Bluetooth - cse.sc.edu

Security Weaknesses in
Bluetooth
by Markus Jakobsson and Susanne Wetzel
Lucent Technologies – Bell Labs
presented by Boris Kurktchiev
What are we talking about
today?
Bluetooth: what it is, why it is vulnerable, and
can we fix it?
Overview






What is bluetooth?
How does it work?
What are the problems?
How do we fix it?
Conclusion
Personal Remarks
What is bluetooth?

Bluetooth is a standard and
communications protocol primarily designed
for low power consumption, with a short
range (1-50 meters), based on low-cost
microchips in each device.
What is bluetooth?


Bluetooth enables these devices to
communicate with each other when they are
in range.
The devices use a radio communications
system, so they do not have to be in line of
sight of each other
What is bluetooth?


Essentially it is a mini wireless network
between communicating nodes, called a
piconet.
Piconet - allows one master device to
interconnect with up to seven active slave
devices.
How does it work?

There are two modes of operation:



Discoverable – nodes respond to queries made
by unknown devices and begin negotiations
Non-discoverable – nodes only respond to
devices that they have communicated with previously
Cryptography in Bluetooth is based on the
SAFER+ algorithm. It defines 4 different
cryptography functions: E1, E21, E22, E3.
How does it work?

When communication is initiated between
nodes, which just discovered each other,
they begin by negotiating a link key which is
later used for purposes of encryption for this
and later sessions.
How does it work?







Generation of unit key
Generation of initialization key
Generation of link key
Mutual authentication
Generation of encryption key
Generation of key stream
Encryption of data
How does it work?




[Diagram legend (formatting lost in extraction): public value, secret value, sent in clear, sent encrypted]
1. Generation unit key [diagram labels: ADDRA, RANDA, E21, KA]
2. Generation initialization key [diagram labels: IN_RAND, PIN, Length, E22, Kinit]
3. Generation link key (1) [diagram labels: Kinit, K, KA = Klink]
3. Generation link key (2) [diagram labels: LK_RANDA, LK_RANDB, ADDRA, ADDRB, E21, LKA, LKB, KAB = Klink]
4. Mutual authentication [diagram labels: ADDRB, AU_RAND, Klink, E1, SRES, ACO]
5. Generation encryption key [diagram labels: EN_RAND, Klink, ACO, E3, KC]
6. Generation key stream [diagram labels: ADDRA, clockMASTER, KC, E0, KCIPHER]
7. Encryption of data [diagram labels: KCIPHER, DATA]
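The key chain of steps 2 to 5 above, with both devices' sides of the exchange, as an added example that is not from the slides or the paper. It assumes truncated HMAC-SHA256 as a stand-in for the SAFER+-based E1/E21/E22/E3, takes each function's inputs from the diagram labels, and masks the LK_RAND values by XOR with Kinit as in the Bluetooth 1.x combination-key exchange; the device addresses and the names `Device`, `prf` and `pair` are constructed for the illustration. The returned `on_air` list holds every value a passive listener sees, so the PIN is the only input to the chain that never crosses the air.

```python
import hashlib
import hmac
import os

def prf(label, key, *parts):
    # ASSUMPTION: HMAC-SHA256 truncated to 128 bits stands in for the
    # SAFER+-based E1/E21/E22/E3; these are not the real Bluetooth functions.
    msg = label + b"".join(bytes([len(p)]) + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Device:
    def __init__(self, addr, pin):
        self.addr, self.pin = addr, pin

    def k_init(self, in_rand):                      # step 2: E22
        return prf(b"E22", self.pin, bytes([len(self.pin)]), in_rand)

    def lk_share(self, k_init):                     # step 3 (2): own half
        self.lk_rand = os.urandom(16)
        self.lk_own = prf(b"E21", self.lk_rand, self.addr)
        return xor(self.lk_rand, k_init)            # LK_RAND masked with Kinit

    def link_key(self, masked, peer_addr, k_init):  # step 3 (2): KAB = Klink
        lk_peer = prf(b"E21", xor(masked, k_init), peer_addr)
        self.k_link = xor(self.lk_own, lk_peer)

    def e1(self, au_rand, claimant_addr):           # step 4: (SRES, ACO)
        out = prf(b"E1", self.k_link, au_rand, claimant_addr)
        return out[:4], out[4:]

    def k_c(self, en_rand, aco):                    # step 5: E3
        return prf(b"E3", self.k_link, en_rand, aco)

def pair(pin_a, pin_b):
    a = Device(bytes.fromhex("0000000000a1"), pin_a)  # constructed addresses
    b = Device(bytes.fromhex("0000000000b2"), pin_b)
    in_rand, au_rand, en_rand = (os.urandom(16) for _ in range(3))  # in clear
    kinit_a, kinit_b = a.k_init(in_rand), b.k_init(in_rand)
    share_a, share_b = a.lk_share(kinit_a), b.lk_share(kinit_b)
    a.link_key(share_b, b.addr, kinit_a)
    b.link_key(share_a, a.addr, kinit_b)
    sres_b, aco_b = b.e1(au_rand, b.addr)             # B answers A's challenge
    sres_a, aco_a = a.e1(au_rand, b.addr)             # A's expected answer
    return {"authenticated": hmac.compare_digest(sres_a, sres_b),
            "same_kc": a.k_c(en_rand, aco_a) == b.k_c(en_rand, aco_b),
            "on_air": [in_rand, share_a, share_b, au_rand, sres_b, en_rand]}
```

With matching PINs both sides derive the same Klink and KC; with different PINs the SRES check fails, which is the same check that confirms or rejects a PIN in the verification stage.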
How does it work?

If for some reason a device in the network is
running out of resources, Bluetooth uses a
simpler version of communication.
[Diagram: unit key, KA = Klink, devices A and B]
What are the problems?






Limited battery power
Computational power
Small amount of memory
Small range
Ad-hoc network
Not always I/O-interface
What are the problems?


A lot of data is transmitted in the clear.
If an attacker can obtain an initialisation key,
he/she is able to compute the link key and
thus mount Man-in-the-Middle attacks.
What are the problems?


Sniffing can be done as well, to an extent.
Devices that are being sniffed need to be in
discoverable mode.
With proper equipment distribution an
attacker is able to pinpoint the location of a
node.
What are the problems?


Location, location, location – this is the
hardest and most expensive (money-wise)
attack that can be mounted.
If an attacker is able to spread a large
number of “passively” sniffing nodes, then
he/she will be able to record multiple
identities for later use, as well as be able to
pinpoint the location of the node based on
where it has most recently been seen.
What are the problems?

There are several problems that I see with
this attack:

Money - the authors estimate $10, which is not
true even 7 years later. The smallest equipped
PCs that I am aware of are Gum-Stick PCs, which
start at $80 (that's without the bluetooth module)
What are the problems?

Quantity – even with today's devices the longest
straight distance you can get is about 50m in
practice. So if you want to cover a building for
example you will have to deploy a very large
number of devices.
What are the problems?

Eavesdropping and Impersonation – since
the entire communication is based around
the initialisation key, if an attacker is able to
guess these and create a hash database of them,
then he/she will be able to listen in or
become any of the devices in the piconet.
What are the problems?

Eavesdropping –

Method One: in order to achieve this an attacker
does not need to do much more than initiate a
brute-force attack on the PIN used to set up
communication. He/she can start guessing PINs
with length up to 5-6 digits and verify their
correctness by engaging the victim in the verification
stage of the protocol.
What are the problems?

Method Two: the attacker will attempt to set up
communication with a node using a PIN he/she
has chosen. At this point the initialisation protocol
kicks in and the victim sends all the needed
information for the attacker to be able to run a
simulated communication until he/she is able to
generate a valid PIN and initialisation key pair.
What are the problems?

Finally, if an attacker is able to guess a
correct PIN and initialisation key pair, then he/she
is able to perform a MitM attack on the
network.

Since devices can be both masters and slaves
and neither has a predefined role, an attacker
can force the devices to both enter a master role
or a slave one, which puts them out of sync
unless the attacker transmits messages to them.
What are the problems?

The final attack on the protocol involves the
ciphers used.

In a pre-computation phase, an attacker randomly
selects N internal states of the cipher, and computes
the corresponding output key stream. These N key
streams are sorted and stored in a database. Then
M bits of the actual key-stream are observed.
What are the problems?


If M ∗ N > 2^132 then one expects to see a
collision between the actual key-stream and a
key-stream in the database.
By choosing M = N = 2^66, this shows that the
cipher can be broken with time and memory
complexity 2^66.
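Where the M ∗ N > 2^132 threshold comes from (a derivation added here, not from the slides; it assumes that 2^132 is the number of possible internal states of the cipher and that the N stored states are chosen uniformly at random):

Each observed key-stream position is produced by one internal state, and a given stored state equals it with probability 2^-132.
Expected number of matches = M ∗ N ∗ 2^-132
P(at least one match) ≈ 1 - e^(-M ∗ N / 2^132)
With M = N = 2^66: expected matches = 2^66 ∗ 2^66 / 2^132 = 1, so P ≈ 1 - e^-1 ≈ 0.63
The two factors trade against each other, so any M and N whose product reaches 2^132 give the same expectation; M = N = 2^66 is the balanced choice that minimises the larger of the two costs.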
How do we fix it?


PIN Length - In order to avoid a situation in
which an attacker is able to obtain the secret
keys of victim devices, it is important to use
sufficiently long and sufficiently random
PINs. The authors determine that 64-bit PINs
should be sufficient.
Application Layer Security – using
something similar to Certificates can prevent
MitM attacks from happening.
How do we fix it?

Master/Slave Relations – making sure that
certain devices are not able to change status
will help with MitM attacks since an attacker
will not be able to jam the devices.
How do we fix it?

Physical Protection - Our attacks on the
key exchange rely on the attacker being able
to detect the signals transmitted by the victim
devices. The use of a Faraday’s cage (with
the form factor of a metal coated plastic bag)
may be useful to obtain security against this
attack.
How do we fix it?

Cipher - the attacks against the cipher can
be avoided by replacing the cipher, e.g., with
AES, and by not using plaintext communication
to set up the encryption of later
plaintexts.
Conclusion


This paper is based on a now-defunct
Bluetooth standard.
Most of the problems described in this paper
are now taken care of in the latest version of
the protocol (currently at version 2.1 with
version 3.0 being in the works).
Personal Remarks






Enable Bluetooth only when you need it
Keep the device in non-discoverable mode
Use a long and difficult-to-guess PIN key when
pairing the device (a key such as 1234 is
unacceptable)
Reject all unexpected pairing requests
Check list of paired devices from time to time
to ensure there are no unknown devices on
the list
Enable encryption when establishing BT
connection to your PC.
Personal Remarks



There is an attack the authors did not explore
at all, and that is DoSing a device: during the
PIN brute-force verification, an attacker can
just flood a node with these requests and
prevent legitimate uses of the device due to
its inability to process them.
The authors never discuss the fact that the
Bluetooth protocol allows modifications to
certain devices without any prior pairing:
phonebook sharing and contact sharing.
No prevention of replay attacks
Questions?