Slides

Bluetooth Security Issues,Threats and Consequences Presented by: Ankush Hans. 208 MCA 2nd sem.

BLUETOOTH INTRODUCTION ♦ Wire replacement technology ♦ Low power ♦ Short range 10m - 100m ♦ 2.4 GHz ♦ 1 Mb/s data rate

What Is BlueTooth? ♦ A unique new wireless technology specifically for: ♦ Short range 10 - 100 meters typically ♦ Modest performance

(780Kbps) ♦ Dynamically configurable ad hoc networking/ roaming

♦ Low power Well suited to handheld applications ♦ Support for both voice and data

BlueTooth - What is the Technology ? ♦ Uses 2.4 GHZ unlicensed ISM band ♦ Frequency hopping spread spectrum radio for

higher interference immunity. ♦ Supports point to point and point to multipoint connection with single radio link. ♦ Designed to provide low cost, robust, efficient, high capacity voice and data networking. ♦ Uses a combination of circuit and packet switching.

Why BlueTooth? ♦ Simple to install and expand ♦ Need not be in line of sight ♦ Low Cost ♦ Perfect for File transfer and printing

application ♦ Simultaneous handling of data and voice on the same channel

Application Of BlueTooth ♦ PC and Peripheral networking ♦ Hidden Computing ♦ Data synchronization for Address book and

calendars ♦ Cellphone acting as a modem for PDA or Laptop ♦ Personal Area Networking (PAN) – Enabling a collection of YOUR personal devices to cooperatively work together

Bluetooth in the Home - No Wires Digital Camera Computer

Scanner

Inkjet Printer xDSL Access Point

Home Audio System

MP3 Player

PDA Cell Phone

Cordless Phone Base Station

And On the Road

Car Audio System

PDA Cell Phone

Headset

Pay Phone & Access Point

MP3 Player Laptop

Hotel Phone & Access Point

BLUETOOTH NETWORKS ♦ PICONET ♦ SACTTERNET

BLUETOOTH PICONET ♦ ♦ ♦ ♦

Bluetooth devices create a piconet One master per piconet Up to seven active slaves Over 200 passive members are possible ♦ Master sets the hopping sequence ♦ Transfer rates of 721 Kbit/sec ♦ Bluetooth 1.2 and EDR (aka 2.0) ♦ Adaptive Frequency Hopping ♦ Transfer rates up to 2.1 Mbit/sec

BLUETOOTH SCATTERNET ♦ Connected piconets create a

scatternet ♦ Master in one and slave in another piconet ♦ Slave in two different piconets ♦ Only master in one piconet ♦ Scatternet support is optional

Scatternet D

F

H

A

B

O E

N

M

G

P

K

J

L I

C

Q

Inquiry (Discovering Who’s Out There) Note that a device can be “Undiscoverable” D

F

H

G

M

A O J

E

N

P

B K L

I

Q C

Paging (Creating a Piconet) D

F

H

G

M

A O

E

P

B K

J 10 meters

N

L I

Q C

Parking D

F

H

M

G

A K

J

L I

10 meters

P

B

O E

N

Q C

SECURITY ISSUES AND ATTACKS UNVEILED

AGENDA ♦ Issues and Origin ♦ Threat Sources ♦ Risks ♦ Demonstration

A COMMON MISCONCEPTION ♦ No practical Bluetooth vulnerabilities ♦ The core bluetooth protocol has maintained

its integrity ♦ A corectly implemented Bluetooth stack should have no vulnerabilities

MYTHS DEBUNKED ♦ Bluetooth needs pairing ♦ Short Range(1.7miles achieved) ♦ Only mobile devices affected ♦ Non-Discoverable saves me ♦ Secure as Encryption is Used

SECURITY MODES ♦ Security mode 1 ♦ No active security enforcement ♦ Security mode 2 ♦ Service level security ♦ On device level no difference to mode

1 ♦ Security mode 3 ♦ Device level security ♦ Enforce security for every low-level connection

VULNERABILITY ORIGINS ♦ Bad coding practices when developing

RFCOMM services ♦ Lack of knowledge regarding Bluetooth or other security protocols ♦ Re-Use of older services for different protocols ♦ “Bluetooth is secure”-just plug in and go

Who is Vulnerable ♦ Both individuals and corporations ♦ Owners of various popular phones.nokia

6310,Ericsson T series ♦ PC owners,Laptop users and other pocket PC owners ♦ Symbion device owners ♦ Embedded devices,Bluetooth heating systems etc

THREATS ♦ Am I vulnerable? ♦ Who is a threat? ♦ What is the impact?

Who is a threat? ♦ Large scale scammers ♦ Advertisers ♦ Dedicated Crackers ♦ Groups/Individuals with precise goals

What is Possible? ♦ Theft of Information,personal,or corporate ♦ Device DoS ♦ Remote Code execution ♦ Corporate espionage ♦ Airborn viruses or worms

ATTACKS IDENTIFIED ♦ June 2003 Ollie Whitehouse releases

RedFang ♦ Pentest Ltd release btscanner ♦ Nov 2003 BLUEJACKING comes to open ♦ Jan 2004 BLUESNARFING unveilled

VARIOUS ATTACKS ♦ The BlueSnarf Attack ♦ The HeloMoto Attack ♦ The BlueBug Attack ♦ Bluetooone ♦ Blueprinting

BLUESNARFING Trivial OBEX PUSH channel attack – obexapp (FreeBSD) – PULL known objects instead of PUSH – No authentication ● Infrared Data Association – IrMC (Specifications for Ir Mobile Communications) ● e.g. telecom/pb.vcf ● Ericsson R520m, T39m, T68 ● Sony Ericsson T68i, T610, Z1010 ● Nokia 6310, 6310i, 8910, 8910i

HELOMOTO ♦ Requires entry in 'Device History' ♦ OBEX PUSH to create entry ♦ Connect RFCOMM to Handsfree or

Headset ♦ No Authentication required ♦ Full AT command set access ♦ Motorola V80, V5xx, V6xx and E398

BLUEBUGGING BlueBug is based on AT Commands (ASCII Terminal) – Very common for the configuration and control of telecommunications devices – High level of control... ● Call control (turning phone into a bug) ● Sending/Reading/Deleting SMS ● Reading/Writing Phonebook Entries ● Setting Forwards

BLUETOONE ♦ Enhancing the range

of a Bluetooth dongle by connecting a directional antenna -> as done in the Long Distance Attack

BLUEPRINTING ♦ Blueprinting is fingerprinting Bluetooth

Wireless ♦ Technology interfaces of devices ♦ Relevant to all kinds of applications ♦ Security auditing ♦ Device Statistics ♦ Automated Application Distribution ♦ Released paper and tool at 21C3 in December 2004 in Berlin

BLUESMACK ♦ Using L2CAP echo feature ♦ Signal channel request/response ♦ L2CAP signal MTU is unknown ♦ No open L2CAP channel needed ♦ Buffer overflow ♦ Denial of service attack

AFFECTED DEVICES ♦ A small number of Bluetooth

implementations are common across many platforms ♦ The most popular devices are vulnerable ♦ Result is a large number of affected devices in public ♦ Tests show between 85% and 94% vulnerability

IMPACT ON INDIVIDUALS ♦ Information theft by advertisers ♦ Location based SPAM ♦ ID theft ♦ Theft through billing ♦ Call theft

CORPORATE IMPACT ♦ Information theft ♦ Corporate espionage ♦ Bribery

REFERENCES ♦ http://trifinite.org ♦ Symbian Ltd. Symbian OS.

http://www.symbian.com ♦ http://bluestumbler.org ♦ www.bluetooth.org.

Thank You