1

Identifying and Assessing Security Issues related to Bluetooth Wireless Networks

Gregory Lamm Jorge Estrada Gerlando Falauto Jag Gadiyaram
University of Virginia

November 29, 2000

A Christmas Carol
2

Charles Dickens had it right-for every major issue (or story) in the world, there is usually a Past, a Present and a Future that are clearly identifiable.

Group 11 would like to tell you a story.

University of Virginia

The Ghost of Bluetooth Past

10th Century Danish King (unified warring Viking Tribes): Harald Bluetooth No Wireless Networks prior to 20th Century New Wireless Transmission Schemes for the 21st Century
802.11b Home Radio Frequency Bluetooth (version 1.0)
University of Virginia

Past Bluetooth Attacks

4

1. Third Party Eavesdropping & Impersonating

A B

2. Stealing Addresses from a Bluetooth Device Tracking the device through the network Impersonate a device
University of Virginia

The Ghost of Bluetooth Present

Ad hoc Networks Bluetooth Chip: $50 Range: 10 meters (30 feet) Throughput: 720,000 bps Peer to Peer Piconet (8/250) Scatternet (10 Piconets)

University of Virginia

Bluetooth
6

(Special Interest Group)

1,900 Bluetooth Technology Manufactures

University of Virginia

Bluetooth Applications
7

University of Virginia

Bluetooth Development
8

Local Area Network (LAN)

Small Network Large Throughput IR or Radio Communication Relays not used Fixed with limited mobility Small Distances

Wireless Phone Network

Large Network Small Throughput Radio Communication Relays used Mobility Large Distances
University of Virginia

Bluetooth Overview
9 Local Area Network (LAN)

Radio Frequency Hopping (1600 Hps) Communication 2.4GHz Frequency Range RF Interface 720 Kbps 4 Mbps
Challenge-Response Scheme Authentication SAFER+ None/One-way/Mutual Needed for encryption Optional Symmetric Stream Cipher Negotiable Key Size (8-128 bits) Clock dependent
University of Virginia

Wireless Phone Network

Encryption

Bluetooth Communication
10

Radio Frequency Communications (RF C)

Controls Frequency Hopping for Bluetooth

Logical Link Control (LLC)

Link Management Security Management QoS Management Transmission Scheduling

Link Manager Protocol (LMP)

Configure, authenticate and handle the connections Power management scheme
University of Virginia

Bluetooth Authentication
11

Link key generation KLINK

PIN Random # B (Claimant) E1 (SAFER+)

A (Verifier)
BD_ADDRB KLINK AU_RAND CHECK SRES = SRES E1 (SAFER+)

BD_ADDRB BD_ADDRB KLINK AU_RAND

AU_RAND

SRES ACO

SRES ACO

SRES
Encryption key generation
University of Virginia

Bluetooth Encryption
12

A
BD_ADDRA clockA KC

Is everything OK? BD_ADDR E Yes, BUT... clock K

0

A A

E0
Kcipher

Kcipher

Kcipher

Kcipher

dataA-B
Kcipher

dataA-B

data

Kcipher

dataB-A

dataB-A
University of Virginia

13

The Ghost of Bluetooth Future

Security Weaknesses
Encryption
Plain Text Attack

Authentication
Unit Key Stealing

Communication
Impersonation
University of Virginia

Bluetooth Applications
14

University of Virginia

Conclusions
15

As Viking Hackers, we believe that Bluetooth has some vulnerabilities and some increased security measures are needed.

Security

Functionality

University of Virginia