CONTENTS

SUPERVISOR'S DECLARATION ........................................................................... 2
STUDENT'S DECLARATION ................................................................................. 3
ACKNOWLEDGEMENTS ........................................................................................ 4
ABSTRACT................................................................................................................ 5
ABSTRACT (MALAY VERSION) .................................................................................. 6
ABBREVIATIONS AND NOTATIONS ................................................................... 7
LIST OF TABLES .................................................................................................... 10
LIST OF FIGURES .................................................................................................. 11
CHAPTER 1 ............................................................................................................. 12
INTRODUCTION AND GENERAL INFORMATION .......................................... 12
1.1 OVERVIEW ............................................................................................... 12
1.2 BACKGROUND OF STUDIES ................................................................. 13
1.3 PROBLEM STATEMENT ......................................................................... 14
1.4 RESEARCH OBJECTIVE ............................................................................. 14
CHAPTER 2 ............................................................................................................. 15
LITERATURE REVIEW ......................................................................................... 15
2.1 INTRODUCTION .......................................................................................... 15
2.2 ANALYSES OF DIFFERENT BLUETOOTH VERSIONS ......................... 16
2.3 PRINCIPLES OF BLUETOOTH COMMUNICATION ............................... 20
2.4 SPECIFICATION OF BLUETOOTH PROTOCOL ...................................... 21
2.5 ANALYSES OF MAIN TYPES OF BLUETOOTH ATTACKS .................. 24
2.6 VULNERABILITIES IN BLUETOOTH TECHNOLOGY........................... 27
CHAPTER 3 ............................................................................................................. 32
METHODOLOGY ................................................................................................... 32
3.1 INTRODUCTION .......................................................................................... 32
3.2 RESEARCH METHODOLOGY ......................................................................... 32
3.3 BLUETOOTH SIMULATION MODEL SUITE (SUITEOOTH) ................. 34
REFERENCES ......................................................................................................... 36

SUPERVISOR'S DECLARATION

I hereby declare that I have checked this thesis and, in my opinion, this thesis is adequate in terms of scope and quality for the award of the degree of Master of Science in Computer Networking (Coursework).



Signature
Name of Supervisor: DR. MOHAMED ARIFF AMEEDEEN
Position: LECTURER
Date: 4 JUNE 2014

STUDENT'S DECLARATION

I hereby declare that the work in this thesis is my own except for quotations and summaries which have been duly acknowledged. The thesis has not been accepted for any degree and is not concurrently submitted for the award of any other degree.



Signature
Name: SITI HUSNA BINTI ABDUL RAHMAN @ SULIMAN
ID Number: KCT13006
Date: 4 JUNE 2014

ACKNOWLEDGEMENTS

In the name of Allah, the Most Merciful and the Most Compassionate. Firstly, I would like to express my deepest gratitude to the Almighty God, because with His blessings I was able to get this report done.
I would like to express my appreciation and thanks to my supervisor, Dr. Mohamed Ariff bin Ameedeen, for all the knowledge he shared, all the encouragement he has shown, all those insightful suggestions, his continued interest and the unlimited assistance given to complete this report proposal.
I would also like to thank all staff in the Faculty of Computer Systems and Software Engineering, University Malaysia Pahang, who are involved directly and indirectly, including all post-graduate students, for their cooperation and advice. Thanks for the patience that you all needed in order to get me through my project proposal.
I acknowledge my sincere indebtedness and gratitude to the most important people in my life, my parents, who are always there for me through my ups and downs. Especially to my mother, thanks for all your support throughout my studies and thanks for not giving up on me. I am also grateful to my husband for his sacrifice, patience, and understanding, which were indispensable in making this work possible. I cannot find the appropriate words that could properly describe my appreciation for his devotion, support and faith in my ability to attain my goals.

Thank you.

ABSTRACT

Bluetooth offers users a low-cost, short-range and low-power radio technology that is used to connect devices such as mobile phones and portable computers to each other without cables or any other physical medium. Bluetooth technology was primarily invented to establish wireless personal area networks (WPAN). This thesis provides some background information about the Bluetooth system, its applications and the various security issues involved in Bluetooth. In addition, vulnerabilities in Bluetooth technologies and threats against those vulnerabilities are discussed. In the methodology part, the proposed method to overcome Bluetooth vulnerabilities is discussed. Based on the common vulnerabilities and threats, recommendations for possible countermeasures that may be used to improve Bluetooth security are also outlined. Therefore, by having a better understanding of the problem, the issues involved in Bluetooth security may be minimized.

ABSTRACT (MALAY VERSION)

Bluetooth offers a low-power radio technology that is used to connect devices at low cost over short distances, such as mobile phones and portable computers, so that they can communicate wirelessly with one another without any other physical medium. Bluetooth technology was created to establish wireless personal area networks (WPAN). This thesis provides some background information on the Bluetooth system, its applications and the various security issues involved in Bluetooth. In addition, weaknesses in Bluetooth technology and the attacker threats arising from those weaknesses are also discussed. In the research methodology section, the proposed method to overcome the Bluetooth weaknesses is discussed. Based on the common weaknesses and threats, recommendations for countermeasures that may be used to improve Bluetooth security are also outlined. Therefore, with a better understanding of the problem, the issues involved in Bluetooth security can be reduced.

ABBREVIATIONS AND NOTATIONS

ACL Asynchronous Connection-Less
AFH Adaptive frequency-hopping spread spectrum
BER Bit-Error-Rate
BNEP Bluetooth Network Encapsulation Protocol
CL Connection-Less
CO Connection-Oriented
CSRK Connection Signature Resolving Key
DoS Denial-of-Service
EDR Enhanced Data Rate
eSCO Extended Synchronous Connections
HCI Host Controller Interface
HID Human Interface Devices
HS High Speed
HV1 High-quality Voice 1
IBM International Business Machines
IMEI International Mobile Equipment Identity
IP Internet Protocol
IRK Identity Resolving Key
L2CAP Logical Link Control and Adaptation Protocol
LAN Local Area Network
LC Link Controller
LE Low Energy
LM Link Manager
LMP Link Manager Protocol
LTK Long-Term Key
MAC/PHY Medium Access Control/Physical Layer
MITM Man in the Middle
OBEX Object Exchange Protocol
PDUs Protocol Data Units
PPP Point-to-Point Protocol
QoS Quality of Service
RF Radio Frequency
RFCOMM Radio Frequency Communication
RSSI Received Signal Strength Indicator
SDP Service Discovery Protocol
SIG Special Interest Group
SSP Secure Simple Pairing
TCP/IP Transmission Control Protocol/Internet Protocol
TCS Telephony Control protocol Specification
UART Universal Asynchronous Receiver/Transmitter
UDP User Datagram Protocol
WPAN Wireless Personal Area Network

LIST OF TABLES
Table 1: Bluetooth Security Threats
Table 2: Bluetooth Attack with area affected in Bluetooth Protocol

LIST OF FIGURES
Figure 1: Piconets with a single slave operation (a), a multi-slave operation (b) and a scatternet operation (c)
Figure 2: Bluetooth protocol stack
Figure 3: General Step in Research Methodology

CHAPTER 1

INTRODUCTION AND GENERAL INFORMATION

1.1 OVERVIEW
Bluetooth is one of the emerging technologies that has evolved from a cable-replacement technology into a wireless technology providing connectivity between portable or stationary devices within close range. The technology was developed for home, office and mobile Personal Area Network use [1]. Bluetooth is a technology for short-range wireless data and real-time two-way voice transfer providing data rates of up to 1 Mb/s. Almost any device can be connected to another device using Bluetooth. Many kinds of Bluetooth devices, such as mobile phones, headsets, PCs, laptops, printers, mice and keyboards, are widely used all over the world. By 2014, close to 100% of smartphones and almost 90% of notebooks will also be fitted with Bluetooth devices [2]. A procedure called pairing needs to be performed when two devices are set to connect to each other. Many industries have integrated Bluetooth into their products, and this integration can be found especially in mobile phones, notebooks and other consumer devices. An important element in ensuring the widespread use and utilization of Bluetooth technology by the public is the need to lower the expectations of end users' technical ability, as well as to minimize user setup and configuration for ease of use [1]. As a result, some users are not aware of the functionality Bluetooth offers and its potential for exploitation, and in many cases leave the default settings on their devices unchanged, a situation compounded by the relatively low power consumption of Bluetooth chipsets and the consequent impact on battery usage [1].

1.2 BACKGROUND OF STUDIES
The use of wireless communication systems and their interconnection via networks has grown rapidly in recent years. Because RF (Radio Frequency) waves can penetrate obstacles, wireless devices can communicate with no direct line of sight between them. This makes RF communication easier to use than wired or infrared communication, but it also makes eavesdropping easier. Moreover, it is easier to disrupt and jam wireless RF communication than wired communication.
The issue of security remains a major concern, as many users keep sensitive personal or corporate information on their Bluetooth-enabled devices. Poor Bluetooth implementation in mobile devices has led to some high-profile Bluetooth hacks. Weak security protocol designs expose the Bluetooth system to some devastating protocol attacks [3]. In addition, security issues in wireless ad-hoc networks are much more complex than those of more traditional wired or centralized wireless networks.
Based on previous research, there are many security issues found in the Bluetooth environment. Much work has been done to enhance Bluetooth security and thereby mitigate the threat, but attackers are always looking for new ways to attack. The aim of this research is to evaluate Bluetooth security threats and vulnerabilities in Bluetooth-enabled systems. The research work can be roughly divided into three parts. First, Bluetooth technology and Bluetooth vulnerabilities are studied. Secondly, different types of attacks against Bluetooth security are investigated and the feasibility of some of them is demonstrated. In the last step, a new technique to overcome the vulnerability issues is proposed.
The rest of the thesis is organized as follows. Chapter 2 gives an overview of Bluetooth technology. Different Bluetooth versions are explained and a brief survey of Bluetooth vulnerabilities and security issues is given. Bluetooth communication, the special characteristics of Bluetooth, and Bluetooth protocols are also explained. Chapter 3 explains the methodology of this research in detail. This part is important to ensure the success of the research.

1.3 PROBLEM STATEMENT
Vendors are now adopting Bluetooth technology in their products; based on [2], close to 100% of smartphones and almost 90% of notebooks will also be fitted with Bluetooth devices. However, security remains a major concern because some of these devices often contain sensitive personal or corporate information; security is always an issue when using Bluetooth with these devices. In response to this problem, the purpose of this research is to analyze the security features of the Bluetooth system and present an experimental analysis of its security vulnerabilities.
1.4 RESEARCH OBJECTIVE
The objectives of this research are stated as follows:
- To analyze different types of Bluetooth vulnerabilities in the Bluetooth environment using OPNET simulation.
- To investigate which parts of the Bluetooth protocol have vulnerabilities that can lead to attacks.
- To propose suggestions on how to overcome these vulnerabilities.

CHAPTER 2

LITERATURE REVIEW

2.1 INTRODUCTION
In previous decades, cables were an essential element in making computing and telecommunication devices function and stay connected. The emergence of Bluetooth technology in recent years allows users to connect easily with different devices within a relatively wide area even without cables. Bluetooth is a Wireless Personal Area Network (WPAN) technology which complements IEEE 802.11 wireless Local Area Networks (LAN). In addition to its portability, Bluetooth technology is also inexpensive, user-friendly and able to operate in low-power WPANs. Bluetooth data is transmitted on the unlicensed 2.4 GHz ISM band and the range can vary from 10 m up to 100 m [1][3][4][5]. ISM stands for the industrial, scientific and medical radio bands; it defines and reserves radio frequencies for industrial, scientific and medical purposes.
The main aim of the Bluetooth invention is to connect Bluetooth-compatible devices with ease, without the difficulty of cable installation. Bluetooth technology has encouraged the use of hands-free devices such as car kits that allow the user to talk hands-free in the car even without a built-in hands-free system. Recently, Bluetooth has become available in data-entry devices such as mice, keyboards and joysticks, and in output devices such as monitors, printers, speakers and photo viewers [2]. By 2014, close to 100% of smartphones and almost 90% of notebooks will also be equipped with Bluetooth devices [4].
Furthermore, Bluetooth allows devices such as smartphones to function as a wireless modem that provides an internet connection to other devices [6]. This function offers an alternative way to obtain an internet connection. On the other hand, Bluetooth also offers file transfer between Bluetooth-compatible devices, that is, the wireless transmission of data such as ringtones, documents, multimedia, program files, photos and videos. File transfer is either uploading or downloading files [6]. Finally, Bluetooth provides automatic synchronization between Bluetooth-enabled devices. For example, Bluetooth allows synchronization of contact information contained in electronic address books and calendars [6].
Section 2.1 gives an introduction to Bluetooth. Bluetooth versions are described in Section 2.2. Section 2.3 explains Bluetooth communication. Bluetooth protocols, Bluetooth attacks and vulnerabilities in Bluetooth are outlined in Sections 2.4, 2.5 and 2.6 respectively.
2.2 ANALYSES OF DIFFERENT BLUETOOTH VERSIONS
The primary work on developing Bluetooth technology started in 1994, when Ericsson began investigating possible ways of replacing the cables between accessories and mobile phones with wireless links [7], [8], [9]. The objective was to eliminate the cables between mobile telephones and PC cards, headsets, desktop devices, etc. Ericsson quickly realized the potential market for Bluetooth products, but worldwide cooperation was needed for the products to succeed [9]. Therefore, the Bluetooth SIG was founded in February 1998 by Ericsson, Nokia, IBM, Intel and Toshiba. 3Com, Lucent, Microsoft and Motorola joined the Bluetooth SIG in December 1999. These nine members of the Bluetooth SIG are known as the Bluetooth SIG Promoters. They are responsible for upper-level SIG administration, and for providing manpower to run the marketing, qualification and legal processes [7], [8], [10].
The first public version of the Bluetooth specification, Bluetooth 1.0A, was released in July 1999 [10], [11]. Many device manufacturers had difficulties in making their Bluetooth 1.0A compatible products interoperable. Therefore, the Bluetooth 1.0B specification [11] was released later in the same year (December 1999) to fix the interoperability problems.
Under Bluetooth 1.0B, two devices could get into an incompatible race condition during the initial link negotiation. The devices would execute the algorithm to generate the key, but each device would generate a different key. The problem revolves around timing [11]. Generating the correct key depends on which device initiates the conversation (the master) and how fast the responding device (the slave) replies to the master's communications. If the slave can process information faster than the master, the ensuing race condition can leave each device calculating that it is the master. Because of that error, the devices fail to generate matching keys.
The Bluetooth 1.1 specification was released in February 2001 [11], [12]. Bluetooth 1.1 rectifies this problem by more thoroughly defining the steps required for device authentication. Specifically, Version 1.1 requires that each device confirm its role in the master/slave relationship by reconciling and/or acknowledging which device initiated the interaction [11]. It fixed many errors that were found in the Bluetooth 1.0B specification and added support for unencrypted communication as well as support for RSSI (Received Signal Strength Indicator). RSSI is a measurement of the received radio signal strength that is used for controlling power in Bluetooth devices. It can also be used for Bluetooth positioning purposes, for example.
Besides that, under Bluetooth 1.0B, slave devices could not tell master devices how many slots could be used during communications. Bluetooth 1.1 fixes this problem by letting the slave communicate back to the master with information about the packet sizes. In Version 1.1, a slave can tell a master to send fewer (or more) slots per packet when necessary.
The Bluetooth 1.2 specification was released in November 2003 [11]. This version is backward-compatible with 1.1 and the major enhancements include the following:
- Faster connection and discovery.
- Adaptive frequency-hopping spread spectrum (AFH), which improves resistance to radio frequency interference by avoiding the use of crowded frequencies in the hopping sequence.
- Higher transmission speeds in practice than in 1.1, up to 721 kbit/s.
- Extended Synchronous Connections (eSCO), which improve the voice quality of audio links by allowing retransmissions of corrupted packets.
- Host Controller Interface (HCI) support for three-wire universal asynchronous receiver/transmitter (UART).
The Bluetooth 2.0+EDR (Enhanced Data Rate) specification [13] was released in November 2004. The main improvement was the introduction of EDR, which provides data rates of up to 3 Mb/s. The original Bluetooth data rate before EDR was 1 Mb/s. According to the Bluetooth SIG, EDR has the following effects on Bluetooth communication [13]:
- Three times faster transmission speed (up to 10 times in certain cases).
- Lower power consumption through a reduced duty cycle.
- Simplification of multilink scenarios due to more available bandwidth.
- Further improved BER (Bit-Error-Rate) performance.
New Bluetooth versions are backward-compatible with the older versions. Bluetooth 2.1+EDR was released in July 2007 [14]. It provides many improvements, such as:
- Encryption Pause Resume: Encryption Pause Resume will further enhance security by allowing encrypted links to change their encryption keys periodically. Master-slave role switches (Section 2.3 explains the master-slave relationship) will also be possible on an encrypted link.
- Extended Inquiry Response: Extended Inquiry Response will provide more information, such as the name of the device and a list of supported services, during the inquiry procedure, allowing better device filtering before the connection is established.
- Secure Simple Pairing (SSP): SSP radically improves the Bluetooth pairing experience by simplifying the pairing process from the user's point of view. It will also increase the strength of security by providing protection against both passive eavesdropping attacks and Man in the Middle (MITM) attacks (active eavesdropping attacks). The Bluetooth SIG expects that this feature will significantly increase the use of Bluetooth technology.
- Sniff Subrating: Sniff Subrating will further reduce the power consumption of Bluetooth devices. For example, it will increase the battery life of HID (Human Interface Devices) such as mice and keyboards by 3 to 10 times compared with the battery life of older Bluetooth HID devices.
- QoS improvements: QoS improvements will further enhance the quality of audio and video transmissions.
The Bluetooth SIG announced the release of Bluetooth high speed technology in April 2009 when it completed Bluetooth Core Specification Version 3.0 + HS (high speed) [15]. The v3.0 + HS enhancement to the Core Specification provides consumers with powerful wireless connections that are more robust and reliable than ever before. Features include [15], [16]:
- Power Optimization: by using the high speed radio only when it is needed, Bluetooth high speed reduces power consumption, which means a longer battery life for devices.
- Improved Security: the Generic Alternate MAC/PHY in Bluetooth high speed enables the radio to discover other high speed devices only when they are needed to transfer music, pictures or other data. Not only does this optimize power, but it also aids the security of the radios.
- Enhanced Power Control: limited drop-outs are now a reality. The enhanced power control of Bluetooth high speed makes power control faster and ensures limited drop-outs, reducing the consumer's experience of impacts from power. Users are now less likely to lose a headset connection even when the phone is in a coat pocket or deep inside a purse.
- Lower Latency Rates: Unicast Connectionless Data improves the customer experience of speed by lowering latency rates, sending small amounts of data more quickly.

Bluetooth 4.0 was released in 2010, and several new features were introduced in Bluetooth Core Specification v4.0. Bluetooth Low Energy (LE) was introduced in the Bluetooth 4.0 specification. Formerly known as Wibree and Ultra Low Power Bluetooth, LE is primarily designed to bring Bluetooth technology to coin-cell battery-powered devices such as medical devices and other sensors. The key technology goals of Bluetooth LE (compared with Bluetooth BR/EDR) include lower power consumption, reduced memory requirements, efficient discovery and connection procedures, short packet lengths, and simple protocols and services. The major areas of improvement are:
- Low Energy Physical Layer
- Low Energy Link Layer
- Enhancements to HCI for Low Energy
- Low Energy Direct Test Mode
- AES Encryption
- Enhancements to L2CAP for Low Energy
- Enhancements to GAP for Low Energy
- Attribute Protocol (ATT)
- Generic Attribute Profile (GATT)
- Security Manager (SM)
2.3 PRINCIPLES OF BLUETOOTH COMMUNICATION
Bluetooth devices that communicate with each other form a piconet [7], [8], [17], [19]. The device that initiates a connection is the piconet master. One piconet can have a maximum of seven active slave devices and one master device [7], [8], [17], [19]. A special case is Bluetooth 4.0, in which the number of piconet slaves is unlimited [6].
All communication within a piconet goes through the piconet master. A scatternet is formed when devices act as master or slave devices in multiple piconets at the same time [20]. Figure 1 illustrates the Bluetooth communication network.

Figure 1: Piconets with a single slave operation (a), a multi-slave operation (b) and a scatternet operation (c)
Source: https://developer.bluetooth.org/TechnologyOverview/Pages/Baseband.aspx
2.4 SPECIFICATION OF BLUETOOTH PROTOCOL
A Bluetooth protocol stack is illustrated in Figure 2 [14]. Protocols below the HCI are built into the Bluetooth microchip, and protocols above the HCI are located as part of the host device's software package [9]. An HCI is needed between the hardware and software protocols. The purpose of the HCI is to enable the manufacturer-independent combination of Bluetooth chips (Host Controller) and the actual host device. The HCI takes care of the secure communication between the host and the Bluetooth module [5].

Figure 2: Bluetooth protocol stack [14]
Baseband and LMP (Link Manager Protocol) together enable the physical RF connection. The LC (Link Controller) is a state machine that defines the current state of the Bluetooth device [21]. A Bluetooth device can be in low-power mode for saving batteries, in the connected state for normal piconet operation, or in the paging state for the master to bring new slaves into the piconet, for example. The LC has a pseudorandom number generation capability, methods for managing security keys, and the capability to provide the mathematical operations needed for authentication and encryption [21].
The LM (Link Manager) acts as a liaison between the application and the LC on the local device, and it also communicates with the remote LM via PDUs (Protocol Data Units) using the LMP. The LM communicates with three different entities during a Bluetooth session: the local host through the HCI, the local LC (local operations), and the remote LM (link configuration, link information, and link management operations) [7]. The PDU is acknowledged at the Baseband level, but it is acted upon by the LM. The local LM usually resides on the Bluetooth module as a complete host-module implementation. The remote LM can be defined as the LM at the other end of the Bluetooth link. The LM also has several commands for handling security issues [2].
SCO and eSCO links are used for transferring real-time two-way voice [20]. They are established directly at the Baseband level, so the overhead of upper-layer protocols does not cause any delays for real-time two-way voice connections. Four packet types have been defined for SCO links, whereas eSCO links support seven packet types. One of these 11 packet types, the SCO link's HV1 (High-quality Voice 1), is particularly interesting from the security point of view, because a single HV1 SCO link reserves all Bluetooth piconet resources and therefore makes various DoS (Denial-of-Service) attacks possible [20].
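The slot arithmetic behind that HV1 observation, as an added example (this is not code from the thesis): a small Python model of SCO slot reservation in a piconet. It assumes the T_SCO intervals of 2, 4 and 6 slots for HV1, HV2 and HV3 from the Bluetooth Core Specification, which the thesis does not state, and the slave labels are constructed; it shows that one HV1 link leaves no slots for ACL traffic while up to three HV3 links can coexist, which is the condition a piconet master or a monitoring tool could flag.

```python
"""Added example: SCO slot budget of a Bluetooth piconet (not thesis code).

The piconet timeline is a sequence of 625 us slots alternating between
master-to-slave and slave-to-master transmission. A SCO link reserves one
slot in each direction every T_SCO slots. The T_SCO values below (HV1 = 2,
HV2 = 4, HV3 = 6 slots) are an assumption taken from the Bluetooth Core
Specification; the thesis itself only states that one HV1 link reserves the
whole piconet.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, List, Optional

SLOT_US = 625  # nominal slot length in microseconds

# Interval, in slots, between consecutive reserved slot pairs of each SCO type.
T_SCO: Dict[str, int] = {"HV1": 2, "HV2": 4, "HV3": 6}


@dataclass(frozen=True)
class ScoLink:
    slave: str         # constructed label for the slave holding the link
    packet_type: str   # "HV1", "HV2" or "HV3"


def sco_link_load(packet_type: str) -> Fraction:
    """Fraction of all piconet slots one SCO link of this type reserves."""
    # One master->slave slot plus one slave->master slot per T_SCO interval.
    return Fraction(2, T_SCO[packet_type])


def piconet_sco_load(links: Iterable[ScoLink]) -> Fraction:
    """Total fraction of piconet slots reserved by all SCO links."""
    return sum((sco_link_load(l.packet_type) for l in links), Fraction(0))


def can_admit(existing: Iterable[ScoLink], candidate: ScoLink) -> bool:
    """Admission check a master could apply: reserved slots may not exceed 100%."""
    return piconet_sco_load(list(existing) + [candidate]) <= 1


def reserve_slots(links: Iterable[ScoLink], horizon: int = 12) -> List[Optional[str]]:
    """Lay the links out on a slot timeline.

    Each link gets the lowest even offset D_SCO whose slots are still free
    (even slots are master transmissions). None marks a slot left over for
    ACL traffic to the other slaves. Raises ValueError when a link cannot be
    placed, which happens once the reserved fraction would exceed 1.
    """
    timeline: List[Optional[str]] = [None] * horizon
    for link in links:
        t = T_SCO[link.packet_type]
        for d in range(0, t, 2):
            wanted = [s for s in range(d, horizon) if (s - d) % t in (0, 1)]
            if all(timeline[s] is None for s in wanted):
                for s in wanted:
                    timeline[s] = link.slave
                break
        else:
            raise ValueError(f"no free SCO offset for {link}")
    return timeline


def starvation_report(links: Iterable[ScoLink], horizon: int = 12) -> dict:
    """Summarise how much of the piconet the SCO links leave for ACL data."""
    links = list(links)
    timeline = reserve_slots(links, horizon)
    free = timeline.count(None)
    return {
        "sco_load": piconet_sco_load(links),
        "acl_slots_free": free,
        "acl_window_us": free * SLOT_US,
        "acl_starved": free == 0,   # the DoS condition the thesis describes
    }


if __name__ == "__main__":
    # Constructed scenarios: a lone HV1 headset versus HV3 voice links.
    scenarios = {
        "single HV1": [ScoLink("headset", "HV1")],
        "three HV3": [ScoLink(f"slave{i}", "HV3") for i in range(3)],
        "one HV3": [ScoLink("slave0", "HV3")],
    }
    for name, links in scenarios.items():
        print(name, starvation_report(links))
    # A master that admits an HV1 link can no longer serve anything else.
    print("admit HV3 next to HV1:",
          can_admit([ScoLink("headset", "HV1")], ScoLink("x", "HV3")))
```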
The L2CAP (Logical Link Control and Adaptation Protocol) is a software module that normally resides on the host [22]. It fits upper-layer protocols to the Baseband and acts as a conduit for data on the ACL link between the Baseband and host applications. The L2CAP also offers CO (Connection-Oriented; from master to one slave and from slave to master) and CL (Connection-Less; from master to multiple slaves) services, and it is defined only for ACL links. Lower-layer protocols do not have to know how the layers above the L2CAP work, and vice versa. The L2CAP can initiate security procedures when a CO or a CL channel connection attempt is made [20].
The SDP (Service Discovery Protocol) is used to find the services of Bluetooth devices in range. RFCOMM (Radio Frequency Communication) emulates serial ports over the L2CAP, and therefore it is possible to use existing serial port applications via Bluetooth [22].
The OBEX (Object Exchange Protocol) is used to exchange objects, such as calendar notes, business cards and data files, between devices using the client-server model [21]. OBEX supports six simple and self-explanatory operations: Connect (choose your partner, negotiate capabilities and establish the connection), Disconnect (terminate the connection), Put (push objects to the server), Get (pull objects from the server), Abort (abort an object exchange that is in progress), and SetPath (set the server's directory path to a new value) [22].

The TCS (Telephony Control protocol Specification) binary defines the call control signaling for the establishment/release of speech and data calls between Bluetooth devices [22]. It also provides functionality for exchanging signaling information that is unrelated to ongoing calls. Many AT commands are also supported for transmitting control signals for telephony control.
The BNEP (Bluetooth Network Encapsulation Protocol) is used to provide networking capabilities for Bluetooth devices. It allows IP (Internet Protocol) packets to be carried in the payload of L2CAP packets [20]. IP is a network layer protocol in the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite. TCP and UDP (User Datagram Protocol) are the core transport layer protocols used in the TCP/IP protocol suite. PPP (Point-to-Point Protocol) can also be used to provide TCP/IP networking capabilities for Bluetooth devices, but it is slower, since it works over RFCOMM whereas BNEP works directly over the L2CAP, and therefore PPP is rarely used now [5].
2.5 ANALYSES OF MAIN TYPES OF BLUETOOTH ATTACKS
Over the years, Bluetooth technology has been used for various communication and computing purposes. In July 2010, Bluetooth 4.0 was released and, unlike other communication technologies, it is a zero-cost technology. A zero-cost technology implies that deploying the technology is free of royalty fees [3]. Although Bluetooth technology is evolving, experts are still unable to guarantee a high security level for Bluetooth-enabled devices. This issue arises because Bluetooth is a wireless communication: the communication medium is open, and thus there are no physical restrictions on transmitting or receiving communication signals.
Based on previous studies, there are many security threats to Bluetooth that are highly likely to affect the confidentiality of users' data. Security threats have been divided into nine different classes, which are explained in Table 1. Table 1 lists the classifications and some example attacks and methods.

A. Surveillance
Surveillance is used to obtain specific information about a device to assess possible
vulnerable vectors. Often, these tools and methods do not cause adverse effects to the target
device. These attacks take place because many computers, PDA, and cell phone models
ship with the same Bluetooth interface type. So its possible to determine the device model
and interface from this information. Attackers can use this service information to profile the
device and get information on potential vulnerable vectors [10].
B. Range Extension
The specifications for many wireless technologies restrict their range of operation.
The limits exist to prevent interference and to bound power usage. Extending a device's
range may violate U.S. Federal Communications Commission (FCC) rules, but an attacker can
use it to launch an attack from a distance. Bluetooone extends the range of a Bluetooth
interface far beyond the scope of the standard by attaching a high-gain antenna to a
standard Bluetooth radio, extending the range from metres to kilometres [10]. Directional
Yagi antennas are used for this purpose: they give the Bluetooth interface a narrow-angle,
long-range boost and allow many of the attacks listed in Table 1 to be conducted from a
discreet distance.
C. Obfuscation
Attackers can use obfuscation to gain a degree of anonymity when launching an attack.
For example, an attacker can masquerade as a device with another valid identity or create
an entirely fictitious identity. Bluetooth device addresses (BD_ADDRs) are assumed to be
unique, static identities. However, the bdaddr tool can change the device address on
certain Bluetooth chipsets by modifying the interface firmware. By permanently resetting
the interface's device address, bdaddr nullifies the assumption that the device address is
a unique identifier [10].

Attack Classification            Threats (example attacks, tools and methods)
Surveillance                     Blueprinting, bt_audit, redfang, War-nibbling, Bluefish,
                                 sdptool, Bluescanner, BTScanner
Range Extension                  BlueSniping, bluetooone, Vera-NG
Obfuscation                      bdaddr, hciconfig, Spooftooph
Fuzzer                           BluePass, Bluetooth Stack Smasher, BlueSmack, Tanya,
                                 BlueStab
Sniffing                         FTS4BT, Merlin, BlueSniff, HCIDump, Wireshark, Kismet
Denial of Service                Battery exhaustion, signal jamming, BlueSYN, Blueper,
                                 BlueJacking, vCardBlaster
Malware                          BlueBag, Caribe, CommWarrior
Unauthorized Direct Data Access  Bloover, BlueBug, BlueSnarf, BlueSnarf++, BTCrack,
                                 Car Whisperer, HeloMoto, btpincrack
Man In The Middle Attack         BT-SSP-Printer-MITM, BlueSpoof, bthidproxy
Table 1: Bluetooth Security Threats


2.6 VULNERABILITIES IN BLUETOOTH TECHNOLOGY
As mentioned earlier, Bluetooth 4.0 is the latest version of the technology. Recent
years have seen a drop in the number of reported hacking cases involving Bluetooth-enabled
devices, and this drop has been attributed to the release of Bluetooth 4.0 [3], which is
better equipped to prevent security breaches [5]. Unfortunately, Bluetooth versions 2.0
and 3.0 are still in regular use among many mobile users [3], and those users remain
vulnerable to attack. Even the latest version has its own limitations. These limitations
are tied to the protocol that every implementation must conform to: in order to comply
with it, the designer has to make compromises in the Bluetooth design that leave the
resulting system susceptible, and this situation is unavoidable. Every version of
Bluetooth is vulnerable to numerous cyber threats. Although Bluetooth 4.0 is claimed to
resolve some of the vulnerabilities of earlier versions, it remains prone to another type
of information breach, namely eavesdropping.
The Bluetooth SIG (Special Interest Group) added a new pairing scheme, Secure Simple
Pairing, in Bluetooth version 2.1 [5]; it was retained in versions 3.0 [5] and 4.0 [5].
When two devices intend to connect, each generates a public-private key pair, and the key
pairs together with the devices' input/output (I/O) capabilities, their unique addresses
and several random nonces are used to generate the link key [3]. One of the most important
properties is that even if an attacker guesses the passkey (PIN), the link key is not
compromised, because it is derived from the Diffie-Hellman shared secret rather than from
the passkey. Secure Simple Pairing consists of several phases whose aim is to generate the
link key that protects data transmission.
Secure Simple Pairing defines four association models, chosen according to the I/O
capabilities of the devices: Numeric Comparison, Just Works, Passkey Entry and Out of Band.
Pairing is the mechanism by which two Bluetooth devices establish a trusted connection,
but it does not by itself guarantee eavesdropping protection: in the Bluetooth 4.0 Low
Energy pairing procedure an eavesdropper who captures the pairing exchange can recover
the secret keys and unlock the protection they provide. Further, the Just Works model
provides no Man in the Middle (MITM) protection, so the keys distributed during pairing
(the Long-Term Key (LTK), the Connection Signature Resolving Key (CSRK) and the Identity
Resolving Key (IRK)) can end up shared with an attacker [3], [10]. A MITM attacker can then
capture and manipulate the data transmitted between the trusted devices.
Although Secure Simple Pairing paid much attention to security, several weaknesses
have been discovered, including a passive off-line guessing attack and active on-line
guessing attacks; with these attacks an adversary can impersonate an honest user with ease
[3]. The remainder of this section discusses the major threats that most affect the
functionality of Bluetooth devices.
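To make the role of the nonces and of the six-digit check value concrete, the following Python simulation is an added example, not code from the Bluetooth specification or from any real stack. It carries out the Secure Simple Pairing flow between two simulated devices (ECDH public-key exchange, nonce commitment, the check value g and link-key derivation with the f1, g and f2 constructions in the form the specification uses) and can insert a man-in-the-middle that relays two separate sessions. Assumptions: the NIST P-256 curve is used (SSP in versions 2.1 to 4.1 uses P-192; the message flow is the same), the check of the responder's commitment is shown in-line rather than as a separate message, and device addresses are made up. With Numeric Comparison the two users see different check values under the attack and should refuse; under Just Works nothing is compared, and the attacker ends up holding both link keys.

```python
"""Secure Simple Pairing in miniature: ECDH key exchange, nonce commitment,
numeric-comparison check value and link-key derivation, with an optional
man-in-the-middle relaying two sessions.  Illustrative only."""
import hashlib
import hmac
import secrets

# NIST P-256 parameters.  Assumption: SSP in Bluetooth 2.1 to 4.1 uses P-192 and
# Secure Connections uses P-256; the message flow is identical for either curve.
PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A_COEFF = PRIME - 3
B_COEFF = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GEN = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
       0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A_COEFF * x + B_COEFF)) % PRIME == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEFF) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; fine for a simulation)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def new_device(addr):
    sk = secrets.randbelow(ORDER - 1) + 1
    return {"sk": sk, "pk": ec_mul(sk, GEN), "addr": addr}


def _coord(n):
    return n.to_bytes(32, "big")


def f1(u, v, x, z):
    """Commitment to nonce x over both public-key X coordinates (HMAC-SHA-256, 128 bits)."""
    return hmac.new(x, _coord(u) + _coord(v) + bytes([z]), hashlib.sha256).digest()[:16]


def g(u, v, x, y):
    """Six-digit value shown to both users in Numeric Comparison."""
    digest = hashlib.sha256(_coord(u) + _coord(v) + x + y).digest()
    return int.from_bytes(digest[-4:], "big") % 1_000_000


def f2(dhkey, n1, n2, a1, a2):
    """Link key from the ECDH secret, both nonces and both addresses (keyID 'btlk')."""
    return hmac.new(_coord(dhkey), n1 + n2 + b"btlk" + a1 + a2, hashlib.sha256).digest()[:16]


def ssp_session(init, resp):
    """One pairing run.  Returns (check value, initiator link key, responder link key)."""
    if not (on_curve(init["pk"]) and on_curve(resp["pk"])):
        raise ValueError("peer public key is not on the curve")
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    commit = f1(resp["pk"][0], init["pk"][0], nb, 0)   # responder commits before seeing Na
    # Na is then sent, Nb is revealed, and the initiator checks Nb against the commitment.
    if commit != f1(resp["pk"][0], init["pk"][0], nb, 0):
        raise ValueError("commitment check failed")
    check = g(init["pk"][0], resp["pk"][0], na, nb)
    lk_init = f2(ec_mul(init["sk"], resp["pk"])[0], na, nb, init["addr"], resp["addr"])
    lk_resp = f2(ec_mul(resp["sk"], init["pk"])[0], na, nb, init["addr"], resp["addr"])
    return check, lk_init, lk_resp


def pair(a, b, model, attacker=None):
    """model: 'numeric' (users compare the six digits) or 'justworks' (nothing shown)."""
    if attacker is None:
        va, lk_a, lk_b = ssp_session(a, b)
        vb, mitm_keys = va, None
    else:  # the attacker runs two sessions and relays between them
        va, lk_a, lk_m1 = ssp_session(a, attacker)   # A believes it is talking to B
        vb, lk_m2, lk_b = ssp_session(attacker, b)   # B believes it is talking to A
        mitm_keys = (lk_m1, lk_m2)
    accepted = (va == vb) if model == "numeric" else True
    return {"va": va, "vb": vb, "accepted": accepted,
            "lk_a": lk_a, "lk_b": lk_b, "attacker_keys": mitm_keys}
```

Calling pair(a, b, "justworks", attacker=m) returns the two victims' link keys together with the attacker's copies of them, which is exactly the MITM condition described above; the same call with "numeric" yields two check values that almost certainly differ, because the responder's commitment binds its nonce before the initiator's nonce is revealed, so the attacker cannot steer the two sessions to the same six digits.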
Bluejacking. Bluejacking falls under the category of denial-of-service attacks [3]. The
attacker does not take control of the victim's phone; instead, he sends anonymous,
unsolicited messages to users of nearby Bluetooth-enabled devices over Bluetooth [8],
typically in the name field of a pushed business card. The message itself does no harm to
the consumer device, but it is designed to attract the consumer into responding in some
fashion or adding a new contact to the device's address book. Such offensive messages
resemble the spam and phishing attacks carried out against e-mail users, and bluejacking
becomes harmful when consumers start responding to a message that was sent with malicious
intent.
Bluesnarf. Bluesnarf attacks use Bluetooth to access restricted areas of a consumer
device without the owner's knowledge, in order to capture data such as contacts, images,
the lists of missed, received and dialled calls, calendars, business cards and the device's
International Mobile Equipment Identity (IMEI) [6], [8]. Bluesnarfing works through the
Object Exchange (OBEX) Push Profile, a built-in Bluetooth function for exchanging
electronic business cards. The vulnerability exists because of the way the OBEX Push
Profile was implemented in a number of early Bluetooth phones: the implementation did not
require confirmation from the device attempting to communicate with it, so an attacker
could pull known files, such as the phone book, over the push channel.
Bluebugging. In this attack, the attacker reads data on a Bluetooth-enabled mobile
phone, eavesdrops on conversations and even sends executable commands to the phone to
initiate calls, send text messages, connect to the Internet, and more [8].

Table 2 shows each Bluetooth attack and the area of the Bluetooth protocol it targets.

TYPE OF ATTACK                                                  TARGET AREA IN PROTOCOL
Bluejacking: sends anonymous messages to another device         Object Exchange protocol (OBEX)
  without approval or authorization.
BlueSnarf: uses the OBEX Push service, which is commonly        Object Exchange protocol (OBEX)
  used to exchange business cards, to obtain read access to
  a vulnerable device, giving the attacker the phone book and
  calendar without authentication.
BlueBump: exploits a weakness in the handling of Bluetooth      A loophole in the initialization
  link keys, giving devices that are no longer authorized the   stage of the Bluetooth
  ability to access services as if they were still paired.      communication protocol
BlueSmack: a Denial of Service (DoS) attack that can be         L2CAP layer
  performed with standard tools such as the Linux BlueZ utils
  package.
BlueDumping: causes a Bluetooth device to 'dump' its stored     A loophole in the initialization
  link key, creating an opportunity to sniff the subsequent     stage of the Bluetooth
  key exchange.                                                 communication protocol
BlueChop: disrupts an established Bluetooth piconet using a     A loophole in the initialization
  device that is not participating in the piconet; a            stage of the Bluetooth
  precondition is that the piconet master supports multiple     communication protocol
  connections.
BlueSpam: finds other Bluetooth-enabled devices and sends a     Object Exchange protocol (OBEX)
  file to them (spams them).
Table 2: Bluetooth Attacks and the Affected Area of the Bluetooth Protocol

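Bluejacking and bluesnarfing, and the first, second and last rows of Table 2, all ride on the OBEX Object Push Profile (OPP). The following Python code is an added example, not taken from any phone firmware or from the cited sources: a small OBEX request builder and parser, followed by the acceptance policy a hardened Object Push server should apply. The packets are constructed here: a pushed vCard whose name field carries a bluejack message, a GET for the named object telecom/pb.vcf of the kind BlueSnarf relied on, and the legitimate business-card pull. The policy asks the user before accepting any push, serves a GET that carries only a Type header (the owner's own card) and refuses any named pull. The opcode and header encodings follow the OBEX specification; the size limit and the decision strings are assumptions.

```python
"""Minimal OBEX request builder/parser plus an Object Push Profile server policy
that requires user confirmation for pushes (the bluejack vector) and refuses the
named GET that BlueSnarf used.  All packets below are constructed, not captured."""
import struct

# Opcodes with the final bit (0x80) stripped; CONNECT and DISCONNECT always carry it.
OPCODES = {0x00: "CONNECT", 0x01: "DISCONNECT", 0x02: "PUT", 0x03: "GET",
           0x05: "SETPATH", 0x7F: "ABORT"}
HEADERS = {0x01: "Name", 0x42: "Type", 0x46: "Target", 0x48: "Body",
           0x49: "EndOfBody", 0xC3: "Length", 0xCB: "ConnectionID"}
MAX_PUSH_BYTES = 64 * 1024          # assumed server limit for one pushed object


def _encode_header(hid, value):
    kind = hid & 0xC0               # the top two bits select the encoding
    if kind == 0x00:                # null-terminated UTF-16BE text, 2-byte total length
        data = value.encode("utf-16-be") + b"\x00\x00"
        return bytes([hid]) + struct.pack(">H", len(data) + 3) + data
    if kind == 0x40:                # byte sequence, 2-byte total length
        return bytes([hid]) + struct.pack(">H", len(value) + 3) + value
    if kind == 0x80:                # single byte
        return bytes([hid, value])
    return bytes([hid]) + struct.pack(">I", value)   # 0xC0: four-byte value


def build_request(opcode, headers, extra=b""):
    """opcode carries the final bit when the request is complete (0x82 = final PUT)."""
    body = extra + b"".join(_encode_header(h, v) for h, v in headers)
    return bytes([opcode]) + struct.pack(">H", len(body) + 3) + body


def parse_request(pkt):
    """Return opcode name, final flag and a header dict; reject inconsistent lengths."""
    opcode = pkt[0] & 0x7F
    if struct.unpack(">H", pkt[1:3])[0] != len(pkt):
        raise ValueError("OBEX length field does not match packet size")
    pos = 3
    if opcode == 0x00:              # CONNECT: version, flags, max packet length
        pos += 4
    elif opcode == 0x05:            # SETPATH: flags, constants
        pos += 2
    headers = []
    while pos < len(pkt):
        hid = pkt[pos]
        kind = hid & 0xC0
        if kind in (0x00, 0x40):
            hlen = struct.unpack(">H", pkt[pos + 1:pos + 3])[0]
            if hlen < 3 or pos + hlen > len(pkt):
                raise ValueError("bad header length")
            raw = pkt[pos + 3:pos + hlen]
            value = raw.decode("utf-16-be").rstrip("\x00") if kind == 0x00 else raw
            pos += hlen
        elif kind == 0x80:
            value, pos = pkt[pos + 1], pos + 2
        else:
            value, pos = struct.unpack(">I", pkt[pos + 1:pos + 5])[0], pos + 5
        headers.append((HEADERS.get(hid, f"0x{hid:02X}"), value))
    return {"opcode": OPCODES.get(opcode, f"0x{opcode:02X}"),
            "final": bool(pkt[0] & 0x80), "headers": dict(headers)}


def opp_policy(req):
    """Decide what an Object Push server should do with a parsed request."""
    h = req["headers"]
    mime = h.get("Type", b"").rstrip(b"\x00").decode("ascii", "replace")
    if req["opcode"] in ("CONNECT", "DISCONNECT", "ABORT"):
        return "accept"
    if req["opcode"] == "PUT":
        if h.get("Length", 0) > MAX_PUSH_BYTES:
            return "reject: object too large"
        # A bluejack is a well-formed push whose Name/Body carries the message, so the
        # only defence is to show it to the user and require an explicit accept.
        return "ask-user: incoming object %r (%s)" % (h.get("Name", ""), mime or "unknown type")
    if req["opcode"] == "GET":
        if "Name" in h:             # BlueSnarf: pull telecom/pb.vcf etc. over the push channel
            return "reject: named object pull is not part of OPP"
        if mime == "text/x-vcard":
            return "accept: owner's business card only"
        return "reject: unsupported pull"
    return "reject: browsing is not offered by OPP"


# Constructed sample traffic.
VCARD = b"BEGIN:VCARD\r\nN:Hello from the next table\r\nEND:VCARD\r\n"
BLUEJACK = build_request(0x82, [(0x01, "Hello from the next table.vcf"),
                                (0x42, b"text/x-vcard\x00"), (0xC3, len(VCARD)),
                                (0x49, VCARD)])
SNARF = build_request(0x83, [(0x01, "telecom/pb.vcf"), (0x42, b"text/x-vcard\x00")])
CARD_PULL = build_request(0x83, [(0x42, b"text/x-vcard\x00")])
```

Run against the three constructed packets, the parser exposes the bluejack text sitting in the Name header of an otherwise ordinary push, and the policy turns the two abuses into a user prompt and a refusal respectively while still serving the one pull OPP defines.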
The Bluetooth standard specifies three basic security services, as discussed in [6],
[8]. Confidentiality ensures that only authorized devices can access and read data; it
prevents information compromise through eavesdropping. Authentication verifies the
identity of the communicating devices; note that Bluetooth authenticates devices, not
users, since user authentication is not provided natively. Authorization controls access
to resources by ensuring that a device is authorized to use a service before it is
permitted to do so.
With all of these Bluetooth hacking methods available, users may wonder whether they
should use Bluetooth at all. In many cases the answer is yes, provided proper security is
in place. Bluetooth is a useful technology with many practical applications, and in
general devices with properly configured security settings are safe from most Bluetooth
threats. Most weaknesses come from lax default security settings, poor software
development practices and users' lack of understanding of Bluetooth security [10].
Bluetooth security also has several systemic problems that cannot be fully mitigated
[10]. Because data is transmitted wirelessly, a third party within range can monitor it.
Furthermore, Bluetooth does not rely on a centralized communication medium like the
Internet, so no third party can verify device addresses, names or classes; users themselves
are responsible for device security. Many low-resource devices add to the problem because
they cannot install updates or patches. Users must therefore consider these systemic
problems before deploying Bluetooth [10].
Organizations and individual users should apply countermeasures that address the
specific threats and vulnerabilities of Bluetooth networks. The primary countermeasure is
an adequate level of knowledge and understanding among those who deal with
Bluetooth-enabled devices. Organizations using Bluetooth technology should design and
document security policies that address the use of Bluetooth-enabled devices and the
responsibilities of the user, and should provide awareness-based education to help staff
improve their understanding of Bluetooth [3], [6], [10].
However, with so many Bluetooth users around the world, it is impossible to ensure that
every user is sufficiently educated about Bluetooth security, so a more secure Bluetooth
protocol is needed to help users eliminate these attacks.

CHAPTER 3

METHODOLOGY
3.1 INTRODUCTION
The previous chapter reviewed the literature and the prior work on vulnerabilities in
Bluetooth. This chapter describes and explains the methodology used in this study. Each
step of the methodology is briefly defined to give readers a better understanding of the
research.
3.2 RESEARCH METHODOLOGY
The research methodology framework shown in Figure 3 was developed from the literature
review and the research problems. It shows the steps involved from the beginning to the
end of the research. The framework begins with (i) research and data collection, followed
by (ii) proof that an attack may occur, (iii) demonstration of the existence of
vulnerabilities, (iv) a proposed enhancement to Bluetooth security and, last but not
least, (v) proof that the enhancement works. The methodology of this project follows this
framework in order to obtain real data and find a new solution.


Figure 3: General Steps in Research Methodology
I. Research and collecting data
Surveying and collecting data is the first phase of this research. The researcher draws
on journals, conference papers and reliable websites. In this phase all the information is
analysed to make sure that everything needed for the research has been gathered. The
crucial part of this step is to identify the problems in the Bluetooth architecture that
enable the attacks.
II. Proof that an attack may occur
The second step of this project is to show that the attacks are possible, based on the
information collected. This is a critical step, because the existing attacks need to be
analysed. Several Bluetooth hacking tools are available and can be used in this step:
a) BTScanner
b) Bluesnarfer
c) Bluediving
d) TBEAR - Transient Bluetooth Environment auditor
e) BTCrack
f) Blooover
g) Wireshark

III. Show the existence of vulnerabilities
In this part, the existence of the vulnerabilities is shown using OPNET simulation, and
the affected areas of the Bluetooth security mechanisms and protocol are identified.
IV. Propose an enhancement in the Bluetooth security
In this part, a diagram or algorithm is proposed as an enhancement to the Bluetooth
security mechanisms or protocol. This step is crucial in obtaining a reliable result.
V. Proof the enhancement is working
In this part, OPNET simulation is used to model the Bluetooth environment and to show
that the enhancement proposed in the previous step works.
3.3 BLUETOOTH SIMULATION MODEL SUITE (SUITETOOTH)
OPNET Modeler is used for all network simulations. OPNET Modeler is a communication
system simulator developed by OPNET Technologies that assists with the design and testing
of communication protocols and networks by simulating network performance in wired and
wireless environments. For Bluetooth, the Bluetooth Simulation Model Suite (Suitetooth)
is an open, modular framework for advanced PAN network performance engineering. Built for
the OPNET simulation environment, the Suitetooth models let users predict performance
characteristics and study behavioural interaction for personal area network applications
that use both existing and emerging wireless technologies. The suite includes component
models for the RF, Baseband and L2CAP sub-layers, with additional provisions for LMP,
ISM-band coexistence and traffic-source modelling [5].
REFERENCES

[1] A. J. Solon, M. J. Callaghan, J. Harkin and T. M. McGinnity, "Case Study on the
Bluetooth Vulnerabilities in Mobile Devices," vol. 6, no. 4, pp. 125-129, 2006.
[2] J. Xu, T. Zhang, D. Lin, Y. Mao, X. Liu, S. Chen, S. Shao, B. Tian and S. Yi,
"Pairing and Authentication Security Technologies in Low-Power Bluetooth," 2013 IEEE
Int. Conf. on Green Computing and Communications, IEEE Internet of Things and IEEE
Cyber, Physical and Social Computing, pp. 1081-1085, Aug. 2013.
[3] A. Evesti, J. Suomalainen and R. Savola, "Security risks in the short-range
communication of ubiquitous application," 2013 IEEE Third Int. Conf. on Information
Science and Technology, pp. 612-617, Dec. 2013.
[4] S. Sandhya and K. A. S. Devi, "Analysis of Bluetooth threats and v4.0 security
features," 2012 Int. Conf. on Computing, Communication and Applications (ICCCA),
pp. 1-4, Feb. 2012.
[5] D. Harris and M. Roberts, "Quantifying Bluetooth Piconet Mutual Interference,"
pp. 1-6.
[6] National Institute of Standards and Technology, Computer Security Division,
superseded draft of its Bluetooth security publication (cover note: "The attached DRAFT
document (provided here for HISTORICAL purposes) has been superseded by the following
publication"), 2012.
[7] I. Puy, "Bluetooth," Hochschule Furtwangen University, pp. 1-20, 2008.
[8] "Our History | Bluetooth Technology Website." [Online]. Available:
http://www.bluetooth.com/Pages/History-of-Bluetooth.aspx. [Accessed: 23-May-2014].
[9] C. Bisdikian, "An Overview of the Bluetooth Wireless Technology," IBM Research
Report 22109, Yorktown Heights, June 2001.
[10] "15 Years of Bluetooth Technology | Bluetooth Technology Website." [Online].
Available: http://www.bluetooth.com/Pages/15-Years-of-Bluetooth-Technology.aspx.
[Accessed: 23-May-2014].
[11] "Bluetooth." [Online]. Available: http://blue-tooth.50webs.com/index.html.
[Accessed: 23-May-2014].
[12] Bluetooth SIG, Specification of the Bluetooth System 1.0A, vol. 1, 1999.
[13] Bluetooth SIG, Specification of the Bluetooth System, Master Table of Contents &
Compliance Requirements, vol. 0, Nov. 2004.
[14] Bluetooth SIG, Core Specification (EDR), Master Table of Contents & Compliance
Requirements, vol. 0, July 2007.
[15] "High Speed | Bluetooth Technology Website." [Online]. Available:
http://www.bluetooth.com/Pages/High-Speed.aspx. [Accessed: 26-May-2014].
[16] Bluetooth SIG, Core Specification (HS), Master Table of Contents & Compliance
Requirements, vol. 0, April 2009.
[17] "Bluetooth and Wi-Fi Wireless Protocols" (article accepted from open call),
pp. 12-26, Feb. 2005.
[18] C. Bisdikian, "An Overview of the Bluetooth Wireless Technology" (PDF), IBM
Corporation, 2001.
[19] "Inherent Security Issues," SANS Institute InfoSec Reading Room.
[20] N. B. I. Minar and M. Tarique, "Bluetooth Security Threats and Solutions: A
Survey," vol. 3, no. 1, 2012.
[21] P. K. Pendli, M. Schwarz, H. D. Wacker and J. Boercsoek, "Bluetooth for Safety
Systems," 2011.
[22] J. P. Dunning, "Taming the Blue Beast," IEEE Security & Privacy, vol. 8, no. 2,
pp. 20-27, 2010.
