Why Bluetooth? Bluetooth Technology

New technologies are swiftly becoming part of every aspect of human life. It's now impossible to imagine life without devices which a few years ago were only to be seen in sci-fi films.

Bluetooth technology first started being developed by Ericsson in 1994. In 1998 Ericsson, IBM, Nokia, Intel and Toshiba formed the SIG consortium, which developed the Bluetooth standard. Many mobile phones and computer peripherals are now equipped with Bluetooth, and some household appliance manufacturers have also adopted this technology as well.

Transceivers which make it possible to use Bluetooth with devices that were designed without Bluetooth capability are now available. They make it possible to connect a telephone to a stereo system in order to download MP3 files to the handset or to listen to MP3 files in the phone's memory. Bluetooth earphones, handsfree devices and car kits are just a few examples of the ways in which Bluetooth can be used.

Bluetooth is now widely implemented; this, combined with the novelty of the technology meant that hackers started to target Bluetooth and its potential vulnerabilities at the beginning of the new millennium. After all, hackers are always attracted to new, unresearched technologies. Groups such as @stack and shmoo were involved in Bluetooth research.

Bluetooth is also an object of interest for the antivirus industry, as worms can use this technology to spread. For example, Cabir, Lasco, Comwar — all these worms run under Symbian OS and spread via Bluetooth. Because of the ability to transmit files (including potentially malicious ones) Bluetooth vulnerabilities are of real interest.

Bluetooth was originally designed to eliminate wires connecting devices. For example, if you connect a mouse, a printer, a mobile phone and, say, a GPS receiver to a laptop using wires, the laptop is no longer really portable. In addition, the machine may not have enough ports to connect all the devices.

However, at some stage Bluetooth began to make inroads into the world of wireless local area networks. Some people believe that it could become a viable alternative to Wi-Fi. In my opinion, the technologies are complementary and although similar, they have different applications.

Bluetooth technology is based on piconets consisting of a master unit and up to seven slave units located within 10 meters of the master unit. Piconets can be united into scatternets. The master unit communicates with the slave units; there is no direct communication between slave units.

Bluetooth devices operate on an unlicensed frequency band between 2.4 to 2.4835 GHz. To avoid interference with other devices operating on the same band, the technology uses a frequency hopping algorithm with 1600 frequency hops per second.

The time during which devices operate in a certain frequency is called a time slot and is 625 microseconds in duration. Units in a piconet change frequency at the same time on command from the master unit, based on a pseudo-random hopping sequence. The frequency band is broken up into 79 channels spaced 1 MHz apart. Data is transmitted in frames, which can span 1, 3 or 5 slots.

There are two types of connection: ACL (asynchronous connectionless) and SCO (synchronous connection-oriented).

The first type of connection is used to transfer data that can be handled at any time. A slave unit can have only one ACL connection to the master unit.

The second link type is used for transferring data in real time, e.g. for transmitting voice data. A slave unit can have up to 3 SCO links with the main unit, each with a rate of 64 kb/sec.

The Bluetooth specification divides Bluetooth devices into three groups:

Most Bluetooth devices are Class 2 or Class 3.

The protocol stack looks like this:

Security Mechanisms

According to the specification, user information can be protected by encrypting transmitted data, while the access code and the packet header are transmitted over an unencrypted channel. Data is encrypted using the E0 stream cipher.

Attacks at the communication link level are therefore clearly possible.

Bluetooth can operate in one of three Security Modes:

Security Mode 1 – unprotected (no security) In this mode, no encryption or authentication is used, while the device itself operates in a non-discriminating, i.e. broadcasting (promiscuous) mode.

Security Mode 2 – application/service based (L2CAP) In this mode, once a connection is established, Security Manager performs authentication, thereby restricting access to the device.

Security Mode 3 – link-layer PIN authentification/ MAC address encryption. Authentication is performed prior to a connection be established. Although transparent encryption is used, even in this mode the device can be compromised.

Bluetooth security is based on the generation of keys using a PIN code, which can be 1 to 16 bytes in length. Most devices currently use 4-byte PINs. First, the E2 algorithm is used to generate a 16-byte Link Key based on the PIN code.

Then an Encryption Key based on the Link Key is calculated using the E3 algorithm.

The first key is used for authentication, the second for encryption.

The authentication process is as follows:

Types of Bluetooth Attack

BlueBug

This vulnerability allows an attacker to perform unauthorized actions on a Bluetooth-enabled device.

Under ideal conditions, a BlueBug attack takes only a few seconds. The distance from the victim's device to the attacker's device during the attack is limited by the transmitting power of class 2 Bluetooth radios, which is, as mentioned above, 10-15 meters. A directional antenna can be used in order to increase the range.

Since some telephones allow for the issue of AT commands, an attacker can perform the following actions:

Blueprinting : Blueprinting can be used for accessing the details of Bluetooth-enabled victim devices. As mentioned above, each Bluetooth device has a unique address. This address consists of 6 bytes (usually given in a form similar to that of MAC addresses MM:MM:MM:XX:XX:XX). The first three bytes of this address (the M-bytes) refer to the manufacturer of the chipset. Unfortunately, in the case of the remaining three bytes (the X-bytes), the situations is not as simple and it's not possible to identify the device model 100%.

All Bluetooth-enabled devices have a range of services. The list of services can be obtained via the service discovery protocol (SDP). The device can be queried which results in information in a specific format which can then be used to identify the device model.

BlueSmack : BlueSmack is a DoS attack that can be conducted using standard tools that are shipped with Linux Bluez. BlueSmack is similar to a well-known attack which was used to attack early versions of Microsoft Windows 95. At L2CAP level it's possible to request an echo from another Bluetooth device.

As with the ICMP ping, the idea of the L2CAP ping is also to check connectivity and to measure roundtrip time on an established link. With the help of the l2ping utility that ships with the standard BlueZ distributive, he user can specify the length of packets to be sent. To achieve the desired result, the -s option can be used to specify a size of about 600 bytes.

BlueSnarf : This is is probably the best known type of Bluetooth attack. The attacker uses the OBEX Push Profile (OPP), originally developed for exchanging business cards and other objects. In most cases this service does not require authentication. The BlueSnarf attack conducts an OBEX GET request for known filenames such as 'telecom/pb.vcf' (the phone book) or 'telecom/cal.vcs' (the calendar file). If firmware on the victim device has been incorrectly implemented, the attacker is able to gain access to all files on the victim device.

BlueSnarf++ : This attack is very similar to BlueSnarf. The main difference is the method used by an attacker to gain access to the victim device file system. BlueSnarf++ gives the attacker full read/write access via the OBEX Push Profile. If an OBEX FTP server is running on the device, a connection can be established via the OBEX Push service without pairing.

The attacker can view all files in the file system (using the ls command) or even delete files (the rm command). The attacker is also able to perform actions on any memory installed in the device, including memory extension cards such as Memory Stick or SD cards.

HelloMoto : This is a combination of BlueSnarf and BlueBug.

This attack exploits incorrect processing of 'trusted device' handling on some Motorola phones.

The attacker initiates a connection using the OBEX Push Profile and mimics sending a vCard. The send process is then interrupted, but the attacker's device remains on the trusted device list on the victim's phone. Using this entry on the trusted device list, the attacker is able to connect to the headset profile without authentication. Once a connection is established, the attacker is able to take control of the device by using AT commands.

BlueBump : This attack utilizes social engineering. The idea is to establish a trusted connection with the victim device. This can be achieved by sending a business card in order to make the recipient perform authentication. The attacker keeps the connection open but asks the victim to delete the link key for the attacker's device. The victim is not aware that the connection is still active. The attacker then requests re-generation of the link-key. As a result, the attacker's device gets a new entry on the list without authentification. The attacker then has access to the victim device until the key is deleted.

BlueDump attack : In this case the attacker needs to know the BDADDR of a set of paired devices. The attacker spoofs the address of one of the devices and connects to the other. Since the attacker has no link key, when the victim device requests authentication, the attacker's device will respond with an 'HCI_Link_Key_Request_Negative_Reply', which will, in some cases, cause the target device to delete its own link key and go into pairing mode.

BlueChop : The purpose of this attack is to disrupt an established piconet by using a device that is not part of the network. This attack is based on the fact that the master unit supports multiple connections that can be used to create an extended network (a scatternet). The attacker spoofs the address of a random device that is part of the piconet and links to the master unit, disrupting the piconet.