Security of Bluetooth


Máté Szalay szalaym@hit.bme.hu

Bluetooth Security

Introduction
  • Wireless Standard
  • Piconet (8 devices)
  • Scatternet
  • Range: ~10m LOS
  • 1Mbps
    • 64k voice
    • 768k data
  • 2.4 GHz
  • v1.0, v1.1

Bluetooth SIG
  • Special Interest Group
  • Founded in 1998
  • www.bluetooth.com
  • Members:
    • IBM, Intel, Microsoft
    • Ericsson, Nokia, Motorola
    • Agere, 3COM, Toshiba

Bluetooth Devices
  • Cellular phones
  • Headsets
  • Earphones
  • Printers, keyboards

Bluetooth Security Goals
  • Message Confidentiality
  • User Anonymity
  • Unique ID

Modes of Operation - 1
  • Discoverable
    • Replies to everyone
    • Other piconet?
    • New device?
  • Non-Discoverable
    • Replies to devices already known

Modes of Operation - 2
  • Connectable
    • Replies to queries from already discovered nodes
  • Non-Connectable
    • Does not reply

Setting Up Communication
  • Two devices
  • Not yet seen each other
  • Symmetric link key is set up
  • No shared secret
  • PIN based
  • Man-in-the-middle attacks

Setting Up Link Key
  • Two methods
  • 1. Insufficient Memory
    • Using the unit key as link key
    • Impersonation attacks!
  • 2. Sufficient Memory
    • Initialization key
    • Mutual Authentication
    • Exchange of random numbers
    • Link key generation

Initialization Key Generation
  • Parties: A and B
  • Messages exchanged: RND, CH1, RESP1
  • Both sides compute IK from RND, a(B), PIN
  • Response computed from CH1, a(B), IK
    • RESP1 on one side, RESP1’ on the other
Link Key – Method 1
  • Parties: A and B
  • KA is the link key
  • Can be different from unit key!
  • Message exchanged: E_IK{KA}

Link Key – Method 2
  • Parties: A and B
  • A computes LK_Ka from randA, a(A)
  • B computes LK_Kb from randB, a(B)
  • Messages exchanged: E_IK{LK_Ka}, E_IK{LK_Kb}
  • (LK_KaLK_Kb) is the link key
  • Mutual Verification

Link Key - Attacks
  • Attacker obtains initialization key
  • PIN length!
  • Attacker obtains unit key
  • Link key computed from initialization key
  • Encryption keys are computed from link key
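
The pairing exchange from the preceding slides, modelled end to end as an added example (not code from the original presentation). It shows that RND, CH1, RESP1 and the wrapped key halves all travel over the air, so the PIN is the only secret input, which is why the slides stress PIN length. Assumptions: HMAC-SHA256 stands in for the specification's key functions, E_IK is modelled as XOR with IK, the two halves are combined by XOR as in the Bluetooth 1.x combination key, A is taken to be the challenger, and all function names and addresses are constructed.

```python
import hashlib, hmac, math, os

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in (assumption) for the spec's key functions: HMAC-SHA256, 128-bit output.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

def init_key(pin: bytes, rnd: bytes, addr_b: bytes) -> bytes:
    return kdf(pin, b"IK", rnd, addr_b)            # IK from RND, a(B), PIN

def response(ik: bytes, ch1: bytes, addr_b: bytes) -> bytes:
    return kdf(ik, b"RESP", ch1, addr_b)[:4]       # RESP1 from CH1, a(B), IK

def pair(pin_a: bytes, pin_b: bytes, addr_a: bytes, addr_b: bytes):
    """Return (authenticated, link key at A, link key at B, values sent over the air)."""
    rnd, ch1 = os.urandom(16), os.urandom(16)      # A -> B: RND, then CH1
    ik_a, ik_b = init_key(pin_a, rnd, addr_b), init_key(pin_b, rnd, addr_b)
    resp1 = response(ik_b, ch1, addr_b)            # B -> A: RESP1
    air = {"RND": rnd, "CH1": ch1, "RESP1": resp1}
    if not hmac.compare_digest(resp1, response(ik_a, ch1, addr_b)):  # A's RESP1'
        return False, None, None, air              # PINs differ: no link key is set up
    lk_ka = kdf(os.urandom(16), b"LK", addr_a)     # LK_Ka from randA, a(A)
    lk_kb = kdf(os.urandom(16), b"LK", addr_b)     # LK_Kb from randB, a(B)
    air["E_IK{LK_Ka}"] = xor(lk_ka, ik_a)          # E_IK modelled as XOR with IK (assumption)
    air["E_IK{LK_Kb}"] = xor(lk_kb, ik_b)
    # Each side unwraps the peer's half with its own IK and XORs both halves together.
    key_a = xor(lk_ka, xor(air["E_IK{LK_Kb}"], ik_a))
    key_b = xor(lk_kb, xor(air["E_IK{LK_Ka}"], ik_b))
    return True, key_a, key_b, air

def pin_bits(digits: int) -> float:
    """Entropy in bits of a uniformly random decimal PIN, the only secret input to IK."""
    return digits * math.log2(10)

if __name__ == "__main__":
    A, B = bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("010203040506")  # constructed addresses
    ok, ka, kb, air = pair(b"4821", b"4821", A, B)
    print("same PIN:", ok, "| link keys match:", ka == kb)
    print("different PIN:", pair(b"4821", b"0000", A, B)[0])
    print("sent over the air:", sorted(air))
    print("4-digit PIN: %.1f bits, 20-digit PIN: %.1f bits" % (pin_bits(4), pin_bits(20)))
```

A 4-digit PIN carries about 13 bits, far below the 64-bit threshold named under Countermeasures; a decimal PIN needs 20 digits to exceed it.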

Location - 1
  • Attacker traces movement of Bluetooth users
  • Owns or leases several Bluetooth devices
    • $10/device
    • Well placed (airports)
  • Records identities

Location - 2
  • Discoverable mode
  • Non-discoverable mode
    • Wait for the user to initiate
    • Gaining control over user’s device
  • Controlling only user’s device

Linking Identities
  • Consumer identity is known
    • e.g.: credit card transfer
  • Probabilistic matches

Encryption Engine
  • 4 LFSRs
    • Lengths: 25, 31, 33, 39
  • Two 2-bit registers
  • Broken:
    • 2^100 time
    • 2^66 time + 2^66 memory

Countermeasures
  • PIN length > 64 bit
  • Protecting unit keys
  • Application layer security
  • Replacing the Cipher


Thank you for your attention!

szalaym@hit.bme.hu
