David Sopas – Web Security Researcher

29/12/17 – Papers

BLE Driving 101

I’m writing this article on my path of becoming a better researcher on IoT devices.
My goal was to create a portable device that I could use to scan BLE (aka Bluetooth Low Energy) devices and improve future tasks – like pentesting IoT for clients.

Disclaimer: No harm or malicious activities have been done to any device. Don’t use this type of information to do illegal stuff.

I used bleah (props to evilsocket) to record all the BLE devices seen during a car drive. Keep in mind that BLE has a maximum range of around 100 meters in open space, but the cheap adapter I used only reached 20 to 50 meters.
So first things first, right? Modify my dongle.

I had the HUGE help of kripthor and we started by disassembling the device and identifying where the antenna was.

We removed the original antenna connection and, after a few tries, connected the external antenna of an old IP cam. Because the PCB was too small and the wires could break when plugging in the device, we used a solder wire plastic holder as a case to hold it all together, and fixed everything with a Chinese glue gun 🙂

This was the final result.

On the left you have the original dongle and on the right the mean mother f*cker dongle!

What I noticed: better range and signal. I did a couple of tests using my own wearable, and then my friend Paulo entered the scene to hold his watch in an open space. (RSSI values closer to zero mean a stronger signal.)

Original dongle
80 meter range: not detected
60 meter range: -117 dBm (sometimes not detected)
30 meter range: -84 dBm
10 meter range: -76 dBm

Mean mother f*cker dongle
100 meter range: -92 dBm
60 meter range: -84 dBm
30 meter range: -76 dBm
10 meter range: -71 dBm

Now that I have a better dongle 😀 I added it to my portable configuration:

1x CSR 4.0 bluetooth adapter
1x Raspberry Pi 2 model B with an acrylic case (running Raspbian)
1x Powerbank

Devices found

Vendors that allowed connections ✓:
53x Unknown vendors
10x Samsung Electronics Co.
4x Apple
2x Polar Electro Oy
2x Samsung Electro-mechanics(thailand)
1x Texas Instruments
1x Google
1x Huawei Technologies Co

Totalling 74 devices in a 2.4 km car drive across the city. Among the unknown vendors I saw a couple of Chinese wearables, Tiles, bike GPS units, etc.
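As an added example (not code from the original post or from bleah), here is a small Python script that turns a scan log into the kind of per-vendor inventory listed above: one entry per device, the strongest RSSI seen for it, and a count per vendor. The line format and the OUI-to-vendor table are assumptions constructed for the example; a real tool would read the IEEE OUI registry and the scanner's own output format.

```python
"""Aggregate a BLE scan log into a per-vendor device inventory.

Added example, not code from the original post or from bleah. It assumes a
simple line format (constructed here): "<MAC> <RSSI dBm> <advertised name>",
and a small OUI-to-vendor table that is also constructed for illustration.
"""
from collections import defaultdict

# Constructed OUI (first three octets) -> vendor table. The prefixes are
# placeholders for the example, not entries from the IEEE registry.
OUI_VENDORS = {
    "AA:BB:01": "Samsung Electronics Co.",
    "AA:BB:02": "Apple",
    "AA:BB:03": "Polar Electro Oy",
}

# Constructed scan log: one advertisement per line; a device that is passed
# several times shows up several times with different RSSI values.
SCAN_LOG = """\
AA:BB:01:10:20:30 -71 Galaxy Watch
AA:BB:02:11:22:33 -84 (none)
AA:BB:01:10:20:30 -76 Galaxy Watch
AA:BB:03:44:55:66 -92 Polar H10
DE:AD:BE:EF:00:01 -88 Tile
AA:BB:02:11:22:33 -80 (none)
AA:BB:01:99:88:77 -95 Galaxy Buds
"""


def parse_scan_log(text):
    """Yield (mac, rssi, name) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        mac = parts[0].upper()
        try:
            rssi = int(parts[1])
        except ValueError:
            continue
        name = parts[2] if len(parts) == 3 else ""
        yield mac, rssi, name


def vendor_for(mac):
    """Look up the vendor by the first three octets of the address."""
    return OUI_VENDORS.get(mac[:8], "Unknown vendor")


def inventory(text):
    """Return {mac: {vendor, name, best_rssi, sightings}}, one entry per device."""
    devices = {}
    for mac, rssi, name in parse_scan_log(text):
        entry = devices.setdefault(
            mac, {"vendor": vendor_for(mac), "name": name, "best_rssi": rssi, "sightings": 0}
        )
        entry["sightings"] += 1
        # The strongest (least negative) RSSI approximates the closest pass.
        entry["best_rssi"] = max(entry["best_rssi"], rssi)
    return devices


def vendor_counts(devices):
    """Count distinct devices per vendor, largest bucket first, then by name."""
    counts = defaultdict(int)
    for device in devices.values():
        counts[device["vendor"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    devs = inventory(SCAN_LOG)
    for vendor, n in vendor_counts(devs):
        print(f"{n}x {vendor}")
    for mac, d in devs.items():
        print(mac, d["vendor"], d["name"], d["best_rssi"], "dBm", d["sightings"], "sightings")
```

Two caveats when reading such an inventory: the strongest RSSI only approximates the closest pass, since the log comes from a moving car, and a BLE advertiser using a random (privacy) address carries no meaningful OUI at all, which is part of why the unknown-vendor bucket in a drive like this is so large.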

Next step is to check popular areas, e.g. running or bike race events; those would pick up lots of BLE devices.

04/12/17 – Papers

Using UART to connect to a chinese IP cam

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.


Student ID: IoTE- 766

Following my interest in going deeper into IoT, especially hardware hacking, I grabbed a Chinese IP cam (Loftek) and started checking its internals. I had already researched the web application itself and the mobile app for Checkmarx, but now I wanted something different.

My main goal was to find a serial port that I could connect to my laptop and see where it took me. I was really hoping for root access…

After identifying the components I got what I wanted: a UART header at J2 that I hoped would let me establish serial communication. In this case it was pretty easy to identify the pins because they were printed on the PCB: RX, TX, GND, VCC (5V).

I grabbed a couple of pins and soldered them to RX, TX and GND. The last one was not very well positioned because the pin holes were very close to each other.

Now the fun part: connecting to my laptop. I used 3 jumper cables and the Attify Badge.

RX – D0
TX – D1

Next step: detect the baud rate of the communication. I used Craig Heffner's python script on Kali Linux and it returned:

In the following case I used screen, but you can also use minicom, with the previously detected baud rate:

And guess what! A root shell dropped in the console.
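The baud-rate detection step above works by trying each common rate and keeping the one whose output is readable. As an added example that is not Craig Heffner's script and not part of the original post, the following Python code shows that scoring heuristic over captures assumed to have been read from the port at each candidate rate (constructed inline here; a real run would read them with pyserial).

```python
"""Score candidate UART baud rates by how readable the received bytes are.

Added example; it is not Craig Heffner's baudrate.py and not part of the
original post. It assumes the caller has already captured a short burst of
bytes at each candidate rate (constructed inline below); a real run would
read each burst with pyserial at that rate.
"""
import string

# Common UART rates a detector would step through.
CANDIDATE_RATES = (9600, 19200, 38400, 57600, 115200)

# Printable ASCII plus the whitespace a boot log contains (\r, \n, \t ...).
PRINTABLE = set(string.printable.encode())


def readability(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 if nothing was read)."""
    if not sample:
        return 0.0
    return sum(b in PRINTABLE for b in sample) / len(sample)


def pick_baudrate(captures: dict, threshold: float = 0.9):
    """Return (rate, score) of the most readable capture, or None if none passes.

    `captures` maps a baud rate to the bytes read at that rate. A mismatched
    rate produces framing errors, so the bytes decode as NULs, 0xFF/0xFE and
    other non-printable garbage; the correct rate stands out as the only one
    that is almost entirely printable text.
    """
    best = None
    for rate, sample in captures.items():
        score = readability(sample)
        if score >= threshold and (best is None or score > best[1]):
            best = (rate, score)
    return best


# Constructed captures: the sort of boot-log text seen at the right rate
# versus the garbage seen at wrong rates. The text is made up for the example.
CONSTRUCTED_CAPTURES = {
    9600: b"\xfe\x80\xe6\x00\xf8\xff\x9c\x80\xfc\x00",
    38400: b"\x00\x00\xfe\xfe\x00\x80\xfe\x00",
    115200: b"boot: loading kernel...\r\nDRAM: 32 MB\r\n",
}

if __name__ == "__main__":
    print(pick_baudrate(CONSTRUCTED_CAPTURES))
```

The threshold matters: a capture taken while the device is silent reads as empty and scores 0.0, so a detector has to keep reading (or reset the board) until something is printed at all before it can rank the rates.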

Another interesting thing I had already done in a previous research was to use this IP camera to sniff the network. What I did was to install a tcpdump binary and create a small script:

#!/bin/sh
# Put the camera's wireless interface (ra0) into monitor mode, capture for
# 30 seconds, then rejoin the original Wi-Fi network. While in monitor mode
# the camera is disconnected from the network, hence the reconnect at the end.
ifconfig ra0 down
iwconfig ra0 mode monitor
ifconfig ra0 up
# tcpdump binary copied to the camera; the capture is written to cap.cap
./tcpdump -i ra0 --monitor-mode -w cap.cap &
sleep 30
killall tcpdump
# Back to managed mode and reconnect (SSID and key as used in the post)
ifconfig ra0 down
iwconfig ra0 mode managed essid network-2g key s:myKeyto_Wifi
ifconfig ra0 up

After a while I got a few hits in Wireshark that allowed me to see people using Dropbox inside the network, along with some other services:

LLMNR/NBNS Poisoning anyone? 🙂

I hope to continue on my path in hardware hacking because it’s really fun. Also don’t forget to check my BLE article, where I wrote my notes on this “smart bluetooth” thing.
