Bluebag Seminar 2011
Dept. Of Computer Science & Engg. I ESCE, Chittilappilly
ABSTRACT
Current Bluetooth worms pose relatively little danger compared to Internet scanning worms, but things might change soon. The authors' BlueBag project shows targeted attacks through Bluetooth malware using proof-of-concept code and devices that demonstrate their feasibility. Basically, it is a Bluetooth-sniffing computer hidden in a suitcase that was rolled through train stations, a shopping center, and even a computer security conference show floor this year to see how many Bluetooth-enabled devices attackers could potentially infect with a worm or a virus.
The purpose of BlueBag is to gather data on the prevalence of insecure devices, to understand how susceptible people are to simple social engineering attacks, and to demonstrate the feasibility of attacks in secured areas. The need to mount any type of attack without being noticed led the authors to create a covert attack and scanning device, which they later came to call the BlueBag.
INTRODUCTION
Mobile computing is quickly gaining ground in our daily experience; for this reason it is very important to understand the potential risks linked with all types of wireless devices. Bluetooth has become the pervasive technology supporting wireless communication in various contexts of everyday life. It is basically the new alternative to infrared and is based on a short-wave radio technology able to transmit data across physical obstacles such as walls or other objects. At present, the greatest level of diffusion is witnessed in so-called smart phones, the latest generation of cellular phones: devices that, on top of offering all the functions of cutting-edge telephone technology, enclose functions and applications typical of palm pilots, managed by an operating system such as Symbian or Microsoft Windows Mobile. The Bluetooth group has been working hard to show hardware firms and users the technology's versatility. Finding and connecting to other Bluetooth devices was sometimes difficult; future versions of the Bluetooth software will hide this complexity and make devices negotiate a radio link without the need for setting up pairing codes.
The cellular phone represents in fact a precious source of personal data with its phonebook, messages, agenda and much more. Wireless networks pose a threat to the security of anyone using them, warn security experts. Many organizations and individuals are turning to wireless networks because they are easy to set up and make it much easier to re-arrange offices or computer equipment. The cost of this convenience can be a significant drop in security, particularly now that tools are available to let people spot and penetrate these wireless networks. Smart phones are now very similar to personal computers; because of this, they are at the same time more vulnerable, more useful and more attractive for a potential attack. This increased vulnerability is due to the presence of a system of evolved connectivity applications that expose the telephone and the data it contains to a series of risks deriving from activities such as sending e-mail, the transfer of data through the Internet, the exchange of MMS and WAP messages and the use of accessories.
viral epidemic, using well-known attacks that are constantly evolving. Specifically, communications that take place through Bluetooth connections become potential vehicles for viruses and the target of attacks that can extract information from the smart phone. Mobile phones are more vulnerable than PCs because a computer typically has a single entry port, whereas a phone has many: GSM, GPRS, Bluetooth, IR and so on.
The immediate need for Bluetooth came from the desire to connect peripherals and devices without cables. The available technology, IrDA OBEX (IR Data Association Object Exchange Protocol), is based on IR links, which are limited to line-of-sight connections. Bluetooth integration is further fueled by the demand for mobile and wireless access to LANs, the Internet over mobile and other existing networks, where the backbone is wired but the interface is free to move. This not only makes the network easier to use but also extends its reach. The advantages and rapid proliferation of LANs suggest that setting up personal area networks, that is, connections among devices in the proximity of the user, will have many beneficial uses.
Bluetooth could also be used in home networking applications. With increasing numbers of homes having multiple PCs, the need for networks that are simple to install and maintain is growing. There is also the commercial need to provide "information push" capabilities, which is important for handheld and other such mobile devices, and this has been partially incorporated in Bluetooth. Bluetooth's main strength is its ability to simultaneously handle both data and voice transmissions, allowing such innovative solutions as a mobile hands-free headset for voice calls, print-to-fax capability, and automatically synchronizing PDA, laptop, and cell phone address book applications.
CHAPTER 2
BASICS
Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The objective of the Bluetooth protocol is in fact to unify different wireless data transmission technologies among mobile and static electronic devices. The key features of Bluetooth technology are robustness, low power, and low cost. Bluetooth technology has achieved global acceptance such that any Bluetooth enabled device, almost everywhere in the world, can connect to other Bluetooth enabled devices in proximity. A fundamental strength of Bluetooth wireless technology is the ability to simultaneously handle both data and voice transmissions.
Bluetooth is the term used to describe the protocol of a short-range frequency-hopping radio link between devices. These devices are then termed Bluetooth-enabled. Bluetooth technology operates in the unlicensed industrial, scientific and medical (ISM) band at 2.4 to 2.485 GHz, using a spread spectrum, frequency hopping, full-duplex signal at a nominal rate of 1600 hops/sec. The 2.4 GHz ISM band is available and unlicensed in most countries. Bluetooth technology's adaptive frequency hopping (AFH) capability was designed to reduce interference between wireless technologies sharing the 2.4 GHz spectrum. The signal hops among 79 frequencies at 1 MHz intervals to give a high degree of interference immunity. AFH works within the spectrum to take advantage of the available frequencies. This is done by detecting other devices in the spectrum and avoiding the frequencies they are using. This adaptive hopping allows for more efficient transmission within the spectrum, providing users with greater performance even if using other technologies along with Bluetooth technology.
CHAPTER 3
ARCHITECTURE
The Bluetooth specification was developed in 1994 by Jaap Haartsen and Sven Mattisson, who were working for Ericsson Mobile Platforms in Lund, Sweden. The specification is based on frequency-hopping spread spectrum technology. The specifications were formalized by the Bluetooth Special Interest Group (SIG), which was established by Ericsson, IBM, Intel, Toshiba, and Nokia. Standard or Basic Rate transmission uses the Gaussian Frequency Shift Keying (GFSK) method, while EDR uses a combination of GFSK and Phase Shift Keying (PSK). Bluetooth protocols simplify the discovery and setup of services between devices. The Bluetooth core system consists of an RF transceiver, baseband, and protocol stack. The Bluetooth controller is a sub-system containing the Bluetooth RF, baseband, resource controller, link manager, device manager and a Bluetooth HCI.
3.1 PICONETS
Bluetooth enabled electronic devices connect and communicate wirelessly through short-range, ad-hoc networks known as piconets. Each device can also belong to several piconets simultaneously. The low range and low power of Bluetooth were intended for devices within a few meters of each other to swap information. An ad-hoc network is one typically created in a spontaneous manner; it requires no formal infrastructure and is limited in temporal and spatial extent. A piconet is an ad-hoc computer network, using Bluetooth technology protocols, that allows one master device to interconnect with up to seven active devices. The Bluetooth specification allows connecting two or more piconets together to form a scatternet, with some devices acting as a bridge by simultaneously playing the master role in one piconet and the slave role in another. Piconets are established dynamically and automatically as Bluetooth enabled devices enter and leave radio proximity. A piconet consists of two or more devices that occupy the same physical channel. The common clock is identical to the Bluetooth clock of one of the devices in the piconet, known as the master of the piconet, and the hopping sequence is derived from the master clock and the master Bluetooth device address.
All other synchronized devices are referred to as slaves in the piconet. The terms master and slave are only used when describing these roles in a piconet. Within a common location a number of independent piconets may exist. Each piconet has a different physical channel.
A Bluetooth enabled device may participate concurrently in two or more piconets. It does this on a time-division multiplexing basis. A Bluetooth enabled device can never be a master of more than one piconet. Any Bluetooth device can host any other Bluetooth device. This makes using services easier because there is no longer a need to set up network addresses or permissions as in many other networks. When an individual connects different Bluetooth devices together, he creates around himself a so-called PAN, that is, a small network with the possibility to exchange data and information as usually occurs with a regular company LAN.
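The two mechanisms described in Chapter 2 and in this section, a hop sequence fixed by the master's clock and address and AFH remapping hops away from channels other radios occupy, can be observed in a small simulation. The following is an added example written for this report; it is not code from the BlueBag project and not the hop-selection kernel of the Bluetooth specification. The real kernel is a bit-level function of the master clock and BD_ADDR; a SHA-256 hash over the same two inputs stands in for it here (an assumption), and the WLAN interferer, its channel range and the master address are constructed.

```python
"""Frequency hopping with an AFH channel map: a simplified simulation.

Stand-in kernel: SHA-256 over (master address, master clock) replaces the
specification's hop-selection function (assumption). What is kept from the
text: 79 channels 1 MHz apart, one hop per slot, a sequence fixed by the
master, and AFH remapping of hops that land on channels marked as unused.
"""
import hashlib

NUM_CHANNELS = 79        # channel k is centred on 2402 + k MHz, k = 0..78
HOPS_PER_SECOND = 1600   # nominal Basic Rate hop rate
AFH_MIN_USED = 20        # the spec requires at least 20 channels to stay in use


def basic_hop(master_addr: str, master_clock: int) -> int:
    """Channel for one slot; depends only on the master's address and clock (stand-in kernel)."""
    seed = f"{master_addr}:{master_clock}".encode()
    return int.from_bytes(hashlib.sha256(seed).digest()[:4], "big") % NUM_CHANNELS


def afh_hop(master_addr: str, master_clock: int, channel_map: list) -> int:
    """AFH: keep the basic hop if its channel is marked used, otherwise remap it onto a used channel.

    channel_map[k] is True when channel k may be used (no interferer detected there).
    """
    used = [k for k, ok in enumerate(channel_map) if ok]
    if len(used) < AFH_MIN_USED:
        raise ValueError("AFH needs at least %d usable channels" % AFH_MIN_USED)
    k = basic_hop(master_addr, master_clock)
    if channel_map[k]:
        return k
    # Remapping: index into the used-channel list with the kernel output
    # modulo the number of used channels, so unused channels are never visited.
    return used[k % len(used)]


def channel_map_avoiding(busy: set) -> list:
    """Build a channel map that marks the channels an interferer occupies as unused."""
    return [k not in busy for k in range(NUM_CHANNELS)]


def collision_fraction(master_addr: str, busy: set, slots: int = 16000) -> tuple:
    """Fraction of slots whose chosen channel overlaps the interferer, without and with AFH.

    16000 slots is ten seconds of hopping at 1600 hops/s.
    """
    cmap = channel_map_avoiding(busy)
    basic = sum(1 for c in range(slots) if basic_hop(master_addr, c) in busy)
    afh = sum(1 for c in range(slots) if afh_hop(master_addr, c, cmap) in busy)
    return basic / slots, afh / slots


# Constructed scenario: a 22 MHz wide 802.11b-style signal centred on 2437 MHz
# occupies Bluetooth channels 24..46 (2426..2448 MHz).
WLAN_BUSY = set(range(24, 47))
MASTER = "00:11:22:33:44:55"   # constructed master address

if __name__ == "__main__":
    before, after = collision_fraction(MASTER, WLAN_BUSY)
    print(f"slots colliding with the WLAN: {before:.1%} without AFH, {after:.1%} with AFH")
    # The same master always yields the same sequence; slaves follow it from the master clock.
    print([basic_hop(MASTER, c) for c in range(8)])
```

Without AFH roughly 23 of 79 hops (about 29 percent) land inside the interferer's band; with the channel map in place none do, which is the interference immunity the text attributes to AFH. A slave that has synchronized to the master clock computes the same `basic_hop` values and so follows the same channels.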
3.2 CLASSIFICATION
With regard to power, Bluetooth devices can be grouped in grades, each corresponding to a different reach:
Grade 1 - able to communicate with Bluetooth devices in a 100 m range.
Grade 2 - able to communicate with Bluetooth devices up to a 10 m range.
Grade 3 - able to communicate with Bluetooth devices within a 1 m range.

Class      Maximum Permitted Power mW (dBm)
Grade 1    100 mW (20 dBm)
Grade 2    2.5 mW (4 dBm)
Grade 3    1 mW (0 dBm)
Table 1. The various classes of Bluetooth devices and their maximum power.

Version                       Data Rate
Version 1.2                   1 Mbit/s
Version 2.0 + EDR             3 Mbit/s
WiMedia Alliance (Proposed)   53 - 480 Mbit/s
Table 2. Data rates of various Bluetooth versions.

Documentation on Bluetooth is split into two sections, the Bluetooth Specification and Bluetooth Profiles.
The Specification describes how the technology works (the Bluetooth protocol architecture).
The Profiles describe how the technology is used (how different parts of the specification can be used to fulfill a desired function for a Bluetooth device).
3.3 CORE SYSTEM ARCHITECTURE
The Bluetooth core system covers the four lowest layers and associated protocols defined by the Bluetooth specification as well as one common service layer protocol, the Service Discovery Protocol (SDP); the overall profile requirements are specified in the Generic Access Profile (GAP). A complete Bluetooth application requires a number of additional services and higher layer protocols that are defined in the Bluetooth specification.
The lowest three layers are sometimes grouped into a subsystem known as the Bluetooth controller. This is a common implementation involving a standard physical communications interface between the Bluetooth controller and the remainder of the Bluetooth system, including the L2CAP, service layers and higher layers (known as the Bluetooth host). Although this interface is optional, the architecture is designed to allow for its existence and characteristics. The Bluetooth specification enables interoperability between independent Bluetooth enabled systems by defining the protocol messages exchanged between equivalent layers, and also interoperability between independent Bluetooth sub-systems by defining a common interface between Bluetooth controllers and Bluetooth hosts.
Figure 2. Core System Architecture
3.4 BLUETOOTH PROTOCOL STACK
Figure 3. Bluetooth Protocol Stack
The Bluetooth Specification allows for developing interactive services and applications over interoperable radio modules and data communication protocols. The ultimate objective of the Specification is to allow applications written in a manner that is conformant to the Specification to interoperate with each other. To achieve this interoperability, matching applications in remote devices must run over identical protocol stacks. Each one of these different protocol stacks uses a common Bluetooth data link and physical layer.

Protocol layer                 Protocols in the stack
Bluetooth Core Protocols       Baseband [1], LMP [2], L2CAP [3], SDP [4]
Cable Replacement Protocol     RFCOMM [5]
Telephony Control Protocols    TCS Binary [6], AT-commands [7], [8], [9]
Adopted Protocols              PPP [10], UDP/TCP/IP [10], OBEX [11], WAP [12], vCard [13], vCal [14], IrMC [15], WAE [16]
Table 3. The protocols and layers in the Bluetooth protocol stack.
3.5 BLUETOOTH CORE PROTOCOLS
- Baseband - The Baseband protocol forms the lowest layer in the Bluetooth architecture. It is responsible for the functionality contained in the physical layer of the OSI/ISO model, but also performs some tasks from higher layers. Its main tasks are synchronization, transmission of the information, error correction, logical channel division and data whitening. Bluetooth supports both synchronous and asynchronous channels.
Figure 4. Standard Basic Rate packet format: ACCESS CODE | HEADER | PAYLOAD
Figure 5. Standard Enhanced Data Rate packet format
- Link Manager Protocol (LMP) - The link manager protocol is responsible for link set-up between Bluetooth devices. This includes security aspects like authentication and encryption by generating, exchanging and checking link and encryption keys, and the control and negotiation of baseband packet sizes. Furthermore it controls the power modes and duty cycles of the Bluetooth radio device, and the connection states of a Bluetooth unit in a piconet.
- Service Discovery Protocol (SDP) - Discovery services are a crucial part of the Bluetooth framework. These services provide the basis for all the usage models. Using SDP, device information, services and the characteristics of the services can be queried and after that, a connection between two or more Bluetooth devices can be established. SDP is defined in the Service Discovery Protocol specification.
- Logical Link Control and Adaptation Protocol (L2CAP) - The Bluetooth logical link control and adaptation protocol adapts upper layer protocols over the baseband. It can be thought of as working in parallel with LMP, with the difference that L2CAP provides services to the upper layer, whereas payload data is never sent in LMP messages. L2CAP provides connection-oriented and connectionless data services to the upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. Although the Baseband protocol provides the SCO and ACL link types, L2CAP is defined only for ACL links and no support for SCO links is specified in Bluetooth Specification 1.0. The figure illustrates the use of the channel identifier (CID) in a communication between corresponding peer L2CAP entities in separate devices.
Figure 6. Bluetooth Core Protocol
3.6 CABLE REPLACEMENT PROTOCOLS
RFCOMM - RFCOMM is a serial line emulation protocol and is based on the ETSI 07.10 specification. This "cable replacement" protocol emulates RS-232 control and data signals over the Bluetooth baseband, providing transport capabilities for upper level services that use a serial line as transport mechanism. The figure below illustrates point-to-point signaling to establish a voice or data call in a single-point configuration. First the other device is notified of the call request using the point-to-point signaling channel (A). Next, this signaling channel is used to further establish the speech or data channel (B).
Figure 7. Signalling in a single point configuration
Figure 8.Point-to-point signalling in a single point configuration
3.8 BLUETOOTH PROFILES
The Generic Object Exchange profile defines the protocols and procedures that shall be used by the applications providing the usage models which need the object exchange capabilities. The usage model can be, for example, the Synchronization, File Transfer, or Object Push model.
The most common devices using these usage models can be notebook PCs, PDAs, smart phones, and mobile phones. The Bluetooth profile structure and the dependencies of the profiles are depicted. A profile is dependent upon another profile if it re-uses parts of that profile, by implicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile has dependencies on the profile(s) in which it is contained, directly and indirectly. For example, the Object Push profile is dependent on the Generic Object Exchange, Serial Port, and Generic Access profiles.
frequency at the same time. It is unlikely that two transmitters will be on the same frequency at the same time. This same technique minimizes the risk that portable devices will disrupt Bluetooth devices, since any interference on a particular frequency will last only a tiny fraction of a second. When Bluetooth-capable devices come within range of one another, an electronic conversation takes place to determine whether they have data to share or whether one needs to control the other. Any Bluetooth device will transmit the following information on demand:
- Device name.
- Device class.
- List of services.
- Technical information, for example, device features, manufacturer, Bluetooth specification used, clock offset.
Pairs of devices may establish a trusted relationship by learning a shared secret known as a passkey. A device that wants to communicate only with a trusted device can cryptographically authenticate the identity of the other device. Trusted devices may also encrypt the data that they exchange over the airwaves so that no one can listen in. The encryption can be turned off, and passkeys are stored on the device file system. Since the Bluetooth address is permanent, a pairing is preserved even if the Bluetooth name is changed. Pairs can be deleted at any time by either device. Devices generally require pairing or prompt the owner before they allow a remote device to use any or most of their services. Some devices, such as mobile phones, usually accept OBEX business cards and notes without any pairing or prompts. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 Kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate (EDR) and reach 2.1 Mbit/s.
The steps involved in trusted Bluetooth pairing are:
Charge the Devices.
Power up the Devices.
Turn the Bluetooth Functionality On.
Make the Devices Visible.
Place Both Devices in the Connection Mode.
Enter the Passcode.
Deleting or Disconnecting Trusted Devices.
CHAPTER 5
SECURITY ISSUES
Bluetooth implements confidentiality, authentication and key derivation with custom algorithms. In Bluetooth, key generation is generally based on a Bluetooth PIN, which must be entered into both devices. This procedure might be modified if one of the devices has a fixed PIN. During pairing, an initialization key or master key is generated. The stream cipher is used for encrypting packets, granting confidentiality, and is based on a shared cryptographic secret, namely a previously generated link key or master key. Bluetooth offers several security modes, and device manufacturers determine which mode to include in a Bluetooth-enabled gadget. The Bluetooth specification includes security features at the link level. These features are based on a secret link key that is shared by a pair of devices. To generate this key a pairing procedure is used when the two devices communicate for the first time. Service level security and device level security work together to protect Bluetooth devices from unauthorized data transmission.
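The pairing, authentication and encryption flow described in Chapter 4 and in the paragraph above can be run end to end as a model. The following is an added example written for this report, not code from the BlueBag project and not the specification's algorithms: Bluetooth derives the initialization key (E22), the authentication response (E1) and the encryption keystream (E0) from SAFER+ and LFSR-based functions, and here HMAC-SHA256 and a SHA-256 keystream stand in for them (an assumption). The device addresses and PINs are constructed. What the model keeps is the data flow: the PIN entered on both sides seeds the key, each device stores the link key under the peer's permanent address, a request from an address with no stored key is refused, and authentication is a challenge/response on the stored key.

```python
"""PIN-based pairing, link-key authentication and link encryption as data flow.

Stand-ins (assumption): HMAC-SHA256 replaces E22 and E1, a SHA-256 counter
keystream replaces the E0 stream cipher. Addresses and PINs are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def e22_init_key(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialization key from the shared PIN, the responder's address and a random nonce (stand-in for E22)."""
    return hmac.new(pin, bd_addr + in_rand, hashlib.sha256).digest()[:16]


def e1_response(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """Signed response SRES to a challenge AU_RAND (stand-in for E1)."""
    return hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()[:4]


def e0_keystream(link_key: bytes, clock: int, length: int) -> bytes:
    """Keystream for one packet, keyed by the link key and the master clock (stand-in for E0)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(link_key + clock.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class Device:
    def __init__(self, bd_addr: str, pin: str):
        self.bd_addr = bytes.fromhex(bd_addr.replace(":", ""))   # permanent address
        self.pin = pin.encode()
        self.link_keys: Dict[bytes, bytes] = {}   # peer address -> link key, kept on the device


def authenticate(verifier: Device, claimant: Device) -> bool:
    """Challenge/response: the verifier compares the claimant's SRES with its own computation."""
    key_v = verifier.link_keys.get(claimant.bd_addr)
    key_c = claimant.link_keys.get(verifier.bd_addr)
    if key_v is None or key_c is None:
        return False                       # no pairing on record: the request is refused
    au_rand = os.urandom(16)               # fresh challenge, sent in the clear
    sres = e1_response(key_c, au_rand, claimant.bd_addr)
    return hmac.compare_digest(sres, e1_response(key_v, au_rand, claimant.bd_addr))


def pair(initiator: Device, responder: Device) -> bool:
    """Pairing: each side derives K_init from the PIN it was given; only matching PINs agree."""
    in_rand = os.urandom(16)               # sent in the clear by the initiator
    initiator.link_keys[responder.bd_addr] = e22_init_key(initiator.pin, responder.bd_addr, in_rand)
    responder.link_keys[initiator.bd_addr] = e22_init_key(responder.pin, responder.bd_addr, in_rand)
    # Mutual authentication proves both sides hold the same key before it is kept.
    ok = authenticate(initiator, responder) and authenticate(responder, initiator)
    if not ok:
        del initiator.link_keys[responder.bd_addr]
        del responder.link_keys[initiator.bd_addr]
    return ok


def encrypt_packet(sender: Device, peer: Device, clock: int, payload: bytes) -> bytes:
    """XOR the payload with the per-packet keystream; decryption is the same operation."""
    key = sender.link_keys[peer.bd_addr]
    return bytes(p ^ k for p, k in zip(payload, e0_keystream(key, clock, len(payload))))


def demo(pin_a: str = "1234", pin_b: str = "1234") -> Tuple[bool, Optional[bytes]]:
    """Pair two constructed devices and round-trip one encrypted payload."""
    phone = Device("00:11:22:33:44:55", pin_a)
    headset = Device("66:77:88:99:AA:BB", pin_b)
    if not pair(phone, headset):
        return False, None
    ct = encrypt_packet(phone, headset, clock=0x2A, payload=b"hello headset")
    return True, encrypt_packet(headset, phone, clock=0x2A, payload=ct)


if __name__ == "__main__":
    print(demo())                    # matching PINs: pairing succeeds, payload round-trips
    print(demo("1234", "0000"))      # mismatched PINs: authentication fails, no key is kept
```

Two points of the text become concrete here. Because the pairing is keyed by the permanent address, a renamed peer still authenticates against the stored key, and deleting the entry on either side is all that is needed to revoke the pairing. And because everything secret flows from the PIN, the initialization key is only as strong as the PIN entered; that is the reason the fixed-PIN headsets in the Car Whisperer entry and pairing in busy public places are treated as risks later in this chapter.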
Trusted Device: Device with a fixed relationship that is trusted and has unrestricted access to all services.
Untrusted Device: Device with no permanent fixed relationship, or device that has a fixed relationship but is not considered as trusted. The access to services is restricted.
Security methods include authorization and identification procedures that limit the use of Bluetooth services to the registered user. As long as these measures are enabled on the user's phone or other device, unauthorized access is unlikely. A user can also simply switch his Bluetooth mode to "non-discoverable" and avoid connecting with other Bluetooth devices entirely. Cell-phone virus writers have taken advantage of Bluetooth's automated connection process to send out infected files. When the virus arrives in the user's cell phone, the user has to agree to open it and then agree to install it. Security can be defined by four fundamental elements: availability, access, integrity, and confidentiality. A security architecture defines the protocols and functionality required to implement the four elements of security within a specific application category. The rules that determine the access rights to different resources on the devices are called the access policy. There are three modes of security for Bluetooth access between two devices:
Security Mode 1: non-secure (Public)
Security Mode 2: service level enforced security (Private)
Security Mode 3: link level enforced security (Silent)
Figure 10. Bluetooth security threats
Some reported viruses and their vital statistics are listed below.
Table 4. Reported viruses and their vital statistics.
The names bluesnarfing and bluebugging have been given to these methods of illegal and improper access to information. Although the Bluetooth standard incorporates very robust security mechanisms that application developers can use to create secure architectures, researchers have discovered a series of theoretical glitches and possible attacks in Bluetooth's core specifications. The most serious of these can lead to a compromise of the cryptographic algorithm protecting communication through sniffing, but this attack is impractical because the attacker must be present at the pairing of devices and then must be able to sniff communications between them. The specific attacks through Bluetooth are:
- BlueSnarf - Bluesnarfing allows hackers to gain access to data stored on a Bluetooth enabled phone using Bluetooth wireless technology without alerting the phone's user of the connection made to the device. The information that can be accessed in this manner includes the phonebook and associated images, calendar, and IMEI (international mobile equipment identity). By setting the device to non-discoverable, it becomes significantly more difficult to find and attack the device. Without specialized equipment the hacker must be within a 10 meter range of the device while running a device with specialized software. Only specific older Bluetooth enabled phones are susceptible to bluesnarfing.
- Bluejacking - Bluejacking allows phone users to send business cards anonymously using Bluetooth wireless technology. Bluejacking does NOT involve the removal or alteration of any data from the device. These business cards often have a clever or flirtatious message rather than the typical name and phone number. Bluejackers often look for the receiving phone to ping or the user to react. They then send another, more personal message to that device. Once again, in order to carry out a bluejacking, the sending and receiving devices must be within 10 meters of one another. Phone owners who receive bluejack messages should refuse to add the contacts to their address book. Devices that are set in non-discoverable mode are not susceptible to bluejacking.
- HeloMoto - A combination of BlueSnarf and BlueBug, this attack's name comes from the fact that it was originally discovered on Motorola phones.
- BlueSmack - This denial-of-service (DoS) attack knocks out certain types of devices; attackers can perform it with standard tools.
- BlueDump - This attack causes a Bluetooth device to dump its stored link key, creating an opportunity for key-exchange sniffing or for another pairing to occur with the attacker's device of choice.
- Car Whisperer - This attack abuses the default configuration of many hands-free and headset devices, which come with fixed PINs for pairing and transmission.
- BlueChop - This DoS attack can disrupt any established Bluetooth piconet by means of a device that isn't participating in it, if the piconet master supports multiple connections.
- BlueBugging - Bluebugging allows skilled individuals to access the mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and receive text messages, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet. As with all the attacks, without specialized equipment, the hacker must be within a 10 meter range of the phone. This is a separate vulnerability from bluesnarfing and does not affect all of the same phones as bluesnarfing. The code below is an example of a bluebugging program.
- Denial of service (DoS) - The well known denial of service (DoS) attack, which has been most popular for attacking Internet Web sites and networks, is now an option for hackers of Bluetooth wireless technology enabled devices. This nuisance is neither original nor ingenious and is, very simply, a constant request for response from a hacker's Bluetooth enabled computer to another Bluetooth enabled device, such that it causes some temporary battery degradation in the receiving device. While occupying the Bluetooth link with invalid communication requests, the hacker can temporarily disable the product's Bluetooth.
- Blue Bump - This attack takes advantage of a weakness in the handling of Bluetooth link keys, giving devices that are no longer authorized the ability to access services as if still paired. It can lead to data theft or to the abuse of mobile Internet connectivity services, such as Wireless Application Protocol (WAP) and General Packet Radio Services (GPRS).
CHAPTER 6
CREATING A BLUEBAG
The BlueBag project shows targeted attacks through Bluetooth malware using proof-of-concept code and devices that demonstrate their feasibility. The purpose of BlueBag is to gather data on the prevalence of insecure devices, to understand how susceptible people are to simple social engineering attacks, and to demonstrate the feasibility of attacks in secured areas. The need to mount any type of attack without being noticed led the researchers to create a covert attack and scanning device, which they later came to call the BlueBag: a Linux-based embedded system with several Bluetooth dongles to process many discovered devices in parallel, using an omnidirectional antenna to improve the range and cover a wide area. The researchers needed both a hidden tool and an instrument that could easily be carried around and still have a long battery life. To fulfill these requirements, they created the BlueBag by modifying a standard blue trolley and inserting a Mini-ITX system with the following off-the-shelf components:
- a VIA EPIA Mini-ITX motherboard (model PD6000E);
- 256 MBytes of RAM in a DDR400 DIMM module;
- an EPIA Mil PCI back plate to extend the available onboard USB connections from two to six;
- a 20-Gbyte iPod, with a 1.8-inch hard drive that can resist an acceleration of up to 3 g;
- eight class-1 Bluetooth dongles with Broadcom chipsets (some were connected to a four-port USB hub);
- a modified class-1 Linksys Bluetooth dongle (Cambridge Silicon Radio chipset) fitted with a Netgear omnidirectional antenna with 5 dBi gain;
- a picoPSU DC-DC converter (this small power supply can generate up to 120 watts at over 96 percent efficiency);
- a 12 V, 26 Ah lead acid battery to power the lengthy surveying sessions.
Figure 11. The Bluebag open
The BlueBag runs on a GNU/Linux OS, on top of which the researchers created a software infrastructure in Python that makes it easy to devise, control, and perform survey sessions. The software is completely multithreaded and can use the available dongles to perform different tasks concurrently. They implemented a simple but useful dongle management and allocation scheme to dynamically learn about available resources and lock them when needed. By doing so, they can reserve specific dongles to run applications that need to lock single physical interfaces for some time. The software is quite modular and was designed with the typical producer/consumer pattern: producers put found devices in a queue, using the standard utilities that come with BlueZ (the official Linux Bluetooth stack) to collect information. The software also includes customized versions of well-known Bluetooth information-gathering techniques such as blueprinting. A distinct thread manages the queue and assigns tasks to different consumers. They designed the BlueBag software suite to allow them to monitor and control the test's execution from a palmtop or smart phone via a web interface that runs on top of a TCP/IP over Bluetooth connection.
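The dongle-allocation and producer/consumer design described above, as an added Python illustration that is not the BlueBag project's own code: a queue of free dongles serves as the lock, producers hold a dongle for the inquiry phase, and consumers lock one for each per-device lookup. The inquiry results are a constructed table of placeholder addresses standing in for the BlueZ utilities.

```python
import queue
import threading

# Constructed inquiry results per dongle (placeholder addresses; BlueZ calls are simulated).
SIMULATED_INQUIRY = {
    "hci0": ["AA:00:00:00:00:01", "AA:00:00:00:00:02"],
    "hci1": ["AA:00:00:00:00:02", "AA:00:00:00:00:03"],
    "hci2": ["AA:00:00:00:00:04"],
}

def survey(dongles, consumers=2):
    """Producer/consumer survey; returns {address: lookup result} for each unique device."""
    pool = queue.Queue()          # free dongles: get() locks one, put() releases it
    for name in dongles:
        pool.put(name)            # learn the available physical interfaces up front
    found, seen, seen_lock, results = queue.Queue(), set(), threading.Lock(), {}

    def producer():
        # Lock a dongle for the whole inquiry; a device seen by several dongles is queued once.
        dongle = pool.get()
        try:
            for addr in SIMULATED_INQUIRY.get(dongle, []):
                with seen_lock:
                    if addr in seen:
                        continue
                    seen.add(addr)
                found.put(addr)
        finally:
            pool.put(dongle)

    def consumer():
        # Take a queued device, lock a free dongle for its lookup, then release it again.
        while (addr := found.get()) is not None:
            dongle = pool.get()
            try:
                results[addr] = f"looked up via {dongle}"   # stand-in for an SDP/name query
            finally:
                pool.put(dongle)

    producers = [threading.Thread(target=producer) for _ in dongles]
    workers = [threading.Thread(target=consumer) for _ in range(consumers)]
    for t in producers + workers:
        t.start()
    for t in producers:
        t.join()
    for _ in workers:
        found.put(None)           # poison pill: the inquiry phase is over
    for t in workers:
        t.join()
    return results
```

The returned dictionary has one entry per unique address, which is the "unique devices" figure the survey tables report.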
CHAPTER 7
THE BLUEBAG PROJECT
Researchers initially focused on identifying how many active Bluetooth devices were in
discoverable or visible mode. They have demonstrated that it's possible to find devices with
active Bluetooth technology in nondiscoverable mode using a brute-force attack. An attack
with this method is possible only if attackers want to target a specific device they know to be
active and in range, and even then, they must first identify the brand and model in order to
prune the address space. Therefore, keeping a phone in nondiscoverable mode provides a
basic form of protection against targeted attacks. For this reason, their test focused
exclusively on detecting devices in discoverable mode, the only ones actually in a condition
of potential risk of attack from Bluetooth malware. Researchers conducted their survey in several
high-transit locations surrounding Milan:
Milan's Exhibition Centre, during the InfoSecurity 2006 trade show;
the Orio Center Shopping Mall;
the MM2 Cadorna Metro Station;
the Assago MilanoFiori Office District;
Milan's Central Station;
the Milan Malpensa Airport; and
Politecnico di Milano Technical University, Leonardo Branch.
Table 5 shows the results; "unique devices" denotes the number of unique devices in
discoverable mode that researchers found during a specific session, and "device rate"
indicates the average number of unique devices discovered per minute. This data shows the
capillary diffusion of Bluetooth technology in everyday life and also highlights the huge
number of potentially vulnerable devices researchers found, even in such a short duration.
After grouping the devices, researchers tried analyzing the types of services the devices
offered and, in particular, those that can be used to propagate worms.
LOCATION                                DATE         DURATION (HH:MM)  UNIQUE DEVICES  DEVICE RATE
InfoSecurity 2006                       02/08-10/06  4:42              149             0.53
Orio Center Shopping Mall               03/01-11/06  6:45              377             0.93
MM2 Metro Station                       03/09/06     0:39              56              1.44
Assago Office District                  03/09/06     111               236             1.60
Milan Central Station                   03/09/06     1:12              185             157
Milan Malpensa Airport                  03/13/06     4:25              321             1.21
Politecnico di Milano Technical Univ.   03/14/06     2:48              81              0.48
Total                                                22:58             1405
Table 5. Summary of surveying results
SERVICE TYPE                              NUMBER OF DEVICES
OBEX Object Push, OBEX file transfer      313
Headset / hands-free audio gateway        303
Dial-up networking                        292
Table 6. Services offered by mobile devices
As Table 6 shows, the OBEX Push service was active and in range for enough time to allow the scanning of 313 devices; this service is normally used for transferring information or files and applications, including worms. An important finding from the survey was the "visibility time", that is, the average time in which a device remains in a potential attacker's range, or the time in which an aggressor could exploit the device. This time depends substantially on the different activity patterns of people in different contexts. Some cell phone models on the market are configured to be in discoverable mode by default if the Bluetooth connection is activated, thus requiring the user to manually modify the setting to the secure, nondiscoverable mode. Most existing worms rely on the user accepting a file to propagate, so they wanted to know the ratio of users who would accept an unknown file transfer from an unknown source. To obtain this data, they developed an
OBEX Pusher, an add-on to their normal survey scripts, which searches for all discoverable Bluetooth devices with OBEX Push support enabled and then sends them a file. Using this tool, they found that an astounding 7.5 percent of device owners carelessly accepted unknown file transfers from unknown sources and were thus highly vulnerable to social engineering attacks.
Figure 12. Pseudocode of Bluetooth worm with dynamic payloads for targeted attacks
All the elements are thus in place for a huge risk, to both companies and individuals; the researchers can almost certainly foresee an increase in attacks that aim not only to make a mobile device unusable or connect it to premium-rate telephone numbers but also to target specific information on the device. The effort it takes to reach a target device is often thought of as a form of protection. To prove this assumption wrong, they created a network of viral agents that can spread among mobile devices looking for a target, zero in on it, and then report information back to the attacker. They designed a proof-of-concept worm infrastructure that uses an envelope-payload mechanism. The envelope component is a piece of software that can scan for Bluetooth devices and propagate to found devices; it has a list of targets to propagate to and a set of payloads that it can "deploy" on the targets. The payload components can be any type of malicious code that the attacker wants to execute on victim devices, within the limits of cell phone operating systems. Such payloads can use the high connectivity of Bluetooth-enabled devices to transmit harvested information back to the
Figure 13. Infection ratio
Figure 14. Summary of Bluetooth security operations
CHAPTER 8
CONCLUSION
A Bluetooth device should never be discoverable (public) by default or as a fixed factory setting. A user
should at least have the possibility to change the factory setting of the security level somehow.
Another possibility is to make the private security level mandatory and print the BD_ADDR of the
device in every manual. PIN codes 16 case-sensitive alphanumeric characters long should always be
used when possible. This also requires minor changes to the Bluetooth specification if the Bluetooth
SIG wants to force device manufacturers to use it. On the other hand, some public Bluetooth services
are not possible if all devices must be nondiscoverable. Bluetooth device manufacturers and users
should also take security issues much more seriously.
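The conclusion's two recommendations (nondiscoverable by default, 16 case-sensitive alphanumeric PINs) as an added Python audit that is not part of the seminar or the BlueBag project: it reads a BlueZ `bluetoothctl show` dump for the discoverable state and checks a PIN against the rule. The adapter dump is a constructed sample, and the entropy estimate is my own assumption about how to quantify the benefit of the longer PIN.

```python
import math
import re

# Constructed sample of a BlueZ `bluetoothctl show` dump (not a real capture).
ADAPTER_DUMP = """Controller 00:11:22:33:44:55 (public)
\tName: demo-laptop
\tPowered: yes
\tDiscoverable: yes
\tPairable: yes
"""

def adapter_discoverable(dump):
    """True when the dump reports 'Discoverable: yes', the public state the conclusion warns about."""
    m = re.search(r"^\s*Discoverable:\s*(yes|no)\s*$", dump, re.MULTILINE)
    if m is None:
        raise ValueError("no Discoverable line in adapter dump")
    return m.group(1) == "yes"

def pin_entropy_bits(pin):
    """Guessing space implied by the character classes actually used (assumed metric)."""
    alphabet = 0
    alphabet += 10 if any(c.isdigit() for c in pin) else 0
    alphabet += 26 if any(c.islower() for c in pin) else 0
    alphabet += 26 if any(c.isupper() for c in pin) else 0
    return len(pin) * math.log2(alphabet) if alphabet else 0.0

def pin_meets_policy(pin):
    """The conclusion's rule: 16 case-sensitive alphanumeric (ASCII letters/digits) characters."""
    return len(pin) == 16 and pin.isascii() and pin.isalnum()

def audit(dump, pin):
    """Findings for one device, each paired with its fix (the bluetoothctl command is real)."""
    findings = []
    if adapter_discoverable(dump):
        findings.append("adapter is discoverable: run 'bluetoothctl discoverable off'")
    if not pin_meets_policy(pin):
        findings.append(f"PIN is {len(pin)} chars, about {pin_entropy_bits(pin):.1f} bits; "
                        "use 16 mixed-case alphanumerics")
    return findings
```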