
Security Weaknesses in Bluetooth

by Markus Jakobsson and Susanne Wetzel, Lucent Technologies – Bell Labs; presented by Boris Kurktchiev.


Presentation Transcript


  1. Security Weaknesses in Bluetooth, by Markus Jakobsson and Susanne Wetzel (Lucent Technologies – Bell Labs), presented by Boris Kurktchiev

  2. What are we talking about today? • Bluetooth: what it is, why it is vulnerable, and can we fix it?

  3. Overview • What is bluetooth? • How does it work? • What are the problems? • How do we fix it? • Conclusion • Personal Remarks

  4. What is bluetooth? • Bluetooth is a standard and communications protocol designed primarily for low power consumption and short range (1-50 meters), based on low-cost microchips in each device.

  5. What is bluetooth? • Bluetooth enables these devices to communicate with each other when they are in range. • The devices use a radio communications system, so they do not have to be in line of sight of each other.

  6. What is bluetooth? • Essentially it is a mini wireless network between communicating nodes, called a piconet. • Piconet: allows one master device to interconnect with up to seven active slave devices.

  7. What is bluetooth?

  8. What is bluetooth?

  9. How does it work? • There are two modes of operation: • Discoverable – nodes respond to queries made by unknown devices and begin negotiations • Non-discoverable – nodes respond only to devices they have communicated with previously • Cryptography in Bluetooth is based on the SAFER+ algorithm. It defines four cryptographic functions: E1, E21, E22 and E3.

  10. How does it work? • When communication is initiated between nodes that have just discovered each other, they begin by negotiating a link key, which is then used for encryption in this and later sessions.

  11. How does it work? • Generation of unit key • Generation of initialization key • Generation of link key • Mutual authentication • Generation of encryption key • Generation of key stream • Encryption of data

  12. How does it work? • XXX = public value • XXX = secret value • XXX = sent in clear • XXX = sent encrypted

  13. 1. Generation of unit key [diagram; labels: ADDR_A, RAND_A, E21, K_A]

  14. 2. Generation of initialization key [diagram; labels: IN_RAND, PIN, Length, E22, K_init]

  15. 3. Generation of link key (1) [diagram; labels: K_init, K, K_A = K_link]

  16. 3. Generation of link key (2) [diagram; labels: LK_RAND_A, LK_RAND_B, ADDR_A, ADDR_B, E21, LK_A, LK_B, K_AB = K_link]

  17. 4. Mutual authentication [diagram; labels: ADDR_B, AU_RAND, E1, K_link, SRES, ACO]

  18. 5. Generation of encryption key [diagram; labels: EN_RAND, E3, K_link, ACO, K_C]

  19. 6. Generation of key stream [diagram; labels: ADDR_A, clock_MASTER, E0, K_C, K_CIPHER]

  20. 7. Encryption of data [diagram; labels: K_CIPHER, DATA]

  21. How does it work? • If for some reason a device in the network is running out of resources, Bluetooth uses a simpler version of communication.

  22. Unit key [diagram; labels: K_A = K_link, A, B]

  23. What are the problems? • Limited battery power • Computational power • Small amount of memory • Small range • Ad-hoc network • Not always an I/O interface

  24. What are the problems? • A lot of data is transmitted in the clear • If an attacker can obtain an initialisation key, he/she is able to compute the link key and thus mount man-in-the-middle attacks.

  25. What are the problems? • Sniffing can be done as well, to an extent. Devices that are being sniffed need to be in discoverable mode. • With proper equipment distribution an attacker is able to pinpoint the location of a node.

  26. What are the problems? • Location, location, location – this is the hardest and most expensive (money-wise) attack that can be mounted. • If an attacker is able to spread a large number of “passively” sniffing nodes, then he/she will be able to record multiple identities for later use, as well as pinpoint the location of the node based on where it has most recently been seen.

  27. What are the problems? • There are several problems that I see with this attack: • Money - the authors estimate $10, which is not true even 7 years later. The smallest equipped PCs that I am aware of are Gum-Stick PCs, which start at $80 (that's without the Bluetooth module)

  28. What are the problems? • Quantity – even with today's devices the longest straight distance you can get is about 50m in practice. So if you want to cover a building, for example, you will have to deploy a very large number of devices.

  29. What are the problems? • Eavesdropping and Impersonation – since the entire communication is based around the initialisation key, if an attacker is able to guess and create a hash database of these, then he/she will be able to listen in or become any of the devices in the piconet.

  30. What are the problems? • Eavesdropping – • Method One: in order to achieve this an attacker does not need to do much more than initiate a brute-force attack on the PIN used to set up communication. He/she can start guessing PINs of length up to 5-6 digits and verify their correctness by engaging the victim in the verification stage of the protocol.

  31. What are the problems? • Method Two: the attacker will attempt to set up communication with a node using a PIN he/she has chosen. At this point the initialisation protocol kicks in and the victim sends all the information the attacker needs to run a simulated communication until he/she is able to generate a valid PIN and initialisation key pair.

  32. What are the problems? • Finally, if an attacker is able to guess a correct PIN and initialisation key pair, then he/she is able to perform a MitM attack on the network. • Since devices can be both masters and slaves and neither has a predefined role, an attacker can force both devices to enter the master role or both to enter the slave role, which puts them out of sync unless the attacker transmits messages to them.

  33. What are the problems? • The final attack on the protocol involves the ciphers used. • In a pre-computation phase, an attacker randomly selects N internal states of the cipher and computes the corresponding output key stream. These N key streams are sorted and stored in a database. Then M bits of the actual key stream are observed.

  34. What are the problems? • If M ∗ N > 2^132, then one expects to see a collision between the actual key stream and a key stream in the database. • By choosing M = N = 2^66, this shows that the cipher can be broken with time and memory complexity 2^66.
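The pre-computation trade-off on slides 33-34, scaled down so it runs in a moment. This is an added example, not code from the paper or the presentation: a 16-bit LFSR stands in for the cipher with its 132-bit state (an assumption, it is not E0), and N = M = 2^11 puts M ∗ N at 64 times the 2^16 state space so a match is near certain.

```python
import random

STATE_BITS = 16      # toy stand-in for the 132-bit internal state on the slides
TAPS = 0xB400        # maximal-length 16-bit Galois LFSR (toy cipher, not E0)
PREFIX = 24          # key stream bits used as the database lookup key

def keystream(state, nbits):
    """Output nbits of key stream starting from the given internal state."""
    out = []
    for _ in range(nbits):
        bit = state & 1
        state >>= 1
        if bit:
            state ^= TAPS
        out.append(bit)
    return out

def to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value

def precompute(n_states, rng):
    """Pre-computation phase: N random states indexed by their output prefix."""
    table = {}
    for _ in range(n_states):
        state = rng.randrange(1, 1 << STATE_BITS)
        table[to_int(keystream(state, PREFIX))] = state
    return table

def find_state(table, observed, m_windows):
    """Slide over M observed windows; a hit reveals the state at that offset."""
    for offset in range(m_windows):
        state = table.get(to_int(observed[offset:offset + PREFIX]))
        if state is not None:
            return offset, state
    return None

def demo(seed=1):
    rng = random.Random(seed)
    n = m = 1 << 11
    table = precompute(n, rng)
    secret = rng.randrange(1, 1 << STATE_BITS)    # unknown to the analyst
    observed = keystream(secret, m + PREFIX - 1)  # constructed sample key stream
    return secret, observed, find_state(table, observed, m)

if __name__ == "__main__":
    secret, observed, hit = demo()
    print("match (offset, state):", hit)
```

Once an offset and state are found, every later key stream bit is predictable, which is why the cost is governed by state size rather than key length.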

  35. How do we fix it? • PIN Length - In order to avoid a situation in which an attacker is able to obtain the secret keys of victim devices, it is important to use sufficiently long and sufficiently random PINs. The authors determine that 64-bit PINs should be sufficient. • Application Layer Security – using something similar to certificates can prevent MitM attacks from happening.
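Why PIN length is the fix for the eavesdropping problem on slides 30-32: the PIN is the only secret input to the initialization key, and everything else is sent in the clear. The model below is an added example, not code from the paper or the presentation; HMAC-SHA256 stands in for the SAFER+ based E22 and E1 (an assumption), and the function names and sample address are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 replaces the SAFER+ based E22 and E1, so this models
# the message flow only and does not interoperate with real devices.
def e22(pin, in_rand, addr):
    """Stand-in E22: initialization key K_init from PIN, IN_RAND and address."""
    return hmac.new(pin, b"E22" + in_rand + addr, hashlib.sha256).digest()[:16]

def e1(key, au_rand, addr):
    """Stand-in E1: 32-bit SRES response to the AU_RAND challenge."""
    return hmac.new(key, b"E1" + au_rand + addr, hashlib.sha256).digest()[:4]

def pairing_transcript(pin, addr_b):
    """Run initialization and verification; return only what is sent in clear."""
    in_rand, au_rand = os.urandom(16), os.urandom(16)
    k_init = e22(pin, in_rand, addr_b)            # never transmitted
    return {"ADDR_B": addr_b, "IN_RAND": in_rand, "AU_RAND": au_rand,
            "SRES": e1(k_init, au_rand, addr_b)}

def pin_matches(pin, t):
    """True if this PIN reproduces the SRES seen in the transcript."""
    k_init = e22(pin, t["IN_RAND"], t["ADDR_B"])
    return hmac.compare_digest(e1(k_init, t["AU_RAND"], t["ADDR_B"]), t["SRES"])

def audit_decimal_pins(t, max_digits):
    """Check every decimal PIN of 1..max_digits digits against a transcript.
    Returns (matching PIN or None, number of candidates tested)."""
    tested = 0
    for digits in range(1, max_digits + 1):
        for value in range(10 ** digits):
            tested += 1
            candidate = str(value).zfill(digits).encode()
            if pin_matches(candidate, t):
                return candidate, tested
    return None, tested

ADDR_B = bytes.fromhex("001122334455")            # constructed sample address

if __name__ == "__main__":
    weak = pairing_transcript(b"4821", ADDR_B)
    print("4-digit PIN:", audit_decimal_pins(weak, 4))
    strong = pairing_transcript(os.urandom(8), ADDR_B)   # random 64-bit PIN
    print("64-bit PIN:", audit_decimal_pins(strong, 4))
```

A four-digit PIN falls within a few thousand candidates, while a random 64-bit PIN leaves 2^64 possibilities and the same check finds nothing.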

  36. How do we fix it? • Master/Slave Relations – making sure that certain devices are not able to change status will help with MitM attacks since an attacker will not be able to jam the devices.

  37. How do we fix it? • Physical Protection - Our attacks on the key exchange rely on the attacker being able to detect the signals transmitted by the victim devices. The use of a Faraday’s cage (with the form factor of a metal coated plastic bag) may be useful to obtain security against this attack.

  38. How do we fix it? • Cipher - the attacks against the cipher can be avoided by replacing the cipher, e.g., with AES, and by not using plaintext communication to set up the encryption of later plaintexts.

  39. Conclusion • This paper is based on a now-defunct Bluetooth standard. • Most of the problems described in this paper are now taken care of in the latest version of the protocol (currently at version 2.1 with version 3.0 being in the works).

  40. Personal Remarks • Enable Bluetooth only when you need it • Keep the device in non-discoverable mode • Use a long and difficult-to-guess PIN when pairing the device (a key such as 1234 is unacceptable) • Reject all unexpected pairing requests • Check the list of paired devices from time to time to ensure there are no unknown devices on the list • Enable encryption when establishing a BT connection to your PC.

  41. Personal Remarks • There is an attack the authors did not explore at all, and that is DoSing a device: during the PIN brute-force verification, an attacker can just flood a node with these requests and prevent legitimate use of the device due to its inability to process them. • The authors never discuss the fact that the Bluetooth protocol allows modifications to certain devices without any prior pairing: phonebook sharing and contact sharing. • No prevention of replay attacks

  42. Questions?
