GLOBUS ENGINEERING COLLEGE, BHOPAL (M.P.)

SEMINAR REPORT
on
BLUETOOTH NETWORK SECURITY: THREATS & PREVENTIONS

Guided by: Mr. LALIT JAIN, Dept. of Electronics & Communications, GEC, BHOPAL
Submitted by: RAVINDRA MATHANKER, 0130EC071046, E.C. 7th sem., GEC, BHOPAL
ACKNOWLEDGMENT
We extend our heartiest thanks to Mr. Arvind Kaurav, HOD, Electronics Dept., for his support in accomplishing this project successfully. Furthermore, it was his valuable guidance which helped us immensely in various areas of troubleshooting.
We would also like to thank Mr. Anil Sharma, Principal, Globus Engineering College. He provided us an opportunity to present this paper.
We also thank the faculty of the Electronics Dept., who supported us with their valuable knowledge.
Last but not least, we would like to extend thanks to our seniors, who helped us reveal various aspects of this project.
We also thank our friends for production support.
- Ravindra Mathanker
0130EC071046, EC 7th sem
Preface
Modern technology has many advantages and disadvantages. How technology is used depends on the nature of the user, so scientists and engineers develop devices and equipment to be as safe as possible for everyone.
This report covers the security threats to Bluetooth and the mindset behind its misuse. The introductory part of the report describes the possible threats of wireless networking. Basic knowledge about Bluetooth is summarized in the following pages.
Readers can easily find information about the security tools of a Bluetooth device and about the connection process. The "tricks and tools of attack" part makes the reader aware of the need for secure use of Bluetooth. The mentality of the hacker, and how people fall victim to hackers, is described in the final part of the report.
Department of Electronics & Communication
TABLE OF CONTENTS
INTRODUCTION
ABOUT BLUETOOTH
BLUETOOTH NETWORKS
BLUETOOTH ARCHITECTURE
SECURITY ASPECTS IN BLUETOOTH
CONNECTION ESTABLISHMENT
BREAKING INTO SECURITY
ATTACKING TOOLS & TRICKS
SOFTWARE USED
  A) FOR DISCOVERING DEVICES
  B) FOR HACKING
EFFECTIVENESS OF ATTACK
SECURE YOUR DEVICE
REFERENCES
BLUETOOTH HACKING THREATS & PREVENTIONS
INTRODUCTION
Wireless communications offer organizations and users many benefits, such as portability and flexibility, increased productivity, and lower installation costs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity.
Ad hoc networks, such as those enabled by Bluetooth, allow users to:
- synchronize data with network systems and share applications between devices;
- eliminate cables for printer and other peripheral device connections;
- synchronize personal databases;
- access network services such as wireless e-mail, Web browsing, and Internet access.
However, risks are inherent in any wireless technology. The loss of confidentiality and integrity and the threat of denial of service (DoS) attacks are the risks typically associated with wireless communications.
Specific threats and vulnerabilities of wireless networks and handheld devices include the following:
- All the vulnerabilities that exist in a conventional wired network also apply to wireless technologies.
- Malicious entities may gain unauthorized access to an agency's computer network through wireless connections, bypassing any firewall protections.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed.
- Sensitive data may be corrupted during improper synchronization.
- Data may be extracted without detection from improperly configured devices.
ABOUT BLUETOOTH
The original architecture for Bluetooth was developed by Ericsson Mobile Communications. Bluetooth was originally designed primarily as a cable replacement protocol for wireless communications.
Among the array of devices anticipated are cellular phones, PDAs, notebook computers, modems, cordless phones, pagers, laptop computers, cameras, PC cards, fax machines, and printers.
The current Bluetooth specification provides for:
- coexistence with the 802.11 WLAN standards in the unlicensed 2.4 GHz–2.4835 GHz ISM (industrial, scientific, medical applications) frequency band;
- frequency-hopping spread-spectrum (FHSS) technology to solve interference problems;
- transmission speeds up to 1 Mbps.
The FHSS scheme uses 79 different radio channels by changing frequency about
1,600 times per second. One channel is used in 625 microseconds followed by a
hop in a pseudo-random order to another channel for another 625 microsecond
transmission; this process is repeated continuously. As stated previously, the ISM
band has become popular for wireless communications because it is available
worldwide and does not require a license.
Bluetooth SIG (Special Interest Group):
- Founded in 1998.
- Promoters: IBM, Intel, Nokia, Toshiba, Agere, and Ericsson.
- Today more than 2,000 organizations are part of the Bluetooth SIG.
Bluetooth Classes and Specifications
BLUETOOTH NETWORKS
Bluetooth devices can form three types of networks:
- Point-to-point link
- Piconet
- Ad hoc or scatternet network
Point-to-point link: when two Bluetooth-enabled devices share information or data, this is called a point-to-point link.
Piconet: a collection of devices paired with each other forms a small personal area network called a 'piconet'. A piconet consists of a master and at most seven active slaves. Each piconet has its own hopping sequence, and the master and all slaves share the same channel.
Fig: Point-to-point link (master device and one slave device) and piconet (master device with several slave devices)
Ad hoc or scatternet network: two or more piconets connected to each other by means of a device (called a 'bridge') participating in both piconets form a scatternet. The role of the bridge is to transmit data across piconets.
Fig: Scatternet network (Piconet 1 and Piconet 2 joined by a bridge device)
When a number of Bluetooth devices communicate with each other in the same vicinity, there is a high level of interference. To combat interference, Bluetooth technology applies a fast frequency-hopping scheme which hops over 79 channels 1600 times per second.
For devices to communicate with each other using Bluetooth, they need to be paired with each other so that they have a synchronized frequency-hopping sequence.
BLUETOOTH ARCHITECTURE
The Bluetooth core system has three parts:
- RF transceiver
- Baseband
- Protocol stack
SECURITY ASPECTS IN BLUETOOTH
The Bluetooth system provides security at two levels:
- at the link layer;
- at the application layer.
Link layer security
Four different entities are used for maintaining security at the link layer: a Bluetooth device address, two secret keys, and a pseudo-random number that shall be regenerated for each new transaction. The four entities and their sizes are summarized in the table below.

Entity                              Size
BD_ADDR                             48 bits
Private user key, authentication    128 bits
Private user key, encryption        configurable length (byte-wise), 8-128 bits
RAND                                128 bits

Table 1.1: Entities used in authentication and encryption procedures
Application layer security specification
- L2CAP: enforces security for cordless telephony.
- RFCOMM: enforces security for dial-up networking.
- OBEX: file transfer and synchronization.
The encryption key in Bluetooth changes every time encryption is activated; whether the authentication key changes depends on the running application. Another fact regarding the keys is that the encryption key is derived from the authentication key during the authentication process.
The time after which the encryption key must be refreshed is 2^28 Bluetooth clock ticks, which is approximately 23 hours. RAND, the random number generator, is used for generating the encryption and authentication keys. Each device should have its own random number generator. It is also used in pairing (the process of authentication by entering two PIN codes) for the keys passed in the authentication process.
Security modes in Bluetooth
In Bluetooth there are three security modes:
- Mode 1: non-secure.
- Mode 2: service-level security, which distinguishes trusted devices, untrusted devices and unknown devices.
- Mode 3: link-level security.
A trusted device is a device that has been connected before; its link key is stored and it is flagged as trusted in the device database.
Untrusted devices are devices that have also previously connected and authenticated; their link key is stored, but they are not flagged as trusted devices.
Unknown devices are devices that have not connected before.
At the Bluetooth service level there are three types of service with regard to security:
- Services that need authentication and authorization: access is granted automatically to trusted devices, but for untrusted devices manual authentication is required.
- Services that need authentication only: in this case the authorization process is not necessary.
- Open services.
Establishing a connection (from the layers)
This part discusses how a Bluetooth connection is established and how the operation passes through the Bluetooth layers. The first step is to identify the accessed service and the security level associated with that service; then an authentication process occurs. The authentication process takes place only when a request for a service is submitted. The process can be summarized as follows: first, a connection request arrives at L2CAP, and L2CAP requests access from the security manager. Then the security manager looks in the service and device databases to determine whether authentication and encryption are needed. After the security manager grants access, L2CAP continues to set up the connection.
Regarding the protocol stack, any new connection request is submitted to L2CAP (in some cases also to RFCOMM, for multiplexing), and then the protocol parameters are passed to the security manager for a decision. These parameters enter the security manager as query values. Finally, the security manager, according to its query results, either grants or rejects access.
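The decision flow above, as an added toy model written for this report rather than code from any real Bluetooth stack: it classifies the requesting device from a device database (trusted / untrusted / unknown) and combines that with the service's security level to decide what must happen before L2CAP completes the connection. Every address, key and service entry is constructed, and the "open" service is only meant to model the auto-accepted OBEX pushes the report describes later.

```python
"""Toy model of the Mode 2 (service-level) security manager described in the
report. Added example, not a real Bluetooth stack; all records are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Trust(Enum):
    TRUSTED = "trusted"      # link key stored and flagged trusted in the device DB
    UNTRUSTED = "untrusted"  # link key stored from an earlier pairing, not flagged
    UNKNOWN = "unknown"      # never connected before, so no link key

class ServiceLevel(Enum):
    AUTH_AND_AUTHZ = "authentication and authorization"
    AUTH_ONLY = "authentication only"
    OPEN = "open"

@dataclass
class DeviceRecord:
    bd_addr: str
    link_key: Optional[bytes]   # 128-bit link key from pairing, None if never paired
    trusted: bool = False

class SecurityManager:
    def __init__(self, device_db: Dict[str, DeviceRecord],
                 service_db: Dict[str, ServiceLevel]) -> None:
        self.device_db = device_db
        self.service_db = service_db

    def classify(self, bd_addr: str) -> Trust:
        rec = self.device_db.get(bd_addr)
        if rec is None or rec.link_key is None:
            return Trust.UNKNOWN
        return Trust.TRUSTED if rec.trusted else Trust.UNTRUSTED

    def decide(self, bd_addr: str, service: str) -> Tuple[str, List[str]]:
        """L2CAP passes peer address and requested service as the query; the answer
        is 'grant', 'ask-user' or 'reject' plus the steps required before connecting."""
        level = self.service_db.get(service)
        if level is None:
            return "reject", ["service not registered in the service DB"]
        if level is ServiceLevel.OPEN:
            return "grant", []                 # open service: no security checks
        trust = self.classify(bd_addr)
        steps: List[str] = []
        if trust is Trust.UNKNOWN:
            steps.append("pair: PIN entry on both devices creates a link key")
        steps.append("authenticate with the link key")
        steps.append("derive the encryption key from it and enable encryption")
        if level is ServiceLevel.AUTH_AND_AUTHZ and trust is not Trust.TRUSTED:
            steps.append("manual acceptance by the user")
            return "ask-user", steps
        return "grant", steps

# Constructed databases: addresses and keys are made up, not from any device.
DEVICE_DB = {
    "00:11:22:AA:BB:01": DeviceRecord("00:11:22:AA:BB:01", bytes(16), trusted=True),
    "00:11:22:AA:BB:02": DeviceRecord("00:11:22:AA:BB:02", bytes(16)),
}
SERVICE_DB = {
    "OBEX File Transfer": ServiceLevel.AUTH_AND_AUTHZ,
    "Dial-up Networking": ServiceLevel.AUTH_ONLY,
    "OBEX Object Push": ServiceLevel.OPEN,   # auto-accepted pushes, as in the report
}

def demo() -> Dict[str, Tuple[str, List[str]]]:
    sm = SecurityManager(DEVICE_DB, SERVICE_DB)
    return {
        "trusted/ftp": sm.decide("00:11:22:AA:BB:01", "OBEX File Transfer"),
        "untrusted/ftp": sm.decide("00:11:22:AA:BB:02", "OBEX File Transfer"),
        "unknown/dun": sm.decide("00:11:22:AA:BB:99", "Dial-up Networking"),
        "unknown/push": sm.decide("00:11:22:AA:BB:99", "OBEX Object Push"),
    }
```

The last case is the one the report's later sections keep running into: an open service yields no security step at all, so the only remaining control is the user's own acceptance.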
BREAKING INTO SECURITY
Bluetooth devices themselves have inherent security vulnerabilities. For example, malicious users can use wireless microphones as bugging devices. Although such attacks have not been documented, because Bluetooth is not yet commercially prevalent, incidents have been recorded of successful attacks on PCs using programs such as Back Orifice and NetBus. If a malicious user has a program such as Back Orifice installed on a device in the Bluetooth network, that user could access other Bluetooth devices and networks that have limited or no security. These same programs could be used against Bluetooth devices and networks. Bluetooth devices are further vulnerable because the system authenticates devices, not users. As a result, a compromised device can gain access to the network and compromise both the network and the devices on it.
Attack Tools & Programs
Hardware used: Dell XPS, Nokia N95, Nokia 6150, HP iPAQ hx2790b.
Operating systems: Ubuntu, BackTrack, Windows Vista, Symbian OS, Windows Mobile.
Software used: Bluebugger, Bluediving, Bluescanner, Bluesnarfer, BTscanner, Redfang, Blooover2, Ftp_bt.
The Dell laptop ran Windows Vista when it was the target to be broken into and for scanning, and Linux when attacks were attempted from it. The Pocket PC served as a target, and of the two mobiles one was used for attacking and one as a target.
Attacking methodology
The first and last thing needed to break the security of a Bluetooth device is to set up a connection or pairing. After that, a program can be used to access the device's data. Tools are used to find the MAC addresses of nearby devices to attack. This generally finds devices set to discoverable, although programs exist with a brute-force approach that detects them when hidden. These programs also provide other basic information such as device classes and names.
Attacking Tools or Tricks
Bluejacking
Sending an unsolicited message over Bluetooth. It is generally harmless, but can be considered annoying at worst. Bluejacking is generally done by sending a vCard (electronic business card) to the phone and using the name field as the message.
OBEX Push
A way of bypassing authentication by sending a file designed to be automatically accepted, such as a vCard, and instead using OBEX to forward a request for data or, in some cases, control. Used in the attacks below.
Bluesnarfing
Through it an attacker can access data on a device via Bluetooth, such as text messages, contact lists, calendar, e-mails etc. It uses the OBEX Push profile to attempt to send an OBEX GET command to retrieve known filenames such as telecom/pb.vcf. The enhancement Bluesnarf++ connects to the OBEX FTP server to transfer the files.
Here 'snarf' is networking slang for 'unauthorized copy'.
Bluesnarfing consists of data theft:
- Calendar: appointments, images
- Phone book: names, addresses, numbers; PINs and other codes; images
Devices: Ericsson R520m, T39m, T68, Sony Ericsson T68i, T610, Z1010, Nokia 6310, 6310i, 8910, 8910i
HeloMoto
It can take full control of a device using AT commands. Either OBEX is used to create a connection, as in Bluesnarf, or a vCard is sent and then the request is automatically cancelled, leaving the attacking device as a trusted device in the target. This allows AT commands to be used.
It requires an entry in 'Device History'.
Connect RFCOMM to Hands-free or Headset:
- No authentication required.
- Full AT command set access.
Devices: Motorola V80, V5xx, V6xx and E398
Bluebugging
Through it an unauthorized connection to the serial profile is created:
- Full access to the AT command set
- Read/write access to the SMS store
- Read/write access to the phone book
Take control of the phone, make calls, listen to calls etc., anything a user can do. This attack gains access to the mobile through RFCOMM channel 17, which on certain phones is unsecured and can be used as a backdoor. Once connected, AT commands are used to take control of the mobile.
How come?
- Various manufacturers poorly implemented the Bluetooth security mechanisms.
- Unpublished services on RFCOMM channels, not announced via SDP.
Affected devices: Nokia has quite a lot of models (6310, 6310i, 8910, 8910i...), Sony Ericsson T86i, T610....
DoS (Denial of Service) Attacks
There are various attacks such as Bluesmack, Bluestab and in some cases Bluejacking that can be used to cause a DoS. This can range from using Bluejacking to repeatedly send messages to a phone that requires them to be accepted, to using AT commands to crash the phone, or malformed packets (ping of death). This can cause strange behavior in devices, or they simply crash.
Long Distance Attacking (Blue Sniper)
This trick was tested at the beginning of August 2004. The experiment was done in Santa Monica, California.
The attacker had a class 1 Bluetooth device (called a 'dongle') with software. The bugged or snarfed device was a class 2 device (Nokia 6310i) at a distance of 1.78 km (1.01 miles).
Blueprinting
Blueprinting is fingerprinting the Bluetooth wireless technology interfaces of devices. This work was started by Collin R. Mulliner and Martin Herfurt. It is relevant to all kinds of applications:
- Security auditing.
- Device statistics.
- Automated application distribution.
A paper and a tool related to this technique were released at 21C3 in December 2004 in Berlin.
Blueprinting basics:
- Hashing information from the profile entries, namely the record handle and the RFCOMM channel number of each entry, and adding it all up: (RecHandle1*Channel1) + (RecHandle2*Channel2) + ... + (RecHandleN*ChannelN).
- The Bluetooth device address is also used as part of the blueprint.
Example of a blueprint:
00:60:57@2621543
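The blueprint computation above, as an added example written for this report (not the trifinite tool): it parses sdptool-style browse output, sums RecHandle*Channel over the RFCOMM services and prefixes the manufacturer part of BD_ADDR, which is how an auditor can recognise the same device model across an inventory. The browse text and address are constructed, with handles and channels chosen so the result equals the report's sample 00:60:57@2621543 (they describe no real phone); treating services without an RFCOMM channel as contributing nothing is my assumption.

```python
"""Blueprinting hash from the report: sum(RecHandle_i * Channel_i) over the
SDP service records of a device, prefixed with the first three octets of its
BD_ADDR. Added example, not the trifinite tool; all input data is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes as printed by 'sdptool browse' (format assumed from memory).
HANDLE_RE = re.compile(r"Service RecHandle:\s*0x([0-9a-fA-F]+)")
CHANNEL_RE = re.compile(r"^\s*Channel:\s*(\d+)\s*$")

@dataclass
class SdpRecord:
    handle: int               # 32-bit service record handle from the SDP server
    channel: Optional[int]    # RFCOMM channel, None when the service has no RFCOMM layer

def parse_sdp_browse(text: str) -> List[SdpRecord]:
    """Turn browse output into records; a 'Channel:' line is attached to the
    most recent record handle that has no channel yet."""
    records: List[SdpRecord] = []
    for line in text.splitlines():
        m = HANDLE_RE.search(line)
        if m:
            records.append(SdpRecord(int(m.group(1), 16), None))
            continue
        m = CHANNEL_RE.match(line)
        if m and records and records[-1].channel is None:
            records[-1].channel = int(m.group(1))
    return records

def blueprint_hash(records: List[SdpRecord]) -> int:
    # (RecHandle1*Channel1) + ... + (RecHandleN*ChannelN); services without an
    # RFCOMM channel (L2CAP-only, e.g. SDP itself) contribute nothing (assumption).
    return sum(r.handle * r.channel for r in records if r.channel is not None)

def blueprint(bd_addr: str, records: List[SdpRecord]) -> str:
    oui = ":".join(bd_addr.upper().split(":")[:3])   # manufacturer part of BD_ADDR
    return f"{oui}@{blueprint_hash(records)}"

# Constructed browse output; handles/channels chosen so the hash matches the
# report's sample blueprint. They do not describe any real phone.
SAMPLE_BROWSE = """\
Service Name: Dial-up Networking
Service RecHandle: 0x10000
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 11
Service Name: OBEX Object Push
Service RecHandle: 0x10001
  "RFCOMM" (0x0003)
    Channel: 1
Service Name: OBEX File Transfer
Service RecHandle: 0x10002
    Channel: 2
Service Name: Headset Audio Gateway
Service RecHandle: 0x10003
    Channel: 6
Service Name: Serial Port
Service RecHandle: 0x10004
    Channel: 20
Service Name: Service Discovery Server
Service RecHandle: 0x10005
  "L2CAP" (0x0100)
    PSM: 1
"""
SAMPLE_BD_ADDR = "00:60:57:12:34:56"   # constructed; only the 00:60:57 prefix is used

def sample_blueprint() -> str:
    return blueprint(SAMPLE_BD_ADDR, parse_sdp_browse(SAMPLE_BROWSE))
```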
Attacking software
For Discovering Bluetooth Devices
BlueScanner - BlueScanner searches for Bluetooth-enabled devices. It will try to extract as much information as possible for each newly discovered device.
BlueSniff - BlueSniff is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.
BTBrowser - Bluetooth Browser is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth-enabled devices. You can browse device information and all supported profiles and service records of each device. BTBrowser works on phones that support JSR-82, the Java Bluetooth specification.
BTCrawler - BTCrawler is a scanner for Windows Mobile based devices. It scans for other devices in range and performs service queries. It implements the BlueJacking and BlueSnarfing attacks.
For Hacking Bluetooth Devices
BlueBugger - BlueBugger exploits the BlueBug vulnerability. BlueBug is the name of a set of Bluetooth security holes found in some Bluetooth-enabled mobile phones. By exploiting those vulnerabilities, one can gain unauthorized access to the phone book, call lists and other private information.
CIHWB - Can I Hack With Bluetooth (CIHWB) is a Bluetooth security auditing framework for Windows Mobile 2005. Currently it only supports some Bluetooth exploits and tools like BlueSnarf, BlueJack, and some DoS attacks. It should work on any PocketPC with the Microsoft Bluetooth stack.
Bluediving - Bluediving is a Bluetooth penetration testing suite. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++ and BlueSmack, has features such as Bluetooth address spoofing, an AT and an RFCOMM socket shell, and implements tools like carwhisperer, bss, an L2CAP packet generator, an L2CAP connection resetter, an RFCOMM scanner and a greenplaque scanning mode.
Transient Bluetooth Environment Auditor - T-BEAR is a security-auditing platform for Bluetooth-enabled devices. The platform consists of Bluetooth discovery tools, sniffing tools and various cracking tools.
Bluesnarfer - Bluesnarfer will download the phone book of any mobile device vulnerable to Bluesnarfing. If a mobile phone is vulnerable, it is possible to connect to the phone without alerting the owner and gain access to restricted portions of the stored data.
BTCrack - BTCrack is a Bluetooth passphrase (PIN) cracking tool. BTCrack aims to reconstruct the passkey and the link key from captured pairing exchanges.
Blooover II - Blooover II is a J2ME-based auditing tool. It is intended to serve as an auditing tool to check whether a mobile phone is vulnerable.
BlueTest - BlueTest is a Perl script designed to do data extraction from vulnerable Bluetooth-enabled devices.
BTAudit - BTAudit is a set of programs and scripts for auditing Bluetooth-enabled devices.
Effectiveness of Attacks
Laptop
The attacks here were a resounding failure, with all devices being attacked requiring user input to function. Bluebugging and Bluesnarfing were both attempted several times; with trial and error the correct channels for these attacks were found and used to successfully contact the phone, but they failed to work without authentication.
Vs Mobiles
Attacks made against the Nokia N95 and Nokia 6250 both connected to the phone but required the user to accept to continue, and thus were considered a failure. Attacks were also made against other nearby mobiles with either the same result or, in a single case, a successful transfer with Bluesnarfing but no data gathered (unusual filenames were assumed).
Vs Laptops
A single laptop with Bluetooth came into range and, after asking the owner, attacks were performed without success, even when he decided to accept the connection.
Mobile
Vs Mobiles
The primary success was through this device and a program called Blooover2. An auditing tool, Blooover2 tests the possible effect of various attacks and did a few minor attacks of its own. While the test devices required authentication for this audit to function, passing devices showed several vulnerabilities, and after hunting down owners and asking permission, successful attacks were performed.
The software inserted phone book entries, copied phone books and changed call forwarding, effectively taking phones off the network. The other program that had a single successful attack was called "Super Bluetooth attack"; while the majority of phones required authentication, a Sony Ericsson (model unknown) allowed access without it. The phone book and messages were accessible, while calls could also be made and general settings changed (display, sounds etc.).
SECURE YOUR DEVICE
Bluetooth social engineering
Bluetooth is used by people daily, so it is possible to use social engineering techniques to attack devices. One of the most common uses of Bluetooth is with mobile phones, which makes them an interesting subject of social engineering to examine.
Some users tend to accept incoming connections, leaving themselves at risk of outside attack. More than anything else, a lack of education causes people not to recognize a threat when they see one and to accept incoming connections. This is an interesting way of using social engineering to break into devices.
Security Effectiveness
The standard security method for Bluetooth is simply to have the device hidden or turned off, and many devices require user input for any incoming message or connection.
This is surprisingly effective: when a device requires authentication for even a vCard, it is difficult to find a way in without an unsecured channel. The biggest security risk seems to be the users themselves; several attacks succeeded simply because the users accepted the incoming connection (many harmless audits were performed on passers-by), allowing access to their device (we considered this a failure of the attack). No amount of security can prevent a user opening the door, so to speak. No additional security software was found for Bluetooth.
References
1. Behrouz A. Forouzan, Data Communication and Networking, 4th edition.
2. http://trifinite.org
3. http://en.wikipedia.org/wiki/Bluetooth/
4. Wireless Network Security: 802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce.
5. Bluetooth Specification Version 2.1 + EDR [vol 0], www.Bluetooth.com
6. Andreas Becker, "Bluetooth Security and Hacks", Ruhr-University Bochum, 2007.
7. Essential Bluetooth hacking tools, http://www.security-hacks.com/2007/05/25/essentialbluetooth hacking-tools
8. Marek Bialoglowy, "Bluetooth Security Review", http://www.securityfocus.com/infocus/1830