Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ben Cumber Kyle Swenson

Similar presentations

Presentation on theme: "Ben Cumber Kyle Swenson"— Presentation transcript:

1 Ben Cumber Kyle Swenson
Bluetooth Security Ben Cumber Kyle Swenson

2 Overview Introduction to Bluetooth Proliferation and Applications
Protocol stack Profiles Proliferation and Applications Security Past attacks Current state of the art Known vulnerabilities Examples; Demonstration Future attacks Hardening Options: Mitigating the Risk Conclusion

3 Introduction to Bluetooth
Convenience IEEE : Personal Area Network Defines the medium access control (MAC) mechanisms Baseband/ Physical 2.4 GHz ( Same as Wi-Fi) Adaptive Frequency Hopping Currently Maintained by the Bluetooth Special Interest Group (SIG) AFH = 1600 channel hops per second, determined by negotiated pseudo random sequence Bluetooth Special interest group Corporation that licenses Bluetooth To sell, manufacture or rebrand any product with Bluetooth requires SIG membership.

4 Introduction to Bluetooth: Protocols
Mandatory Bluetooth Protocols Link Manager Protocol Logical Link Control and Adaptation Protocol (L2CAP) Service Discovery Protocol (SDP) Audio Streaming Protocols RFCOMM (Most common) Link Manager protocol Manages radio link between devices for the session L2CAP Manages logical connections to higher layers with the protocol service multiplexer(PSM) Service Discovery Protocol (SDP) Standardized format for devices to list offered profiles and serveries RFCOMM EIA RS-232 Emulation, token based, reliable Meant to be a cable replacement Transmitted in plaintext

5 Relevant Bluetooth Profiles
Defines how a device uses the Bluetooth protocols All built on core Bluetooth stack Widespread integration and interoperability. Defines the authentication and encryption (if any) Human Interface Device (HID) Built off the USB HID specification Includes RTUs, data acquisition equipment Audio Control and Distribution Bluetooth headset phone control and audio streaming Object Exchange (OBEX) Allows file transfer, contact transfer Profiles: Widespread integration and interoperability Over 40 different profiles have been defined and adopted HID: Universal plug-n-play The idea of Virtual Cables

6 Bluetooth Security Mechanisms
Pairing: usually requires user verification, version dependent Bonding: allows for seamless reconnection after two devices have been paired Based off a link-key generated during the pairing process If either device forgets the link-key, then it is renegotiated automatically Plaintext negotiation of encryption key Encryption: Completely optional, dependent upon device capability. Bluetooth leaves security up to the user. Depends on short range communication which offers a little security Pairing: Enter a 4-16 digit pin Verify a pin number If one device doesn’t support security, just forget it. Bonding: When two devices are bonded its possible to force a pairing by injecting a few bad packets. WE WANT TO STRESS: Authentication and encryption is Profile and Device Dependent Encryption and authentication is optional, but suggested

7 Bluetooth Security: The MAC Address
Basis for all Bluetooth communication All devices are required to at least respond to direct connection requests, regardless of discoverability setting Assumed to be unique With the right module, it’s easy to imitate a legitimate device. Specification doesn’t define behavior when two devices have the same MAC address Part of the MAC address is allocated by the SIG/IEEE Publicly available Other part is assigned by the manufacturer The MAC Address Basis for all BT Comm Affects channel hopping sequence and timing Implicitly defines seeds for pseudo-random number generation used in encryption and authentication. Devices Required to respond All encapsulated in the Frequency Hop Synchronization packet (FHS) FHS packet completely describes communication parameters Required response when a direct connection request is received Contains “unique” 48-bit Bluetooth MAC, class of device, clock information, channel information, Bluetooth Version, etc.

8 Bluetooth Security: The MAC Address
Lower Address Portion (LAP) Mandatory part of baseband communication Upper Address Portion (UAP) Contains time delay information for frequency hopping. Non-significant Address Portion UAP + NAP form the organizationally unique identifier Once the MAC address has been determined, the device is potentially compromised LAP Easily discovered as you will see in our demo. UAP Can be discovered through brute force once you know the LAP

9 Known Exploits BlueRanger BTCrack SpoofTooph
Uses the required direct connection response to gauge relative distance through the integrity of the link SpoofTooph Scans for discoverable devices Clones the device Imitates MAC address, profiles, services, names, and other “unique” characteristics BTCrack How it works: Observe a pairing Guess a 4-16 digit pin Check to see if the hashed value of the pin matches the hashed value that you observed. BlueRanger Also collects data on the target. Gets the relative location of the device. SpoofTooph Extracts info using SDP (Service Discovery Protocol) and the Frequency Hopping Spectrum Packet Causing disconnections and MITM attacks BTCrack Challenges Forcing a pairing (By injecting a bad packet) Actually observing the pairing Requires a large-bandwidth spectrum analyzer, which cost around $10,000 or the ubertooth one

10 Known Exploits BlueBugging – Control a remote smartphone
Making/forwarding calls, sending and receiving text messages. Snarfing – Retrieve contacts or calendar Uses the OBEX Push Profile OBEX Push doesn’t require any authentication Carwhisperer – Uses vehicular audio profiles Send audio messages to driver Listen to conversations in the vehicle vCardBlaster (Virtual Business Card) Contains contact information Sends a continuous stream of vCards using Bluetooth Bluetooth v4.0 has already been exploited BlueBugging Idea is to emulate a headset Snarfing OBEX “Object Exchange” Often doesn’t even notify the users vCardBlaster Target a single user or all devices in range Contact info can be specific or generated Used to Fill up Disk Space Add a bunch of random contacts

11 Collecting Information
Ubertooth One A custom Bluetooth chip from TI (CC2400) with a LPC 1768 Cortex M3 microcontroller attached via USB $120 module, allows sniffing of Bluetooth traffic Able to export packets to Wireshark traffic, get sensitive information Spectrum Analyzer Simple to program, modify, and use With some embedded systems experience and motivation, every exploit is possible Open Source project Ability to follow a specific device through its hopping scheme

12 Bluetooth and SCADA SEL-2925 – RS-232 emulation over wireless link
Convenience Remote Telemetry and Data Acquisition Same performance degradation as WiFi in noisy environments Uses HID profile: simple, fast, negligible configuration Increasingly being used for automation Built off a commercially available Bluetooth module Encryption likely based off v2.1 SSP, with known vulnerabilities Source:

13 Hardening Bluetooth Encrypt the data at a higher layer (application layer) in the protocol stack Don’t use it! Turn Bluetooth OFF (non-discoverable, non-connectable doesn’t matter) Bluetooth in SCADA and critical infrastructure Bluetooth was designed for convenience, not security Other than lower power consumption, Bluetooth has no advantage over WiFi. Integrating Bluetooth into SCADA is inappropriate- use something else Don’t depend on Bluetooth protocol for security Bluetooth is vulnerable at nearly every layer in the protocol stack Device imitation and MITM attacks are easily completed

14 Conclusion Bluetooth security needs more attention
Lack of appropriate tools cripples penetration testing and security analysis Embedded applications Most completely omit security, assume protection in complexity Demonstrates the need for a reliable, secure, wireless communication Security must be an integral component in the initial design process, not added after the fact Realize the risk when using Bluetooth for your SCADA application.

15 References
wool-mobisys05/ ooth/releases/tag/ R2 x.php cols al_Interest_Group s/DownloadDoc.ashx?doc_id=40560 s/downloaddoc.ashx?doc_id=241363 s/DownloadDoc.ashx?doc_id=174214 s/DownloadDoc.ashx?doc_id=263754 us/specification/adopted-specifications covering-and-hacking-bluetooth.html testing/2011/10/20/the-bluetooth-dilemma version-fpga-support.html

Download ppt "Ben Cumber Kyle Swenson"

Similar presentations

Ads by Google