Bluetooth 15C
“How does Bluetooth bonding work, what security holes can an attacker use, what has been done so far?”
2G1704 – Internet Security and Privacy
KTH
2005-11-24
Markus Swenson, [email protected]
Tanawat Tatiyavoranant, [email protected]
Contents
1. Introduction (p. 2)
2. Bluetooth Overview (p. 2)
3. Security (p. 2)
3.1 Authentication (p. 3)
3.1.1 Generation of initialization key (p. 3)
3.1.2 Generation of link key and link key exchange (p. 3)
3.1.3 Authentication (p. 4)
3.1.4 Encryption (optional) (p. 4)
3.2 What to do (p. 4)
4. Bluetooth Attacks (p. 5)
4.1 Bluetooth Attack behaviour (p. 6)
1. Introduction
Today Bluetooth is the primary technology for short-range digital radio in ad hoc networks. It is built into many digital devices such as mobile phones, fixed telephones, PDAs and laptops. Bluetooth therefore removes the need for cables in applications such as wireless synchronization and file sharing, and it can also act as a gateway for internet connectivity.
This study focuses on the mechanism of Bluetooth bonding and the details of Bluetooth security, and points out the weak points in its current security. After the introduction, the first part briefly covers the history and standard of Bluetooth as well as its specification. Next we continue with Bluetooth bonding (pairing), its mechanism and its security. Thereafter we describe the breaks and holes in Bluetooth security that an attacker can use. Finally the study ends with the behaviour of attackers today.
2. Bluetooth Overview
Bluetooth was invented by Ericsson Mobile Communication in 1994. Its name comes from the Danish king Harald Bluetooth. Bluetooth is a short-range communication protocol. The Bluetooth Specification 2.0 [1] divides Bluetooth devices into three classes based on the range needed. The radio operates in the 2.4 GHz band, a free (unlicensed) band that is also used by WLANs such as 802.11g.

           Maximum output   Maximum range
  Class 1  100 mW           100 m
  Class 2  2.5 mW           20 m
  Class 3  1 mW             10 m
Table 1

Because of interference with WLANs and other radio communication in the 2.4 GHz band, Bluetooth uses frequency hopping and power reduction to reduce the interference. The frequency-hopping technique changes frequency 1600 times per second among 79 channels in a pseudo-random order. A Bluetooth connection always has one master and up to 7 slaves. Before version 2.0 the data rate is limited to 720 kbps. With the Enhanced Data Rate feature in version 2.0 the maximum data rate is 2.1 Mbps.
3. Security
The first time two units want to communicate securely they need to be paired with each other. In the pairing process the units exchange keys and authenticate each other. The Bluetooth specification defines three security modes, ranging from no authentication or encryption to both authentication and encryption. In this section we look primarily at the authentication process as described in the Bluetooth Specification 2.0.
[1] Core Specification v2.0 + EDR, https://www.bluetooth.org/spec
3.1 Authentication
There are three functions used for authentication: E1, E2 and E3. All of them are based on the block cipher SAFER+, which was one of the candidates to become AES [2]. The version of SAFER+ that the Bluetooth specification uses is an enhanced version called SAFER-SK128, which is free and maps a 128-bit input to a 128-bit output. The standard uses both SAFER-SK128 and a modified, non-invertible version of it. The inputs to these functions differ depending on the stage of the pairing process the units are in. E1 is used to compute the challenge-response values for authentication. E2 is used for generating the different link keys. E3 is used when creating the encryption key.
The important elements in authentication are:

  Element                Length        Visibility
  Unit hardware address  48 bits       Public
  Link key               128 bits      Private
  Encryption key         8 – 128 bits  Private
Table 2

The connection process is divided into different phases depending on whether the units have been paired before or not.
3.1.1 Generation of initialization key
An initialization key is created when no other keys are present. The key is derived from a random number, a PIN, the length of the PIN and a unit’s hardware address. The PIN code can either be a factory value or be entered by the user, up to a maximum of 16 octets. There are three scenarios for how the PIN is used:
• If one device has a fixed PIN, the unit address of the other device is used when deriving a new link key.
• If both units have non-fixed PINs, the hardware address of the unit that received the random number is used. The PIN code has to be entered in both devices that are going to be paired.
• If both units have fixed PINs they cannot be paired.
The unit address is appended to the PIN, and the whole unit address may not be used. The initialization key is discarded once the link key has been exchanged between the units; it is used only to protect the initial values that need protection before a regular key, the link key, is established.
3.1.2 Generation of link key and link key exchange
Once a link key is established between two units they use that key for authentication. A link key is 128 bits long and shared between two or more units. A new link key can be derived at any time to improve security. There are four types of link keys:
• Combination key KAB
- The combination key is based on information from both units in the pairing process.
• Unit key KA
- A unit key is a key that one unit uses in all its connections with other units. Unit keys are preferred when one single unit connects to a large group of users, since it then only has to store one key instead of one key per user.
• Temporary key KMaster
- A master key is used only temporarily, to replace the original link key in the current session. It is used when a master unit wants to reach more than one slave using the same encryption key.
• Initialization key KInit
- A key that is created if there are no other keys or the keys are lost. It is only used as link key during initialization.
[2] Bluetooth Security, Nikos Mavrogiannopoulos, 2005-11-18
The combination link key is a combination of two numbers generated in the two devices.
• Each device creates a random number and encrypts it together with its own hardware address.
• The random number is XORed with the initialization key (the current link key) and sent to the other unit.
• Now each unit has the other’s random number. Since hardware addresses are public, each unit can calculate its counterpart’s encrypted random number together with the hardware address.
• Both units now do a bitwise modulo-2 addition (XOR) to combine the two units’ encrypted values.
• The result of the modulo-2 addition is the combination key of the two units.
• A mutual authentication is required to confirm that both units have the correct combination key. After a successful authentication the old link key can be discarded.
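The exchange above, simulated in Python as an added example (this is not code from the paper or from the Bluetooth specification). The real E21 and E22 functions are SAFER+ based; here both are replaced by a constructed stand-in, HMAC-SHA256 truncated to 128 bits, so the block shows the message flow and the modulo-2 combination rather than the real cipher. The class and function names, the addresses and the PINs are all constructed for the example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # 128-bit keys, as in the paper


def e_func(key: bytes, data: bytes) -> bytes:
    """Stand-in for the SAFER+-based E21/E22 functions (assumption: HMAC-SHA256
    truncated to 128 bits). Only the shape of the exchange is the real one."""
    return hmac.new(key, data, hashlib.sha256).digest()[:KEY_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def init_key(pin: bytes, in_rand: bytes, addr: bytes) -> bytes:
    """Kinit (3.1.1): derived from the PIN, the PIN length, a random number and
    a hardware address. The address is appended to the PIN and the result is
    cut to 16 octets, so the whole address is not necessarily used."""
    pin_aug = (pin + addr)[:16]
    return e_func(in_rand, pin_aug + bytes([len(pin_aug)]))


class Unit:
    """One side of the combination-key exchange (3.1.2)."""

    def __init__(self, addr: bytes, k_init: bytes):
        self.addr = addr
        self.link_key = k_init  # Kinit acts as the current link key
        self.lk_rand = secrets.token_bytes(KEY_LEN)
        # step 1: encrypt own random number together with own hardware address
        self.own_part = e_func(self.lk_rand, self.addr)

    def outgoing(self) -> bytes:
        # step 2: random number XORed with the current link key, sent to the peer
        return xor(self.lk_rand, self.link_key)

    def incoming(self, msg: bytes, peer_addr: bytes) -> bytes:
        # step 3: recover the peer's random number and recompute its encrypted part
        peer_rand = xor(msg, self.link_key)
        peer_part = e_func(peer_rand, peer_addr)
        # steps 4-5: modulo-2 addition of both parts gives the combination key K_AB
        self.link_key = xor(self.own_part, peer_part)
        return self.link_key


def pair(pin_a: bytes, pin_b: bytes, addr_a: bytes, addr_b: bytes):
    """Run the exchange; each unit derives Kinit from the PIN entered on it.
    Returns the link keys both sides end up with (equal only if the PINs match)."""
    in_rand = secrets.token_bytes(KEY_LEN)  # A's random number, sent in the clear
    # neither unit has a fixed PIN, so the address of the unit that received
    # the random number (B) is used when deriving Kinit
    a = Unit(addr_a, init_key(pin_a, in_rand, addr_b))
    b = Unit(addr_b, init_key(pin_b, in_rand, addr_b))
    c_a, c_b = a.outgoing(), b.outgoing()  # what an eavesdropper would see
    k_a = a.incoming(c_b, b.addr)
    k_b = b.incoming(c_a, a.addr)
    return k_a, k_b


if __name__ == "__main__":
    # constructed addresses and PINs
    addr_a, addr_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    k_a, k_b = pair(b"1234", b"1234", addr_a, addr_b)
    print("same PIN on both units, keys equal:", k_a == k_b)
    k_a, k_b = pair(b"1234", b"1235", addr_a, addr_b)
    print("different PINs, keys equal:", k_a == k_b)
```

The values sent over the air (c_a and c_b) are the random numbers masked with Kinit, which is why the PIN is the only secret protecting the whole exchange; an observer who can guess the PIN can recompute Kinit and then K_AB, which is the weakness section 4 returns to.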
3.1.3 Authentication
Authentication is based on a challenge-response scheme. Unit A sends a random value to B. B encrypts the random number and B’s hardware address with the link key that A and B share. B sends its result to A, which does the same calculation and compares the two. Mutual authentication is achieved by running the authentication process twice: when A has authenticated B as in the example above, B does the same towards A.
To prevent a unit from making massive repeated attempts to test a large number of keys in a short time, the Bluetooth standard has built-in protection. Every failed attempt increases the waiting time exponentially. Each unit that tries to connect has its own waiting interval, which prevents denial-of-service attacks against other units.
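The challenge-response and the per-unit exponential waiting interval, as an added example in Python (not code from the paper or the specification). E1 is SAFER+ based in the specification; here it is a constructed HMAC-SHA256 stand-in truncated to 32 bits. The base waiting interval, the class and method names and the addresses are assumptions made for the example; time is passed in explicitly so the backoff can be checked without sleeping.

```python
import hashlib
import hmac
import secrets


def sres(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """Stand-in for E1 (assumption: HMAC-SHA256 truncated to 32 bits).
    Encrypts the challenge together with the claimant's hardware address
    under the shared link key."""
    return hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()[:4]


class Unit:
    """A unit that can act as verifier (sends the challenge) or claimant (answers it)."""

    BASE_WAIT = 1.0  # seconds; constructed value, the real interval is an implementation matter

    def __init__(self, addr: bytes, link_key: bytes):
        self.addr = addr
        self.link_key = link_key
        self.not_before = {}  # peer addr -> earliest time a new attempt is accepted
        self.wait = {}        # peer addr -> current waiting interval for that peer

    def respond(self, au_rand: bytes) -> bytes:
        """Claimant side: encrypt the challenge and own address with the link key."""
        return sres(self.link_key, au_rand, self.addr)

    def authenticate(self, peer: "Unit", now: float) -> str:
        """Verifier side. Returns 'ok', 'fail' or 'wait'. The waiting interval is
        tracked per peer and doubles after every failed attempt."""
        if now < self.not_before.get(peer.addr, 0.0):
            return "wait"
        au_rand = secrets.token_bytes(16)  # fresh challenge for every attempt
        expected = sres(self.link_key, au_rand, peer.addr)
        if hmac.compare_digest(peer.respond(au_rand), expected):
            self.not_before.pop(peer.addr, None)
            self.wait.pop(peer.addr, None)
            return "ok"
        interval = self.wait.get(peer.addr, self.BASE_WAIT)
        self.not_before[peer.addr] = now + interval
        self.wait[peer.addr] = interval * 2
        return "fail"


def mutual_authenticate(a: Unit, b: Unit, now: float) -> bool:
    """Authentication run in both directions: A verifies B, then B verifies A."""
    return a.authenticate(b, now) == "ok" and b.authenticate(a, now) == "ok"


if __name__ == "__main__":
    shared = bytes(range(16))  # constructed 128-bit link key
    a = Unit(bytes.fromhex("001122334455"), shared)
    b = Unit(bytes.fromhex("66778899aabb"), shared)
    c = Unit(bytes.fromhex("ccddeeff0011"), bytes(16))  # wrong link key
    print("A<->B mutual:", mutual_authenticate(a, b, 0.0))
    for t in (0.0, 0.5, 1.0, 2.9, 3.0):
        print(f"t={t}: A verifies C ->", a.authenticate(c, t))
```

Because the interval is keyed on the peer address, C's failures never delay B: a unit that keeps guessing only locks itself out, which is the denial-of-service point the paragraph makes.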
3.1.4 Encryption (optional)
Encryption is an optional feature in Bluetooth. The encryption key for the E0 cipher is between 8 and 128 bits long and is derived from the current link key.
3.2 What to do
There are some things that can enhance the security [3].
• Bond two units in a secure place where no one can listen in and steal the PIN.
• Use long random PINs.
• Do not use unit keys unless necessary.
[3] Bluetooth Security White Paper, Christian Gehrmann, 2002-05-14
4. Bluetooth Attacks
Several attacks on Bluetooth have been found against the E0 stream cipher, which is based on Linear Feedback Shift Registers (LFSR). The ciphertext is just the XOR of the plaintext and the keystream of the linear encryption, as shown in Figure 1. Therefore it is not hard to manipulate the ciphertext to produce a different output if the transmitted data are known [4].
Figure 1 Bluetooth Encryption Procedure [5]
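The property just described, shown on a generic XOR stream cipher as an added example (not code from the paper). The keystream generator is a constructed stand-in (SHA-256 in counter mode) rather than E0, since the point holds for any cipher whose ciphertext is plaintext XOR keystream; the function names, keys and the sample message are constructed. The second half shows the mitigation: a message authentication code over the ciphertext makes such changes detectable.

```python
import hashlib
import hmac


def keystream(key: bytes, clock: bytes, length: int) -> bytes:
    """Stand-in for E0's keystream generator (assumption: SHA-256 in counter
    mode, keyed by the encryption key and a clock value)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + clock + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, clock: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: data XOR keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, clock, len(data))))


def rewrite_known_field(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Why known plaintext matters for a stream cipher: XORing (known XOR wanted)
    into the ciphertext changes the decrypted bytes from `known` to `wanted`
    without any knowledge of the key. Used here only to show what must be detected."""
    assert len(known) == len(wanted)
    delta = bytes(x ^ y for x, y in zip(known, wanted))
    patched = bytes(c ^ d for c, d in zip(ct[offset:offset + len(delta)], delta))
    return ct[:offset] + patched + ct[offset + len(delta):]


def protect(key: bytes, mac_key: bytes, clock: bytes, pt: bytes) -> tuple:
    """Mitigation: encrypt, then MAC the ciphertext so every bit of it is bound."""
    ct = stream_xor(key, clock, pt)
    return ct, hmac.new(mac_key, clock + ct, hashlib.sha256).digest()


def open_protected(key: bytes, mac_key: bytes, clock: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None if the ciphertext was modified in transit."""
    expected = hmac.new(mac_key, clock + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(key, clock, ct)


if __name__ == "__main__":
    key, mac_key, clock = b"K" * 16, b"M" * 16, b"\x00" * 4  # constructed values
    pt = b"transfer 0010 EUR"
    ct = stream_xor(key, clock, pt)
    tampered = rewrite_known_field(ct, 9, b"0010", b"9999")
    print("unprotected, decrypts to:", stream_xor(key, clock, tampered))
    ct, tag = protect(key, mac_key, clock, pt)
    print("with MAC, tampered message accepted:",
          open_protected(key, mac_key, clock, rewrite_known_field(ct, 9, b"0010", b"9999"), tag) is not None)
```

Bluetooth 2.0 as described in this paper provides no such integrity check on the encrypted payload, so the confidentiality E0 gives does not imply that received data is unmodified.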
Combined with the previous statement, a man-in-the-middle attack causes more problems for devices that rely on unit keys. This is easily illustrated by the following scenario. Device A uses its unit key to communicate and share information with trusted device B. During the connection with device B, device A also connects to another, untrusted device C with the same unit key. From this situation, device C can monitor the information between A and B as well as obtain the encryption key, by deriving it from the unit key and a faked device address of device A.
Another issue for Bluetooth attacks is PIN cracking. In experiments it has fully succeeded for PINs of fewer than 64 bits [6] (equivalent to a 19-digit decimal PIN). It is done by enumerating the possible PIN values. Knowing the random number from the master device, the attacker runs E1 and E2 to find a hypothetical Kinit and a hypothetical link key. From this state the attacker calculates SRES (Signed Response) from these two keys and compares the two to check the result. The entire process of PIN cracking is shown in Figure 2.
[4] A Uniform Framework for Cryptanalysis of the Bluetooth E0 Cipher, Ophir Levy and Avishai Wool
[5] Wireless Network Security: 802.11, Bluetooth and Handheld Devices, Tom Karygiannis and Les Owens, November 2002
[6] Cracking the Bluetooth PIN, Yaniv Shaked and Avishai Wool, 2005-05-02
Figure 2 PIN cracking structure
4.1 Bluetooth Attack behaviour [7]
The following are some of the possible vulnerabilities that can affect Bluetooth-enabled devices.
• BlueSnarfing
- The attacker connects to the target device without alerting the owner of the device, and gains access to restricted portions of the device such as the phonebook, calendar, IMEI and pictures.
• Backdoor Attack
- The attacker first does snarfing to get information about the trusted paired devices. Thereafter it impersonates one of them to gain access to services such as the modem connection, WAP, GPRS and everything else the trusted device is allowed to do.
• BlueBugging
- The attacker connects to the target device without alerting it, as in BlueSnarfing, but also tries to create a serial profile connection to the target device. After the serial profile is established, the attacker gets full access to the AT (Attention) command set [8]. In other words, the attacker can make calls, send messages or connect to the internet using the target device.
• BlueJacking
- The attacker does nothing to the target device except sending annoying messages or business cards from an anonymous sender.
[7] Serious flaw in Bluetooth security leads to disclosure of personal data, Adam Laurie, Ben Laurie, A.L. Digital Ltd., 2004-10-14
[8] http://www.modem.com/general/extendat.html