Bluetooth Hacking

Published in: Technology, Business

  1. Seminar on Bluetooth Hacking [security and threats]. By: Dhanashree Waikar, Roll No – 3379. Project Guide – Prof. N. R. Talhar
  2. Overview
     - Introduction
     - Bluejack attack
     - Bluespamming
     - The Bluesnarf attack
     - The Bluebug attack
     - Helomoto
     - Crack pin code
     - Blueprinting
     - Other attacks [Trojans, Viruses, worms]
     - Security levels
     - Countermeasures
  3. Bluetooth introduction
     - Wireless networking technology
       - For short range devices
     - Speed: 2.4 GHz
     - Range is between 10 to 30 m
     - Data transfer rate is 1 Mbps
     - Bluetooth SIG
       - Founded in 1998
       - Trade association
       - Owns and licenses IP
  4. Bluejack
     - OBEX push attack
       - Object exchange protocol for exchanging data with one another (data like files, pictures, business cards, calendar entries etc.)
     - Commonly sends a ‘business card’ with a message via OBEX
     - Variants
       - Bluetoothing
       - Bluechatting
     - Modifying a remote mobile phone’s address book
     - Bluespamming
  5. BlueSnarf Attack
     - Discovered by Marcel Holtmann
       - Published in October 2003
     - BlueSnarf exploits weak OBEX implementation on mobile phones
     - OBEX pull attack
       - The attacker uses the OBEX protocol to forcibly pull sensitive data out of the victim’s mobile phone
       - Extreme vulnerability and damage possible through bluesnarfing
  6. BlueSnarf Attack continued …
     - Can steal sensitive data without the knowledge of the victim
       - Address book, photographs,
       - Music, videos, calendar,
       - IMEI no., reading/decoding SMS messages etc.
     - Adversary connects to OBEX push profile
       - No authentication, no pairing needed -> invisible connection
  7. Bluebug
     - Discovered by Martin Herfurt
       - Public field test - CeBIT 2004
     - Full access to AT command set, hence full phone control
     - Based on AT commands -> not OBEX
     - Typical use cases:
       - Call control (turning phone into bug)
       - Initiating a new call to a predefined number
  8. Helomoto
     - Bluesnarf + Bluebug
     - Requires entry in 'Device History'
     - OBEX PUSH to create entry
     - Connect RFCOMM to Hands free or Headset
       - No authentication required
       - Full AT command set access
  9. Pairing
     - When two devices first meet, they “pair”
       - Slave must have knowledge of BD_ADDR through inquiry or user input
     - Pairing information recorded, may contain authentication credentials
     - Inquiry mode no longer necessary since BD_ADDR is recorded on slave
  10. Creation of k_init
  11. Creation of k_ab
  12. Mutual authentication
  13. The Basic Attack
      - List of messages sent during pairing and authentication process
  14. The Basic Attack Structure
  15. Blueprinting
      - Used for generating statistics about manufacturers and models
        - Bluetooth device address -> format -> MM:MM:MM:XX:XX:XX
      - Whether there are devices in range that have issues with Bluetooth security
        - Used to get knowledge of different models that can be affected
      - Use service discovery protocol (SDP)
      - Attacker -> sends problem -> Bluetooth device; Bluetooth device -> sends back hash -> attacker
  16. Virus Worms and Trojans
      - Viruses do not have the capability to spread and infect devices on their own.
      - Even worms are malicious files that cause harm to the target device.
      - Trojans are malicious files that can be used for carrying out harmful activities on the target device.
  17. Security
      - A device can implement three different security modes:
        - Nonsecure: A device will not initiate any security measures, so communication takes place without authentication or encryption.
        - Service-level enforced security: Two devices can establish an ACL link in a nonsecure manner. Security procedures are initiated when an L2CAP (Logical Link Control and Adaptation Protocol) channel request is made.
        - Link-level enforced security: Security procedures are initiated when the ACL link is being established.
  18. Countermeasures
      - One should not enable Bluetooth unless it is necessary.
      - One should not accept files or business cards or any other incoming Bluetooth data from unknown people.
      - Avoid using short pairing codes.
      - Change the default name.
  19. Any Questions?
  20. Thank you
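
The Blueprinting slide notes that a Bluetooth device address has the form MM:MM:MM:XX:XX:XX, with the first three octets identifying the manufacturer. The following is an added example, not part of the original slides: it applies the same split to an organisation's own asset inventory so that devices from manufacturer prefixes named in a security advisory can be located. The function names, the inventory and the flagged prefix are constructed for illustration.

```python
import re
from collections import Counter

# BD_ADDR as on the Blueprinting slide: MM:MM:MM:XX:XX:XX (six hex octets).
# One separator style (":" or "-") must be used consistently.
_BD_ADDR = re.compile(
    r"^([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$"
)

def split_bd_addr(addr):
    """Return (manufacturer_part, device_part), or None if malformed."""
    addr = addr.strip()
    if not _BD_ADDR.match(addr):
        return None
    octets = re.split(r"[:-]", addr.upper())
    return ":".join(octets[:3]), ":".join(octets[3:])

def manufacturer_stats(inventory, flagged_prefixes):
    """Tally owned devices per manufacturer prefix.

    inventory: iterable of (asset_name, bd_addr) pairs.
    Returns (counts, flagged_assets, rejected_assets).
    """
    counts = Counter()
    flagged, rejected = [], []
    for name, addr in inventory:
        parts = split_bd_addr(addr)
        if parts is None:
            rejected.append(name)      # keep bad records visible for cleanup
            continue
        prefix, _device = parts
        counts[prefix] += 1
        if prefix in flagged_prefixes:
            flagged.append(name)
    return counts, flagged, rejected

# Constructed sample data: not real devices or real manufacturer prefixes.
INVENTORY = [
    ("front-desk-handset", "aa:bb:cc:00:00:01"),
    ("warehouse-scanner", "AA-BB-CC-00-00-02"),
    ("meeting-room-headset", "DE:AD:BE:00:00:03"),
    ("kiosk-phone", "AA:BB:CC:00:04"),       # five octets: malformed
    ("lab-phone", "AA:BB-CC:00:00:05"),      # mixed separators: malformed
]
FLAGGED_PREFIXES = {"AA:BB:CC"}              # hypothetical advisory prefix

if __name__ == "__main__":
    counts, flagged, rejected = manufacturer_stats(INVENTORY, FLAGGED_PREFIXES)
    print(dict(counts), flagged, rejected)
```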
