00:00:00.000-->00:00:05.239 >>So as you may have guessed by now, this is real time bluetooth detection using blue hydra >>it 00:00:05.239-->00:00:10.377 feels very real time doesn't it? >>We're going to go a little faster than we planned so we're 00:00:10.377-->00:00:15.382 going to jump ahead here, oh can't, [laugh] >>try to page up and down >>alright I'm 00:00:18.151-->00:00:22.656 Granalocks I work at Pwnie express, I've been there for about as long as Pwnie Express 00:00:22.656-->00:00:26.727 has existed and I primarily focus on device detection, looking at different kinds of 00:00:26.727-->00:00:30.430 devices that we see in the environments that we're monitoring for people um that's 00:00:30.430-->00:00:36.603 how I got involved with this project with this Mr The Plague looking guy here um so we saw 00:00:36.603-->00:00:39.873 that we needed to see more bluetooth devices because we were barely seeing anything that 00:00:39.873-->00:00:48.448 was out there in the world and this is how this came about >>Woo I'm a very calm zerochaos 00:00:48.448-->00:00:54.521 uh a lot of you might know me I do wireless stuff and please stop calling wifi wireless, 00:00:54.521-->00:00:58.392 those are not the same things. Ah I like anything that you aren't touching because it's way 00:00:58.392-->00:01:02.763 cooler to hack things that you didn't touch uh wire is boring and wireless stuff is fun 00:01:02.763-->00:01:08.902 whether it's AM radio or bluetooth or wifi or whatever so free plug for the wireless 00:01:08.902-->00:01:15.442 village uh come by Sky View one uh 26th floor of the other tower and hang out with us and do some 00:01:15.442-->00:01:20.447 real wireless stuff. So what is bluetooth right? 
Bluetooth is cheap it's meant to replace the 00:01:23.717-->00:01:27.254 cables that fail us horribly while we're trying to give our presentation at Defcon 00:01:27.254-->00:01:32.125 [laughter] um but that's really what it's for it it's not for high bandwidth applications it's 00:01:32.125-->00:01:36.063 not intended for that originally it it's just intended to replace the cables so you don't have to 00:01:36.063-->00:01:42.102 plug in your keyboard or possibly your your monitor Or possibly I I don't know I guess 00:01:42.102-->00:01:47.407 your cell phone it it's not meant for much, right? What it does is frequency hopping spread 00:01:47.407-->00:01:52.412 spectrum it hops eight hundred times a second to try to get away from interference and to 00:01:54.548-->00:01:59.453 not interfere so much with other devices so you're actually going to be hopping constantly all 00:01:59.453-->00:02:04.658 over the spectrum which as you might imagine makes monitoring it a lot harder. And that's 00:02:04.658-->00:02:09.096 really why there's no monitor mode on these these pieces of hardware is it's very difficult 00:02:09.096-->00:02:13.100 to monitor this in the first place and the target price of bluetooth radio is about five 00:02:13.100-->00:02:19.206 cents and none of it's normal operation requires that kind of monitor mode so why why would 00:02:19.206-->00:02:23.043 you ever do that? Uh increasing component cost is just not something that's typically done 00:02:23.043-->00:02:29.383 for fun, so they didn't do it. So no monitor mode means sad face. Uh bluetooth is divided up 00:02:29.383-->00:02:34.488 into three basic classes. 
Class one is the hundred milliwatts which is about hundred meters is 00:02:34.488-->00:02:39.226 what they expect the distance to be in fantasy land uh those are high powered devices the sena 00:02:39.226-->00:02:44.765 dongle that pwnie express likes to use uh they're really nice to have uh if you actually expect a 00:02:44.765-->00:02:49.836 class one to go a hundred meters you might be on another planet but class two is what you 00:02:49.836-->00:02:55.208 normally run into it's your your bluetooth on your cell phone, your headset, your laptop, those 00:02:55.208-->00:02:59.946 are ten meters, which thirty feet away for like something meant to connect your keyboard 00:02:59.946-->00:03:04.418 is is pretty good, right? That That's not really a problem for what you're doing from my pocket 00:03:04.418-->00:03:10.157 to my ear piece is only about two and a half feet um sicilian it's the best we can do it's a 00:03:10.157-->00:03:14.761 little farther for him but still well within thirty feet right? It's not really a big deal to 00:03:14.761-->00:03:19.533 have low power bluetooth if you get a really bad one that's called class three, that's one 00:03:19.533-->00:03:23.603 milliwatt and that's why sometimes you buy the really cheap bluetooth headset or it 00:03:23.603-->00:03:27.407 was really expensive but it was mad really cheap from your pocket to your ear is not all 00:03:27.407-->00:03:31.178 that possible because it's actually only going to go about a meter and you're basically 00:03:31.178-->00:03:37.284 maxing it out if you're a six foot tall person okay this is what bluetooth looks like on 00:03:37.284-->00:03:42.289 spectrum uh we we've got the really pretty 3D waterfall that honestly if I could put this as 00:03:44.391-->00:03:48.028 a video would look so much cooler but since I can't do a live demo to start with we'll 00:03:48.028-->00:03:52.933 just go ahead and be happy that I've got this at all. 
This is a standard uh fast fourier 00:03:52.933-->00:03:57.504 transform um waterfall display, but you can see all those little blips are bluetooth this was 00:03:57.504-->00:04:02.642 actually us rocking out in the wireless village sending stuff up last night uh this is this is 00:04:02.642-->00:04:07.647 high bandwidth audio this is this is very high quality as you can see very very little actual 00:04:09.683-->00:04:16.056 data is being sent on a network where you would have like a large wifi network possibly 00:04:16.056-->00:04:20.794 right in the middle of this you'd actually see all the bluetooth go below and above 00:04:20.794-->00:04:25.098 using what's called adaptive frequency hopping, it's basically just going to avoid 00:04:25.098-->00:04:30.370 interfering with the wifi and avoid being interfered with by the wifi and that's really a a 00:04:30.370-->00:04:35.242 function of just get out of the way because you're the lower bandwidth guy and it's easier 00:04:35.242-->00:04:40.547 but again that makes it a lot hard to sniff bluetooth directly and that's why those radios just 00:04:40.547-->00:04:45.418 don't have those kinds of functionalities. 
Bluetooth classic, this is the stuff that 00:04:45.418-->00:04:50.423 you all know and love you probably are using a every day headsets, things like that, the 00:04:52.926-->00:04:58.331 security for this stuff is really really simple it it works on a process called Discoverable 00:04:58.331-->00:05:03.303 or not discoverable if it's not discoverable that's the mode it's supposed to be in all the 00:05:03.303-->00:05:08.942 time it's supposed to be just not visible to the outside world to the outside world as it were 00:05:08.942-->00:05:15.115 it's supposed to be already configured already did the key exchange, people compare 00:05:15.115-->00:05:21.288 everything to wifi I can't count the number of times I've walked in for wi-macs recommendations 00:05:21.288-->00:05:26.193 or bluetooth recommendations and it was a set of wifi recommendations where they did a 00:05:26.193-->00:05:30.330 search and replace and changed wifi to ZigBee or something stupid like that and it's like 00:05:30.330-->00:05:37.103 no no no like like that's not how this works okay? Bluetooth when you disconnect doesn't 00:05:37.103-->00:05:42.676 actually terminate the authentication the key material is saved on both ends those are 00:05:42.676-->00:05:47.013 kept you don't have to reauthenticate this is why you don't have to type the pin in 00:05:47.013-->00:05:53.820 every time you use every piece of your bluetooth hardware, right? The pairing is part of 00:05:53.820-->00:05:58.692 you turn into discoverable mode, you find the device, then you pair to it, and kind of like a 00:05:58.692-->00:06:03.263 marriage you can let people know that you're married but the pairing you kind of should be 00:06:03.263-->00:06:07.601 doing in secret, right? You don't want people to be observing that key material 00:06:07.601-->00:06:12.706 because that's all of your security right there. 
For a really good primer on how that 00:06:12.706-->00:06:18.078 works, um Mike Ryan gave a talk at SchmooCon a couple years ago, I highly recommend it was called 00:06:18.078-->00:06:21.681 How Smart is Bluetooth Smart but he goes over how all of the pairing and stuff works and it's 00:06:21.681-->00:06:26.353 very eye opening to know if you're not pairing in a faraday cage you probably should start 00:06:26.353-->00:06:31.358 but bluetooth classic is all of the security is is based on pairing in secret And if you are 00:06:34.294-->00:06:38.932 not paired to a device it's a lot harder to find it and we'll get into how we do that and it's 00:06:38.932-->00:06:44.704 fun. Bluetooth low energy there's probably way too many of you that have this on in the 00:06:44.704-->00:06:49.709 room uh all of you with a fitbit or a smartwatch or a salt card to authenticate to your cell 00:06:51.745-->00:06:57.384 phone for you uh these bluetooth low energy devices are the really popular stuff now and 00:06:57.384-->00:07:02.722 that's kind of why we ended up writing this tool the bluetooth stuff has been exploding and we 00:07:02.722-->00:07:08.061 couldn't' see it and that was really terrifying for us and when we started building this 00:07:08.061-->00:07:12.299 and seeing just how much was out there it became a much bigger priority to work on this because 00:07:12.299-->00:07:17.070 we thought it was cool. 
So bluetooth low energy unlike bluetooth classic has three 00:07:17.070-->00:07:22.409 discoverability settings uh general discoverability limited discoverability and non 00:07:22.409-->00:07:27.147 discoverable uh what's funny is is it really doesn't matter because the way this works is 00:07:27.147-->00:07:31.918 you send out an advertisement and you say hey I'm invisible and you send it out about four 00:07:31.918-->00:07:35.922 times a second hey I'm invisible, hey I'm invisible, hey I'm invisible, hey I'm 00:07:35.922-->00:07:41.795 invisible and the way the spec is written you drop those packets that's what you're 00:07:41.795-->00:07:46.800 supposed to do [laughter] I'm glad you all feel the same as me about how great that is. Some 00:07:49.369-->00:07:55.141 devices don't advertise ah if you're wearing a fitbit you don't own one of them, if you're 00:07:55.141-->00:07:58.712 wearing pretty much any of the fitness bands, fitness trackers, most of them just don't do it, 00:07:58.712-->00:08:03.550 the more high end devices a lot of the smartwatches they don't advertise unless you go to the 00:08:03.550-->00:08:07.754 settings menu and mark it discoverable and that kind of stuff they're actually half 00:08:07.754-->00:08:12.258 decent but we still do see them quite a bit because sometimes it loses it's connection to the 00:08:12.258-->00:08:17.430 phone decides it needs to advertise so the phone can find it again and things like that. 00:08:17.430-->00:08:22.435 So bluetooth proliferation uh there's a whole bunch of random IOT IOT IOT IOT IOT IOT are you 00:08:24.771-->00:08:30.543 all drunk yet? 
[laughter] good okay that's enough of that garbage, wearable stuff, all 00:08:30.543-->00:08:36.383 around you bluetooth low energy which was also called bluetooth smart although it is not 00:08:36.383-->00:08:42.555 actually lower power transmit and receive it's designed to be lower power consumption it's 00:08:42.555-->00:08:47.927 trying to do deep sleep cycles and things like that to avoid burning all that power so all of 00:08:47.927-->00:08:52.332 the wearable devices the smartwatches the the fitness trackers they try to do that so 00:08:52.332-->00:08:57.570 here's just a really quick terrifying set of numbers, you know fitbit last year sold 21 00:08:57.570-->00:09:04.244 million devices, uh ShowMe did 12 million, Apple did 11.6, I'm reading while I eyeball my 00:09:04.244-->00:09:10.784 cohort just so he knows that Apple is in third behind China anyway, point is, total seventy 00:09:10.784-->00:09:15.789 eight point one million wearable bluetooth low energy pieces of unsecure garbage uh mostly um 00:09:19.559-->00:09:23.496 it's terrifying right? We have all of these devices with us all the time, I'm wearing three of 00:09:23.496-->00:09:27.967 them try to count them while I'm standing here, but seriously we have so much of this and we're 00:09:27.967-->00:09:33.072 not looking for it. 
It's interesting if nothing more than that, but you can get a lot of 00:09:33.072-->00:09:38.845 fun and and pro from it so I think it's even more interesting alright prior art I'm gonna 00:09:38.845-->00:09:42.015 gloss over pretty quick because I'd like to give more time to my cohort we looked at a bunch of 00:09:42.015-->00:09:44.017 bluetooth tools that existed RedFang is a bluetooth discovery that does brute forcing of Mac 00:09:44.017-->00:09:46.019 addresses, hey it's not discoverable I'm going to ping every mac address on the planet 00:09:46.019-->00:09:51.024 and try to find it, that's one way to do that, uh we went with a different way, but that that's 00:09:54.194-->00:09:59.199 one way to do that, uh BTCrack and Crackle are pin crackers those are trying to break the 00:10:03.570-->00:10:08.708 authentication between the the devices and then Bluesnarfer is an older tool meant for like 00:10:08.708-->00:10:13.746 dumping phone books and SMS messages off of phones none of this was in our interest what we 00:10:13.746-->00:10:18.785 were trying to do is discover that devices were in the area, fingerprint them, track them, 00:10:18.785-->00:10:23.656 see when they show up, when they leave, have the ability to find them physically in meet space 00:10:23.656-->00:10:28.161 and that that's really what was interesting to us so like all of this stuff existed only Crackle 00:10:28.161-->00:10:32.031 really worked on bluetooth low energy stuff and and none of it was really all that interesting 00:10:32.031-->00:10:38.638 to us. 
Bluetooth discover, Bluelog is a great tool but it was written back when there 00:10:38.638-->00:10:44.277 wasn't bluetooth low energy so it doesn't support bluetooth low energy so it spans out a bunch 00:10:44.277-->00:10:49.282 of really useful logs constantly at a terrifying rate and uh we didn't find it all that useful 00:10:51.351-->00:10:56.756 uh BTScanner was an absolutely beautiful app kind of like KISMET but for bluetooth worked 00:10:56.756-->00:11:00.727 really well unless you pressed any key and then it would crash [laughter] uh it's been known to 00:11:00.727-->00:11:04.931 maintain it's not it's not their fault it's been unmaintained since about 2003 as far as I 00:11:04.931-->00:11:10.770 could tell uh so no le support on that either because there was no such thing as le and it had a 00:11:10.770-->00:11:16.075 really neat gooey and we really liked it and maybe if either of us could code in C we would have 00:11:16.075-->00:11:20.613 picked it up and started working on it but as it turns out I shouldn't program and he's 00:11:20.613-->00:11:27.554 better? 
>>arguable >>arguably better um useful stuff uh it turns out if you're going to 00:11:27.554-->00:11:32.559 stand on the shoulders of giants and you're working on bluetooth the Bluez team is probably a 00:11:35.562-->00:11:41.100 hearty good place to start so Bluez is the library for linux that runs all the bluetooth 00:11:41.100-->00:11:47.240 stack and they not only have a functional library and workable tools they have documentation 00:11:47.240-->00:11:52.245 ooh ooh and examples and unit tests that work sixty seventy percent of the time so it's 00:11:54.647-->00:11:59.152 really really good stuff um I'd like to thank them for that and there's a thanks for it later 00:11:59.152-->00:12:05.058 but but really thank you so hciconfig is the main controller brings the cart up down resets 00:12:05.058-->00:12:09.829 it when it goes out to lunch which is pretty often because it's five cent hardware I mean 00:12:09.829-->00:12:13.233 they charge you a lot more for it but that plastic got to be really expensive because the 00:12:13.233-->00:12:18.238 chip sure ain't um hcitool is going to discover your your classic devices uh hcitool scan 00:12:21.040-->00:12:27.947 will look for classic devices in discover mode hcitool lescan 'le scan' as we were calling it 00:12:27.947-->00:12:33.620 internally works but it's really hard to parse uh and when I told the Bluez team what i was doing 00:12:33.620-->00:12:40.393 with them they were like oh my god stop, stop now never do that again you're an idiot and I said 00:12:40.393-->00:12:44.697 okay cool but could you elaborate? 
They're like oh all those tools are completely out 00:12:44.697-->00:12:50.970 of date unmaintained and probably will crash your kernel, oh thanks So uh they told me 00:12:50.970-->00:12:55.708 about their test scripts and some of their documentation and we moved on to the test scripts 00:12:55.708-->00:13:01.180 which was Bluez test discovery which was a a uh thing that they did in Python that shows how to 00:13:01.180-->00:13:05.818 use the DBus interface and a bunch of internal libraries to actually do proper detection 00:13:05.818-->00:13:11.124 that doesn't crash your system the bluetooth dongle still crashes relentlessly but the the 00:13:11.124-->00:13:15.261 kernel doesn't and that that's definitely an improvement for those of you have never crashed 00:13:15.261-->00:13:20.667 your kernel while giving a presentation [clears throat]. So the problem is is of course 00:13:20.667-->00:13:27.106 being that the Bluez team writes the main libraries for linux uh it hides some le devices the non 00:13:27.106-->00:13:31.344 discoverable ones it just go ahead and throws out the responses and uh things like 00:13:31.344-->00:13:36.516 that but what it did for us is it helps us to talk to the bluetooth card it taught us how 00:13:36.516-->00:13:42.155 all of that works and we use all of their documentation and their API calls and took their huge 00:13:42.155-->00:13:48.361 bit of code and like ripped out the six lines we needed and said that we modified it. That and 00:13:48.361-->00:13:52.999 that taught us how to see discoverable devices. 
But discoverable devices are only so 00:13:52.999-->00:13:58.171 much of the fun I mean granted le stuff is noisy as sin but we wanted to see other stuff so we 00:13:58.171-->00:14:03.209 fell back to our good friends uh at the Ubertooth team uh and they have a lovely piece of 00:14:03.209-->00:14:07.046 hardware uh I think it's about a hundred bucks something like that uh you can buy them 00:14:07.046-->00:14:11.718 basically everywhere but Great Scott Gadgets make a product called the Ubertooth and this is 00:14:11.718-->00:14:17.690 a true bluetooth basic rate sniffer. It sniffs basic rate which is kind of like to 00:14:17.690-->00:14:23.863 bluetooth what 802.11b is to wifi uh there are faster speeds but somehow people always send 00:14:23.863-->00:14:29.235 stuff at slower speeds so you can see it uh they can't sniff bluetooth EDR which is bluetooth 00:14:29.235-->00:14:35.007 2.0 enhanced data rate with these but that hasn't actually been much of a problem for us 00:14:35.007-->00:14:40.213 because everything kinda sends packets at a slower speed at some point fast enough that we 00:14:40.213-->00:14:46.152 feel happy um so Ubertooth Scan was the program we were using initially and what it does is it 00:14:46.152-->00:14:52.525 sniffs on one channel and it looks for any devices that are communicating in bluetooth you 00:14:52.525-->00:14:57.530 only transmit the lower address part of the master device when you are having a communication 00:15:00.166-->00:15:05.204 and who its from and to is dependent on the time slot so it's from master to slave from 00:15:05.204-->00:15:10.877 slave to master back and forth and what this allows us to do is we can sniff the lower address 00:15:10.877-->00:15:14.747 part and then you grab some information from the header and you do some math after a couple 00:15:14.747-->00:15:19.619 of packets you can figure out the upper address part which is enough to ping the device and 00:15:19.619-->00:15:23.756 that's just what 
Ubertooth scan did is it would then take your bluetooth dongle and it would 00:15:23.756-->00:15:27.994 query it for a name and information and give you a bunch of information on the device 00:15:27.994-->00:15:33.966 back. Uh because we had all of the test discovery stuff already and it was working so well we 00:15:33.966-->00:15:38.738 wanted to not have it interrogate the bluetooth device like that so we talked to the 00:15:38.738-->00:15:42.041 Ubertooth team and they introduced the last thing on their minds which was 00:15:42.041-->00:15:48.481 Ubertooth-RX-Z uh and they gave us that flag where it just does the sniffing part and it doesn't 00:15:48.481-->00:15:53.252 do anything else and then we parsed it internally and and my friend Granolocks will explain 00:15:53.252-->00:15:59.826 that >>Right about now actually. Okay so I'm actually gonna go through and talk about the tool 00:15:59.826-->00:16:03.930 that we made and how it functions I mean it is we are open sourcing it as part of this 00:16:03.930-->00:16:07.066 and so I'm actually going to talk through the internals of the tool a little bit with the 00:16:07.066-->00:16:11.204 hope that people will be able to read through it and look through it and you know contribute back 00:16:11.204-->00:16:16.275 to it ideally would be great So the primary goal that we had was to create an aerody- airodump 00:16:16.275-->00:16:21.414 like interface where you could see a live view of bluetooth devices around you at any given 00:16:21.414-->00:16:25.718 time um we also wanted to support bluetooth low energy because the existing tools that 00:16:25.718-->00:16:29.522 did something like this did none of that and that was a really important thing for us just 00:16:29.522-->00:16:34.427 given how much uh device proliferation we've been seeing on the low energy side of things 00:16:34.427-->00:16:37.597 And again the second point up there find as many devices as possible that was really the 00:16:37.597-->00:16:42.501 goal 
but a bigger part of that was to find them as quickly as possible because a lot of the 00:16:42.501-->00:16:47.039 lower energy devices are things like mobile or wearable devices that are on people that are 00:16:47.039-->00:16:51.811 moving around or on cars or vehicles or on trolleys with beacons and so they tend to move 00:16:51.811-->00:16:55.548 past you very quickly and if you don't pick them up when they're there you're going to miss them 00:16:55.548-->00:17:00.920 entirely. Um we opted to have a database back end for the purposes of persistency we 00:17:00.920-->00:17:04.824 wanted to be able to turn this thing off and then bring it back up later and and be able to 00:17:04.824-->00:17:09.462 correlate devices that we saw back to what we had previously seen and that you know the 00:17:09.462-->00:17:13.566 database allowed us to do that and another goal going back to sort of standing on the 00:17:13.566-->00:17:17.703 shoulders of giants is really minimize the amount of direct hardware interfacing we're 00:17:17.703-->00:17:21.574 actually doing this really allowed us to move a lot faster on the development side of 00:17:21.574-->00:17:26.245 things and it allowed us to kind of keep things as simple as possible and use the tools that 00:17:26.245-->00:17:31.217 exist without trying to reinvent the wheel and um we're not at all focused on cracking or brute 00:17:31.217-->00:17:35.855 forcing or attacking bluetooth with this tool at least at this time. 
Um in terms of the design 00:17:35.855-->00:17:41.093 logic um it's primarily written in Ruby it's 95% Ruby um there's a little bit of Bash and a 00:17:41.093-->00:17:44.964 little bit of Python the Bash is mainly there to manage the interface and to shell out to 00:17:44.964-->00:17:48.901 run some of the third party tools that we're relying on >>What he's trying to say is 00:17:48.901-->00:17:54.640 we're sorry in advance >>Yeah and then python yeah yeah if you read it good luck and I'm sorry 00:17:54.640-->00:18:00.246 but ah the Python side of things is just the test discovery script using the Bluez like the 00:18:00.246-->00:18:04.984 py bluez library that Rick mentioned um so we built it on top of these existing tools as 00:18:04.984-->00:18:10.189 much as possible this helped us develop very rapidly and we modified the tools as we needed 00:18:10.189-->00:18:14.694 but again to minimize the use of hardware we entirely relied on them where we could. So at a 00:18:14.694-->00:18:19.131 high level what we do is we have a number of discrete threads like Ruby threads running in the 00:18:19.131-->00:18:23.102 background which are doing each of our each of our different tasks and then everything gets 00:18:23.102-->00:18:28.174 boiled down into a single data processing thread uh for the database we did use SQLite 00:18:28.174-->00:18:33.813 initially and SQLite if anyone's ever used it which I'm sure you have it's kind of trash ah it 00:18:33.813-->00:18:37.817 worked for our purposes but one of the problems with it is it's extremely blocking and so if you 00:18:37.817-->00:18:40.886 try to access it for multiple threads you're going to end up with a ton of right lock 00:18:40.886-->00:18:44.957 contention and everything's gonna fall over so we ended up boiling everything down into a 00:18:44.957-->00:18:49.595 single thread for processing the data which ultimately served us pretty well for reasons I'll 00:18:49.595-->00:18:55.601 probably explain if I have time. 
Yep. Before we get into the threads I think the tool that we 00:18:55.601-->00:19:01.240 need to talk about is btmon which is also part of the Bluez library and this is uh a tool 00:19:01.240-->00:19:06.078 which is the whole the whole blue hydra suite is dependent upon and so there is no true 00:19:06.078-->00:19:11.317 monitor mode which is to say like monitoring rf for bluetooth like we might have with wifi but 00:19:11.317-->00:19:16.822 what it does is it monitors the interactions between the operating system and the adapter 00:19:16.822-->00:19:21.460 the bluetooth adapter so as commands get sent to the adapter the adapter sees packets it 00:19:21.460-->00:19:26.365 it'll summarize btmons able to summarize those messages into a basically a long stream of 00:19:26.365-->00:19:30.603 whatever the heck is going through the adapter and we use that as our primarily primary 00:19:30.603-->00:19:34.373 point of contact for getting data out of the out of the interface. Uh It's it's 00:19:34.373-->00:19:38.344 reasonably parseable it it has text output and so it's it's a little funky and I'll show you 00:19:38.344-->00:19:42.848 the output in a second here but it's it's it wasn't too bad to handle the parsing one of the 00:19:42.848-->00:19:47.386 things that's really powerful about using btmon like this is we were able to throw all kinds 00:19:47.386-->00:19:54.360 of different commands such as what Rich uh Zero mentioned sorry, yeah nice catch there, um 00:19:54.360-->00:19:57.997 you know we could run the hcitool commands or the l2ping commands and they or the test 00:19:57.997-->00:20:02.234 discovery as well and all of that would come streaming out of btmon in one place. It also 00:20:02.234-->00:20:06.739 supports multiple bluetooth dongles and right now the actual service isn't supporting 00:20:06.739-->00:20:11.977 multiple devices but we plan to add that in the not too distant future. 
So with btmon this is 00:20:11.977-->00:20:16.315 the you can see the output here this is a single message coming out of btmon it's an le 00:20:16.315-->00:20:21.487 advertising report this is an le device advertising its existence and the way that we use it is we 00:20:21.487-->00:20:25.791 have a single thread that executes and filters the messages coming out of btmon and 00:20:25.791-->00:20:30.996 breaks them up we push them over to another thread that basically buffers them by device so we'll 00:20:30.996-->00:20:35.935 see same device same device same device same device different device and we get a new device 00:20:35.935-->00:20:39.572 we flush that out to get parsed and processed and we start buffering the new device that 00:20:39.572-->00:20:44.743 we're seeing data about um Alright so the next thread that's really significant and 00:20:44.743-->00:20:49.081 this is where a lot of the actual work is done is the is the main discovery thread. So 00:20:49.081-->00:20:54.820 this thread is responsible for running test discovery commands and it also feeds off a number 00:20:54.820-->00:20:59.258 of queues which different parts of the system feed into that tell it who it needs to gather 00:20:59.258-->00:21:03.762 information from who it needs to ping uh the l2ping command is very useful for us because it 00:21:03.762-->00:21:08.367 allows us to test if devices are still present even if they've gone out of discoverable mode or 00:21:08.367-->00:21:12.638 even if we never saw them in discoverable mode such as with an Ubertooth uh it's also 00:21:12.638-->00:21:17.543 responsible mainly for the info gathering and the test discovery script will see the classic mode 00:21:17.543-->00:21:22.448 devices as well as the le advertisements. 
Nothing none of the commands that get run in 00:21:22.448-->00:21:26.485 this thread we do anything with it's just all coming out of btmon and the on the other side 00:21:26.485-->00:21:29.789 of things we do do error handling here so you'll see a lot of error handling if you 00:21:29.789-->00:21:34.160 start reading this code but that' just to make sure >>well not a lot >>we do some error 00:21:34.160-->00:21:38.531 handling here and that's mainly mainly where error handling so if something goes wrong with the 00:21:38.531-->00:21:43.836 card or any of the commands we'll catch it here and handle it here. So the Ubertooth thread 00:21:43.836-->00:21:48.407 also exists it will only start if you have an Ubertooth device plugged in and it is completely 00:21:48.407-->00:21:53.045 optional ah it does not replace having a conventional bluetooth dongle which you absolutely need 00:21:53.045-->00:21:56.749 to run this system. This system still relies on a traditional bluetooth dongle we recommend 00:21:56.749-->00:22:01.387 the sena dongles that pwnie express ships and they're they're quite robust. With the 00:22:01.387-->00:22:06.358 Ubertooth thread it's running the Ubertooth-rx command on a slow loop and it bypasses btmon 00:22:06.358-->00:22:12.731 entirely and ships that information straight into the processing queue. 
So with the 00:22:12.731-->00:22:19.605 data processing thread this is kind of the core brain of what we're doing and it is mainly ah 00:22:19.605-->00:22:22.608 excuse me it's mainly responsible for updating, creating the records and sort of 00:22:22.608-->00:22:27.112 tracking what devices we've seen but it also operates as a feedback loop to the rest of the 00:22:27.112-->00:22:31.383 system populating the queues to say you need to che-test this device you need to see if this 00:22:31.383-->00:22:36.522 is still present and this allows the discovery thread to do what it needs to do to kind of see 00:22:36.522-->00:22:40.926 and gather the information as quickly as we can to you know get gather info about devices 00:22:40.926-->00:22:44.797 before they pass out of our range. Ah one of the interesting problems we found here was the 00:22:44.797-->00:22:50.102 actual device correlation of bluetooth devices. So we assumed initially and pretty naively 00:22:50.102-->00:22:54.139 that we'd just be able to see mac addresses and say okay this is the same mac address that we 00:22:54.139-->00:22:59.144 saw previously it's the same device ah that falls over pretty quickly initially it falls over 00:22:59.144-->00:23:03.382 with the Ubertooth because the Ubertooth will only see the lower and upper address part 00:23:03.382-->00:23:09.154 which is the last four octets of the mac address so in the example here you can see if a 00:23:09.154-->00:23:11.357 device with physical address of dead beef cafe and and an Ubertooth will just return 00:23:11.357-->00:23:15.094 something something beef cafe and have no sense of the vendor if you wanted to do an OUI 00:23:15.094-->00:23:19.198 lookup you wouldn't be able to do this off this alone and we're never able to get the rest of 00:23:19.198-->00:23:24.670 that address, the complete address with an Ubertooth. 
So we are able to however zero pad it 00:23:24.670-->00:23:29.074 or pad it with any arbitrary hex and send it back out and ping those devices and they will 00:23:29.074-->00:23:33.479 respond to their upper and lower the UAP LAP, upper and lower address parts and the non 00:23:33.479-->00:23:37.616 significant address part which is the first two octets is totally irrelevant except for 00:23:37.616-->00:23:42.087 doing vendor lookups. So if we then see that device come into discoverable mode and we see 00:23:42.087-->00:23:46.025 its full address we're able to backfill and kind of fill in fill in the addresses that we 00:23:46.025-->00:23:50.296 didn't see which we initially saw with an Ubertooth uh another type of device correlation we're 00:23:50.296-->00:23:55.968 able to do in here is iBeacons iBeacons are capable of rolling their MACs very aggressively 00:23:55.968-->00:23:59.638 they change their address quickly and they don't always do this but they can do this and so 00:23:59.638-->00:24:03.976 we're not able to consistently rely on looking it up by the address so we were able to carve 00:24:03.976-->00:24:08.414 out some information out of btmon specifically the proximity UUID and the major and minor 00:24:08.414-->00:24:12.685 numbers which we were fairly consistently able to track iBeacons even as they rolled 00:24:12.685-->00:24:18.691 their MACs and moved around the space. So the last thread that's kind of worth mentioning and 00:24:18.691-->00:24:21.760 this wouldn't be our demo though I don't know we're probably not going to have a demo because of 00:24:21.760-->00:24:26.665 this because of this, we have screenshots is the CUI thread and uh it's the command line 00:24:26.665-->00:24:33.005 user interface which is to say it's it's the airodump style output which shows you >>woo! 
00:24:33.005-->00:24:38.210 >>Thank you, Which is which is really a live table of the devices that you're seeing 00:24:38.210-->00:24:43.248 around you at any given time so it's it's simple it's not curses or anything but it is sortable 00:24:43.248-->00:24:47.519 columns and you can kind of add and remove columns as you need to get the information that you 00:24:47.519-->00:24:52.057 care about for the devices uh so that's the main that's the main bulk of the internals of the 00:24:52.057-->00:24:58.697 tool. We were gonna go I think next to a demo and we're going to do it live >>yeah let's uh 00:24:58.697-->00:25:03.402 let's do it dead >>So we're going to do it dead >>Yeah so I'm going to apologize because 00:25:03.402-->00:25:08.240 after going through six laptops we finally got something that works and I am not unplugging it 00:25:08.240-->00:25:13.379 right now to see if we fixed the wire or if all five laptops before this one didn't work >>we 00:25:13.379-->00:25:17.983 could >>Uh yeah we're going to after everything else so I don't have to switch back and forth 00:25:17.983-->00:25:23.288 and break it again so I'll show you the screenshots and if we're really lucky I'll switch to a 00:25:23.288-->00:25:29.728 live demo afterwards. 
This is CUI what it is basically is is as Granolocks said it's roughly 00:25:29.728-->00:25:35.968 an airodump style interface we've got the address, the version, uh what version 00:25:35.968-->00:25:40.973 including like 4.2 will show up here on the devices that tell us the RSSI names manufacturer is 00:25:44.309-->00:25:48.347 an overloaded field so we grab a bunch of different information from different places in the 00:25:48.347-->00:25:55.154 bluetooth stack and we kinda put the best thing in in that spot and then range is an iBeacon uh 00:25:55.154-->00:26:00.092 specific thing the iBeacons actually give you a calibrated TX power of what they expect the 00:26:00.092-->00:26:05.697 signal strength to be at a meter away so you can use that to magically estimate the distance 00:26:05.697-->00:26:10.702 very very reliably uh so as you can see these were all sitting on top of the bluetooth dongle 00:26:10.702-->00:26:16.942 when we tested this. Uh this interface is pretty simple and if I'm lucky I'll get to show 00:26:16.942-->00:26:21.713 you but you can see this little caret right here, this is indicating that this is sorting 00:26:21.713-->00:26:27.986 uh ascending it can also sort descending you can reverse the sort and the other cool thing is 00:26:27.986-->00:26:32.791 you can change which column it is sorting by. 
You can also change which columns are 00:26:32.791-->00:26:38.063 available so this is the default view of columns, manufacturer, and range being the two 00:26:38.063-->00:26:44.069 interesting ones this is the iBeacon specific columns where we add in the proximity UUID the 00:26:44.069-->00:26:48.507 major number and the minor number these are the things that make iBeacons unique so it's 00:26:48.507-->00:26:53.512 proximity is basically the company and then major is like 8, 10, this, store number, and 00:26:55.881-->00:27:00.352 then the minor is like this is in the fruit stand so that when you walk up to the fruit stand 00:27:00.352-->00:27:06.291 you've got the grocery store app on your phone and it says oh dollar off bruised apples or 00:27:06.291-->00:27:11.296 whatever it is. This is the company display information uh I find that a lot of stuff has 00:27:14.766-->00:27:19.271 interesting things in the company and company data field and so we added that as a 00:27:19.271-->00:27:22.841 secondary display while debugging some stuff and and left it in there because we 00:27:22.841-->00:27:28.180 thought it was useful so you can change the column sets you can change the sort you can change 00:27:28.180-->00:27:33.418 uh you know up or down sort as well and >>I I think it's worth noting and we may or may not be 00:27:33.418-->00:27:37.523 able to show this given the functioning of the demo but this is a fraction of the data we're 00:27:37.523-->00:27:40.792 actually gathering about these devices there's a ton more information being stored in the 00:27:40.792-->00:27:45.364 database this is what we considered to be the most useful and immediate information when 00:27:45.364-->00:27:49.434 you're looking at a live view but if you go back and pull data out of the database there's 00:27:49.434-->00:27:54.439 a massive amount of information about these devices >>So where do I get it, uh on GitHub, Pwnie 00:27:57.242-->00:28:02.180 Express slash blue underscore hydra because 
go blue hydra, hail blue hydra, uh you can 00:28:04.216-->00:28:08.921 download it, there's a list of deps in the README and then you can run it straight from the 00:28:08.921-->00:28:12.891 git checkout and there's no problems with doing that because shocker that's how we developed 00:28:12.891-->00:28:17.896 it uh it does run on Kali because we developed specifically to run on Kali 00:28:20.132-->00:28:24.803 Linux which is what the Pwnie Express sensors run uh that said they haven't packaged it yet so 00:28:24.803-->00:28:29.007 you just have to install the dependencies and all that stuff manually or especially if you're 00:28:29.007-->00:28:32.511 competing in the wireless capture the flag this weekend you can just download Pentoo's 00:28:32.511-->00:28:37.916 latest release and it's already on there and gosh I developed blue hydra I added it to my 00:28:37.916-->00:28:42.387 distro I wonder if there could possibly be any contests around needing it desperately? >>Could 00:28:42.387-->00:28:46.525 I track somebody with this tool? >>Could you track somebody with this tool? That's a very good 00:28:46.525-->00:28:51.530 question sir, SHUT UP, questions are later [laughter] I mean yes. Yes. Thank you for your question 00:28:56.935-->00:29:01.873 uh sir. 
Uh so our conclusions were basically we found a lot of old bluetooth stuff because when 00:29:04.076-->00:29:08.947 bluetooth came out it was really cool to hack bluetooth and then apparently it wasn't cool 00:29:08.947-->00:29:14.720 anymore but somehow it became cool to have nine bluetooth low energy devices on your person at 00:29:14.720-->00:29:20.058 all times so we thought it would be cool to look at bluetooth again uh we took a really simple 00:29:20.058-->00:29:26.064 idea that uh had Gabe very mad at me for a very long time because it turns out hey there 00:29:26.064-->00:29:31.069 you go Granolocks it was harder to do than expected and uh yeah so we both suck at programming 00:29:33.672-->00:29:38.043 but he sucks a little less than I do [laugh] so it was surprising to see just how many 00:29:38.043-->00:29:43.682 devices were out there I can't count the number of places I went where I just saw hundreds 00:29:43.682-->00:29:48.687 of devices inside of one room and wondered why just why. 
So um I'd like to thank Defcon for 00:29:53.392-->00:29:57.929 telling me that the projector was VGA and then providing HDMI that doesn't work [laughter] 00:29:57.929-->00:30:02.934 Though I would sincerely like to thank the CFP selection crew you know who you are for letting us 00:30:07.839-->00:30:11.843 present uh we really do appreciate that because we think this is really cool and we 00:30:11.843-->00:30:16.748 really hope that you do too uh we'd like to thank Pwnie Express for paying us to build this and 00:30:16.748-->00:30:21.520 then letting us convince them to open source it and not just open source it but put a BSD license 00:30:21.520-->00:30:28.460 on it uh Coconut Pickard for helping us release this code as BSD uh our boss got a new hacker 00:30:28.460-->00:30:34.533 name and that's what it is so [laughter] yeah if any of you see the uh the VP of engineering 00:30:34.533-->00:30:40.305 you can you can call him that and don't blame me don't don't blame me uh the Ubertooth team 00:30:40.305-->00:30:44.910 for being awesome uh not only did they implement a new feature for us but they told us how a 00:30:44.910-->00:30:50.582 bunch of stuff worked and helped us a lot and the BlueZ team for their very efficient German 00:30:50.582-->00:30:55.420 making fun of us which helped us to do what we needed to do uh that was really really great of 00:30:55.420-->00:31:00.358 them so Q and A will be in room the bar at the bottom of the escalators uh there are other 00:31:03.428-->00:31:09.634 people that will be taking over this place in about eight minutes and that leaves me for 00:31:09.634-->00:31:15.841 yelled out question and answers while I try to get a cool demo running so that those of you 00:31:15.841-->00:31:20.846 that prepped funny bluetooth device names don't feel like you got cheated [laughter]