Bluetooth Security Issues, Threats and Consequences Presented by: Ankush Hans. 208 MCA 2nd sem.
BLUETOOTH INTRODUCTION ♦ Wire replacement technology ♦ Low power ♦ Short range 10m - 100m ♦ 2.4 GHz ♦ 1 Mb/s data rate
What Is BlueTooth? ♦ A unique new wireless technology specifically for: ♦ Short range 10 - 100 meters typically ♦ Modest performance (780 Kbps) ♦ Dynamically configurable ad hoc networking/roaming ♦ Low power, well suited to handheld applications ♦ Support for both voice and data
BlueTooth - What is the Technology? ♦ Uses 2.4 GHz unlicensed ISM band ♦ Frequency hopping spread spectrum radio for higher interference immunity ♦ Supports point to point and point to multipoint connection with single radio link ♦ Designed to provide low cost, robust, efficient, high capacity voice and data networking ♦ Uses a combination of circuit and packet switching
Why BlueTooth? ♦ Simple to install and expand ♦ Need not be in line of sight ♦ Low cost ♦ Perfect for file transfer and printing applications ♦ Simultaneous handling of data and voice on the same channel
Application Of BlueTooth ♦ PC and peripheral networking ♦ Hidden computing ♦ Data synchronization for address book and calendars ♦ Cellphone acting as a modem for PDA or laptop ♦ Personal Area Networking (PAN): enabling a collection of YOUR personal devices to cooperatively work together
Bluetooth in the Home - No Wires [Figure labels: Digital Camera, Computer, Scanner, Inkjet Printer, xDSL Access Point, Home Audio System, MP3 Player, PDA, Cell Phone, Cordless Phone Base Station]
And On the Road [Figure labels: Car Audio System, PDA, Cell Phone, Headset, Pay Phone & Access Point, MP3 Player, Laptop, Hotel Phone & Access Point]
BLUETOOTH NETWORKS ♦ PICONET ♦ SCATTERNET
BLUETOOTH PICONET ♦ Bluetooth devices create a piconet ♦ One master per piconet ♦ Up to seven active slaves ♦ Over 200 passive members are possible ♦ Master sets the hopping sequence ♦ Transfer rates of 721 Kbit/sec ♦ Bluetooth 1.2 and EDR (aka 2.0) ♦ Adaptive Frequency Hopping ♦ Transfer rates up to 2.1 Mbit/sec
BLUETOOTH SCATTERNET ♦ Connected piconets create a scatternet ♦ Master in one and slave in another piconet ♦ Slave in two different piconets ♦ Only master in one piconet ♦ Scatternet support is optional
Scatternet [Figure: devices labelled A to Q]
Inquiry (Discovering Who’s Out There) ♦ Note that a device can be “Undiscoverable” [Figure: devices labelled A to Q]
Paging (Creating a Piconet) [Figure: devices labelled A to Q, with a 10 meters range marker]
Parking [Figure: devices labelled A to Q, with a 10 meters range marker]
SECURITY ISSUES AND ATTACKS UNVEILED
AGENDA ♦ Issues and Origin ♦ Threat Sources ♦ Risks ♦ Demonstration
A COMMON MISCONCEPTION ♦ No practical Bluetooth vulnerabilities ♦ The core Bluetooth protocol has maintained its integrity ♦ A correctly implemented Bluetooth stack should have no vulnerabilities
MYTHS DEBUNKED ♦ Bluetooth needs pairing ♦ Short range (1.7 miles achieved) ♦ Only mobile devices affected ♦ Non-discoverable saves me ♦ Secure as encryption is used
SECURITY MODES ♦ Security mode 1: No active security enforcement ♦ Security mode 2: Service level security; on device level no difference to mode 1 ♦ Security mode 3: Device level security; enforce security for every low-level connection
VULNERABILITY ORIGINS ♦ Bad coding practices when developing RFCOMM services ♦ Lack of knowledge regarding Bluetooth or other security protocols ♦ Re-use of older services for different protocols ♦ “Bluetooth is secure” - just plug in and go
Who is Vulnerable ♦ Both individuals and corporations ♦ Owners of various popular phones: Nokia 6310, Ericsson T series ♦ PC owners, laptop users and other pocket PC owners ♦ Symbian device owners ♦ Embedded devices, Bluetooth heating systems etc.
THREATS ♦ Am I vulnerable? ♦ Who is a threat? ♦ What is the impact?
Who is a threat? ♦ Large scale scammers ♦ Advertisers ♦ Dedicated Crackers ♦ Groups/Individuals with precise goals
What is Possible? ♦ Theft of information, personal or corporate ♦ Device DoS ♦ Remote code execution ♦ Corporate espionage ♦ Airborne viruses or worms
ATTACKS IDENTIFIED ♦ June 2003 Ollie Whitehouse releases RedFang ♦ Pentest Ltd release btscanner ♦ Nov 2003 BLUEJACKING comes into the open ♦ Jan 2004 BLUESNARFING unveiled
VARIOUS ATTACKS ♦ The BlueSnarf Attack ♦ The HeloMoto Attack ♦ The BlueBug Attack ♦ Bluetooone ♦ Blueprinting
BLUESNARFING Trivial OBEX PUSH channel attack – obexapp (FreeBSD) – PULL known objects instead of PUSH – No authentication ● Infrared Data Association – IrMC (Specifications for Ir Mobile Communications) ● e.g. telecom/pb.vcf ● Ericsson R520m, T39m, T68 ● Sony Ericsson T68i, T610, Z1010 ● Nokia 6310, 6310i, 8910, 8910i
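The BlueSnarf condition above (an OBEX GET served on the push channel with no authentication) seen from the receiving side, as an added example that is not part of the presentation: a parser for OBEX requests and a check that refuses GET on an unauthenticated link. The policy, the function names and the sample packet builder are assumptions made for illustration.

```python
import struct

OBEX_PUT, OBEX_GET = 0x02, 0x03   # opcodes with the final bit (0x80) cleared
HDR_NAME = 0x01                   # Name header: UTF-16BE text, null-terminated
RSP_OK, RSP_BAD_REQUEST, RSP_FORBIDDEN = 0xA0, 0xC0, 0xC3

def parse_request(packet: bytes):
    """Parse one non-CONNECT OBEX request into (opcode, {header_id: value})."""
    if len(packet) < 3:
        raise ValueError("short packet")
    opcode, length = struct.unpack(">BH", packet[:3])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    headers, pos = {}, 3
    while pos < length:
        hid, kind = packet[pos], packet[pos] >> 6  # top two bits select the encoding
        if kind < 2:                               # 2-byte length, then text or bytes
            if pos + 3 > length:
                raise ValueError("truncated header")
            hlen = struct.unpack(">H", packet[pos + 1:pos + 3])[0]
        else:                                      # fixed 1-byte or 4-byte value
            hlen = 2 if kind == 2 else 5
        if (kind < 2 and hlen < 3) or pos + hlen > length:
            raise ValueError("bad header length")
        value = packet[pos + (3 if kind < 2 else 1):pos + hlen]
        headers[hid] = value.decode("utf-16-be").rstrip("\x00") if kind == 0 else value
        pos += hlen
    return opcode & 0x7F, headers

def push_channel_response(packet: bytes, link_authenticated: bool):
    """Assumed policy: PUT is always allowed, GET only on an authenticated link."""
    try:
        opcode, headers = parse_request(packet)
    except ValueError as exc:       # also covers UnicodeDecodeError
        return RSP_BAD_REQUEST, f"malformed request: {exc}"
    name = headers.get(HDR_NAME, "")
    if opcode == OBEX_PUT:
        return RSP_OK, f"push of {name!r} accepted"
    if opcode == OBEX_GET:
        if link_authenticated:
            return RSP_OK, f"authenticated pull of {name!r} allowed"
        return RSP_FORBIDDEN, f"unauthenticated pull of {name!r} refused"
    return RSP_BAD_REQUEST, f"opcode {opcode:#04x} not served on this channel"

def sample_request(opcode: int, name: str) -> bytes:
    """Constructed test input: a final-bit request carrying only a Name header."""
    text = name.encode("utf-16-be") + b"\x00\x00"
    header = struct.pack(">BH", HDR_NAME, 3 + len(text)) + text
    return struct.pack(">BH", opcode | 0x80, 3 + len(header)) + header
```

The reason string returned with each decision is what a device log would need to record to make refused pulls visible.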
HELOMOTO ♦ Requires entry in 'Device History' ♦ OBEX PUSH to create entry ♦ Connect RFCOMM to Handsfree or Headset ♦ No authentication required ♦ Full AT command set access ♦ Motorola V80, V5xx, V6xx and E398
BLUEBUGGING BlueBug is based on AT Commands (ASCII Terminal) – Very common for the configuration and control of telecommunications devices – High level of control... ● Call control (turning phone into a bug) ● Sending/Reading/Deleting SMS ● Reading/Writing Phonebook Entries ● Setting Forwards
BLUETOONE ♦ Enhancing the range of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack
BLUEPRINTING ♦ Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices ♦ Relevant to all kinds of applications ♦ Security auditing ♦ Device statistics ♦ Automated application distribution ♦ Released paper and tool at 21C3 in December 2004 in Berlin
BLUESMACK ♦ Using L2CAP echo feature ♦ Signal channel request/response ♦ L2CAP signal MTU is unknown ♦ No open L2CAP channel needed ♦ Buffer overflow ♦ Denial of service attack
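A length-checked handler for the L2CAP echo exchange named above, as an added example that is not part of the presentation: every length field is validated before any data is copied, and a frame larger than the local signalling MTU is answered with a Command Reject. The 48-byte MTU_SIG value and the function names are assumptions.

```python
import struct

SIG_CID = 0x0001                    # L2CAP signalling channel on ACL-U links
CMD_REJECT, ECHO_REQ, ECHO_RSP = 0x01, 0x08, 0x09
REASON_MTU_EXCEEDED = 0x0001        # Command Reject reason: signalling MTU exceeded
MTU_SIG = 48                        # assumed local signalling MTU, in bytes

def command(code: int, ident: int, data: bytes = b"") -> bytes:
    """Encode one signalling command: code, identifier, length, data."""
    return struct.pack("<BBH", code, ident, len(data)) + data

def frame(payload: bytes, cid: int = SIG_CID) -> bytes:
    """Wrap a payload in the basic L2CAP header (length, channel ID)."""
    return struct.pack("<HH", len(payload), cid) + payload

def handle_signalling(raw: bytes) -> list:
    """Return the responses for one received L2CAP frame, checking every length."""
    if len(raw) < 4:
        raise ValueError("short L2CAP frame")
    length, cid = struct.unpack("<HH", raw[:4])
    payload = raw[4:]
    if length != len(payload):
        raise ValueError("L2CAP length does not match received bytes")
    if cid != SIG_CID:
        return []                   # not signalling traffic, handled elsewhere
    if length > MTU_SIG:            # refuse before touching any fixed-size buffer
        ident = payload[1]
        reject = struct.pack("<HH", REASON_MTU_EXCEEDED, MTU_SIG)
        return [command(CMD_REJECT, ident, reject)]
    responses, pos = [], 0
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated command header")
        code, ident, dlen = struct.unpack("<BBH", payload[pos:pos + 4])
        if pos + 4 + dlen > length:
            raise ValueError("command data overruns frame")
        if code == ECHO_REQ:        # echo back exactly the validated bytes
            responses.append(command(ECHO_RSP, ident, payload[pos + 4:pos + 4 + dlen]))
        pos += 4 + dlen
    return responses
```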
AFFECTED DEVICES ♦ A small number of Bluetooth implementations are common across many platforms ♦ The most popular devices are vulnerable ♦ Result is a large number of affected devices in public ♦ Tests show between 85% and 94% vulnerability
IMPACT ON INDIVIDUALS ♦ Information theft by advertisers ♦ Location based SPAM ♦ ID theft ♦ Theft through billing ♦ Call theft
CORPORATE IMPACT ♦ Information theft ♦ Corporate espionage ♦ Bribery
Thank You