Seminar on Bluetooth Hacking [security and threats]
By: Dhanashree Waikar, Roll No. 3379
Project Guide: Prof. N. R. Talhar

Overview
- Introduction
- Bluejack attack
- Bluespamming
- The Bluesnarf attack
- The Bluebug attack
- Helomoto
- Crack PIN code
- Blueprinting
- Other attacks [Trojans, viruses, worms]
- Security levels
- Countermeasures
Bluetooth introduction
- Wireless networking technology for short-range devices
- Operates in the 2.4 GHz band
- Range is between 10 and 30 m
- Data transfer rate is 1 Mbps
- Bluetooth SIG: founded in 1998; a trade association that owns and licenses the IP
Bluejack
- OBEX push attack
- OBEX (Object Exchange) is the protocol devices use to exchange data with one another (files, pictures, business cards, calendar entries, etc.)
- Commonly sends a 'business card' carrying a message via OBEX
- Variants: Bluetoothing, Bluechatting, modifying a remote mobile phone's address book, Bluespamming
BlueSnarf Attack
- Discovered by Marcel Holtmann; published in October 2003
- BlueSnarf exploits weak OBEX implementations on mobile phones
- OBEX pull attack: the attacker uses the OBEX protocol to forcibly pull sensitive data out of the victim's mobile phone
- Extremely vulnerable; serious damage is possible through bluesnarfing

BlueSnarf Attack (continued)
- Can steal sensitive data without the knowledge of the victim: address book, photographs, music, videos, calendar, IMEI number, reading/decoding SMS messages, etc.
- The adversary connects to the OBEX push profile
- No authentication and no pairing needed -> invisible connection
Bluebug
- Discovered by Martin Herfurt; public field test at CeBIT 2004
- Full access to the AT command set, hence full phone control
- Based on AT commands -> not OBEX
- Typical use cases: call control (turning the phone into a bug), initiating a new call to a predefined number

Helomoto
- Bluesnarf + Bluebug
- Requires an entry in 'Device History'; OBEX PUSH is used to create that entry
- Connect RFCOMM to the Hands-Free or Headset profile
- No authentication required
- Full AT command set access

Pairing
- When two devices first meet, they "pair"
- The slave must know the master's BD_ADDR, obtained through inquiry or user input
- Pairing information is recorded and may contain authentication credentials
- Inquiry mode is no longer necessary afterwards, since the BD_ADDR is recorded on the slave
Creation of k_init

Creation of k_ab

Mutual authentication

The Basic Attack: list of messages sent during the pairing and authentication process

The Basic Attack Structure
Blueprinting
- Used for generating statistics about manufacturers and models
- Bluetooth device address format: MM:MM:MM:XX:XX:XX (MM:MM:MM identifies the manufacturer)
- Reveals whether there are devices in range that have issues with Bluetooth security
- Used to learn which models can be affected
- Uses the Service Discovery Protocol (SDP)
- Exchange: the attacker sends an SDP request to the Bluetooth device; the Bluetooth device sends back a response (hash) that identifies the model to the attacker
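The defensive counterpart of the statistics step above is an inventory of what a site's own scan sees, grouped by the manufacturer prefix of each BD_ADDR. The script below is an added example, not part of the seminar: it summarises a constructed scan log (address and device name per line) against a constructed prefix table so an administrator can see which vendors are present before checking them against known-affected model lists. The prefixes, names and vendor labels are placeholders, not real IEEE OUI assignments.

```shell
#!/bin/sh
# Added example (not from the seminar): defender-side inventory of a Bluetooth
# scan log, counted by the MM:MM:MM manufacturer prefix of each BD_ADDR.
#
# Constructed inputs (so the script runs offline):
#   SCAN_LOG  - one device per line: "BD_ADDR NAME"
#   OUI_TABLE - one prefix per line: "MM:MM:MM VENDOR" (placeholder values)

SCAN_LOG='00:AA:11:12:34:56 phone-one
00:AA:11:22:33:44 phone-two
00:BB:22:0A:0B:0C headset
00:cc:33:de:ad:be laptop
00:AA:11:99:88:77 phone-three'

OUI_TABLE='00:AA:11 VendorA
00:BB:22 VendorB'

# oui ADDR -> the MM:MM:MM prefix of a BD_ADDR, upper-cased
oui() {
    printf '%s\n' "$1" | cut -d: -f1-3 | tr 'a-f' 'A-F'
}

# vendor_of PREFIX -> vendor name from OUI_TABLE, or "unknown"
vendor_of() {
    vname=$(printf '%s\n' "$OUI_TABLE" | awk -v p="$1" '$1 == p { print $2 }')
    printf '%s\n' "${vname:-unknown}"
}

# vendor_stats -> "COUNT VENDOR" lines, most common vendor first
vendor_stats() {
    printf '%s\n' "$SCAN_LOG" | while read -r addr name; do
        [ -n "$addr" ] || continue
        vendor_of "$(oui "$addr")"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# count_for VENDOR -> number of scanned devices attributed to VENDOR (0 if none)
count_for() {
    vendor_stats | awk -v v="$1" '$2 == v { print $1; found = 1 } END { if (!found) print 0 }'
}

# Print the summary when run directly
vendor_stats
```

Devices whose prefix is not in the table are reported as "unknown", which is usually the first group worth a closer look in an inventory review.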
Viruses, Worms and Trojans
- Viruses do not have the capability to spread and infect devices on their own.
- Worms are likewise malicious files that cause harm to the target device.
- Trojans are malicious files that can be used for carrying out harmful activities on the target device.

Security
A device can implement three different security modes:
- Nonsecure: the device does not initiate any security measures, so communication takes place without authentication or encryption.
- Service-level enforced security: two devices can establish an ACL link in a nonsecure manner; security procedures are initiated when an L2CAP (Logical Link Control and Adaptation Protocol) channel request is made.
- Link-level enforced security: security procedures are initiated when the ACL link is being established.
Countermeasures
- Do not enable Bluetooth unless it is necessary.
- Do not accept files, business cards or any other incoming Bluetooth data from unknown people.
- Avoid using short pairing codes.
- Change the default device name.
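Two of these countermeasures (not staying discoverable, and replacing the default name) can be enforced in configuration on a Linux host running BlueZ. The script below is an added example, not part of the seminar or of BlueZ: it writes a hardened [General] section for main.conf using real BlueZ keys (Name, DiscoverableTimeout, PairableTimeout), then audits such a file for the weak settings, so the check can be run offline. The file path, the alias "site-asset-01" and the timeout values are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the seminar): enforce "do not stay discoverable" and
# "change the default name" for a BlueZ adapter, and audit the result.
# Name, DiscoverableTimeout and PairableTimeout are real main.conf keys;
# the path, alias and timeout values below are assumptions for this example.

# write_main_conf PATH NAME -> writes a hardened [General] section to PATH
write_main_conf() {
    cat > "$1" <<EOF
[General]
# Do not advertise the vendor's default adapter name
Name = $2
# When discoverable mode is switched on, leave it after this many seconds
DiscoverableTimeout = 30
# Stop accepting new pairings after this many seconds
PairableTimeout = 60
EOF
}

# conf_value PATH KEY -> value of KEY in PATH (comments ignored, spaces trimmed)
conf_value() {
    awk -v k="$2" -F= '$0 !~ /^[ \t]*#/ {
        gsub(/[ \t]/, "", $1)
        if ($1 == k) { gsub(/^[ \t]+/, "", $2); print $2 }
    }' "$1"
}

# audit_main_conf PATH -> prints one line per weak setting; returns 1 if any
audit_main_conf() {
    weak=0
    name=$(conf_value "$1" Name)
    dt=$(conf_value "$1" DiscoverableTimeout)
    case "$name" in
        ""|BlueZ) echo "weak: adapter still uses the default name"; weak=1 ;;
    esac
    # DiscoverableTimeout = 0 (or unset) means the adapter never leaves
    # discoverable mode once it is switched on
    if [ "${dt:-0}" -eq 0 ]; then
        echo "weak: adapter stays discoverable indefinitely"; weak=1
    fi
    return $weak
}

# apply_live -> switch discoverability and pairing off right now, if the
# bluetoothctl tool is present (real bluetoothctl commands)
apply_live() {
    command -v bluetoothctl >/dev/null 2>&1 || { echo "bluetoothctl not found; config written only"; return 0; }
    bluetoothctl discoverable off
    bluetoothctl pairable off
}

# Usage (assumed path): write_main_conf /etc/bluetooth/main.conf site-asset-01
#                        && audit_main_conf /etc/bluetooth/main.conf && apply_live
```

The audit treats an absent DiscoverableTimeout the same as 0, because a missing key leaves the vendor default in force and the point of the check is to prove the setting was made deliberately.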
Any Questions?
Thank you