BLUETOOTH NETWORK SECURITY
BY S.ROHIT SAGAR
TABLE OF CONTENTS
• INTRODUCTION
• ABOUT BLUETOOTH
• BLUETOOTH NETWORKS
• BLUETOOTH ARCHITECTURE
• SECURITY ASPECTS IN BLUETOOTH
• CONNECTION ESTABLISHMENT
• USED SOFTWARE
A) FOR DISCOVERING DEVICES
B) FOR HACKING
• EFFECTIVENESS OF ATTACK
• CONCLUSION
BLUETOOTH HACKING THREATS & PREVENTIONS
INTRODUCTION
Wireless communications offer organizations and users many benefits such as
portability and flexibility, increased productivity, and lower installation costs.
Wireless local area network (WLAN) devices, for instance, allow users to move
their laptops from place to place within their offices without the need for wires and
without losing network connectivity.
Ad hoc networks, such as those enabled by Bluetooth, allow users to:
• Synchronize data with network systems and share applications
between devices.
• Eliminate cables for printer and other peripheral device connections.
Specific threats and vulnerabilities to wireless networks and handheld devices
include the following:
• All the vulnerabilities that exist in a conventional wired network apply to
wireless technologies.
• Malicious entities may gain unauthorized access to an agency's computer
network through wireless connections, bypassing any firewall protections.
ABOUT BLUETOOTH
The original architecture for Bluetooth was developed by
Ericsson Mobile Communication Co. Bluetooth was originally designed primarily
as a cable replacement protocol for wireless communications.
Among the array of devices that are anticipated are cellular phones, PDAs,
notebook computers, modems, cordless phones, pagers, laptop computers,
cameras, PC cards, fax machines, and printers.
Now the Bluetooth specification is:
• The 802.11 WLAN standards.
• Unlicensed 2.4 GHz–2.4835 GHz ISM (industrial, scientific, medical
applications) frequency band.
• Frequency-hopping spread-spectrum (FHSS) technology to solve
interference problems.
• Transmission speeds up to 1 Mbps.
Bluetooth Classes and Specifications
BLUETOOTH NETWORKS
Bluetooth devices can form three types of networks:
• Point to Point Link
• Piconet Network
• Ad-hoc or Scatternet Network
Point to Point Link
When two Bluetooth-enabled devices share information or data, that is called a
point to point link.
[Figure: Master Device, Network/Link, Slave Device]
Piconet Network
When there is a collection of devices paired with each other, it
forms a small personal area network called a 'Piconet'. A Piconet consists of a
master and at most seven active slaves.
Each Piconet has its own hopping sequence, and the master and all slaves share the
same channel.
[Figure: one Master Device and three Slave Devices]
Department of Electronics & Communication.
Ad-hoc or Scatternet Network
Two or more piconets connected to each other
by means of a device (called a 'bridge') participating in both piconets form a
Scatternet Network.
The role of the bridge is to transmit data across piconets.
Fig: Scatternet Network (Piconet 1, Piconet 2)
When a number of Bluetooth devices communicate with each other in the same vicinity,
there is a high level of interference. To combat interference, Bluetooth technology
applies a fast frequency-hopping scheme which hops over 79 channels 1600 times
per second.
For devices to communicate with each other using Bluetooth, they need to be paired
with each other to have a synchronized frequency-hopping sequence.
BLUETOOTH ARCHITECTURE
The Bluetooth core system has three parts:
• RF transceiver
• Baseband
• Protocol stack
SECURITY ASPECTS IN BLUETOOTH
The Bluetooth system provides security at two levels:
• At the link layer
• At the application layer
Link layer security
Four different entities are used for maintaining security at
the link layer: a Bluetooth device address, two secret keys, and a pseudo-random
number that shall be regenerated for each new transaction.
The four entities and their sizes are summarized in Table 1.1.
Table 1.1: Entities used in authentication and encryption procedures
Entity                                                          Size
BD_ADDR                                                         48 bits
Private user key, authentication                                128 bits
Private user key, encryption, configurable length (byte-wise)   8-128 bits
RAND                                                            128 bits
Application layer security specification
BREAKING INTO SECURITY
Bluetooth devices themselves have inherent security
vulnerabilities. For example, malicious users can use wireless microphones as
bugging devices. Although such attacks have not been documented because
Bluetooth is not yet commercially prevalent, incidents have been recorded of
successful attacks on PCs using programs such as Back Orifice and Netbus.
Attack Tools & Programs
• Hardware used: Dell XPS, Nokia N95, Nokia 6150, HP iPAQ HX2790b.
• Operating systems: Ubuntu, Backtrack, Windows Vista, Symbian OS,
Windows Mobile.
• Software used: Bluebugger, Bluediving, Bluescanner, Bluesnarfer,
BTscanner, Redfang, Blooover2, Ftp_bt.
• Roles: the Dell laptop ran Windows Vista to be broken into and for scanning, then
Linux to attempt attacks. The Pocket PC was a target, one mobile was used for
attacking and one for being attacked.
Attacking methodology
The first and last step in breaking the security of a Bluetooth
device is to set up a connection or pairing. After that, a program can be used to
access the device's data. Tools are used to find the MAC addresses of nearby devices to
attack. This generally finds devices set to discoverable, although programs exist that take
a brute-force approach and detect devices even when they are hidden. These programs also
provide other basic information such as device classes and names.
Attacking Tools or Tricks
Bluejacking
Sending an unsolicited message over Bluetooth is generally harmless
but can be considered annoying at worst. Bluejacking is generally done by sending
a vCard (electronic business card) to the phone and using the name field as the
message.
OBEX Push
A way of bypassing authentication by sending a file designed to be
automatically accepted, such as a vCard, and instead using OBEX to forward a
request for data or, in some cases, control. Used in the attacks below.
Bluesnarfing
Through it, an attacker can access data on a device via Bluetooth, such as
text messages, contact lists, calendar, emails etc. This uses the OBEX push profile
to attempt to send an OBEX GET command to retrieve known filenames such as
telecom/pb.vcf. The enhancement to this, Bluesnarf++, connects to the OBEX FTP
server to transfer the files.
Here 'snarf' is networking slang for 'unauthorized copy'.
Bluesnarfing consists of:
• Data theft
• Calendar
  ● Appointments
  ● Images
• Phone book
  ● Names, addresses, numbers
  ● PINs and other codes
  ● Images
Devices: Ericsson R520m, T39m, T68, Sony Ericsson T68i, T610, Z1010,
Nokia 6310, 6310i, 8910, 8910i
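An added example, not part of the original report: a service-side check for the Bluesnarfing request described above, refusing an OBEX GET that names a file when it arrives on an Object Push service. The function names, verdict strings and the allow/reject policy are assumptions for illustration, and the sample requests are constructed.

```python
import struct

OP_PUT, OP_GET, FINAL = 0x02, 0x03, 0x80   # OBEX opcodes; FINAL marks the last packet
HDR_NAME, HDR_TYPE = 0x01, 0x42            # OBEX Name and Type header IDs

def parse_headers(body):
    """Walk OBEX headers; the top two bits of each header ID select the encoding."""
    headers, i = {}, 0
    while i < len(body):
        hid, kind = body[i], body[i] & 0xC0
        if kind in (0x00, 0x40):            # 2-byte length prefix (covers ID + length)
            if i + 3 > len(body):
                raise ValueError("truncated header")
            (hlen,) = struct.unpack(">H", body[i + 1:i + 3])
            if hlen < 3 or i + hlen > len(body):
                raise ValueError("bad header length")
            value = body[i + 3:i + hlen]
            if kind == 0x00:                # null-terminated UTF-16BE text
                value = value.decode("utf-16-be").rstrip("\x00")
            i += hlen
        else:                               # fixed-size value: 1 byte or 4 bytes
            size = 1 if kind == 0x80 else 4
            if i + 1 + size > len(body):
                raise ValueError("truncated header")
            value = body[i + 1:i + 1 + size]
            i += 1 + size
        headers[hid] = value
    return headers

def opp_verdict(packet):
    """Classify one PUT/GET request arriving on an Object Push service."""
    if len(packet) < 3 or struct.unpack(">H", packet[1:3])[0] != len(packet):
        return "malformed"
    try:
        headers = parse_headers(packet[3:])
    except ValueError:                      # also covers UnicodeDecodeError
        return "malformed"
    op = packet[0] & ~FINAL
    if op == OP_PUT:
        return "allow"                      # a push; still needs user acceptance
    if op == OP_GET and not headers.get(HDR_NAME):
        return "allow"                      # assumed policy: default card pull, no filename
    return "reject"                         # named GET (e.g. telecom/pb.vcf) or other opcode

def build_request(opcode, name=None, type_=None):
    """Build a constructed sample request for exercising the filter."""
    body = b""
    if name is not None:
        text = (name + "\x00").encode("utf-16-be")
        body += bytes([HDR_NAME]) + struct.pack(">H", 3 + len(text)) + text
    if type_ is not None:
        mime = type_.encode("ascii") + b"\x00"
        body += bytes([HDR_TYPE]) + struct.pack(">H", 3 + len(mime)) + mime
    return bytes([opcode]) + struct.pack(">H", 3 + len(body)) + body

if __name__ == "__main__":
    for op, kw in [(0x82, {"name": "card.vcf"}), (0x83, {"type_": "text/x-vcard"}),
                   (0x83, {"name": "telecom/pb.vcf"})]:   # constructed samples
        print(hex(op), kw, "->", opp_verdict(build_request(op, **kw)))
```

A "reject" verdict corresponds to answering the request with an OBEX error response instead of returning the named object.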
Long Distance Attacking (Blue Sniper)
This trick was tested at the beginning of August 2004, in an experiment
carried out in Santa Monica, California.
The attacker had a class 1 Bluetooth device (called a 'dongle') with software. The
bugged or snarfed device was a class 2 device (Nokia 6310i) at a distance of 1.78 km
(1.01 miles).
Blueprinting
Blueprinting is fingerprinting the Bluetooth Wireless Technology interfaces of
devices. This work was started by Collin R. Mulliner and Martin Herfurt.
Relevant to all kinds of applications:
– Security auditing.
– Device statistics.
– Automated application distribution.
Attacking software
For Discovering Bluetooth Devices
BlueScanner - BlueScanner searches for Bluetooth-enabled devices. It will try
to extract as much information as possible for each newly discovered device.
BlueSniff - BlueSniff is a GUI-based utility for finding discoverable and hidden
Bluetooth-enabled devices.
BTBrowser - Bluetooth Browser is a J2ME application that can browse and
explore the technical specification of surrounding Bluetooth-enabled devices. You
can browse device information and all supported profiles and service records of
each device. BTBrowser works on phones that support JSR-82, the Java
Bluetooth specification.
BTCrawler - BTCrawler is a scanner for Windows Mobile based devices. It scans for
other devices in range and performs service queries. It implements the BlueJacking
and BlueSnarfing attacks.
Effectiveness of Attacks
Laptop
The attacks here were a resounding failure, with all devices being
attacked requiring user input to function. Bluebugging and Bluesnarfing were both
attempted several times; by trial and error the correct channels for these attacks
were found and used to successfully contact the phone, but the attacks failed to work without
authentication.
Vs Mobiles
Attacks made against the Nokia N95 and Nokia 6250 both
connected to the phone but required the user to accept to continue and thus were
considered a failure. Attacks were also made against other nearby mobiles with
either the same result or, in a single case, a successful transfer with Bluesnarfing but
no data gathered (unusual filenames were assumed).
CONCLUSION:
SECURE YOUR DEVICE
Bluetooth social engineering
Bluetooth is used by people daily, so it is possible to use social
engineering techniques to attack devices. One of the most common uses of
Bluetooth is with mobile phones, which can be an interesting part of social engineering to
examine.
Some users tend to accept incoming connections, leaving
themselves at risk of outside attack. More a lack of education than anything else
causes people not to recognize a threat when they see one and to accept incoming
connections. This is an interesting way of using social engineering to break into
devices.
Security Effectiveness
The standard security method for Bluetooth is simply to
have the device hidden or turned off, and many devices require user input for any
incoming message or connection.
This is surprisingly effective: when a device requires
authentication for even a vCard, it is difficult to find a way in without an unsecured
channel. The biggest security risk seems to be the users themselves: several attacks
succeeded simply because the users accepted the incoming connection (many
harmless audits were performed on passers-by), allowing access to their device (we
considered this a failure of the attack). No amount of security can prevent a
user opening the door, so to speak. No additional security software was found for
Bluetooth.
THANK YOU
