SECURITY ANALYSIS AND EVALUATION OF BLUETOOTH TECHNOLOGY
PRESENTED BY:
Armaan Buttar
Thomas Bickerton
Andrew David
CONTENTS
• Overview
• Implementation
• Vulnerabilities
• Risk Assessment
• Mitigation Measures and Security Recommendation
• Conclusion
OVERVIEW
• Introduced in 1994 by Ericsson
• 5 billion devices
• Versions 1 to 5.2
• Wireless technology
• Operates on a frequency band between 2.4 GHz and 2.48 GHz
• Range from 1 m to 100 m
OVERVIEW | BLUETOOTH TECHNOLOGY
POWER | CLASS | TRANSMISSION RATES (table)
OVERVIEW | BLUETOOTH TECHNOLOGY
BLUETOOTH DEVICE SHIPMENTS WORLDWIDE FROM 2015 TO 2026 (chart)
IMPLEMENTATION | ATTACK STAGES
• Obfuscation
• Surveillance
• Fuzzer
• Range Extension
• Sniffing
• Man in the Middle
• Unauthorised Direct Data Access
• Denial of Service
• Malware
IMPLEMENTATION | OBFUSCATION
• Obfuscation is a technique used to achieve anonymity for one's device by changing the device's information before launching an attack.
• Step 1: Checking the standard configuration
• Step 2: Obfuscating the device's information
• Alternative step: Random allocation
IMPLEMENTATION | OBFUSCATION
Result
Attacks | Version 1s | Version 2s | Version 3s | Version 4s/5s | Comments
Obfuscation | N/A | Success | Success | Success | Works with every version, but V1s wasn't available.
IMPLEMENTATION | SURVEILLANCE
• Surveillance is the stage where we acquired the target device's information, such as BD_ADDR, device name, the Bluetooth version the device uses, class, vulnerabilities present, features, etc.
• Step 1: Capturing the devices
• Step 2: Gathering information
IMPLEMENTATION | SURVEILLANCE
Result
Attacks | Version 1s | Version 2s | Version 3s | Version 4s/5s | Comments
Surveillance | N/A | Success | Success | Success | Tools work with every version, but V1s wasn't available and the device should be in discovery mode.
IMPLEMENTATION | FUZZER ATTACK
• A fuzzer attack in Bluetooth is a technique used by attackers to test Bluetooth applications. It can crash the device by submitting non-standard input to the Bluetooth stack to achieve malicious outcomes.
• Attack on Bluetooth Version 2
• Attack on Version 3
• Attack on Version 4 and Version 5
IMPLEMENTATION | FUZZER ATTACK
Result
Attacks | Version 1s/5s | Version 2s | Version 3s | Version 4s | Comments
Fuzzer Attack | N/A | Success | Success | Failed | Works on V2 and V3; for other versions it depends on the security mechanism.
RANGE EXTENSION
• Used to extend Bluetooth range to over 1 km
• Range extension uses a Yagi antenna (pictured)
• Operates on the same 2.4 GHz frequency range
• Used as a basis for the other attacks
SNIFFING
Available tools:
• BlueSniff: Through BlueSniff, we have scanned devices, such as a Version 5 device, to get some results on how the device is functioning in terms of frequency. The sdptool has been used to monitor and execute the scan and check for traffic, if there is any.
• HCI Dump: HCIDump is a tool to monitor Bluetooth traffic. It has access to Bluetooth sockets to monitor internal and external Bluetooth traffic.
SNIFFING
Result of Sniffing Stage
# | Test Steps | Data | Expected Result | Actual Result
1 | BlueSniff tool to scan for the devices | Run the command hcitool scan | Scans the devices and gets the information. | Scans the devices and gets the information.
2 | Initiate the sdptool browse command | Run the command sdptool browse | sdptool browses to the destination IP address to get the MAC address. Captures the devices within range and shows the MAC address. | Captured the devices within range. Shows MAC address.
3 | Initiate btmon | Run the command btmon -i hci0 -w | It shows the HCI dump history in Wireshark for the device. | It shows the HCI dump history in Wireshark for the device.
MAN-IN-THE-MIDDLE
• Bthidproxy:
MAN-IN-THE-MIDDLE
Result of MITM Attack Stage
# | Test Steps | Data | Expected Result | Actual Result
1.a. | Bthidproxy | Run the command make file | To form a connection between the host device and the HID device. | N/A
1.b. | Run the bthidproxy | | Capture the host machine data and replicate the HID device. | N/A
DENIAL OF SERVICE (DOS)
• Uses the Bluetooth L2CAP protocol
• Repeatedly sending ping requests to a MAC address
• Battery exhaustion
• BlueSYN attack: a hybrid between ICMP and L2CAP
DOS
Result:
Attacks | Version 1s | Version 2s | Version 3s | Version 4s/5s | Comments
DOS | N/A | Success | Failed | Failed | Only works on V2; for other versions it only drains the devices' battery life.
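As an added example (not part of the original slides), a defender-side check for the L2CAP ping flood described above: it parses HCI monitor lines in a constructed, simplified btmon-like format (the layout and the "from <BD_ADDR>" field are assumptions, not real btmon output) and flags any address whose echo requests exceed a threshold inside a sliding time window, which is the pattern behind the battery-drain result in the table.

```python
"""Flag L2CAP echo-request (ping) floods in HCI monitor output.

Added example, not from the original slides. The line format below is a
constructed simplification loosely modelled on btmon text output:
    <seconds> ACL Data RX: L2CAP: Echo Request (0x08) from <BD_ADDR>
Real btmon output differs; adapt LINE_RE to the capture you actually have.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+.*L2CAP: Echo Request \(0x08\) from "
    r"(?P<addr>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})$"
)


def parse_echo_requests(log_text):
    """Return (timestamp, bd_addr) for every echo-request line in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m.group("ts")), m.group("addr")))
    return events


def detect_ping_flood(log_text, window_s=1.0, threshold=20):
    """Return {bd_addr: peak_count} for addresses whose echo requests
    exceed `threshold` within any sliding window of `window_s` seconds."""
    windows = defaultdict(deque)   # per-address timestamps inside the window
    peaks = defaultdict(int)       # highest in-window count seen per address
    for ts, addr in sorted(parse_echo_requests(log_text)):
        q = windows[addr]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps that fell out
            q.popleft()
        peaks[addr] = max(peaks[addr], len(q))
    return {a: n for a, n in peaks.items() if n > threshold}


# Constructed sample: one address sending 30 echo requests in 0.3 s (flood)
# and one sending three benign pings a second apart.
FLOOD_ADDR = "AA:BB:CC:DD:EE:01"
BENIGN_ADDR = "AA:BB:CC:DD:EE:02"
SAMPLE_LOG = "\n".join(
    [f"{i * 0.01:.3f} ACL Data RX: L2CAP: Echo Request (0x08) from {FLOOD_ADDR}"
     for i in range(30)]
    + [f"{t:.3f} ACL Data RX: L2CAP: Echo Request (0x08) from {BENIGN_ADDR}"
       for t in (0.5, 1.5, 2.5)]
)

if __name__ == "__main__":
    print(detect_ping_flood(SAMPLE_LOG))  # {'AA:BB:CC:DD:EE:01': 30}
```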
UNAUTHORISED DIRECT DATA ACCESS (UDDA)
• Gaining access to the device to read and extract sensitive data
• Car Whisperer attack
• BlueBugging
• AT commands
UDDA
Result:
Attacks | Version 1s | Version 2s | Version 3s | Version 4s/5s | Comments
Unauthorised direct data access | N/A | N/A | N/A | N/A | Could not try the attack because of a lack of resources; it needed a specific device to implement it.
MALWARE
MALWARE IMPACT ON LIFECYCLE OF THREATS (figure)
MALWARE
• Result of Malware Attack Stage
# | Test Steps | Data | Expected Result | Actual Result
1 | BlueBag | Run malware in public areas | To spread malicious data without any alert. | N/A
2 | Caribe | Run worm | To attack users using Symbian OS. | N/A
3 | CommWarrior | Run virus | To use the worm in the form of Bluetooth MMS. | N/A
4 | Skuller | Run trojan | To spread the trojan with the use of a Symbian OS worm. | N/A
VULNERABILITIES
Vulnerability | Remarks | Version
Data encryption when in motion | Data and authentication are not encrypted when in motion. This can result in information breaches. | V1.0, V1.1
The security PINs are too short for Bluetooth devices | Having a short and weak PIN for the device is a security vulnerability, as it can be easily guessed. | V1.1, V1.2, V2.0
Device authentication is predictable | Having a predictable authentication value may lead to a man-in-the-middle or impersonation attack. | V1.1, V1.2
Lack of PIN management | Due to the lack of a security mechanism, it is difficult to manage multiple users, so scalability is a problem. | V1.1, V1.2, V2.0
The master key is shared during connection establishment | The master key shouldn't be broadcast. | All
The services for security are limited | Additional security services must be incorporated within Bluetooth for better overall performance and productivity. | All
CHALLENGES
• Covid-19
• Access to labs
• Public vulnerability scanning
• Virtual machines
• Sourcing devices
• Change of project title
RISK ASSESSMENT
• Sniffing: Medium
• MITM: Medium
• UDDA: High
• DOS: Low
• Malware: Medium
• Fuzzer: Medium
Risk is assessed on:
• Age of device
• Version of Bluetooth
• Result of successful attack
• Controls/patches in place
MITIGATION MEASURES AND SECURITY RECOMMENDATION FOR USER AWARENESS
1. Avoid sharing sensitive content or data, as Bluetooth cannot be totally relied on to share content that is sensitive.
2. Remember to keep the Bluetooth setting on "not discoverable" all the time.
3. Always check that the devices you pair your Bluetooth devices with are authenticated.
4. Avoid turning on Bluetooth or sharing content over Bluetooth in public places.
5. Do not forget to unpair devices once the work has been done.
6. Always keep devices up to date and install security patches.