You are on page 1of 19

CSE597a - Cell Phone OS Security

Bluetooth Security

William Enck
Prof. Patrick McDaniel

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 1
Removing the Wires
• Bluetooth provides short-range RF communication for devices
‣ Device-specific communication defined by a Bluetooth profile

• Many profiles exist


‣ Hands-free/Headset
‣ Phone Book Access
‣ Synchronization (SYNCH) (for PIM)
‣ Stereo audio
‣ Printing
‣ Dial-up Networking (DUN)
‣ Human Interface Device (HID)
‣ Personal Area Network (PAN)
‣ Serial Port
‣ etc ...
CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 2
Bluetooth Standards
• Transmission via frequency hopping in ISM band (2.4-2.4835 GHz)
‣ 3 classes of devices: 1: high (300ft), 2: medium (30ft), 3: low (3ft)

‣ 1 Mbps transfer (720 Kbps throughput) in older standards

‣ 3 Mbps transfer (2.1 Mbps throughput) with Enhanced Data Rate (EDR)

• Bluetooth 1.0 and 1.0B - interoperability problems between devices


• Bluetooth 1.1 - ratified as IEEE 802.15.1-2002
• Bluetooth 1.2 - new features (adaptive freq. hopping; improved audio)
• Bluetooth 2.0 (+EDR) - EDR is optional (November 2004)
• Bluetooth 2.1 (+EDR) - (July 2007)
‣ New pairing techniques

‣ Near Field Communication (NFC) cooperation for enhanced pairing


CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 3
Network Topologies
• Bluetooth allows both ad hoc and infrastructure mode (AP)
• In an ad hoc configuration:
‣ Bluetooth devices setup as master or slave
‣ A piconet has 1 master and up to 7 active (+255 inactive) slaves

• TDM allows a master of one piconet to act as a slave for


another -- known as a scatternet
scatternet
Master piconet
Slave

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 4
Protocol Stack
• Link Management Protocol (LMP) - keeps track of connected devices
• Audio/Visual (data and control) - AVCTP, AVDTP
• Logical Link Control & Adaption Protocol (L2CAP) - multiplexes logical connections
• Service Discovery Protocol (SDP) - finds devices, determines profile support
• Telephone Control Protocol (TCS)
• Radio Frequency Communications (RFCOMM) - cable replacement (RS-232)
‣ Object Exchange Protocol (OBEX)
• Used for OBEX Object Push Profile (OPP) TCP
and Synchronization Profile (SYNCH) vCard IP
‣ AT command interface OBEX PPP AT
SDP RFCOMM TCS
‣ PPP Interface
LMP L2CAP Audio
Baseband
Radio
CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 5
Security Modes
• Security Mode 1: No security (v2.0+EDR and earlier)
• Security Mode 2: Service-level security (v2.1+EDR and earlier)
‣ After LMP link establishment, but before L2CAP channel
‣ Security manager controls service access (apps register requirements)

• Security Mode 3: Link-level security (v2.0+EDR and earlier)


‣ Before LMP link establishment

• Security Mode 4: Service-level security (v2.1+EDR only)


‣ New pairing algorithm (Secure Simple Pairing)
‣ Uses Elliptic Curve Diffie Hellman (ECDH) for keys
‣ Security manager requirements can be:
authenticated link key, unauthenticated link key, no security
CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 6
Pairing (Creating Kinit)
• The PIN is used to create an initial key, Master Slave
Kinit, which is only used during the pairing (A) (B)
process Create IN_RAND
128bit random value
• The PIN is combined with an initial 128-bit IN_RAND

random value, which is created by the (broadcast)

master and broadcasted in plaintext to the

BD_ADDR

BD_ADDR
IN_RAND

IN_RAND
PIN

PIN
slave device
• Depending on the length of the PIN, a
Bluetooth Device Address (BD_ADDR) is E22 E22
used.

Kinit

Kinit
‣ If one device has fixed PIN, use BD_ADDR
of device with variable PIN
‣ If both variable, use BD_ADDR of slave

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 7
Pairing (Creating Kab)
Master (A) Slave (B)
• Kinit is then used along with Create LK_RANDA
128bit random value
Create LK_RANDB
128bit random value
two new random values to Kinit Kinit

established a shared link key, LK_RANDA


LK_RANDA XOR Kinit

Kab (broadcast)
LK_RANDB XOR Kinit
LK_RANDB

• Each devices create the link LK_RANDB LK_RANDA

random LK_RAND, XOR the


value with Kinit and broadcast

BD_ADDRB

BD_ADDRB
BD_ADDRA

BD_ADDRA
LK_RANDB

LK_RANDB
LK_RANDA

LK_RANDA
the ciphertext
• The peer device recovers
E21 E21 E21 E21
LK_RAND and uses two
instances of E21 to create Kab
Kab Kab

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 8
Device Authentication
• Finally, each device authenticates Verifier Claimant
its peer using a simple challenge (A) (B)
response protocol Create AU_RANDA
128bit random value
AU_RANDA
• The challenge is an 128bit random (broadcast)
value, AU_RANDA, which is

AU_RANDA

AU_RANDA
BD_ADDRB

BD_ADDRB
Kab

Kab
broacasted in clear text
• The E1 algorithm is used to create
E1 E1
the response, SRESA.

SRESA’
• If SRESA matches SRESA’, the

SRESA
32 bits 32 bits

claimant knows Kab Compare SRESA SRESA’


to SRESA’
• Devices swap roles for mutual (broadcast)

authentication.

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 9
Cryptographic Algorithms
• The three encryption algorithms (E22, E21,
and E1) are based on the SAFER+ block
cipher using 128 bit keys.
‣ Secure And Fast Encryption Routine
(SAFER)+ was submitted as a candidate for
AES in 1998
• Cryptanalysts significantly weakened the
E0 stream cipher
‣ No practical attacks yet.

• However, the PIN key space provides an


avenue for attack ...

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 10
Cracking the Bluetooth PIN
• What happens if an adversary is passively observing broadcasted
communications?
‣ IN_RAND (plaintext)

‣ LK_RANDA and LK_RANDB (XORed with Kinit)

‣ AU_RANDA and AU_RANDB (plaintext)

‣ SRESA and SRESB (plaintext)

• Adversary can guess a PIN, which results in


a hypothetical Kinit and resulting Kab.
• The adversary can test if a Kab corresponds
to the transmitted SRES values.
• Brute force the PIN!
‣ 4-digit PIN in 63 ms (with algorithm enhancements) on a P4, 3GHz
(each extra digit added an order of magnitude in recovery time)
CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 11
Re-Pairing Attack
• Fortunately, devices do not pair every time (save Kab)
• However, and adversary can actively manipulate the
authentication protocol to cause the devices to repair
‣ Send master “LMP_not_accepted” after AU_RAND request
• Indicates the slave forgot Kab

‣ Send IN_RAND to slave before master sends AU_RAND


• Can make slave think the master lost connection and Kab

‣ Inject random SRES to master in response to AU_RAND


• If repeated enough times, master reinitiates pairing

• If successful, the Bluetooth user must re-enter the PIN


‣ Be suspicious if this happens!
CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 12
New Pairing Algorithm
• Bluetooth v2.1+EDR introduced Secure Simple Pairing (SSP)
• Uses new algorithms (ECDH). PIN not used to create keys.
• Four association models:
‣ Numeric Comparison: Displays a 6-digit PIN on each device, user
answers “yes” or “no”.
‣ Passkey Entry: PIN shown on one device, entered on the other for
comparison (e.g., one has input capabilities and the other doesn’t).
‣ Just Works: Same as Passkey, but no input our output on one
device. User blindly accepts the connection.
‣ Out of Band (OOB): Uses NFC connection for pairing key.

• All but “Just Works” provides an authenticated key

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 13
Bluejacking
• Bluejacking is the practice of sending
unsolicited messages to a Bluetooth
device (e.g., a phone).

• Attack Vector: OBEX Push Profile (OPP)


(for business cards)

• Issue: The vCard transfer protocol tells the phone to prompt


the user to handle a new contact. An adversary can craft the
contact name with arbitrary text.

• Result: No damage can result, but users may be annoyed.

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 14
BlueSnarf
• BlueSnarf is one of the most famous Bluetooth attacks
‣ The vulnerability was identified independently
by Marcel Holtmann (September 2003) and
Adam Laurie (November 2003)
• Attack Vector: OBEX Push Profile (OPP)
‣ OPP is commonly used to exchange business cards and frequently
set up to not required authentication. Normally, this is fine.
• Issue: Some Bluetooth implementations allow the OBEX GET
command after an unauthenticated connection (for vCard)
• Result: An adversary can “get” known filenames such as ‘telecom/
pb.vcf’ (entire phone book) or ‘telecom/cal.vcs’ calendar
• Solution: firmware update for vulnerable devices
CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 15
BlueBug
• BlueBugging allows an attacker to take control of a phone

• Attack Vector: RFCOMM channels (provides RS-232 emulation)

• Issue: Some devices contain an unauthenticated


RFCOMM interface that provides an
AT command parser
• Result: An adversary can use the device to
make phone calls, send SMS messages, etc.
• Solution: firmware update for vulnerable devices

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 16
HeloMoto
• HeloMoto uses a combination of BlueSnarf and BlueBug attacks
• Issue: Some devices incorrectly implement the ‘trusted device’
handling (first seen on Motorola devices).
‣ Step 1: Establish an unauthenticated OBEX
connection as in BlueSnarf
‣ Step 2: Interrupt the sending process
• This leaves the attacker’s device in the list
of “trusted devices” on victim phone
‣ Step 3: Connect to the headset profile without
authentication and send AT commands
• Result: Same as BlueBug
• Solution: firmware update for vulnerable devices

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 17
BlueSmack
• BlueSmack disables some Bluetooth enabled devices, similar to
the ‘Ping of Death’ for Windows

• Attack Vector: L2CAP layer echo request

• Issue: Incorrect packet length handling


in some implementations

• Result: Using tools as simple as


‘l2ping -s 600’ (standard Linux BlueZ utility)
can shut off many iPaqs

• Solution: firmware update for vulnerable devices


CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 18
Attack Tools
• BackTrack live CD
‣ Also see http://trifinite.org/trifinite_stuff.html for more resources

• Scanning Tools
‣ bluez-utils (Linux)
‣ BlueSniff
‣ Redfang - finds “non-discoverable” devices

• Blooover II: BlueBug, HeloMoto, BlueSnarf, OBEX Object Push


• BTCrack (implements PIN brute force)
• Car Whisperer (headset PIN is usually 0000 or 1234)
• Bluetooth Sniping (over a mile)

CSE597a - Cellular Phone Operating Systems Security - Spring 2009 - Instructors McDaniel and Enck Page 19