Bluetooth Security Issues, Threats and Consequences
BLUETOOTH
INTRODUCTION
♦ Wire replacement technology
♦ Low power
♦ Short range 10m - 100m
♦ 2.4 GHz
♦ 1 Mb/s data rate
What Is Bluetooth?
♦ A unique new wireless technology specifically for:
♦ Short range: 10 - 100 meters typically
♦ Modest performance (780 Kbps)
♦ Dynamically configurable ad hoc networking / roaming
♦ Low power: well suited to handheld applications
♦ Support for both voice and data
Bluetooth - What is the Technology?
♦ Uses 2.4 GHz unlicensed ISM band
♦ Frequency hopping spread spectrum radio for
higher interference immunity.
♦ Supports point to point and point to multipoint
connection with single radio link.
♦ Designed to provide low cost, robust, efficient,
high capacity voice and data networking.
♦ Uses a combination of circuit and packet
switching.
Why Bluetooth?
♦ Simple to install and expand
♦ Need not be in line of sight
♦ Low cost
♦ Perfect for file transfer and printing applications
♦ Simultaneous handling of data and voice on
the same channel
Applications of Bluetooth
♦ PC and Peripheral networking
♦ Hidden Computing
♦ Data synchronization for Address book and
calendars
♦ Cellphone acting as a modem for PDA or Laptop
♦ Personal Area Networking (PAN)
– Enabling a collection of YOUR personal
devices to cooperatively work together
Bluetooth in the Home - No Wires
[Figure: home devices linked without wires: xDSL access point, PDA, cell phone, cordless phone base station, inkjet printer, scanner, home audio system, computer, digital camera, MP3 player]
And On the Road
[Figure: hotel phone & access point, car audio system, pay phone & access point, headset, MP3 player, PDA, cell phone, laptop]
BLUETOOTH NETWORKS
♦ PICONET
♦ SCATTERNET
BLUETOOTH PICONET
♦ Bluetooth devices create a piconet
♦ One master per piconet
♦ Up to seven active slaves
♦ Over 200 passive members are possible
♦ Master sets the hopping sequence
♦ Transfer rates of 721 Kbit/sec
♦ Bluetooth 1.2 and EDR (aka 2.0)
– Adaptive Frequency Hopping
– Transfer rates up to 2.1 Mbit/sec
BLUETOOTH SCATTERNET
♦ Connected piconets create a scatternet
♦ Master in one and slave in another piconet
♦ Slave in two different piconets
♦ Only master in one piconet
♦ Scatternet support is optional
[Figure: scatternet diagram of devices A to Q]
Inquiry (Discovering Who’s Out There)
[Figure: inquiry diagram of devices A to Q]
Note that a device can be “Undiscoverable”
Paging (Creating a Piconet)
[Figure: paging diagram, devices A and B forming a piconet among devices C to Q; range marked as 10 meters]
Parking
[Figure: parking diagram of devices A to Q; range marked as 10 meters]
SECURITY ISSUES AND
ATTACKS UNVEILED
AGENDA
♦ Issues and Origin
♦ Threat Sources
♦ Risks
♦ Demonstration
A COMMON
MISCONCEPTION
♦ No practical Bluetooth vulnerabilities
♦ The core Bluetooth protocol has maintained its integrity
♦ A correctly implemented Bluetooth stack should have no vulnerabilities
MYTHS DEBUNKED
♦ Bluetooth needs pairing
♦ Short range (1.7 miles achieved)
♦ Only mobile devices affected
♦ Non-discoverable saves me
♦ Secure because encryption is used
SECURITY MODES
♦ Security mode 1
– No active security enforcement
♦ Security mode 2
– Service level security
– On device level no difference to mode 1
♦ Security mode 3
– Device level security
– Enforces security for every low-level connection
Who is Vulnerable
♦ Both individuals and corporations
♦ Owners of various popular phones: Nokia 6310, Ericsson T series
♦ PC owners, laptop users and other Pocket PC owners
♦ Symbian device owners
♦ Embedded devices, Bluetooth heating systems, etc.
What is Possible?
♦ Theft of information, personal or corporate
♦ Device DoS
♦ Remote code execution
♦ Corporate espionage
♦ Airborne viruses or worms
ATTACKS IDENTIFIED
♦ June 2003: Ollie Whitehouse releases RedFang
♦ Pentest Ltd release btscanner
♦ Nov 2003: BLUEJACKING comes into the open
♦ Jan 2004: BLUESNARFING unveiled
VARIOUS ATTACKS
♦ The BlueSnarf Attack
♦ The HeloMoto Attack
♦ The BlueBug Attack
♦ Bluetooone
♦ Blueprinting
BLUESNARFING
♦ Trivial OBEX PUSH channel attack
– obexapp (FreeBSD)
– PULL known objects instead of PUSH
– No authentication
● Infrared Data Association
– IrMC (Specifications for Ir Mobile Communications)
● e.g. telecom/pb.vcf
● Ericsson R520m, T39m, T68
● Sony Ericsson T68i, T610, Z1010
● Nokia 6310, 6310i, 8910, 8910i
HELOMOTO
♦ Requires entry in 'Device History'
♦ OBEX PUSH to create entry
♦ Connect RFCOMM to Handsfree or Headset
♦ No Authentication required
♦ Full AT command set access
♦ Motorola V80, V5xx, V6xx and E398
BLUEBUGGING
♦ BlueBug is based on AT commands (ASCII Terminal)
– Very common for the configuration and control of telecommunications devices
– High level of control...
● Call control (turning phone into a bug)
● Sending/Reading/Deleting SMS
● Reading/Writing Phonebook Entries
● Setting Forwards
BLUETOONE
♦ Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack
BLUEPRINTING
♦ Blueprinting is fingerprinting the Bluetooth Wireless Technology interfaces of devices
♦ Relevant to all kinds of applications:
– Security auditing
– Device statistics
– Automated application distribution
♦ Released paper and tool at 21C3 in December 2004 in Berlin
BLUESMACK
♦ Using L2CAP echo feature
♦ Signal channel request/response
♦ L2CAP signal MTU is unknown
♦ No open L2CAP channel needed
♦ Buffer overflow
♦ Denial of service attack
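The check a stack needs in order to survive an oversized L2CAP echo request, as an added example that is not from these slides: a small parser for the L2CAP signalling channel that answers an Echo Request larger than its signalling MTU with a Command Reject instead of copying it into a fixed buffer. The 48-byte buffer size is the spec's minimum signalling MTU and is an assumption of this example; the packet bytes are constructed.

```python
import struct

SIGNALING_CID = 0x0001   # L2CAP signalling channel
ECHO_REQUEST = 0x08
ECHO_RESPONSE = 0x09
COMMAND_REJECT = 0x01
# Assumption: the receive buffer is the spec's minimum signalling MTU, 48 bytes.
MTU_SIG = 48


def parse_l2cap(frame: bytes):
    """Split a basic L2CAP frame into (cid, payload); reject truncated frames."""
    if len(frame) < 4:
        raise ValueError("frame shorter than L2CAP basic header")
    length, cid = struct.unpack_from("<HH", frame, 0)
    payload = frame[4:]
    if len(payload) != length:
        raise ValueError("L2CAP length field disagrees with frame size")
    return cid, payload


def handle_signaling(frame: bytes, buf_size: int = MTU_SIG):
    """Return (verdict, response_frame) for one inbound frame.

    'echo'   -> the request fits the buffer and is echoed back
    'reject' -> oversized request answered with Command Reject, never copied
    """
    cid, payload = parse_l2cap(frame)
    if cid != SIGNALING_CID:
        return "ignore", b""
    if len(payload) < 4:
        return "drop", b""          # no room for a command header
    code, ident, cmd_len = struct.unpack_from("<BBH", payload, 0)
    data = payload[4:]
    if cmd_len != len(data):
        return "drop", b""          # inconsistent command length
    if code != ECHO_REQUEST:
        return "ignore", b""
    # The check the BlueSmack-era stacks lacked: bound the copy by the signalling MTU.
    if 4 + cmd_len > buf_size:
        # Command Reject, reason 0x0001 = signalling MTU exceeded, data = our MTU
        reject = struct.pack("<BBHHH", COMMAND_REJECT, ident, 4, 0x0001, buf_size)
        return "reject", struct.pack("<HH", len(reject), SIGNALING_CID) + reject
    resp = struct.pack("<BBH", ECHO_RESPONSE, ident, cmd_len) + data
    return "echo", struct.pack("<HH", len(resp), SIGNALING_CID) + resp


def build_echo_request(ident: int, data: bytes) -> bytes:
    """Constructed sample input: one L2CAP frame carrying an Echo Request."""
    cmd = struct.pack("<BBH", ECHO_REQUEST, ident, len(data)) + data
    return struct.pack("<HH", len(cmd), SIGNALING_CID) + cmd
```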
AFFECTED DEVICES
♦ A small number of Bluetooth implementations are common across many platforms
♦ The most popular devices are vulnerable
♦ Result is a large number of affected devices in public
♦ Tests show between 85% and 94% vulnerability
IMPACT ON INDIVIDUALS
♦ Information theft by advertisers
♦ Location based SPAM
♦ ID theft
♦ Theft through billing
♦ Call theft
CORPORATE IMPACT
♦ Information theft
♦ Corporate espionage
♦ Bribery
REFERENCES
♦ PARVEEN KAUSHIK
Thank You