Workshop: Blue2thprinting: identifying the form and function of the Bluetooth devices
XENO KOVAH
Abstract
At this very moment you are enveloped in the warm glowing warming glow of dozens to hundreds of Bluetooth devices. Aren’t you curious what all those little critters are?! In this workshop we’ll use the Blue2thprinting tools to poke at these apparitions and get a sense of what they are and what they want from us!
Note: this workshop will require you to run a prepared Linux VMware VM, and plug in USB Bluetooth dongles for sending and receiving packets. Come with VMware installed, and a machine you're willing to plug USB devices into.
Workshop Outline
Blue2thprinting is Bluetooth-toothprinting - the act of creating a toothprint (2thprint) to identify distinct features of a Bluetooth device. These 2thprints help us determine information such as what type of Bluetooth chip it uses, what company makes it, what model it is, etc. Over the past year I have focused on Blue2thprinting as a way to approach vulnerability assessment of Bluetooth devices. Specifically, whether they are vulnerable to the over-the-air Bluetooth chip vulnerabilities found by Veronica Kovah and presented at BlackHat USA 2020.
This workshop serves as a preview of the 1-day Blue2thprinting class being developed for OpenSecurityTraining2 (ost2.fyi) by Xeno Kovah. This brief workshop will give you a basic introduction to what the built-in Linux tools do and don't give you, and how that information is combined with and supplemented by the customized Blue2thprinting tools, and wrapped into more human-understandable formatting.
The first 20 attendees who arrive will be provided with a preconfigured Linux VM where both the collection and analysis components are already set up, and the two USB dongles necessary to demonstrate improved capture capabilities. (Attendees after 20 can get the VM but will need to look over the shoulder of someone with the hardware.) The VM will also be pre-seeded with some real Bluetooth data from past security conferences I've attended (DEF CON, Hardwear.io, RingZer0 2022, etc), that can be explored at your leisure. You'll also get a chance to try out the brand new "BTIDALPOOL" crowdsourcing infrastructure, which lets folks submit or retrieve shared Bluetooth information from a central server.
In this workshop you’ll learn about and play around with the following:
Linux Bluetooth default tools:
- hciconfig
- bluetoothctl
- btmon
Linux non-default tools:
- Wireshark
- gatttool
- sdptool
Blue2thprinting software:
- central_app_launcher2.py for coordinating active 2thprinting components
- Sniffle for sniffing BLE or sending arbitrary BT Low Energy packets
- Analysis scripts for post-processing log files and placing data into MySQL database
- TellMeEverything.py to provide a nicer interface to the data in the local or remote BTIDALPOOL database
At the end of the workshop you’ll be cordially invited to join the BlueCrew, and be introduced into the wide world of open research questions that exist in the Bluetooth space, awaiting your collaboration.
BOOTSTRAP25's Workshop rooms
Xeno and Veronica's BOOTSTRAP25 Training
All trainings come with complimentary access to our BOOTSTRAP25 event! Book a virtual or in-person trainings and get a taste of the others at BOOTSTRAP25!
Ringzer0
In-Person Training | March 18-21
Xeno Kovah
Prior to working full time on OpenSecurityTraining2, Xeno worked at Apple designing architectural support for firmware security, and code auditing firmware security implementations. A lot of what he did revolved around adding secure boot support to the main and peripheral processors (e.g. the Broadcom Bluetooth chip.) He led the efforts to bring secure boot to Macs, first with T2-based Macs, and then with the massive architectural change of Apple Silicon Macs. Once the M1 Macs shipped, he left Apple to pursue the project he felt would be most impactful: creating free deep-technical online training material and growing the newly created OpenSecurityTraining 501(c)(3) nonprofit.