
  • 8/6/2019 pp1 (Autosaved)

    1/31

    Bluebag Seminar 2011

    Dept. Of Computer Science & Engg. I ESCE, Chittilappilly

    ABSTRACT

Current Bluetooth worms pose relatively little danger compared to Internet scanning worms, but things might change soon. The authors' BlueBag project shows targeted attacks through Bluetooth malware using proof-of-concept code and devices that demonstrate their feasibility. Basically, it is a Bluetooth-sniffing computer hidden in a suitcase that was rolled through train stations, a shopping center, and even a computer security conference show floor this year to see how many Bluetooth-enabled devices attackers could potentially infect with a worm or a virus.

The BlueBag project shows targeted attacks through Bluetooth malware using proof-of-concept code and devices that demonstrate their feasibility. The purpose of BlueBag is to gather data on the prevalence of insecure devices, to understand how susceptible people are to simple social engineering attacks, and to demonstrate the feasibility of attacks in secured areas. The need to mount any type of attack without being noticed led the authors to create a covert attack and scanning device, which they later came to call the BlueBag.


    INTRODUCTION

Mobile computing is quickly gaining ground in our daily experience; for this reason it is very important to understand the potential risks linked with all types of wireless devices. Bluetooth has become the pervasive technology supporting wireless communication in various contexts of everyday life. It is basically the new alternative to infrared and is based on a short-wave radio technology able to transmit data across physical obstacles such as walls or other objects. At present, the greatest level of diffusion is witnessed in so-called smart phones, the latest generation of cellular phones: devices that, on top of offering all the functions of cutting-edge telephone technology, enclose functions and applications typical of palm pilots, managed by an operating system such as Symbian or Microsoft Windows Mobile. The Bluetooth group has been working hard to show hardware firms and users the technology's versatility. Finding and connecting to other Bluetooth-enabled devices was sometimes difficult. Future versions of the Bluetooth software will hide this complexity and make devices negotiate a radio link without the need for setting up pairing codes.

The cellular phone represents in fact a precious source of personal data with its phonebook, messages, agenda and much more. Wireless networks pose a threat to the security of anyone using them, warn security experts. Many organizations and individuals are turning to wireless networks because they are easy to set up and make it much easier to re-arrange offices or computer equipment. The cost of this convenience can be a significant drop in security, particularly now that tools are available to let people spot and penetrate these wireless networks. Smart phones are now very similar to personal computers; because of this, they are at the same time more vulnerable, more useful and more attractive for a potential attack. This increased vulnerability is due to the presence of a system of evolved connectivity applications that expose the telephone and the data it contains to a series of risks deriving from activities such as sending e-mail, the transfer of data through the Internet, the exchange of MMS and WAP messages and the use of accessories.

viral epidemic, using well-known attacks that are constantly evolving. Specifically, communications that take place through Bluetooth connections become potential vehicles for viruses and the target of attacks that can extract information from the smart phone. Mobile phones are more vulnerable than PCs because a computer typically has a single entry port, whereas a phone has many: GSM, GPRS, Bluetooth, IR and so on.

The immediate need for Bluetooth came from the desire to connect peripherals and devices without cables. The available technology, IrDA OBEX (IR Data Association Object Exchange Protocol), is based on IR links, which are limited to line-of-sight connections. Bluetooth integration is further fueled by the demand for mobile and wireless access to LANs, Internet over mobile and other existing networks, where the backbone is wired but the interface is free to move. This not only makes the network easier to use but also extends its reach. The advantages and rapid proliferation of LANs suggest that setting up personal area networks, that is, connections among devices in the proximity of the user, will have many beneficial uses.

Bluetooth could also be used in home networking applications. With increasing numbers of homes having multiple PCs, the need for networks that are simple to install and maintain is growing. There is also the commercial need to provide "information push" capabilities, which is important for handheld and other such mobile devices, and this has been partially incorporated in Bluetooth. Bluetooth's main strength is its ability to simultaneously handle both data and voice transmissions, allowing such innovative solutions as a mobile hands-free headset for voice calls, print-to-fax capability, and automatic synchronization of PDA, laptop, and cell phone address book applications.


    CHAPTER 2

    BASICS

Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The objective of the Bluetooth protocol is in fact to unify different wireless data transmission technologies among mobile and static electronic devices. The key features of Bluetooth technology are robustness, low power, and low cost. Bluetooth technology has achieved global acceptance such that any Bluetooth enabled device, almost everywhere in the world, can connect to other Bluetooth enabled devices in proximity. A fundamental strength of Bluetooth wireless technology is the ability to simultaneously handle both data and voice transmissions.

Bluetooth is the term used to describe the protocol of a short range frequency-hopping radio link between devices. These devices are then termed Bluetooth-enabled. Bluetooth technology operates in the unlicensed industrial, scientific and medical (ISM) band at 2.4 to 2.485 GHz, using a spread spectrum, frequency hopping, full-duplex signal at a nominal rate of 1600 hops/sec. The 2.4 GHz ISM band is available and unlicensed in most countries. Bluetooth technology's adaptive frequency hopping (AFH) capability was designed to reduce interference between wireless technologies sharing the 2.4 GHz spectrum. The signal hops among 79 frequencies at 1 MHz intervals to give a high degree of interference immunity. AFH works within the spectrum to take advantage of the available frequencies. This is done by detecting other devices in the spectrum and avoiding the frequencies they are using. This adaptive hopping allows for more efficient transmission within the spectrum, providing users with greater performance even when other technologies are used alongside Bluetooth technology.
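The AFH behaviour described above, as an added illustration written for this page (not code from the seminar report or from the Bluetooth SIG): the 79-channel plan at 2402 + k MHz and the 1600 hops/s rate come from the text, while the packet-loss threshold, the "at least 20 used channels" lower bound, the SHA-256 based hop selector and the modulo remapping onto the used-channel list are constructed stand-ins for the real hop selection kernel, which derives the sequence from the master clock and Bluetooth device address.

```python
"""Adaptive frequency hopping (AFH) channel map, illustrated in Python.

Added example, not code from the seminar report or the Bluetooth SIG.  The
channel plan (79 channels, 1 MHz apart from 2402 MHz) and the 1600 hops/s
rate come from the text; the hop selector is a constructed stand-in for the
real hop selection kernel, and MIN_USED_CHANNELS is an assumed lower bound.
"""
import hashlib

NUM_CHANNELS = 79
BASE_MHZ = 2402
HOPS_PER_SEC = 1600
MIN_USED_CHANNELS = 20  # assumed: fewer used channels leaves too little hopping diversity


def channel_freq_mhz(k: int) -> int:
    """Carrier frequency of Basic Rate channel k (k = 0..78)."""
    if not 0 <= k < NUM_CHANNELS:
        raise ValueError(f"channel index out of range: {k}")
    return BASE_MHZ + k


def dwell_time_us() -> float:
    """Time spent on one frequency per hop: 1 s / 1600 hops = 625 us.

    This is why interference on a single frequency only costs a tiny
    fraction of a second, as the text says."""
    return 1_000_000 / HOPS_PER_SEC


def classify_channels(loss_per_channel: dict[int, float], threshold: float = 0.2) -> list[bool]:
    """Build an AFH channel map from observed packet loss.

    loss_per_channel maps channel index -> fraction of packets lost there
    (constructed measurements, e.g. caused by a nearby Wi-Fi network).  A
    channel whose loss reaches the threshold is marked unused (False).
    """
    used = [True] * NUM_CHANNELS
    for k, loss in loss_per_channel.items():
        channel_freq_mhz(k)  # validates the index
        if loss >= threshold:
            used[k] = False
    if sum(used) < MIN_USED_CHANNELS:
        raise ValueError("too few usable channels for AFH")
    return used


def basic_hop(master_addr: bytes, clock: int) -> int:
    """Constructed pseudo-random hop selector (NOT the specification kernel).

    Like the real kernel it is a deterministic function of the master's
    address and clock, so every piconet member computes the same channel.
    """
    digest = hashlib.sha256(master_addr + clock.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big") % NUM_CHANNELS


def afh_hop(master_addr: bytes, clock: int, channel_map: list[bool]) -> int:
    """AFH-style hop: keep the basic hop if its channel is used, otherwise
    remap it onto the list of used channels so the piconet never lands on a
    channel it has classified as interfered."""
    k = basic_hop(master_addr, clock)
    if channel_map[k]:
        return k
    used_channels = [i for i, u in enumerate(channel_map) if u]
    return used_channels[k % len(used_channels)]


def hop_sequence(master_addr: bytes, start_clock: int, n: int, channel_map: list[bool]) -> list[int]:
    """The next n channels the piconet will visit."""
    return [afh_hop(master_addr, start_clock + i, channel_map) for i in range(n)]


if __name__ == "__main__":
    # Constructed observation: a Wi-Fi network makes channels 0-21 (2402-2423 MHz) lossy.
    wifi_loss = {k: 0.6 for k in range(0, 22)}
    cmap = classify_channels(wifi_loss)
    master = bytes.fromhex("001122334455")  # constructed Bluetooth address
    seq = hop_sequence(master, 0, 20, cmap)
    print("used channels:", sum(cmap), "dwell (us):", dwell_time_us())
    print("next hops (MHz):", [channel_freq_mhz(k) for k in seq])
```

The point to take from the remapping step is that a piconet with AFH never transmits on a channel it has marked unused, so the interference it causes to (and suffers from) a neighbouring network is confined to the channels it failed to classify; a defender watching for rogue piconets in a Wi-Fi environment should therefore expect the hopping to concentrate on the channels between Wi-Fi carriers.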


CHAPTER 3

    ARCHITECTURE

The Bluetooth specification was developed in 1994 by Jaap Haartsen and Sven Mattisson, who were working for Ericsson Mobile Platforms in Lund, Sweden. The specification is based on frequency-hopping spread spectrum technology. The specifications were formalized by the Bluetooth Special Interest Group (SIG), which was established by Ericsson, IBM, Intel, Toshiba, and Nokia. Standard or Basic Rate transmission uses the Gaussian Frequency Shift Keying (GFSK) method, while EDR uses a combination of GFSK and Phase Shift Keying (PSK). Bluetooth protocols simplify the discovery and setup of services between devices. The Bluetooth core system consists of an RF transceiver, baseband, and protocol stack. The Bluetooth controller is a sub-system containing the Bluetooth RF, baseband, resource controller, link manager, device manager and a Bluetooth HCI.

    3.1 PICONETS

Bluetooth enabled electronic devices connect and communicate wirelessly through short-range, ad-hoc networks known as piconets. Each device can also belong to several piconets simultaneously. The low range and low power of Bluetooth were intended for devices within a few meters of each other to swap information. An ad-hoc network is one typically created in a spontaneous manner; it requires no formal infrastructure and is limited in temporal and spatial extent. A piconet is an ad-hoc computer network, using Bluetooth technology protocols to allow one master device to interconnect with up to seven active devices. The Bluetooth specification allows connecting two or more piconets together to form a scatternet, with some devices acting as a bridge by simultaneously playing the master role in one piconet and the slave role in another. Piconets are established dynamically and automatically as Bluetooth enabled devices enter and leave radio proximity. A piconet consists of two or more devices that occupy the same physical channel. The common clock is identical to the Bluetooth clock of one of the devices in the piconet, known as the master of the piconet, and the hopping sequence is derived from the master clock and the master Bluetooth device address.

All other synchronized devices are referred to as slaves in the piconet. The terms master and slave are only used when describing these roles in a piconet. Within a common location a number of independent piconets may exist. Each piconet has a different physical channel.

A Bluetooth enabled device may participate concurrently in two or more piconets. It does this on a time-division multiplexing basis. A Bluetooth enabled device can never be a master of more than one piconet. Any Bluetooth device can host any other Bluetooth device. This makes using services easier because there is no longer a need to set up network addresses or permissions as in many other networks. When an individual connects different Bluetooth devices together, he creates around himself a so-called PAN, that is, a small network with the possibility to exchange data and information as usually occurs with a regular company LAN.

    3.2 CLASSIFICATION

With regard to power, Bluetooth devices can be grouped in grades, each corresponding to a different reach:

Grade 1 - able to communicate with Bluetooth devices in a 100 m range.

Grade 2 - able to communicate with Bluetooth devices up to a 10 m range.

Grade 3 - able to communicate with Bluetooth devices within a 1 m range.

Class      Maximum Permitted Power mW (dBm)
Grade 1    100 mW (20 dBm)
Grade 2    2.5 mW (4 dBm)
Grade 3    1 mW (0 dBm)

Table 1. Various Bluetooth devices and their maximum power. The various classes of Bluetooth devices and their maximum power.

Version                        Data Rate
Version 1.2                    1 Mbit/s
Version 2.0 + EDR              3 Mbit/s
WiMedia Alliance (Proposed)    53 - 480 Mbit/s

Table 2. Data rates of various Bluetooth versions. The data rates of various Bluetooth versions are given in the above table.

Documentation on Bluetooth is split into two sections, the Bluetooth Specification and the Bluetooth Profiles.


The Specification describes how the technology works (the Bluetooth protocol architecture).

The Profiles describe how the technology is used (how different parts of the specification can be used to fulfill a desired function for a Bluetooth device).

    3.3 CORE SYSTEM ARCHITECTURE

The Bluetooth core system covers the four lowest layers and associated protocols defined by the Bluetooth specification, as well as one common service layer protocol, the Service Discovery Protocol (SDP); the overall profile requirements are specified in the Generic Access Profile (GAP). A complete Bluetooth application requires a number of additional services and higher layer protocols that are defined in the Bluetooth specification.

The lowest three layers are sometimes grouped into a subsystem known as the Bluetooth controller. This is a common implementation involving a standard physical communications interface between the Bluetooth controller and the remainder of the Bluetooth system, including the L2CAP, service layers and higher layers (known as the Bluetooth host). Although this interface is optional, the architecture is designed to allow for its existence and characteristics. The Bluetooth specification enables interoperability between independent Bluetooth enabled systems by defining the protocol messages exchanged between equivalent layers, and also interoperability between independent Bluetooth sub-systems by defining a common interface between Bluetooth controllers and Bluetooth hosts.


    Figure 2. Core System Architecture

    3.4 BLUETOOTH PROTOCOL STACK

Figure 3. Bluetooth Protocol Stack

The Bluetooth Specification allows for developing interactive services and applications over interoperable radio modules and data communication protocols. The ultimate objective of the Specification is to allow applications written in a manner that is conformant to the Specification to interoperate with each other. To achieve this interoperability, matching applications in remote devices must run over identical protocol stacks. Each one of these different protocol stacks uses a common Bluetooth data link and physical layer.

Protocol layer                  Protocols in the stack
Bluetooth Core Protocols        Baseband [1], LMP [2], L2CAP [3], SDP [4]
Cable Replacement Protocol      RFCOMM [5]
Telephony Control Protocols     TCS Binary [6], AT-commands [7], [8], [9]
Adopted Protocols               PPP [10], UDP/TCP/IP [10], OBEX [11], WAP [12], vCard [13], vCal [14], IrMC [15], WAE [16]

Table 3. The protocols and layers in the Bluetooth protocol stack.

    3.5 BLUETOOTH CORE PROTOCOLS


• Baseband - The Baseband protocol forms the lowest layer in the Bluetooth architecture. It is responsible for the functionality contained in the physical layer of the OSI/ISO model, but also performs some tasks from higher layers. Its main tasks are synchronization, transmission of the information, error correction, logical channel division and data whitening. Bluetooth supports both synchronous and asynchronous channels.

ACCESS CODE | HEADER | PAYLOAD

Figure 4. Standard Basic Rate packet format

Figure 5. Standard Enhanced Data Rate packet format

• Link Manager Protocol (LMP) - The link manager protocol is responsible for link set-up between Bluetooth devices. This includes security aspects like authentication and encryption, by generating, exchanging and checking link and encryption keys, and the control and negotiation of baseband packet sizes. Furthermore it controls the power modes and duty cycles of the Bluetooth radio device, and the connection states of a Bluetooth unit in a piconet.

• Service Discovery Protocol (SDP) - Discovery services are a crucial part of the Bluetooth framework. These services provide the basis for all the usage models. Using SDP, device information, services and the characteristics of the services can be queried, and after that a connection between two or more Bluetooth devices can be established. SDP is defined in the Service Discovery Protocol specification.


• Logical Link Control and Adaptation Protocol (L2CAP) - The Bluetooth logical link control and adaptation protocol adapts upper layer protocols over the baseband. It can be thought of as working in parallel with LMP, with the difference that L2CAP provides services to the upper layer, whereas payload data is never sent in LMP messages. L2CAP provides connection-oriented and connectionless data services to the upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. Although the Baseband protocol provides the SCO and ACL link types, L2CAP is defined only for ACL links and no support for SCO links is specified in Bluetooth Specification 1.0. Figure 6 illustrates the use of the channel identifier (CID) in a communication between corresponding peer L2CAP entities in separate devices.

    Figure 6. Bluetooth Core Protocol

    3.6 CABLE REPLACEMENT PROTOCOLS


• RFCOMM - RFCOMM is a serial line emulation protocol and is based on the ETSI 07.10 specification. This "cable replacement" protocol emulates RS-232 control and data signals over the Bluetooth baseband, providing transport capabilities for upper level services that use a serial line as transport mechanism. The figure below illustrates point-to-point signaling to establish a voice or data call in a single-point configuration. First the other device is notified of the call request using the point-to-point signaling channel (A). Next, this signaling channel is used to further establish the speech or data channel (B).

    Figure 7. Signalling in a single point configuration


Figure 8. Point-to-point signalling in a single point configuration

    3.8 BLUETOOTH PROFILES

The Generic Object Exchange profile defines the protocols and procedures that shall be used by the applications providing the usage models which need the object exchange capabilities. The usage model can be, for example, Synchronization, File Transfer, or Object Push.

The most common devices using these usage models can be notebook PCs, PDAs, smart phones, and mobile phones. The Bluetooth profile structure and the dependencies of the profiles are depicted in the figure. A profile is dependent upon another profile if it re-uses parts of that profile, by implicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile has dependencies on the profile(s) in which it is contained, directly and indirectly. For example, the Object Push profile is dependent on the Generic Object Exchange, Serial Port, and Generic Access profiles.


frequency at the same time. It is unlikely that two transmitters will be on the same frequency at the same time. This same technique minimizes the risk that portable devices will disrupt Bluetooth devices, since any interference on a particular frequency will last only a tiny fraction of a second. When Bluetooth-capable devices come within range of one another, an electronic conversation takes place to determine whether they have data to share or whether one needs to control the other. Any Bluetooth device will transmit the following information on demand:

Device name.

Device class.

List of services.

Technical information, for example, device features, manufacturer, Bluetooth specification used, clock offset.

Pairs of devices may establish a trusted relationship by learning a shared secret known as a passkey. A device that wants to communicate only with a trusted device can cryptographically authenticate the identity of the other device. Trusted devices may also encrypt the data that they exchange over the airwaves so that no one can listen in. The encryption can be turned off, and passkeys are stored on the device file system. Since the Bluetooth address is permanent, a pairing is preserved even if the Bluetooth name is changed. Pairs can be deleted at any time by either device. Devices generally require pairing or prompt the owner before they allow a remote device to use any or most of their services. Some devices, such as mobile phones, usually accept OBEX business cards and notes without any pairing or prompts. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 Kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate (EDR) and reach 2.1 Mbit/s.

    The steps involved in trusted Bluetooth pairing are:

Charge the devices.

Power up the devices.

Turn the Bluetooth functionality on.

Make the devices visible.

Place both devices in the connection mode.

Enter the passcode.

Deleting or disconnecting trusted devices.

    CHAPTER 5

SECURITY ISSUES

Bluetooth implements confidentiality, authentication and key derivation with custom algorithms. In Bluetooth, key generation is generally based on a Bluetooth PIN, which must be entered into both devices. This procedure might be modified if one of the devices has a fixed PIN. During pairing, an initialization key or master key is generated. The stream cipher is used for encrypting packets, granting confidentiality, and is based on a shared cryptographic secret, namely a previously generated link key or master key. Bluetooth offers several security modes, and device manufacturers determine which mode to include in a Bluetooth-enabled gadget. The Bluetooth specification includes security features at the link level. These features are based on a secret link key that is shared by a pair of devices. To generate this key a pairing procedure is used when the two devices communicate for the first time. Service level security and device level security work together to protect Bluetooth devices from unauthorized data transmission.

Trusted Device: Device with a fixed relationship that is trusted and has unrestricted access to all services.

Untrusted Device: Device with no permanent fixed relationship, or device that has a fixed relationship but is not considered as trusted. The access to services is restricted.

Security methods include authorization and identification procedures that limit the use of Bluetooth services to the registered user. As long as these measures are enabled on the user's phone or other device, unauthorized access is unlikely. A user can also simply switch his Bluetooth mode to "non-discoverable" and avoid connecting with other Bluetooth devices entirely. Cell-phone virus writers have taken advantage of Bluetooth's automated connection process to send out infected files. When the virus arrives in the user's cell phone, the user has to agree to open it and then agree to install it. Security can be defined by four fundamental elements: availability, access, integrity, and confidentiality. A security architecture defines the protocols and functionality required to implement the four elements of security within a specific application category. The rules that determine the access rights to different resources on the devices are called the access policy. There are three modes of security for Bluetooth access between two devices:

Security Mode 1: non-secure (Public)

Security Mode 2: service level enforced security (Private)

Security Mode 3: link level enforced security (Silent)
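The three security modes, together with the trusted/untrusted device classes defined above, can be written down as an access-policy check. The following Python is an added example, not code from the report or from any Bluetooth stack: the service names, their authorization/authentication/encryption requirements and the sample devices are constructed, and the decision rules are a simplified reading of the three modes (mode 1 enforces nothing; mode 2 enforces per-service requirements once a channel is requested; mode 3 demands an authenticated and encrypted link before any channel is opened, then applies the same service checks).

```python
"""Bluetooth security modes as an access-policy check (added example).

Not code from the seminar report.  Service names, their requirements and the
sample devices are constructed; the rules are a simplified reading of the
three security modes and of the trusted/untrusted device classes.
"""
from dataclasses import dataclass
from enum import Enum


class SecurityMode(Enum):
    MODE_1 = 1  # non-secure (Public): nothing is enforced
    MODE_2 = 2  # service level enforced security (Private)
    MODE_3 = 3  # link level enforced security (Silent)


@dataclass(frozen=True)
class RemoteDevice:
    bd_addr: str
    trusted: bool = False        # paired and marked trusted by the owner
    authenticated: bool = False  # link key verified on this link
    encrypted: bool = False      # baseband encryption is on


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    authorization: bool   # untrusted devices need the owner's explicit OK
    authentication: bool  # the remote device must be authenticated
    encryption: bool      # the link must be encrypted


# Constructed service database in the spirit of the "access policy" in the text:
# a business-card push accepts anyone (as the text says phones usually do),
# personal data and network access do not.
SERVICES = {
    "obex-push": ServicePolicy("OBEX Object Push", False, False, False),
    "phonebook": ServicePolicy("Phonebook Access", True, True, True),
    "dun": ServicePolicy("Dial-up Networking", True, True, True),
}


def access_decision(mode: SecurityMode, dev: RemoteDevice, service_key: str,
                    owner_approves: bool = False) -> tuple[bool, str]:
    """Decide whether dev may use a service under the given security mode.

    Returns (allowed, reason).  owner_approves models the prompt that an
    untrusted device triggers for services requiring authorization.
    """
    svc = SERVICES[service_key]
    if mode is SecurityMode.MODE_1:
        return True, "mode 1: no security enforced"
    if mode is SecurityMode.MODE_3 and not (dev.authenticated and dev.encrypted):
        return False, "mode 3: link must be authenticated and encrypted before any channel"
    # Mode 2 (and the service layer in mode 3): per-service requirements.
    if svc.authentication and not dev.authenticated:
        return False, f"{svc.name}: authentication required"
    if svc.encryption and not dev.encrypted:
        return False, f"{svc.name}: encryption required"
    if svc.authorization and not dev.trusted and not owner_approves:
        return False, f"{svc.name}: untrusted device needs owner authorization"
    return True, f"{svc.name}: allowed"


def reachable_services(mode: SecurityMode, dev: RemoteDevice) -> list[str]:
    """Service keys dev can use with no owner interaction: the exposure an
    unknown device in radio range has under each mode."""
    return [k for k in SERVICES if access_decision(mode, dev, k)[0]]


if __name__ == "__main__":
    stranger = RemoteDevice("00:11:22:33:44:55")  # constructed, never paired
    headset = RemoteDevice("66:77:88:99:AA:BB", trusted=True, authenticated=True, encrypted=True)
    for mode in SecurityMode:
        print(mode.name, "stranger:", reachable_services(mode, stranger),
              "trusted:", reachable_services(mode, headset))
```

Running it shows the practical difference between the modes: under mode 1 an unpaired stranger reaches every service, under mode 2 only the services whose policy asks for nothing (here the business-card push), and under mode 3 nothing at all until the link is authenticated and encrypted. That is the same ordering the text gives with the labels Public, Private and Silent.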


Figure 10. Bluetooth security threats

    Some reported viruses and their vital statistics are listed below.


Table 4. Reported viruses and their vital statistics

The names bluesnarfing and bluebugging have been given to these methods of illegal and improper access to information. Although the Bluetooth standard incorporates very robust security mechanisms that application developers can use to create secure architectures, researchers have discovered a series of theoretical glitches and possible attacks in Bluetooth's core specifications. The most serious of these can lead to a compromise of the cryptographic algorithm protecting communication through sniffing, but this attack is impractical because the attacker must be present at the pairing of the devices and then must be able to sniff communications between them. The specific attacks through Bluetooth are:

• BlueSnarf - Bluesnarfing allows hackers to gain access to data stored on a Bluetooth enabled phone using Bluetooth wireless technology without alerting the phone's user of the connection made to the device. The information that can be accessed in this manner includes the phonebook and associated images, calendar, and IMEI (international mobile equipment identity). By setting the device to non-discoverable, it becomes significantly more difficult to find and attack the device. Without specialized equipment the hacker must be within a 10 meter range of the device while running a device with specialized software. Only specific older Bluetooth enabled phones are susceptible to bluesnarfing.

• Bluejacking - Bluejacking allows phone users to send business cards anonymously using Bluetooth wireless technology. Bluejacking does NOT involve the removal or alteration of any data from the device. These business cards often have a clever or flirtatious message rather than the typical name and phone number. Bluejackers often look for the receiving phone to ping or the user to react. They then send another, more personal message to that device. Once again, in order to carry out a bluejacking, the sending and receiving devices must be within 10 meters of one another. Phone owners who receive bluejack messages should refuse to add the contacts to their address book. Devices that are set in non-discoverable mode are not susceptible to bluejacking.

• HeloMoto - A combination of BlueSnarf and BlueBug, this attack's name comes from the fact that it was originally discovered on Motorola phones.

• BlueSmack - This denial-of-service (DoS) attack knocks out certain types of devices; attackers can perform it with standard tools.

• BlueDump - This attack causes a Bluetooth device to dump its stored link key, creating an opportunity for key-exchange sniffing or for another pairing to occur with the attacker's device of choice.

• Car Whisperer - This attack abuses the default configuration of many hands-free and headset devices, which come with fixed PINs for pairing and transmission.

• BlueChop - This DoS attack can disrupt any established Bluetooth piconet by means of a device that isn't participating in it, if the piconet master supports multiple connections.

• BlueBugging - Bluebugging allows skilled individuals to access the mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and receive text messages, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet. As with all the attacks, without specialized equipment, the hacker must be within a 10 meter range of the phone. This is a separate vulnerability from bluesnarfing and does not affect all of the same phones as bluesnarfing. The code below is an example of a bluebugging program.


• Denial of service (DoS) - The well-known denial of service (DoS) attack, which has been most popular for attacking Internet Web sites and networks, is now an option for hackers of Bluetooth wireless technology enabled devices. This nuisance is neither original nor ingenious and is, very simply, a constant request for response from a hacker's Bluetooth enabled computer to another Bluetooth enabled device, such that it causes some temporary battery degradation in the receiving device. While occupying the Bluetooth link with invalid communication requests, the hacker can temporarily disable the product's Bluetooth.

• Blue Bump - This attack takes advantage of a weakness in the handling of Bluetooth link keys, giving devices that are no longer authorized the ability to access services as if still paired. It can lead to data theft or to the abuse of mobile Internet connectivity services, such as Wireless Application Protocol (WAP) and General Packet Radio Services (GPRS).

    CHAPTER 6


    CREATING A BLUEBAG

The BlueBag project shows targeted attacks through Bluetooth malware using proof-of-concept code and devices that demonstrate their feasibility. The purpose of BlueBag is to gather data on the prevalence of insecure devices, to understand how susceptible people are to simple social engineering attacks, and to demonstrate the feasibility of attacks in secured areas. The need to mount any type of attack without being noticed led to the creation of a covert attack and scanning device, which later came to be called the BlueBag: a Linux-based embedded system with several Bluetooth dongles to process many discovered devices in parallel, using an omnidirectional antenna to improve the range and cover a wide area. The researchers needed both a hidden tool and an instrument that could easily be carried around and still have a long battery life. To fulfill these requirements, they created the BlueBag by modifying a standard blue trolley and inserting a Mini-ITX system with the following off-the-shelf components:

• a VIA EPIA Mini-ITX motherboard (model PD6000E);

• 256 MBytes of RAM in a DDR400 DIMM module;

• an EPIA MII PCI back plate to extend the available onboard USB connections from two to six;

• a 20-Gbyte iPod, with a 1.8-inch hard drive that can resist an acceleration of up to 3 g;

• eight class-1 Bluetooth dongles with Broadcom chipsets (some were connected to a four-port USB hub);

• a modified class-1 Linksys Bluetooth dongle (Cambridge Silicon Radio chipset), fitted with a Netgear omnidirectional antenna with 5 dBi gain;

• a picoPSU DC-DC converter (this small power supply can generate up to 120 watts at over 96 percent efficiency);

• a 12 V, 26 Ah lead acid battery to power the lengthy surveying sessions.


    Figure 11. The Bluebag open

The BlueBag runs the GNU/Linux OS, on top of which the researchers created a software infrastructure in Python that makes it easy to devise, control, and perform survey sessions. The software is completely multithreaded and can use the available dongles to perform different tasks concurrently. They implemented a simple but useful dongle management and allocation scheme to dynamically learn about available resources and lock them when needed. By doing so, they can reserve specific dongles to run applications that need to lock single physical interfaces for some time. The software is quite modular and was designed around the typical producer/consumer pattern: producers put found devices in a queue, using the standard utilities that come with BlueZ (the official Linux Bluetooth stack) to collect information. The software also includes customized versions of well-known Bluetooth information-gathering techniques such as blueprinting. A distinct thread manages the queue and assigns tasks to different consumers. They designed the BlueBag software suite to allow them to monitor and control the test's execution from a palmtop or smart phone via a web interface that runs on top of a TCP/IP-over-Bluetooth connection.
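The producer/consumer layout and the dongle-allocation scheme described above, as an added Python sketch. This is not the BlueBag project's own code: real BlueZ discovery is replaced by a constructed table of sightings so the script runs offline, the dongle names hci0 to hci2, the addresses and the device names are made up, and the information-gathering step is only a placeholder. The device_rate helper implements the per-minute metric that Chapter 7 defines for Table 5.

```python
import queue
import threading

# Constructed inquiry results, one list per scanning dongle: (BD_ADDR, name).
# In the real design each producer wraps BlueZ discovery instead of a list.
SIGHTINGS = {
    "hci0": [("00:11:22:AA:BB:01", "Nokia 6630"), ("00:11:22:AA:BB:02", "K750i")],
    "hci1": [("00:11:22:AA:BB:02", "K750i"), ("00:11:22:AA:BB:03", "Nokia N70")],
    "hci2": [("00:11:22:AA:BB:01", "Nokia 6630")],
}
STOP = object()  # sentinel placed on the queue once every producer has finished


class DonglePool:
    """Dongle allocation: a consumer locks one physical interface until it releases it."""

    def __init__(self, names):
        self._free = set(names)
        self._cv = threading.Condition()

    def acquire(self):
        with self._cv:
            self._cv.wait_for(lambda: self._free)  # block until a dongle is free
            return self._free.pop()

    def release(self, name):
        with self._cv:
            self._free.add(name)
            self._cv.notify()


class Survey:
    """Per-session results: unique discoverable devices and the dongle that profiled each."""

    def __init__(self):
        self.devices = {}  # BD_ADDR -> (name, dongle) once profiled
        self._lock = threading.Lock()

    def claim(self, addr):
        """True only the first time addr is seen, so duplicate sightings are dropped."""
        with self._lock:
            if addr in self.devices:
                return False
            self.devices[addr] = None
            return True

    def record(self, addr, name, dongle):
        with self._lock:
            self.devices[addr] = (name, dongle)

    def unique_devices(self):
        return len(self.devices)


def device_rate(unique_devices, minutes):
    """'Device rate' as Chapter 7 defines it: unique devices per minute, two decimals."""
    return round(unique_devices / minutes, 2)


def producer(sightings, q):
    """Producer: pushes every discovered device onto the shared queue."""
    for addr, name in sightings:
        q.put((addr, name))


def consumer(q, survey, pool):
    """Consumer: takes a device, locks a dongle, gathers its info, frees the dongle."""
    while True:
        item = q.get()
        if item is STOP:
            q.put(STOP)  # hand the sentinel on so the other consumers stop too
            return
        addr, name = item
        if not survey.claim(addr):
            continue
        dongle = pool.acquire()
        try:
            # Here the real tool would run SDP browsing / blueprinting against addr.
            survey.record(addr, name, dongle)
        finally:
            pool.release(dongle)


def run_survey(sightings=SIGHTINGS, consumers=2):
    q = queue.Queue()
    survey = Survey()
    pool = DonglePool(sightings)  # the same dongles are reused for the lookups
    producers = [threading.Thread(target=producer, args=(s, q)) for s in sightings.values()]
    workers = [threading.Thread(target=consumer, args=(q, survey, pool)) for _ in range(consumers)]
    for t in producers + workers:
        t.start()
    for t in producers:
        t.join()
    q.put(STOP)
    for t in workers:
        t.join()
    return survey


if __name__ == "__main__":
    s = run_survey()
    print(s.unique_devices(), "unique devices;", device_rate(s.unique_devices(), 2), "per minute")
```

The queue decouples scanning from per-device lookups, and the pool is what lets a consumer hold a single interface for as long as a lookup needs it while the other dongles keep scanning.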


    CHAPTER 7

    THE BLUEBAG PROJECT

The researchers initially focused on identifying how many active Bluetooth devices were in discoverable or visible mode. They have demonstrated that it is possible to find devices with active Bluetooth technology in nondiscoverable mode using a brute-force attack. An attack with this method is possible only if attackers want to target a specific device they know to be active and in range, and even then, they must first identify the brand and model in order to prune the address space. Therefore, keeping a phone in nondiscoverable mode provides a basic form of protection against targeted attacks. For this reason, their test focused exclusively on detecting devices in discoverable mode, the only ones actually in a condition of potential risk of attack from Bluetooth malware. The researchers conducted the survey in several high-transit locations surrounding Milan:

- Milan's Exhibition Centre, during the InfoSecurity 2006 trade show;

- the Orio Center Shopping Mall;

- the MM2 Cadorna Metro Station;

- the Assago MilanoFiori Office District;

- Milan's Central Station;

- the Milan Malpensa Airport; and

- Politecnico di Milano Technical University, Leonardo Branch.

Table 5 shows the results; "unique devices" denotes the number of unique devices in discoverable mode that the researchers found during a specific session, and "device rate" indicates the average number of unique devices discovered per minute. This data shows the capillary diffusion of Bluetooth technology in everyday life and also highlights the huge number of potentially vulnerable devices the researchers found, even in such a short duration. After grouping the devices, the researchers analyzed the types of services the devices offered and, in particular, those that can be used to propagate worms.

LOCATION                                    DATE          DURATION (HH:MM)   UNIQUE DEVICES   DEVICE RATE
Infosecurity 2006                           02/08-10/06   4:42               149              0.53
Orio Center Shopping Mall                   03/01-11/06   6:45               377              0.93
MM2 Metro Station                           03/09/06      0:39               56               1.44
Assago Office District                      03/09/06      2:27               236              1.60
Milan Central Station                       03/09/06      1:12               185              2.57
Milan Malpensa Airport                      03/13/06      4:25               321              1.21
Politecnico di Milano Technical University  03/14/06      2:48               81               0.48
Total                                                     22:58              1405

Table 5. Summary of surveying results

SERVICE TYPE                              NUMBER OF DEVICES
OBEX Object Push, OBEX File Transfer      313
Headset, hands-free audio gateway         303
Dial-up networking                        292

Table 6. Services offered by mobile devices

As Table 6 shows, the OBEX Push service was active and in range for enough time to allow the scanning of 313 devices; this service is normally used for transferring information or files and applications, including worms. An important finding from the survey was the "visibility time", that is, the average time in which a device remains in a potential attacker's range, or the time in which an aggressor could exploit the device. This time depends substantially on the different activity patterns of people in different contexts. In some cases, cell phone models on the market are configured to be in discoverable mode by default if the Bluetooth connection is activated, thus requiring the user to manually modify the setting to the secure, nondiscoverable mode. Most existing worms rely on the user accepting a file to propagate, so the researchers wanted to know the ratio of users who would accept an unknown file transfer from an unknown source. To obtain this data, they developed an OBEX Pusher, an add-on to their normal survey scripts, which searches for all discoverable Bluetooth devices with OBEX Push support enabled and then sends them a file. Using this tool, they found that an astounding 7.5 percent of device owners carelessly accepted unknown file transfers from unknown sources and were thus highly vulnerable to social engineering attacks.

Figure 12. Pseudocode of Bluetooth worm with dynamic payloads for targeted attacks

All the elements are thus in place for a huge risk, to both companies and individuals; the researchers can almost certainly foresee an increase in attacks that aim not only to make a mobile device unusable or connect it to premium-rate telephone numbers but also to target specific information on the device. The effort it takes to reach a target device is often thought of as a form of protection. To prove this assumption wrong, they created a network of viral agents that can spread among mobile devices looking for a target, zero in on it, and then report information back to the attacker. They designed a proof-of-concept worm infrastructure that uses an envelope-payload mechanism. The envelope component is a piece of software that can scan for Bluetooth devices and propagate to found devices; it has a list of targets to propagate to and a set of payloads that it can "deploy" on the targets. The payload components can be any type of malicious code that the attacker wants to execute on victim devices, within the limits of cell phone operating systems. Such payloads can use the high connectivity of Bluetooth-enabled devices to transmit harvested information back to the


Figure 13. Infection ratio

Figure 14. Summary of Bluetooth security operations


    CHAPTER 8

    CONCLUSION

A Bluetooth device should never be public (discoverable) by default or as a fixed factory setting. A user should at least have the possibility to change the factory security-level setting. Another possibility is to make the private security level mandatory and to print the BD_ADDR of the device in every manual. PIN codes 16 case-sensitive alphanumerical characters long should always be used when possible. This also requires minor changes to the Bluetooth specification if the Bluetooth SIG wants to force device manufacturers to use it. On the other hand, some public Bluetooth services are not possible if all devices must be nondiscoverable. Bluetooth device manufacturers and users should also take security issues much more seriously.
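The PIN recommendation above (16 case-sensitive alphanumerical characters), as an added Python illustration that is not part of the original report: a generator drawing from the OS CSPRNG, a policy check, and a keyspace comparison against the common four-digit numeric PIN. The alphabet, length and function names are this example's own assumptions, not anything from the Bluetooth specification.

```python
import math
import secrets
import string

# Policy from the conclusion: at least 16 case-sensitive alphanumerical characters.
PIN_ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumed alphabet)
MIN_PIN_LENGTH = 16


def generate_pin(length=MIN_PIN_LENGTH):
    """Random PIN from the policy alphabet, drawn with the OS CSPRNG."""
    return "".join(secrets.choice(PIN_ALPHABET) for _ in range(length))


def pin_meets_policy(pin):
    """True if the PIN is at least 16 characters and uses only [A-Za-z0-9]."""
    return len(pin) >= MIN_PIN_LENGTH and all(c in PIN_ALPHABET for c in pin)


def keyspace_bits(alphabet_size, length):
    """Entropy of a uniformly chosen PIN: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def policy_comparison():
    """Recommended policy versus a four-digit numeric PIN (bits and keyspace ratio)."""
    weak = keyspace_bits(10, 4)
    strong = keyspace_bits(len(PIN_ALPHABET), MIN_PIN_LENGTH)
    return {
        "four_digit_bits": round(weak, 1),
        "policy_bits": round(strong, 1),
        "keyspace_ratio": len(PIN_ALPHABET) ** MIN_PIN_LENGTH // 10 ** 4,
    }


if __name__ == "__main__":
    pin = generate_pin()
    print(pin, pin_meets_policy(pin))
    print(policy_comparison())
```

The comparison is what makes the recommendation concrete: a four-digit PIN offers about 13 bits, the 16-character policy about 95, which is why the report pairs it with a call for specification changes so that manufacturers can be made to support it.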
