
Bluetooth Network Security Seminar Report


GLOBUS ENGINEERING COLLEGE, BHOPAL

GLOBUS ENGINEERING COLLEGE
BHOPAL (M.P.)

SEMINAR REPORT
On
BLUETOOTH NETWORK SECURITY: THREATS & PREVENTIONS

GUIDED BY-
Mr. LALIT JAIN
Dept. of Electronics & Communications, GEC, BHOPAL

SUBMITTED BY-
RAVINDRA MATHANKER
0130EC071046
E.C. 7th sem. GEC, BHOPAL


ACKNOWLEDGMENT

We extend our heartiest thanks to Mr. Arvind Kaurav, HOD, Electronics Dept., for his support in the successful accomplishment of this project. Furthermore, it was his valuable guidance which helped us immensely in various areas of troubleshooting.

We would also like to thank Mr. Anil Sharma, Principal, Globus Engineering College, who provided us with the opportunity to present this paper.

We also thank the faculty of the Electronics Dept., who supported us with their valuable knowledge.

Last but not least, we would like to thank our seniors, who helped us reveal various aspects of this project.

We also thank our friends for production support.

- Ravindra Mathanker
0130EC071046, EC 7th sem


Preface

Modern technology has many advantages and disadvantages. The use of technology depends on the nature of the user, hence scientists and engineers develop devices and equipment to be as safe as possible for all.

This report covers the security threats to Bluetooth and the mindset behind its misuse. The introductory part of the report describes the possible threats of wireless networking. Basic knowledge about Bluetooth is summarized in the following pages.

Readers can easily find information about the security tools of a Bluetooth device and the connection process. The "tricks and tools of attack" part makes the reader aware of how to use Bluetooth securely. The mentality of the hacker, and how people fall prey to hackers, is described in the final part of the report.


Department of Electronics & Communication.

0130ec071046

TABLE OF CONTENTS

INTRODUCTION __________________1
ABOUT BLUETOOTH __________________2
BLUETOOTH NETWORKS __________________3
BLUETOOTH ARCHITECTURE __________________5
SECURITY ASPECTS IN BLUETOOTH __________________6
CONNECTION ESTABLISHMENT __________________8
BREAKING INTO SECURITY __________________9
ATTACKING TOOLS & TRICKS __________________10
USED SOFTWARE
  A) FOR DISCOVERING DEVICES __________________13
  B) FOR HACKING __________________14
EFFECTIVENESS OF ATTACK __________________15
SECURE YOUR DEVICE __________________16
REFERENCES __________________17


BLUETOOTH HACKING THREATS & PREVENTIONS

INTRODUCTION

Wireless communications offer organizations and users many benefits, such as portability and flexibility, increased productivity, and lower installation costs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity.

Ad hoc networks, such as those enabled by Bluetooth, allow users to:

- Synchronize data with network systems and share applications between devices.
- Eliminate cables for printer and other peripheral device connections.
- Synchronize personal databases.
- Access network services such as wireless e-mail, Web browsing, and Internet access.

However, risks are inherent in any wireless technology. The loss of confidentiality and integrity and the threat of denial of service (DoS) attacks are risks typically associated with wireless communications.

Specific threats and vulnerabilities to wireless networks and handheld devices include the following:

- All the vulnerabilities that exist in a conventional wired network apply to wireless technologies.
- Malicious entities may gain unauthorized access to an agency's computer network through wireless connections, bypassing any firewall protections.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed.
- Sensitive data may be corrupted during improper synchronization.
- Data may be extracted without detection from improperly configured devices.


ABOUT BLUETOOTH

The original architecture for Bluetooth was developed by Ericsson Mobile Communication Co. Bluetooth was originally designed primarily as a cable replacement protocol for wireless communications.

Among the array of devices that are anticipated are cellular phones, PDAs, notebook computers, modems, cordless phones, pagers, laptop computers, cameras, PC cards, fax machines, and printers.

The current Bluetooth specification is:

- The 802.11 WLAN standards.
- The unlicensed 2.4 GHz–2.4835 GHz ISM (industrial, scientific, medical applications) frequency band.
- Frequency-hopping spread-spectrum (FHSS) technology to solve interference problems.
- Transmission speeds up to 1 Mbps.

The FHSS scheme uses 79 different radio channels, changing frequency about 1,600 times per second. One channel is used for 625 microseconds, followed by a hop in a pseudo-random order to another channel for another 625 microsecond transmission; this process is repeated continuously. As stated previously, the ISM band has become popular for wireless communications because it is available worldwide and does not require a license.

Bluetooth SIG (Special Interest Group):

- Founded in 1998.
- IBM, Intel, Nokia, Toshiba, Agere and Ericsson are promoters.
- Today more than 2,000 organizations are part of the Bluetooth SIG.

Bluetooth Classes and Specifications


BLUETOOTH NETWORKS

Bluetooth devices can form three types of networks:

- Point to Point Link
- Piconet Network
- Ad-hoc or Scatternet Network

Point to Point Link: when two Bluetooth-enabled devices share information or data, that is called a point to point link.

Piconet Network: when a collection of devices is paired with each other, it forms a small personal area network called a 'Piconet'. A Piconet consists of a master and at most seven active slaves. Each Piconet has its own hopping sequence, and the master and all slaves share the same channel.

Fig: Point to Point Link (master device linked to one slave device)

Fig: Piconet Network (master device linked to several slave devices)


Ad-hoc or Scatternet Network: two or more piconets connected to each other by means of a device (called a 'bridge') participating in both piconets form a Scatternet Network. The role of the bridge is to transmit data across piconets.

Fig: Scatternet Network (Piconet 1 and Piconet 2 joined by a bridge device)

When a number of Bluetooth devices communicate with each other in the same vicinity, there is a high level of interference. To combat interference, Bluetooth technology applies a fast frequency-hopping scheme which hops over 79 channels 1600 times per second.

For devices to communicate with each other using Bluetooth they need to be paired with each other, so that they have a synchronized frequency-hopping sequence.


BLUETOOTH ARCHITECTURE

The Bluetooth core system has three parts:

- RF transceiver
- Baseband
- Protocol stack


SECURITY ASPECTS IN BLUETOOTH

The Bluetooth system provides security at two levels:

- At the Link layer
- At the Application layer

Link layer security

Four different entities are used for maintaining security at the link layer: a Bluetooth device address, two secret keys, and a pseudo-random number that shall be regenerated for each new transaction. The four entities and their sizes are summarized in the table below.

Entity                              Size
BD_ADDR                             48 bits
Private user key, authentication    128 bits
Private user key, encryption        Configurable length (byte-wise), 8-128 bits
RAND                                128 bits

Table 1.1: Entities used in authentication and encryption procedures

Application layer security specification


- L2CAP: enforces security for cordless telephony.
- RFCOMM: enforces security for dial-up networking.
- OBEX: file transfer and synchronization.

The encryption key in Bluetooth changes every time encryption is activated; whether the authentication key changes depends on the running application. Another fact regarding the keys is that the encryption key is derived from the authentication key during the authentication process.

The time required to refresh the encryption key is 2^28 Bluetooth clocks, which is approximately 23 hours. RAND, the random number generator, is used for generating the encryption and authentication keys. Each device should have its own random number generator. It is used in pairing (the process of authentication by entering two PIN codes) for the keys passed in the authentication process.

Security modes in Bluetooth

In Bluetooth there are three security modes:

- Mode 1: Non-secure.
- Mode 2: Service level security, which distinguishes:
  - Trusted devices.
  - Un-trusted devices.
  - Unknown devices.
- Mode 3: Link level.

A trusted device is a device that has been connected before; its link key is stored and it is flagged as a trusted device in the device database. Un-trusted devices are devices that have also previously connected and authenticated, and their link key is stored, but they are not flagged as trusted devices. Unknown devices are devices that have not connected before.

At the Bluetooth service level there are three types of service with regard to security:

- Services that need authentication and authorization: this is automatically granted to trusted devices, but for un-trusted devices manual authentication is required.
- Services that need authentication only: in this case the authorization process is not necessary.
- Open services.


Establishing a connection (from the layers)

This part discusses how a Bluetooth connection is established and how the operation passes through the Bluetooth layers. The first thing is defining the accessed service and which security level is related to this service; then an authentication process will occur. The authentication process takes place only when a request to a service is submitted. We can summarize the authentication process as follows: first, a connection request comes to L2CAP, and L2CAP requests access from the security manager. Then the security manager looks in the service and device databases to determine whether authentication and encryption are needed or not. After the security manager grants access, L2CAP continues to set up a connection.

Regarding the protocol stack, for any new connection request, the request is submitted to L2CAP (in some cases also to RFCOMM for multiplexing), and then the protocol parameters are passed to the security manager for decision making. These parameters enter as query values to the security manager. Finally, the security manager, according to its query results, may either grant or reject the access.
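The decision flow just described, together with the security modes and the trusted/un-trusted/unknown device classes of the previous section, modelled as an added example (not code from the report or from any Bluetooth stack): L2CAP looks up the requested service and the remote device, and the security manager decides whether pairing, authentication, encryption or a manual approval must happen before set-up continues. The device and service databases, the PSM numbers and all type and field names are constructed for illustration; the reading of Mode 3 as "authenticate every link before any channel is set up" is an assumption.

```python
"""Security manager decision flow from the report: L2CAP receives a connection
request and asks the security manager, which consults the service and device
databases. Added example; databases, PSM values and field names are constructed."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    NON_SECURE = 1     # Mode 1: no security procedure is initiated
    SERVICE_LEVEL = 2  # Mode 2: the security manager decides per service
    LINK_LEVEL = 3     # Mode 3: authentication on every link (assumed: before any channel)


class Trust(Enum):
    TRUSTED = "trusted"      # connected before, link key stored, flagged trusted
    UNTRUSTED = "untrusted"  # connected before, link key stored, not flagged trusted
    UNKNOWN = "unknown"      # never connected: no link key yet


class ServiceSecurity(Enum):
    AUTH_AND_AUTHZ = "authentication and authorization"
    AUTH_ONLY = "authentication only"
    OPEN = "open"


@dataclass(frozen=True)
class Service:
    name: str
    security: ServiceSecurity
    encrypt: bool = False  # service additionally requires link encryption


@dataclass(frozen=True)
class Decision:
    pair: bool                  # no link key yet: pairing (PIN entry) must happen first
    authenticate: bool          # run link-layer authentication with the stored link key
    encrypt: bool               # switch on link encryption (needs an authenticated link)
    manual_authorization: bool  # the user must approve this device for this service
    granted: bool               # L2CAP may continue set-up with no further user interaction
    reason: str


# Constructed sample databases (not from the report); the keys of SERVICE_DB are
# L2CAP PSM numbers chosen for illustration only.
DEVICE_DB = {
    "00:11:22:33:44:55": Trust.TRUSTED,
    "00:11:22:33:44:66": Trust.UNTRUSTED,
}
SERVICE_DB = {
    0x1001: Service("dial-up networking", ServiceSecurity.AUTH_AND_AUTHZ, encrypt=True),
    0x1003: Service("object push (vCard)", ServiceSecurity.AUTH_ONLY),
    0x1005: Service("service discovery", ServiceSecurity.OPEN),
}


def security_manager_decision(mode: Mode, service: Service, trust: Trust) -> Decision:
    """Apply the report's security-mode and service-type rules to one request."""
    if mode is Mode.NON_SECURE:
        return Decision(False, False, False, False, True, "mode 1: nothing enforced")
    needs_auth = (mode is Mode.LINK_LEVEL
                  or service.security is not ServiceSecurity.OPEN
                  or service.encrypt)
    pair = needs_auth and trust is Trust.UNKNOWN
    # Authorization is automatic for trusted devices and manual for all others.
    manual = (service.security is ServiceSecurity.AUTH_AND_AUTHZ
              and trust is not Trust.TRUSTED)
    granted = not pair and not manual
    reason = f"{service.security.value} service, {trust.value} device, mode {mode.value}"
    return Decision(pair, needs_auth, needs_auth and service.encrypt, manual, granted, reason)


def l2cap_connect_request(mode: Mode, bd_addr: str, psm: int) -> Decision:
    """L2CAP entry point: look up service and device, then ask the security manager."""
    service = SERVICE_DB.get(psm)
    if service is None:  # nothing in the service DB for this PSM: reject outright
        return Decision(False, False, False, False, False, f"unknown PSM {psm:#x}: rejected")
    trust = DEVICE_DB.get(bd_addr.upper(), Trust.UNKNOWN)
    return security_manager_decision(mode, service, trust)
```

Note how only the trusted device passes the authentication-and-authorization service without user interaction, while an unknown device is held for pairing even on an open service once Mode 3 is in force.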


BREAKING INTO SECURITY

Bluetooth devices themselves have inherent security vulnerabilities. For example, malicious users can use wireless microphones as bugging devices. Although such attacks have not been documented because Bluetooth is not yet commercially prevalent, incidents have been recorded of successful attacks on PCs using programs such as Back Orifice and Netbus. If a malicious user has a program such as Back Orifice installed on a device in the Bluetooth network, that user could access other Bluetooth devices and networks that have limited or no security. These same programs could be used against Bluetooth devices and networks. Bluetooth devices are further vulnerable because the system authenticates the devices, not the users. As a result, a compromised device can gain access to the network and compromise both the network and devices on the network.

Attack Tools & Programs

- Hardware used: Dell XPS, Nokia N95, Nokia 6150, HP iPAQ hx2790b.
- Operating systems: Ubuntu, Backtrack, Windows Vista, Symbian OS, Windows Mobile.
- Software used: Bluebugger, Bluediving, Bluescanner, Bluesnarfer, BTscanner, Redfang, Blooover2, Ftp_bt.

The Dell laptop with Windows Vista was used as a target and for scanning, then with Linux to attempt attacks. The Pocket PC served as a target, and of the mobiles one was used for attacking and one as a target.

Attacking methodology

The first and last thing needed to break the security of a Bluetooth device is to set up a connection or pairing. After that the programs can be used to access the device's data. Tools are used to find the MAC addresses of nearby devices to attack. This generally finds devices set to discoverable, although programs exist with a brute force approach that detects them when hidden. These programs also provide other basic information such as device classes and names.


Attacking Tools or Tricks

Bluejacking

Sending an unsolicited message over Bluetooth; generally harmless, but can be considered annoying at worst. Bluejacking is generally done by sending a vCard (electronic business card) to the phone and using the name field as the message.

OBEX Push

A way of bypassing authentication by sending a file designed to be automatically accepted, such as a vCard, and instead using OBEX to forward a request for data or, in some cases, control. Used in the attacks below.

Bluesnarfing

Through it, data on a device such as text messages, contact lists, calendar, e-mails etc. can be accessed via Bluetooth. This uses the OBEX push profile to attempt to send an OBEX GET command to retrieve known filenames such as telecom/pb.vcf. The enhancement to this, Bluesnarf++, connects to the OBEX FTP server to transfer the files.

Here 'snarf' is networking slang for 'unauthorized copy'.

Bluesnarfing consists of data theft from:

- Calendar
  ● Appointments
  ● Images
- Phone Book
  ● Names, Addresses, Numbers
  ● PINs and other codes
  ● Images

Devices: Ericsson R520m, T39m, T68, Sony Ericsson T68i, T610, Z1010, Nokia 6310, 6310i, 8910, 8910i


HeloMoto

It can take full control of a device using AT commands. Either OBEX is used to create a connection as in a Bluesnarf, or a vCard is sent and then the request is automatically cancelled, leaving the attacking device as a trusted device in the target. This allows AT commands to be used. It requires an entry in 'Device History'.

Connect RFCOMM to Hands-free or Headset:
– No authentication required.
– Full AT command set access.

Devices: Motorola V80, V5xx, V6xx and E398

Bluebugging

Through it an unauthorized connection to the serial profile can be created:
– Full access to AT command set
– Read/Write access to SMS store
– Read/Write access to Phone Book

Take control of the phone, make calls, listen to calls etc.: anything a user can do. This attack gains access to the mobile through RFCOMM channel 17, which on certain phones is unsecured and can be used as a backdoor. Once connected, AT commands are used to take control of the mobile.

How come!?
– Various manufacturers poorly implemented the Bluetooth security mechanisms.
– Unpublished services on RFCOMM channels
- Not announced via SDP

Affected devices: Nokia has quite a lot of models (6310, 6310i, 8910, 8910i...), Sony Ericsson T86i, T610….

DOS (Denial of service) Attacks

There are various attacks such as Bluesmack, Bluestab and in some cases Bluejacking that can be used to cause a DoS. This can range from using Bluejacking to repeatedly send messages to a phone that requires them to be accepted, to using AT commands to crash the phone, or malformed packets (ping of death). This can cause strange behavior in devices, or they simply crash.


Long Distance Attacking (Blue Sniper)

This trick was tested at the beginning of August 2004. The experiment was done in Santa Monica, California. The attacker had a class 1 Bluetooth device (called a 'dongle') with software. The bugged or snarfed device was a class 2 device (Nokia 6310i) at a distance of 1.78 km (1.01 miles).

Blueprinting

Blueprinting is fingerprinting the Bluetooth Wireless Technology interfaces of devices. This work was started by Collin R. Mulliner and Martin Herfurt. It is relevant to all kinds of applications:
– Security auditing.
– Device statistics.
– Automated application distribution.

A paper and tool related to this technique were released at 21C3 in December 2004 in Berlin.

Blueprinting basics:

2. Hashing information from profile entries: the record handle and the RFCOMM channel number, adding it all up as (RecHandle1*Channel1) + (RecHandle2*Channel2) + ... + (RecHandleN*ChannelN).
3. It uses the Bluetooth device address for bugging purposes.

Example of a Blueprint: 00:60:57@2621543
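The hash formula above carried through in code, as an added example that is not the trifinite tool: it reads the record handle and RFCOMM channel out of a constructed SDP browse listing, sums RecHandle*Channel over the records, and prefixes the manufacturer part of the BD_ADDR in the page's "prefix@hash" format. The listing, the BD_ADDR used (only its 00:60:57 prefix comes from the page) and the treatment of records without an RFCOMM channel are assumptions of this example; the fingerprint is what an auditor would compare against a device inventory.

```python
"""Blueprint fingerprint from the formula on this page: sum over the SDP service
records of (record handle * RFCOMM channel), prefixed with the manufacturer part
of the BD_ADDR. Added example, not trifinite's tool; the SDP browse listing and
the address are constructed."""
import re

# Constructed listing in the style of an SDP browse, carrying the two fields the
# hash uses: "Service RecHandle" and, for RFCOMM-based services, "Channel".
SAMPLE_SDP_LISTING = """
Service Name: Dial-up Networking
Service RecHandle: 0x10000
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10001
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)

Service Name: Headset Audio Gateway
Service RecHandle: 0x10002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
"""


def parse_records(listing: str):
    """Return (record handle, RFCOMM channel) pairs, one per service record.
    A record without an RFCOMM channel (L2CAP-only service) gets channel 0, so it
    does not change the hash (an assumption of this example)."""
    records = []
    for block in re.split(r"\n\s*\n", listing.strip()):
        handle = re.search(r"Service RecHandle:\s*0x([0-9A-Fa-f]+)", block)
        channel = re.search(r"Channel:\s*(\d+)", block)
        if handle:
            records.append((int(handle.group(1), 16), int(channel.group(1)) if channel else 0))
    return records


def blueprint_hash(records) -> int:
    """(RecHandle1*Channel1) + (RecHandle2*Channel2) + ... + (RecHandleN*ChannelN)."""
    return sum(handle * channel for handle, channel in records)


def blueprint(bd_addr: str, listing: str) -> str:
    """Fingerprint in the page's format (e.g. 00:60:57@2621543): the first three
    octets of the BD_ADDR, which identify the manufacturer, plus the profile hash.
    Devices of one model and firmware share the hash, which is what lets an audit
    match discovered devices against an inventory of known models."""
    manufacturer = ":".join(bd_addr.upper().split(":")[:3])
    return f"{manufacturer}@{blueprint_hash(parse_records(listing))}"
```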


Attacking software

For Discovering Bluetooth Devices

BlueScanner - BlueScanner searches for Bluetooth-enabled devices. It will try to extract as much information as possible for each newly discovered device.

BlueSniff - BlueSniff is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.

BTBrowser - Bluetooth Browser is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth-enabled devices. You can browse device information and all supported profiles and service records of each device. BTBrowser works on phones that support JSR-82, the Java Bluetooth specification.

BTCrawler - BTCrawler is a scanner for Windows Mobile based devices. It scans for other devices in range and performs service queries. It implements the BlueJacking and BlueSnarfing attacks.


For Hacking Bluetooth Devices

BlueBugger - BlueBugger exploits the BlueBug vulnerability. BlueBug is the name of a set of Bluetooth security holes found in some Bluetooth-enabled mobile phones. By exploiting those vulnerabilities, one can gain unauthorized access to the phone book, call lists and other private information.

CIHWB - Can I Hack With Bluetooth (CIHWB) is a Bluetooth security auditing framework for Windows Mobile 2005. Currently it only supports some Bluetooth exploits and tools like BlueSnarf, BlueJack, and some DoS attacks. It should work on any PocketPC with the Microsoft Bluetooth stack.

Bluediving - Bluediving is a Bluetooth penetration testing suite. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++ and BlueSmack, has features such as Bluetooth address spoofing, an AT and an RFCOMM socket shell, and implements tools like carwhisperer, bss, an L2CAP packet generator, an L2CAP connection resetter, an RFCOMM scanner and a greenplaque scanning mode.

Transient Bluetooth Environment Auditor - T-BEAR is a security-auditing platform for Bluetooth-enabled devices. The platform consists of Bluetooth discovery tools, sniffing tools and various cracking tools.

Bluesnarfer - Bluesnarfer will download the phone book of any mobile device vulnerable to Bluesnarfing. If a mobile phone is vulnerable, it is possible to connect to the phone without alerting the owner and gain access to restricted portions of the stored data.

BTcrack - BTCrack is a Bluetooth passphrase (PIN) cracking tool. BTCrack aims to reconstruct the passkey and the link key from captured pairing exchanges.

Blooover II - Blooover II is a J2ME-based auditing tool. It is intended to serve as an auditing tool to check whether a mobile phone is vulnerable.

BlueTest - BlueTest is a Perl script designed to do data extraction from vulnerable Bluetooth-enabled devices.

BTAudit - BTAudit is a set of programs and scripts for auditing Bluetooth-enabled devices.


Effectiveness of Attacks

Laptop

The attacks here were a resounding failure, with all devices being attacked requiring user input to function. Bluebugging and Bluesnarfing were both attempted several times; with trial and error the correct channels for these attacks were found and used to successfully contact the phone, but they failed to work without authentication.

Vs Mobiles

Attacks made against the Nokia N95 and Nokia 6250 both connected to the phone but required the user to accept to continue, and thus were considered a failure. Attacks were also made against other nearby mobiles with either the same result or, in a single case, a successful transfer with Bluesnarfing but no data gathered (unusual filenames were assumed).

Vs Laptops

A single laptop with Bluetooth came into range and, after asking the owner, attacks were performed without success, even when he decided to accept the connection.

Mobile

Vs Mobiles

The primary success was through this device and a program called Blooover2. An auditing tool, Blooover2 tests the possible effect of various attacks and did a few minor attacks of its own. While the test devices required authentication for this audit to function, passing devices showed several vulnerabilities, and after hunting down owners and asking permission, successful attacks were performed.

The software inserted phonebook entries, copied phone books and changed call forwarding, effectively taking phones off the network. The other program that had a single successful attack was called "Super Bluetooth attack": while the majority of phones required authentication, a Sony Ericsson (model unknown) allowed access without it. Phonebook and messages were accessible, while calls could also be made and general settings changed (display, sounds etc).


SECURE YOUR DEVICE

Bluetooth social engineering

Bluetooth is used by people daily, so it is possible to use social engineering techniques to attack devices. One of the most common uses of Bluetooth is with mobile phones, which can be an interesting part of social engineering to examine.

Some users tend to accept incoming connections, leaving themselves at risk of outside attack. More a lack of education than anything else causes people not to recognize a threat when they see one and to accept incoming connections. This is an interesting way of using social engineering to break into devices.

Security Effectiveness

The standard security method for Bluetooth is simply to have the device hidden or turned off, and many devices require user input for any incoming message or connection.

This is surprisingly effective, as when a device requires authentication for even a vCard it is difficult to find a way in without an unsecured channel. The biggest security risk seems to be the users themselves: several attacks succeeded simply because the users accepted the incoming connection (many harmless audits were performed on passers-by), allowing access to their device (we considered this a failure of the attack). No amount of security can prevent a user opening the door, so to speak. No additional security software was found for Bluetooth.

