BluetoothSecurity.ppt

S
ssuser1d7ef1
BLUETOOTH TECHNOLOGY/SECURITY Prepared By: Lo’ai Hattar Supervised By: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s campus-2006
What’s With the Name? •The name ‘Bluetooth’ was named after 10th century Viking king in Denmark Harald Bluetooth who united and controlled Denmark and Norway. •The name was adopted because Bluetooth wireless technology is expected to unify the telecommunications and computing industries
Who Started Bluetooth? • Bluetooth Special Interest Group (SIG) •Founded in Spring 1998 •By Ericsson, Intel, IBM, Nokia, Toshiba; •Now more than 2000 organizations joint the SIG
What Is Bluetooth? ☼ Bluetooth is an open standard for short-range digital radio to interconnect a variety of devices Cell phones, PDA, notebook computers, modems, cordless phones, pagers, laptop computers, printers, cameras by developing a single-chip, low-cost, radio-based wireless network technology
Bluetooth • Simplifying communications between: - devices and the internet - data synchronization • Operates in licensed exempt ISM band at 2.4ghz • Uses frequency hoping spread spectrum • Omni directional, no requiring line of sight • Bluetooth offers data speeds of up to 1 Mbps up to 10 meters (Short range wireless radio technology ) • Unlike IrDA, Bluetooth supports a LAN-like mode where multiple devices can interact with each other. • The key limitations of Bluetooth are security and interference with wireless LANs. • Short range wireless radio technology
Bluetooth • Bluetooth is a PAN Technology – Offers fast and reliable transmission for both voice and data – Can support either one asynchronous data channel with up to three simultaneous synchronous speech channels or one channel that transfers asynchronous data and synchronous speech simultaneously – Support both packet-switching and circuit- switching
Bluetooth • Personal Area Network (PAN) Bluetooth is a standard that will … – Eliminate wires and cables between both stationary and mobile devices – Facilitate both data and voice communications – Offer the possibility of ad hoc networks and deliver synchronicity between personal devices
Bluetooth Topology • Bluetooth-enabled devices can automatically locate each other • Topology is established on a temporary and random basis • Up to eight Bluetooth devices may be networked together in a master-slave relationship to form a Piconet
Cont. • One is master, which controls and setup the network • All devices operate on the same channel and follow the same frequency hopping sequence • Two or more piconet interconnected to form a scatter net • Only one master for each piconet • A device can’t be masters for two piconets • The slave of one piconet can be the master of another piconet
Ad-hoc • is a network connection method which is most often associated with wireless devices. • The connection is established for the duration of one session and requires no base station. • Instead, devices discover others within range to form a network for those computers. • Devices may search for target nodes that are out of range by flooding the network with broadcasts that are forwarded by each node. • Connections are possible over multiple nodes (multihop ad hoc network). • Routing protocols then provide stable connections even if nodes are moving around
A piconet • is an ad-hoc computer network of devices using Bluetooth technology protocols to allow one master device to interconnect with up to seven active slave devices • Up to 255 further slave devices can be inactive, or parked, which the master device can bring into active status at any time.
A Typical Bluetooth Network Piconet • Master sends its globally unique 48-bit id and clock – Hopping pattern is determined by the 48-bit device ID – Phase is determined by the master’s clock • Why at most 7 slaves? – (because a three-bit MAC adress is used). • Parked and standby nodes – Parked devices can not actively participate in the piconet but are known to the network and can be reactivated within some milliseconds – 8-bit for parked nodes – No id for standby nodes – Standby nodes do not participate in the piconet
BluetoothSecurity.ppt
Security Protocol • There are five phases of Simple Pairing: Phase 1: Public key exchange Phase 2: Authentication Stage 1 Phase 3: Authentication Stage 2 Phase 4: Link key calculation Phase 5: LMP Authentication and Encryption • Phases 1, 3, 4 and 5 are the same for all protocols whereas phase 2 (Authentication Stage 1) is different depending on • the protocol used. Distributed through these five phases are 13 steps.
BluetoothSecurity.ppt
Bluetooth Frequency • Has been set aside by the ISM( industrial ,sientific and medical ) for exclusive use of Bluetooth wireless products • Communicates on the 2.45 GHz frequency
Frequency Selection • FH is used for interference mitigation and media access; • TDD (Test-Driven Development) is used for separation of the transmission directions In 3-slot or 5-slot packets
FH-CDMA (Frequency Hopping - Code Division Multiple Access) • Frequency hopping (FH) is one of two basic modulation techniques used in spread spectrum signal transmission. • It is the repeated switching of frequencies during radio transmission, often to minimize the effectiveness of the unauthorized interception or jamming of telecommunications. • It also is known as frequency- hopping code division multiple access (FH-CDMA). • Bluetooth uses a technique called spread-spectrum frequency hopping.
Avoiding Interference : Hopping • • In this technique, a device will use 79 individual, randomly chosen frequencies within a designated range • Transmitters change frequency 1600 times a second
Cont. • Each channel is divided into time slots 625 microseconds long • Data in a packet can be up to 2,745 bits in length • Packets can be up to five time slots wide
Cont. • FH-CDMA to separate piconets within a scatternet • More piconets within a scatter net degrades performance – Possible collision because hopping patterns are not coordinated • At any instant of time, a device can participate only in one piconet • If the device participates as a slave, it just synchronize with the master’s hop sequence
Cont. • The master for a piconet can join another piconet as a slave; in this case, all communication within in the former piconet will be suspended . • When leaving a piconet, a slave notifies the master about its absence for certain amount of time. • Communication between different piconets takes place by devices jumping back and forth between these nets
BluetoothSecurity.ppt
Simplified Bluetooth stack
Bluetooth Profile Structure
How Does It Work? • Bluetooth is a standard for tiny, radio frequency chips that can be plugged into your devices • The information is then transmitted to your device • These chips were designed to take all of the information that your wires normally send, and transmit it at a special frequency to something called a receiver Bluetooth chip.
Bluetooth Chip RF Baseband Controller Link Manager Bluetooth Chip
SPECIFICATIONS • Bluetooth specifications are divided into two: – Core Specifications This bluetooth specification contains the Bluetooth Radio Specification as well as the Baseband, Link Manager, L2CAP, Service Discovery, RFCOMM and other specifications.
SPECIFICATIONS – Application Specifications • These specifications include the following • Profiles Cordless Telephony • Serial Port • Headset • Intercom • Dialup Networking • Fax • File Transfer • Service Discovery Application • Generic Access
RADIO POWER CLASSES • The Bluetooth specification allows for three different types of radio powers: – Class 1 = 100mW – Class2 = 2.5mW – Class 3 = 1mW • These power classes allow Bluetooth devices to connect at different ranges • High power radius have longer ranges. The maximum range for a Class 1, 100mW is about 100 meters. There is also a minimum range for a Bluetooth connection. The minimum range is around 10cm.
Power Management Benefits • Cable Replacement – Replace the cables for peripheral devices • Ease of file sharing – Panel discussion, conference, etc. • Wireless synchronization – Synchronize personal information contained in the address books and date books between different devices such as PDAs, cell phones, etc. • Bridging of networks – Cell phone connects to the network through dial-up connection while connecting to a laptop with Bluetooth.
Bluetooth Devices • Telephones • Headsets • Computers • Cameras • PDAs • Cars • Etc … Bluetooth will soon be enabled in everything from:
Bluetooth Products 1 • Bluetooth-enabled PC Card
Bluetooth Products 2 • Bluetooth-enabled PDA
Bluetooth Products 3 • Bluetooth-enabled Cell Phone
Bluetooth Products 4 • Bluetooth-enabled Head Set
Usage Models • Cordless computer • Ultimate headset • Three-in-one phone • Interactive conference (file transfer) • Direct network access • Instant postcard
BluetoothSecurity.ppt
Wireless Technologies • There are two technologies that have been developed as wireless cable replacements: Infrared (IRDA) and radio (Bluetooth).
Why Not Infrared? • Intended for point to point links • Limited to line of sight • have a narrow angle (30 degree cone), • Low penetration power • Distance covered is low(1 meter approx) • have a throughput of 9600 bps to 4 Mbps • IrDA has proven to be a popular technology with compliant ports currently available in an array of devices including: embedded devices, phones, modems, computers (PCs) and laptops, PDAs, printers, and other computer peripherals
Compare Infrared, Bluetooth Bluetooth Infrared Connection Type Spread Spectrum Infrared, narrow beam Spectrum 2.4GHz Optical 850 nano meters Data Rate 1Mbps 16Mbps Range 30 Feet 3 Feet Supported Devices Upto 8 2
Cont….. Voice Channels 3 1 Data Security 8-128bit Key No special security Addressing 48 bit MAC 32 bit ID
Our Focus •Bluetooth security
Security of Bluetooth • Security in Bluetooth is provided on the radio paths only – Link authentication and encryption may be provided – True end-to-end security relies on higher layer security solutions on top of Bluetooth • Bluetooth provides three security services – Authentication – identity verification of communicating devices – Confidentiality – against information compromise – Authorization – access right of resources/services • Fast FH together with link radio link power control provide protection from eavesdropping and malicious access – Fast FH makes it harder to lock the frequency – Power control forces the adversary to be in relatively close proximity
Security Modes (Authentication ) • Exchange Business Cards – Needs a secret key • A security manager controls access to services and to devices – Security mode 2 does not provide any security until a channel has been established • Key Generation from PIN – PIN: 1-16 bytes. PINs are fixed and may be permanently stored. Many users use the four digit 0000
Bluetooth Key Generation From PIN • Bluetooth Initialization Procedure (Pairing) – Creation of an initialization key (ki) – Creation of a link key Authentication (ka)
Creation of an Initialization Key • PIN and its length (ki)
Creation of a link key Authentication • Challenge-Response Based – Claimant: intends to prove its identity, to be verified – Verifier: validating the identity of another device – Use challenge-response to verify whether the claimant knows the secret (link key) or not . If fail, the claimant must wait for an interval to try a new attempt. – The waiting time is increased exponentially to defend the “try-and-error” authentication attack – Mutual authentication is supported • Challenge (128-bit) • Response (32-bit) • 48-bit device address
Confidentiality • ACO (Authenticated Cipher Offset) is 96-bit, generated during the authentication procedure – ACO and the link key are never transmitted • Encryption key Kc is generated from the current link key – Kc is 8-bit to 128-bit, negotiable between the master and the slave Master suggests a key size Set the “minimum acceptable” key size parameter to prevent a malicious user from driving the key size down to the minimum of 8 bits • The key stream is different for different packet since slot number is different
Three Encryption Modes for Confidentiality • Encryption Mode 1: -- No encryption is performed on any traffic • Encryption Mode 2: -- Broadcast traffic goes unprotected – while uni cast traffic is protected by the unique key • Encryption Mode 3: -- All traffic is encrypted
Trust Levels, Service Levels (authorization ) • Two trust levels: trusted and untrusted – Trusted devices have full access right – Untrusted devices have restricted service access
Bluetooth Security Architecture • Step 1: User input (initialization or pairing) – Two devices need a common pin (1-16 bytes) • Step 2: Authentication key (128-bit link key) generation – Possibly permanent, generated based on the PIN, device address, random numbers, etc. • Step 3: Encryption key (128 bits, store temporarily) • Step 4: key stream generation for xor-ing the payload
Security cont. • The security of the whole system relies on the PIN which may be too short – Users intend to use 4-digit short PINs, or even a null PIN • Utilized new cryptographic primitives, which have not gone through enough security analysis. (E0,E1,E20,E22) algorithms
E0 algorithm • The E0 algorithm is designed specifically for Bluetooth • E0 has gone many security analysis. When used in Bluetooth mode, the security of E0 is decreased from 128-bit to 84-bit; • when used outside of a Bluetooth system, its effective security is only 39-bit • A Bluetooth device resets the E0 key after every 240 output bits, severely limiting the amount of known key stream that may be available to the cryptanalyst.
Short Key Attacks • we focus on .short key. attacks, that still manage to recover the key despite this limitation. • attacker can guess the content of the registers of the three smaller LFSRs and of the E0 combiner state registers with a probability of 2 to power 93. • This attack requires a total of 128 bits of known plaintext and ciphertext. The reverse engineering and verication takes approximately 27 operations. Making the total complexity of the attack 2to power100.
Long Key Attacks • an attack that recovers the session key in a similar way to what showed, only that assuming much more keystream is available • within a packet and therefore the overall complexity was closer to O(2 to power 93).
• Short range was a countermeasure to force the attackers to be in close proximity; – now range extenders can be easily built • Attackers grow since information is more attractive – People use Bluetooth not only for personal information, but also for corporate information
Hacker Tools • Bluesnarfing: • is the theft of information from a wireless device through a Bluetooth connection. • By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information -- such as the user's calendar, contact list and e-mail and text messages -- without leaving any evidence of the attack. • Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. • Operating in invisible mode protects some devices, but others are vulnerable as long as Bluetooth is enabled.
Hacker Tools • Bluejacking • is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field It is widely believed that the term bluejacking comes from Bluetooth and hijacking. • However, a bluejacker doesn't hijack anything: he or she merely uses a feature on the sender and the recipient's device. Both parties remain in absolute control over their devices, and a bluejacker will not be able to take over your phone or steal your personal information. • Bluejacking is usually technically harmless, but because bluejacked people don't know what is happening, they think their phone is malfunctioning. • Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well.
Most important security weaknesses • Problems with E0 • PIN • Problems with E1 • Location privacy • Denial of service attacks
Problems with E0 • Given all cryptographic primitives (E0, E1, E21, E22) used in Bluetooth Pairing/Bonding and authentication process the Bluetooth PIN can be cracked ? – Focus on short PIN now. • Output (KC) = combination of 4 LFSRs (Linear Feedback Shift Register) • Key (KC) = 128 bits • Best attack: guess some registers
PIN • Some devices use a fixed PIN (default=0000) • Security keys = security PIN !!!! • Possible to check guesses of PIN (SRES) -> brut force attack • Weak PINs (1234, 5555, …
Problems with E1 • E1 = SAFER+ • In cryptography, SAFER (Secure And Fast Encryption Routine) is the name of a family of block ciphers The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule. More recent versions — SAFER+ and SAFER++ — • All of the algorithms in the SAFER family are unpatented and available for unrestricted use. • Some security weaknesses (although not applicable to Bluetooth) – slow
Location privacy • Devices can be in discoverable mode • Every device has fixed hardware address Addresses are sent in clear – possible to track devices (and users)
Denial of service attacks • Radio jamming attacks • Buffer overflow attacks • Blocking of other devices • Battery exhaustion (e.g., sleep deprivation torture attack)
Other weaknesses • No integrity checks • No prevention of replay attacks • Man in the middle attacks • Sometimes: default = no security
Advantages (+) • Wireless (No Cables) • No Setup Needed • Low Power Consumption (1 Milliwat) • Industry Wide Support
Disadvantages (-) • Short range (10 meters) • Small throughput rates - Data Rate 1.0 Mbps • Mostly for personal use (PANs) • Fairly Expensive
Bluetooth’s Future •The future of this technology becoming a standard is likely •With a strong industry pushing behind it, success is inevitable. •Often, with new technology, early changes mean reconstruction. Not With Bluetooth, instead, there will be an improvement to the existing standard. •Bluetooth will soon be known as Bluetooth 2.2 as they are trying to develop the product to better fulfill the needs of consumers
The End • Thank You, for attending my presentation.
BluetoothSecurity.ppt
BluetoothSecurity.ppt
1 de 72

BluetoothSecurity.ppt

Baixar para ler offline
Engenharia

bluetooth security

S
ssuser1d7ef1

Recomendados

Bluetooth Technology & SecurityBluetooth Technology & Security
Bluetooth Technology & SecurityHimangshu Hazra
304 visualizações66 slides
Bluetooth.pptBluetooth.ppt
Bluetooth.pptDrTThendralCompSci
107 visualizações32 slides
Bluetooth basicBluetooth basic
Bluetooth basicEngr Sid
616 visualizações63 slides
Bluetooth Basic VersionBluetooth Basic Version
Bluetooth Basic VersionAyesha Saeed
3.1K visualizações63 slides
Bluetooth technologyBluetooth technology
Bluetooth technologyRohit Roy
6.8K visualizações13 slides
BluetoothBluetooth
BluetoothHassan Razzaq
911 visualizações19 slides

Mais conteúdo relacionado

Similar a BluetoothSecurity.ppt

BluetoothBluetooth
BluetoothAnamika Garg
3.8K visualizações28 slides
BluetoothBluetooth
BluetoothFahim Faysal
4.7K visualizações37 slides
6-IoT protocol.pptx6-IoT protocol.pptx
6-IoT protocol.pptxPratik Gohel
167 visualizações82 slides
Bluetooth pptBluetooth ppt
Bluetooth pptsanjeev kumar suman
148 visualizações19 slides
lecture10-wireless.pptxlecture10-wireless.pptx
lecture10-wireless.pptxPranavSinghSambyal
7 visualizações34 slides

Similar a BluetoothSecurity.ppt(20)

BluetoothBluetooth
Bluetooth
Anamika Garg3.8K visualizações
BluetoothBluetooth
Bluetooth
Fahim Faysal4.7K visualizações
6-IoT protocol.pptx6-IoT protocol.pptx
6-IoT protocol.pptx
Pratik Gohel167 visualizações
Bluetooth pptBluetooth ppt
Bluetooth ppt
sanjeev kumar suman148 visualizações
Wireless personal area networks(PAN)Wireless personal area networks(PAN)
Wireless personal area networks(PAN)
punjab engineering college, chandigarh4.5K visualizações
lecture10-wireless.pptxlecture10-wireless.pptx
lecture10-wireless.pptx
PranavSinghSambyal7 visualizações
PPT on Bluetooth Based Wireless Sensor NetworksPPT on Bluetooth Based Wireless Sensor Networks
PPT on Bluetooth Based Wireless Sensor Networks
Siya Agarwal88.4K visualizações
Bluetooth technologyBluetooth technology
Bluetooth technology
Deevena Dayaal1.4K visualizações
Bluetooth - Comprehensive PresentationBluetooth - Comprehensive Presentation
Bluetooth - Comprehensive Presentation
Muhammed Afsal Villan2.6K visualizações
Bluetooth TechnologyBluetooth Technology
Bluetooth Technology
Vishal Arora562 visualizações
Carwhisperer Bluetooth AttackCarwhisperer Bluetooth Attack
Carwhisperer Bluetooth Attack
n|u - The Open Security Community7.7K visualizações
BluetoothBluetooth
Bluetooth
abhishek upadhyay313 visualizações
BluetoothBluetooth
Bluetooth
rajatmal410K visualizações
bluetooth technology bluetooth technology
bluetooth technology
deepak kumar1.3K visualizações
Bluetooth technology by shamshadBluetooth technology by shamshad
Bluetooth technology by shamshad
1122334411223344787 visualizações
BLUETOOTH.pptBLUETOOTH.ppt
BLUETOOTH.ppt
TheUltimateFunEntert28 visualizações
BluetoothBluetooth
Bluetooth
Mac_Kevin1.1K visualizações
Bluetooth based-smart-sensor-networkBluetooth based-smart-sensor-network
Bluetooth based-smart-sensor-network
priyadharshini murugan8.5K visualizações
[PPT] _ 1.3 Bluetooth.pptx[PPT] _ 1.3 Bluetooth.pptx
[PPT] _ 1.3 Bluetooth.pptx
Selvaraj Seerangan42 visualizações
BluetoothBluetooth
Bluetooth
mylove25252369 visualizações

Último

Informed search algorithms.pptxInformed search algorithms.pptx
Informed search algorithms.pptxDr.Shweta
12 visualizações19 slides
Pointers.pptxPointers.pptx
Pointers.pptxAnanthi Palanisamy
58 visualizações32 slides
Paper 3.pdfPaper 3.pdf
Paper 3.pdfJavad Kadkhodapour
6 visualizações19 slides

Último(20)

Informed search algorithms.pptxInformed search algorithms.pptx
Informed search algorithms.pptx
Dr.Shweta12 visualizações
Thermal aware task assignment for multicore processors using genetic algorithm Thermal aware task assignment for multicore processors using genetic algorithm
Thermal aware task assignment for multicore processors using genetic algorithm
IJECEIAES24 visualizações
Pointers.pptxPointers.pptx
Pointers.pptx
Ananthi Palanisamy58 visualizações
STUDY OF SMART MATERIALS USED IN CONSTRUCTION-1.pptxSTUDY OF SMART MATERIALS USED IN CONSTRUCTION-1.pptx
STUDY OF SMART MATERIALS USED IN CONSTRUCTION-1.pptx
AnnieRachelJohn18 visualizações
7_DVD_Combinational_MOS_Logic_Circuits.pdf7_DVD_Combinational_MOS_Logic_Circuits.pdf
7_DVD_Combinational_MOS_Logic_Circuits.pdf
Usha Mehta11 visualizações
Paper 3.pdfPaper 3.pdf
Paper 3.pdf
Javad Kadkhodapour6 visualizações
Stone Masonry and Brick Masonry.pdfStone Masonry and Brick Masonry.pdf
Stone Masonry and Brick Masonry.pdf
Mohammed Abdullah Laskar17 visualizações
PlumbingPlumbing
Plumbing
Iwiss Tools Co.,Ltd9 visualizações
How I learned to stop worrying and love the dark silicon apocalypse.pdfHow I learned to stop worrying and love the dark silicon apocalypse.pdf
How I learned to stop worrying and love the dark silicon apocalypse.pdf
Tomasz Kowalczewski22 visualizações
Deutsch CrimpingDeutsch Crimping
Deutsch Crimping
Iwiss Tools Co.,Ltd13 visualizações
cloud computing-virtualization.pptxcloud computing-virtualization.pptx
cloud computing-virtualization.pptx
RajaulKarim2072 visualizações
An approach of ontology and knowledge base for railway maintenanceAn approach of ontology and knowledge base for railway maintenance
An approach of ontology and knowledge base for railway maintenance
IJECEIAES9 visualizações
Object Oriented Programming with JAVAObject Oriented Programming with JAVA
Object Oriented Programming with JAVA
Demian Antony D'Mello49 visualizações
IEC 61850 Technical Overview.pdfIEC 61850 Technical Overview.pdf
IEC 61850 Technical Overview.pdf
ssusereeea975 visualizações
SWM L1-L14_drhasan (Part 1).pdfSWM L1-L14_drhasan (Part 1).pdf
SWM L1-L14_drhasan (Part 1).pdf
MahmudHasan74787038 visualizações
Electronic Devices - Integrated Circuit.pdfElectronic Devices - Integrated Circuit.pdf
Electronic Devices - Integrated Circuit.pdf
booksarpita10 visualizações
LFA-NPG-Paper.pdfLFA-NPG-Paper.pdf
LFA-NPG-Paper.pdf
harinsrikanth40 visualizações
Dynamics of Hard-Magnetic Soft MaterialsDynamics of Hard-Magnetic Soft Materials
Dynamics of Hard-Magnetic Soft Materials
Shivendra Nandan11 visualizações
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
Anowar Hossain9 visualizações
Wire Cutting & StrippingWire Cutting & Stripping
Wire Cutting & Stripping
Iwiss Tools Co.,Ltd6 visualizações

BluetoothSecurity.ppt

  • 1. BLUETOOTH TECHNOLOGY/SECURITY Prepared By: Lo’ai Hattar Supervised By: Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s campus-2006
  • 2. What’s With the Name? •The name ‘Bluetooth’ was named after 10th century Viking king in Denmark Harald Bluetooth who united and controlled Denmark and Norway. •The name was adopted because Bluetooth wireless technology is expected to unify the telecommunications and computing industries
  • 3. Who Started Bluetooth? • Bluetooth Special Interest Group (SIG) •Founded in Spring 1998 •By Ericsson, Intel, IBM, Nokia, Toshiba; •Now more than 2000 organizations joint the SIG
  • 4. What Is Bluetooth? ☼ Bluetooth is an open standard for short-range digital radio to interconnect a variety of devices Cell phones, PDA, notebook computers, modems, cordless phones, pagers, laptop computers, printers, cameras by developing a single-chip, low-cost, radio-based wireless network technology
  • 5. Bluetooth • Simplifying communications between: - devices and the internet - data synchronization • Operates in licensed exempt ISM band at 2.4ghz • Uses frequency hoping spread spectrum • Omni directional, no requiring line of sight • Bluetooth offers data speeds of up to 1 Mbps up to 10 meters (Short range wireless radio technology ) • Unlike IrDA, Bluetooth supports a LAN-like mode where multiple devices can interact with each other. • The key limitations of Bluetooth are security and interference with wireless LANs. • Short range wireless radio technology
  • 6. Bluetooth • Bluetooth is a PAN Technology – Offers fast and reliable transmission for both voice and data – Can support either one asynchronous data channel with up to three simultaneous synchronous speech channels or one channel that transfers asynchronous data and synchronous speech simultaneously – Support both packet-switching and circuit- switching
  • 7. Bluetooth • Personal Area Network (PAN) Bluetooth is a standard that will … – Eliminate wires and cables between both stationary and mobile devices – Facilitate both data and voice communications – Offer the possibility of ad hoc networks and deliver synchronicity between personal devices
  • 8. Bluetooth Topology • Bluetooth-enabled devices can automatically locate each other • Topology is established on a temporary and random basis • Up to eight Bluetooth devices may be networked together in a master-slave relationship to form a Piconet
  • 9. Cont. • One is master, which controls and setup the network • All devices operate on the same channel and follow the same frequency hopping sequence • Two or more piconet interconnected to form a scatter net • Only one master for each piconet • A device can’t be masters for two piconets • The slave of one piconet can be the master of another piconet
  • 10. Ad-hoc • is a network connection method which is most often associated with wireless devices. • The connection is established for the duration of one session and requires no base station. • Instead, devices discover others within range to form a network for those computers. • Devices may search for target nodes that are out of range by flooding the network with broadcasts that are forwarded by each node. • Connections are possible over multiple nodes (multihop ad hoc network). • Routing protocols then provide stable connections even if nodes are moving around
  • 11. A piconet • is an ad-hoc computer network of devices using Bluetooth technology protocols to allow one master device to interconnect with up to seven active slave devices • Up to 255 further slave devices can be inactive, or parked, which the master device can bring into active status at any time.
  • 12. A Typical Bluetooth Network Piconet • Master sends its globally unique 48-bit id and clock – Hopping pattern is determined by the 48-bit device ID – Phase is determined by the master’s clock • Why at most 7 slaves? – (because a three-bit MAC adress is used). • Parked and standby nodes – Parked devices can not actively participate in the piconet but are known to the network and can be reactivated within some milliseconds – 8-bit for parked nodes – No id for standby nodes – Standby nodes do not participate in the piconet
  • 14. Security Protocol • There are five phases of Simple Pairing: Phase 1: Public key exchange Phase 2: Authentication Stage 1 Phase 3: Authentication Stage 2 Phase 4: Link key calculation Phase 5: LMP Authentication and Encryption • Phases 1, 3, 4 and 5 are the same for all protocols whereas phase 2 (Authentication Stage 1) is different depending on • the protocol used. Distributed through these five phases are 13 steps.
  • 16. Bluetooth Frequency • Has been set aside by the ISM( industrial ,sientific and medical ) for exclusive use of Bluetooth wireless products • Communicates on the 2.45 GHz frequency
  • 17. Frequency Selection • FH is used for interference mitigation and media access; • TDD (Test-Driven Development) is used for separation of the transmission directions In 3-slot or 5-slot packets
  • 18. FH-CDMA (Frequency Hopping - Code Division Multiple Access) • Frequency hopping (FH) is one of two basic modulation techniques used in spread spectrum signal transmission. • It is the repeated switching of frequencies during radio transmission, often to minimize the effectiveness of the unauthorized interception or jamming of telecommunications. • It also is known as frequency- hopping code division multiple access (FH-CDMA). • Bluetooth uses a technique called spread-spectrum frequency hopping.
  • 19. Avoiding Interference : Hopping • • In this technique, a device will use 79 individual, randomly chosen frequencies within a designated range • Transmitters change frequency 1600 times a second
  • 20. Cont. • Each channel is divided into time slots 625 microseconds long • Data in a packet can be up to 2,745 bits in length • Packets can be up to five time slots wide
  • 21. Cont. • FH-CDMA to separate piconets within a scatternet • More piconets within a scatter net degrades performance – Possible collision because hopping patterns are not coordinated • At any instant of time, a device can participate only in one piconet • If the device participates as a slave, it just synchronize with the master’s hop sequence
  • 22. Cont. • The master for a piconet can join another piconet as a slave; in this case, all communication within in the former piconet will be suspended . • When leaving a piconet, a slave notifies the master about its absence for certain amount of time. • Communication between different piconets takes place by devices jumping back and forth between these nets
  • 26. How Does It Work? • Bluetooth is a standard for tiny, radio frequency chips that can be plugged into your devices • The information is then transmitted to your device • These chips were designed to take all of the information that your wires normally send, and transmit it at a special frequency to something called a receiver Bluetooth chip.
  • 28. SPECIFICATIONS • Bluetooth specifications are divided into two: – Core Specifications This bluetooth specification contains the Bluetooth Radio Specification as well as the Baseband, Link Manager, L2CAP, Service Discovery, RFCOMM and other specifications.
  • 29. SPECIFICATIONS – Application Specifications • These specifications include the following • Profiles Cordless Telephony • Serial Port • Headset • Intercom • Dialup Networking • Fax • File Transfer • Service Discovery Application • Generic Access
  • 30. RADIO POWER CLASSES • The Bluetooth specification allows for three different types of radio powers: – Class 1 = 100mW – Class2 = 2.5mW – Class 3 = 1mW • These power classes allow Bluetooth devices to connect at different ranges • High power radius have longer ranges. The maximum range for a Class 1, 100mW is about 100 meters. There is also a minimum range for a Bluetooth connection. The minimum range is around 10cm.
  • 31. Power Management Benefits • Cable Replacement – Replace the cables for peripheral devices • Ease of file sharing – Panel discussion, conference, etc. • Wireless synchronization – Synchronize personal information contained in the address books and date books between different devices such as PDAs, cell phones, etc. • Bridging of networks – Cell phone connects to the network through dial-up connection while connecting to a laptop with Bluetooth.
  • 32. Bluetooth Devices • Telephones • Headsets • Computers • Cameras • PDAs • Cars • Etc … Bluetooth will soon be enabled in everything from:
  • 33. Bluetooth Products 1 • Bluetooth-enabled PC Card
  • 34. Bluetooth Products 2 • Bluetooth-enabled PDA
  • 35. Bluetooth Products 3 • Bluetooth-enabled Cell Phone
  • 36. Bluetooth Products 4 • Bluetooth-enabled Head Set
  • 37. Usage Models • Cordless computer • Ultimate headset • Three-in-one phone • Interactive conference (file transfer) • Direct network access • Instant postcard
  • 39. Wireless Technologies • There are two technologies that have been developed as wireless cable replacements: Infrared (IRDA) and radio (Bluetooth).
  • 40. Why Not Infrared? • Intended for point to point links • Limited to line of sight • have a narrow angle (30 degree cone), • Low penetration power • Distance covered is low(1 meter approx) • have a throughput of 9600 bps to 4 Mbps • IrDA has proven to be a popular technology with compliant ports currently available in an array of devices including: embedded devices, phones, modems, computers (PCs) and laptops, PDAs, printers, and other computer peripherals
  • 41. Compare Infrared, Bluetooth Bluetooth Infrared Connection Type Spread Spectrum Infrared, narrow beam Spectrum 2.4GHz Optical 850 nano meters Data Rate 1Mbps 16Mbps Range 30 Feet 3 Feet Supported Devices Upto 8 2
  • 42. Cont….. Voice Channels 3 1 Data Security 8-128bit Key No special security Addressing 48 bit MAC 32 bit ID
  • 44. Security of Bluetooth • Security in Bluetooth is provided on the radio paths only – Link authentication and encryption may be provided – True end-to-end security relies on higher layer security solutions on top of Bluetooth • Bluetooth provides three security services – Authentication – identity verification of communicating devices – Confidentiality – against information compromise – Authorization – access right of resources/services • Fast FH together with link radio link power control provide protection from eavesdropping and malicious access – Fast FH makes it harder to lock the frequency – Power control forces the adversary to be in relatively close proximity
  • 45. Security Modes (Authentication ) • Exchange Business Cards – Needs a secret key • A security manager controls access to services and to devices – Security mode 2 does not provide any security until a channel has been established • Key Generation from PIN – PIN: 1-16 bytes. PINs are fixed and may be permanently stored. Many users use the four digit 0000
  • 46. Bluetooth Key Generation From PIN • Bluetooth Initialization Procedure (Pairing) – Creation of an initialization key (ki) – Creation of a link key Authentication (ka)
  • 47. Creation of an Initialization Key • PIN and its length (ki)
  • 48. Creation of a link key Authentication • Challenge-Response Based – Claimant: intends to prove its identity, to be verified – Verifier: validating the identity of another device – Use challenge-response to verify whether the claimant knows the secret (link key) or not . If fail, the claimant must wait for an interval to try a new attempt. – The waiting time is increased exponentially to defend the “try-and-error” authentication attack – Mutual authentication is supported • Challenge (128-bit) • Response (32-bit) • 48-bit device address
  • 49. Confidentiality • ACO (Authenticated Cipher Offset) is 96-bit, generated during the authentication procedure – ACO and the link key are never transmitted • Encryption key Kc is generated from the current link key – Kc is 8-bit to 128-bit, negotiable between the master and the slave Master suggests a key size Set the “minimum acceptable” key size parameter to prevent a malicious user from driving the key size down to the minimum of 8 bits • The key stream is different for different packet since slot number is different
  • 50. Three Encryption Modes for Confidentiality • Encryption Mode 1: -- No encryption is performed on any traffic • Encryption Mode 2: -- Broadcast traffic goes unprotected – while uni cast traffic is protected by the unique key • Encryption Mode 3: -- All traffic is encrypted
  • 51. Trust Levels, Service Levels (authorization ) • Two trust levels: trusted and untrusted – Trusted devices have full access right – Untrusted devices have restricted service access
  • 52. Bluetooth Security Architecture • Step 1: User input (initialization or pairing) – Two devices need a common pin (1-16 bytes) • Step 2: Authentication key (128-bit link key) generation – Possibly permanent, generated based on the PIN, device address, random numbers, etc. • Step 3: Encryption key (128 bits, store temporarily) • Step 4: key stream generation for xor-ing the payload
  • 53. Security cont. • The security of the whole system relies on the PIN which may be too short – Users intend to use 4-digit short PINs, or even a null PIN • Utilized new cryptographic primitives, which have not gone through enough security analysis. (E0,E1,E20,E22) algorithms
  • 54. E0 algorithm • The E0 algorithm is designed specifically for Bluetooth • E0 has gone many security analysis. When used in Bluetooth mode, the security of E0 is decreased from 128-bit to 84-bit; • when used outside of a Bluetooth system, its effective security is only 39-bit • A Bluetooth device resets the E0 key after every 240 output bits, severely limiting the amount of known key stream that may be available to the cryptanalyst.
  • 55. Short Key Attacks • we focus on .short key. attacks, that still manage to recover the key despite this limitation. • attacker can guess the content of the registers of the three smaller LFSRs and of the E0 combiner state registers with a probability of 2 to power 93. • This attack requires a total of 128 bits of known plaintext and ciphertext. The reverse engineering and verication takes approximately 27 operations. Making the total complexity of the attack 2to power100.
  • 56. Long Key Attacks • an attack that recovers the session key in a similar way to what showed, only that assuming much more keystream is available • within a packet and therefore the overall complexity was closer to O(2 to power 93).
  • 57. • Short range was a countermeasure to force the attackers to be in close proximity; – now range extenders can be easily built • Attackers grow since information is more attractive – People use Bluetooth not only for personal information, but also for corporate information
  • 58. Hacker Tools • Bluesnarfing: • is the theft of information from a wireless device through a Bluetooth connection. • By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information -- such as the user's calendar, contact list and e-mail and text messages -- without leaving any evidence of the attack. • Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. • Operating in invisible mode protects some devices, but others are vulnerable as long as Bluetooth is enabled.
  • 59. Hacker Tools • Bluejacking • is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field It is widely believed that the term bluejacking comes from Bluetooth and hijacking. • However, a bluejacker doesn't hijack anything: he or she merely uses a feature on the sender and the recipient's device. Both parties remain in absolute control over their devices, and a bluejacker will not be able to take over your phone or steal your personal information. • Bluejacking is usually technically harmless, but because bluejacked people don't know what is happening, they think their phone is malfunctioning. • Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well.
  • 60. Most important security weaknesses • Problems with E0 • PIN • Problems with E1 • Location privacy • Denial of service attacks
  • 61. Problems with E0 • Given all cryptographic primitives (E0, E1, E21, E22) used in Bluetooth Pairing/Bonding and authentication process the Bluetooth PIN can be cracked ? – Focus on short PIN now. • Output (KC) = combination of 4 LFSRs (Linear Feedback Shift Register) • Key (KC) = 128 bits • Best attack: guess some registers
  • 62. PIN • Some devices use a fixed PIN (default=0000) • Security keys = security PIN !!!! • Possible to check guesses of PIN (SRES) -> brut force attack • Weak PINs (1234, 5555, …
  • 63. Problems with E1 • E1 = SAFER+ • In cryptography, SAFER (Secure And Fast Encryption Routine) is the name of a family of block ciphers The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule. More recent versions — SAFER+ and SAFER++ — • All of the algorithms in the SAFER family are unpatented and available for unrestricted use. • Some security weaknesses (although not applicable to Bluetooth) – slow
  • 64. Location privacy • Devices can be in discoverable mode • Every device has fixed hardware address Addresses are sent in clear – possible to track devices (and users)
  • 65. Denial of service attacks • Radio jamming attacks • Buffer overflow attacks • Blocking of other devices • Battery exhaustion (e.g., sleep deprivation torture attack)
  • 66. Other weaknesses • No integrity checks • No prevention of replay attacks • Man in the middle attacks • Sometimes: default = no security
  • 67. Advantages (+) • Wireless (No Cables) • No Setup Needed • Low Power Consumption (1 Milliwat) • Industry Wide Support
  • 68. Disadvantages (-) • Short range (10 meters) • Small throughput rates - Data Rate 1.0 Mbps • Mostly for personal use (PANs) • Fairly Expensive
  • 69. Bluetooth’s Future •The future of this technology becoming a standard is likely •With a strong industry pushing behind it, success is inevitable. •Often, with new technology, early changes mean reconstruction. Not With Bluetooth, instead, there will be an improvement to the existing standard. •Bluetooth will soon be known as Bluetooth 2.2 as they are trying to develop the product to better fulfill the needs of consumers
  • 70. The End • Thank You, for attending my presentation.