Bluetooth Security
Ben Cumber, Kyle Swenson

Overview
- Introduction to Bluetooth: proliferation and applications, protocol stack, profiles
- Security: past attacks, current state of the art, known vulnerabilities, examples and demonstration, future attacks
- Hardening options: mitigating the risk
- Conclusion

Introduction to Bluetooth
- Convenience
- IEEE 802.15.1: Personal Area Network; defines the medium access control (MAC) mechanisms
- Baseband/physical layer: 2.4 GHz (same band as Wi-Fi), adaptive frequency hopping (AFH)
- Currently maintained by the Bluetooth Special Interest Group (SIG)
Speaker notes: AFH = 1600 channel hops per second, determined by a negotiated pseudo-random sequence. The Bluetooth SIG is the corporation that licenses Bluetooth; to sell, manufacture or rebrand any product with Bluetooth requires SIG membership.

Introduction to Bluetooth: Protocols
- Mandatory Bluetooth protocols: Link Manager Protocol (LMP), Logical Link Control and Adaptation Protocol (L2CAP), Service Discovery Protocol (SDP)
- Audio streaming protocols
- RFCOMM (most common)
Speaker notes: The Link Manager Protocol manages the radio link between devices for the session. L2CAP manages logical connections to the higher layers through the protocol service multiplexer (PSM). SDP is a standardized format for devices to list the profiles and services they offer. RFCOMM is an EIA RS-232 emulation, token based and reliable, meant to be a cable replacement; it is transmitted in plaintext.
Figures: http://www.mnl.com/images/thelink/bluetooth_fig2.gif and http://upload.wikimedia.org/wikipedia/commons/9/9f/Bluetooth_protokoly.svg

Relevant Bluetooth Profiles
- A profile defines how a device uses the Bluetooth protocols; all profiles are built on the core Bluetooth stack
- Widespread integration and interoperability
- The profile defines the authentication and encryption (if any)
- Human Interface Device (HID): built off the USB HID specification; includes RTUs and data acquisition equipment
- Audio Control and Distribution: Bluetooth headset phone control and audio streaming
- Object Exchange (OBEX): allows file transfer and contact transfer
Speaker notes: Profiles give widespread integration and interoperability; over 40 different profiles have been defined and adopted. HID is universal plug-and-play, the idea of virtual cables.

Bluetooth Security Mechanisms
- Pairing: usually requires user verification; version dependent
- Bonding: allows seamless reconnection after two devices have been paired. Based on a link key generated during the pairing process; if either device forgets the link key, it is renegotiated automatically. The encryption key is negotiated in plaintext.
- Encryption: completely optional, dependent on device capability
- Bluetooth leaves security up to the user and depends on short-range communication, which offers a little security
Speaker notes: Pairing: enter a 4-16 digit PIN, or verify a PIN number; if one device doesn't support security, it simply isn't used. Bonding: when two devices are bonded, it's possible to force a pairing by injecting a few bad packets. We want to stress: authentication and encryption are profile and device dependent. Encryption and authentication are optional, but suggested.

Bluetooth Security: The MAC Address
- Basis for all Bluetooth communication
- All devices are required to at least respond to direct connection requests, regardless of discoverability setting
- Assumed to be unique; with the right module, it's easy to imitate a legitimate device. The specification doesn't define behavior when two devices have the same MAC address.
- Part of the MAC address is allocated by the SIG/IEEE and is publicly available; the other part is assigned by the manufacturer
Speaker notes: The MAC address is the basis for all Bluetooth communication: it affects the channel hopping sequence and timing, and implicitly defines the seeds for the pseudo-random number generation used in encryption and authentication. Devices are required to respond: all of this is encapsulated in the Frequency Hop Synchronization (FHS) packet, which completely describes the communication parameters and is the required response when a direct connection request is received. It contains the "unique" 48-bit Bluetooth MAC, class of device, clock information, channel information, Bluetooth version, etc.

Bluetooth Security: The MAC Address
- Lower Address Portion (LAP): mandatory part of baseband communication
- Upper Address Portion (UAP): contains time delay information for frequency hopping
- Non-significant Address Portion (NAP): UAP + NAP form the organizationally unique identifier (OUI)
- Once the MAC address has been determined, the device is potentially compromised
Speaker notes: The LAP is easily discovered, as you will see in our demo. The UAP can be discovered through brute force once you know the LAP.
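As an added illustration of the two MAC address slides (not code from the presentation), the Python below splits a 48-bit BD_ADDR into its NAP, UAP and LAP parts and then walks a constructed scan log looking for one address that shows up with conflicting names or device classes, which is the symptom a defender can watch for when a device is being imitated. The scan records, names and class-of-device values are made up for the example.

```python
"""Parse Bluetooth device addresses into NAP/UAP/LAP and flag an address
that is seen with more than one fingerprint. Added example, not from the slides."""
from collections import defaultdict

def parse_bd_addr(addr: str) -> dict:
    """Split a BD_ADDR written as 'NN:NN:UU:LL:LL:LL' into its parts.
    NAP = upper 16 bits, UAP = next 8 bits, LAP = lower 24 bits.
    NAP + UAP is the IEEE-assigned OUI (public); LAP is set by the manufacturer."""
    parts = addr.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed BD_ADDR: {addr}")
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"malformed BD_ADDR: {addr}")
    value = int.from_bytes(bytes(octets), "big")
    return {
        "nap": value >> 32,
        "uap": (value >> 24) & 0xFF,
        "lap": value & 0xFFFFFF,
        "oui": value >> 24,          # NAP + UAP, the publicly allocated part
    }

# Constructed scan records: (BD_ADDR, advertised name, class of device).
SCAN_LOG = [
    ("00:1A:7D:DA:71:13", "HMI-Panel-3", 0x1F00),
    ("00:1A:7D:DA:71:14", "Telemetry-RTU-7", 0x1F00),
    ("00:1A:7D:DA:71:13", "HMI-Panel-3", 0x1F00),    # same device seen again
    ("00:1A:7D:DA:71:13", "HMI-Panel-3", 0x002540),  # same address, other class
]

def find_cloned_addresses(records):
    """Return {addr: [fingerprints]} for addresses seen with more than one
    (name, class-of-device) pair. The spec leaves behaviour undefined when two
    devices share an address, so a mismatch like this deserves an alert."""
    seen = defaultdict(set)
    for addr, name, cod in records:
        parse_bd_addr(addr)          # reject garbage before it reaches the report
        seen[addr].add((name, cod))
    return {addr: sorted(fps) for addr, fps in seen.items() if len(fps) > 1}
```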

Known Exploits
- BlueRanger: uses the required direct connection response to gauge relative distance through the integrity of the link
- SpoofTooph: scans for discoverable devices and clones a device, imitating its MAC address, profiles, services, names and other "unique" characteristics
- BTCrack. How it works: observe a pairing, guess a 4-16 digit PIN, and check whether the hashed value of the PIN matches the hashed value that you observed
Speaker notes: BlueRanger also collects data on the target and gets the relative location of the device. SpoofTooph extracts information using SDP (Service Discovery Protocol) and the Frequency Hop Synchronization packet, causing disconnections and MITM attacks. BTCrack challenges: forcing a pairing (by injecting a bad packet), and actually observing the pairing, which requires a large-bandwidth spectrum analyzer costing around $10,000, or the Ubertooth One.

Known Exploits
- BlueBugging: control a remote smartphone; making/forwarding calls, sending and receiving text messages
- Snarfing: retrieve contacts or calendar; uses the OBEX Push profile, which doesn't require any authentication
- Carwhisperer: uses vehicular audio profiles; send audio messages to the driver, listen to conversations in the vehicle
- vCardBlaster (virtual business card): a vCard contains contact information; sends a continuous stream of vCards over Bluetooth
- Bluetooth v4.0 has already been exploited
Speaker notes: BlueBugging: the idea is to emulate a headset. Snarfing: OBEX is "Object Exchange"; it often doesn't even notify the user. vCardBlaster: target a single user or all devices in range; contact info can be specific or generated; used to fill up disk space or add a bunch of random contacts.

Collecting Information: Ubertooth One
- A custom Bluetooth chip from TI (CC2400) with an LPC1768 Cortex-M3 microcontroller, attached via USB
- $120 module; allows sniffing of Bluetooth traffic
- Able to export packets to Wireshark, from which sensitive information can be obtained
- Spectrum analyzer
- Simple to program, modify and use; with some embedded systems experience and motivation, every exploit is possible
- Open source project
- Ability to follow a specific device through its hopping scheme

Bluetooth and SCADA
- SEL-2925: RS-232 emulation over a wireless link
- Convenience: remote telemetry and data acquisition
- Same performance degradation as Wi-Fi in noisy environments
- Uses the HID profile: simple, fast, negligible configuration
- Increasingly being used for automation
- Built off a commercially available Bluetooth module; encryption likely based on v2.1 Secure Simple Pairing (SSP), with known vulnerabilities
Source: https://www.bluetooth.org/en-us/Documents/BW13_DayOne_Session3_BluetoothTrends.pdf

Hardening Bluetooth
- Encrypt the data at a higher layer (application layer) in the protocol stack
- Don't use it! Turn Bluetooth OFF (non-discoverable or non-connectable doesn't matter)
- Bluetooth in SCADA and critical infrastructure: Bluetooth was designed for convenience, not security. Other than lower power consumption, Bluetooth has no advantage over Wi-Fi. Integrating Bluetooth into SCADA is inappropriate; use something else.
- Don't depend on the Bluetooth protocol for security: Bluetooth is vulnerable at nearly every layer in the protocol stack, and device imitation and MITM attacks are easily completed
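The first hardening point, encrypting above the Bluetooth stack, is shown here as an added example (not code from the presentation) for the RS-232-over-RFCOMM case the SCADA slide describes: each serial frame is encrypted and then authenticated with a sequence number, so a receiver discards frames that were injected, modified or replayed over the plaintext link. It assumes one direction of traffic, a shared secret already provisioned out of band, and a sender that never reuses a sequence number; the keystream is built from HMAC-SHA256 in counter mode so the example needs only the standard library.

```python
"""Application-layer protection for a plaintext RFCOMM/RS-232 link.
Added example: encrypt-then-MAC framing with a strictly increasing sequence
number. Keys derive from a shared secret provisioned out of band (assumed)."""
import hashlib
import hmac
import struct

def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; (seq, block) never repeats for a key,
    # so the sender must never reuse a sequence number under the same secret.
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
    return out[:n]

def derive_keys(shared_secret: bytes):
    """Separate encryption and MAC keys from one shared secret (one direction)."""
    enc = hmac.new(shared_secret, b"rfcomm-enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"rfcomm-mac", hashlib.sha256).digest()
    return enc, mac

def seal(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 8-byte seq || ciphertext || 32-byte tag over (seq || ciphertext)."""
    ks = _keystream(enc_key, seq, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    header = struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag

class Receiver:
    """Verifies the tag first, then enforces strictly increasing sequence numbers."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, -1

    def open(self, frame: bytes):
        """Return the plaintext, or None for a truncated, forged, altered or replayed frame."""
        if len(frame) < 40:
            return None
        header, ct, tag = frame[:8], frame[8:-32], frame[-32:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                     # injected or modified on the air
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None                     # replay of an earlier frame
        self.last_seq = seq
        ks = _keystream(self.enc_key, seq, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))
```

For a deployed link, a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 with the same sequence-number discipline is the better choice; the point here is that the protection lives above the Bluetooth stack, so it does not depend on what the pairing or the profile negotiated.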

Conclusion
- Bluetooth security needs more attention; the lack of appropriate tools cripples penetration testing and security analysis
- Embedded applications: most completely omit security and assume protection in complexity
- This demonstrates the need for reliable, secure wireless communication
- Security must be an integral component of the initial design process, not added after the fact
- Realize the risk when using Bluetooth for your SCADA application
