Untitled Deck

Question 1

What is fuzzing?

Answer 1

Fuzzing is the process of feeding an implementation with large amounts of unexpected, malformed or random input to identify parsing bugs, crashes or logic flaws.

Question 2

In Wi-Fi fuzzing, what is typically used as input instead of a string in a file?

Answer 2

In Wi-Fi the input isn’t a string in a file, it’s mostly 802.11 frames, including the management frames, control frames and data frames.

Question 3

What are typical targets of 802.11 fuzzing?

Answer 3

Targets of 802.11 fuzzing are wireless drivers, AP firmware, and wireless supplicants.

Question 4

What is the goal of fuzzing 802.11 implementations?

Answer 4

The goal of fuzzing is to find conditions where the implementation causes crashes, reboots, enters a denial of service state, or misparses frames.

Question 5

How does an attacker practically carry out 802.11 fuzzing?

Answer 5

An attacker will generate malformed 802.11 frames and transmit them over the air toward the target.

Question 6

Name some 802.11 fields that can be fuzzed.

Answer 6

Fields that can be fuzzed include the SSID IE, RSN, IE lengths and more.

Question 7

What is Bluetooth described as in the document?

Answer 7

Bluetooth is a short-range wireless technology which comes in two main flavours.

Question 8

What are the two main flavours of Bluetooth?

Answer 8

The two main flavours of Bluetooth are Bluetooth Classic (BR/EDR) and Bluetooth Low Energy (BLE).

Question 9

What is Bluetooth Classic (BR/EDR) mainly used for?

Answer 9

Bluetooth Classic (BR/EDR) is higher throughput, used for audio such as headsets and speakers, HID and similar uses.

Question 10

What is Bluetooth Low Energy (BLE) mainly used for?

Answer 10

Bluetooth Low Energy (BLE) is optimised for low power and is used by wearables, beacons and IoT.

Question 11

What is Classic pairing authentication vulnerable to?

Answer 11

Classic pairing authentication is vulnerable to an offline PIN attack, where an attacker is able to eavesdrop on the initial pairing exchange to capture the plaintext inputs which can be used to guess the PIN.

Question 12

What is said about Bluetooth authentication during initial pairing?

Answer 12

Bluetooth authentication is weak during initial pairing.

Question 13

What can be done regarding non-discoverable Bluetooth devices?

Answer 13

It is possible to identify non-discoverable devices.

Question 14

What is BTCrack?

Answer 14

BTCrack is a Bluetooth PIN cracking tool written for Windows that accepts the input algorithm values in the GUI.

Question 15

What is one recommendation if Bluetooth is unnecessary?

Answer 15

If Bluetooth is not needed, disable the feature and do not rely on marking devices as not-discoverable.

Question 16

Why make Bluetooth devices non-discoverable?

Answer 16

While not a foolproof security mechanism, making a Bluetooth device non-discoverable can significantly help in securing Bluetooth.

Question 17

What should be done with unneeded Bluetooth profiles?

Answer 17

Unneeded Bluetooth profiles should be disabled.

Question 18

How can software maintenance help against Bluetooth attacks?

Answer 18

Maintaining software versions whenever possible helps to mitigate known threats.

Question 19

In what types of devices does BLE have wide-ranging adoption?

Answer 19

BLE has a wide-ranging adoption, from medical devices, fitness trackers, physical security systems and others.

Question 20

Why can Classic Bluetooth be too costly to implement in some devices?

Answer 20

Classic Bluetooth can be too costly to implement due to a complex stack and massive power draw.

Question 21

What kinds of devices are best suited for BLE?

Answer 21

Devices where BLE excels are often low power and short on RAM.

Question 22

What was a key design goal in BLE regarding power and data transfers?

Answer 22

A key design goal in BLE was low-power support for modest data transfers over five years with a single coin battery.

Question 23

How does BLE support its low-power design goal?

Answer 23

BLE uses very aggressive power conservation in order to support its design goal of modest data transfers over five years with a single coin battery.

Question 24

Why does BLE see strong adoption compared to some other protocols?

Answer 24

BLE sees adoption due to more brand recognition; other protocols that offer short, bursty data transfers such as ZigBee and Near-Field Communication do not have the same adoption.

Question 25

How does BLE compare in implementation cost to ZigBee?

Answer 25

BLE costs about $1 to implement per radio endpoint, while ZigBee was intended to be inexpensive at $5 per radio implementation, and BLE undercut this.

Question 26

What is one way BLE changes security related to devices in the environment?

Answer 26

It is easy to find advertising devices, and once found it is easy to follow conversation and traffic capture to PIN bruteforce.

Question 27

What is said about BLE channel hopping from a security perspective?

Answer 27

BLE channel hopping is easy to discover.

Question 28

How does BLE advertising behaviour help an attacker follow a conversation?

Answer 28

BLE advertises on only three channels; if traffic is observed there, one can guess the next channel and then follow the entire conversation and obtain information to get PINs for paired devices by bruteforce.

Question 29

What is noted about many BLE profiles compared to Classic Mode 1 profiles?

Answer 29

Many profiles may appear to be similar to Classic’s Mode 1 profiles, requiring no authentication or encryption to exchange data.

Question 30

What is generally required to test, inspect and audit BLE data in transit?

Answer 30

Methods to test, inspect and audit Bluetooth Low Energy data in transit require hardware and software to interact at multiple layers of the stack.

Question 31

What is the Ellisys Bluetooth Explorer?

Answer 31

Ellisys Bluetooth Explorer is a multi-purpose, wide-band SDR used for the 2.4 GHz RF including Bluetooth Classic/EDR, BLE, Wi-Fi and others.

Question 32

What software does Ellisys produce for use with the Bluetooth Explorer, and what can it do?

Answer 32

Ellisys produces its own software, SmartRF, for use with the Bluetooth Explorer, and SmartRF is capable of recovering BLE artifacts and includes sniffing HCI layer interaction, capturing data and performing traffic analysis.

Question 33

Approximately how much does the Ellisys Bluetooth Explorer solution cost?

Answer 33

The Ellisys Bluetooth Explorer and software solution costs $30,000.

Question 34

What is the NRF 51822 used for in the context of BLE?

Answer 34

The NRF 51822 was developed into a USB dongle for use as a BLE development platform and a sniffer for troubleshooting.

Question 35

What does HCI snooping observe?

Answer 35

HCI snooping observes HCI layer commands to and from BLE devices.

Question 36

How is HCI snooping defined in the document?

Answer 36

HCI snooping is the process of recording the commands that are sent to and from the local HCI layer, destined for and received from the Bluetooth adapter.

Question 37

Why is HCI snooping not considered promiscuous?

Answer 37

Because HCI snooping uses only a local sniffer, it does not follow other devices nor act in promiscuous mode.

Question 38

Which platforms are noted as supporting HCI snooping?

Answer 38

HCI snooping supports both Android and Linux.

Question 39

What tool can be used for HCI snooping on Linux?

Answer 39

HCI snooping can be performed on Linux with btmon.

Question 40

What is Ubertooth One?

Answer 40

Ubertooth One is a custom built Bluetooth adapter designed to break the HCI layer abstraction present with standard Bluetooth adapters.

Question 41

What capabilities does Ubertooth One provide for BLE traffic?

Answer 41

Ubertooth One allows for sniffing BLE traffic and BLE traffic injection and interacting with BLE devices with custom applications.

Question 42

What does hcitool allow an assessor to do?

Answer 42

hcitool allows scanning for advertising devices and the associated device friendly name.

Question 43

What does gatttool allow an assessor to do?

Answer 43

gatttool can be used to interact with the profiles and attach to a specific device to connect to.

Question 44

Why is Classic Bluetooth PIN or passcode cracking considered daunting?

Answer 44

With Classic Bluetooth, capturing the pairing exchange and gathering enough data to crack PINs is fairly daunting, and you need to determine the hopping pattern and other details.

Question 45

How does BLE PIN cracking compare to Classic Bluetooth PIN cracking?

Answer 45

With BLE PIN cracking, these challenges are quite easy to overcome.

Question 46

What makes BLE PIN cracking become quite trivial according to the document?

Answer 46

BLE PIN cracking becomes quite trivial with constant advertisements announcing presence on one of three channels and an easily observable next hop with 11 possible guesses.

Question 47

How can Ubertooth One assist in BLE PIN or passcode cracking?

Answer 47

Ubertooth One can discover advertising BLE devices, follow their channel hopping and recover the exchange, saving the data, and if we are lucky we might capture pairing or bonding exchanges that we can use to bruteforce.

Question 48

What is BLE fuzzing?

Answer 48

BLE fuzzing refers to using automated tools to send broken BLE messages to a device to uncover implementation bugs and security vulnerabilities.

Question 49

What is a BLE replay attack in general terms?

Answer 49

A BLE replay attack is where, if one could capture and replay a single BLE command that performed an action against a device, one could perform the same command repeatedly.

Question 50

What is the effect of a BLE replay attack on a device?

Answer 50

A BLE replay would effectively cause the device to perform the same potentially kinetic action at every replay.

Question 51

Give an example of a BLE replay attack from the document.

Answer 51

One example given is the capture and replay of an unlock command for a door lock; multiple replays could keep the door unlocked, even after the transmission of a lock command.

Question 52

What popular tool is mentioned as an example use case for BLE replay?

Answer 52

A popular use case of the Flipper Zero is mentioned as an example of BLE replay.

Question 53

What does BLE MITM allow an attacker to do?

Answer 53

BLE MITM allows for the modification of requests in transit, although it has a high barrier to entry.

Question 54

What is required to perform a BLE MITM attack as described in the document?

Answer 54

If a connection from the client device (victim) to a master can be proxied, an attacker can modify values in transit.

Question 55

What tool is named as being used for BLE MITM?

Answer 55

BTLEjuice is named as the tool used for BLE MITM.

Question 56

How is an SDR defined in the context of Practical SDR Attacks?

Answer 56

An SDR, or Software Defined Radio, is a radio where most of the radio processing is done in software instead of fixed hardware.

Question 57

What does SDR allow developers to do instead of building modulation mechanisms in hardware?

Answer 57

Instead of developing modulation mechanisms in hardware, developers can write software to process and interpret signals received from the RF spectrum.

Question 58

What assumption does SDR technology avoid making about user intent?

Answer 58

SDR technology does not make any assumptions as to how the user wishes to interpret the spectrum for receive or transmit paths.