
1 Bluetooth Security
Ben Cumber, Kyle Swenson

2 Overview
- Introduction to Bluetooth
  - Protocol stack
  - Profiles
  - Proliferation and applications
- Security
  - Past attacks
  - Current state of the art
  - Known vulnerabilities
  - Examples; demonstration
  - Future attacks
- Hardening options: mitigating the risk
- Conclusion

3 Introduction to Bluetooth
- Convenience
- IEEE : Personal Area Network
  - Defines the medium access control (MAC) mechanisms
  - Baseband/physical layer
- 2.4 GHz (same band as Wi-Fi)
  - Adaptive frequency hopping
- Currently maintained by the Bluetooth Special Interest Group (SIG)

4 Introduction to Bluetooth: Protocols
- Mandatory Bluetooth protocols
  - Link Manager Protocol
  - Logical Link Control and Adaptation Protocol (L2CAP)
  - Service Discovery Protocol (SDP)
- Audio streaming protocols
- RFCOMM (most common)

5 Relevant Bluetooth Profiles
- Bluetooth profiles
  - Define how a device uses the Bluetooth protocols
  - All built on the core Bluetooth stack
  - Widespread integration and interoperability
  - Define the authentication and encryption used (if any)
- Human Interface Device (HID)
  - Built off the USB HID specification
  - Includes RTUs and data acquisition equipment
- Audio control and distribution
  - Bluetooth headset phone control and audio streaming
- Object Exchange (OBEX)
  - Allows file transfer and contact transfer

6 Bluetooth Security Mechanisms
- Pairing: usually requires user verification; version dependent
- Bonding: allows seamless reconnection after two devices have been paired
  - Based on a link key generated during the pairing process
  - If either device forgets the link key, it is renegotiated automatically
  - Plaintext negotiation of the encryption key
- Encryption: completely optional, dependent upon device capability

7 Bluetooth Security: The MAC Address
- Basis for all Bluetooth communication
- All devices are required to at least respond to direct connection requests, regardless of discoverability setting
- Assumed to be unique
  - With the right module, it's easy to imitate a legitimate device
  - The specification doesn't define behavior when two devices have the same MAC address
- Part of the MAC address is allocated by the SIG/IEEE
  - Publicly available
- The other part is assigned by the manufacturer

8 Bluetooth Security: The MAC Address
- Lower Address Portion (LAP)
  - Mandatory part of baseband communication
- Upper Address Portion (UAP)
  - Contains time delay information for frequency hopping
- Non-significant Address Portion (NAP)
  - UAP + NAP form the organizationally unique identifier
- Once the MAC address has been determined, the device is potentially compromised
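The address structure on this slide and the "assumed to be unique, undefined on collision" point from the previous one are worked through below as an added example (not code from the presentation). It splits a 48-bit address into NAP, UAP and LAP, recovers the IEEE-allocated OUI (NAP + UAP), and runs a defender-side audit over survey sightings: addresses whose vendor prefix is not on a site allow-list, and one address advertising under more than one device name. The display order NAP:UAP:LAP is the standard colon form; the OUIs, names and addresses in the sample data are constructed for the example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// BDAddr is a 48-bit Bluetooth device address split into the three parts the
// slide names: NAP (16 bits), UAP (8 bits) and LAP (24 bits). In the usual
// colon-separated display form the octets are written NAP:UAP:LAP.
type BDAddr struct {
	NAP uint16
	UAP uint8
	LAP uint32
}

// ParseBDAddr accepts "XX:XX:XX:XX:XX:XX" or "XX-XX-XX-XX-XX-XX" in any case.
func ParseBDAddr(s string) (BDAddr, error) {
	clean := strings.NewReplacer(":", "", "-", "").Replace(strings.TrimSpace(s))
	raw, err := hex.DecodeString(clean)
	if err != nil || len(raw) != 6 {
		return BDAddr{}, errors.New("expected six hex octets, e.g. 00:11:22:33:44:55")
	}
	return BDAddr{
		NAP: uint16(raw[0])<<8 | uint16(raw[1]),
		UAP: raw[2],
		LAP: uint32(raw[3])<<16 | uint32(raw[4])<<8 | uint32(raw[5]),
	}, nil
}

// OUI returns NAP+UAP as "XX:XX:XX": the vendor prefix allocated by the IEEE,
// i.e. the publicly listed part of the address.
func (a BDAddr) OUI() string {
	return fmt.Sprintf("%02X:%02X:%02X", a.NAP>>8, a.NAP&0xFF, a.UAP)
}

// String renders the address in canonical upper-case colon form.
func (a BDAddr) String() string {
	return fmt.Sprintf("%s:%02X:%02X:%02X", a.OUI(), a.LAP>>16, (a.LAP>>8)&0xFF, a.LAP&0xFF)
}

// Sighting is one survey observation: an address and the name it advertised.
type Sighting struct {
	Addr string
	Name string
}

// Audit returns, sorted, the addresses whose OUI is not on the allow-list and
// the addresses seen under more than one name. The second list matters because
// the specification leaves duplicate-address behaviour undefined, so a single
// address with two identities is something to investigate.
func Audit(sightings []Sighting, allowedOUIs []string) (unknownVendor, conflicting []string, err error) {
	allowed := make(map[string]bool, len(allowedOUIs))
	for _, o := range allowedOUIs {
		allowed[strings.ToUpper(o)] = true
	}
	unknown := map[string]bool{}
	namesSeen := map[string]map[string]bool{}
	for _, s := range sightings {
		a, perr := ParseBDAddr(s.Addr)
		if perr != nil {
			return nil, nil, fmt.Errorf("sighting %q: %w", s.Addr, perr)
		}
		addr := a.String()
		if !allowed[a.OUI()] {
			unknown[addr] = true
		}
		if namesSeen[addr] == nil {
			namesSeen[addr] = map[string]bool{}
		}
		namesSeen[addr][s.Name] = true
	}
	for addr := range unknown {
		unknownVendor = append(unknownVendor, addr)
	}
	for addr, names := range namesSeen {
		if len(names) > 1 {
			conflicting = append(conflicting, addr)
		}
	}
	sort.Strings(unknownVendor)
	sort.Strings(conflicting)
	return unknownVendor, conflicting, nil
}

func main() {
	// Constructed sample survey: OUI 00:11:22 stands in for "our PLC vendor".
	sightings := []Sighting{
		{"00:11:22:33:44:55", "PLC-1"},
		{"00:11:22:AA:BB:CC", "Gateway"},
		{"00:11:22:33:44:55", "Headset"}, // same address, different identity
		{"DE:AD:BE:EF:00:01", "Unknown"}, // vendor prefix not on the allow-list
	}
	unknownVendor, conflicting, err := Audit(sightings, []string{"00:11:22"})
	if err != nil {
		panic(err)
	}
	fmt.Println("unknown vendor:", unknownVendor)
	fmt.Println("conflicting identities:", conflicting)
}
```

The allow-list check only catches devices whose prefix is wrong; a clone that copies a legitimate address passes it, which is why the second check (one address, several names) is kept alongside it.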

9 Known Exploits
- BlueRanger
  - Uses the required direct connection response to gauge relative distance through the integrity of the link
- SpoofTooph
  - Scans for discoverable devices
  - Clones the device: imitates MAC address, profiles, services, names, and other "unique" characteristics
- BTCrack
  - How it works: observe a pairing, guess a 4-16 digit PIN, and check whether the hashed value of the guess matches the hashed value observed

10 Known Exploits
- BlueBugging: control a remote smartphone
  - Making/forwarding calls, sending and receiving text messages
- Snarfing: retrieve contacts or calendar
  - Uses the OBEX Push profile
  - OBEX Push doesn't require any authentication
- Carwhisperer: uses vehicular audio profiles
  - Send audio messages to the driver
  - Listen to conversations in the vehicle
- vCardBlaster (virtual business card)
  - A vCard contains contact information
  - Sends a continuous stream of vCards over Bluetooth
- Bluetooth v4.0 has already been exploited

11 Collecting Information
- Ubertooth One
  - A custom Bluetooth chip from TI (CC2400) with an LPC1768 Cortex-M3 microcontroller, attached via USB
  - $120 module, allows sniffing of Bluetooth traffic
  - Able to export packets to Wireshark and extract sensitive information
  - Spectrum analyzer
  - Simple to program, modify, and use
- With some embedded systems experience and motivation, every exploit is possible

12 Bluetooth and SCADA
- SEL-2925: RS-232 emulation over a wireless link
  - Convenience
  - Remote telemetry and data acquisition
  - Same performance degradation as Wi-Fi in noisy environments
  - Uses the HID profile: simple, fast, negligible configuration
- Increasingly being used for automation
Source: https://www.bluetooth.org/en-us/Documents/BW13_DayOne_Session3_BluetoothTrends.pdf

13 Hardening Bluetooth
- Encrypt the data at a higher layer (application layer) of the protocol stack
- Don't use it!
  - Turn Bluetooth OFF (non-discoverable or non-connectable doesn't matter)
- Bluetooth in SCADA and critical infrastructure
  - Bluetooth was designed for convenience, not security
  - Other than lower power consumption, Bluetooth has no advantage over Wi-Fi
  - Integrating Bluetooth into SCADA is inappropriate; use something else
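The first hardening option on this slide, encrypting above the Bluetooth stack, is worked through below as an added example (not code from the presentation). It is an AES-256-GCM framing layer of the kind one would put over a serial-over-Bluetooth link such as the RS-232 emulation on slide 12: each frame carries a session id and a counter that together form the GCM nonce, so a modified frame fails authentication and a captured frame cannot be replayed. Unlike the link key on slide 6, this key is never negotiated over the air. The frame layout, the function names, the constructed demo key and the assumption that the key was provisioned out of band (for example at installation) are mine, not the presentation's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire format of one protected frame (an assumption made for this example):
//   [4-byte session id][8-byte big-endian counter][AES-GCM ciphertext + 16-byte tag]
// Session id and counter form the 12-byte GCM nonce. They travel in the clear
// but are covered by the tag as associated data, so they cannot be altered.
const (
	sessionIDLen = 4
	counterLen   = 8
	nonceLen     = sessionIDLen + counterLen
)

// Sender protects outbound frames with a strictly increasing counter.
type Sender struct {
	aead      cipher.AEAD
	sessionID [sessionIDLen]byte
	counter   uint64
}

// Receiver verifies frames and refuses any counter that does not move forward.
type Receiver struct {
	aead        cipher.AEAD
	sessionID   [sessionIDLen]byte
	lastCounter uint64
}

// NewSession returns a sender/receiver pair sharing key (assumed provisioned
// out of band) and a fresh random session id, so counters from an earlier
// session can never collide with this one under the same key.
func NewSession(key []byte) (*Sender, *Receiver, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	var sid [sessionIDLen]byte
	if _, err := rand.Read(sid[:]); err != nil {
		return nil, nil, err
	}
	return &Sender{aead: aead, sessionID: sid}, &Receiver{aead: aead, sessionID: sid}, nil
}

// Seal encrypts and authenticates one application message into a frame.
func (s *Sender) Seal(plaintext []byte) ([]byte, error) {
	s.counter++
	nonce := make([]byte, nonceLen)
	copy(nonce, s.sessionID[:])
	binary.BigEndian.PutUint64(nonce[sessionIDLen:], s.counter)
	frame := make([]byte, 0, nonceLen+len(plaintext)+s.aead.Overhead())
	frame = append(frame, nonce...)
	// Seal appends ciphertext||tag after the nonce; the nonce is also the associated data.
	return s.aead.Seal(frame, nonce, plaintext, nonce), nil
}

// Open verifies one frame and returns its plaintext, or an error if the frame
// is from another session, repeats an old counter, or fails authentication.
func (r *Receiver) Open(frame []byte) ([]byte, error) {
	if len(frame) < nonceLen+r.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	nonce := frame[:nonceLen]
	if !bytes.Equal(nonce[:sessionIDLen], r.sessionID[:]) {
		return nil, errors.New("frame belongs to a different session")
	}
	ctr := binary.BigEndian.Uint64(nonce[sessionIDLen:])
	if ctr <= r.lastCounter {
		return nil, errors.New("replayed or out-of-order frame rejected")
	}
	plaintext, err := r.aead.Open(nil, nonce, frame[nonceLen:], nonce)
	if err != nil {
		return nil, errors.New("authentication failed: frame modified or wrong key")
	}
	r.lastCounter = ctr // advance only after the tag has verified
	return plaintext, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	sender, receiver, err := NewSession(key)
	if err != nil {
		panic(err)
	}
	frame, _ := sender.Seal([]byte("READ HOLDING 0x0010")) // constructed sample command
	pt, err := receiver.Open(frame)
	fmt.Printf("first delivery: %q err=%v\n", pt, err)
	_, err = receiver.Open(frame)
	fmt.Println("replay of the same frame:", err)
	frame2, _ := sender.Seal([]byte("WRITE COIL 0x0001 ON"))
	frame2[len(frame2)-1] ^= 0x01 // flip one tag bit
	_, err = receiver.Open(frame2)
	fmt.Println("tampered frame:", err)
}
```

The layer sits entirely above Bluetooth, so it works whether or not the link itself encrypts, and it stays intact if the link key is renegotiated as slide 6 describes. What it does not do is hide that the two endpoints are talking, and the 64-bit counter must be treated as single-use per key: a deployment would rekey rather than let it wrap.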

14 Conclusion
- Bluetooth security needs more attention
  - Lack of appropriate tools cripples penetration testing and security analysis
- Embedded applications
  - Most completely omit security and assume protection through complexity
  - Demonstrates the need for reliable, secure wireless communication
  - Security must be an integral component of the initial design process, not added after the fact
- Realize the risk when using Bluetooth for your SCADA application


