Bluetooth Security
By: Mohammed A. Ahmed, Amjad M. Musleh, Asmat K. Marouf
Advisors: Dr. Ashraf S. H. Mahmoud, Dr. Marwan H. Abu-Amara
Project Description
• Study Bluetooth security aspects
• Blue-attacks mechanism analysis
• Implementation of Java Bluetooth Applications
Agenda
• Introduction
• Security Mechanism
• Bluesnarfing Attack
• Bluetooth Programming Environment
• J2ME into J2SE
• Bluetooth Application Programming
• Difficulties Faced
• Conclusion
Introduction
• What is Bluetooth?
  – Short-range wireless technology
  – Developed by the SIG (Special Interest Group)
• Properties
  – 2.4 GHz ISM (industrial, scientific, medical) band
  – Frequency-hopping spread spectrum
  – Point-to-multipoint
Introduction
• Bluetooth Stack
  – Bluetooth host (software)
  – Bluetooth controller (hardware)
  – HCI (host controller interface)
Introduction
• Bluetooth attack examples
  – Blue-snarf attack: get personal information
  – Blue-jack attack: send unwanted messages
  – Blue-bug attack: full access (AT commands)
Security Mechanism
• Looking for the causes of Blue-attacks
  – Searching the security mechanism
    • Holes in the security architecture or Bluetooth spec.
  – Searching the security implementation
    • Holes in the vendor's implementation
Security Mechanism
• Bluetooth security: service-dependent
  – Which service determines what security level is required
• Bluetooth link level security
  – Not always enforced
  – Device authentication
  – Link encryption (pairing)
• Bluetooth higher-level security
  – Up to the vendor's implementation
Security Mechanism
• Analysis of link level security
[Flowchart: link level security between Device 1 (Client) and Device 2 (Server)]
  1. Find a Bluetooth device. Device found? (Yes / No)
  2. Enter PIN on both devices, generate Auth. Key: K1
  3. Exchange link key
  4. Challenge; process auth. and respond
  5. Response OK? No: Disconnect! / Terminate. Yes: generate encryption key on both devices
  6. Exchange encrypted data over the encrypted, secure link
Security Mechanism
• Results
  – Weakness in link level: PIN
    • Solution: long & random PIN
  – Key exchange
    • Solution: do it in private!!
  – BUT
    • Other wireless protocols ~ same problem
    • Even if I got the PIN, ATTACKS SHOULD NOT HAPPEN!!
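The link level flow and the PIN result above, as an added example that is not part of the original slides. It swaps HMAC-SHA256 in for the Bluetooth key and authentication functions, assumes the server is the side that sends the challenge, and uses constructed PINs and a constructed device address.

```python
import hashlib
import hmac
import math
import secrets


def derive_link_key(pin: str, rand: bytes) -> bytes:
    # Stand-in (HMAC-SHA256) for the spec's key-generation function.
    # rand travels in the clear, so the PIN is the only secret input.
    return hmac.new(pin.encode(), b"link-key" + rand, hashlib.sha256).digest()[:16]


def auth_response(link_key: bytes, challenge: bytes, claimant_addr: bytes) -> bytes:
    # Stand-in for the authentication function: short response bound to
    # the challenge and the claimant's device address.
    return hmac.new(link_key, challenge + claimant_addr, hashlib.sha256).digest()[:4]


def derive_encryption_key(link_key: bytes, challenge: bytes) -> bytes:
    return hmac.new(link_key, b"enc-key" + challenge, hashlib.sha256).digest()[:16]


def pair_and_authenticate(client_pin: str, server_pin: str, client_addr: bytes):
    """Run the flowchart once; return (link_state, encryption_key_or_None)."""
    rand = secrets.token_bytes(16)              # exchanged during pairing
    k_client = derive_link_key(client_pin, rand)
    k_server = derive_link_key(server_pin, rand)

    challenge = secrets.token_bytes(16)         # server -> client (assumed direction)
    response = auth_response(k_client, challenge, client_addr)   # client -> server
    expected = auth_response(k_server, challenge, client_addr)

    if not hmac.compare_digest(response, expected):   # "Response OK?" -> No
        return "disconnect", None
    return "encrypted", derive_encryption_key(k_server, challenge)


def pin_entropy_bits(length: int, alphabet_size: int = 10) -> float:
    # Upper bound on the secrecy of the link key when the PIN is random.
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    addr = bytes.fromhex("001122334455")        # constructed device address
    print(pair_and_authenticate("4821", "4821", addr)[0])
    print(pair_and_authenticate("4821", "0000", addr)[0])
    for n in (4, 8, 16):
        print(n, "digit PIN:", round(pin_entropy_bits(n), 1), "bits")
```

Because every other input crosses the air, the PIN length sets the strength of everything derived from it, which is why the slide asks for a long, random PIN and a private pairing location.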
Bluesnarfing Attack
• Why does the Bluesnarfing attack happen?
  – Vendors' implementation of the OBEX protocol
• Three profiles use the OBEX protocol:
  – Synchronization Profile (secure)
  – File Transfer Profile (secure)
  – Object Push (insecure)
[Figure: profiles over OBEX. Application layer: File Transfer Profile (application), Object Push (business card), Synchronization (phone book, calendar). Session layer: OBEX. Below: lower layers.]
Bluesnarfing Attack
• What is the OBEX protocol?
  – Exchanges objects between devices
• The four main operations used in OBEX:
  – Connect operation
  – Put operation
  – Get operation
  – Disconnect operation
• OBEX protocol layers
Bluesnarfing Attack
Normal OBEX session (Client / Server):
  1. Connect (Target #)
     – Initiating the security procedure depending on the target application, if any
  2. Get/Put operation (Connection ID #, Who #)
  3. Disconnect (Connection ID #, Who #)
Bluesnarfing Attack
How the Bluesnarfing attack happens:
Bluetooth Programming Environment
• Why Java?
  – Platform independent
  – Multiple vendors (choices!)
  – Widespread industry acceptance
• Java platforms:
  – J2SE for desktop applications
  – J2ME for resource-constrained computing devices
Bluetooth Programming Environment
• What is J2ME?
• Configuration
  – Core classes
• Profile
  – Example: MIDP (Mobile Information Device Profile)
• Optional packages
  – To include additional technologies
  – Example, Bluetooth packages:
    1. javax.bluetooth
    2. javax.obex
[Figure: J2ME stack, top to bottom: Optional Packages, Profile, Configuration, Host Operating System]
Bluetooth Programming Environment
• J2ME toolkit (compile & emulate)
Bluetooth Programming Environment
• Working in a real environment
  – To discover and communicate with other devices
• To run our Bluetooth applications in a real environment:
  – Using a Bluetooth mobile device
  – Using our desktop with a Bluetooth adapter
• For the first approach:
  – NOKIA 6810 mobile phone
  – It did not work (Java Bluetooth API is missing)!
J2ME into J2SE
• To support J2ME features:
  – javax.microedition.io
• To support Bluetooth:
  – javax.bluetooth
• Is it enough?
  – Other classes are missing
J2ME into J2SE
• Ready solution (GCF)
  – GCF (Generic Connection Framework)
  – Defines ALL packages needed to migrate J2ME to J2SE
  – Different implementations
    • Example: aveLink Bluetooth for Java
Bluetooth Application Programming
• Short-term goal
  – Bluetooth programming & attack preparation
• Long-term goal
  – Bluetooth attacks implementation
• Application components
  – Bluetooth Controller
  – Connection Controller
  – Attack Executor
Bluetooth Application Programming
• General scenario
Bluetooth Application Programming
• Bluetooth Controller
  – Job
    • Device discovery
    • Service discovery
  – Implementation
    • javax.bluetooth built-in methods
Bluetooth Application Programming: Bluetooth Controller
Bluetooth Application Programming
• Connection Controller
  – Connect to what service (service inquiry)
  – URL of the service (service record as response)
  – Establish appropriate connection
• Connection to service: 2-party operation
  – Server mobile may respond differently
Bluetooth Application Programming
• Attack Executor
  – Message Advertiser
    • Advertise messages to mobiles in range
    • Use OBEX
  – Infinite SMS sender
    • Send SMS from one victim to another
    • Use AT commands over serial port profile
Bluetooth Application Programming: Message Advertiser
Bluetooth Application Programming: Infinite SMS sender
Difficulties Faced
• Lack of resources
  – Cost
  – Non-vulnerability
• Pre-work: environment adaptation
  – Software & hardware requirements
• Illegality of hacking: limited guidance
Conclusion
• General wireless programming sense
• Theoretical experience
  – Bluetooth in general
  – Bluetooth security issues
• Practical experience
  – Programming on different Java platforms
  – Bluetooth programming in particular
• Finally: Knowledge-based hacking = Knowledge + Time + Effort + KEEP TRYING
THANK YOU