Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Weaknesses in Bluetooth by Markus Jakobsson and Susanne Wetzel Lucent Technologies – Bell Labs presented by Boris Kurktchiev.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Weaknesses in Bluetooth by Markus Jakobsson and Susanne Wetzel Lucent Technologies – Bell Labs presented by Boris Kurktchiev."— Presentation transcript:

1 Security Weaknesses in Bluetooth by Markus Jakobsson and Susanne Wetzel Lucent Technologies – Bell Labs presented by Boris Kurktchiev

2 What are we talking about today? Bluetooth: what it is, why is it vulnerable and can we fix it?

3 Overview What is bluetooth? How does it work? What are the problems? How do we fix it? Conclusion Personal Remarks

4 What is bluetooth? Bluetooth - is a standard and communications protocol primarily designed for low power consumption, with a short range (1-50 meters) based on low-cost microchips in each device.

5 What is bluetooth? Bluetooth enables these devices to communicate with each other when they are in range. The devices use a radio communications system, so they do not have to be in line of sight of each other

6 What is bluetooth? Essentially it is a mini wireless network between communicating nodes called Piconet. Piconet - allows one master device to interconnect with up to seven active slave devices

7 What is bluetooth?

8

9 How does it work? There are two modes of operation:  Discoverable – nodes respond to queries made by unknown devices and begin negotiations  Non-discoverable – nodes only respond to devices that it has communicated with previously Cryptography in Bluetooth is based on the SAFER+ algorithm. It defines 4 different cryptography functions E1, E21, E22, E3

10 How does it work? When communication is initiated between nodes, which just discovered each other, they begin by negotiating a link key which is later used for purposes of encryption for this and later sessions.

11 How does it work? Generation of unit key Generation of initialization key Generation of link key Mutual authentication Generation of encryption key Generation of key stream Encryption of data

12 How does it work? XXX = public value XXX = secret value XXX = sent in clear XXX = sent encrypted

13 1. Generation unit key E21 RAND A ADDR A KAKA

14 2. Generation initialization key E22 PIN IN_RAND PIN Length IN_RAND K init Length

15 3. Generation link key (1)‏ K init K A = K link K K init K A = K link

16 3. Generation link key (2)‏ K AB = K link LK_RAND A LK_RAND B E21 ADDR A ADDR B LK_RAND A LK_RAND B K AB = K link ADDR B ADDR A LK_RAND B LK A LK B

17 4. Mutual authentication ADDR B E1 ADDR B AU_RAND K link AU_RAND SRES AU_RAND K link ADDR B SRES ACO

18 5. Generation encryption key EN_RAND E3 EN_RAND K link ACO KCKC KCKC

19 6. Generation key stream E0 ADDR A clock MASTER KCKC K CIPHER ADDR A clock MASTER KCKC

20 7. Encryption of data K CIPHER DATA

21 How does it work? If for some reason a device in the network is running out of resources bluetooth utilizes a simpler version of communication.

22 Unit key K A = K link AB

23 What are the problems? Limited battery power Computational power Small amount of memory Small range Ad-hoc network Not always I/O-interface

24 What are the problems? A lot of data is transmitted in the clear If an attacker can obtain an initialisation key he/she is able to compute the link key and thus mount Man-in-The Middle attacks.

25 What are the problems? Sniffing can be done as well to an extent. Devices that are being sniffed need to be in discoverable mode. With proper equipment distribution an attacker is able to pin point the location of a node.

26 What are the problems? Location, location, location – this is the hardest and most expensive (money wise) attack that can be mounted. If an attacker is able to spread a large number of “passively” sniffing nodes then he/she will be able to record multiple identities for later use, as well as be able to pin point the location of the node based on where it has most recently been seen.

27 What are the problems? There are several problems that I see with this attack:  Money - the authors estimate $10 which is not true even 7 years later. The smallest equipped PC that I am aware of are Gum-Stick PCs which start at $80 (that's without the bluetooth module)‏

28 What are the problems?  Quantity – even with today's devices the longest straight distance you can get is about 50m in practice. So if you want to cover a building for example you will have to deploy a very large number of devices.

29 What are the problems? Eavesdropping and Impersonation – since the entire communication is based around the initialisation key if an attacker is able to guess and create a hash database of these then he/she will be able to listen in or become any of the devices in the piconet.

30 What are the problems? Eavesdropping –  Method One: in order to achieve this an attacker does not need to do much more than initiate a brute-force attack on the PIN used to setup communication. He/She can start guessing PIN # with length up to 5-6 digits and verify their correctness by engaging the victim in verification stage of the protocol.

31 What are the problems?  Method Two: the attacker will attempt to setup communication with a node using a PIN he/she has chosen, at this point the initialisation protocol kicks in and the victim sends all the needed information for the attacker to be able to run a simulated communication until he is able to generate a valid PIN and initialisation key pair.

32 What are the problems? Finally, if an attacker is able to guess a correct PIN and initialisation key pair then he is able to perform a MitM attack on the network.  Since devices can be both masters and slaves and neither has a predefined role. An attacker can force the devices to both enter a master role or a slave one, which puts them out of sync, unless the attacker transmits messages to them.

33 What are the problems? Final attack on the protocol involves the ciphers used.  In a pre-computation phase, an attacker randomly selects N internal states of the cipher, and computes the corresponding output key stream. These N key streams are sorted and stored in a database. Then M bits of the actual key-stream are observed.

34 What are the problems?  If M ∗ N > 2^132 then one expects to see a collision between the actual key-stream and a key-stream in the database.  By choosing M = N = 2^66, this shows that the cipher can be broken with time and memory complexity 2^66

35 How do we fix it? PIN Length - In order to avoid a situation in which an attacker is able to obtain the secret keys of victim devices, it is important to use su ffi ciently long and su ffi ciently random PINs. The authors determine that 64 bit PINs should be sufficient enough. Application Layer Security – using something similar to Certificates can prevent MitM attacks from happening.

36 How do we fix it? Master/Slave Relations – making sure that certain devices are not able to change status will help with MitM attacks since an attacker will not be able to jam the devices.

37 How do we fix it? Physical Protection - Our attacks on the key exchange rely on the attacker being able to detect the signals transmitted by the victim devices. The use of a Faraday’s cage (with the form factor of a metal coated plastic bag) may be useful to obtain security against this attack.

38 How do we fix it? Cipher - the attacks against the cipher can be avoided by replacing the cipher, e.g., with AES, and not to use plaintext communication in order to setup the encryption of later plaintexts.

39 Conclusion This paper is based on now defunct bluetooth standard. Most of the problems described in this paper are now taken care of in the latest version of the protocol (currently at version 2.1 with version 3.0 being in the works).

40 Personal Remarks Enable Bluetooth only when you need it Keep the device in non-discoverable mode Use long and difficult to guess PIN key when pairing the device (key such as 1234 is unacceptable)‏ Reject all unexpected pairing requests Check list of paired devices from time to time to ensure there are no unknown devices on the list Enable encryption when establishing BT connection to your PC.

41 Personal Remarks There is an attack the authors did not explore at all and that is DoSing a device: during the PIN brute-force verification, an attacker can just flood a node with these requests and prevent legitimate uses of the device due to its inability to process them. Authors never discuss the fact that the bluetooth protocol allows modifications to certain devices without any prior pairing: phonebook sharing and contact sharing. No prevention of replay attacks

42 Questions?

Download ppt "Security Weaknesses in Bluetooth by Markus Jakobsson and Susanne Wetzel Lucent Technologies – Bell Labs presented by Boris Kurktchiev."

Similar presentations

Gone in 360 Seconds: Hijacking with Hitag2

Gone in 360 Seconds: Hijacking with Hitag2
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Trust relationships in sensor networks Ruben Torres October 2004.

Trust relationships in sensor networks Ruben Torres October 2004.
Presented By: Hathal ALwageed 1.  R. Anderson, H. Chan and A. Perrig. Key Infection: Smart Trust for Smart Dust. In IEEE International Conference on.

Presented By: Hathal ALwageed 1.  R. Anderson, H. Chan and A. Perrig. Key Infection: Smart Trust for Smart Dust. In IEEE International Conference on.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
KAIS T Message-In-a-Bottle: User-Friendly and Secure Key Deployment for Sensor Nodes Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig(CMU), Sensys07 2007.

KAIS T Message-In-a-Bottle: User-Friendly and Secure Key Deployment for Sensor Nodes Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig(CMU), Sensys
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless & Network Security Lecture 10:

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless & Network Security Lecture 10:

Similar presentations

Ads by Google