
Bluetooth Security

Issues, Threats and Consequences
Presented by:
Abhishek Rana
1501225
CO-4
BLUETOOTH INTRODUCTION
● Wire replacement technology
● Low power
● Short range: 10 m - 100 m
● 2.4 GHz
● 1 Mb/s data rate
What Is BlueTooth?
● A unique new wireless technology specifically for:
● Short range: 10 - 100 meters typically
● Modest performance (780 Kbps)
● Dynamically configurable ad hoc networking/roaming
● Low power: well suited to handheld applications
● Support for both voice and data
BlueTooth - What is the Technology?
● Uses 2.4 GHz unlicensed ISM band
● Frequency hopping spread spectrum radio for higher interference immunity
● Supports point to point and point to multipoint connection with single radio link
● Designed to provide low cost, robust, efficient, high capacity voice and data networking
● Uses a combination of circuit and packet switching
Why BlueTooth?
● Simple to install and expand
● Need not be in line of sight
● Low cost
● Perfect for file transfer and printing applications
● Simultaneous handling of data and voice on the same channel
Application Of BlueTooth
● PC and peripheral networking
● Hidden computing
● Data synchronization for address book and calendars
● Cellphone acting as a modem for PDA or laptop
● Personal Area Networking (PAN)
  – Enabling a collection of YOUR personal devices to cooperatively work together
Bluetooth in the Home - No Wires
[Figure: home devices linked by Bluetooth: Digital Camera, Computer, Scanner, Inkjet Printer, xDSL Access Point, Home Audio System, PDA, Cordless Phone Base Station, MP3 Player, Cell Phone]
And On the Road
[Figure: devices linked by Bluetooth on the road: Car Audio System, PDA, Cell Phone, Headset, Pay Phone & Access Point, MP3 Player, Laptop, Hotel Phone & Access Point]
BLUETOOTH NETWORKS
● PICONET
● SCATTERNET
BLUETOOTH PICONET
● Bluetooth devices create a piconet
● One master per piconet
● Up to seven active slaves
● Over 200 passive members are possible
● Master sets the hopping sequence
● Transfer rates of 721 Kbit/sec
● Bluetooth 1.2 and EDR (aka 2.0)
  – Adaptive Frequency Hopping
  – Transfer rates up to 2.1 Mbit/sec
BLUETOOTH SCATTERNET
● Connected piconets create a scatternet
● Master in one and slave in another piconet
● Slave in two different piconets
● Only master in one piconet
● Scatternet support is optional
Scatternet
[Figure: scatternet diagram with devices labelled A to Q]
Inquiry (Discovering Who’s Out There)
Note that a device can be “Undiscoverable”
[Figure: inquiry diagram with devices labelled A to Q]
Paging (Creating a Piconet)
[Figure: paging diagram with devices labelled A to Q; range marked as 10 meters]
Parking
[Figure: parking diagram with devices labelled A to Q; range marked as 10 meters]
SECURITY ISSUES AND ATTACKS UNVEILED
AGENDA
● Issues and Origin
● Threat Sources
● Risks
● Demonstration
A COMMON MISCONCEPTION
● No practical Bluetooth vulnerabilities
● The core Bluetooth protocol has maintained its integrity
● A correctly implemented Bluetooth stack should have no vulnerabilities
MYTHS DEBUNKED
● Bluetooth needs pairing
● Short range (1.7 miles achieved)
● Only mobile devices affected
● Non-Discoverable saves me
● Secure as encryption is used
SECURITY MODES
● Security mode 1
  – No active security enforcement
● Security mode 2
  – Service level security
  – On device level no difference to mode 1
● Security mode 3
  – Device level security
  – Enforce security for every low-level connection
VULNERABILITY ORIGINS
● Bad coding practices when developing RFCOMM services
● Lack of knowledge regarding Bluetooth or other security protocols
● Re-use of older services for different protocols
● “Bluetooth is secure”: just plug in and go
Who is Vulnerable
● Both individuals and corporations
● Owners of various popular phones: Nokia 6310, Ericsson T series
● PC owners, laptop users and other Pocket PC owners
● Symbian device owners
● Embedded devices, Bluetooth heating systems etc.
THREATS
● Am I vulnerable?
● Who is a threat?
● What is the impact?
Who is a threat?
● Large scale scammers
● Advertisers
● Dedicated crackers
● Groups/individuals with precise goals
What is Possible?
● Theft of information, personal or corporate
● Device DoS
● Remote code execution
● Corporate espionage
● Airborne viruses or worms
ATTACKS IDENTIFIED
● June 2003: Ollie Whitehouse releases RedFang
● Pentest Ltd release btscanner
● Nov 2003: BLUEJACKING comes into the open
● Jan 2004: BLUESNARFING unveiled
VARIOUS ATTACKS
● The BlueSnarf Attack
● The HeloMoto Attack
● The BlueBug Attack
● Bluetooone
● Blueprinting
BLUESNARFING
Trivial OBEX PUSH channel attack
– obexapp (FreeBSD)
– PULL known objects instead of PUSH
– No authentication
● Infrared Data Association
– IrMC (Specifications for Ir Mobile Communications)
● e.g. telecom/pb.vcf
● Ericsson R520m, T39m, T68
● Sony Ericsson T68i, T610, Z1010
● Nokia 6310, 6310i, 8910, 8910i
HELOMOTO
● Requires entry in 'Device History'
● OBEX PUSH to create entry
● Connect RFCOMM to Handsfree or Headset
● No authentication required
● Full AT command set access
● Motorola V80, V5xx, V6xx and E398
BLUEBUGGING
BlueBug is based on AT Commands (ASCII Terminal)
– Very common for the configuration and control of telecommunications devices
– High level of control...
● Call control (turning phone into a bug)
● Sending/Reading/Deleting SMS
● Reading/Writing Phonebook Entries
● Setting Forwards
BLUETOONE
● Enhancing the range of a Bluetooth dongle by connecting a directional antenna, as done in the Long Distance Attack
BLUEPRINTING
● Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices
● Relevant to all kinds of applications
  – Security auditing
  – Device Statistics
  – Automated Application Distribution
● Released paper and tool at 21C3 in December 2004 in Berlin
BLUESMACK
● Using L2CAP echo feature
● Signal channel request/response
● L2CAP signal MTU is unknown
● No open L2CAP channel needed
● Buffer overflow
● Denial of service attack
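An added example (not from the original slides): the length checks a stack needs on an incoming L2CAP echo request so that an oversized or mislabelled request cannot overflow the receive buffer, which is the failure the BlueSmack slide describes. ECHO_BUF_MAX, handle_echo_request and classify_sample are hypothetical names, and the handler assumes one signalling command per frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define L2CAP_CID_SIGNALLING 0x0001 /* L2CAP signalling channel (ACL-U) */
#define L2CAP_ECHO_REQ       0x08   /* signalling command code: Echo Request */
#define ECHO_BUF_MAX         48     /* assumed size of the local echo buffer */

enum echo_result { ECHO_OK, ECHO_NOT_ECHO, ECHO_TRUNCATED,
                   ECHO_LEN_MISMATCH, ECHO_TOO_BIG };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate one L2CAP frame carrying a single signalling command and copy the
 * echo data into out. *out_len is written only when ECHO_OK is returned. */
int handle_echo_request(const uint8_t *frame, size_t frame_len,
                        uint8_t out[ECHO_BUF_MAX], size_t *out_len)
{
    if (frame_len < 8)                    /* 4-byte L2CAP + 4-byte command header */
        return ECHO_TRUNCATED;
    uint16_t l2_len = le16(frame);        /* length claimed by the L2CAP header */
    if (le16(frame + 2) != L2CAP_CID_SIGNALLING || frame[4] != L2CAP_ECHO_REQ)
        return ECHO_NOT_ECHO;
    if ((size_t)l2_len + 4 != frame_len)  /* claim must match bytes received */
        return ECHO_LEN_MISMATCH;
    uint16_t cmd_len = le16(frame + 6);   /* echo data length claimed by command */
    if ((size_t)cmd_len + 4 != l2_len)    /* command must fill the frame exactly */
        return ECHO_LEN_MISMATCH;
    if (cmd_len > ECHO_BUF_MAX)           /* bound the copy by the local buffer */
        return ECHO_TOO_BIG;
    memcpy(out, frame + 8, cmd_len);
    *out_len = cmd_len;
    return ECHO_OK;
}

/* Constructed sample: a well-formed echo request with data_len bytes of 'A'. */
int classify_sample(uint16_t data_len)
{
    static uint8_t frame[8 + 1024];
    uint8_t out[ECHO_BUF_MAX]; size_t n = 0;
    if (data_len > 1024) return -1;
    uint16_t l2 = (uint16_t)(data_len + 4);
    frame[0] = (uint8_t)l2; frame[1] = (uint8_t)(l2 >> 8);
    frame[2] = 0x01; frame[3] = 0x00;               /* signalling CID */
    frame[4] = L2CAP_ECHO_REQ; frame[5] = 0x01;     /* code, identifier */
    frame[6] = (uint8_t)data_len; frame[7] = (uint8_t)(data_len >> 8);
    memset(frame + 8, 'A', data_len);
    return handle_echo_request(frame, 8u + data_len, out, &n);
}

int main(void) { return classify_sample(600) == ECHO_TOO_BIG ? 0 : 1; }
```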
AFFECTED DEVICES
● A small number of Bluetooth implementations are common across many platforms
● The most popular devices are vulnerable
● Result is a large number of affected devices in public
● Tests show between 85% and 94% vulnerability
IMPACT ON INDIVIDUALS
● Information theft by advertisers
● Location based SPAM
● ID theft
● Theft through billing
● Call theft
CORPORATE IMPACT
● Information theft
● Corporate espionage
● Bribery
Thank You
