Security of Bluetooth

Security of Bluetooth Máté Szalay szalaym@hit.bme.hu Bluetooth Security 1 Introduction      Wireless Standard Piconet (8 devices) Scatternet Range: ~10m LOS 1Mbps   64k voice 768k data   2.4 GHz v1.0, v1.1 Bluetooth Security 2 Bluetooth SIG Special Interest Group  Founded in 1998  www.bluetooth.com  Members:  IBM, Intel, Microsoft  Ericsson, Nokia, Motorola  Agere, 3COM, Toshiba  Bluetooth Security 3 Bluetooth Devices Cellular phones  Headsets  Earphones  Printers, keyboards …  Bluetooth Security 4 Bluetooth Security Goals Message Confidentiality  User Anonimity   Unique ID Bluetooth Security 5 Modes of Operation - 1  Discoverable Replies to everyone  Other piconet?  New device?   Non-Discoverable  Replies to devices already known Bluetooth Security 6 Modes of Operation - 2  Connectable  Replies to queries from already discovered nodes Does not reply  Non-Connectable  Bluetooth Security 7 Setting Up Communication Two devices  Not yet seen each other  Symmetric link key is set up  No shared secret  PIN based  Man-in-the-middle attacks  Bluetooth Security 8 Setting Up Link Key Two methods  1. Insufficient Memory  Using the unit key as link key  Impersonation attacks!   2. Sufficient Memory Initialization key  Mutual Authentication  Exchange of random numbers  Link key generation  Bluetooth Security 9 Initialization Key Generation A RND a(B) PIN RND B RND a(B) PIN IK CH1 a(B) IK CH1 IK CH1 a(B) IK RESP1 RESP1’ … RESP1 Bluetooth Security 10 Link Key – Method 1 A B EIK{KA} KA is the link key  Can be different from unit key!  Bluetooth Security 11 Link Key – Method 2 A randA a(A) B randB a(B) LK_Ka EIK{LK_Ka} LK_Kb EIK{LK_Kb} (LK_KaLK_Kb) is the link key  Mutual Verification  Bluetooth Security 12 Link Key - Attacks Attacker obtains initialization key  PIN length!  Attacker obtains unit key  Link key computed from initialization key  Encryption keys are computed from link key  Bluetooth Security 13 Location - 1 Attacker traces movement of bluetooth users  Owns or leases several bluetooth devices  $10/device  Well placed (airports)   Records identities Bluetooth Security 14 Location - 2 Discoverable mode  Non-discoverable mode  Wait for the user to initiate  Gaining control over user’s device   Controlling only user’s device Bluetooth Security 15 Linking Identities   Consumer identity is known  e.g.: credit card transfer Probabilistic matches Bluetooth Security 16 Encryption Engine   4 LFSRs  Lengths: 25, 31, 33, 39 Two 2-bit registers  Broken: 2100 time  266 time + 266 memory  Bluetooth Security 17 Countermeasures PIN length > 64 bit  Protecting unit keys  Application layer security  Replacing the Cipher  Bluetooth Security 18 Thank you for your attention! szalaym@hit.bme.hu Bluetooth Security 19