Bluetooth Security

Abstract

Bluetooth is one of the most widely used technologies, found in devices such as mobile phones, gaming consoles, laptops and computer peripherals. This article discusses Bluetooth security: the technology standards, security features, vulnerabilities and risks associated with using Bluetooth-enabled devices.

Introduction

Wireless technology enables devices to communicate without physical connections such as cables. Communication is performed via radio waves, so reliability depends on surrounding physical objects such as walls. Because wireless networks broadcast their data, data security is a concern. WLAN, WPAN and ad hoc networks use wireless technology to communicate and are implemented by sets of standards: WLAN uses the IEEE 802.11 standard, while WPAN and ad hoc networks use the Bluetooth standard [IEEE01].

The Bluetooth standard allows a number of devices to communicate in dynamically changing network topologies. It uses frequency hopping spread spectrum, which makes it a short-range technology. Its main usage area is battery-powered devices with limited power consumption, such as mobile devices and PDAs.

There are a number of information security risks when using Bluetooth technology to transfer data within private and public networks; these risks are increased by factors such as misconfiguration, end users not using the available security capabilities, and accessing unsafe networks.

According to K. Scarfone and J. Padgette (2008), Bluetooth devices have different operating ranges and are categorized into three classes: Class 1, which ranges up to 100 meters and uses the highest power; Class 2, which ranges up to 10 meters and uses medium power; and Class 3, which ranges up to 1 meter and uses the lowest power. Class 2 is mostly used by mobile devices. These numbers are designed operating ranges, so an attacker might be able to communicate at significantly larger distances by using high-gain antennas.

Bluetooth security features

There are four main information security services that protect Bluetooth devices and apply to all of the Bluetooth layers:

  1. Identification: identifying each entity, such as a user or device, so that it can be recognized and distinguished from others. Identification is performed by the first two layers of the device, the physical and Bluetooth layers.
  2. Authentication: verifying the identity of the communicating device before allowing access to the available services. Authentication for each layer is performed independently, and each layer is responsible for its own authentication.
  3. Confidentiality: preventing information compromise. Confidentiality guarantees that information stored on the device host is not provided to unauthorized persons or processes.
  4. Authorization: checking whether the device is permitted to use a service on the Bluetooth-enabled host device.

Additionally, Bluetooth defines four security modes, and a Bluetooth device must operate in one of them:

  1. Non-secure mode, in which authentication and encryption are bypassed.
  2. Service level-enforced security mode, in which security procedures are initiated after link establishment.
  3. Link level-enforced security mode, which supports authentication and encryption based on a separate secret link key.
  4. Service level-enforced security mode that initiates authentication and encryption after link setup.

Keijo (2008) describes secure simple pairing in six phases:

  1. Capability exchange: if it is the first time the devices connect, they exchange their input and output capabilities.
  2. Public key exchange: each device generates a private and public key pair, and the devices exchange their public keys.
  3. Authentication stage 1: depending on the association model, ensuring that there is no MITM (man-in-the-middle) in the communication.
  4. Authentication stage 2: performed once the devices have finished exchanging and validating the integrity of the public keys and nonces.
  5. Link key calculation: both devices calculate the link key using their Bluetooth addresses.
  6. LMP authentication and encryption, which generates the encryption keys.
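As an added illustration of the six phases above (not code from this article or from Haataja's paper), the following Python simulation runs a numeric-comparison pairing between two devices. It assumes a toy finite-field Diffie-Hellman group in place of the specification's P-192 ECDH and HMAC-SHA256 in place of the f1/g/f3/f2 functions, and it includes a case where the public keys are replaced in transit to show how the stage-1 display check exposes that condition.

```python
import hashlib
import hmac
import random
import secrets

# Toy Diffie-Hellman group standing in for the P-192 ECDH of real SSP
# (assumption: a small prime keeps the arithmetic readable).
P, G = 2**127 - 1, 5


def f(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the spec's f1/g/f3/f2 functions (assumption)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def run_ssp(addr_a: bytes, addr_b: bytes, substitute_keys=False, seed=None):
    """Six SSP phases between A and B (numeric comparison). With substitute_keys
    the public keys are swapped in transit: the case the stage-1 check exposes."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()

    def keypair():
        priv = rng.randrange(2, P)
        return priv, pow(G, priv, P).to_bytes(16, "big")

    io_a = io_b = b"\x01"                       # phase 1: both report DisplayYesNo
    a, pk_a = keypair()                         # phase 2: each side generates a
    b, pk_b = keypair()                         #          key pair and sends pk
    recv_b, recv_a = pk_a, pk_b                 # what each side actually receives
    if substitute_keys:
        recv_b = recv_a = keypair()[1]          # an in-path device's own key
    # phase 3 (authentication stage 1): nonces exchanged (B commits to Nb before
    # seeing Na); each display shows a 6-digit value the users must compare
    na = rng.getrandbits(128).to_bytes(16, "big")
    nb = rng.getrandbits(128).to_bytes(16, "big")
    va = int.from_bytes(f(na, pk_a, recv_a, nb), "big") % 10**6
    vb = int.from_bytes(f(na, recv_b, pk_b, nb), "big") % 10**6
    if va != vb:
        return {"stage1_ok": False}             # different numbers: users abort
    # phase 4 (authentication stage 2): DHKey check over nonces, IO caps, addresses
    dh_a = pow(int.from_bytes(recv_a, "big"), a, P).to_bytes(16, "big")
    dh_b = pow(int.from_bytes(recv_b, "big"), b, P).to_bytes(16, "big")
    ea = f(dh_a, na, nb, io_a, addr_a, addr_b)  # A -> B; B recomputes with dh_b
    eb = f(dh_b, nb, na, io_b, addr_b, addr_a)  # B -> A; A recomputes with dh_a
    if ea != f(dh_b, na, nb, io_a, addr_a, addr_b) or eb != f(dh_a, nb, na, io_b, addr_b, addr_a):
        return {"stage1_ok": True, "stage2_ok": False}
    # phase 5: link key bound to DHKey, both nonces and both BD_ADDRs
    link_key = f(dh_a, na, nb, b"btlk", addr_a, addr_b)
    # phase 6: LMP derives the encryption key from the link key
    return {"stage1_ok": True, "stage2_ok": True,
            "link_key": link_key, "enc_key": f(link_key, b"encrypt")}
```

Because the link key is bound to both BD_ADDRs, the same key material paired with a different address pair yields a different link key, which is what phase 5 relies on.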

Vulnerabilities

A vulnerability is a weakness in a system that can be exploited and gives attackers an opportunity to perform an attack. Alfred Loo (2009) concludes that most of the existing threats come from the ignorance of users, improper security implementation by some manufacturers, and the inactive attitude of many corporations.

Here are some of the information security vulnerabilities and the possible risks associated with them:

  • Identification: If a mobile device that was previously paired with other devices is stolen, it can be used to access data on those devices.
  • Authentication: If authentication parameters are transmitted in clear text, attackers can gather this information by eavesdropping. Another example is the use of short or default PINs, which lets attackers find them easily by brute force. Shaked and Wool (2005) have shown that it is very easy to crack the PIN used by a Bluetooth device when pairing with another device.
  • Authorization: If a single authorization covers all of the services available on the device, the risk of data access increases once an attacker has obtained authorization.
  • Confidentiality: If the radio traffic is not encrypted, attackers can capture the radio data using protocol sniffers. Another example is all devices using a shared master key: if it is discovered by attackers, it can be used to decrypt all of the transmitted data.
  • Integrity: If per-packet integrity checks are not implemented, attackers can manipulate the data without being detected.
  • Non-repudiation: If event auditing is disabled, it will not be possible to trace events in order to identify the attackers.
  • Availability: Other applications may operate in the same frequency band and alter the transmitted data.
  • Physical security: If secure hardware design is not applied, the memory can be accessed by opening the device hardware.
  • Anonymity: The manufacturer of a Bluetooth device can be found from the first three bytes of the BD_ADDR; this value can be used to map the device to a user and gather further details about the device to support future attacks. Attackers can also still find devices set to non-discoverable mode and obtain their details.
  • User awareness: Choosing simple PIN numbers helps attackers guess the PIN and pair with the devices.
  • Proximity security: Although the Bluetooth specification defines the maximum range as 100 meters, F. Tvrz and M. Coetzee (2010: p75) state that the hardware providing Bluetooth functionality has been successfully modified to increase transmission range to 1.77 kilometres.
  • Implementation security: If any one of the layers between source and destination is not secure, attackers may use it to gain access to all of the data.

Attacks on Bluetooth

Attacks use misconfiguration and vulnerabilities to compromise the information security services of Bluetooth-enabled devices. F. Tvrz and M. Coetzee (2010: p92) have categorised these attacks into two main categories (passive and active) and four main types:

  1. Interruption, which causes devices to become unavailable by sending malicious data to them. These attacks fall under the active category since they involve modifying the data streams. An example is a denial of service attack.
  2. Interception, which involves attempts to gain unauthorized access to the mobile phone. These are passive attacks since they do not result in any changes to the device. Eavesdropping and traffic analysis are examples; in these attacks Bluetooth transmissions are monitored to find communication patterns.
  3. Modification, which includes altering the content and data on the Bluetooth-enabled device. These attacks also fall under the active category. Message modification is an example, in which a legitimate message is changed by editing or deleting it.
  4. Fabrication, in which attackers bypass authentication and gain access to the device by producing counterfeit data. Fabrication is an active attack; examples are relay and masquerade attacks. In relay attacks, transmissions are monitored and the attacker retransmits the data to the Bluetooth device as if from a legitimate user. Masquerading involves impersonating an authorized user to gain access to Bluetooth devices.

Attackers can increase the communication range by connecting an external antenna to the Bluetooth dongle, which helps them to attempt access to devices over a larger range. Using a sniffing device, they can collect all of the communication taking place on all 79 frequencies or reply to the victim device. Pairing is the best opportunity for attackers to compromise information security if the device number and random number are transmitted in clear text.

Bluetooth worms, viruses and Trojans are another way to gain access to Bluetooth devices. The way a Bluetooth worm infects a device differs from worms that spread over the Internet: a Bluetooth infection occurs only when the source and victim devices are within range of each other.

Attacks can be performed across all layers and at different stages, so it is critical to detect them and to configure the device to secure it against them. One method organizations can use to detect possible attacks is honeyclients. O'Connor and Sangster (2010) introduced honeyM, a framework for implementing virtual honeyclients for mobile devices, which can be used to gather more information about attacks. They also demonstrated that honeyM could simulate several different vulnerable mobile devices and deceive multiple scanning and detection tools.

Conclusion

Bluetooth makes it possible to create short-range ad hoc connections within both private and public networks. Bluetooth-enabled devices present new risks in public and private environments, since wireless networks extend beyond the boundaries of traditional wired networks. These risks exist on all layers of the Bluetooth device.

Identification, authentication, confidentiality and authorization are the four information security services that must be performed to protect the data and the Bluetooth-enabled devices. Protection also depends on the security mode in which the device is configured to operate. These services are provided on the wireless link, while the operating system, application and user layers are responsible for their own information security. There are a number of vulnerabilities that attackers can use to gain access to the device. End users must be aware of the risks of using Bluetooth devices, and organizations should understand the security concepts and configurations that reduce these risks.

References

  • K. Scarfone and J. Padgette. 2008. Guide to Bluetooth Security. NIST Special Publication 800-121.
  • F. Tvrz and M. Coetzee. 2010. Information Security of a Bluetooth-Enabled Handheld Device. Lambert Academic Publishing AG & Co. KG, Germany. 20-26, 72-86.
  • John D. Padgette. 2009. Bluetooth security in the DOD. In Proceedings of the 28th IEEE Conference on Military Communications (MILCOM '09). IEEE Press, Piscataway, NJ, USA, 2425-2430.
  • Alfred Loo. 2009. Technical opinion: Security threats of smart phones and Bluetooth. Commun. ACM 52, 3 (March 2009), 150-152. DOI=10.1145/1467247.1467282 http://doi.acm.org/10.1145/1467247.1467282
  • Y. Shaked and A. Wool. 2005. Cracking the Bluetooth PIN. In Proceedings of the 3rd USENIX/ACM Conference on Mobile Systems, Applications and Services (MobiSys), June 2005.
  • Keijo M. J. Haataja. 2008. New efficient intrusion detection and prevention system for Bluetooth networks. In Proceedings of the 1st International Conference on MOBILe Wireless MiddleWARE, Operating Systems, and Applications (MOBILWARE '08). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), Brussels, Belgium, Article 16, 6 pages.
  • T. J. O'Connor and Ben Sangster. 2010. honeyM: a framework for implementing virtual honeyclients for mobile devices. In Proceedings of the Third ACM Conference on Wireless Network Security (WiSec '10). ACM, New York, NY, USA, 129-138. DOI=10.1145/1741866.1741888 http://doi.acm.org/10.1145/1741866.1741888

About majid

Software engineer, Web developer and IT graduate.