BLUETOOTH NETWORK SECURITY BY S.ROHIT SAGAR
TABLE OF CONTENTS
INTRODUCTION
ABOUT BLUETOOTH
BLUETOOTH NETWORKS
BLUETOOTH ARCHITECTURE
SECURITY ASPECTS IN BLUETOOTH
CONNECTION ESTABLISHMENT
USED SOFTWARE
A) FOR DISCOVERING DEVICES
B) FOR HACKING
EFFECTIVENESS OF ATTACK
CONCLUSION
BLUETOOTH HACKING THREATS & PREVENTIONS
INTRODUCTION
Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity.
Ad hoc networks, such as those enabled by Bluetooth, allow users to:
Synchronize data with network systems and share applications between devices.
Eliminate cables for printer and other peripheral device connections.
Specific threats and vulnerabilities to wireless networks and handheld devices include the following:
All the vulnerabilities that exist in a conventional wired network apply to wireless technologies.
Malicious entities may gain unauthorized access to an agency's computer network through wireless connections, bypassing any firewall protections.
ABOUT BLUETOOTH
The original architecture for Bluetooth was developed by Ericsson Mobile Communication Co. Bluetooth was originally designed primarily as a cable replacement protocol for wireless communications.
Among the array of devices that are anticipated are cellular phones, PDAs, notebook computers, modems, cordless phones, pagers, laptop computers, cameras, PC cards, fax machines, and printers.
The Bluetooth specification now includes:
The 802.11 WLAN standards.
Unlicensed 2.4 GHz–2.4835 GHz ISM (industrial, scientific, medical applications) frequency band.
Frequency-hopping spread-spectrum (FHSS) technology to solve interference problems.
Transmission speeds up to 1 Mbps.
Bluetooth Classes and Specifications
BLUETOOTH NETWORKS
Bluetooth devices can form three types of networks:
Point to Point Link
Piconet Network
Ad-hoc or Scatternet Network
Point to Point Link
When two Bluetooth-enabled devices share information or data, that is called a point to point link.
Fig: Point to Point Link (master device connected to a slave device over a network/link)
Piconet Network
When there is a collection of devices paired with each other, it forms a small personal area network called a 'Piconet'. A Piconet consists of a master and at most seven active slaves.
Each Piconet has its own hopping sequence and the master and all slaves share the same channel.
Fig: Piconet Network (one master device with several slave devices)
Department of Electronics & Communication.
Ad-hoc or Scatternet Network
Two or more piconets connected to each other by means of a device (called a 'bridge') participating in both piconets form a Scatternet Network.
The role of bridge is to transmit data across piconets.
Fig: Scatternet Network (Piconet 1 and Piconet 2 joined by a bridge device)
When a number of Bluetooth devices communicate with each other in the same vicinity, there is a high level of interference. To combat interference, Bluetooth technology applies a fast frequency-hopping scheme which hops over 79 channels 1600 times per second.
For devices to communicate with each other using Bluetooth they need to be paired with each other so that they have a synchronized frequency-hopping sequence.
BLUETOOTH ARCHITECTURE
The Bluetooth core system has three parts:
RF transceiver
Baseband
Protocol-stack
SECURITY ASPECTS IN BLUETOOTH
The Bluetooth system provides security at two levels:
At Link layer
At Application layer
Link layer security
Four different entities are used for maintaining security at the link layer: a Bluetooth device address, two secret keys, and a pseudo-random number that shall be regenerated for each new transaction.
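An added example (not from the original document) showing how these four entities work together in a link-layer challenge-response authentication: the verifier issues a fresh 128-bit RAND, the claimant answers with SRES computed from the shared 128-bit link key, the RAND and its own 48-bit BD_ADDR, and the verifier rejects any reuse of a RAND. The HMAC-SHA256 function is an assumed stand-in for the SAFER+-based E1 function of the real specification; the key and address values are constructed.

```python
import hashlib
import hmac
import os

# Sizes from Table 1.1: BD_ADDR 48 bits, authentication link key 128 bits,
# RAND 128 bits (regenerated for every transaction).
BD_ADDR_BYTES, LINK_KEY_BYTES, RAND_BYTES = 6, 16, 16


def e1_stand_in(link_key, rand, bd_addr):
    """Stand-in for the Bluetooth E1 authentication function.

    Real E1 is built on SAFER+; HMAC-SHA256 is ASSUMED here only to show the
    data flow. Like E1 it yields a 32-bit SRES and a 96-bit ACO.
    """
    sizes = (len(link_key), len(rand), len(bd_addr))
    if sizes != (LINK_KEY_BYTES, RAND_BYTES, BD_ADDR_BYTES):
        raise ValueError("entity size does not match Table 1.1")
    digest = hmac.new(link_key, rand + bd_addr, hashlib.sha256).digest()
    return digest[:4], digest[4:16]


class Verifier:
    """Device issuing the challenge; it shares the link key with the claimant."""

    def __init__(self, link_key):
        self.link_key = link_key
        self.outstanding = set()  # RANDs issued but not yet answered

    def challenge(self):
        rand = os.urandom(RAND_BYTES)  # fresh pseudo-random number per transaction
        self.outstanding.add(rand)
        return rand

    def check(self, claimant_addr, rand, sres):
        # A RAND we never issued, or one already consumed, is rejected:
        # this is what stops a captured (RAND, SRES) pair being replayed.
        if rand not in self.outstanding:
            return False
        self.outstanding.discard(rand)
        expected, _aco = e1_stand_in(self.link_key, rand, claimant_addr)
        return hmac.compare_digest(expected, sres)


def claimant_respond(link_key, rand, own_addr):
    """Claimant side: SRES = E1(link key, RAND, own BD_ADDR)."""
    sres, _aco = e1_stand_in(link_key, rand, own_addr)
    return sres
```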
The four entities and their sizes are summarized in Table 1.1.
Table 1.1: Entities used in authentication and encryption procedures
Entity                             | Size
BD_ADDR                            | 48 bits
Private user key, authentication   | 128 bits
Private user key, encryption       | Configurable length (byte-wise), 8–128 bits
RAND                               | 128 bits
Application layer security specification
BREAKING INTO SECURITY
Bluetooth devices themselves have inherent security vulnerabilities. For example, malicious users can use wireless microphones as bugging devices. Although such attacks have not been documented because Bluetooth is not yet commercially prevalent, incidents have been recorded of successful attacks on PCs using programs such as Back Orifice and Netbus.
Attack Tools & Programs
Hardware Used: Dell XPS, Nokia N95, Nokia 6150, Hp IPAQ HX2790b.
Operating Systems: Ubuntu, Backtrack, Windows Vista, Symbian OS, windows mobile.
Software used: Bluebugger, Bluediving, Bluescanner, Bluesnarfer, BTscanner, Redfang, Blooover2, Ftp_bt.
The Dell laptop ran Windows Vista when it was the target and when scanning, and Linux when attempting attacks. The Pocket PC was a target; of the two mobiles, one was used for attacking and one was the target.
Attacking methodology
The first and last thing needed to break the security of a Bluetooth device is to set up a connection or pairing. After that the program can be used to access the device's data. Tools are used to find the MAC address of nearby devices to attack. This generally finds devices set to discoverable, although programs exist with a brute force approach that detect them when hidden. These programs also provide other basic information such as device classes and names.
Attacking Tools or Tricks
Bluejacking
Sending an unsolicited message over Bluetooth is generally harmless but can be considered annoying at worst. Bluejacking is generally done by sending a vCard (electronic business card) to the phone and using the name field as the message.
OBEX Push
A way of bypassing authentication by sending a file designed to be automatically accepted, such as a vCard, and instead using OBEX to forward a request for data or in some cases control. Used in the attacks below.
Bluesnarfing
Through it an attacker can access data on a device via Bluetooth such as text messages, contact lists, calendar, emails etc. This uses the OBEX push profile to attempt to send an OBEX GET command to retrieve known filenames such as telecom/pb.vcf. The enhancement to this, Bluesnarf++, connects to the OBEX FTP server to transfer the files.
Here 'Snarf' is networking slang for 'unauthorized copy'. Bluesnarfing consists of data theft from:
1. Phone Book: names, addresses, numbers; PINs and other codes; images.
2. Calendar: appointments; images.
Devices: Ericsson R520m, T39m, T68; Sony Ericsson T68i, T610, Z1010; Nokia 6310, 6310i, 8910, 8910i.
Long Distance Attacking (Blue Sniper)
This trick was tested at the beginning of August 2004. The experiment was done in Santa Monica, California. The attacker had a class 1 Bluetooth device (called a 'dongle') with software. The bugged or snarfed device was a class 2 device (Nokia 6310i) at a distance of 1.78 km (1.01 miles).
Blueprinting
Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices. This work was started by Collin R. Mulliner and Martin Herfurt.
Relevant to all kinds of applications:
– Security auditing.
– Device Statistics.
– Automated Application Distribution.
Attacking software
For Discovering Bluetooth Devices
BlueScanner - BlueScanner searches out for Bluetooth-enabled devices. It will try to extract as much information as possible for each newly discovered device.
BlueSniff - BlueSniff is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.
BTBrowser - Bluetooth Browser is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth-enabled devices. You can browse device information and all supported profiles and service records of each device. BTBrowser works on phones that support JSR-82, the Java Bluetooth specification.
BTCrawler - BTCrawler is a scanner for Windows Mobile based devices. It scans for other devices in range and performs service queries. It implements the BlueJacking and BlueSnarfing attacks.
Effectiveness of Attacks
Laptop
The attacks here were a resounding failure, with all devices being attacked requiring user input to function. Bluebugging and Bluesnarfing were both attempted several times; with trial and error the correct channels for these attacks were found and used to successfully contact the phone, but they failed to work without authentication.
Vs Mobiles
Attacks made against the Nokia N95 and Nokia 6250 both connected to the phone but required the user to accept to continue and thus were considered a failure. Attacks were also made against other nearby mobiles with either the same result or, in a single case, a successful transfer with Bluesnarfing but no data gathered (unusual filenames were assumed).
CONCLUSION:
SECURE YOUR DEVICE
Bluetooth social engineering
Bluetooth is used by people daily, so it is possible to use social engineering techniques to attack devices. One of the most common uses of Bluetooth is with mobile phones, which can be an interesting part of social engineering to examine.
Some users tend to accept incoming connections, leaving themselves at risk of outside attack. More a lack of education than anything else causes people not to recognize a threat when they see one and accept incoming connections. This is an interesting way of using social engineering to break into devices.
Security Effectiveness
The standard security method for Bluetooth is simply to have the device hidden or turned off, and many devices require user input for any incoming message or connection.
This is surprisingly effective, as when a device requires authentication for even a vCard it is difficult to find a way in without an unsecured channel. The biggest security risk seems to be the users themselves: several attacks succeeded simply because the users accepted the incoming connection (many harmless audits were performed on passers-by), allowing access to their device (we considered this a failure of the attack). No amount of security can prevent a user opening the door, so to speak. No additional security software was found for Bluetooth.
THANK YOU