
Table of Contents

1. Appendix ..... 4
2. Introduction ..... 5
3. Overview of Bluetooth Technology ..... 6
   3.1. Bluetooth Stack Architecture ..... 6
   3.2. Advantages and Disadvantages of Bluetooth Technology ..... 9
        3.2.1. Advantages ..... 9
        3.2.2. Disadvantages ..... 9
   3.3. Piconet ..... 10
   3.4. Scatternet ..... 11
   3.5. Types of Bluetooth ..... 11
4. Bluetooth Security Feature ..... 12
   4.1. Basic Security Feature ..... 12
   4.2. Service Level of Bluetooth Technology ..... 13
   4.3. Key Management ..... 14
5. Key Generation and Security Mode ..... 15
   5.1. Security Modes ..... 15
   5.2. Types of Key in Bluetooth ..... 17
   5.3. Generation of the initialization key, Kinit ..... 18
   5.4. Generation of Unit Key, KA ..... 19
   5.5. Generation of Combination Key, KAB ..... 19
   5.6. Generation of Master Key, Kmaster ..... 20
   5.7. Generation of Encryption Key, KC ..... 21
   5.8. Algorithms used to generate Keys ..... 21
   5.9. Pairing Process ..... 23
6. Authentication and Confidentiality ..... 24
   6.1. Authentication ..... 24
   6.2. Confidentiality ..... 26
7. Bluetooth Vulnerabilities & Threats ..... 28
   7.1. Vulnerabilities ..... 28
        7.1.1. Vulnerabilities before Bluetooth v1.2 ..... 28
        7.1.2. Vulnerabilities before Bluetooth v2.1 ..... 28
        7.1.3. Vulnerabilities in Bluetooth v2.1 and v3.0 ..... 29
        7.1.4. Vulnerabilities in Bluetooth before v4.0 ..... 29
   7.2. Threats ..... 30
8. Bluetooth Countermeasures ..... 32
9. Conclusion ..... 35
10. Reference ..... 36

Page 1 of 37


List of Figures

Figure 3.1: Overview of Bluetooth Stack Architecture (msdn, 2006) ..... 6
Figure 3.2: Example of a Piconet temporary network ..... 10
Figure 3.3: Example of a Scatternet ..... 11
Figure 3.4: Overview of types of Bluetooth (Padgette, Scarfone and Chen, 2012) ..... 11
Figure 5.1: Generation of Initialization Key (Giousouf, n.d.) ..... 18
Figure 5.2: Generation of Unit Key (Giousouf, n.d.) ..... 19
Figure 5.3: Generation of Combination Key (Giousouf, n.d.) ..... 19
Figure 5.4: Generation of Master Key (Giousouf, n.d.) ..... 20
Figure 5.5: Generation of Encryption Key (Giousouf, n.d.) ..... 21
Figure 5.6: Algorithm E21 (Giousouf, n.d.) ..... 21
Figure 5.7: Algorithm E22 (Giousouf, n.d.) ..... 22
Figure 5.8: Algorithm E3 (Giousouf, n.d.) ..... 22
Figure 5.9: Pairing process between Bluetooth devices (NATIONALINSTRUMENTS, 2008) ..... 23
Figure 6.1: Authentication Process in Bluetooth (Padgette and Scarfone, 2008) ..... 24
Figure 6.2: Overview of Encryption Process in Bluetooth (Padgette and Scarfone, 2008) ..... 27


1. Appendix


2. Introduction
In the modern era, the growing tendency of every technology is towards wireless technology. What is wireless technology? Wireless technology is a technique that allows its users to transmit data or information through the air; in other words, the transmission can be done without using any visible wire. In this research paper we will focus on one wireless technology that was found at an early stage in wireless technology's history: Bluetooth.

The name Bluetooth comes from the name of a king who lived in Denmark in the 10th century (Lai, 2001). The reason for choosing the king's name is unknown to me, but I think it is better to include some interesting information at the start of this research paper. Bluetooth was actually founded and developed by five big organizations, which included Ericsson, Nokia, IBM, Intel and Toshiba (Lai, 2001). Back at the beginning of the mobile industry, Ericsson and Nokia could be considered the biggest organizations of the era. But in the current state, the biggest organizations in the mobile industry have already changed to Apple and Samsung.

Bluetooth actually simplified people's lives in the old era; even though this technology is still available in modern smart phones, the usage of its applications is becoming less and less. Besides, users also do not use Bluetooth as often as before. The most basic example of a Bluetooth application is that it allows a user to transmit a file from one user's phone to another user's phone or mobile device which also supports Bluetooth. To perform this activity no setup is needed; it is always on in the background (Lai, 2001). But of course the Bluetooth connectivity can also be turned off manually. One of the weaknesses of Bluetooth is that its connectivity range for both the sender and the receiver is very short. The range of a functional connection is only about 10 meters (Lai, 2001).

Of course, Bluetooth uses some protocols and features to ensure the security of the connection. The multiple levels of security and the security features will be discussed more in the coming sub-topics. In this research paper, we will focus more on the security area. More security issues will be described and discussed later.


3. Overview of Bluetooth Technology


3.1. Bluetooth Stack Architecture

The Bluetooth specification can be divided into two parts: the core portion and the profile specifications (Kardach, n.d.). The core portion describes how Bluetooth works; on the other hand, the profile specifications mainly concentrate on how to build interoperating devices using the core technologies (Kardach, n.d.). Figure 3.1 is the architectural view of the Bluetooth stack.

Figure 3.1: Overview of Bluetooth Stack Architecture (msdn, 2006)


Let's do a very quick and brief discussion of this Bluetooth stack architecture. Due to time constraints we will only go through those layers which are important in Bluetooth.

OBEX
  Stands for Object Exchange.
  OBEX client module: Obexapi.dll; OBEX server module: Obexsvr.dll.
  Primarily used as a push or pull application.

TDI
  Stands for Transport Driver Interface.
  It separates the highly asynchronous callback-based architecture of the stack, presenting a Windows Sockets Specification.

COM Port Emulation
  Hosts the dial-up and LAN access profiles.

SDP
  Stands for Service Discovery Protocol. It is used to handle publishing and discovery of services.
  This protocol enables portable Bluetooth devices to deal with the dynamically changing Bluetooth environment when the Bluetooth technology is operating in motion.
  SDP client module: Btdrt.dll; SDP server module: Btd.dll.

RFCOMM
  Serial Cable Emulation Protocol.
  It can support a maximum of 60 simultaneous connections between two Bluetooth devices.
  It serves as a base for the COM port emulation facilities.
  It makes data synchronization possible between Bluetooth devices and other mobile devices such as PDAs and smart phones.
  Controls the data flow between devices and applications.

PAN
  Personal Area Network.
  Piconet and Scatternet (will be discussed in a coming section).

L2CAP
  Logical Link Control and Adaptation Protocol.
  It is not responsible for controlling data flow; it depends on the reliable device-to-device baseband link provided by the Bluetooth hardware.

Bluetooth Universal Transport Manager (BthUniv)
  Located in Bthuniv.dll.
  It is the intermediate transport driver located between the HCI layer and the transport layer. It is used to spot Plug and Play devices and is responsible for running the correct transport driver.

HCI Transport Layer
  Included in Btd.dll.
  Operates in the transport layer and is responsible for transferring the HCI commands to the Bluetooth hardware.

LMP
  Stands for Link Manager Protocol.
  Provides the services of authentication and encryption.
  The standard used to manage link establishment between Bluetooth devices.

BB
  Stands for Baseband.
  Used to permit the physical radio frequency link among Bluetooth units that form a Piconet.

The table above is referenced from (msdn, 2006).


3.2. Advantages and Disadvantages of Bluetooth Technology

3.2.1. Advantages

The most obvious advantage of using Bluetooth is that it is accepted by the entire world and it is a standard supported by more than two thousand manufacturers (InterBluetooth, n.d.). It can be used on most mobile computing devices such as laptops, PDAs, smart phones, headsets and so on (InterBluetooth, n.d.). Another significant advantage is that its installation fee is very cheap compared to other wireless technologies. This is because Bluetooth is license free and does not require any charges, unlike other wireless network services (InterBluetooth, n.d.). It is similar to Non-Line of Sight (NLON) technology, which is not interrupted by obstacles (InterBluetooth, n.d.). By using channel hopping, Bluetooth can dodge interference from other wireless devices and help to provide an error-free data transmission environment (InterBluetooth, n.d.). It supports a maximum of 7 devices inside a range of up to 10 meters, which is the best solution for a home network (InterBluetooth, n.d.). This network is also known as a Piconet; we will discuss it in detail in a coming sub-topic. It consumes very little power because generally the range over which Bluetooth supports communication is only up to 10 meters (InterBluetooth, n.d.).

3.2.2. Disadvantages

Compared with infrared technology, Bluetooth only supports 2.1 Mbps data transfer rates, whereas infrared technology can support 4 Mbps data transfer rates. Although it consumes very little power, it will still waste power if you leave it running in the background.


3.3. Piconet

A Piconet in Bluetooth means that several nodes are connected to form a connection similar to a LAN connection. But in Bluetooth we call it a Personal Area Network (PAN). It is built from a Master and Slaves (Al-Hasani, n.d.). Each node in the Piconet has a 28-bit internal clock and a 48-bit address (Al-Hasani, n.d.). At the beginning, the nodes do not recognize each other; to establish communication, each node sends out an inquiry to the other slaves located in the same range (Al-Hasani, n.d.). After that it enters the paging state (Al-Hasani, n.d.). This is the state where packets start to be exchanged between the nominated Master and the prospective slaves (Al-Hasani, n.d.). The paging state and the inquiry state are the reverse of each other. In the paging state the master discloses the slave (Al-Hasani, n.d.). In the inquiry state, the slaves disclose their master (Al-Hasani, n.d.). The maximum number of devices connected to a Piconet is 8: one Master and 7 slaves (Al-Hasani, n.d.). This network is a temporary network, and the data connections within the Piconet can be added or removed dynamically (Al-Hasani, n.d.).

Figure 3.2: Example of a Piconet temporary network


3.4. Scatternet

A Scatternet is another type of network that can be found in Bluetooth. It is similar to a Piconet; in fact, it is a bigger version of a Piconet. A Scatternet is formed by two or more Piconets connected together (NOKIADeveloper, n.d.). The Scatternet is formed when a slave from one Piconet becomes a master of another Piconet (NOKIADeveloper, n.d.). This merge is known as a Scatternet (NOKIADeveloper, n.d.). The maximum number for a Scatternet is 10.

Figure 3.3: Example of a Scatternet

3.5. Types of Bluetooth

Figure 3.4: Overview of types of Bluetooth (Padgette, Scarfone and Chen, 2012)

Bluetooth can be categorized into three types. Figure 3.3 is the summary of the types of classes available in Bluetooth technology. mW stands for milliwatts, and dBm for decibels referenced to one milliwatt (Padgette, Scarfone and Chen, 2012). Class 2 is the type of Bluetooth we will always interact with in our daily operation.

4. Bluetooth Security Feature


Again we will talk about security. No matter what category or industry you are in, security concerns are always the major issue that we need to focus on. In business, security is about how to ensure money is kept in a safe place and how to ensure confidential information will not leak out and become known to competitors. In the IT world, security is about how to protect data during transmission and how to secure the data and information stored in a database or server. In this topic, we will show some of the security features that Bluetooth technology uses to secure its services for its users.

4.1. Basic Security Feature

When we talk about basic security features, as IT students or workers we usually know that it is about CIA: Confidentiality, Integrity and Authentication. These three are the most basic security features that every program should have. Bluetooth does not support all three of these functions, but what it has is actually very similar: it just replaces Integrity with Authorization. In my opinion this is because Bluetooth is usually used for short-range data transmission, so it is very hard to interrupt the data connection and change the data within the same area very quickly. So they did not state Integrity in their list of basic security features. Just to recap, there are three basic security features, or we may call them security services, specified in the Bluetooth standard. The first one is the Authentication service. It is used to verify the identity of the communicating devices based on their Bluetooth device address, according to Padgette, Scarfone and Chen. Besides this, the service also offers an extra function: if the Bluetooth devices that attempt to connect to the Piconet are not able to authenticate correctly, it uses the abort mechanism to abort the attempt (Ivris Marcelo, n.d.). The second is Confidentiality. It is used to prevent information compromise caused by eavesdropping by ensuring that only authorized devices can access and view transmitted data, according to Padgette, Scarfone and Chen. This means that only the sender and receiver can have access to the content. The last one is Authorization. This feature is designed to control the resources to avoid unauthorized devices using the service (Ivris Marcelo, n.d.). Bluetooth always operates with these questions: is this device authorized? Can it have access to this service during its operation? (Ivris Marcelo, n.d.). By implementing these services, Bluetooth can secure the resources so that they will not be used by any third party or any other unauthorized device.

4.2. Service Level of Bluetooth Technology

There are three service levels available in Bluetooth. Because these three levels of service are provided, the demands for authorization, encryption and authentication can be set separately (Ivris Marcelo, n.d.). The three security levels are:

Service Lv1: those that need authentication and authorization (Ivris Marcelo, n.d.). Only trusted Bluetooth devices can obtain automatic access (Ivris Marcelo, n.d.). A manual authorization operation is assigned to untrusted Bluetooth devices (Ivris Marcelo, n.d.).

Service Lv2: those that need only authentication (Ivris Marcelo, n.d.). After finishing and passing the authentication process, access to the application is granted (Ivris Marcelo, n.d.). This service level does not require an authorization process (Ivris Marcelo, n.d.).

Service Lv3: those that are open to all devices (Ivris Marcelo, n.d.). They do not go through the authentication process (Ivris Marcelo, n.d.). Access to an application is allocated automatically (Ivris Marcelo, n.d.).

The architecture of Bluetooth technology allows for defining security policies that can set trust relationships (Ivris Marcelo, n.d.). This means that not every device can get access to all other services (Ivris Marcelo, n.d.). This policy allows trusted devices to access some specific services only (Ivris Marcelo, n.d.). It is essential to gain knowledge about this critical point, because the Bluetooth core protocols can only authenticate the device itself, not the user (Ivris Marcelo, n.d.). However, this does not mean that user-based access control is not available in Bluetooth (Ivris Marcelo, n.d.). Bluetooth's security architecture also supports applications implementing or executing their own security policies (Ivris Marcelo, n.d.). Furthermore, the link layer (the Bluetooth-specific security control layer) of Bluetooth is open to the security controls imposed by the application layers (Ivris Marcelo, n.d.). Therefore, there is a way to operate a user-based authentication process and fine-grained access control inside the Bluetooth security architecture (Ivris Marcelo, n.d.).

4.3. Key Management

The security architecture of Bluetooth provides a secure data communication environment by implementing symmetric key cryptography (Lee, 2006). Symmetric key cryptography in Bluetooth is used to generate and share the public key (also known as the common link key) for the two communicating Bluetooth devices (Lee, n.d.). This procedure is used to provide the services of authentication and encryption (Lee, n.d.). Encryption is the method that transforms plain text into cipher text which is not readable by humans. This key management feature will be further discussed in the coming sub-topics.


5. Key Generation and Security Mode


5.1. Security Modes

In Bluetooth there are four different types of security mode. In this sub-topic we will talk about them. Besides that, we will also talk about the two trust levels which are also available in Bluetooth technology. First of all we will discuss the three modes:

Mode 1: In this mode there is no security at all (Akhavan and Vakily, 2011). The Bluetooth devices will not start any security feature or protocol to ensure security (Akhavan and Vakily, 2011).

Mode 2 (Service-level security): A channel at the Logical Link Control and Adaptation Protocol (L2CAP) level is initiated without any security process (Akhavan and Vakily, 2011). Different security requirements can be set for each application: if the application running on the Bluetooth device requires low security then its requirement can be set to low, and if it requires high security to transmit confidential data the security requirement can be set to high (Akhavan and Vakily, 2011).

Mode 3 (Link-level security): Starts the security procedures for a secure connection before creating a channel at the L2CAP level (Akhavan and Vakily, 2011). It is a default built-in security mechanism. It is not aware of service- or application-layer security, according to Akhavan and Vakily.


Mode 4: Introduced in Bluetooth v2.1 + EDR (Radio-Electronics.com, n.d.). It is used to secure the simple pairing process by using the Elliptic Curve Diffie-Hellman (ECDH) method for key exchange and link key generation (Radio-Electronics.com, n.d.). The four security requirements for services protected by this mode are: authenticated link key (Radio-Electronics.com, n.d.); unauthenticated link key (Radio-Electronics.com, n.d.); no security required (Radio-Electronics.com, n.d.).

This mode is the compulsory mode which makes communication possible between v2.1 + EDR devices (Radio-Electronics.com, n.d.).

After briefing all three security modes, now we go into a little more detail. In security mode 2, settings are made on a per-service and per-device basis (Akhavan and Vakily, 2011). It requires two databases in Bluetooth technology: one database is used to store device information and the other is used to store service information (Akhavan and Vakily, 2011). Furthermore, the application software provides the security configuration contained in the service database (Akhavan and Vakily, 2011). On the other hand, the information about past sessions with other Bluetooth devices is stored in the device database (Akhavan and Vakily, 2011). Now we go to the two trust levels. The levels stated here are the trusted and untrusted levels. As the name suggests, trusted means the device has already passed the authentication process or is already paired, so that it is marked as trusted in the device database (Akhavan and Vakily, 2011). At the trusted level it has unrestricted access to all services (Akhavan and Vakily, 2011). At the untrusted level it has restricted access to services (Akhavan and Vakily, 2011). It is untrusted because it is an unknown or new device, or it has never paired with the Bluetooth device before, so that it is not saved inside the device database (Akhavan and Vakily, 2011). By default, new devices will always be treated as untrusted (Akhavan and Vakily, 2011).


5.2. Types of Key in Bluetooth

In Bluetooth there are four different types of key that are used to secure data transmission and also to authorize a Bluetooth device to communicate with another Bluetooth device. The four types of key are the Initialization Key, Combination or Unit Keys, Master Key and Encryption Key (Akhavan and Vakily, 2011).

Initialization Key: It is the first key produced during the pairing procedure (Akhavan and Vakily, 2011). It is used to generate the next type of key later in the pairing procedure (Akhavan and Vakily, 2011). After the next type of key is generated this key expires (Akhavan and Vakily, 2011). The strength of this key relies solely on a 4- to 16-byte PIN (Akhavan and Vakily, 2011).

Combination or Unit Keys: The combination key is known as Kab and the unit key as Ka (Akhavan and Vakily, 2011). Both of these keys are stored on the Bluetooth devices permanently unless the devices are updated through the link key update process or the broadcast encryption scheme (Akhavan and Vakily, 2011). These two keys can be used at any time, but only by the Bluetooth devices which share the key (Akhavan and Vakily, 2011).

Master key: The Bluetooth specification defines a shared master key to allow a Piconet master to encrypt broadcast traffic, according to Akhavan and Vakily.

Encryption Key: Also known as Kc, it is generated from the current link keys and is updated when the Bluetooth devices enter encryption mode (Akhavan and Vakily, 2011). Another function of Kc is to create a cipher stream, KCipher, which in turn is XORed with the payloads (Akhavan and Vakily, 2011).

5.3. Generation of the initialization key, Kinit

The link key used in the initialization process is also known as the initialization key Kinit (Giousouf, n.d.). It is generated by using a BD_ADDR, which is a PIN code, and also a random number IN_RAND (Giousouf, n.d.). Both of these values, BD_ADDR and IN_RAND, go through the algorithm E22 to generate the initialization key (Giousouf, n.d.). The PIN code used to generate BD_ADDR is entered by the user into both Bluetooth devices (Giousouf, n.d.). This code is saved as the original secret used for the key generation (Giousouf, n.d.). Note that the PIN shall not be more than 16 bytes, since the algorithm used to produce BD_ADDR does not support more than 16 bytes (Giousouf, n.d.).

Figure 5.1: Generation of Initialization Key (Giousouf, n.d.)


5.4. Generation of Unit Key, KA

This key is generated by using the E21 algorithm (Giousouf, n.d.).

Figure 5.2: Generation of Unit Key (Giousouf, n.d.)

5.5. Generation of Combination Key, KAB

The combination key is the combination of random values generated by the two devices, using the algorithm E21 to generate LK_KA and LK_KB (Giousouf, n.d.). LK_KA and LK_KB are generated from the random values LK_RANDA and LK_RANDB generated by the two devices (Giousouf, n.d.). After that, LK_KA and LK_KB are XORed with the current link key and exchanged (Giousouf, n.d.). After both Bluetooth devices have generated the new combination key, a mutual authentication process is initiated to ensure the success of the transaction (Giousouf, n.d.). Then the old link key is dropped or expires after a successful exchange of a new combination key (Giousouf, n.d.).

Figure 5.3: Generation of Combination Key (Giousouf, n.d.)

5.6. Generation of Master Key, Kmaster

First of all we need to create a new link key from two 128-bit random numbers, technically known as RAND1 and RAND2 (Giousouf, n.d.). After these two random numbers are generated they are processed by algorithm E22 to generate Kmaster (Giousouf, n.d.):

Kmaster = E22(RAND1, RAND2, 16)

After that another RAND is sent to the slave (Giousouf, n.d.). On each side an overlay (OVL) is calculated using algorithm E22 with the current link key and the RAND as the input (Giousouf, n.d.):

OVL = E22(K, RAND, 16)

The master then sends the bitwise XOR of the OVL and the new link key to the slave, and the slave starts calculating Kmaster (Giousouf, n.d.). In order to complete this transaction successfully the devices then operate an authentication process using the newly generated link key (Giousouf, n.d.). This process is repeated for each slave that receives the new link key (Giousouf, n.d.).

Figure 5.4: Generation of Master Key (Giousouf, n.d.)
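The combination key exchange of section 5.5 and the master key distribution of section 5.6, as an added example that is not part of the original paper. E21 and E22 are stood in for by an HMAC-SHA256 based 128-bit derivation (assumption: the real SAFER+ based functions are replaced so the exchange runs offline; the message flow is the point). A second assumption is that each side masks its random number LK_RAND with the current link key and sends that, with the peer recomputing the other key half from it, which is how the core specification describes the combination key step.

```python
import hashlib
import hmac


# Stand-in for E21/E22 (the real ones are SAFER+ based): HMAC-SHA256 truncated to
# 128 bits. Assumption: any one-way 128-bit derivation is enough to show the flow.
def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """Key half from a 128-bit random number and a 48-bit device address."""
    return prf(lk_rand, b"E21", bd_addr)


def e22(rand1: bytes, rand2: bytes, length: int = 16) -> bytes:
    """Key from two values and a key length in bytes (1..16)."""
    return prf(rand1, b"E22", rand2, bytes([length]))[:length]


def combination_key(bd_addr_a, bd_addr_b, lk_rand_a, lk_rand_b, link_key_a, link_key_b):
    """Section 5.5: A and B each derive their own half with E21, mask their random
    number with the current link key K, send the masked value, unmask the peer's
    with their own copy of K and XOR the two halves into KAB.
    Returns (KAB as computed by A, KAB as computed by B, values that crossed the air)."""
    lk_ka = e21(lk_rand_a, bd_addr_a)                 # A's half, never sent
    lk_kb = e21(lk_rand_b, bd_addr_b)                 # B's half, never sent
    from_a = xor(lk_rand_a, link_key_a)               # on the air: LK_RANDA XOR K
    from_b = xor(lk_rand_b, link_key_b)               # on the air: LK_RANDB XOR K
    # A recovers LK_RANDB with its K, rebuilds LK_KB from B's public BD_ADDR
    kab_at_a = xor(lk_ka, e21(xor(from_b, link_key_a), bd_addr_b))
    # B does the mirror image for A's half
    kab_at_b = xor(e21(xor(from_a, link_key_b), bd_addr_a), lk_kb)
    return kab_at_a, kab_at_b, (from_a, from_b)


def master_key(link_key_master, link_key_slave, rand1, rand2, rand):
    """Section 5.6: Kmaster = E22(RAND1, RAND2, 16); both sides compute
    OVL = E22(K, RAND, 16); the master sends RAND and OVL XOR Kmaster; the slave
    unmasks with its own OVL. Returns (Kmaster at master, Kmaster at slave, masked value)."""
    k_master = e22(rand1, rand2, 16)
    ovl_master = e22(link_key_master, rand, 16)
    on_air = xor(ovl_master, k_master)                # the only secret-bearing value sent
    ovl_slave = e22(link_key_slave, rand, 16)         # same OVL only if the slave holds the same K
    return k_master, xor(ovl_slave, on_air), on_air


if __name__ == "__main__":
    # constructed sample values, not taken from any real device
    addr_a, addr_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    k = bytes(range(16))                              # current link key shared by A and B
    kab_a, kab_b, _ = combination_key(addr_a, addr_b, bytes([1]) * 16, bytes([2]) * 16, k, k)
    print("KAB agreed:", kab_a == kab_b, kab_a.hex())
    km, km_slave, _ = master_key(k, k, bytes([3]) * 16, bytes([4]) * 16, bytes([5]) * 16)
    print("Kmaster delivered:", km == km_slave, km.hex())
```

Both helpers return what crossed the air so a reader can confirm that neither the key halves nor the new keys themselves are ever transmitted in the clear; the masking is only as strong as the current link key K, which is why the paper's Kinit section stresses the PIN.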


5.7. Generation of Encryption Key, KC

The Encryption key is generated by using algorithm E3. To use E3 we need three components: first the current link key, second the 96-bit Cipher Offset number (COF), and third a 128-bit randomly generated number (Giousouf, n.d.).

Figure 5.5: Generation of Encryption Key (Giousouf, n.d.)

5.8. Algorithms used to generate Keys

Figure 5.6: Algorithm E21 (Giousouf, n.d.)


Figure 5.7: Algorithm E22 (Giousouf, n.d.)

Figure 5.8: Algorithm E3 (Giousouf, n.d.)


5.9. Pairing Process

There is a critical process that must be gone through when Bluetooth wants to generate a common key for authentication and encryption between two Bluetooth devices (Akhavan and Vakily, 2011). The process is known as the pairing process. First of all, both Bluetooth devices need to enter a security code which matches on the two devices. This process means that the users of both devices agree to establish a connection (seguridadmobile, n.d.). Actually the pairing process is very simple: it just keeps exchanging a set of random numbers and checks whether the exchanged random number matches the previously sent random number or not. After the first match, an authentication key is generated; then after the second match a link key is created. This pairing procedure only has to be done once; after the connection is terminated it will generate a new session with a new Encryption key (NATIONALINSTRUMENTS, 2008). When the Bluetooth devices want to be connected again they can use the Encryption key to secure data communication (NATIONALINSTRUMENTS, 2008). Then Authentication is performed by using the Link keys (NATIONALINSTRUMENTS, 2008).

Figure 5.9: Pairing process between Bluetooth devices (NATIONALINSTRUMENTS, 2008).

6. Authentication and Confidentiality


6.1. Authentication

Based on the research paper of Padgette and Scarfone in 2008, the authentication process of Bluetooth technology takes the form of a challenge-response scheme. In this method each of the Bluetooth devices involved in the authentication process is known as either the claimant or the verifier (Padgette and Scarfone, 2008). Claimant is the term used to identify the Bluetooth device which wants to prove its identity (Padgette and Scarfone, 2008). On the other hand the verifier is the Bluetooth device which is authenticating the identity of the claimant (Padgette and Scarfone, 2008). The challenge-response protocol is the method that authenticates the devices by verifying knowledge of the secret key used in Bluetooth technology (Padgette and Scarfone, 2008). The key is known as the Bluetooth Link Key (Padgette and Scarfone, 2008).

Figure 6.1: Authentication Process in Bluetooth (Padgette and Scarfone, 2008)


The step that involved in the process of Figure 6.1 are as follows:

1. The process starts from the verifier transmitting a 128-bit random number to the claimant (Padgette and Scarfone, 2008). The random numbers are also called as random challenge (AU_RAND) (Padgette and Scarfone, 2008). 2. Then the verifier and claimant will proceed to generate a critical 32 bits output by using E1 algorithm (Padgette and Scarfone, 2008). To use this algorithm both of them will use their unique 48-bit Bluetooth device address (BD_ADDR), the link key and also the random numer (AU_RAND) as an input for the algorithm (Padgette and Scarfone, 2008). As I mention just now only the critical 32-bits output will be used for authentication process the remaining 96 bits will be used to create Bluetooth encryption key (Padgette and Scarfone, 2008). This 96 bits output is known as Authenticated Ciphering Offset (ACO) value (Padgette and Scarfone, 2008). 3. Then the claimant will returns the critical 32bits of the E1 output as the response to the verifier (Padgette and Scarfone, 2008). This output is also known as SRES (Padgette and Scarfone, 2008). 4. After receiving the SRES the verifier will then compares the SRES with its own SRES which calculated by itself (Padgette and Scarfone, 2008). 5. If both of the values are matching then the authentication process is completed successfully (Padgette and Scarfone, 2008). In the other hand, if both the values are mismatched, the authentication process is marked as failed (Padgette and Scarfone, 2008).

The Bluetooth standard supports both one-way and mutual authentication (Padgette and Scarfone, 2008). In one-way authentication only the claimant is verified; in mutual authentication the exchange above is repeated with the roles swapped, so that each device proves to the other that it knows the link key.
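The exchange of Figure 6.1, simulated end to end as an added example (not code from the paper or from any Bluetooth stack). The real E1 function is built on the SAFER+ block cipher and is not implemented here; the `e1_stub` function is an assumed stand-in using HMAC-SHA256, which is enough to show the message flow, the 32-bit SRES / 96-bit ACO split, the verifier's constant-time comparison, mutual authentication, and a hypothetical back-off the verifier applies after failed attempts. The device addresses and link key are constructed sample values.

```python
"""Legacy Bluetooth challenge-response authentication (Figure 6.1), simulated.

Added example; not code from the paper or from any Bluetooth stack.
ASSUMPTION: the real E1 function is built on the SAFER+ block cipher and is
not implemented here.  `e1_stub` stands in for it using HMAC-SHA256 so that
the message flow, the 32-bit SRES / 96-bit ACO split, the verifier's
comparison and a back-off on failure can be run offline.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def e1_stub(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for E1: (link key, claimant BD_ADDR, AU_RAND) -> (SRES, ACO).

    SRES (32 bits) is returned to the verifier; ACO (96 bits) is kept by both
    sides for later encryption-key derivation.
    """
    if len(link_key) != 16 or len(bd_addr) != 6 or len(au_rand) != 16:
        raise ValueError("link key and AU_RAND are 128 bits, BD_ADDR is 48 bits")
    digest = hmac.new(link_key, bd_addr + au_rand, hashlib.sha256).digest()
    return digest[:4], digest[4:16]


class Device:
    """A Bluetooth device that can play either the claimant or the verifier."""

    def __init__(self, bd_addr: bytes, link_key: bytes) -> None:
        self.bd_addr = bd_addr
        self.link_key = link_key          # shared secret established at pairing
        self.aco: Optional[bytes] = None  # set after a successful authentication
        self.failed_attempts = 0          # verifier-side counter for back-off

    # verifier side
    def challenge(self) -> bytes:
        """Step 1: emit a fresh 128-bit random challenge AU_RAND."""
        return os.urandom(16)

    def verify(self, claimant_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        """Steps 2, 4 and 5: recompute SRES with the claimant's BD_ADDR and
        compare in constant time; keep ACO only on success."""
        expected, aco = e1_stub(self.link_key, claimant_addr, au_rand)
        if hmac.compare_digest(expected, sres):
            self.aco = aco
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False

    def backoff_seconds(self) -> int:
        """Wait the verifier imposes before accepting another attempt: doubles
        per consecutive failure, capped at 64 s.  Hypothetical policy, added
        here to blunt repeated authentication requests."""
        return min(2 ** self.failed_attempts, 64) if self.failed_attempts else 0

    # claimant side
    def respond(self, au_rand: bytes) -> bytes:
        """Steps 2 and 3: run E1 with our own BD_ADDR, keep ACO, return SRES."""
        sres, self.aco = e1_stub(self.link_key, self.bd_addr, au_rand)
        return sres


def one_way_auth(verifier: Device, claimant: Device,
                 au_rand: Optional[bytes] = None) -> bool:
    """Run Figure 6.1 once; AU_RAND may be fixed for reproducible tests."""
    au_rand = verifier.challenge() if au_rand is None else au_rand
    sres = claimant.respond(au_rand)             # sent over the air
    return verifier.verify(claimant.bd_addr, au_rand, sres)


def mutual_auth(a: Device, b: Device) -> bool:
    """Mutual authentication: the exchange is repeated with the roles swapped."""
    return one_way_auth(a, b) and one_way_auth(b, a)


if __name__ == "__main__":
    key = bytes(range(16))                                   # constructed link key
    phone = Device(bytes.fromhex("001122334455"), key)
    headset = Device(bytes.fromhex("66778899aabb"), key)
    print("mutual authentication:", mutual_auth(phone, headset))
    # rogue device spoofing the headset's BD_ADDR but lacking the link key
    rogue = Device(headset.bd_addr, bytes(16))
    print("rogue accepted:", one_way_auth(phone, rogue),
          "verifier back-off (s):", phone.backoff_seconds())
```

Note that the rogue device can copy the headset's BD_ADDR, since addresses are sent in the clear, but without the link key its SRES never matches; what protects the link key is that only SRES, never the key, crosses the air. The back-off counter is the kind of limit on repeated attempts that a verifier needs, because every challenge handed out to an attacker is another (AU_RAND, SRES) pair to analyse.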


6.2. Confidentiality

To provide a confidentiality service to the user, the Bluetooth standard defines three encryption modes (Padgette and Scarfone, 2008). Their purpose is to prevent eavesdropping on the payloads of the data transmitted between Bluetooth devices (Padgette and Scarfone, 2008). Only two of the three modes actually provide confidentiality (Padgette and Scarfone, 2008). The three modes are:

Encryption Mode 1: No encryption is performed on any traffic (Padgette and Scarfone, 2008).

Encryption Mode 2: Individually addressed traffic is encrypted using encryption keys based on individual link keys; broadcast traffic is not encrypted (Padgette and Scarfone, 2008).

Encryption Mode 3: All traffic is encrypted using an encryption key based on the master link key (Padgette and Scarfone, 2008).

Furthermore, the same encryption mechanism is applied in both Encryption Mode 2 and Mode 3 (Padgette and Scarfone, 2008). As shown in Figure 6.2, the encryption key fed to the encryption algorithm is created by an internal key generator (KG) (Padgette and Scarfone, 2008). KG produces the stream cipher key from three inputs: the 128-bit link key, which is the secret shared by the two Bluetooth devices; a 128-bit random number, EN_RAND; and the 96-bit ACO value created during the authentication process shown in Figure 6.1 (Padgette and Scarfone, 2008).

The Bluetooth encryption process is based on the stream cipher algorithm E0 (Padgette and Scarfone, 2008). The key stream produced by E0 is exclusive-ORed with the payload bits, and the result is sent to the receiving device, which recovers the payload by repeating the XOR with the same key stream (Padgette and Scarfone, 2008). The key stream is generated by Linear Feedback Shift Registers (LFSRs) (Padgette and Scarfone, 2008). The inputs to the encryption function are the master device's BD_ADDR, EN_RAND, the slot number (clock value) and the encryption key; these are combined to initialise the LFSRs before each packet is transmitted (Padgette and Scarfone, 2008). The encryption key (KC) is derived from the current link key, and its effective length may vary from 8 bits to 128 bits (Padgette and Scarfone, 2008). Note that E0 is not a Federal Information Processing Standards (FIPS) approved algorithm (Padgette and Scarfone, 2008).

Figure 6.2: Overview of Encryption Process in Bluetooth (Padgette and Scarfone, 2008)


7. Bluetooth Vulnerabilities & Threats


7.1. Vulnerabilities

Although Bluetooth is no longer the most widely used wireless technology, it still relies on a number of protocols and mechanisms to secure data transmission between devices. Nothing is perfect, however: people make mistakes, and so do the machines and protocols that people design and develop. This section discusses the vulnerabilities that have been found in Bluetooth technology.

7.1.1. Vulnerabilities before Bluetooth v1.2

Link key based on unit key. The problem is not that a link key cannot be based on a unit key, but that the unit key is static and reused across every pairing, which weakens security considerably. If an attacker obtains the unit key, eavesdropping and spoofing become possible (Padgette, Scarfone and Chen, 2012).

7.1.2. Vulnerabilities before Bluetooth v2.1

Three problems:

Security Mode 1 never initiates security, so communication in this mode is neither authenticated nor encrypted (Padgette, Scarfone and Chen, 2012).

PIN codes can be very short even though the standard supports PINs of up to 16 bytes (Padgette, Scarfone and Chen, 2012). A short PIN is easy to guess or brute-force.

The encryption key stream repeats after 23.3 hours of use (Padgette, Scarfone and Chen, 2012). If a connection lasts longer than 23.3 hours, the clock value used to initialise the cipher wraps around and repeats, so the same key stream is generated as earlier in the connection (Padgette, Scarfone and Chen, 2012).
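The encryption path of Figure 6.2 and the key-stream repetition just described, modelled together as an added example (not code from the paper or from the Bluetooth specification). The real E0 cipher runs four LFSRs through a summation combiner initialised from KC, the master's BD_ADDR, EN_RAND and the master clock; that cipher is not implemented here. Instead one toy 32-bit LFSR is seeded from a SHA-256 hash of the same inputs, an assumption that keeps the one property the demonstration depends on: identical initialisation gives an identical key stream. The block then shows what the clock wrap costs (XOR of two ciphertexts equals XOR of the two plaintexts) and why the 8-bit lower bound on the negotiated KC length is dangerous (a 256-candidate known-plaintext search). All keys, addresses and payloads are constructed sample values.

```python
"""Model of the E0-style encryption path of Figure 6.2 and of two weaknesses
listed under 7.1.2: key-stream repetition when the clock wraps, and short
negotiated encryption keys.  Added example; not code from the paper or from
the Bluetooth specification.

ASSUMPTIONS: real E0 runs four LFSRs through a summation combiner, initialised
from KC, the master's BD_ADDR, EN_RAND and the master clock.  Here one toy
32-bit LFSR is seeded from a SHA-256 hash of those inputs, which preserves the
property the demonstration needs: identical inputs give an identical key
stream.  Key-length negotiation is modelled by keeping only the negotiated
number of key bits and zeroing the rest.
"""
import hashlib
from typing import Optional

CLOCK_BITS = 28               # 28-bit Bluetooth clock, 312.5 us per tick
CLOCK_MOD = 1 << CLOCK_BITS   # wraps after 2**28 ticks, about 23.3 hours


def negotiate_kc(kc: bytes, key_bits: int) -> bytes:
    """Reduce the 128-bit KC to the negotiated effective length (8..128 bits)."""
    if not 8 <= key_bits <= 128 or key_bits % 8:
        raise ValueError("effective key length is 1..16 bytes")
    keep = key_bits // 8
    return kc[:keep] + b"\x00" * (16 - keep)


def lfsr_keystream(seed: int, nbytes: int) -> bytes:
    """Toy 32-bit Fibonacci LFSR; stands in for the four LFSRs of E0."""
    state = (seed & 0xFFFFFFFF) or 1           # all-zero state would lock up
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            bit = state & 1
            fb = (state ^ (state >> 1) ^ (state >> 21) ^ (state >> 31)) & 1
            state = (state >> 1) | (fb << 31)
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def packet_keystream(kc: bytes, bd_addr: bytes, en_rand: bytes,
                     clock: int, nbytes: int) -> bytes:
    """Per-packet initialisation: KC, master BD_ADDR, EN_RAND and the clock
    value are combined, then the LFSR is run for the packet length."""
    clock %= CLOCK_MOD                         # the wrap that causes reuse
    seed = hashlib.sha256(kc + bd_addr + en_rand +
                          clock.to_bytes(4, "big")).digest()
    return lfsr_keystream(int.from_bytes(seed[:4], "big"), nbytes)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_packet(kc: bytes, bd_addr: bytes, en_rand: bytes,
                   clock: int, payload: bytes) -> bytes:
    """Ciphertext = payload XOR key stream; decryption is the same call."""
    return xor(payload, packet_keystream(kc, bd_addr, en_rand, clock, len(payload)))


def brute_force_short_key(bd_addr: bytes, en_rand: bytes, clock: int,
                          known_plain: bytes, cipher: bytes,
                          key_bits: int = 8) -> Optional[bytes]:
    """Recover a short negotiated KC from one known-plaintext packet by trying
    every candidate (256 of them for an 8-bit key)."""
    keep = key_bits // 8
    for guess in range(1 << key_bits):
        kc = guess.to_bytes(keep, "big") + b"\x00" * (16 - keep)
        if encrypt_packet(kc, bd_addr, en_rand, clock, known_plain) == cipher:
            return kc
    return None


if __name__ == "__main__":
    kc = bytes(range(1, 17))                     # constructed 128-bit KC
    master = bytes.fromhex("001122334455")       # constructed master BD_ADDR
    en_rand = bytes(range(16, 32))               # constructed EN_RAND
    p1, p2 = b"PIN=1234 ok", b"balance=99 "
    c1 = encrypt_packet(kc, master, en_rand, 1000, p1)
    c2 = encrypt_packet(kc, master, en_rand, 1000 + CLOCK_MOD, p2)  # clock wrapped
    print("c1 XOR c2 == p1 XOR p2:", xor(c1, c2) == xor(p1, p2))
    weak = negotiate_kc(kc, 8)
    c3 = encrypt_packet(weak, master, en_rand, 1000, p1)
    print("recovered 8-bit key:", brute_force_short_key(master, en_rand, 1000, p1, c3) == weak)
```

Two packets encrypted under the same (KC, BD_ADDR, EN_RAND, clock) tuple share a key stream, so the attacker who captures both learns p1 XOR p2 without touching the key; this is the two-time-pad failure that the clock wrap reintroduces, and the reason a long-lived link should re-run encryption setup with a fresh EN_RAND well before 23.3 hours. The brute-force function shows that the cost of attacking a negotiated key is 2^keybits trial encryptions, so a device that accepts the 8-bit minimum is protected by nothing.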


7.1.3. Vulnerabilities in Bluetooth v2.1 and v3.0

Static SSP passkeys. A static passkey is susceptible to MITM attacks; a random, unique passkey should be used for each pairing attempt (Padgette, Scarfone and Chen, 2012).

Security Mode 4 fallback. Security Mode 4 is not supported by every Bluetooth device. When the peer does not support it, the devices can fall back to one of the other modes, in the worst case Security Mode 1, which provides no security at all (Padgette, Scarfone and Chen, 2012).

7.1.4. Vulnerabilities in Bluetooth before v4.0

Authentication attempts are repeatable. Because the challenge-response exchange can be repeated without limit, an attacker can keep requesting authentication and collecting challenge/response pairs in an attempt to learn information about the secret link key (Padgette, Scarfone and Chen, 2012). Devices should therefore limit repeated authentication requests, for example by increasing the waiting time between consecutive attempts (Padgette, Scarfone and Chen, 2012).

Master key problem. The master key is shared by all members of the piconet for broadcast encryption (Padgette, Scarfone and Chen, 2012). If a piconet has seven connected devices, all of them use the same master key (Padgette, Scarfone and Chen, 2012). A secret key shared among more than two parties is not secure, because every member can decrypt all broadcast traffic and the compromise of any one member exposes the key for all (Padgette, Scarfone and Chen, 2012).


7.2. Threats

This section gives a brief overview of the threats that Bluetooth technology faces.

Bluesnarfing

Attackers gain access to a Bluetooth device by exploiting a firmware flaw in older devices (Padgette, Scarfone and Chen, 2012). The attack exposes the device's data, including its IMEI, which an attacker can then use to route all incoming calls from the user's device to the attacker's device (Padgette, Scarfone and Chen, 2012).

Bluejacking

The attacker sends unsolicited messages to a Bluetooth device (Padgette, Scarfone and Chen, 2012). The messages themselves do no harm, but they may lure the user into responding to a phishing-style message (Padgette, Scarfone and Chen, 2012).

Bluebugging

The attacker exploits a security flaw in the firmware of some older Bluetooth devices to gain access to the device's data and its commands (Padgette, Scarfone and Chen, 2012). The commands can be executed without the user noticing (Padgette, Scarfone and Chen, 2012).

Denial of Service

This type of attack is not very harmful but is annoying: it drains the device's battery and renders its Bluetooth interface unusable (Padgette, Scarfone and Chen, 2012).

Car Whisperer

A software tool introduced by European security researchers that exploits the use of a fixed default passkey in hands-free Bluetooth car kits (Padgette, Scarfone and Chen, 2012). It lets the attacker receive audio from the car's microphone or send audio to the car's speakers (Padgette, Scarfone and Chen, 2012).

Fuzzing Attacks

The attacker sends malformed or non-standard data to a device and observes how the device behaves (Padgette, Scarfone and Chen, 2012). If the device stops functioning, a serious vulnerability in its protocol stack has been exposed, and further attacks usually follow (Padgette, Scarfone and Chen, 2012).

Secure Simple Pairing Attacks

The attacker forces the devices to use the Just Works SSP association model, for example by claiming that the attacking device has no input or output capability, which opens the pairing to a MITM attack (Padgette, Scarfone and Chen, 2012). A MITM attack is also possible against devices that use a fixed passkey (Padgette, Scarfone and Chen, 2012).


8. Bluetooth Countermeasures
To provide better confidentiality and integrity services to users, organizations that deploy Bluetooth should adopt a set of properly planned countermeasures and make sure they are actually implemented. This sub-topic discusses some of the measures that can be put in place to mitigate the risks and threats Bluetooth faces. Implementing these recommendations does not guarantee that Bluetooth can be operated in a completely safe environment, but it will improve the security level of a Bluetooth deployment. The suggestions are not purely technical; some concern the behaviour of users, and following the guidelines stated below should reduce the threats and risks Bluetooth currently faces (Padgette, Scarfone and Chen, 2012).

Below we list security recommendations that can be used to further enhance Bluetooth security, separated into two categories. The first, highly recommended practices, contains the measures we consider most important and most practical to implement. The second, should consider, contains recommendations that require more resources to implement and should be weighed carefully by the organization.

Highly Recommended Practices

- Develop an organizational wireless security policy that addresses Bluetooth technology (Padgette, Scarfone and Chen, 2012).
- Ensure that Bluetooth users in the organization are fully aware of their security-related responsibilities regarding Bluetooth use (Padgette, Scarfone and Chen, 2012).
- Set up a timetable for regular, comprehensive security assessments; these help the organization understand its Bluetooth security posture (Padgette, Scarfone and Chen, 2012).

- Document the known risks and vulnerabilities of Bluetooth devices; this raises users' awareness of the attacks to avoid and gives an overall understanding of the connectivity between Bluetooth devices (Padgette, Scarfone and Chen, 2012).
- Prepare a set of precautionary measures that help users protect their Bluetooth devices from theft (Padgette, Scarfone and Chen, 2012).
- Change the default settings of Bluetooth devices to match the organization's security policy; default settings usually do not match that policy and are generally not secure enough (Padgette, Scarfone and Chen, 2012).
- Set Bluetooth devices to the lowest necessary power level. Reducing the connection range limits the distance from which an unauthorized user can attempt to attack the device (Padgette, Scarfone and Chen, 2012).
- Choose PIN codes that are long and random rather than convenient, and do not keep the same static PIN code for more than a month (Padgette, Scarfone and Chen, 2012). This makes the PIN much harder for an attacker to guess or brute-force.
- Ensure that link keys are not based on unit keys, because shared unit keys expose several vulnerabilities on which attacks such as eavesdropping and MITM build (Padgette, Scarfone and Chen, 2012).
- Keep Bluetooth devices undiscoverable except during the period when pairing is actually required (Padgette, Scarfone and Chen, 2012).
- Ensure that any device interface that accepts a Bluetooth connection requires the user to enter a password; this helps prevent unauthorized users from gaining access to the device (Padgette, Scarfone and Chen, 2012).

Should Consider

- Keep a complete inventory of Bluetooth-enabled wireless devices, which can be referred to when auditing for unauthorized use of wireless technologies (Padgette, Scarfone and Chen, 2012).
- Use application-level authentication and encryption on top of the Bluetooth stack for sensitive data communication (Padgette, Scarfone and Chen, 2012). Bluetooth devices store link keys in local memory so that they can reconnect to previously paired devices without pairing again (Padgette, Scarfone and Chen, 2012). On its own this is risky: if a device is lost or stolen, whoever holds it can connect and access data as the legitimate user, without the other users of the network noticing (Padgette, Scarfone and Chen, 2012). Protection can be strengthened further with additional authentication methods such as biometrics, public key infrastructure (PKI) or two-factor authentication (Padgette, Scarfone and Chen, 2012).


9. Conclusion
At the end of this research paper I would like to give my personal opinion about Bluetooth technology. In this modern era organizations introduce some kind of new technology almost every day, and the electrical and technical industries grow very fast. Many technologies grow old and lose people's interest once a newer technique is introduced. Bluetooth has already dropped out of the list of frequently used technologies for data transmission and data synchronization, but it still keeps its own strengths and advantages over competing techniques.

Bluetooth security can still be improved, however. As mentioned in an earlier topic, one suggestion for securing data transmission and keeping deliberate attackers out of the Bluetooth network is to lower the transmit power so that the connection range becomes smaller. This countermeasure has a consequence: it reduces the usefulness of Bluetooth, because the connection range is already very short and shrinking it further means data can only be exchanged within a very small area. What I would suggest is to look for a solution that shapes the connectivity range vertically rather than horizontally. Offices are usually located in tall buildings, so the range users need is vertical rather than horizontal, and a technology with such coverage would be well suited to an office. I believe organizations would prefer this cheap, easy-to-deploy technology, which provides effective and efficient data transmission and synchronization for their daily operations, over expensive WiMAX, LTE or newer 4G or 5G techniques.


10. Reference
Al-Hasani, H., n.d. Bluetooth Scatternet Based on CCC [pdf]. Available at: <http://archive.cone.informatik.uni-freiburg.de/teaching/seminar/p2p-networks-s09/deliverables/Al-Hasani_report.pdf> [Accessed 11 June 2013]

Akhavan, M. and Vakily, V.T. 2011. Improvement Bluetooth Authentication and pairing protocol using Encrypted Key Exchange and Station-to-Station MAC Protocols [pdf].Available at :< http://www.ipcsit.com/vol3/081N002.pdf > [Accessed 13 June 2013]

Giousouf, A., n.d. Bluetooth Security [pdf]. Available at: <http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/seminar_giousof_bluetooth.pdf> [Accessed 16 June 2013]

InterBluetooth, n.d. The Pros and Cons of Bluetooth Technology [Online].Available at:< http://www.interbluetooth.co.uk/bluetooth-pros-cons.html > [Accessed 12 June 2013]

Ivris Marcelo, B.N., n.d. Bluetooth Security Features [pdf].Available at :< http://www.urel.feec.vutbr.cz/ra2008/archive/ra2006/abstracts/085.pdf > [Accessed 12 June 2013]

Kardach, J., n.d. Bluetooth* Architecture Overview [pdf].Available at :< http://www.blueradios.com/bluetooth_architecture.pdf > [Accessed 13 June 2013]

Lai, J., May 2006. Introduction to Bluetooth Technology [Online]. Available at: <http://www2.ensc.sfu.ca/~ljilja/cnl/presentations/jeffrey/btpresentation/sld001.htm> [Accessed 11 June 2013]

Lee, CS., n.d. Bluetooth Security Protocol Analysis and Improvements [pdf]. Available at: <https://www.google.com.my/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&cad=rja&ved=0CDkQFjACOAo&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Fdoi%3D10.1.1.122.3116%26rep%3Drep1%26type%3Dpdf&ei=nga5UcmeJNGxrAejxYDgAg&usg=AFQjCNH3icrNZ5fyO94WcBLtFRUDUPnxAA&sig2=eRHjqHwiomeNT0Aw23JYVg&bvm=bv.47883778,d.bmk> [Accessed 13 June 2013]

Nokia Developer, n.d. Bluetooth Overview [Online]. Available at: <http://www.developer.nokia.com/Community/Wiki/Bluetooth_Overview> [Accessed 12 June 2013]

National Instruments, 11 April 2008. Bluetooth [Online]. Available at: <http://www.ni.com/white-paper/7104/en> [Accessed 13 June 2013]

msdn., 2006. Bluetooth Stack Architecture (Window CE5.0) [Online].Available at:< http://msdn.microsoft.com/en-us/library/ms890956.aspx > [Accessed 13 June 2013]

Padgette, J. Scarfone, K. Chen, L., June 2012. Guide to Bluetooth Security [pdf].Available at :< http://csrc.nist.gov/publications/nistpubs/800-121-rev1/sp800121_rev1.pdf > [Accessed 12 June 2013]

Padgette, J. Scarfone, K., September 2008. Guide to Bluetooth Security [pdf].Available at :< http://www.mcs.csueastbay.edu/~lertaul/BluetoothSECV1.pdf > [Accessed 16 June 2013]

Radio-Electronics.com, n.d. Bluetooth Security [Online]. Available at: <http://www.radio-electronics.com/info/wireless/bluetooth/security.php> [Accessed 16 June 2013]

seguridadmobile, n.d. Bluetooth security mechanisms [Online]. Available at: <http://www.seguridadmobile.com/bluetooth/bluetooth-security/securitymechanisms.html> [Accessed 13 June 2013]

