BLUETOOTH DEVICE DETECTION


2 BLUETOOTH DEVICE DETECTION
MARTIN DAVIES, CISA, CISM, CRISC PRAMERICA SYSTEMS IRELAND LTD.

3 Today's Presentation
A summary of a dissertation submitted for a taught Masters course: MSc in Computing in Systems & Software Security
From: Letterkenny Institute of Technology
Thesis Title: Improving Compliance With Bluetooth Device Detection
Thesis Supervisor: Dr. Eoghan Furey
Thesis Available Here:

4 Bluetooth – The Leaky Sieve of the Wireless World

5 Presentation Outline
1. Bluetooth Technology Basics
2. Bluetooth Hardware
3. Ubertooth One
4. Bluetooth Software
5. Experiment – Bluetooth Discovery
6. Current Guidance
7. Conclusions & Advice

6 1. Bluetooth Technology Basics

7 Bluetooth background
- Stable, well documented, well established technology, over 20 years old.
- Five companies (Ericsson, Nokia, IBM, Toshiba and Intel) formed the Bluetooth Special Interest Group (SIG).
- Primary purpose: to replace wires and cables.
- Now a ubiquitous technology: 10 billion devices by 2018 (Statista, 2015).

8 Bluetooth background
- Discoverable devices are easy to audit with standard Class 1 Bluetooth dongles.
- Until recently, there was no reasonable solution* to detect and characterize non-discoverable Bluetooth devices. Bluetooth was:
  - Difficult to passively monitor
  - Expensive to passively monitor
- This has now changed: Ubertooth One.

Keeping a Bluetooth device in 'discoverable' mode allows other gadgets with Bluetooth to locate it within a certain range. Non-discoverable mode is similar to telling your WiFi SSID (Service Set Identifier) to stop broadcasting.

9 Bluetooth vs WiFi

                     WiFi                                       Bluetooth (Classic)
Standard             802.11 (WiFi)                              802.15 (WPAN)
Frequency band       2.4 & 5 GHz                                2.4 GHz
Channel use          Stays on frequency (unless interference)   Frequency Hopping Spread Spectrum (FHSS)
Power consumption    High                                       Low
Data rate            250 Mbps (10x faster)                      25 Mbps (Bluetooth 4.0)
Typical range        <100 metres                                <30 metres
Address              MAC Address                                BD_ADDR: 11:22:33:44:55:FF

Both are Institute of Electrical and Electronics Engineers (IEEE) standards.
FHSS: 1600 hops per second.
Common WiFi variants: 802.11a 5 GHz; 802.11b 2.4 GHz; 802.11g 2.4 GHz; 802.11n 2.4 & 5 GHz.
The BD_ADDR is a 48-bit MAC address, just like the MAC address of an Ethernet device: a 48-bit identifier with six bytes of information.

10 Bluetooth Channels (Chl = channel number, frequency in MHz)

Chl  MHz   Chl  MHz   Chl  MHz   Chl  MHz   Chl  MHz   Chl  MHz   Chl  MHz   Chl  MHz
  1  2402   11  2412   21  2422   31  2432   41  2442   51  2452   61  2462   71  2472
  2  2403   12  2413   22  2423   32  2433   42  2443   52  2453   62  2463   72  2473
  3  2404   13  2414   23  2424   33  2434   43  2444   53  2454   63  2464   73  2474
  4  2405   14  2415   24  2425   34  2435   44  2445   54  2455   64  2465   74  2475
  5  2406   15  2416   25  2426   35  2436   45  2446   55  2456   65  2466   75  2476
  6  2407   16  2417   26  2427   36  2437   46  2447   56  2457   66  2467   76  2477
  7  2408   17  2418   27  2428   37  2438   47  2448   57  2458   67  2468   77  2478
  8  2409   18  2419   28  2429   38  2439   48  2449   58  2459   68  2469   78  2479
  9  2410   19  2420   29  2430   39  2440   49  2450   59  2460   69  2470   79  2480
 10  2411   20  2421   30  2431   40  2441   50  2451   60  2461   70  2471

The Bluetooth channels are spaced 1 MHz apart, beginning at 2402 MHz and ending at 2480 MHz. This arrangement of 79 individual Bluetooth channels gives a guard band of 2 MHz at the bottom and 3.5 MHz at the top. It should be noted that the 2472 MHz and 2480 MHz bands are outside the standard operating frequencies for WiFi (in the US); they are highlighted in red on the slide.

11 Bluetooth Classes

Class     Maximum Permitted Power (mW)   Typical Range
–         200 mW (Aircable Host XR)      >100 metres
Class 1   100 mW                         ~100 metres
Class 2   2.5 mW                         ~10 metres
Class 3   1 mW                           ~1 metre

Class 1 devices have the ability to increase or decrease their transmission power to the appropriate level based on the Received Signal Strength Indicator (RSSI) reading. This has implications when attempting to physically track a device. Class 2 and 3 devices do not have this capability, as they seek to conserve power and focus on shorter communication distances. Class 1 Bluetooth devices transmitting at 100 mW may have a range of 100 metres (328 feet), comparable to an 802.11b WLAN device.

12 Bluetooth Device Address – MAC Address vs BD_ADDR

WiFi MAC Address (11:22:33:44:55:FF):
- 11:22:33 – Organizationally Unique Identifier (OUI)
- 44:55:FF – Network Interface Controller (NIC) specific; the manufacturer ensures this part is unique

Bluetooth Device Address (11:22:33:44:55:FF):
- 11:22 – Non-Significant Address Part (NAP)
- 33 – Upper Address Part (UAP)
- 44:55:FF – Lower Address Part (LAP)

The BD_ADDR is a 6 byte (48 bit) MAC address, just like the MAC address of an Ethernet device.
11:22 – 2 bytes – Non-significant Address Part (NAP)
33 – 1 byte – Upper Address Part (UAP)
44:55:FF – 3 bytes – Lower Address Part (LAP)
NAP+UAP (3 bytes) = OUI, assigned to the manufacturer
LAP (3 bytes) – assigned by the manufacturer
[Figure: Apple MAC example]

13 Bluetooth Only – BD_ADDR

NAP (2 bytes)   UAP (1 byte)   LAP (3 bytes)
11:22           33             44:55:FF
OUI, assigned to manufacturer  |  Assigned by manufacturer

33 – Upper Address Part (1 byte); 44:55:FF – Lower Address Part (3 bytes).
Since the Upper Address Part (UAP) is only 1 byte, if you have the LAP you will very quickly be able to interact with the device, as you need at most 2^8 (256) guesses before it is found.

14 BD_ADDR – UAP Guessing
The LAP (44:55:FF) consists of the lower 3 bytes of the BD_ADDR and is the only part of the address that is transmitted with every packet, so it can be sniffed...
+ Only the lower 4 bytes, LAP+UAP (00:00:33:44:55:FF), are needed to communicate with the Bluetooth device, not all 6 bytes.
= If you can sniff 44:55:FF, then you only need 2^8 guesses (256 guesses) to find 33 (the UAP).

33 – Upper Address Part; 44:55:FF – Lower Address Part.
Since the Upper Address Part (UAP) is only 8 bits long, if you have the LAP you will very quickly be able to interact with the device, as you need at most 2^8 (256) guesses before it is found.
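As an added example (not from the thesis or the slides), here is a small Python parser that splits a BD_ADDR into the NAP, UAP and LAP fields described above and makes the two observations on this slide concrete: the LAP is the only part a passive observer gets from every packet, and the UAP search space is 2^8. The class, function and regular-expression names are my own.

```python
import re
from dataclasses import dataclass

# Colon-separated 48-bit address, e.g. 11:22:33:44:55:FF (format assumed for this example).
_BD_ADDR_RE = re.compile(r"^([0-9A-Fa-f]{2})(?::[0-9A-Fa-f]{2}){5}$")

# One byte of UAP: at most 256 candidates once the LAP is known.
UAP_SEARCH_SPACE = 2 ** 8


@dataclass(frozen=True)
class BdAddr:
    nap: str   # Non-significant Address Part, upper 2 bytes ("11:22")
    uap: str   # Upper Address Part, 1 byte ("33")
    lap: str   # Lower Address Part, lower 3 bytes ("44:55:FF")

    @property
    def oui(self) -> str:
        """NAP + UAP: the Organizationally Unique Identifier assigned to the manufacturer."""
        return f"{self.nap}:{self.uap}"

    @property
    def partial(self) -> str:
        """The 4 bytes (UAP + LAP) the slide says suffice to address a device,
        in the slide's zero-padded form 00:00:33:44:55:FF."""
        return f"00:00:{self.uap}:{self.lap}"


def parse_bd_addr(text: str) -> BdAddr:
    """Split a BD_ADDR into NAP, UAP and LAP; reject anything that is not 6 colon-separated octets."""
    if not _BD_ADDR_RE.match(text):
        raise ValueError(f"not a BD_ADDR: {text!r}")
    octets = text.upper().split(":")
    return BdAddr(nap=":".join(octets[0:2]), uap=octets[2], lap=":".join(octets[3:6]))


def lap_seen_in_packet(addr: str) -> str:
    """The only address field carried in every packet (and therefore sniffable): the LAP."""
    return parse_bd_addr(addr).lap


def same_manufacturer(a: str, b: str) -> bool:
    """True when two BD_ADDRs share an OUI, i.e. the same NAP and UAP."""
    return parse_bd_addr(a).oui == parse_bd_addr(b).oui


if __name__ == "__main__":
    addr = parse_bd_addr("11:22:33:44:55:FF")
    print(addr, "OUI:", addr.oui, "on-air LAP:", addr.lap, "partial:", addr.partial)
    print("UAP candidates once the LAP is known:", UAP_SEARCH_SPACE)
```

Comparing OUIs is what lets an auditor tell whether a batch of cheap dongles really came from the same vendor, a point the hardware slides return to later.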

15 2. Bluetooth Hardware

16 Antennas 101
An antenna (aerial) is an electrical device which converts electric power into radio waves, and vice versa. It is usually used with a radio transmitter or a radio receiver, or both (a transceiver). Antennas can be designed to transmit and receive radio waves in all horizontal directions equally (omnidirectional antennas), or in a particular direction (directional, high-gain antennas).
Information Source:

17 Let's talk antennas
These are obviously Class 3 devices... maybe Class 2?? How do we know? Typically these types of devices will roll off the manufacturing belt with the same manufacturer LAPs...

18 Antennas - Tiny

19 Antennas - Bigger is Better
Antennas are obviously an issue – this respected Bluetooth dongle from Linksys had a three inch one built in...

20 Antennas - Size does matter
Cantenna – plugged into a wireless router in this shot. Not a problem: WiFi and Bluetooth both use the 2.4 GHz range...

21 Antennas - Size does matter
2.4 GHz outdoor Yagi antenna, 18 dBi, sold as a WiFi signal booster. These bigger antennas need a cable...

22 Pigtails – Difficult
Some difficult soldering and gluing – time consuming... Adding an RP-SMA connector (Reverse Polarity – SubMiniature version A).

23 Pigtails – Difficult
Some difficult soldering and gluing – time consuming...

24 Pigtails – Easy Class 1 device

25 Pigtails – Easy Class 1 device

26 3. Ubertooth One

27 Ubertooth One
Created by Michael Ossmann.
- Transmit power and receive sensitivity comparable to a Class 1 Bluetooth device.
- 2.4 GHz transmit and receive.
- Can sniff LAPs. LAP sniffing allows you to identify devices operating in your vicinity.
- Six indicator LEDs.
- Standard Cortex Debug Connector (10-pin 50-mil JTAG).
- In-System Programming (ISP) serial connector.

33 – Upper Address Part; 44:55:FF – Lower Address Part. Since the Upper Address Part (UAP) is only 8 bits long, if you have the LAP you will very quickly be able to interact with the device, as you need at most 2^8 (256) guesses before it is found.

28 Ubertooth One

29 Ubertooth One – the business side of the device
ARM Cortex-M3: around since 2004, used in Arduinos; a 32-bit RISC ARM processor core.

30 Ubertooth One – in armour
Comes without a case – a Dremel and an old orange highlighter came in handy. Never operate your Ubertooth One without an antenna connected (advice from Michael Ossmann).

31 Ubertooth One – Competition
2015 price…

32 4. Bluetooth Software

33 BlueZ

Tool       Description
hciconfig  Configure the basic properties of local adapters
hcitool    Detect nearby devices; display information on and adjust low-level connections
sdptool    Search for and browse SDP services; basic configuration of locally advertised services
hcidump    Low-level debugging of connection setup and data traffic
l2ping     Test L2CAP connection functionality
uuidgen    Generates a unique UUID for use with SDP

Table taken from Bluetooth Linux Tools Quick Reference (Huang & Rudolph, 2007, p. 180)

34 BlueZ command example 1: hciconfig (provides the BD_ADDR)
Running the hciconfig command without any options displays the local Bluetooth adapters (devices) that are connected.

35 BlueZ command example 2: hciconfig hciX -a (provides more information)
hciconfig hci0 -a produces a wealth of information...
- HCI – Host Controller Interface (the lowest level that can be accessed by developers)
- LMP – Link Manager Protocol (hardware level information)
Very useful for verifying your own hardware.
Class is a 24-bit hex number describing the class of device, as specified in section 1.2 of the Bluetooth Assigned Numbers document.

The effective range varies due to propagation conditions, material coverage, production sample variations, antenna configurations and battery conditions. Most Bluetooth applications are for indoor conditions, where attenuation of walls and signal fading due to signal reflections make the range far lower than the specified line-of-sight ranges of the Bluetooth products. Most Bluetooth applications are battery powered Class 2 devices, with little difference in range whether the other end of the link is a Class 1 or Class 2 device, as the lower powered device tends to set the range limit. In some cases the effective range of the data link can be extended when a Class 2 device is connecting to a Class 1 transceiver with both higher sensitivity and transmission power than a typical Class 2 device. Mostly, however, the Class 1 devices have a similar sensitivity to Class 2 devices. Connecting two Class 1 devices with both high sensitivity and high power can allow ranges far in excess of the typical 100 m, depending on the throughput required by the application. Some such devices allow open field ranges of up to 1 km and beyond between two similar devices without exceeding legal emission limits. The Bluetooth Core Specification mandates a range of not less than 10 metres (33 ft), but there is no upper limit on actual range. Manufacturers' implementations can be tuned to provide the range needed for each case.

36 Why is this useful?
hciconfig can throw up a few problems:
- Manufacturers will often mislabel devices as Class 1 when they are actually Class 2, or sometimes even Class 3.
- Cheap Bluetooth devices very often come off the conveyor belt with the same BD_ADDR.
- Entirely different chipsets.
It is also common for the very cheap adaptors to have duplicate MAC addresses; rather than writing a new MAC address to each device's firmware as it rolls off the line, it is cheaper for the manufacturer to leave them all with the default.

37 Problem example

                          Linksys Unmodified Device          Linksys Modified Device
Manufacturer              Linksys USBBT100                   Linksys USBBT100
Power Class               Class 1 (13~17 dBm)                Class 1 (13~17 dBm)
Antenna                   1.2 dBi                            5 dBi (attached to pigtail)
BD Address                00:0C:41:E2:77:7B                  00:13:10:5D:3F:55
HCI Version               1.1                                1.2
LMP Version
Manufacturer ID           Cambridge Silicon Radio (10)       Broadcom Corporation (15)
Bluetooth Specification   Bluetooth Core Specification 1.1   Bluetooth Core Specification 1.1

Did not expect to see an entirely different chipset in each device... What if you wanted to use CSRCrack (Max Moser)?
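To show how the hciconfig output discussed on the last three slides can be checked across a set of adapters, here is an added Python example; it is not the thesis's code and not part of BlueZ. It parses text in the layout that `hciconfig -a` prints (field names as in BlueZ), decodes the major device class from the 24-bit Class of Device field (bits 12..8; this is the Class of Device from Bluetooth Assigned Numbers, not the power class), flags adapters that report the same BD_ADDR, and flags adapters whose ISCAN (inquiry scan) flag shows them as discoverable. The sample output is constructed: hci0 and hci1 carry the two Linksys adapters' values from the table above, hci2 is invented to show a duplicated BD_ADDR, and the MTU, revision and subversion values are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout BlueZ's `hciconfig -a` prints. hci0/hci1 use the
# slide's two Linksys adapters; hci2 is invented to show a duplicate BD_ADDR.
# ISCAN on hci1 marks that adapter as discoverable.
SAMPLE_HCICONFIG = """\
hci0:\tType: BR/EDR  Bus: USB
\tBD Address: 00:0C:41:E2:77:7B  ACL MTU: 192:8  SCO MTU: 64:8
\tUP RUNNING PSCAN
\tClass: 0x000104
\tHCI Version: 1.1 (0x1)  Revision: 0x20d
\tLMP Version: 1.1 (0x1)  Subversion: 0x20d
\tManufacturer: Cambridge Silicon Radio (10)

hci1:\tType: BR/EDR  Bus: USB
\tBD Address: 00:13:10:5D:3F:55  ACL MTU: 1017:8  SCO MTU: 64:8
\tUP RUNNING PSCAN ISCAN
\tClass: 0x000104
\tHCI Version: 1.2 (0x2)  Revision: 0x1fb
\tLMP Version: 1.2 (0x2)  Subversion: 0x1fb
\tManufacturer: Broadcom Corporation (15)

hci2:\tType: BR/EDR  Bus: USB
\tBD Address: 00:0C:41:E2:77:7B  ACL MTU: 192:8  SCO MTU: 64:8
\tUP RUNNING PSCAN
\tClass: 0x000104
\tHCI Version: 1.1 (0x1)  Revision: 0x20d
\tLMP Version: 1.1 (0x1)  Subversion: 0x20d
\tManufacturer: Cambridge Silicon Radio (10)
"""

# Major device class = bits 12..8 of the 24-bit Class of Device (Bluetooth Assigned Numbers).
MAJOR_DEVICE_CLASS = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy",
    9: "Health", 31: "Uncategorized",
}

_FIELD_RES = {
    "bd_addr": re.compile(r"BD Address:\s*([0-9A-F:]{17})", re.I),
    "cod": re.compile(r"^\s*Class:\s*0x([0-9A-F]{6})", re.I | re.M),
    "hci_version": re.compile(r"HCI Ver(?:sion)?:\s*([\d.]+)", re.I),
    "lmp_version": re.compile(r"LMP Ver(?:sion)?:\s*([\d.]+)", re.I),
}
_MANUFACTURER_RE = re.compile(r"Manufacturer:\s*(.+?)\s*\((\d+)\)")
# The status line is the only line made up solely of upper-case flag words (UP RUNNING PSCAN ...).
_FLAGS_RE = re.compile(r"^\s*([A-Z]+(?:\s+[A-Z]+)*)\s*$", re.M)


def parse_hciconfig(text: str) -> dict:
    """Return {"hciN": {bd_addr, cod, major_class, hci_version, lmp_version,
    manufacturer, manufacturer_id, discoverable}} for each adapter block."""
    adapters = {}
    chunks = re.split(r"^(hci\d+):", text, flags=re.M)   # ['', 'hci0', body0, 'hci1', body1, ...]
    for name, body in zip(chunks[1::2], chunks[2::2]):
        info = {}
        for key, rx in _FIELD_RES.items():
            m = rx.search(body)
            if m:
                info[key] = m.group(1).upper() if key == "bd_addr" else m.group(1)
        m = _MANUFACTURER_RE.search(body)
        if m:
            info["manufacturer"], info["manufacturer_id"] = m.group(1), int(m.group(2))
        if "cod" in info:
            major = (int(info["cod"], 16) >> 8) & 0x1F
            info["major_class"] = MAJOR_DEVICE_CLASS.get(major, f"reserved ({major})")
        flags = _FLAGS_RE.search(body)
        # ISCAN = inquiry scan enabled, i.e. the adapter answers discovery.
        # PSCAN alone = connectable but non-discoverable.
        info["discoverable"] = bool(flags) and "ISCAN" in flags.group(1).split()
        adapters[name] = info
    return adapters


def duplicate_bd_addrs(adapters: dict) -> dict:
    """BD_ADDRs reported by more than one adapter (the cheap-dongle problem on the previous slide)."""
    seen = defaultdict(list)
    for name, info in sorted(adapters.items()):
        if "bd_addr" in info:
            seen[info["bd_addr"]].append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}


def discoverable_adapters(adapters: dict) -> list:
    """Adapters left discoverable, contrary to the undiscoverable-by-default guidance quoted on this page."""
    return sorted(name for name, info in adapters.items() if info["discoverable"])


if __name__ == "__main__":
    found = parse_hciconfig(SAMPLE_HCICONFIG)
    for name, info in found.items():
        print(name, info)
    print("duplicate BD_ADDRs:", duplicate_bd_addrs(found))
    print("discoverable adapters:", discoverable_adapters(found))
```

On a real host the text would come from `subprocess.run(["hciconfig", "-a"], capture_output=True, text=True).stdout`; feeding the parser captured text instead keeps the check reproducible and lets the same script compare dumps collected from several machines.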

38 5. Experiment – Bluetooth Discovery

39 Experiment – Bluetooth Discovery
The experiment combined Ubertooth One hardware and its dedicated host software: the ubertooth-scan command requires both an Ubertooth One AND a standard Bluetooth dongle.
Five Bluetooth dongles tested:
- Built-in laptop device
- Linksys
- Linksys-modified
- Sena Parani UD100
- Aircable Host XR
Three types of scan used:
- Basic scan
- HCI type scan
- Extended scan

40 Results – maybe 2 slides of the main graphs
- Aircable Host XR – Bluetooth Core Specification 1.2 (limited to 1 Mbit/second)
- SENA Parani UD100 – Bluetooth Core Specification EDR (limited to 3 Mbit/second)
Both Class 1 devices. Both used a CSR chipset. Both had RP-SMA connectors.

41 Device Discovery Results (by adaptor)
The Sena found 50% more devices than the built-in laptop device.

42 Bluetooth Device Results
Overall, both the Aircable Host XR and the Sena Parani UD100 achieved the best (similar) results. The Sena Parani UD100 device has the edge:
- More discreet design
- Better pricing
- More recent Bluetooth version supported: Bluetooth Core Specification EDR
- Also useful as a standalone Bluetooth device

43 Discoverable Versus Non-Discoverable
4.7 times as many non-discoverable devices as discoverable ones. This vastly increases the attack surface for Bluetooth...
Thesis and results available at:

44 6. Current Guidance

45 Current Guidance
Guide to Bluetooth Security (NIST Special Publication SP rev1, 2012):
- Includes a very useful Bluetooth Piconet Security Checklist
- Non-discoverability not covered
- Bluetooth hardware inventories (what about storing class information?)

8 – Security Recommendation: Set Bluetooth devices to the lowest necessary and sufficient power level so that transmissions remain within the secure perimeter of the organization.
Security Need, Requirement, or Justification: Setting Bluetooth devices to the lowest necessary and sufficient power level ensures a secure range of access to authorized users. The use of Class 1 devices, as well as external amplifiers or high-gain antennas, should be avoided because of their extended range.

16 – Security Recommendation: Bluetooth devices should be configured by default as undiscoverable and remain undiscoverable except as needed for pairing.
Security Need, Requirement, or Justification: This prevents visibility to other Bluetooth devices except when discovery is absolutely required. In addition, the default Bluetooth device names sent during discovery should be changed to non-identifying values.

46 Current Guidance
PCI DSS Wireless Guideline from the Wireless Special Interest Group (SIG) (2011):
- Standards appear to focus on WiFi (not Bluetooth)
- Reliance on physical inspection
- Recommends non-discoverability
- Non-discoverable in a system on the same network segment as the Cardholder Data Environment (CDE)? (2009) (2012)

The cardholder data environment (CDE) is comprised of people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. PCI DSS applies to all system components included in or connected to the CDE. This section looks at some common wireless deployment scenarios and their associated scoping considerations.

For Bluetooth devices:
F. Choose PIN codes that are sufficiently random and long. Avoid static and weak PINs, such as all zeroes.
G. Bluetooth devices should be configured by default as, and remain, undiscoverable except as needed for pairing.
H. Ensure that link keys are based on combination keys rather than unit keys. Do not use unit keys.
I. For v2.1 devices using Secure Simple Pairing, do not use the "Just Works" model.
J. Perform service and profile lockdown of device Bluetooth stacks. Do not allow the use of multiple profiles in the unit.
K. In the event a Bluetooth device is lost or stolen, immediately unpair the missing device from all other Bluetooth devices with which it was previously paired.

47 7. Conclusions & Advice

48 Conclusions & Advice
- Both NIST & PCI-DSS very helpful, but in need of updates
- 82.5% of devices are in non-discoverable mode compared to 17.5% discoverable
- A real need for Bluetooth device detection to meet compliance standards
- Ubertooth can go a long way to addressing this need, in combination with the right Class 1 device

49 Conclusions & Advice
- Unless you need it, turn Bluetooth off.
- If Bluetooth is required, make it non-discoverable, and turn on encryption features, if available.
- Store Bluetooth device details in an asset/hardware inventory:
  - Include BD_ADDRs
  - Include power class details (especially Class 1 devices)
- Demand more: ask your security assessors/auditors to include Bluetooth as part of their security audits/sweeps (at the same time as they're looking for rogue WAPs for WiFi).
- Reconcile these rogue BD_ADDRs with your asset/hardware inventory.
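To put the discoverable/non-discoverable count from slide 43 and the inventory reconciliation advice on this slide into working code, here is an added Python example; it is not the thesis's own script. It takes LAPs sighted passively (sample lines constructed in the style of the Ubertooth host tools' `LAP=xxxxxx` output; only that token is read and the rest of the line layout is assumed), the discoverable devices from a constructed `hcitool scan` listing, and a constructed asset inventory, then computes the non-discoverable ratio and lists every LAP that matches no inventoried device. Because a passive sighting carries only the 24-bit LAP, an inventory match is reported as tentative unless the device was also found by active scan under its full 48-bit address.

```python
import re

# Constructed passive sightings in the style of the Ubertooth host tools' LAP lines
# (layout assumed; only the LAP=xxxxxx token is used). e2777b and 5d3f55 are the LAPs of
# the two Linksys adapters on slide 37; the other three are invented.
SNIFFED = """\
systime=1450000001 ch=39 LAP=e2777b err=0 clk100ns=123456 s=-61 n=-70 snr=9
systime=1450000002 ch=12 LAP=5d3f55 err=0 clk100ns=223456 s=-55 n=-70 snr=15
systime=1450000003 ch=71 LAP=aabbcc err=1 clk100ns=323456 s=-80 n=-82 snr=2
systime=1450000004 ch=05 LAP=e2777b err=0 clk100ns=423456 s=-60 n=-70 snr=10
systime=1450000005 ch=44 LAP=123456 err=0 clk100ns=523456 s=-70 n=-75 snr=5
systime=1450000006 ch=60 LAP=deadbe err=0 clk100ns=623456 s=-72 n=-75 snr=3
"""

# Constructed `hcitool scan` output: only discoverable devices answer an inquiry.
SCANNED = """\
Scanning ...
\t00:13:10:5D:3F:55\tLinksys-modified
\t02:00:00:12:34:56\tVisitor headset
"""

# Constructed asset inventory, BD_ADDR -> (owner, power class), as this slide recommends keeping.
INVENTORY = {
    "00:0C:41:E2:77:7B": ("audit laptop dongle", "Class 1"),
    "00:13:10:5D:3F:55": ("audit laptop dongle, 5 dBi antenna", "Class 1"),
}

_LAP_RE = re.compile(r"\bLAP=([0-9a-fA-F]{6})\b")
_SCAN_RE = re.compile(r"^\s*([0-9A-Fa-f:]{17})\s+(.*?)\s*$", re.M)


def lap_of(bd_addr: str) -> str:
    """Lower 3 bytes of a BD_ADDR as 6 lowercase hex digits, the form a sniffer reports."""
    return bd_addr.replace(":", "").lower()[-6:]


def parse_sniffed_laps(text: str) -> set:
    """Distinct LAPs from passive sighting lines."""
    return {m.group(1).lower() for m in _LAP_RE.finditer(text)}


def parse_hcitool_scan(text: str) -> dict:
    """BD_ADDR -> name for each device listed by `hcitool scan`."""
    return {m.group(1).upper(): m.group(2) for m in _SCAN_RE.finditer(text)}


def discovery_stats(sniffed_laps: set, scanned: dict) -> dict:
    """Count discoverable (answered the scan) vs non-discoverable (only seen passively) devices."""
    discoverable = {lap_of(a) for a in scanned}
    non_disc = (sniffed_laps | discoverable) - discoverable
    return {
        "discoverable": len(discoverable),
        "non_discoverable": len(non_disc),
        "ratio": len(non_disc) / len(discoverable) if discoverable else None,
        "non_discoverable_laps": sorted(non_disc),
    }


def reconcile(sniffed_laps: set, scanned: dict, inventory: dict) -> dict:
    """Match everything seen on air against the inventory.
    A passive sighting carries only the 24-bit LAP, so a LAP-only match is 'tentative';
    a device found by active scan is 'confirmed' when its full address is inventoried."""
    inv_by_lap = {lap_of(a): a for a in inventory}
    scanned_by_lap = {lap_of(a): a for a in scanned}
    confirmed, tentative, rogue = {}, {}, []
    for lap in sorted(sniffed_laps | set(scanned_by_lap)):
        if lap not in inv_by_lap:
            rogue.append(lap)                      # no inventoried device has this LAP
        elif scanned_by_lap.get(lap) == inv_by_lap[lap]:
            confirmed[lap] = inv_by_lap[lap]       # full 48-bit address matched
        else:
            tentative[lap] = inv_by_lap[lap]       # LAP matched only; follow up physically
    return {"confirmed": confirmed, "tentative": tentative, "rogue": rogue}


if __name__ == "__main__":
    laps = parse_sniffed_laps(SNIFFED)
    scan = parse_hcitool_scan(SCANNED)
    print(discovery_stats(laps, scan))
    print(reconcile(laps, scan, INVENTORY))
```

Treating a LAP-only match as tentative matters because the LAP is 24 bits: two vendors' OUIs can legitimately contain the same lower three bytes, so a rogue device can share a LAP with an inventoried one and only the full address, or a physical check, settles it.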

50 Conclusions & Advice
- Additionally, consider the use of additional physical or logical controls that prevent or alert personnel to the addition or removal of devices to networks or systems in your environment (CDE).
- Train and educate personnel on the risks of introducing unauthorized Bluetooth devices to the network.
- Immediately report the appearance of any 'new' devices in their environment, or if a device is missing or stolen.

51 Questions ?
