By Rajeev Chauhan
http://www.cysectips.blogspot.in
https://www.facebook.com/cyberoxen
http://cyberoxen.com
Bluetooth Security
Step by Step Analysis
cyberoxen
Bluetooth Security
● Pairing depends on a PIN code to establish the Bluetooth link.
● PIN cracked... aim achieved.
● Source: "Cracking the Bluetooth PIN" by Yaniv Shaked and Avishai Wool.
Bluetooth Connectivity
● Basic trivia:
– PIN: Personal Identification Number.
  ● The PIN code is 1-8 bytes long (8-128 bits).
  ● Most devices use PINs of 4 decimal digits.
– BD_ADDR: each Bluetooth device has a unique 48-bit address called the Bluetooth Device Address.
– Pairing: the process in which two (or more) Bluetooth devices hook up to create a shared secret value called K_init. K_init is used to derive the link key K_ab, which forms the basis for all future Bluetooth negotiations between these two devices.
Image ref http://www.hudo.com/joke/men-women-bluetooth-and-wi-fi/
Bluetooth Pairing and Authentication
● It involves:
– Creation of the initialisation key (K_init).
– Creation of the link key (K_ab).
– Authentication.
– Derivation of the encryption key for communication.
Creation of K_init
The K_init key is created using the E22 algorithm, whose inputs are:
● BD_ADDR.
● The PIN code and its length.
● A 128-bit random number IN_RAND (transmitted in plaintext).
● The algorithm outputs a 128-bit word, referred to as the initialization key (K_init).
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
Creation of K_ab
● The devices use the initialization key to exchange two new 128-bit random words, known as LK_RAND_A and LK_RAND_B: each device selects a random 128-bit word and sends it to the other device after bitwise XOR-ing it with K_init.
● Using the E21 algorithm, both devices then create the link key K_ab. The inputs of E21 are:
1. A BD_ADDR.
2. The 128-bit random number LK_RAND.
● Each side runs E21 on both (BD_ADDR_A, LK_RAND_A) and (BD_ADDR_B, LK_RAND_B); K_ab is the XOR of the two outputs, so both devices obtain the same link key without it ever being sent over the air.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
Mutual Authentication
● This process is based on a challenge-response scheme.
● One of the devices, the verifier, generates a random 128-bit word called AU_RAND_A and sends it in plaintext; the other one, the claimant, sends AU_RAND_B when the roles are swapped.
● The claimant calculates a 32-bit word called SRES using the algorithm E1. The inputs to E1 are:
1. The random word AU_RAND_A.
2. The link key K_ab.
3. Its own Bluetooth device address (BD_ADDR_B).
● The claimant sends the 32-bit SRES word as a reply to the verifier, who verifies the response by performing the same calculation.
● This process is done at both ends: each device challenges the other.
● As a side effect of the authentication process, a 96-bit word called ACO is calculated by both peers; it is used during the creation of the encryption key.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
Bluetooth PIN Cracking
● Messages sent during the pairing and authentication process, all of them observable by an eavesdropper:
1. IN_RAND (plaintext).
2. LK_RAND_A XOR K_init.
3. LK_RAND_B XOR K_init.
4. AU_RAND_A (plaintext).
5. SRES (the claimant's 32-bit response to message 4).
6. AU_RAND_B (plaintext).
7. SRES (the response to message 6).
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
Bluetooth PIN Cracking
● The attacker eavesdrops on the complete process and records all the messages.
● The attacker enumerates all possible values of the PIN.
● For each guess, the attacker runs E22 with inputs IN_RAND, the BD_ADDR and the guessed PIN, and obtains a hypothesis for K_init, which is used to decode messages 2 and 3.
● Messages 2 and 3 contain enough information to give the attacker a hypothesis for K_ab.
● Using the hypothesised K_ab and the transmitted AU_RAND_A (message 4), the attacker calculates SRES and compares it to the data of message 5.
● The attacker can use the values of messages 6 and 7 to re-verify the hypothesis for K_ab, until the correct PIN is found.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
Brute Force Algorithm
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
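The pairing exchange, the seven eavesdropped messages and the brute-force loop of the preceding slides, as an added example that is not part of the original deck and not Shaked and Wool's own code. It simulates both devices and the attacker in Python. The real E22, E21 and E1 are SAFER+-based; they are replaced here by truncated HMAC-SHA256 (an assumption made so the example runs stand-alone), so the block shows the structure of the attack, not its real speed. The two BD_ADDRs, the PIN and the choice of B's address as the E22 input are constructed for the example.

```python
"""Basic PIN-cracking attack (Shaked & Wool), simulated end to end.

E22/E21/E1 are stand-ins (HMAC-SHA256 truncated to the real output widths),
not the SAFER+-based originals. Message flow and brute-force logic follow
the slides.
"""
import hashlib
import hmac
import itertools
import os

# Constructed sample 48-bit BD_ADDRs, not real devices.
ADDR_A = bytes.fromhex("001122334455")   # master / pairing initiator
ADDR_B = bytes.fromhex("66778899aabb")   # slave


def _prf(key: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in keyed function: first n bytes of HMAC-SHA256."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """K_init (128 bits) from the PIN, its length, a BD_ADDR and IN_RAND."""
    return _prf(pin + bytes([len(pin)]), bd_addr, in_rand, n=16)


def E21(bd_addr: bytes, lk_rand: bytes) -> bytes:
    """One device's 128-bit contribution to the link key."""
    return _prf(lk_rand, bd_addr, n=16)


def E1(k_ab: bytes, au_rand: bytes, bd_addr: bytes):
    """Returns (SRES: 32 bits, ACO: 96 bits)."""
    out = _prf(k_ab, au_rand, bd_addr, n=16)
    return out[:4], out[4:]


def pair_and_authenticate(pin: bytes, addr_a: bytes, addr_b: bytes):
    """Pairing plus mutual authentication between A and B.

    Returns the seven messages an eavesdropper sees and the real link key
    (so the attacker's result can be checked against the truth).
    """
    in_rand = os.urandom(16)                       # msg 1: A -> B, plaintext
    # Assumption: the receiver's (B's) address feeds E22; the attacker sees both anyway.
    k_init_a = E22(pin, addr_b, in_rand)           # A's K_init
    k_init_b = E22(pin, addr_b, in_rand)           # B's K_init, same PIN so same value

    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)
    msg2 = xor(lk_rand_a, k_init_a)                # msg 2: A -> B
    msg3 = xor(lk_rand_b, k_init_b)                # msg 3: B -> A
    # Each side recovers the peer's LK_RAND and XORs the two E21 outputs.
    k_ab_a = xor(E21(addr_a, lk_rand_a), E21(addr_b, xor(msg3, k_init_a)))
    k_ab_b = xor(E21(addr_a, xor(msg2, k_init_b)), E21(addr_b, lk_rand_b))
    assert k_ab_a == k_ab_b

    au_rand_a = os.urandom(16)                     # msg 4: A (verifier) -> B, plaintext
    sres_b, _aco = E1(k_ab_b, au_rand_a, addr_b)   # msg 5: B (claimant) -> A
    au_rand_b = os.urandom(16)                     # msg 6: B -> A, roles swapped
    sres_a, _aco = E1(k_ab_a, au_rand_b, addr_a)   # msg 7: A -> B
    return [in_rand, msg2, msg3, au_rand_a, sres_b, au_rand_b, sres_a], k_ab_a


def crack_pin(msgs, addr_a: bytes, addr_b: bytes, max_digits: int = 4):
    """Brute-force the PIN from the seven recorded messages.

    Returns (pin, K_ab), or None if no decimal PIN of up to max_digits fits.
    """
    in_rand, msg2, msg3, au_rand_a, sres_b, au_rand_b, sres_a = msgs
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            guess = "".join(digits).encode()
            k_init = E22(guess, addr_b, in_rand)              # hypothesis for K_init
            lk_rand_a, lk_rand_b = xor(msg2, k_init), xor(msg3, k_init)
            k_ab = xor(E21(addr_a, lk_rand_a), E21(addr_b, lk_rand_b))  # hypothesis for K_ab
            if E1(k_ab, au_rand_a, addr_b)[0] != sres_b:     # check against msg 5
                continue
            if E1(k_ab, au_rand_b, addr_a)[0] != sres_a:     # re-verify with msgs 6 and 7
                continue
            return guess, k_ab
    return None


if __name__ == "__main__":
    recorded, real_k_ab = pair_and_authenticate(b"1234", ADDR_A, ADDR_B)
    pin, k_ab = crack_pin(recorded, ADDR_A, ADDR_B)
    print("recovered PIN:", pin.decode(), "link key matches:", k_ab == real_k_ab)
```

Two details carry over to the real attack: the guessed PIN is tried together with its length, so "07" and "7" are distinct candidates, and the two 32-bit SRES values are the only check available, which is why the search is only unambiguous for PIN spaces well below 2^64.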
Bluetooth PIN Cracking
● Only fully successful against PIN values of under 64 bits.
● If the PIN is longer, then with high probability there will be multiple PIN candidates, since the two SRES values only provide 64 bits (2 x 32 bits) of data to check a guess against.
● A 64-bit PIN is roughly equivalent to a 19 decimal digit PIN (10^19 is about 2^63).
● The Bluetooth pairing and authentication process uses three algorithms: E22, E21 and E1.
● All of these algorithms are based on the SAFER+ cipher.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
The Re-Pairing attack
● Assumptions:
– Both devices have already been paired once and the pairing process completed.
– The link key K_ab is stored in each device.
– On the next connection the devices therefore proceed directly to the authentication phase, so there are no pairing messages to eavesdrop on.
● Attack:
– Force the devices to repeat the pairing process.
– The attacker then records all the messages and cracks the PIN using the basic attack.
– Bluetooth specifications allow a Bluetooth
The Re-Pairing attack
● Three different approaches.
● First method:
– The master device sends the slave an AU_RAND message and expects an SRES message in return.
– (If the slave has forgotten the link key, it sends an "LMP_not_accepted" message in return, to let the master know.)
– The attacker injects an LMP_not_accepted message toward the master. This makes the master re-initiate the pairing.
– Restarting the pairing procedure causes the master to discard the link key.
The Re-Pairing attack
● Second method:
– Before the master device sends the slave an AU_RAND message, the attacker injects an IN_RAND message toward the slave.
– The slave device is convinced that the master has lost the link key, and pairing is restarted.
– This causes the connection establishment to restart.
The Re-Pairing attack
● Third method:
– After the master has sent the AU_RAND, the attacker injects a random SRES message toward the master.
– This causes the authentication phase to restart, and repeated attempts will be made.
– At some point, after a certain number of failed authentication attempts, the master device is expected to declare that the authentication procedure has failed and initiate pairing.
The Re-Pairing attack
● Culmination:
– This assures that the pairing process will occur during the next connection establishment, so the attacker will be able to eavesdrop on the entire process and use the basic method to crack the PIN.
– After breaking the PIN (0.06-0.3 s for a 4-digit PIN), the attacker can decode the saved messages, and continue to eavesdrop and decode the communication on the fly.
– Since Bluetooth supports a bit rate of 1 Megabit per second, the attacker only has to buffer about 0.3 s of traffic (roughly 37 KB) while the PIN is being cracked, so a 40 KB buffer is more than enough for the common case of a 4-digit PIN.
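The three re-pairing methods above, modelled as state transitions of a master and a slave that already share a link key. This is an added illustration, not part of the original deck and not real LMP code: the message names follow the slides, while the state names, the failure threshold and the sample SRES values are assumptions made for the example.

```python
"""Re-pairing attack: the three injected LMP messages from the slides,
modelled on a master/slave that already hold a link key from an earlier pairing.
State names and MAX_AUTH_FAILURES are assumptions, not spec values.
"""
import os
from dataclasses import dataclass, field
from typing import List, Optional

MAX_AUTH_FAILURES = 3   # assumed; the slides only say "a certain number of failed attempts"


@dataclass
class Master:
    link_key: Optional[bytes]      # K_ab kept from the earlier pairing
    expected_sres: bytes           # the SRES a genuine slave would return for our AU_RAND
    state: str = "CONNECTING"
    failures: int = 0
    log: List[str] = field(default_factory=list)

    def connect(self):
        """Connection establishment: pair if there is no link key, else authenticate."""
        if self.link_key is None:
            self.restart_pairing("no link key")
        else:
            self.state = "WAIT_SRES"
            self.log.append("-> AU_RAND")

    def restart_pairing(self, why: str):
        self.link_key = None       # restarting pairing discards the stored link key
        self.state = "PAIRING"
        self.log.append("pairing restarted: " + why)

    def on_lmp_not_accepted(self):
        """Method 1: the peer (really the attacker) claims it forgot the link key."""
        if self.state == "WAIT_SRES":
            self.restart_pairing("LMP_not_accepted")

    def on_sres(self, sres: bytes):
        """Method 3: a wrong SRES is retried until the failure limit is reached."""
        if self.state != "WAIT_SRES":
            return
        if sres == self.expected_sres:
            self.state = "AUTHENTICATED"
            self.log.append("SRES ok")
            return
        self.failures += 1
        self.log.append("SRES wrong (%d)" % self.failures)
        if self.failures >= MAX_AUTH_FAILURES:
            self.restart_pairing("authentication failed repeatedly")
        else:
            self.log.append("-> AU_RAND")   # master re-issues the challenge


@dataclass
class Slave:
    link_key: Optional[bytes]
    state: str = "CONNECTING"
    log: List[str] = field(default_factory=list)

    def on_in_rand(self):
        """Method 2: an IN_RAND while we hold a link key means 'the master lost it'."""
        self.link_key = None
        self.state = "PAIRING"
        self.log.append("pairing restarted: IN_RAND received")


def method_1():
    m = Master(link_key=os.urandom(16), expected_sres=b"\xde\xad\xbe\xef")
    m.connect()                    # master sends AU_RAND and waits for SRES
    m.on_lmp_not_accepted()        # attacker injects LMP_not_accepted toward the master
    return m.state, m.link_key


def method_2():
    s = Slave(link_key=os.urandom(16))
    s.on_in_rand()                 # attacker injects IN_RAND before the master's AU_RAND
    return s.state, s.link_key


def method_3():
    m = Master(link_key=os.urandom(16), expected_sres=b"\xde\xad\xbe\xef")
    m.connect()
    while m.state == "WAIT_SRES":  # attacker answers every AU_RAND with a bogus SRES
        m.on_sres(b"\x00\x00\x00\x00")   # fixed "random" guess so the run is deterministic
    return m.state, m.link_key, m.failures


if __name__ == "__main__":
    for f in (method_1, method_2, method_3):
        print(f.__name__, f())
```

In all three runs the device ends in the PAIRING state with its link key discarded, which is the precondition the basic attack needs: none of the injected messages is authenticated, so a single spoofed LMP message from the attacker is enough to throw away a key that was previously established.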
Countermeasures
● Pair (i.e. enter the PIN into the Bluetooth device) as rarely as possible: every pairing exposes the exchange the attack needs.
● Use a PIN longer than 6 digits.
● The PIN length ranges from 8 to 128 bits; devices should ask for longer bit lengths.
● Set the Bluetooth device to "non-discoverable mode / hidden mode".
● Use application level security in addition to BT authentication, i.e. a password.
Countermeasures
● Use the strongest Bluetooth security mode available on the device.
● Avoid the use of standard commercial Bluetooth headsets.
● Disable Bluetooth functionality when not in use. Use shorter range Class 2 or 3 devices.
● Make devices discoverable only when necessary.
● Pair Bluetooth devices in a secure area using long and randomly
INFORMATION SOURCES
● http://www.mysecurecyberspace.com/encyclopedia/index/pin-cracking.html
● http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
● https://www.sans.org/reading-room/whitepapers/wireless/bluetooth-inherent-security-issues-945
● http://pervasive.cs.uah.edu/PSP/BluetoothSecurity
● http://www.techradar.com/news/networking/bluetooth-jumps-to-4-1-makes-an-early-leap-for-the-internet-of-things-1204915

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 

Bluetooth Hacking: Cracking the PIN and Repairing Attack

• 1. By Rajeev Chauhan
http://www.cysectips.blogspot.in
https://www.facebook.com/cyberoxen
http://cyberoxen.com
Bluetooth Security: Step by Step Analysis
cyberoxen

• 2. Bluetooth Security
● Depends on pair codes to establish the BT communication.
● Pin cracked.......aim achieved.
● Source: Cracking the Bluetooth Pin by Yaniv Shaked and Avishai Wool.

• 3. Bluetooth Connectivity
● Basic Trivia:
– PIN: Personal Identification Number.
● The PIN code is 1-8 bytes long (8-128 bits).
● Most devices use PIN sizes of 4 decimal digits.
– BD_ADDR: Each Bluetooth device has a 48 bit unique address that is called the Bluetooth Device Address.
– Pairing: The process in which two (or more) Bluetooth devices hook up to create a shared secret value called K_init. The K_init forms the basis for all future Bluetooth negotiations between these two devices.

• 5. Bluetooth Pairing and Authentication
● It involves
– Creation of Initialisation key (K_init).
– Creation of Link Key (K_ab).
– Authentication.
– Deriving the Encryption Key for communication.

• 6. Creation of K_init
The K_init key is created using the E22 algorithm, whose inputs are:
● BD_ADDR.
● The PIN code and its length.
● A 128 bit random number IN_RAND (transmitted in plain text).
● This algorithm outputs a 128 bit word, which is referred to as the initialization key (K_init).
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

• 7. Creation of K_ab
● Using the E21 algorithm, both devices create the link key K_ab. The inputs of the E21 algorithm are:
1. A BD_ADDR.
2. The 128 bit random number LK_RAND.
● The devices use the initialization key to exchange two new 128 bit random words, known as LK_RAND_A and LK_RAND_B.
● Each device selects a random 128 bit word and sends it to the other device after bitwise x-oring it with K_init.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

• 8. Mutual Authentication
● The inputs to E1 are:
1. The random word AU_RAND_A.
2. The link key K_ab.
3. Its own Bluetooth device address (BD_ADDR_B).
● This process is based on a challenge-response scheme.
● One of the devices, the verifier, randomizes and sends (in plaintext) a 128 bit word called AU_RAND_A, and the other one, the claimant, sends AU_RAND_B.
● The claimant calculates a 32 bit word called SRES using an algorithm E1. The claimant sends the 32 bit SRES word as a reply to the verifier, who verifies (by performing the same calculations) the response word.
● This process is done at both ends.
● As a side effect of the authentication process, a 96 bit word called ACO is calculated by both peers, which is used during the creation of the encryption key.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
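The pairing and authentication flow of slides 6-8 as a runnable exchange with both sides' messages. This is an added example, not code from the slides or from Shaked and Wool: HMAC-SHA256 stands in for the SAFER+ based E22/E21/E1 (an assumption), so the message flow and the key dependencies are faithful while the bit-level functions are not; the two E21 outputs are XORed into K_ab as the Bluetooth specification does.

```python
import hashlib
import hmac
import os


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+ based E-functions (an assumption, not the spec)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def e22(bd_addr: bytes, pin: bytes, in_rand: bytes) -> bytes:
    """K_init = E22(BD_ADDR, PIN, PIN length, IN_RAND): a 128 bit word."""
    return _prf(pin, bd_addr, bytes([len(pin)]), in_rand)[:16]


def e21(bd_addr: bytes, lk_rand: bytes) -> bytes:
    """One device's contribution to the link key: E21(BD_ADDR, LK_RAND)."""
    return _prf(lk_rand, bd_addr)[:16]


def e1(k_ab: bytes, au_rand: bytes, claimant_addr: bytes):
    """E1(K_ab, AU_RAND, claimant's BD_ADDR) -> (32 bit SRES, 96 bit ACO)."""
    out = _prf(k_ab, au_rand, claimant_addr)
    return out[:4], out[4:16]


def xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair_and_authenticate(addr_a, addr_b, pin_a, pin_b, rng=os.urandom):
    """Messages 1-7 between master A and slave B, each side using its own PIN.

    Returns (transcript, state): transcript is exactly what an eavesdropper
    sees on the air; state holds each side's private values for comparison."""
    transcript = []
    # Message 1: A sends IN_RAND in plaintext; both sides derive K_init from it.
    in_rand = rng(16)
    transcript.append(("A->B", "IN_RAND", in_rand))
    k_init_a = e22(addr_a, pin_a, in_rand)
    k_init_b = e22(addr_a, pin_b, in_rand)
    # Messages 2-3: LK_RAND_A and LK_RAND_B cross the air XORed with K_init.
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    msg2, msg3 = xor16(lk_rand_a, k_init_a), xor16(lk_rand_b, k_init_b)
    transcript.append(("A->B", "LK_RAND_A xor K_init", msg2))
    transcript.append(("B->A", "LK_RAND_B xor K_init", msg3))
    # Each side unmasks the peer's word with its own K_init and forms
    # K_ab = E21(BD_ADDR_A, LK_RAND_A) xor E21(BD_ADDR_B, LK_RAND_B).
    k_ab_a = xor16(e21(addr_a, lk_rand_a), e21(addr_b, xor16(msg3, k_init_a)))
    k_ab_b = xor16(e21(addr_a, xor16(msg2, k_init_b)), e21(addr_b, lk_rand_b))
    # Messages 4-5: A (verifier) sends AU_RAND_A; B (claimant) answers with SRES.
    au_rand_a = rng(16)
    transcript.append(("A->B", "AU_RAND_A", au_rand_a))
    sres_b, _ = e1(k_ab_b, au_rand_a, addr_b)
    transcript.append(("B->A", "SRES", sres_b))
    a_accepts = hmac.compare_digest(sres_b, e1(k_ab_a, au_rand_a, addr_b)[0])
    # Messages 6-7: roles swap, B challenges A; the ACO of this last run is kept.
    au_rand_b = rng(16)
    transcript.append(("B->A", "AU_RAND_B", au_rand_b))
    sres_a, aco_a = e1(k_ab_a, au_rand_b, addr_a)
    transcript.append(("A->B", "SRES", sres_a))
    expected, aco_b = e1(k_ab_b, au_rand_b, addr_a)
    b_accepts = hmac.compare_digest(sres_a, expected)
    state = {
        "k_init": (k_init_a, k_init_b), "k_ab": (k_ab_a, k_ab_b),
        "aco": (aco_a, aco_b), "accepted": (a_accepts, b_accepts),
        # Values that must never appear verbatim on the air.
        "secrets": {pin_a, k_init_a, k_ab_a, lk_rand_a, lk_rand_b},
    }
    return transcript, state


def secrets_on_the_air(transcript, state) -> list:
    """Secret values that appear verbatim in an observed message (expect none)."""
    payloads = [payload for _, _, payload in transcript]
    return [s for s in state["secrets"] if s in payloads]
```

Everything the eavesdropper records is a function of IN_RAND, LK_RAND_A/B, AU_RAND_A/B and the PIN; since the random words are all on the air, the PIN is the only value keeping the transcript from being reproduced, which is why slide 12 ties the attack's success to PIN length. A PIN mismatch between the two sides makes both `accepted` flags false, which is what a device observes when pairing is forced to restart.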
• 9. Bluetooth PIN Cracking
● Messages sent during the pairing and authentication process!!!!!!!!
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

• 10. Bluetooth PIN Cracking
● Eavesdropped the complete process.
● Messages recorded.
● Attacker enumerates all possible values of the PIN.
● The attacker runs E22 with inputs IN_RAND, the BD_ADDR and the guessed PIN, and finds a hypothesis for K_init, to decode messages 2 and 3.
● Messages 2 and 3 contain enough information to give the attacker a hypothesis of K_ab.
● Using K_ab and the transmitted AU_RAND_A (message 4), the attacker calculates SRES and compares it to the data of message 5.
● The attacker can use the value of messages 6 and 7 to re-verify the hypothesis K_ab until the correct PIN is found.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

• 11. Brute Force Algorithm
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

• 12. Bluetooth PIN Cracking
● Only fully successful against PIN values of under 64 bits.
● If the PIN is longer, then with high probability there will be multiple PIN candidates, since the two SRES values only provide 64 bits of data.
● A 64 bit PIN is equivalent to a 19 decimal digit PIN.
● The Bluetooth pairing and authentication process uses three algorithms: E22, E21, E1.
● All of these algorithms are based on the SAFER+ cipher.
Fig ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

• 13. The Re-Pairing attack
● Assumptions:
– Both the devices are already paired once.
– Pairing process completed.
– Link Key K_ab stored in each device.
– Attacker to record all the messages and crack the PIN using the Basic attack.
– Proceed directly to the Authentication phase.
– Force the devices to repeat the pairing process.
– Bluetooth specifications allow a Bluetooth

• 14. The Re-Pairing attack
● Three different approaches.
● First Method:
– The master device sends the slave an AU_RAND message, and expects the SRES message in return.
– (The slave sends an "LMP_not_accepted" message in return, to let the master know it has forgotten the link key.)
– The attacker injects an LMP_not_accepted message toward the master. This will make the master re-initiate the pairing.
– Restarting the pairing procedure causes the master to discard the link key.

• 15. The Re-Pairing attack
● Second Method:
– Before the master device sends the slave an AU_RAND message, the attacker injects an IN_RAND message toward the slave.
– The slave device will be convinced the master has lost the link key and pairing is restarted.
– This will cause the connection establishment to restart.

• 16. The Re-Pairing attack
● Third Method:
– After the master has sent the AU_RAND, an attacker injects a random SRES message toward the master.
– This causes the Authentication phase to restart, and repeated attempts will be made.
– At some point, after a certain number of failed authentication attempts, the master device is expected to declare that the authentication procedure has failed and initiate pairing.

• 17. The Re-Pairing attack
● Culmination:
– This assures the pairing process will occur during the next connection establishment, so the attacker will be able to eavesdrop on the entire process, and use the basic method to crack the PIN.
– After breaking the PIN (0.06-0.3 sec for a 4 digit PIN), the attacker can decode the saved messages, and continue to eavesdrop and decode the communication on the fly.
– Since Bluetooth supports a bit rate of 1 Megabit per second, a 40KB buffer is more than enough for the common case of a 4 digit PIN.
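A defender-side monitor for the three re-pairing triggers of slides 14-16: a peer answering our AU_RAND with LMP_not_accepted although we still hold its link key, an IN_RAND arriving from an already-paired peer, and a run of failed SRES replies. This is an added example, not the slide authors' code; the event line format, the trace and the failure threshold are constructed assumptions, not a real HCI or LMP log format.

```python
import re
from collections import defaultdict

# Assumed line format (constructed for this example, not a real HCI/LMP log):
# "<time> peer=<BD_ADDR> <rx|tx> <LMP opcode> [<arg>]", seen from our device.
LINE = re.compile(
    r"^(?P<t>\d+) peer=(?P<peer>[0-9A-F:]{17}) (?P<dir>rx|tx) (?P<op>\S+)(?: (?P<arg>\S+))?$"
)

# Constructed trace: one honest authentication, then one instance of each
# re-pairing trigger from the slides. "ok"/"bad" is our own SRES verification.
TRACE = """\
100 peer=00:11:22:33:44:55 tx LMP_au_rand
101 peer=00:11:22:33:44:55 rx LMP_sres ok
200 peer=00:11:22:33:44:55 tx LMP_au_rand
201 peer=00:11:22:33:44:55 rx LMP_not_accepted
300 peer=66:77:88:99:AA:BB rx LMP_in_rand
400 peer=CC:DD:EE:FF:00:11 tx LMP_au_rand
401 peer=CC:DD:EE:FF:00:11 rx LMP_sres bad
402 peer=CC:DD:EE:FF:00:11 tx LMP_au_rand
403 peer=CC:DD:EE:FF:00:11 rx LMP_sres bad
404 peer=CC:DD:EE:FF:00:11 tx LMP_au_rand
405 peer=CC:DD:EE:FF:00:11 rx LMP_sres bad
"""


def parse(trace: str):
    """Yield parsed events; malformed lines are skipped, never trusted."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def detect(trace: str, stored_link_keys: set, max_sres_failures: int = 3):
    """Return (time, peer, rule) alerts for the three re-pairing triggers.

    stored_link_keys: BD_ADDRs we already hold a link key K_ab for."""
    alerts = []
    failures = defaultdict(int)      # consecutive bad SRES replies per peer
    awaiting_sres = set()            # peers we have challenged with AU_RAND
    for ev in parse(trace):
        t, peer, op, rx = int(ev["t"]), ev["peer"], ev["op"], ev["dir"] == "rx"
        if op == "LMP_au_rand" and not rx:
            awaiting_sres.add(peer)
        elif op == "LMP_not_accepted" and rx and peer in awaiting_sres:
            awaiting_sres.discard(peer)
            if peer in stored_link_keys:          # first method on the slides
                alerts.append((t, peer, "peer-claims-lost-link-key"))
        elif op == "LMP_in_rand" and rx and peer in stored_link_keys:
            alerts.append((t, peer, "unexpected-pairing-restart"))  # second method
        elif op == "LMP_sres" and rx:
            awaiting_sres.discard(peer)
            if ev["arg"] == "ok":
                failures[peer] = 0
            else:
                failures[peer] += 1
                if failures[peer] >= max_sres_failures:   # third method
                    alerts.append((t, peer, "sres-failure-storm"))
                    failures[peer] = 0
    return alerts


def peers_requiring_confirmation(alerts) -> set:
    """Peers whose stored link key must not be discarded without user approval."""
    return {peer for _, peer, _ in alerts}
```

Each alert marks the moment at which the slides' attack needs the device to silently drop its link key and re-pair; holding that step for explicit user confirmation denies the attacker the fresh pairing transcript the basic attack depends on.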
• 18. Countermeasures
● Refrain from entering the PIN into the Bluetooth device for pairing as much as possible.
● Use a PIN longer than 6 digits.
● The PIN length ranges from 8 to 128 bits. Should ask for longer bit lengths.
● Set the Bluetooth device in "non-discoverable mode/hidden mode".
● Application level security in addition to BT authentication, i.e. a password.

• 19. Countermeasures
● Use the strongest Bluetooth security mode available on the device.
● Avoid use of standard commercial Bluetooth headsets.
● Disable Bluetooth functionality when not in use. Use shorter range Class 2 or 3 devices.
● Make devices discoverable only when necessary.
● Pair Bluetooth devices in a secure area using long and randomly

• 20. INFORMATION SOURCES
● http://www.mysecurecyberspace.com/encyclopedia/index/pin-cracking.html
● http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
● https://www.sans.org/reading-room/whitepapers/wireless/bluetooth-inherent-security-issues-945
● http://pervasive.cs.uah.edu/PSP/BluetoothSecurity
● http://www.techradar.com/news/networking/bluetooth-jumps-to-4-1-makes-an-early-leap-for-the-internet-of-things-1204915