PacSec 2015 speaker

1. PacSec
November 2015
Blue-Toot
or
”My Android Had a Little Accident...”
Adam “Major Malfunction” Laurie

2. Who are we?
• Aperture labs: www.aperturelabs.com

3. Who are we?
• Aperture labs: www.aperturelabs.com

4. Who are we?
• Aperture labs: www.aperturelabs.com

5. Who are we?
• Aperture labs: www.aperturelabs.com

6. • Zac Franken
• Chip Monkey
• Scary Chemicals
• Bad Smells
Who are we?

7. Who are we?
• Adam Laurie
• Code Monkey
• Convert scary
analogue Magic
Moonbeams to
lovely Digital Bits
& Bytes

8. What?

9. What?
• Bounty programs
• Pwn2own
• Mobile Pwn2own
• Android NFC
• Android Bluetooth

10. Android + NFC = Blue-toot

11. Android + NFC = Blue-toot

12. Android + NFC = Blue-toot

13. Android + NFC = Blue-toot

14. Android + NFC = Blue-toot

15. Android + NFC = Blue-toot

16. Android + NFC = Blue-toot

17. Android + NFC = Blue-toot

18. Android + NFC = Blue-toot

19. Android + NFC = Blue-toot

20. Android + NFC = Blue-toot

21. Android + NFC = Blue-toot

22. Android + NFC = Blue-toot

23. Android + NFC = Blue-toot

24. Android + NFC = Blue-toot

25. Why?
• Mobile pwn2own 2013
• Short Distance ($50,000):
• Bluetooth, or Wi-Fi, or NFC

26. Why?
• Mobile pwn2own 2013
• Short Distance ($50,000):
• Bluetooth, or Wi-Fi, or NFC
• Pwned in departure lounge on the way
home...

27. Why?
• Mobile pwn2own 2013
• Short Distance ($50,000):
• Bluetooth, or Wi-Fi, or NFC
• Pwned in departure lounge on the way
home...

28. Why?
• Mobile pwn2own 2013
• Short Distance ($50,000):
• Bluetooth, or Wi-Fi, or NFC
• Pwned in departure lounge on the way
home...
• Not. Too late...

29. Why?
• Mobile pwn2own 2014
“You are welcome to hold your vuln for
Mobile Pwn2Own 2014 or to submit
now to the ZDI for consideraton as a
regular case.“ - ZDI

30. Bounties

31. Bounties
• The good:
• Reward anyone for finding bugs
• Research not driven by company

32. Bounties
• The good:
• Reward anyone for finding bugs
• Research not driven by company
• Big bucks - $75,000 top prize in 2014

33. Bounties
• The bad:
• Research paid only on success
• Cheaper for vendor
• More expensive for researcher
• No free market – vendor sets value
• Selling vulns feels wrong!
• Saving vulns for bigger payof

34. Bounties
• The ugly:
• “mobile” pwn2own not so mobile!
• WiFi / NFC / Bluetooth category must be
completed in RF shielded cage
• No phone network!
• Jump through hoops to “win”

35. Bounties
• The ugly:
• “winning” may be decided by coin toss
• Competition is over after 1st
win
• 5 entries in 2014

36. Bounties
• The ugly:
• “winning” may be decided by coin toss
• Competition is over after 1st
win
• 5 entries in 2014
• Subsequent winners given ½ prize

37. Bounties
• The ugly:
• Next day vuln “worthless”
• Unless you sell it on the black market...
• Errmmm... What's the diference?

38. Bounties
• The ugly:
• Less secure by definition:
• Not all security companies will have
access to all vulns
• You are only as secure as the group
covered by your preferred vendor

39. Bounties
• The ugly:
• Wassenaar
Dragos tweeted on Sept 1st
:
“The frst bona fde casualty of the Wassenaar
changes: HP won't be doing PWN2OWN
Mobile in Japan due to new export
restrctons.”

40. The Hack
• NFC
• NDEF
• SmartPoster
• WiFi Config
• Bluetooth handover

41. The Hack
• NFC
• NDEF
• Bluetooth handover
• Switches on Bluetooth
• Target “open” service
• Obex push
• Send HCI command on established
connection

42. The Hack
• Bluetooth
• Send HCI command on established
connection
• Connection is always encrypted
• Either side can request key change
• Push new key

43. The Hack
• Bluetooth
• Push new key
• New key now in target keysfile
• Restart Bluetooth stack on target
• Key found in keysfile at startup == TRUST!

44. The Hack
• Bluetooth
• Push new key
• New key now in target keysfile
• Restart Bluetooth stack on target
• Key found in keysfile at startup == TRUST!

45. The Demo
• This is where it all goes horribly wrong...