malformed 802.11 frame or is it more?

Bluetooth Logging

Recording all Bluetooth hci layer information.

In an ideal world…

Everyone would have a Bluetooth Protocol Analyzer for logging Piconets.

Application Layer Logging

Oh look, Al Qaeda just got bluebugged.

So kewl we had to say thanks.

Kismet-NG now supports Spectools traffic as a plugin.

Can correlate spectrum activity to management frames.

Auxiliary/wireless/dos_ctf_flood

Legal Constraints of WiFi Logging

Unique legal constraints to mobile device honeyclients not found on wired networks

Typically we relied on Expressed Consent or Trespasser Consent to allow us to capture on a honeyclient.

Unfortunately we cannot get the entire consent of all users on 2.4GHz.

Shortcomings of honeyM

Can only do full BT packet capture with specialized equipment:

- CATC Merlin
- Frontline
- USRP

Shortcomings of honeyM

Subject to chaff

What if I just send a 1,000,000 packets to obscure my actual attack?

These are the same problems for wired honeypots.

How to overcome this?

Make the targets so attractive, nobody thinks it is a honeyclient

#hcitool scan - Paris Hilton’s iPhone

Conclusions

Mobile Device attacks are dynamic, relying on multiple vectors for attack.

We can use honeyclients to discover novel attacks on mobile devices.