
Bluetooth Security







  1. Bluetooth Security
     Ben Cumber, Kyle Swenson
  2. Overview
     - Introduction to Bluetooth
       - Protocol stack
       - Profiles
       - Proliferation and applications
     - Security
       - Past attacks
       - Current state of the art
       - Known vulnerabilities
       - Examples; demonstration
       - Future attacks
     - Hardening options: mitigating the risk
     - Conclusion
  3. Introduction to Bluetooth
     - Convenience
     - IEEE 802.15.1: Personal Area Network
       - Defines the medium access control (MAC) mechanisms
     - Baseband/Physical: 2.4 GHz (same as Wi-Fi)
       - Adaptive Frequency Hopping
     - Currently maintained by the Bluetooth Special Interest Group (SIG)
  4. Introduction to Bluetooth: Protocols
     - Mandatory Bluetooth protocols
       - Link Manager Protocol
       - Logical Link Control and Adaptation Protocol (L2CAP)
       - Service Discovery Protocol (SDP)
     - Audio streaming protocols
     - RFCOMM (most common)
     - Figures: http://www.mnl.com/images/thelink/bluetooth_fig2.gif and http://upload.wikimedia.org/wikipedia/commons/9/9f/Bluetooth_protokoly.svg
  5. Relevant Bluetooth Profiles
     - Bluetooth profiles
       - Define how a device uses the Bluetooth protocols
       - All built on the core Bluetooth stack
       - Widespread integration and interoperability
       - Define the authentication and encryption (if any)
     - Human Interface Device (HID)
       - Built off the USB HID specification
       - Includes RTUs, data acquisition equipment
     - Audio Control and Distribution
       - Bluetooth headset phone control and audio streaming
     - Object Exchange (OBEX)
       - Allows file transfer, contact transfer
  6. Bluetooth Security Mechanisms
     - Pairing: usually requires user verification, version dependent
     - Bonding: allows for seamless reconnection after two devices have been paired
       - Based off a link-key generated during the pairing process
       - If either device forgets the link-key, it is renegotiated automatically
       - Plaintext negotiation of the encryption key
     - Encryption: completely optional, dependent upon device capability
  7. Bluetooth Security: The MAC Address
     - Basis for all Bluetooth communication
     - All devices are required to at least respond to direct connection requests, regardless of discoverability setting
     - Assumed to be unique
       - With the right module, it's easy to imitate a legitimate device
       - Specification doesn't define behavior when two devices have the same MAC address
     - Part of the MAC address is allocated by the SIG/IEEE
       - Publicly available
     - The other part is assigned by the manufacturer
  8. Bluetooth Security: The MAC Address
     - Lower Address Portion (LAP)
       - Mandatory part of baseband communication
     - Upper Address Portion (UAP)
       - Contains time delay information for frequency hopping
     - Non-significant Address Portion (NAP)
       - UAP + NAP form the organizationally unique identifier
     - Once the MAC address has been determined, the device is potentially compromised
  9. Known Exploits
     - BlueRanger
       - Uses the required direct connection response to gauge relative distance through the integrity of the link
     - SpoofTooph
       - Scans for discoverable devices
       - Clones the device: imitates MAC address, profiles, services, names, and other "unique" characteristics
     - BTCrack
       - How it works: observe a pairing, guess a 4-16 digit PIN, and check whether the hashed value of the guessed PIN matches the hashed value that was observed
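Added example, not part of the original slides: the address structure from slides 7 and 8 and the cloning behaviour slide 9 attributes to SpoofTooph, seen from the defender's side in Go. The parser splits a BD_ADDR into NAP, UAP and LAP and the OUI they form, flags LAPs in the range the core specification reserves for inquiry access codes, and scans an inventory for one address that reports conflicting names or classes. All addresses, names and class values are constructed, and `Sighting` and `FindClones` are this example's own names.

```go
package main

import (
	"fmt"
	"net"
)

// BDAddr splits a 48-bit Bluetooth device address into the three fields the
// slides name: NAP (16 bits), UAP (8 bits) and LAP (24 bits).
type BDAddr struct {
	NAP uint16
	UAP uint8
	LAP uint32
}

// ParseBDAddr parses the usual "NN:NN:UU:LL:LL:LL" text form, NAP first.
// A BD_ADDR is an EUI-48, so the standard library's MAC parser applies.
func ParseBDAddr(s string) (BDAddr, error) {
	b, err := net.ParseMAC(s)
	if err != nil || len(b) != 6 {
		return BDAddr{}, fmt.Errorf("bad Bluetooth address %q", s)
	}
	return BDAddr{NAP: uint16(b[0])<<8 | uint16(b[1]), UAP: b[2],
		LAP: uint32(b[3])<<16 | uint32(b[4])<<8 | uint32(b[5])}, nil
}

// OUI is the manufacturer prefix formed by NAP followed by UAP.
func (a BDAddr) OUI() uint32 { return uint32(a.NAP)<<8 | uint32(a.UAP) }
// ReservedLAP reports whether the LAP lies in the block the core specification
// reserves for inquiry access codes (0x9E8B00-0x9E8B3F): no real device has one.
func (a BDAddr) ReservedLAP() bool { return a.LAP >= 0x9E8B00 && a.LAP <= 0x9E8B3F }
// Sighting is one row of a constructed inventory scan: address, name, class.
type Sighting struct{ Addr, Name, Class string }
// FindClones returns every address seen with more than one name or device
// class, the fingerprint of a SpoofTooph-style clone. Reported once, in order.
func FindClones(scan []Sighting) []string {
	first, flagged := map[string]Sighting{}, map[string]bool{}
	var clones []string
	for _, s := range scan {
		prev, ok := first[s.Addr]
		if !ok {
			first[s.Addr] = s
		} else if !flagged[s.Addr] && (prev.Name != s.Name || prev.Class != s.Class) {
			flagged[s.Addr] = true
			clones = append(clones, s.Addr)
		}
	}
	return clones
}
```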
  10. Known Exploits
     - BlueBugging: control a remote smartphone
       - Making/forwarding calls, sending and receiving text messages
     - Snarfing: retrieve contacts or calendar
       - Uses the OBEX Push Profile
       - OBEX Push doesn't require any authentication
     - Carwhisperer: uses vehicular audio profiles
       - Send audio messages to the driver
       - Listen to conversations in the vehicle
     - vCardBlaster (Virtual Business Card)
       - Contains contact information
       - Sends a continuous stream of vCards using Bluetooth
     - Bluetooth v4.0 has already been exploited
  11. Collecting Information
     - Ubertooth One
       - A custom Bluetooth chip from TI (CC2400) with an LPC1768 Cortex-M3 microcontroller, attached via USB
       - $120 module, allows sniffing of Bluetooth traffic
       - Able to export packets to Wireshark; sensitive information can be pulled from the captured traffic
       - Spectrum analyzer
       - Simple to program, modify, and use
     - With some embedded systems experience and motivation, every exploit is possible
  12. Bluetooth and SCADA
     - SEL-2925: RS-232 emulation over a wireless link
     - Convenience
     - Remote telemetry and data acquisition
     - Same performance degradation as WiFi in noisy environments
     - Uses the HID profile: simple, fast, negligible configuration
     - Increasingly being used for automation
     - Source: https://www.bluetooth.org/en-us/Documents/BW13_DayOne_Session3_BluetoothTrends.pdf
  13. Hardening Bluetooth
     - Encrypt the data at a higher layer (application layer) in the protocol stack
     - Don't use it! Turn Bluetooth OFF (non-discoverable or non-connectable doesn't matter)
     - Bluetooth in SCADA and critical infrastructure
       - Bluetooth was designed for convenience, not security
       - Other than lower power consumption, Bluetooth has no advantage over WiFi
       - Integrating Bluetooth into SCADA is inappropriate; use something else
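Added example, not from the slides: what "encrypt at the application layer" looks like for an RS-232-over-Bluetooth link of the kind slide 12 describes, in Go with the standard library's AES-GCM. Each serial payload is framed with an authenticated counter, so the receiver rejects replayed, reordered or altered frames whether or not the optional link-layer encryption of slide 6 is on. The frame layout, the pre-shared key and the `Link` type are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Frame = 4-byte big-endian counter || AES-GCM ciphertext+tag; the counter is both the nonce tail and associated data.
const seqLen = 4
// Link is one direction of the channel; the reverse direction needs its own key. Key
// agreement is out of scope here and a pre-shared key is assumed.
type Link struct {
	aead    cipher.AEAD
	sendSeq uint32 // must never wrap: rekey before 2^32 frames (check omitted)
	recvSeq uint32 // highest counter accepted so far, used to reject replays
}
func NewLink(key []byte) (*Link, error) { // a 16-byte key gives AES-128-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &Link{aead: aead}, err
}
func (l *Link) nonce(seq uint32) []byte { // 12-byte nonce: zeros, then the counter
	n := make([]byte, l.aead.NonceSize())
	binary.BigEndian.PutUint32(n[len(n)-seqLen:], seq)
	return n
}
// Seal wraps one serial payload; each frame gets a counter nonce that never repeats.
func (l *Link) Seal(plain []byte) []byte {
	l.sendSeq++
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint32(hdr, l.sendSeq)
	return append(hdr, l.aead.Seal(nil, l.nonce(l.sendSeq), plain, hdr)...)
}
// Open authenticates a frame and rejects short, replayed, reordered or tampered ones.
func (l *Link) Open(frame []byte) ([]byte, error) {
	if len(frame) < seqLen || binary.BigEndian.Uint32(frame) <= l.recvSeq {
		return nil, errors.New("short, replayed or stale frame")
	}
	seq := binary.BigEndian.Uint32(frame)
	plain, err := l.aead.Open(nil, l.nonce(seq), frame[seqLen:], frame[:seqLen])
	if err != nil {
		return nil, err // tag mismatch: ciphertext or counter was modified
	}
	l.recvSeq = seq
	return plain, nil
}
```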
  14. Conclusion
     - Bluetooth security needs more attention
       - Lack of appropriate tools cripples penetration testing and security analysis
     - Embedded applications
       - Most completely omit security and assume protection in complexity
       - Demonstrates the need for a reliable, secure, wireless communication
     - Security must be an integral component of the initial design process, not added after the fact
     - Realize the risk when using Bluetooth for your SCADA application
  15. References
     - http://trifinite.org/
     - http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
     - http://en.wikipedia.org/wiki/SAFER
     - https://github.com/greatscottgadgets/ubertooth/releases/tag/2014-02-R2
     - http://openciphers.sourceforge.net/oc/index.php
     - http://www.hackfromacave.com/
     - http://en.wikipedia.org/wiki/Bluetooth
     - http://en.wikipedia.org/wiki/Bluetooth_protocols
     - http://en.wikipedia.org/wiki/Bluetooth_Special_Interest_Group
     - https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=40560
     - https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=241363
     - https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=174214
     - https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=263754
     - https://www.bluetooth.org/en-us/specification/adopted-specifications
     - http://bluetooth-pentest.narod.ru/
     - http://linuxpoison.blogspot.com/2008/04/discovering-and-hacking-bluetooth.html
     - http://pen-testing.sans.org/blog/pen-testing/2011/10/20/the-bluetooth-dilemma
     - http://blog.zoller.lu/2009/02/btcrack-11-final-version-fpga-support.html