Bluetooth Security

Ben Cumber, Kyle Swenson

Transcript of a 15-slide presentation.

Slide 1: Bluetooth Security (title slide)

Slide 2: Overview

- Introduction to Bluetooth
  - Protocol stack
  - Profiles
  - Proliferation and applications
- Security
  - Past attacks
  - Current state of the art
  - Known vulnerabilities
  - Examples; demonstration
  - Future attacks
- Hardening options: mitigating the risk
- Conclusion

Slide 3: Introduction to Bluetooth

- Convenience
- IEEE 802.15.1: Personal Area Network
  - Defines the medium access control (MAC) mechanisms
  - Baseband / physical layer
  - 2.4 GHz (same band as Wi-Fi)
  - Adaptive frequency hopping
- Currently maintained by the Bluetooth Special Interest Group (SIG)

Slide 4: Introduction to Bluetooth: Protocols

Figure: Bluetooth protocol stack (http://www.mnl.com/images/thelink/bluetooth_fig2.gif)

- Mandatory Bluetooth protocols
  - Link Manager Protocol (LMP)
  - Logical Link Control and Adaptation Protocol (L2CAP)
  - Service Discovery Protocol (SDP)
- Audio streaming protocols
- RFCOMM (most common)

Figure: Bluetooth protocols (http://upload.wikimedia.org/wikipedia/commons/9/9f/Bluetooth_protokoly.svg)

Slide 5: Relevant Bluetooth Profiles

- Human Interface Device (HID)
  - Built off the USB HID specification
  - Includes RTUs and data acquisition equipment
- Audio Control and Distribution
  - Bluetooth headset phone control and audio streaming
- Object Exchange (OBEX)
  - Allows file transfer and contact transfer

Bluetooth profiles in general:

- Define how a device uses the Bluetooth protocols
- All built on the core Bluetooth stack
- Widespread integration and interoperability
- Define the authentication and encryption used (if any)

Slide 6: Bluetooth Security Mechanisms

- Pairing: usually requires user verification; the procedure is version dependent
- Bonding: allows seamless reconnection after two devices have been paired
  - Based on a link key generated during the pairing process
  - If either device forgets the link key, it is renegotiated automatically
  - Plaintext negotiation of the encryption key
- Encryption: completely optional, dependent upon device capability

Slide 7: Bluetooth Security: The MAC Address

- Basis for all Bluetooth communication
- All devices are required to at least respond to direct connection requests, regardless of the discoverability setting
- Assumed to be unique
  - With the right module, it is easy to imitate a legitimate device
  - The specification does not define behavior when two devices have the same MAC address
- Part of the MAC address is allocated by the SIG/IEEE
  - Publicly available
- The other part is assigned by the manufacturer

Slide 8: Bluetooth Security: The MAC Address

- Lower Address Portion (LAP)
  - Mandatory part of baseband communication
- Upper Address Portion (UAP)
  - Contains time delay information for frequency hopping
- Non-significant Address Portion (NAP)
  - UAP + NAP form the organizationally unique identifier (OUI)
- Once the MAC address has been determined, the device is potentially compromised

Slide 9: Known Exploits

- BlueRanger
  - Uses the required direct connection response to gauge relative distance through the integrity of the link
- SpoofTooph
  - Scans for discoverable devices
  - Clones the device: imitates MAC address, profiles, services, names, and other "unique" characteristics
- BTCrack: how it works
  - Observe a pairing
  - Guess a 4-16 digit PIN
  - Check whether the hashed value of the guessed PIN matches the hashed value that was observed
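As an added example, not code from the presentation: Go that splits a BD_ADDR into the NAP, UAP and LAP parts described on the two MAC address slides (exposing the public OUI prefix) and then applies the defensive counterpart of the SpoofTooph slide, flagging scan records in which one address shows up under more than one device identity, which is what a genuine device and a clone answering inquiries side by side look like to a scanner. The scan records, addresses, names and class values are made up for the demo, and the type and function names are my own.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// BdAddr is a 48-bit Bluetooth device address split into the three parts the
// slides describe: NAP (upper 16 bits), UAP (next 8 bits), LAP (lower 24 bits).
type BdAddr struct {
	NAP uint16
	UAP uint8
	LAP uint32
}

// ParseBdAddr accepts the usual colon-separated text form, most-significant
// octet first, e.g. "00:1A:7D:DA:71:13", in either letter case.
func ParseBdAddr(s string) (BdAddr, error) {
	parts := strings.Split(strings.TrimSpace(s), ":")
	if len(parts) != 6 {
		return BdAddr{}, fmt.Errorf("malformed BD_ADDR %q: want 6 octets", s)
	}
	var b [6]uint8
	for i, p := range parts {
		v, err := strconv.ParseUint(p, 16, 8)
		if err != nil || len(p) != 2 {
			return BdAddr{}, fmt.Errorf("malformed BD_ADDR %q: octet %d", s, i)
		}
		b[i] = uint8(v)
	}
	return BdAddr{
		NAP: uint16(b[0])<<8 | uint16(b[1]),
		UAP: b[2],
		LAP: uint32(b[3])<<16 | uint32(b[4])<<8 | uint32(b[5]),
	}, nil
}

// OUI returns NAP+UAP: the IEEE/SIG-allocated organisation prefix, which is
// publicly listed and can be checked against the public registry.
func (a BdAddr) OUI() string {
	return fmt.Sprintf("%02X:%02X:%02X", a.NAP>>8, a.NAP&0xFF, a.UAP)
}

// String renders the address in canonical upper-case form, so two spellings
// of one address compare equal.
func (a BdAddr) String() string {
	return fmt.Sprintf("%s:%02X:%02X:%02X", a.OUI(), a.LAP>>16, (a.LAP>>8)&0xFF, a.LAP&0xFF)
}

// ScanRecord is one inquiry response as a scanner log would record it.
type ScanRecord struct {
	Addr, Name, Class string
}

// FindClonedAddresses groups records by normalised address and returns those
// seen under more than one (name, class) identity. The specification leaves
// behaviour undefined when two devices share a BD_ADDR, so a genuine device
// and a clone answering inquiries in the same area surface exactly this way.
func FindClonedAddresses(recs []ScanRecord) (map[string][]string, error) {
	seen := map[string]map[string]bool{}
	for _, r := range recs {
		a, err := ParseBdAddr(r.Addr)
		if err != nil {
			return nil, err
		}
		key := a.String()
		if seen[key] == nil {
			seen[key] = map[string]bool{}
		}
		seen[key][r.Name+" / "+strings.ToLower(r.Class)] = true
	}
	flagged := map[string][]string{}
	for addr, idents := range seen {
		if len(idents) < 2 {
			continue
		}
		for id := range idents {
			flagged[addr] = append(flagged[addr], id)
		}
		sort.Strings(flagged[addr]) // deterministic order for logging and tests
	}
	return flagged, nil
}

// SampleScan is a constructed log for the demo; addresses, names and class
// values are made up and do not describe any real device.
var SampleScan = []ScanRecord{
	{"00:1A:7D:DA:71:13", "FIELD-RTU-01", "0x001f00"},
	{"00:1a:7d:da:71:13", "FIELD-RTU-01", "0x001F00"}, // same device, lower-case spelling
	{"3C:5A:B4:12:34:56", "Car Audio", "0x200408"},
	{"00:1A:7D:DA:71:13", "FIELD-RTU-01", "0x000104"}, // same address, different class: clone?
}

func main() {
	flagged, err := FindClonedAddresses(SampleScan)
	if err != nil {
		panic(err)
	}
	for addr, idents := range flagged {
		a, _ := ParseBdAddr(addr)
		fmt.Printf("%s (OUI %s) seen with %d identities: %v\n", addr, a.OUI(), len(idents), idents)
	}
}
```

Case-normalising through String() matters: two captures of the same address in different letter case must collapse into one key, or every scanner quirk would look like a clone. The check is a heuristic for a first triage pass; a device that legitimately changes its class or name between scans will also be flagged and needs a human look.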

Slide 10: Known Exploits

- BlueBugging: control a remote smartphone
  - Making/forwarding calls, sending and receiving text messages
- Snarfing: retrieve contacts or calendar
  - Uses the OBEX Push Profile
  - OBEX Push does not require any authentication
- Carwhisperer: uses vehicular audio profiles
  - Send audio messages to the driver
  - Listen to conversations in the vehicle
- vCardBlaster (Virtual Business Card)
  - A vCard contains contact information
  - Sends a continuous stream of vCards using Bluetooth
- Bluetooth v4.0 has already been exploited

Slide 11: Collecting Information

- Ubertooth One
  - A custom Bluetooth chip from TI (CC2400) with an LPC1768 Cortex-M3 microcontroller, attached via USB
  - $120 module; allows sniffing of Bluetooth traffic
  - Able to export packets to Wireshark; the captured traffic can reveal sensitive information
  - Spectrum analyzer
  - Simple to program, modify, and use
- With some embedded systems experience and motivation, every exploit is possible

Slide 12: Bluetooth and SCADA

- SEL-2925: RS-232 emulation over a wireless link
  - Convenience
  - Remote telemetry and data acquisition
  - Same performance degradation as WiFi in noisy environments
  - Uses the HID profile: simple, fast, negligible configuration
- Increasingly being used for automation

Source: https://www.bluetooth.org/en-us/Documents/BW13_DayOne_Session3_BluetoothTrends.pdf

Slide 13: Hardening Bluetooth

- Encrypt the data at a higher layer (application layer) in the protocol stack
- Don't use it! Turn Bluetooth OFF (non-discoverable or non-connectable doesn't matter)
- Bluetooth in SCADA and critical infrastructure
  - Bluetooth was designed for convenience, not security
  - Other than lower power consumption, Bluetooth has no advantage over WiFi
  - Integrating Bluetooth into SCADA is inappropriate: use something else
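The first hardening point, application-layer encryption, as an added example that is not from the presentation: a Go wrapper that seals each serial payload (the kind of RS-232 frame the SCADA slide describes) with AES-256-GCM before it is handed to the Bluetooth stack, so confidentiality, integrity and replay protection no longer depend on whether the link negotiated encryption at all. The frame layout, the direction bytes, the Endpoint type and the assumption that the key is provisioned out of band are all mine; nothing here is an SEL or Bluetooth SIG mechanism.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Frame layout on the wire, above the Bluetooth serial emulation (assumed):
//   [1 byte direction][3 zero bytes][8-byte big-endian counter][ciphertext][16-byte GCM tag]
// The 12-byte header doubles as the AES-GCM nonce and is also authenticated as
// associated data. Under one key no nonce repeats as long as each side counts
// only its own sends and the two directions use different direction bytes.
const (
	DirToField  byte = 0x01 // master -> field device
	DirToMaster byte = 0x02 // field device -> master
	nonceLen         = 12
)

var (
	ErrTruncated = errors.New("frame shorter than header plus tag")
	ErrReflected = errors.New("frame carries the receiver's own direction byte")
	ErrReplay    = errors.New("frame counter not above the last accepted counter")
	ErrTampered  = errors.New("authentication failed: frame altered or key mismatch")
)

// Endpoint is one side of the link. The key is assumed to be provisioned out
// of band (for example at installation), never negotiated over Bluetooth.
type Endpoint struct {
	aead     cipher.AEAD
	sendDir  byte
	recvDir  byte
	sendCtr  uint64 // last counter we used
	lastRecv uint64 // highest counter accepted from the peer
}

// NewEndpoint builds an AES-256-GCM endpoint from a 32-byte key.
func NewEndpoint(key []byte, sendDir, recvDir byte) (*Endpoint, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead, sendDir: sendDir, recvDir: recvDir}, nil
}

// Seal wraps one serial payload into a frame. Counters start at 1 so that a
// fresh receiver (lastRecv == 0) accepts the first frame.
func (e *Endpoint) Seal(payload []byte) []byte {
	e.sendCtr++
	nonce := make([]byte, nonceLen)
	nonce[0] = e.sendDir
	binary.BigEndian.PutUint64(nonce[4:], e.sendCtr)
	frame := append([]byte(nil), nonce...) // header travels in the clear
	return e.aead.Seal(frame, nonce, payload, nonce)
}

// Open checks length, direction, replay and authenticity, in that order, and
// advances the replay window only after the tag verifies.
func (e *Endpoint) Open(frame []byte) ([]byte, error) {
	if len(frame) < nonceLen+e.aead.Overhead() {
		return nil, ErrTruncated
	}
	nonce, body := frame[:nonceLen], frame[nonceLen:]
	if nonce[0] != e.recvDir {
		return nil, ErrReflected
	}
	ctr := binary.BigEndian.Uint64(nonce[4:])
	if ctr <= e.lastRecv {
		return nil, ErrReplay
	}
	plain, err := e.aead.Open(nil, nonce, body, nonce)
	if err != nil {
		return nil, ErrTampered
	}
	e.lastRecv = ctr
	return plain, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	field, _ := NewEndpoint(key, DirToMaster, DirToField)
	master, _ := NewEndpoint(key, DirToField, DirToMaster)
	f1 := field.Seal([]byte("STATUS OK")) // constructed payload, not a real protocol message
	plain, err := master.Open(f1)
	fmt.Printf("first delivery: %q err=%v\n", plain, err)
	_, err = master.Open(f1) // same frame a second time
	fmt.Println("replayed frame:", err)
	f2 := field.Seal([]byte("STATUS OK"))
	f2[len(f2)-1] ^= 0x01 // flip one tag bit in transit
	_, err = master.Open(f2)
	fmt.Println("tampered frame:", err)
}
```

Two design points are worth noting. The counter lives in the nonce and in the associated data, so a peer that loses state (the analogue of the slide's "if either device forgets the link key") cannot silently restart from zero under the same key; a rekey is needed instead of the automatic renegotiation the Bluetooth stack would do. And the replay check runs before the tag check only as a cheap filter; it is the authentication failure that keeps a forged counter from advancing lastRecv.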

Slide 14: Conclusion

- Bluetooth security needs more attention
  - Lack of appropriate tools cripples penetration testing and security analysis
- Embedded applications
  - Most completely omit security and assume protection in complexity
  - Demonstrates the need for a reliable, secure, wireless communication
- Security must be an integral component in the initial design process, not added after the fact
- Realize the risk when using Bluetooth for your SCADA application

Slide 15: References

http://trifinite.org/

http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

http://en.wikipedia.org/wiki/SAFER

https://github.com/greatscottgadgets/ubertooth/releases/tag/2014-02-R2

http://openciphers.sourceforge.net/oc/index.php

http://www.hackfromacave.com/

http://en.wikipedia.org/wiki/Bluetooth

http://en.wikipedia.org/wiki/Bluetooth_protocols

http://en.wikipedia.org/wiki/Bluetooth_Special_Interest_Group

https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=40560

https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=241363

https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=174214

https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=263754

https://www.bluetooth.org/en-us/specification/adopted-specifications

http://bluetooth-pentest.narod.ru/

http://linuxpoison.blogspot.com/2008/04/discovering-and-hacking-bluetooth.html

http://pen-testing.sans.org/blog/pen-testing/2011/10/20/the-bluetooth-dilemma

http://blog.zoller.lu/2009/02/btcrack-11-final-version-fpga-support.html