Security Weaknesses in Bluetooth by Markus Jakobsson and Susanne Wetzel Lucent Technologies – Bell Labs presented by Boris Kurktchiev

What are we talking about today? Bluetooth: what it is, why is it vulnerable and can we fix it?

Overview What is bluetooth? How does it work? What are the problems? How do we fix it? Conclusion Personal Remarks

What is bluetooth? Bluetooth - is a standard and communications protocol primarily designed for low power consumption, with a short range (1-50 meters) based on low-cost microchips in each device.

What is bluetooth? Bluetooth enables these devices to communicate with each other when they are in range. The devices use a radio communications system, so they do not have to be in line of sight of each other

What is bluetooth? Essentially it is a mini wireless network between communicating nodes called Piconet. Piconet - allows one master device to interconnect with up to seven active slave devices

What is bluetooth?

How does it work? There are two modes of operation:  Discoverable – nodes respond to queries made by unknown devices and begin negotiations  Non-discoverable – nodes only respond to devices that it has communicated with previously Cryptography in Bluetooth is based on the SAFER+ algorithm. It defines 4 different cryptography functions E1, E21, E22, E3

How does it work? When communication is initiated between nodes, which just discovered each other, they begin by negotiating a link key which is later used for purposes of encryption for this and later sessions.

How does it work? Generation of unit key Generation of initialization key Generation of link key Mutual authentication Generation of encryption key Generation of key stream Encryption of data

How does it work? XXX = public value XXX = secret value XXX = sent in clear XXX = sent encrypted

1. Generation unit key E21 RAND A ADDR A KAKA

2. Generation initialization key E22 PIN IN_RAND PIN Length IN_RAND K init Length

3. Generation link key (1)‏ K init K A = K link K K init K A = K link

3. Generation link key (2)‏ K AB = K link LK_RAND A LK_RAND B E21 ADDR A ADDR B LK_RAND A LK_RAND B K AB = K link ADDR B ADDR A LK_RAND B LK A LK B

4. Mutual authentication ADDR B E1 ADDR B AU_RAND K link AU_RAND SRES AU_RAND K link ADDR B SRES ACO

5. Generation encryption key EN_RAND E3 EN_RAND K link ACO KCKC KCKC

6. Generation key stream E0 ADDR A clock MASTER KCKC K CIPHER ADDR A clock MASTER KCKC

7. Encryption of data K CIPHER DATA

How does it work? If for some reason a device in the network is running out of resources bluetooth utilizes a simpler version of communication.

Unit key K A = K link AB

What are the problems? Limited battery power Computational power Small amount of memory Small range Ad-hoc network Not always I/O-interface

What are the problems? A lot of data is transmitted in the clear If an attacker can obtain an initialisation key he/she is able to compute the link key and thus mount Man-in-The Middle attacks.

What are the problems? Sniffing can be done as well to an extent. Devices that are being sniffed need to be in discoverable mode. With proper equipment distribution an attacker is able to pin point the location of a node.

What are the problems? Location, location, location – this is the hardest and most expensive (money wise) attack that can be mounted. If an attacker is able to spread a large number of “passively” sniffing nodes then he/she will be able to record multiple identities for later use, as well as be able to pin point the location of the node based on where it has most recently been seen.

What are the problems? There are several problems that I see with this attack:  Money - the authors estimate $10 which is not true even 7 years later. The smallest equipped PC that I am aware of are Gum-Stick PCs which start at $80 (that's without the bluetooth module)‏

What are the problems?  Quantity – even with today's devices the longest straight distance you can get is about 50m in practice. So if you want to cover a building for example you will have to deploy a very large number of devices.

What are the problems? Eavesdropping and Impersonation – since the entire communication is based around the initialisation key if an attacker is able to guess and create a hash database of these then he/she will be able to listen in or become any of the devices in the piconet.

What are the problems? Eavesdropping –  Method One: in order to achieve this an attacker does not need to do much more than initiate a brute-force attack on the PIN used to setup communication. He/She can start guessing PIN # with length up to 5-6 digits and verify their correctness by engaging the victim in verification stage of the protocol.

What are the problems?  Method Two: the attacker will attempt to setup communication with a node using a PIN he/she has chosen, at this point the initialisation protocol kicks in and the victim sends all the needed information for the attacker to be able to run a simulated communication until he is able to generate a valid PIN and initialisation key pair.

What are the problems? Finally, if an attacker is able to guess a correct PIN and initialisation key pair then he is able to perform a MitM attack on the network.  Since devices can be both masters and slaves and neither has a predefined role. An attacker can force the devices to both enter a master role or a slave one, which puts them out of sync, unless the attacker transmits messages to them.

What are the problems? Final attack on the protocol involves the ciphers used.  In a pre-computation phase, an attacker randomly selects N internal states of the cipher, and computes the corresponding output key stream. These N key streams are sorted and stored in a database. Then M bits of the actual key-stream are observed.

What are the problems?  If M ∗ N > 2^132 then one expects to see a collision between the actual key-stream and a key-stream in the database.  By choosing M = N = 2^66, this shows that the cipher can be broken with time and memory complexity 2^66

How do we fix it? PIN Length - In order to avoid a situation in which an attacker is able to obtain the secret keys of victim devices, it is important to use su ffi ciently long and su ffi ciently random PINs. The authors determine that 64 bit PINs should be sufficient enough. Application Layer Security – using something similar to Certificates can prevent MitM attacks from happening.

How do we fix it? Master/Slave Relations – making sure that certain devices are not able to change status will help with MitM attacks since an attacker will not be able to jam the devices.

How do we fix it? Physical Protection - Our attacks on the key exchange rely on the attacker being able to detect the signals transmitted by the victim devices. The use of a Faraday’s cage (with the form factor of a metal coated plastic bag) may be useful to obtain security against this attack.

How do we fix it? Cipher - the attacks against the cipher can be avoided by replacing the cipher, e.g., with AES, and not to use plaintext communication in order to setup the encryption of later plaintexts.

Conclusion This paper is based on now defunct bluetooth standard. Most of the problems described in this paper are now taken care of in the latest version of the protocol (currently at version 2.1 with version 3.0 being in the works).

Personal Remarks Enable Bluetooth only when you need it Keep the device in non-discoverable mode Use long and difficult to guess PIN key when pairing the device (key such as 1234 is unacceptable)‏ Reject all unexpected pairing requests Check list of paired devices from time to time to ensure there are no unknown devices on the list Enable encryption when establishing BT connection to your PC.

Personal Remarks There is an attack the authors did not explore at all and that is DoSing a device: during the PIN brute-force verification, an attacker can just flood a node with these requests and prevent legitimate uses of the device due to its inability to process them. Authors never discuss the fact that the bluetooth protocol allows modifications to certain devices without any prior pairing: phonebook sharing and contact sharing. No prevention of replay attacks

Questions?