This document summarizes a presentation about Bluetooth security mechanisms. It discusses Bluetooth technology standards and features, security mechanisms like frequency hopping and encryption, weaknesses like easy scanning and weak PINs, known attacks like Bluejacking and bluesnarfing, and recommendations to improve security like using a strong PIN and turning off Bluetooth when not in use. The presentation provides an overview of Bluetooth security risks and best practices.

1. Bluetooth Security
Mechanisms
Hochschule der Medien
Computer Science and Media
Mobile Security
Marvin Hoffmann (B.Sc.)
contact@marvin-hoffmann.de 18. April 2011

2. Fun-Facts
1. Bluetooth is anglicised for „Blåtand“
- danish king who was well known for his
communication skills
2. Bluetooth logo is a bind rune merging
Hagall and Bjarkan runes, the initials of
„Harald Blauzahn“

3. Agenda
1. Bluetooth Technology and Standards
2. Security Mechanisms
3. Weaknesses
• exloitation and protection
4. Known Attacks
5. Conclusion

4. 1. Bluetooth Technology
• developed by Ericsson in 1994
• since 1998 managed by „Bluetooth Special Interest
Group“ (over 14.000 companies)
• v1.0a July 1999 // v1.1 in early 2001
• current Version 4.0 (since December 2009)
• fully backward compatible to v1.1
4

5. 1. Bluetooth Technology
• uses 2.5 GHz ISM band (Industrial, Scientific,
Medical) - licence-free worldwide
• frequence spectrum 2402-2480 MHz
- divided into 79 channels, 1 MHz each
• channel changes 1600 times per second
- leads to 625 µs timeslots
- determine hopping sequence on connection
5

6. 1. Bluetooth Technology
• Two types of networks
• Piconet
M S
- 1 master, up to 255 slaves
(max. 8 active devices at a time, incl. master) S
• Scatternet
- consists of two or more Piconets M S
P
S
P
S
M
6

7. 1. Bluetooth Technology
• 3 classes with different permitted power and range
• minimum distance 10cm
permitted power range *
(mW) (m)
not
recommended
Class 1 100 100
recommended Class 2 2.5 10
recommended Class 3 1 1
* ranges under best conditions
7

8. 1. Bluetooth Technology
• evolution of data rates and features
v1.1 v1.2 v2.0 v3.0 v4.0
(02.2001) (11.2003) (11.2004) (04.2009) (12.2009)
up to 24 still 2,1 / 24
data-rate 732,2 KBit/s 1 MBit/s 2,1 MBit/s MBit/s MBit/s
(peer-to-peer)
Adaptive
Received Signal high speed
Frequency- Enhanced Data Bluetooth low
new features Strength
Hopping spread Rate (EDR)
channel on
energy protocol
Indication WLAN basis
spectrum (AFH)
8

9. 1. Bluetooth Technology
• the 4 different states when setting up a connection
Inquiry Page
Standby Connected
9

10. 1. Bluetooth Technology
• Inquiry
- master sending on different frequences (changing all 3.12µs)
- slave scanning on different frequences (changing all 1.28µs)
- synchronisation of channelhops
- switching to „Page“-mode
• Page Inquiry Page
- calculating hopping-sequence
including unique hardware-ID
of the master device
Standby Connected
- switching to „Connected“-mode
10

11. 1. Bluetooth Technology
• Connected
- synchronous frequency-hopping
- using pattern settled in page mode
• Standby
- no communication
Inquiry Page
- energy saving
Standby Connected
11

12. 1. Bluetooth Technology
• pairing process
random number
M S
acknowledgement
M S
random number + PIN +
M masters Bluetooth address S
(simplified)
XOR combination
M and verification S
:) / :(
M session key S
12

13. 2. Security Mechanisms
• frequence hopping
- master and slaves within a Piconet know
the hopping-sequence
- attacker does not
• limited range
- class 2 or class 3 should be used (class 2 most common)
- turn off when in public or connection not required
13

14. 2. Security Mechanisms
• optional pre-shared key authentication and
encryption algorithms
• strength of security relies primarily on length and
randomness of the passkey used for pairing
• discoverability and connectability
- control whether remote Bluetooth devices are able to
find and connect to a local Bluetooth device
• optional user authorization for incoming
14

15. 3. Weaknesses
• hidden phones can be scanned
• PIN authentication is weak (BF attack possible when
PIN too simple)
- save pin -> no PIN authentication required again
- PIN should be more then 8 characters
(16 characters possible / 128bit)
- be careful when reauthentication requested
• fix and often weak PINs in devices without keyboard
15

16. 3. Weaknesses
„According to the Bluetooth specification, PINs can be
8-128 bits long. Unfortunately, most manufacturers have
standardized on a four decimal-digit PIN. This attack can
crack that 4-digit PIN in less than 0.3 sec on an old
Pentium III 450MHz computer, and in 0.06 sec on a
Pentium IV 3Ghz HT computer.“
Bruce Schneier (June 2005)
16

17. 3. Weaknesses
• unit keys: one shared key with all trusted units
- trusted units can impersonate the unit distributing the key
- no protection against trusted units
• not all attacks need to know frequence-sequence
• scanner that listens on all 79 channels can spy
hopping-sequence
17

18. 3. Weaknesses
• 3 security modes
- mode 1: no encryption : (
- mode 2: activated by application - therefore possibly off : (
- mode 3: always on : )
18

19. 4. Known Attacks
• BlueJacking
- sending vCard contact, containing a message as name
• BlueSnarfing
- allows access to calendar, contact list, emails and text-
messages
- patched in newer Bluetooth standards
• BlueBug
- calls, SMS, phonebook, forward calls, www, use provider, ...
19

20. 4. Known Attacks
• CommWarrior
- presented by Jörg last week
• Location Tracking
- can be used for advertising combined with Bluejacking
• DOS attack
- e.g. stop device to switch in energy-saving standby mode
20

21. 5. Conclusion
• most dangerous in crowded, public places due to
limited range of class 2 devices
• hiding the phone does not protect completely, but
increases effort dramatically
• relatively secure technology
- depends highly on implementation of manufacturer
(chosen class, security mode, build in PIN, etc.)
21

22. 5. Recommendations
• pairing process at secure place
• choose strong PIN
• turn off completely when not in use
• at least hide your phone
22

23. Questions?
Discussion!

24. Sources
• Hochschule der Medien Stuttgart
Mathias Leidecker und Alexander Ultsch: Bluetooth Sicherheitsanalyse
• HU Berlin - Dipl.-Inf. J. Richling: Drahtlose Kommunikation (Teil 2)
http://www2.informatik.hu-berlin.de/~richling/emes2003/10-wireless.pdf
• Systems and Network Analysis Center / Information Assurance Directorate:
Bluetooth Security
• Offical Bluetooth Technology Web Site
http://www.bluetooth.com/
• Wikipedia
http://de.wikipedia.org/wiki/Bluetooth
http://en.wikipedia.org/wiki/Bluetooth
• Bruce Schneier: Schneier.com
http://www.schneier.com/blog/archives/2005/06/attack_on_the_b_1.html

25. Sources
• Internet-Sicherheit.de
http://www.internet-sicherheit.de/service/glossar/eintrag/eintrag-detail/bluetooth-pairing/
• Shmoo.com: Bluesniff - The next wardriving frontier
http://bluesniff.shmoo.com/
http://www.shmoo.com/~gdead/dc-11-brucepotter.ppt
• PC Games Hardware (Bluetooth Logo)
http://www.pcgameshardware.de/screenshots/original/2009/04/Bluetooth_LOGO.gif