GLOBUS ENGINEERING COLLEGE BHOPAL (M.P.

SEMINAR REPORT On
BLUETOOTH NETWORK SECURITY: THREATS & PREVENTIONS

GUIDED BYMr. LALIT JAIN Dept. of Electronics & Communications, GEC, BHOPAL

SUBMITTED BYRAVINDRA MATHANKER 0130EC071046 E.C. 7th sem. GEC, BHOPAL

GLOBUS ENGINEERING COLLEGE, BHOPAL

ACKNOWLEDGMENT
We extend our heartiest thanks to Mr. Arvind Kaurav, HOD, Electronics Dept. for his support in accomplishment of this project successfully. Furthermore it was his valuable guidance which helped us immensely in various areas of troubleshooting. We would also like to thank Mr. Anil Sharma, Principal, Globus Engineering College. He provides us an opportunity to present this paper. We also thank to our faculties of Electronics Dept. who supported us by their valuable knowledge. Last but not the least we would like to extend thank to my seniors who helped us to reveal various aspect of this project. We also thank to my friends for production support.

- Ravindra Mathanker 0130EC071046, EC 7th sem

GLOBUS ENGINEERING COLLEGE, BHOPAL

Preface
The modern age technology has many advantages and disadvantages. The use of technology depends on the nature of the user, hence the scientists and engineers developed the devices and equipments as safe as possible for all. This report includes the security threats and mindset behind the misuse of Bluetooth. The introductory part of report told about the possible threats of wireless networking. The basic knowledge about the Bluetooth is summarized in further pages. Readers and viewers can easily get the information about security tools of Bluetooth device and connection process. The tricks and tools of attack part really aware the reader to secure use of Bluetooth. The mentality of hacker and how people become cheese of hackers is described in the end part of report.

Department of Electronics & Communication.

0130ec071046

TABLE OF CONTENT

INTRODUCTION ABOUT BLUETOOTH BLUETOOTH NETWORKS BLUETOOTH ARCHITECTURE SECURITY ASPECTS IN BLUETOOTH CONNECTION ESTABLISHMENT BREAKING INTO SECURITY ATTACKING TOOLS & TRICKS USED SOFTWERE A) FOR DISCOVERING DEVICES B) FOR HACKING EFFECTIVENESS OF ATTACK SECURE YOUR DEVICE REFERENCES

__________________1 __________________2 __________________3 __________________5 __________________6 __________________8 __________________9 __________________10

__________________13 __________________14 __________________15 __________________16 __________________17

GLOBUS ENGINEERING COLLEGE, BHOPAL

Department of Electronics & Communication.

0130ec071046

BLUETOOTH HACKING THREATS & PREVENTIONS

INTRODUCTION Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Ad hoc networks, such as those enabled by Bluetooth, allow users to: Data synchronization with network systems and application sharing between devices. Eliminates cables for printer and other peripheral device connections. Synchronize personal databases. Provide access to network services such as wireless e-mail, Web browsing, and Internet access. However, risks are inherent in any wireless technology. The loss of confidentiality and integrity and the threat of denial of service (DoS) attacks are risks typically associated with wireless communications. Specific threats and vulnerabilities to wireless networks and handheld devices include the following: All the vulnerabilities that exist in a conventional wired network apply to wireless technologies. Malicious entities may gain unauthorized access to an agencys computer network through wireless connections, bypassing any firewall protections. Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed. Sensitive data may be corrupted during improper synchronization. Data may be extracted without detection from improperly configured devices.

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 1

Department of Electronics & Communication.

0130ec071046

ABOUT BLUETOOTH The original architecture for Bluetooth was developed by Ericson Mobile Communication Co. Bluetooth was originally designed primarily as a cable replacement protocol for wireless communications. Among the array of devices that are anticipated are cellular phones, PDAs, notebook computers, modems, cordless phones, pagers, laptop computers, cameras, PC cards, fax machines, and printers. Now Bluetooth specification is: The 802.11 WLAN standards. Unlicensed 2.4 GHz2.4835 GHz ISM(industrial, scientific, medical applications) frequency band. Frequency-hopping spread-spectrum (FHSS) technology to solve interference problems. Transmission speeds up to 1 Mbps. The FHSS scheme uses 79 different radio channels by changing frequency about 1,600 times per second. One channel is used in 625 microseconds followed by a hop in a pseudo-random order to another channel for another 625 microsecond transmission; this process is repeated continuously. As stated previously, the ISM band has become popular for wireless communications because it is available worldwide and does not require a license.

Bluetooth SIG (Special Interest Group): Founded in year 1998. IBM, Intel, Nokia, and Toshiba, Agere, Ericsson, are promoters. Today more than 2,000 organizations are part of the Bluetooth SIG. Bluetooth Classes and Specifications

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 2

Department of Electronics & Communication.

0130ec071046

BLUETOOTH NETWORKS Bluetooth devices can form three types of networks: Point to Point Link Piconet Network Ad-hoc or Scatternet Network

Point to Point Link

When two Bluetooth enabled devices share information or data that is called point to point link.
Slave Network/Link Device Device

Master

Piconet Network
When there is a collection of devices paired with each other, it forms a small personal area network called Piconet. A Piconet consists of a master and at most seven active slaves. Each Piconet has its own hopping sequence and the master and all slaves share the same channel.
Master Device

Slave Device

Slave Device

Slave GLOBUS ENGINEERING COLLEGE, BHOPAL Device Page 3

Department of Electronics & Communication.

0130ec071046

Ad-hoc or Scatternet Network Two or more piconets connected to each other by means of a device (called bridge) participating in both the piconets, form a Scatternet Network. The role of bridge is to transmit data across piconets.

Picont1 Fig: Scatternet Network

Piconet 2

When a number of Bluetooth devices communicate to each other in same vicinity, there is a high level of interference. To combat interference, Bluetooth technology applies a fast frequency-hopping scheme which hoops over 79 channels 1600 times per second. For devices to communicate to each other using Bluetooth they need to be paired with each other to have synchronized frequency-hopping sequence.

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 4

Department of Electronics & Communication.

0130ec071046

BLUETOOTH ARCHITECTURE The Bluetooth core system has three parts: RF transceiver Baseband
Protocol-stack

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 5

Department of Electronics & Communication.

0130ec071046

SECURITY ASPECTS IN BLUETOOTH The Bluetooth-system provide security at two level At Link layer At Application layer Link layer security Four different entities are used for maintaining security at the link layer: a Bluetooth device address, two secret, keys, and a pseudo-random number that shall be regenerated for each new transaction. The four entities and their sizes are summarized in TableEntity Size

BD_ADDR Private user key, authentication Private user key, encryption Configurable length (byte-wise) RAND

48 bits 128 bits 8-128 bits 128 bits

Table 1.1: Entities used in authentication and encryption procedures Application layer security specification

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 6

Department of Electronics & Communication.

0130ec071046

L2CAP: enforce security for cordless telephony. RFCOMM: enforce security for Dial-up networking. OBEX: files transfer and synchronization. The encryption key in Bluetooth changes every time the encryption is activated, the authentication key depends on the running application to change the key or not. Another fact regarding the keys is that the encryption key is derived from the authentication key during the authentication process. The time required to refresh the encryption key is 228 Bluetooth clocks which is equal to approx. 23 hours. RAND or the random number generator is used for generating the encryption and authentication key. Each device should have its own random number generator. It is used in pairing (the process of authentication by entering two PIN-codes) for passed keys in the authentication process. Security modes in Bluetooth In Bluetooth there are three security modes which are: Mode 1: Non-secure. Mode 2: Service level security Trusted device. Un-trusted devices. Unknown devices. Mode 3: Link level. The trusted device is a device that has been connected before, its link key is stored and its flagged as a trusted device in the device database. The un-trusted devices are devices that have also previously connected and authenticated, link key is stored but they are not flagged as a trusted devices. The unknown devices are the devices that have not connected before. In Bluetooth service level we have three type of service in regard to the security: Services that need authentication and authorization: this is automatically granted to the trusted devices but for the un-trusted devices manual authentication is required. Services that need authentication only: in this case the authorization process is not necessary. Open services.
GLOBUS ENGINEERING COLLEGE, BHOPAL Page 7

Department of Electronics & Communication.

0130ec071046

Establishing a connection (from the layers) This part discusses how Bluetooth connection is established and how the operation passed from Bluetooth layers. The first thing is defining the accessed service and which security level is related to this service, and then an authentication process will occur. The authentication process takes place only when a request to a service submitted. We can summarize the authentication process as; first, a connection request to L2CAP, and L2CAP request access from the security manager. Then, the security manager looks in service and device DBs to determine if an authentication and encryption is needed or not. After granting the access by the security manager L2CAP continue to set up a connection.

Regarding the protocol stack, for any new connection request, the request submitted to L2CAP, in some cases also in RFCOMM for multiplexing, and then the protocol parameters are passed to the security manager for decision making. These parameters enter as query values to the security manager. Finally, the security manager according to it is query results; may either grant access or reject the access.
GLOBUS ENGINEERING COLLEGE, BHOPAL Page 8

Department of Electronics & Communication.

0130ec071046

BREAKING INTO SECURITY Bluetooth devices themselves have inherent security vulnerabilities. For example, malicious users can use wireless microphones as bugging devices. Although such attacks have not been documented because Bluetooth is not yet commercially prevalent, incidents have been recorded of successful attacks on PCs using programs such as Back Orifice and Netbus. If a malicious user has a program such as Back Orifice installed on a device in the Bluetooth network, that user could access other Bluetooth devices and networks that have limited or no security. These same programs could be used against Bluetooth devices and networks. Bluetooth devices are further vulnerable because the system authenticates the devices, not the users. As a result, a compromised device can gain access to the network and compromise both the network and devices on the network. Attack Tools & Programs Hardware Used: Dell XPS, Nokia N95, Nokia 6150, Hp IPAQ HX2790b. Operating Systems: Ubuntu, Backtrack, Windows Vista, Symbian OS, windows mobile. Software used: Bluebugger, Bluediving, BTscanner, Redfang, Blooover2, Ftp_bt. Bluescanner, Bluesnarfer,

Dell laptop with windows vista to be broken into and for scanning then with Linux to attempt attacks. Pocket pc for being attacked, and one mobile for attacking one for being attacked. Attacking methodology The first & last thing to break security of a Bluetooth device is set up a connection or pairing. After that we can use the program to access into device data. Using tools to find the MAC address of nearby devices to attack. This generally finds devices set to discoverable although programs exist with a brute force approach that detects them when hidden. These programs also provide other basic information such as device classes and names.
GLOBUS ENGINEERING COLLEGE, BHOPAL Page 9

Department of Electronics & Communication.

0130ec071046

Attacking Tools or Tricks Bluejacking Sending an unsolicited message over Bluetooth generally harmless but can be considered annoying at worst. Bluejacking is generally done by sending a V-card (electronic business card) to the phone and using the name field as the message.

OBEX Push A way of bypassing authentication by sending a file designed to be automatically accepted such as a vcard and instead using OBEX to forward a request for data or in some cases control. Used in the below attacks.

Bluesnarfing Through it we can access to data on a device via Bluetooth such as text messages, contact lists, calendar, emails etc. This uses the OBEX push profile to attempt to send an OBEX GET command to retrieve known filenames such as telecom/pb.vcf. The enhancement to this Bluesnarf++ connects to the OBEX FTP server to transfer the files. Here 'Snarf' - networking slang for 'unauthorized copy. Bluesnarfing consists of: Data Theft Calendar Appointments Images 1. Phone Book Names, Addresses, Numbers PINs and other codes Images Devices: Ericsson R520m, T39m, T68, Sony Ericsson T68i, T610, Z1010, Nokia 6310, 6310i, 8910, 8910i

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 10

Department of Electronics & Communication.

0130ec071046

HeloMoto It can have full control of a device using AT commands. Either OBEX is used to create a connection is a Bluesnarf or a vcard card is sent and then the request is automatically cancelled leaving the attacking device as a trusted device in the target. This allows AT commands to be used. It requires entry in 'Device History'. Connect RFCOMM to Hands free or Headset No Authentication required. Full AT command set access. Devices: Motorola V80, V5xx, V6xx and E398 Bluebugging Through it we can create unauthorized connection to serial profile. Full access to AT command set Read/Write access to SMS store Read/Write access to Phone Book Take control of the phone, make calls, and listen to calls etc anything a user can do. This attacks gains access to the mobile through the RFCOMM channel 17 which on certain phones is unsecured and can be used as a backdoor. Once connected AT commands are used to take control of the mobile. How come!? Various Manufacturers poorly implemented the Bluetooth security mechanisms. Unpublished services on RFCOMM channels - Not announced via SDP Affected Devices: Nokia has quite a lot of models (6310, 6310i, 8910, 8910i...) Sony Ericsson T86i, T610. DOS (Denial of service) Attacks There are various attacks such as Bluesmack, Bluestab and in some cases Bluejacking that can be used to cause a DOS attack. This can range from using Bluejacking to repeatedly send messages to a phone that requires them to be accepted to using AT commands to crash to phone or malformed packets (ping of death). This can cause strange behavior in devices or they simply crash.
GLOBUS ENGINEERING COLLEGE, BHOPAL Page 11

Department of Electronics & Communication.

0130ec071046

Long Distance Attacking (Blue Sniper) This trick is tested in beginning of August 2004. This experiment has done in Santa Monica California. The attacker has a class 1 Bluetooth device (called dongle) with software. The bugged or snarfed device was class 2 device (Nokia 6310i) at distance of 1.78 km (1.01 miles). Blueprinting Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices. This work has been started by Collin R. Mulliner and Martin Herfurt. Relevant to all kinds of applications: Security auditing. Device Statistics. Automated Application Distribution. Released paper and tool at 21C3 in December 2004 in Berlin related to this technique. Blueprinting basics: 2. Hashing Information from Profile Entries. Record Handle RFCOMM channel number Adding it all up(RecHandle1*Channel1) + (RecHandle2*Channel2) +...+ (RecHandlen*Channeln). 3. It used the Bluetooth device address for bugging purpose. Example of Blueprint: 00:60:57@2621543

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 12

Department of Electronics & Communication.

0130ec071046

Attacking software For Discovering Bluetooth Devices

BlueScanner

searches out for Bluetooth-enabled devices. It will try to extract as much information as possible for each newly discovered device.
BlueSniff - BlueSniff is a GUI-based utility for finding discoverable and hidden

- BlueScanner

Bluetooth-enabled devices.
BTBrowser - Bluetooth Browser is a J2ME application that can browse and

explore the technical specification of surrounding Bluetooth-enabled devices. You can browse device information and all supported profiles and service records of each device. BTBrowser works on phones that supports JSR-82 - the Java Bluetooth specification.
BTCrawler - BTCrawler is a scanner for Windows Mobile based devices. It scans

for other devices in range and performs service query. It implements the BlueJacking and BlueSnarfing attacks.

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 13

Department of Electronics & Communication.

0130ec071046

For Hacking Bluetooth Devices

BlueBugger -BlueBugger exploits the BlueBug vulnerability. BlueBug is the name of a set of Bluetooth security holes found in some Bluetooth-enabled mobile phones. By exploiting those vulnerabilities, one can gain an unauthorized access to the phonebook, calls lists and other private information. CIHWB - Can I Hack With Bluetooth (CIHWB) is a Bluetooth security auditing framework for Windows Mobile 2005. Currently it only support some Bluetooth exploits and tools like BlueSnarf, BlueJack, and some DoS attacks. Should work on any PocketPC with the Microsoft Bluetooth stack. Bluediving - Bluediving is a Bluetooth penetration testing suite. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++, BlueSmack, has features such as Bluetooth address spoofing, an AT and a RFCOMM socket shell and implements tools like carwhisperer, bss, L2CAP packetgenerator, L2CAP connection resetter, RFCOMM scanner and greenplaque scanning mode. Transient Bluetooth Environment Auditor - T-BEAR is a security-auditing platform for Bluetooth-enabled devices. The platform consists of Bluetooth discovery tools, sniffing tools and various cracking tools. Bluesnarfer - Bluesnarfer will download the phone-book of any mobile device vulnerable to Bluesnarfing If a mobile phone is vulnerable, it is possible to connect to the phone without alerting the owner, and gain access to restricted portions of the stored data. BTcrack - BTCrack is a Bluetooth Pass phrase (PIN) cracking tool. BTCrack aims to reconstruct the Passkey and the Link key from captured Pairing exchanges. Blooover II - Blooover II is a J2ME-based auditing tool. It is intended to serve as an auditing tool to check whether a mobile phone is vulnerable. BlueTest - BlueTest is a Perl script designed to do data extraction from vulnerable Bluetooth-enabled devices. BTAudit - BTAudit is a set of programs and scripts for auditing Bluetooth-enabled devices.
GLOBUS ENGINEERING COLLEGE, BHOPAL Page 14

Department of Electronics & Communication.

0130ec071046

Effectiveness of Attacks Laptop This attacks here where a resounding failure with all devices being attacked requiring user input to function. Bluebugging and Bluesnarfing where both attempted several times with trial and error the correct channels for these attacks where found and used to successfully contact the phone but failed to work without authentication. Vs Mobiles Attacks made against the Nokia N95 and Nokia 6250 both connected to the phone but required the user to accept to continue and thus where considered a failure. Attacks were also made against other nearby mobiles with either the same result or in a single case a successful transfer with Bluesnarfing but no data gathered (Unusual filenames where assumed). Vs Laptops A single laptop with Bluetooth came into range and after asking the owner attacks where performed without success even when he decided to accept the connection. Mobile Vs Mobiles The primary success was through this device and a program called blooover2. An auditing tool blooover2 tests the possible effect of various attacks and did a few minor attacks of its own. While the test devices required authentication for this audit to function passing devices showed several vulnerabilities and after hunting down owners and asking permission successful attacks where performed. The software inserted phonebook entrys,copied phone books and changed call forwarding effectively taking phones off the network. The other program that had a single successful attack was called Super Bluetooth attack while the majority of phones required authentication a Sony Eriksson (model unknown) allowed access without. Phonebook, messages where accessible while calls could also be made andgeneral settings changed (display, sounds etc).

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 15

Department of Electronics & Communication.

0130ec071046

SECURE YOUR DEVICE

Bluetooth social engineering

Bluetooth is used by people daily so it is possible to use social engineering techniques to attack devices. One of the most common uses of Bluetooth is with Mobile Phone can be an interesting part of social engineering to examine. Some users tend to accept incoming connections leaving themselves at risk to outside attack. More a lack of education than anything else causes people not to recognize a threat when they see one and accept incoming connections. This is an interesting way of using social engineering to break into devices.

Security Effectiveness The standard security method for Bluetooth is to simple have the device hidden or turned off and many devices require user input for any incoming message or connection. This is surprisingly effective as when a device requires authentication for even a vcard it is difficult to find a way in without an unsecured channel. The biggest security risk seems to be the users themselves several attacks succeeded simple because the users accepted the incoming connection (many harmless audits where performed on bypassers) allowing access on their device (we considered this a failure of the attack). No amount of security can prevent a user opening the door so to speak. No additional security software was found for Bluetooth.

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 16

Department of Electronics & Communication.

0130ec071046

References
1. Data Communication and Networking, 4th edition, Behrouz A Forouzan. 2. http://trifinite.org 3. http://en.wikipedia.org/wiki/Bluetooth/ 4. Wireless Network Security 802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology, Technology Administation, U.S. Department of Commerce. 5. BLUETOOTH SPECIFICATION Version 2.1 + EDR [vol 0] , www.Bluetooth.com 6. Andreas Becker,Bluetooth Security and Hacks, Ruhr-University Bochum, 2007. 7. Essential Bluetooth hacking tools, http://www.securityhacks.com/2007/05/25/essentialbluetooth hacking-tools. 8. Marek Bialoglowy, Bluetooth http://www.securityfocus.com/infocus/1830, Security Review,

GLOBUS ENGINEERING COLLEGE, BHOPAL

Page 17