BLUETOOTH NETWORK SECURITY BY S.ROHIT SAGAR

Bluetooth network-security-seminar-report


Page 1: Bluetooth network-security-seminar-report


Page 2: Bluetooth network-security-seminar-report

TABLE OF CONTENT

INTRODUCTION

ABOUT BLUETOOTH

BLUETOOTH NETWORKS

BLUETOOTH ARCHITECTURE

SECURITY ASPECTS IN BLUETOOTH

CONNECTION ESTABLISHMENT

USED SOFTWARE

A) FOR DISCOVERING DEVICES

B) FOR HACKING

EFFECTIVENESS OF ATTACK

CONCLUSION

Page 3: Bluetooth network-security-seminar-report

BLUETOOTH HACKING THREATS & PREVENTIONS

INTRODUCTION

Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity.

Ad hoc networks, such as those enabled by Bluetooth, allow users to:

Synchronize data with network systems and share applications between devices.

Eliminate cables for printer and other peripheral device connections.

Specific threats and vulnerabilities to wireless networks and handheld devices include the following:

All the vulnerabilities that exist in a conventional wired network apply to wireless technologies.

Malicious entities may gain unauthorized access to an agency's computer network through wireless connections, bypassing any firewall protections.

Page 4: Bluetooth network-security-seminar-report

ABOUT BLUETOOTH

The original architecture for Bluetooth was developed by Ericsson Mobile Communication Co. Bluetooth was originally designed primarily as a cable replacement protocol for wireless communications.

Among the array of devices that are anticipated are cellular phones, PDAs, notebook computers, modems, cordless phones, pagers, laptop computers, cameras, PC cards, fax machines, and printers.

The current Bluetooth specification:

Like the 802.11 WLAN standards, it uses the unlicensed 2.4 GHz–2.4835 GHz ISM (industrial, scientific, medical applications) frequency band.

Frequency-hopping spread-spectrum (FHSS) technology to solve interference problems.

Transmission speeds up to 1 Mbps.

Bluetooth Classes and Specifications

Page 5: Bluetooth network-security-seminar-report

BLUETOOTH NETWORKS

Bluetooth devices can form three types of networks:

Point to Point Link

Piconet Network

Ad-hoc or Scatternet Network

Point to Point Link: when two Bluetooth enabled devices share information or data, that is called a point to point link.

Fig: Point to Point Link (Master Device - Network/Link - Slave Device)

Piconet Network: when there is a collection of devices paired with each other, it forms a small personal area network called 'Piconet'. A Piconet consists of a master and at most seven active slaves.

Each Piconet has its own hopping sequence, and the master and all slaves share the same channel.

Fig: Piconet Network (one Master Device and several Slave Devices)

Page 6: Bluetooth network-security-seminar-report

Department of Electronics & Communication.

Ad-hoc or Scatternet Network: two or more piconets connected to each other by means of a device (called 'bridge') participating in both piconets form a Scatternet Network.

The role of the bridge is to transmit data across piconets.

Fig: Scatternet Network (Piconet 1, Piconet 2)

When a number of Bluetooth devices communicate with each other in the same vicinity, there is a high level of interference. To combat interference, Bluetooth technology applies a fast frequency-hopping scheme which hops over 79 channels 1600 times per second.

For devices to communicate with each other using Bluetooth, they need to be paired with each other so that they have a synchronized frequency-hopping sequence.
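As an added illustration that is not part of the original report, the following Python model shows why a paired device needs the master's address and clock to follow the hopping sequence. It replaces the real Bluetooth hop selection kernel with a SHA-256 based pick (an assumption made for brevity); the BD_ADDR and clock values are constructed.

```python
import hashlib

NUM_CHANNELS = 79                        # the report's figure: 79 channels
HOPS_PER_SECOND = 1600                   # 1600 hops per second
SLOT_US = 1_000_000 // HOPS_PER_SECOND   # 625 microseconds per hop


def hop_channel(master_bd_addr: int, clock: int) -> int:
    """Channel (0..78) used at one clock tick.

    Assumption: the real Bluetooth hop selection kernel is replaced by a
    SHA-256 based pseudo-random pick. The property demonstrated is the
    same: the sequence is a deterministic function of the master's 48-bit
    BD_ADDR and clock, so only a device synchronized to both can follow it.
    """
    seed = master_bd_addr.to_bytes(6, "big") + clock.to_bytes(4, "big")
    digest = hashlib.sha256(seed).digest()
    return int.from_bytes(digest[:4], "big") % NUM_CHANNELS


def hop_sequence(master_bd_addr: int, start_clock: int, count: int) -> list:
    """Channels visited over `count` consecutive slots."""
    return [hop_channel(master_bd_addr, start_clock + i) for i in range(count)]


def overlap_fraction(seq_a: list, seq_b: list) -> float:
    """Fraction of slots in which two devices sit on the same channel."""
    same = sum(1 for a, b in zip(seq_a, seq_b) if a == b)
    return same / len(seq_a)


def demo() -> dict:
    master = 0x001122334455    # constructed BD_ADDR, not a real device
    clock = 0x00A0             # constructed master clock value
    one_second = HOPS_PER_SECOND
    master_seq = hop_sequence(master, clock, one_second)
    # A paired slave shares the master's address and clock: same sequence.
    slave_seq = hop_sequence(master, clock, one_second)
    # A device whose clock is off by a few ticks only collides by chance.
    drifted_seq = hop_sequence(master, clock + 7, one_second)
    return {
        "synced_overlap": overlap_fraction(master_seq, slave_seq),
        "drifted_overlap": overlap_fraction(master_seq, drifted_seq),
        "channels_used": len(set(master_seq)),
        "slot_us": SLOT_US,
    }
```

The drifted device lands on the master's channel in roughly 1 slot in 79, which is why an unsynchronized device neither interferes much nor can follow the link.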

Page 7: Bluetooth network-security-seminar-report

BLUETOOTH ARCHITECTURE

The Bluetooth core system has three parts:

RF transceiver

Baseband

Protocol-stack

Page 8: Bluetooth network-security-seminar-report


SECURITY ASPECTS IN BLUETOOTH

The Bluetooth system provides security at two levels:

At Link layer

At Application layer

Link layer security

Four different entities are used for maintaining security at the link layer: a Bluetooth device address, two secret keys, and a pseudo-random number that shall be regenerated for each new transaction.

The four entities and their sizes are summarized in Table 1.1.

Application layer security specification

Table 1.1: Entities used in authentication and encryption procedures

Entity                              Size
BD_ADDR                             48 bits
Private user key, authentication    128 bits
Private user key, encryption        Configurable length (byte-wise), 8-128 bits
RAND                                128 bits
Page 9: Bluetooth network-security-seminar-report

BREAKING INTO SECURITY

Bluetooth devices themselves have inherent security vulnerabilities. For example, malicious users can use wireless microphones as bugging devices. Although such attacks have not been documented because Bluetooth is not yet commercially prevalent, incidents have been recorded of successful attacks on PCs using programs such as Back Orifice and Netbus.

Attack Tools & Programs

Hardware Used: Dell XPS, Nokia N95, Nokia 6150, Hp IPAQ HX2790b.

Operating Systems: Ubuntu, Backtrack, Windows Vista, Symbian OS, windows mobile.

Software used: Bluebugger, Bluediving, Bluescanner, Bluesnarfer, BTscanner, Redfang, Blooover2, Ftp_bt.

The Dell laptop ran Windows Vista when it was the device to be broken into and for scanning; it was then booted into Linux to attempt attacks. The Pocket PC was a device to be attacked, and of the two mobiles one was used for attacking and one for being attacked.

Attacking methodology

The first and last thing needed to break the security of a Bluetooth device is to set up a connection or pairing. After that the program can be used to access the device's data. Tools are used to find the MAC address of nearby devices to attack. This generally finds devices set to discoverable, although programs exist with a brute force approach that detects them when hidden. These programs also provide other basic information such as device classes and names.

Page 10: Bluetooth network-security-seminar-report


Attacking Tools or Tricks

Bluejacking

Sending an unsolicited message over Bluetooth is generally harmless but can be considered annoying at worst. Bluejacking is generally done by sending a V-card (electronic business card) to the phone and using the name field as the message.

OBEX Push

A way of bypassing authentication by sending a file designed to be automatically accepted, such as a vcard, and instead using OBEX to forward a request for data or in some cases control. Used in the attacks below.

Bluesnarfing

Through it one can access data on a device via Bluetooth, such as text messages, contact lists, calendar, emails etc. This uses the OBEX push profile to attempt to send an OBEX GET command to retrieve known filenames such as telecom/pb.vcf. The enhancement to this, Bluesnarf++, connects to the OBEX FTP server to transfer the files.

Here 'Snarf' is networking slang for 'unauthorized copy'. Bluesnarfing consists of data theft from:

1. Calendar

– Appointments

– Images

2. Phone Book

– Names, Addresses, Numbers

– PINs and other codes

– Images

Devices: Ericsson R520m, T39m, T68, Sony Ericsson T68i, T610, Z1010, Nokia 6310, 6310i, 8910, 8910i

Page 11: Bluetooth network-security-seminar-report


Long Distance Attacking (Blue Sniper)

This trick was tested at the beginning of August 2004. The experiment was done in Santa Monica, California. The attacker had a class 1 Bluetooth device (called 'dongle') with software. The bugged or snarfed device was a class 2 device (Nokia 6310i) at a distance of 1.78 km (1.01 miles).

Blueprinting

Blueprinting is fingerprinting the Bluetooth Wireless Technology interfaces of devices. This work was started by Collin R. Mulliner and Martin Herfurt.

Relevant to all kinds of applications:

– Security auditing.

– Device Statistics.

– Automated Application Distribution.

Page 12: Bluetooth network-security-seminar-report

Attacking software

For Discovering Bluetooth Devices

BlueScanner - BlueScanner searches for Bluetooth-enabled devices. It will try to extract as much information as possible for each newly discovered device.

BlueSniff - BlueSniff is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.

BTBrowser - Bluetooth Browser is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth-enabled devices. You can browse device information and all supported profiles and service records of each device. BTBrowser works on phones that support JSR-82, the Java Bluetooth specification.

BTCrawler - BTCrawler is a scanner for Windows Mobile based devices. It scans for other devices in range and performs service queries. It implements the BlueJacking and BlueSnarfing attacks.

Page 13: Bluetooth network-security-seminar-report

Effectiveness of Attacks

Laptop

These attacks were a resounding failure, with all devices being attacked requiring user input to function. Bluebugging and Bluesnarfing were both attempted several times; with trial and error the correct channels for these attacks were found and used to successfully contact the phone, but they failed to work without authentication.

Vs Mobiles

Attacks made against the Nokia N95 and Nokia 6250 both connected to the phone but required the user to accept to continue, and thus were considered a failure. Attacks were also made against other nearby mobiles with either the same result or, in a single case, a successful transfer with Bluesnarfing but no data gathered (unusual filenames were assumed).

Page 14: Bluetooth network-security-seminar-report


CONCLUSION:

SECURE YOUR DEVICE

Bluetooth social engineering

Bluetooth is used by people daily, so it is possible to use social engineering techniques to attack devices. One of the most common uses of Bluetooth is with mobile phones, which makes them an interesting part of social engineering to examine.

Some users tend to accept incoming connections, leaving themselves at risk to outside attack. More than anything else, a lack of education causes people not to recognize a threat when they see one and to accept incoming connections. This is an interesting way of using social engineering to break into devices.

Security Effectiveness

The standard security method for Bluetooth is simply to have the device hidden or turned off, and many devices require user input for any incoming message or connection.

This is surprisingly effective: when a device requires authentication for even a vcard, it is difficult to find a way in without an unsecured channel. The biggest security risk seems to be the users themselves. Several attacks succeeded simply because the users accepted the incoming connection (many harmless audits were performed on passers-by), allowing access to their device (we considered this a failure of the attack). No amount of security can prevent a user opening the door, so to speak. No additional security software was found for Bluetooth.

Page 15: Bluetooth network-security-seminar-report

THANK YOU