
An Analysis of Bluetooth Security

  1. An Analysis of Bluetooth Security. Team A: Padmaja Sriraman, Padmapriya Gudipati, Sreenivasulu Lekkala

  2. Introduction • Short-range radio technology with its own wireless protocol stack, operating in the 2.4 GHz ISM band. • Range up to about 100 metres for Class 1 devices (Class 2 devices, the common case for phones and headsets, reach about 10 metres). • Devices form a piconet of up to 8 active devices in a master–slave relationship: one master and up to seven slaves. • Developed by the Bluetooth Special Interest Group (SIG).

  3. Types of keys • Link keys – semi-permanent link keys: unit key, combination key – temporary link keys: initialization key, master key • Ciphering keys: encryption key, constrained encryption key, payload key

  4. Security Architecture • Generation of initialization key • Authentication • Generation of link key • Link key exchange • Generation of encryption key

  5. Key Pairing • Generation of initialization key: the function E22, built on the SAFER+ block cipher, takes the Bluetooth device address (BD_ADDR) of one unit, the PIN (pass-key), the PIN length and a 128-bit random number IN_RAND that is sent in clear, and produces K_init. • Authentication: a challenge-response scheme using E1, also built on SAFER+; the claimant proves knowledge of the link key without sending it. • Link key generation: one of the semi-permanent key types (unit key or combination key) is generated. • Link key exchange: the generated key, or each unit's random contribution to it, is exchanged over the air XORed with the current link key (K_init during pairing). • Generation of encryption key: the ciphering key K_C is derived from the link key with E3 and used to encrypt the payload.

  6. Modes of Operation • Mode 1 – No security. Authentication and encryption are never initiated. • Mode 2 – Service-level enforced security. Security procedures are initiated after the L2CAP channel is established, so policy can differ per service. • Mode 3 – Link-level enforced security. Authentication and encryption are initiated before the link setup completes and are based on the link keys. • Mode 4 – Service-level enforced security like Mode 2, but using Secure Simple Pairing (Bluetooth 2.1 and later), which replaces the PIN-derived keys with an Elliptic Curve Diffie-Hellman key agreement.

  7. Eavesdropping • An attacker within radio range can read and change the payload • Trivial when the link is not encrypted • Frequency hopping is often cited as a mitigation: Bluetooth uses the licence-free 2.4 GHz ISM band and hops between channels in a pseudo-random order, which makes the signal harder to pick up with a simple receiver • Caveat: the hop sequence is derived from the master's device address and clock, not from a secret, so hopping raises the cost of eavesdropping but is no substitute for encryption

  8. Impersonation • The receiver wants assurance that data really comes from the original sending party • An attacker impersonating the sending unit must give the correct response to the authentication challenge, which requires the link key • Not easy: no practical attack on SAFER+ is known • Changing the payload data is a different matter • Easy if there is no encryption: modify the data and recompute the CRC • Even with encryption it remains possible, because the CRC is a linear function and E0 is a stream cipher: a bit flipped in the ciphertext flips the same bit in the plaintext, and the attacker can compute the matching change to the encrypted CRC from the modification alone, without the key • Encryption therefore gives confidentiality but no integrity protection
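The CRC-fixing trick from the last slide, worked through as an added example (it is not from the original presentation). It uses a bit-serial CRC-16 with the CCITT polynomial and SHA-256 in counter mode as a stand-in for the E0 stream cipher; the key, CRC init value, payload and the device names are all constructed for the example. The attacker never sees the key: it XORs a chosen difference into the encrypted payload and XORs the CRC of that difference into the encrypted CRC, which works because the CRC register update is linear over GF(2).

```python
import hashlib
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc16(data: bytes, init: int = 0, poly: int = 0x1021) -> int:
    """Bit-serial CRC-16 (CCITT polynomial, no final XOR).
    The register update is GF(2)-linear in (init, data); that linearity is
    exactly what the attacker exploits in forge() below."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in for the E0 stream cipher: SHA-256 in counter mode (assumption,
    not the real cipher). Only the XOR-with-keystream structure matters."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def encrypt_frame(key: bytes, payload: bytes, crc_init: int) -> bytes:
    """Sender: append the CRC to the payload, then XOR payload+CRC with keystream."""
    frame = payload + crc16(payload, crc_init).to_bytes(2, "big")
    return xor(frame, keystream(key, len(frame)))


def decrypt_frame(key: bytes, ciphertext: bytes, crc_init: int):
    """Receiver: strip the keystream, split payload and CRC, return (payload, crc_ok)."""
    frame = xor(ciphertext, keystream(key, len(ciphertext)))
    payload, received_crc = frame[:-2], int.from_bytes(frame[-2:], "big")
    return payload, received_crc == crc16(payload, crc_init)


def forge(ciphertext: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the encrypted payload and repair the encrypted CRC
    without knowing the key or even the CRC init value.
    Linearity gives crc(init, m ^ d) = crc(init, m) ^ crc(0, d), so the
    correction term depends only on the chosen delta."""
    n = len(ciphertext) - 2
    delta = delta.ljust(n, b"\x00")[:n]          # same length as the payload
    new_payload_ct = xor(ciphertext[:n], delta)
    correction = crc16(delta, 0).to_bytes(2, "big")
    new_crc_ct = xor(ciphertext[n:], correction)
    return new_payload_ct + new_crc_ct


def demo():
    key = os.urandom(16)          # constructed session key, unknown to the attacker
    crc_init = 0x47               # constructed; in Bluetooth the CRC init comes from the UAP
    payload = b"PAY 0100 TO BOB"  # constructed sample payload
    ct = encrypt_frame(key, payload, crc_init)

    # The attacker wants "0100" to become "9100": flip the bits that differ in byte 4.
    delta = b"\x00" * 4 + bytes([ord("0") ^ ord("9")])
    forged = forge(ct, delta)
    naive = xor(ct[:-2], delta.ljust(len(ct) - 2, b"\x00")) + ct[-2:]  # same flip, CRC untouched

    return decrypt_frame(key, forged, crc_init), decrypt_frame(key, naive, crc_init)


if __name__ == "__main__":
    (forged_payload, forged_ok), (naive_payload, naive_ok) = demo()
    print(forged_payload, forged_ok)   # b'PAY 9100 TO BOB' True
    print(naive_payload, naive_ok)     # b'PAY 9100 TO BOB' False
```

The naive flip is detected because the CRC no longer matches; the forged frame passes the check even though nobody with the key touched it. The fix is a keyed integrity check (a MAC) rather than a CRC, which is what later Bluetooth versions add with AES-CCM in Secure Connections.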

  9. Combination key generation (figure). Notation: K = current link key; K_AB = combination key.

  10. Pairing • Pairing is prone to attack if it is done in a public place where the exchange can be recorded • The current link key used to generate the combination key K_AB is the initialization key, derived as K_INIT = E22(BD_ADDR_A, IN_RAND, PKEY) (together with the pass-key length) • PKEY is the secret pass-key (PIN); BD_ADDR_A and IN_RAND are sent in clear • An attacker who can guess PKEY recomputes K_INIT and, from the recorded exchange, the combination key • If PKEY is short, guessing it is easy

  11. Authentication (challenge-response). Verifier sends AU_RAND to the claimant with address BD_ADDR_B; the claimant replies with SRES = E1(K_AB, AU_RAND, BD_ADDR_B); the verifier calculates SRES' the same way and succeeds if SRES' == SRES. • If PKEY is small, an attacker who recorded the pairing and authentication messages can try every possible value of PKEY and stop when the recomputed SRES' matches the observed SRES • Short pass-key values should be avoided
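Slides 5, 9, 10 and 11 together describe one procedure, so here is one added example that runs all of it end to end: pairing with a PIN, the combination-key exchange XORed with K_init, the challenge-response, and then the passive attack the slides warn about. This is example code written for this page, not from the presentation; HMAC-SHA256 stands in for the SAFER+-based E21/E22/E1 functions (an assumption that changes none of the message flow), and the device addresses and PIN are constructed. The structure of the attack is the published Bluetooth PIN-cracking attack of Shaked and Wool (2005): an eavesdropper who recorded IN_RAND, the two XORed LK_RAND values, AU_RAND and SRES tries every PIN offline.

```python
import hashlib
import hmac
import itertools
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based E21/E22/E1 functions: HMAC-SHA256
    truncated to 128 bits (assumption; the real functions differ, the
    message flow does not)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def e22(bd_addr: bytes, in_rand: bytes, pin: bytes) -> bytes:
    """Initialization key K_init from device address, IN_RAND, PIN and PIN length."""
    return prf(in_rand, bd_addr, pin, bytes([len(pin)]))


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One unit's contribution to the combination key."""
    return prf(lk_rand, bd_addr)


def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Authentication response SRES (32 bits in Bluetooth)."""
    return prf(link_key, au_rand, bd_addr)[:4]


def pair_and_authenticate(pin: bytes, bd_addr_a: bytes, bd_addr_b: bytes, rng=os.urandom):
    """Legacy pairing + authentication between units A and B.
    Returns K_AB and a transcript of everything that went over the air."""
    in_rand = rng(16)                            # sent in clear by A
    k_init = e22(bd_addr_a, in_rand, pin)        # both sides derive this from the PIN

    # Combination key: each side picks LK_RAND and sends it XORed with the current
    # link key (K = K_init here); K_AB = E21(LK_RAND_A, A) XOR E21(LK_RAND_B, B).
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    msg_a, msg_b = xor(lk_rand_a, k_init), xor(lk_rand_b, k_init)
    k_ab = xor(e21(lk_rand_a, bd_addr_a), e21(lk_rand_b, bd_addr_b))

    # Authentication: A (verifier) challenges B (claimant) with AU_RAND.
    au_rand = rng(16)
    sres = e1(k_ab, au_rand, bd_addr_b)

    transcript = {"in_rand": in_rand, "msg_a": msg_a, "msg_b": msg_b,
                  "au_rand": au_rand, "sres": sres}
    return k_ab, transcript


def crack_pin(transcript: dict, bd_addr_a: bytes, bd_addr_b: bytes, pin_len: int = 4):
    """Passive attacker: replay the whole derivation for every candidate PIN and
    accept the one whose recomputed SRES' equals the observed SRES."""
    for digits in itertools.product("0123456789", repeat=pin_len):
        guess = "".join(digits).encode()
        k_init = e22(bd_addr_a, transcript["in_rand"], guess)
        lk_rand_a = xor(transcript["msg_a"], k_init)   # undo the XOR with K_init
        lk_rand_b = xor(transcript["msg_b"], k_init)
        k_ab = xor(e21(lk_rand_a, bd_addr_a), e21(lk_rand_b, bd_addr_b))
        if e1(k_ab, transcript["au_rand"], bd_addr_b) == transcript["sres"]:
            return guess, k_ab
    return None, None


# Constructed 48-bit device addresses for the example.
BD_ADDR_A = bytes.fromhex("001122334455")
BD_ADDR_B = bytes.fromhex("66778899aabb")


def demo(pin: bytes = b"4711"):
    """Pair with a short numeric PIN, then recover PIN and K_AB from the transcript."""
    k_ab, transcript = pair_and_authenticate(pin, BD_ADDR_A, BD_ADDR_B)
    return k_ab, crack_pin(transcript, BD_ADDR_A, BD_ADDR_B, len(pin))


if __name__ == "__main__":
    real_key, (found_pin, found_key) = demo()
    print(found_pin, found_key == real_key)   # b'4711' True
```

A four-digit PIN is at most 10,000 derivations, well under a second here; the real E22/E21/E1 are cheap too, which is why the slides say to avoid short pass-keys. With a 16-byte alphanumeric pass-key the same loop is hopeless, and Secure Simple Pairing removes the problem by not deriving the link key from the PIN at all.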

  12. Improper key storage • Disclosure of keys: through malicious USB plugs (dongles), viruses and Trojan horses on the host • A device should be paired only with hosts it is allowed on, and the host should communicate only with trusted parties • If a link key is added to the database without pairing, the device assumes that a valid bonding exists and trusts the holder of that key • Countermeasures: restrict access to the key database and encrypt it

  13. Contd… • Denial of service: delete or corrupt the link keys in the database • An attacker who can change the keys can change any CRC stored with them, so a plain checksum does not detect the tampering • Authentication then fails repeatedly and the mandatory waiting time between attempts grows • The only recovery is to request a new pairing • The database therefore needs real integrity protection, not just a checksum

  14. Location Tracking • A user's movements can be tracked by tracking their Bluetooth device • The Bluetooth access codes (channel, device and inquiry access codes: CAC, DAC, IAC) are derived from a device address, the CAC from the master's address and the DAC from the slave's, and are sent in clear at the start of every packet • Anyone who can receive these codes can therefore recognise the device again • To prevent this, devices can operate in an anonymity mode in which they periodically replace their device address with a random one

  15. Implementation flaws • Typical weak spots: key database management, user interaction (pairing prompts), memory protection • Snarf attack – the attacker sets up a connection and pulls data from the device without the owner's consent and without alerting them • Backdoor attack – the attacker pairs, then erases the link from the victim's list of paired devices but not from the victim's link key database, so the victim still trusts the attacker and can be attacked later • Bluejacking – sending unsolicited messages to nearby Bluetooth devices (a nuisance rather than data theft)

  16. Security for Bluetooth Applications How much security a Bluetooth application needs depends on the application: some applications are more security-sensitive than others and need more security design. Here we discuss the security mechanisms for three different Bluetooth applications: Headset, Network Access and SIM Access.

  17. Headset The Bluetooth headset profile is used for headset connections to mobile phones and laptops. A security association is used to authenticate and encrypt all communication between the two Bluetooth devices, and Bluetooth pass-key usage can prevent unauthorised use of a stolen headset. A typical headset configuration consists of two devices: a headset (HS) and an audio gateway (AG), where the AG is typically a cellular phone, laptop or PC. The communication between HS and AG is protected by the authentication and encryption mechanisms.

  18. Headset (contd..) The HS and AG store the pass-keys and link keys needed for secure connections. The HS usually has no user interface, so the AG controls its basic settings (e.g. volume, changing the pass-key). Pairing succeeds only if the AG knows the correct pass-key of the HS. If the HS is stolen, the thief does not know the pass-key and cannot pair the HS with another AG. This protection is only as strong as the pass-key: a fixed factory default that is never changed gives none of it.

  19. Network Access Access to an IP network over Bluetooth is provided through the PAN profile. A network access point (NAcP) is connected to the LAN by wire on one side and to Bluetooth wireless devices on the other. The NAcP itself is open and can be reached by anybody, but the service is restricted by the service provider so that only authorised persons are allowed onto the network. The suggested security architecture is built around the common access key (CAK) concept.

  20. SIM Access The SIM (Subscriber Identity Module) access application is provided by a Bluetooth profile. A SIM card is an integrated circuit used in the GSM mobile telephone system to hold the subscriber's information. The Bluetooth SIM Access Profile defines the procedures and protocols for accessing a remote SIM over a Bluetooth connection. Because the SIM holds secret keys and subscriber information and is used for security-critical services, this link must be authenticated and encrypted.

  21. Conclusion • Bluetooth is a widely used technology for short-distance wireless communication • It still has security weaknesses, and research to improve its security is ongoing

  22. References [1] Christian Gehrmann, Joakim Persson, Ben Smeets, Bluetooth Security, Artech House, 2004. [2] http://www.cs.utk.edu/~tyang/wireless/blue.htm [3] http://www.cs.utk.edu/~dasgupta/bluetooth/ [4] http://en.wikipedia.org/wiki/Bluetooth [5] http://www.bluetooth.com/Bluetooth/Technology
