3. What Is BlueTooth?
♦ A unique new wireless technology specifically for:
♦ Short range: 10 - 100 meters typically
♦ Modest performance (780 Kbps)
♦ Dynamically configurable: ad hoc networking / roaming
♦ Low power: well suited to handheld applications
♦ Support for both voice and data
4. BlueTooth - What is the Technology?
♦ Uses the 2.4 GHz unlicensed ISM band
♦ Frequency hopping spread spectrum radio for higher interference immunity
♦ Supports point-to-point and point-to-multipoint connections with a single radio link
♦ Designed to provide low cost, robust, efficient, high capacity voice and data networking
♦ Uses a combination of circuit and packet switching
5. Why BlueTooth?
♦ Simple to install and expand
♦ Need not be in line of sight
♦ Low cost
♦ Perfect for file transfer and printing applications
♦ Simultaneous handling of data and voice on the same channel
6. Applications Of BlueTooth
♦ PC and peripheral networking
♦ Hidden computing
♦ Data synchronization for address books and calendars
♦ Cellphone acting as a modem for a PDA or laptop
♦ Personal Area Networking (PAN)
– Enabling a collection of YOUR personal devices to cooperatively work together
7. Bluetooth in the Home - No Wires
[Diagram: home devices linked without wires: xDSL access point, PDA, cell phone, cordless phone base station, inkjet printer, scanner, home audio system, computer, digital camera, MP3 player]
8. And On the Road
[Diagram: devices on the road: hotel phone & access point, car audio system, pay phone & access point, headset, MP3 player, PDA, cell phone, laptop]
10. BLUETOOTH PICONET
♦ Bluetooth devices create a piconet
♦ One master per piconet
♦ Up to seven active slaves
♦ Over 200 passive members are possible
♦ Master sets the hopping sequence
♦ Transfer rates of 721 Kbit/sec
♦ Bluetooth 1.2 and EDR (aka 2.0)
♦ Adaptive Frequency Hopping
♦ Transfer rates up to 2.1 Mbit/sec
11. BLUETOOTH SCATTERNET
♦ Connected piconets create a scatternet
♦ Master in one and slave in another piconet
♦ Slave in two different piconets
♦ Only master in one piconet
♦ Scatternet support is optional
18. A COMMON MISCONCEPTION
♦ No practical Bluetooth vulnerabilities
♦ The core Bluetooth protocol has maintained its integrity
♦ A correctly implemented Bluetooth stack should have no vulnerabilities
19. MYTHS DEBUNKED
♦ Bluetooth needs pairing
♦ Short range (1.7 miles achieved)
♦ Only mobile devices affected
♦ Non-discoverable saves me
♦ Secure as encryption is used
20. SECURITY MODES
♦ Security mode 1
– No active security enforcement
♦ Security mode 2
– Service level security
– On device level no difference to mode 1
♦ Security mode 3
– Device level security
– Enforces security for every low-level connection
21. Who is Vulnerable
♦ Both individuals and corporations
♦ Owners of various popular phones: Nokia 6310, Ericsson T series
♦ PC owners, laptop users and other pocket PC owners
♦ Symbian device owners
♦ Embedded devices, Bluetooth heating systems etc.
22. What is Possible?
♦ Theft of information, personal or corporate
♦ Device DoS
♦ Remote code execution
♦ Corporate espionage
♦ Airborne viruses or worms
23. ATTACKS IDENTIFIED
♦ June 2003: Ollie Whitehouse releases RedFang
♦ Pentest Ltd release btscanner
♦ Nov 2003: BLUEJACKING comes into the open
♦ Jan 2004: BLUESNARFING unveiled
24. VARIOUS ATTACKS
♦ The BlueSnarf Attack
♦ The HeloMoto Attack
♦ The BlueBug Attack
♦ Bluetooone
♦ Blueprinting
25. BLUESNARFING
♦ Trivial OBEX PUSH channel attack
– obexapp (FreeBSD)
– PULL known objects instead of PUSH
– No authentication
● Infrared Data Association
– IrMC (Specifications for Ir Mobile Communications)
● e.g. telecom/pb.vcf
● Ericsson R520m, T39m, T68
● Sony Ericsson T68i, T610, Z1010
● Nokia 6310, 6310i, 8910, 8910i
26. HELOMOTO
♦ Requires an entry in 'Device History'
♦ OBEX PUSH to create the entry
♦ Connect RFCOMM to Handsfree or Headset
♦ No authentication required
♦ Full AT command set access
♦ Motorola V80, V5xx, V6xx and E398
27. BLUEBUGGING
♦ BlueBug is based on AT Commands (ASCII Terminal)
– Very common for the configuration and control of telecommunications devices
– High level of control...
● Call control (turning the phone into a bug)
● Sending/Reading/Deleting SMS
● Reading/Writing phonebook entries
● Setting forwards
28. BLUETOOONE
♦ Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack
29. BLUEPRINTING
♦ Blueprinting is fingerprinting the Bluetooth Wireless Technology interfaces of devices
♦ Relevant to all kinds of applications
– Security auditing
– Device statistics
– Automated application distribution
♦ Released paper and tool at 21C3 in December 2004 in Berlin
30. BLUESMACK
♦ Using L2CAP echo feature
♦ Signal channel request/response
♦ L2CAP signal MTU is unknown
♦ No open L2CAP channel needed
♦ Buffer overflow
♦ Denial of service attack
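The BlueSmack bullets describe an L2CAP signalling echo request whose Length field is larger than the receiver's fixed signalling buffer. The following is an added example (not code from the slides or from any real stack) of the bounds check a receiving stack needs: it parses the 4-byte L2CAP signalling header (Code, Identifier, little-endian Length), refuses requests whose Length exceeds what was actually received or the minimum signalling MTU of 48 bytes, and only then builds the echo response. The 48-byte buffer size and the constructed sample packets are assumptions for the demo.

```c
/* Added example: bounds-checked L2CAP signalling echo handler (not from the slides). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define L2CAP_ECHO_REQ  0x08
#define L2CAP_ECHO_RSP  0x09
#define L2CAP_SIG_HDR   4
#define L2CAP_SIG_MTU   48   /* minimum signalling MTU; assumed as the receive buffer size */

/* Parse an echo request in `in` and write the echo response to `out`.
 * Returns the response length, or -1 if the request is malformed or would not
 * fit the fixed signalling buffer. The Length field is never trusted. */
int l2cap_handle_echo(const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_cap)
{
    if (in == NULL || out == NULL || in_len < L2CAP_SIG_HDR)
        return -1;                          /* truncated header */
    if (in[0] != L2CAP_ECHO_REQ)
        return -1;                          /* not an echo request */

    size_t len = (size_t)in[2] | ((size_t)in[3] << 8);
    if (len > in_len - L2CAP_SIG_HDR)
        return -1;                          /* Length claims more than was received */
    if (L2CAP_SIG_HDR + len > L2CAP_SIG_MTU)
        return -1;                          /* exceeds signalling MTU: drop, never copy */
    if (L2CAP_SIG_HDR + len > out_cap)
        return -1;                          /* does not fit the caller's buffer */

    out[0] = L2CAP_ECHO_RSP;
    out[1] = in[1];                         /* echo the identifier back */
    out[2] = (uint8_t)(len & 0xff);
    out[3] = (uint8_t)(len >> 8);
    memcpy(out + L2CAP_SIG_HDR, in + L2CAP_SIG_HDR, len);
    return (int)(L2CAP_SIG_HDR + len);
}

/* Constructed samples: a benign 4-byte echo request, and one whose Length
 * field claims 600 bytes, far beyond the 48-byte signalling buffer. */
int demo(void)
{
    uint8_t good[] = {L2CAP_ECHO_REQ, 0x01, 0x04, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t big[L2CAP_SIG_HDR + 600];
    uint8_t rsp[L2CAP_SIG_MTU];
    memset(big, 'A', sizeof big);
    big[0] = L2CAP_ECHO_REQ; big[1] = 0x02; big[2] = 0x58; big[3] = 0x02; /* 600 LE */
    int a = l2cap_handle_echo(good, sizeof good, rsp, sizeof rsp);  /* 8 */
    int b = l2cap_handle_echo(big, sizeof big, rsp, sizeof rsp);    /* -1 */
    return (a == 8 && b == -1) ? 0 : 1;
}
```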
31. AFFECTED DEVICES
♦ A small number of Bluetooth implementations are common across many platforms
♦ The most popular devices are vulnerable
♦ Result is a large number of affected devices in public
♦ Tests show between 85% and 94% vulnerability
32. IMPACT ON INDIVIDUALS
♦ Information theft by advertisers
♦ Location based SPAM
♦ ID theft
♦ Theft through billing
♦ Call theft