This document summarizes vulnerabilities in Bluetooth technology, including eavesdropping, impersonation, and cipher vulnerabilities. It describes "bluejacking", "bluesnarfing", and other attacks that exploit flaws in Bluetooth functionality and permissions. The document recommends turning off Bluetooth when not in use, setting devices to non-discoverable, using random PINs, and avoiding transmitting sensitive data over Bluetooth to help protect against these vulnerabilities and attacks.

1. Bluetooth Vulnerabilities
ECE 478 Winter 05
Victor Yee

2. Topics
• What is Bluetooth? • Eavesdropping
• History • Impersonation
• SIG
• Cipher Vulnerabilities
• Modes
• Address
• Bluejacking
• Pairing • Bluesnarfing
• Bluetooone
• Bluesniper

3. What is Bluetooth?
• Wirelessly connect to
– Wireless headsets
– Handhelds
– Personal computers
– Printers
– Mobile phones
– Digital cameras
– GPS receivers
– Digital pens
– Automobiles

4. What is Bluetooth?
• Short-range (10m-100m) wireless specification
• Operating at 2.4GHz radio spectrum
• Allows up to 7 simultaneous connections
maintained by a signal radio.
• Data transfers at least 2Mb/s

5. History
• Named from Danish King Harold Bluetooth from
the 10th century
– instrumental in uniting warring factions that is now
Norway, Sweden, and Denmark
• The logo was designed by a Scandinavian firm
in which the runic character H & B were used

6. SIG
• Bluetooth Special Interest Group
– Privately held trade associations made up of leaders
• Telecom
• Computing
• Automotive
• Industrial automation
• Network industries.
– They are marketing and advancing the development
of the technology

7. Bluetooth Protocol Stack
• L2CAP - Logical Link Control and Adaptation
Protocol
• OBEX - Generalized Multi-Transport Object
Exchange Protocol
• RFCOMM - Serial Port Emulation
• SDP - Service Discovery Protocol
• TCS - Telephony Control protocol Specification

8. Modes
• Bluetooth devices can be in different modes
– Discoverable
• Device can be found by others searching in range
– Connectable
• Respond to messages from connected devices
– Non-Discoverable
– Non-Connectable

9. Address
• Bluetooth device address (MAC)
– Unique identifier for the device for all communication
– Device Access Code (DAC) is used to address the
device
– Channel Access Code (CAC) is used to identify the
channel
– DAC & CAC
• Determined by device address
• Not encrypted

10. Address
• Unique Address
– Track and monitor behavior of user
– Logs = Violation of privacy

11. Security Modes
• Mode 1
– No Security
• Mode 2
– Application/Service
based (L2CAP)
• Mode 3
– Link-Layer
• PIN Authentication
• Address Security
• encryption

12. Security Modes
• Difference between Mode 2 and Mode 3
– Bluetooth device initiates security procedures before
the channel is established during Mode 3

13. Security Modes
• Different security Modes for devices and
services
– Devices (2 Levels)
• Trusted Device – unrestricted access to all services
• Untrusted Device
– Services (3 Levels)
• Require authorization and authentication
• Require authentication only
• Open to all devices

14. How does Pairing Work?
• Two Bluetooth devices need to pair up before
data can be exchanged.
• PIN consisting of numeric digits from 0-9 is
established
• Device sends a random number to the other
device.
• Both devices compute the initiation key based
on a function of the shared PIN, Bluetooth
device address that received the random
number, and the random number.

15. PIN
• 0000 is default
– 50% of used PINs are 0000 (Laziness)
• 4 digits
– 10,000 Possibilities

16. Verification
• Other device responds the computed
computation back to the first device
• First device compares the received value to its
computed value if they are the same
• Then the roles switch

17. Eavesdropping
• Attacker is able to listen to messages or data
exchanged between devices.
– No application layer encryption
– Middle-person attack
• Voice data between phone and headset
• Obtain credit card information (Internet
purchases)
• Exhaustively guesses all PIN up to a certain
length

18. Impersonation
• If PIN is known, Attacker is able to impersonate
– Alter email responses (Internet Access)
– Data to be printed (Printer)

19. Cipher Vulnerabilities
• 128 bit key can be broken in 2^64
• Divide-and-conquer attacks are not
possible
– Need access to key stream over long periods
– Bluetooth has high resynchronization
frequencies

20. Bluejacking
• Sending anonymous messages to another
device without approval or authorization
• Example
– Tourists admirers Swedish handicrafts in a storefront
window, cell phone chirped with an anonymous note:
quot;Try the blue sweaters. They keep you warm in the
winter.quot;
Tourist is oblivious to who the sender is.

21. Bluesnarfing
• Snarf is network slang for unauthorized copy
• Theft of Data, Calendar Information, Phonebook
Contacts, Phone’s IMEI
– Stolen IMEI can be used for cloning a phone
• Attacker establishes connection without
confirmation
• Cell phones vulnerable to privacy invasion
• Devices can be purchased on the Internet
• Attackers exploit a flaw through OBEX Protocol
using a PUSH Channel attack

22. BlueBug
• Based on AT Commands
• Gives the attacker high levels of control to mobile
phones
– Phone calls
– Text Messages (SMS)
– Phonebook entries (Reading/Writing)
– Call Forwards
• Flaw on the RFCOMM channels
– Not announced over the Service Discovery Protocol (SDP)
– RFCOMM protocol provides emulation of serial ports over the
L2CAP protocol

23. Bluetooone
• Increasing the range
by attaching a
directional antenna
• Long Range attacks
• Not limited to 100
meters distance

24. Bluesniper
• Tested at 1.1 miles in
2004

25. Other Flaws
• Battery draining denial of service attack
– Occupies channel
– Drain battery from continuous scanning

26. Protection?
• Turn off Bluetooth when not in use
• Set to Non-Discoverable
• Choose Random PIN numbers (16 Octets)
• Confidential and Sensitive information should
not be transmitted

27. Sources
• Bluetooth.com
• Bluetooth.org
• Bluetooth Protocol Stack. thewirelessdirectory.com
• Ellie, Jelly (2004). Why ‘bluejacking’? Bluejackq.com
• Jakobsson, Markus. Security Weaknesses in Bluetooth. Lucent
Technologies.
• Laurie, Adam. (2003). Bluetooth Hacking – Full Disclosure.
trifinite.org.
• Laurie, Ben (2004). Bluetooth Security Briefs. thebunker.net
• Vainio, Juha (2000). Bluetooth Security. Helsinki Univ.
• Whitehouse, Ollie (2003). War Nibbling: Bluetooth Insecurity.
@stake Research Report.