Bluetooth Vulnerabilities

Network Security Final Term Project Presentation

  1. Bluetooth Vulnerabilities
     ECE 478, Winter 05, Victor Yee
  2. Topics
     • What is Bluetooth?
     • History
     • SIG
     • Modes
     • Address
     • Pairing
     • Eavesdropping
     • Impersonation
     • Cipher Vulnerabilities
     • Bluejacking
     • Bluesnarfing
     • Bluetooone
     • Bluesniper
  3. What is Bluetooth?
     • Wirelessly connect to
       – Wireless headsets
       – Handhelds
       – Personal computers
       – Printers
       – Mobile phones
       – Digital cameras
       – GPS receivers
       – Digital pens
       – Automobiles
  4. What is Bluetooth?
     • Short-range (10m-100m) wireless specification
     • Operates in the 2.4GHz radio spectrum
     • Allows up to 7 simultaneous connections maintained by a single radio
     • Data transfers of at least 2Mb/s
  5. History
     • Named after the Danish King Harald Bluetooth from the 10th century
       – Instrumental in uniting warring factions in what is now Norway, Sweden, and Denmark
     • The logo was designed by a Scandinavian firm; it combines the runic characters for H and B
  6. SIG
     • Bluetooth Special Interest Group
       – Privately held trade association made up of leaders in
         • Telecom
         • Computing
         • Automotive
         • Industrial automation
         • Network industries
       – Markets and advances the development of the technology
  7. Bluetooth Protocol Stack
     • L2CAP - Logical Link Control and Adaptation Protocol
     • OBEX - Generalized Multi-Transport Object Exchange Protocol
     • RFCOMM - Serial Port Emulation
     • SDP - Service Discovery Protocol
     • TCS - Telephony Control protocol Specification
  8. Modes
     • Bluetooth devices can be in different modes
       – Discoverable
         • Device can be found by others searching in range
       – Connectable
         • Responds to messages from connected devices
       – Non-Discoverable
       – Non-Connectable
  9. Address
     • Bluetooth device address (MAC)
       – Unique identifier for the device for all communication
       – Device Access Code (DAC) is used to address the device
       – Channel Access Code (CAC) is used to identify the channel
       – DAC & CAC
         • Determined by the device address
         • Not encrypted
  10. Address
     • Unique Address
       – Allows tracking and monitoring of a user's behavior
       – Logs = violation of privacy
  11. Security Modes
     • Mode 1 – No security
     • Mode 2 – Application/service based (L2CAP)
     • Mode 3 – Link layer
       • PIN authentication
       • Address security
       • Encryption
  12. Security Modes
     • Difference between Mode 2 and Mode 3
       – In Mode 3 the Bluetooth device initiates security procedures before the channel is established
  13. Security Modes
     • Different security levels for devices and services
       – Devices (2 levels)
         • Trusted device – unrestricted access to all services
         • Untrusted device
       – Services (3 levels)
         • Require authorization and authentication
         • Require authentication only
         • Open to all devices
  14. How does Pairing Work?
     • Two Bluetooth devices need to pair before data can be exchanged
     • A PIN consisting of numeric digits 0-9 is established
     • One device sends a random number to the other device
     • Both devices compute the initialization key as a function of the shared PIN, the Bluetooth device address of the device that received the random number, and the random number
  15. PIN
     • 0000 is the default
       – 50% of used PINs are 0000 (laziness)
     • 4 digits
       – 10,000 possibilities
  16. Verification
     • The other device sends its computed result back to the first device
     • The first device compares the received value with its own computed value
     • If they match, the roles switch and the check is repeated in the other direction
  17. Eavesdropping
     • Attacker is able to listen to messages or data exchanged between devices
       – No application-layer encryption
       – Middle-person attack
         • Voice data between phone and headset
         • Obtain credit card information (Internet purchases)
         • Exhaustively guesses all PINs up to a certain length
  18. Impersonation
     • If the PIN is known, an attacker is able to impersonate a device
       – Alter email responses (Internet access)
       – Alter data to be printed (printer)
  19. Cipher Vulnerabilities
     • 128-bit key can be broken in 2^64
     • Divide-and-conquer attacks are not possible
       – Need access to the key stream over long periods
       – Bluetooth has a high resynchronization frequency
  20. Bluejacking
     • Sending anonymous messages to another device without approval or authorization
     • Example
       – A tourist admiring Swedish handicrafts in a storefront window; the cell phone chirped with an anonymous note: "Try the blue sweaters. They keep you warm in the winter." The tourist is oblivious to who the sender is.
  21. Bluesnarfing
     • Snarf is network slang for an unauthorized copy
     • Theft of data, calendar information, phonebook contacts, phone's IMEI
       – A stolen IMEI can be used for cloning a phone
     • Attacker establishes a connection without confirmation
     • Cell phones vulnerable to privacy invasion
     • Devices can be purchased on the Internet
     • Attackers exploit a flaw in the OBEX protocol using a PUSH channel attack
  22. BlueBug
     • Based on AT commands
     • Gives the attacker a high level of control over mobile phones
       – Phone calls
       – Text messages (SMS)
       – Phonebook entries (reading/writing)
       – Call forwards
     • Flaw on the RFCOMM channels
       – Not announced over the Service Discovery Protocol (SDP)
       – RFCOMM provides emulation of serial ports over the L2CAP protocol
  23. Bluetooone
     • Increases the range by attaching a directional antenna
     • Long-range attacks
     • Not limited to the 100 meter distance
  24. Bluesniper
     • Tested at 1.1 miles in 2004
  25. Other Flaws
     • Battery-draining denial of service attack
       – Occupies the channel
       – Drains the battery through continuous scanning
  26. Protection?
     • Turn off Bluetooth when not in use
     • Set to Non-Discoverable
     • Choose random PIN numbers (16 octets)
     • Confidential and sensitive information should not be transmitted
  27. Sources
     • Bluetooth.com
     • Bluetooth.org
     • Bluetooth Protocol Stack. thewirelessdirectory.com
     • Ellie, Jelly (2004). Why 'bluejacking'? Bluejackq.com
     • Jakobsson, Markus. Security Weaknesses in Bluetooth. Lucent Technologies.
     • Laurie, Adam (2003). Bluetooth Hacking – Full Disclosure. trifinite.org
     • Laurie, Ben (2004). Bluetooth Security Briefs. thebunker.net
     • Vainio, Juha (2000). Bluetooth Security. Helsinki Univ.
     • Whitehouse, Ollie (2003). War Nibbling: Bluetooth Insecurity. @stake Research Report.
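A toy model of the PIN-based pairing and mutual verification described on slides 14 to 16, added here as an example and not part of the original deck. The specification's E22 and E1 functions are SAFER+ based; this stand-in substitutes HMAC-SHA256 so the message flow stays visible, and the device addresses and random nonces are constructed.

```python
import hmac
import hashlib
import secrets


def init_key(pin: str, bd_addr: bytes, in_rand: bytes) -> bytes:
    """K_init = f(PIN, BD_ADDR of the device that received IN_RAND, IN_RAND).
    The spec's E22 is SAFER+ based; HMAC-SHA256 is a labelled stand-in."""
    return hmac.new(pin.encode(), bd_addr + in_rand, hashlib.sha256).digest()


def auth_response(key: bytes, claimant_addr: bytes, au_rand: bytes) -> bytes:
    """SRES = E1(K, claimant BD_ADDR, AU_RAND), truncated to 32 bits like SRES.
    Stand-in for the spec's E1 (also SAFER+ based)."""
    return hmac.new(key, claimant_addr + au_rand, hashlib.sha256).digest()[:4]


class Device:
    def __init__(self, name: str, pin: str, bd_addr: bytes = b""):
        self.name = name
        self.pin = pin
        # 48-bit BD_ADDR; constructed at random here, fixed on a real device
        self.bd_addr = bd_addr or secrets.token_bytes(6)
        self.k_init = b""


def verify(verifier: Device, claimant: Device) -> bool:
    """One direction of the challenge/response on slide 16."""
    au_rand = secrets.token_bytes(16)                                  # verifier -> claimant
    sres = auth_response(claimant.k_init, claimant.bd_addr, au_rand)  # claimant -> verifier
    expected = auth_response(verifier.k_init, claimant.bd_addr, au_rand)
    return hmac.compare_digest(sres, expected)


def pair(a: Device, b: Device) -> bool:
    """Slides 14-16: A sends IN_RAND to B, both derive K_init, then roles switch."""
    in_rand = secrets.token_bytes(16)                                  # A -> B
    a.k_init = init_key(a.pin, b.bd_addr, in_rand)                     # keyed by B's address
    b.k_init = init_key(b.pin, b.bd_addr, in_rand)
    # Only a party holding the same PIN derives the same K_init and passes both checks
    return verify(a, b) and verify(b, a)


def pin_keyspace(digits: int = 0, octets: int = 0) -> int:
    """Candidates a guesser must cover: 4 digits -> 10_000, 16 octets -> 2**128 (slides 15, 26)."""
    return 10 ** digits if digits else 256 ** octets


if __name__ == "__main__":
    print(pair(Device("phone", "1234"), Device("headset", "1234")))  # True
    print(pair(Device("phone", "1234"), Device("rogue", "0000")))    # False
    print(pin_keyspace(digits=4), pin_keyspace(octets=16))
```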
