Bluetooth security

By Mohammed A. Ahmed, Amjad M. Musleh, Asmat K. Marouf

Advisors: Dr. Ashraf S. H. Mahmoud, Dr. Marwan H. Abu-Amara

Project Description

• Study Bluetooth security aspects

• Blue-attacks mechanism analysis

• Implementation of Java Bluetooth Applications

Agenda

• Introduction
• Security Mechanism
• Bluesnarfing Attack
• Bluetooth Programming Environment
• J2ME into J2SE
• Bluetooth Application Programming
• Difficulties Faced
• Conclusion

Introduction

• What is Bluetooth?
  - Short-range wireless technology
  - Developed by the SIG (Special Interest Group)

• Properties
  - 2.4 GHz ISM (industrial, scientific, medical) band
  - Frequency-hopping spread spectrum
  - Point-to-multipoint

Introduction

• Bluetooth Stack
  - Bluetooth host (software)
  - Bluetooth controller (hardware)
  - HCI (host controller interface)

Introduction

• Examples of Bluetooth attacks
  - Blue-snarf attack: gets personal information
  - Blue-jack attack: sends unwanted messages
  - Blue-bug attack: full access (AT commands)

Security Mechanism

• Looking for the causes of Blue-attacks
  – Examining the security mechanism
    • Holes in the security architecture or the Bluetooth spec.
  – Examining the security implementation
    • Holes in the vendor's implementation

Security Mechanism

• Bluetooth security: service-dependent
  – Which service determines which security level is required

• Bluetooth link-level security
  – Not always enforced
  – Device authentication
  – Link encryption (pairing)

• Bluetooth higher-level security
  – Up to the vendor's implementation

Security Mechanism

• Analysis of link level security

[Flowchart: link-level security between Device 1 (client) and Device 2 (server). Box labels: find a Bluetooth device; device found? (yes/no); enter PIN and generate authentication key K1 (on both devices); challenge; respond; process authentication and respond; response OK? (yes/no); exchange link key; generate encryption key (on both devices); exchange encrypted data; encrypted, secure link; disconnect; terminate.]

Security Mechanism

• Results
  – Weakness in link level: PIN
    • Solution: long & random PIN
  – Key exchange
    • Solution: do it in private!!
  – BUT
    • Other wireless protocols ~ same problem
    • Even if I got the PIN, ATTACKS SHOULD NOT HAPPEN!!

Bluesnarfing Attack

• Why does the Bluesnarfing attack happen?
  - Vendors' implementation of the OBEX protocol

• Three profiles use the OBEX protocol:
  - Synchronization Profile (secure)
  - File Transfer Profile (secure)
  - Object Push (insecure)

[Diagram: OBEX in the protocol stack. Application layer: File Transfer Profile (application), Object Push (business card), Synchronization (phone book, calendar). Session layer: OBEX. Below OBEX: lower layers.]

Bluesnarfing Attack

• What is the OBEX protocol?
  - Exchanges objects between devices

• The four main operations used in OBEX:
  – Connect operation
  – Put operation
  – Get operation
  – Disconnect operation

• OBEX protocol layers

Bluesnarfing Attack

Normal OBEX session (client and server):

- Connect (Target #)
- Get/Put operation (Connection ID #, Who #)
- Disconnect (Connection ID #, Who #)

The security procedure is initiated depending on the target application, if any.
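The session on this slide, decoded at the wire level, as an added example that is not part of the original presentation: a minimal parser for OBEX request packets that shows whether a Connect names a Target (the point where the target application's security procedure is selected) and the Connection ID carried by later operations. Opcodes and header IDs follow the IrDA OBEX specification; the `build` helper, the sample packets and the name `card.vcf` are constructed for illustration.

```python
import struct

# Opcodes (final bit set) and header IDs as defined by the IrDA OBEX specification.
OPCODES = {0x80: "CONNECT", 0x81: "DISCONNECT", 0x82: "PUT", 0x83: "GET"}
HEADERS = {0x01: "Name", 0x46: "Target", 0x4A: "Who", 0xCB: "ConnectionID"}

def parse_headers(buf):
    """Decode OBEX headers; the top two bits of each header ID select its encoding."""
    out, i = {}, 0
    while i < len(buf):
        hid, kind = buf[i], buf[i] >> 6
        if kind in (0, 1):                   # 2-byte length covers ID + length + value
            if i + 3 > len(buf):
                raise ValueError("truncated header")
            hlen = struct.unpack_from(">H", buf, i + 1)[0]
            if hlen < 3 or i + hlen > len(buf):
                raise ValueError("bad header length")
            raw = buf[i + 3:i + hlen]
            value = raw.decode("utf-16-be").rstrip("\x00") if kind == 0 else raw
        else:                                # fixed size: 1-byte or 4-byte big-endian value
            hlen = 2 if kind == 2 else 5
            if i + hlen > len(buf):
                raise ValueError("truncated header")
            value = int.from_bytes(buf[i + 1:i + hlen], "big")
        out[HEADERS.get(hid, hex(hid))] = value
        i += hlen
    return out

def parse_request(pkt):
    """Return (operation, headers) for one complete OBEX request packet."""
    if len(pkt) < 3 or struct.unpack_from(">H", pkt, 1)[0] != len(pkt):
        raise ValueError("length field does not match packet size")
    opcode, body = pkt[0], pkt[3:]
    if opcode == 0x80:                       # CONNECT: version, flags, max packet length
        if len(body) < 4:
            raise ValueError("short CONNECT")
        body = body[4:]
    return OPCODES.get(opcode, hex(opcode)), parse_headers(body)

def build(opcode, body):                     # helper for the constructed samples below
    return struct.pack(">BH", opcode, len(body) + 3) + body

# Constructed sample packets (not captured traffic).
FTP_TARGET = bytes.fromhex("F9EC7BC4953C11D2984E525400DC9E09")  # OBEX folder-browsing UUID
DIRECTED = build(0x80, b"\x10\x00\x20\x00\x46" + struct.pack(">H", 19) + FTP_TARGET)
UNDIRECTED = build(0x80, b"\x10\x00\x20\x00")  # no Target: default inbox service
NAME = "card.vcf\x00".encode("utf-16-be")      # OBEX text is null-terminated UTF-16BE
PUT = build(0x82, b"\xcb" + struct.pack(">I", 1) + b"\x01" + struct.pack(">H", len(NAME) + 3) + NAME)
```

`parse_request(DIRECTED)` reports a `Target` header, while `parse_request(UNDIRECTED)` reports none, which is how an Object Push session begins.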

Bluesnarfing Attack

How the Bluesnarfing Attack Happens:

Bluetooth Programming Environment

• Why Java?
  – Platform independent
  – Multiple vendors (choices!)
  – Widespread industry acceptance

• Java platforms:
  – J2SE for desktop applications
  – J2ME for resource-constrained computing devices

Bluetooth Programming Environment

• What is J2ME?

• Configuration
  - Core classes

• Profile
  - Example: MIDP (Mobile Information Device Profile)

• Optional Packages
  - To include additional technologies
  - Example, Bluetooth packages:
    1. javax.bluetooth
    2. javax.obex

[Diagram: J2ME stack, top to bottom: Optional Packages, Profile, Configuration, Host Operating System.]

Bluetooth Programming Environment

• J2ME toolkit (compile & emulate)

Bluetooth Programming Environment

• Working in a real environment
  – To discover and communicate with other devices

• To run our Bluetooth applications in a real environment:
  – Using a Bluetooth mobile device
  – Using our desktop with a Bluetooth adapter

• For the first approach:
  – NOKIA 6810 mobile phone

It did not work (Java Bluetooth API is missing)!

J2ME into J2SE

• To support J2ME features:
  – javax.microedition.io

• To support Bluetooth:
  – javax.bluetooth

• Is it enough?
  – Other classes are missing

J2ME into J2SE

• Ready solution (GCF)
  – GCF (Generic Connection Framework)
  – Defines ALL packages needed to migrate J2ME to J2SE
  – Different implementations
    • Example: aveLink Bluetooth for Java

Bluetooth Application Programming

• Short-term goal
  – Bluetooth programming & attack preparation

• Long-term goal
  – Bluetooth attacks implementation

• Application components
  – Bluetooth Controller
  – Connection Controller
  – Attack Executor

Bluetooth Application Programming

• General scenario

Bluetooth Application Programming

• Bluetooth Controller
  – Job
    • Device discovery
    • Service discovery
  – Implementation
    • javax.bluetooth built-in methods

Bluetooth Application Programming: Bluetooth Controller

Bluetooth Application Programming

• Connection Controller
  – Connect to what service (service inquiry)
  – URL of the service (service record as response)
  – Establish appropriate connection

• Connection to service: two-party operation
  – Server mobile may respond differently

Bluetooth Application Programming

• Attack Executor
  – Message Advertiser
    • Advertise messages to mobiles in range
    • Use OBEX
  – Infinite SMS sender
    • Send SMS from one victim to another
    • Use AT commands over serial port profile

Bluetooth Application Programming: Message Advertiser

Bluetooth Application Programming: Infinite SMS sender

Difficulties Faced

• Lack of resources
  – Cost
  – Non-vulnerability

• Pre-work: environment adaptation
  – Software & hardware requirements

• Illegality of hacking: limited guidance

Conclusion

• General wireless programming sense

• Theoretical experience
  – Bluetooth in general
  – Bluetooth security issues

• Practical experience
  – Programming on different Java platforms
  – Bluetooth programming in particular

• Finally
  Knowledge-based hacking = Knowledge + Time + Effort + KEEP TRYING

MORE INFORMATION

http://student.kfupm.edu.sa/s208675

THANK YOU