Securing Bluetooth Tutorial

8.1 Overview of Bluetooth

For the most part, the purpose of this course has been to discuss 802.11a, b, g and n wireless networks. But Bluetooth is also a wireless standard, actually under 802.15.1, and we're going to discuss it because there are some issues involved with securing Bluetooth devices and Bluetooth networks. Now, to give you a bit of history, Bluetooth was originally a specification created by Ericsson back in 1994. Ericsson joined with Toshiba, IBM and some others to create the Bluetooth Special Interest Group, and they basically manage the specifications of Bluetooth and make sure that the devices that use Bluetooth are compatible. Now, Bluetooth operates in pretty much the same frequency range as a lot of other 802 devices, 802.11 2.4 GHz devices to be exact, which operate in the same ISM frequency band. Bluetooth uses a technology we discussed earlier, frequency-hopping spread spectrum, or FHSS. Bluetooth is an open standard, and it's basically used for short-range radio frequency communication between devices. These devices have to be a very small distance away from each other, very short range. They're used to establish personal area networks. Now, we see Bluetooth used a lot in personal and consumer electronics, things like tablets, cell phones, laptops and so forth. We also see it used in things like Bluetooth headsets and media players. Now, for the purposes of our discussion, let's assume that we're talking primarily about devices that exchange important, sensitive data, things like laptops, tablets and cell phones. For the purposes of talking about security with Bluetooth, we're probably not going to talk too much about securing a Bluetooth headset; after all, it's not very configurable, and the audio data that is being streamed to it is typically not important enough to be secured. I'm talking music; I'm not talking Bluetooth headsets that you speak into on the cell phone. Those are important. So just keep that in mind.
We're talking about Bluetooth devices that really need to be secured. Now, these devices, as I said, have to be in very close physical proximity with each other, typically within a few feet. Typically, the range for a good connection is 10 to 20 feet. Beyond that you lose the connection, and it's not very effective. Now, these devices form ad-hoc networks, and as we know from our discussion on 802.11 wireless, ad-hoc means it's typically a device-to-device connection. There's no infrastructure, no centralized access point involved. The ad-hoc networks that are formed by these devices are called piconets, meaning very small networks. Now, there are several different versions of Bluetooth currently out there that have been produced over the years, and we still see them out there depending upon the age of the device. The first spec that we'll talk about is the Bluetooth 1.2 version. It came out back in November of 2003. Now, we don't see a lot of those out there anymore. And as a matter of fact, as you see the versions increase, we also see data rates increase, power usage decrease and security increase. Bluetooth 2.1 is probably the one we see out there a lot these days, and those are still legacy devices. They came out back in July 2007, and 2.1 with Enhanced Data Rate introduced the concept called Secure Simple Pairing, or SSP. We also have Bluetooth 3.0 + High Speed. Again, more data rate improvements, but not a lot of security improvements, as we'll talk about when we look at Bluetooth's weaknesses. We also have Bluetooth 4.0 out there, the current specification, and basically that reduced the power requirements for Bluetooth devices. It came out just a few years ago, back in 2010. So we've got some basic specifications out there for Bluetooth, and we've got some different versions out there. Now, obviously there are different weaknesses for each version of Bluetooth, and different security measures we need to take, and we'll discuss those.

8.2 Bluetooth Weaknesses

Now let's discuss Bluetooth security issues. Bluetooth, being an RF-based technology, suffers from some of the same security issues as the normal 802.11 wireless technologies that we've discussed earlier. We've got the standard eavesdropping and interception of data, man-in-the-middle attacks, message integrity attacks and so forth. Now, Bluetooth also suffers from some technology-unique issues and some known vulnerabilities that affect only Bluetooth. A lot of the Bluetooth weaknesses that we see depend upon the version of Bluetooth currently in use. Now, weaknesses prior to version 1.2 coming out include reuse of static keys for pairing, easily intercepted keys and spoofed devices. So we've seen right here that keys and encryption may be an issue with Bluetooth, and you'll see that's a recurring theme. Those were fixed, but you still had weaknesses prior to version 2.1, which include devices in Security Mode 1 not initiating security; they just kind of sit there. Inadequate or short PINs, PIN randomness that wasn't very adequate, and PIN management in general wasn't done very well with these versions of Bluetooth. You also had repetition of the keystream after about a day. So it would be easy to see repeated keystreams, pick those up and try to crack the keys. Now, up until version 4 you still had some weaknesses. Unlimited authentication requests was a big one, and with that, that meant a Bluetooth device could repeatedly try to authenticate with another one over and over and over. Now, this could just be an annoyance, but it also could be a denial-of-service attack, because it would reduce your battery life and keep you from using the device. You also have keys shared amongst several devices, the same key. So you may have pairing issues, but it also would be very easy to get the key that way. Encryption, as I mentioned, is a recurring theme with Bluetooth, and a lack of FIPS-compliant encryption is an issue with Bluetooth and has been for a while.
There's also an issue of tracking users through Bluetooth device addresses, because those addresses can be recorded and maintained in operating systems such as Windows and so forth. So even after you've disconnected from the device, you would still have that information about the Bluetooth user you connected to. Now, all the versions that we've discussed have weaknesses, and they all have weaknesses that pertain to keys, whether they're inadequate PINs, bad keys, bad encryption and so forth. But you've also got other weaknesses: keys that are improperly stored on the device; an encryption key length that's negotiable, meaning that it's not fixed and can unfortunately be reduced; no user authentication between devices; and no end-to-end security, no other means of protecting the communication session other than what Bluetooth offers. You also have issues with devices that remain discoverable for way too long or too often. Discoverable means that they're out there searching for another device to pair with. So if they're discoverable, they're transmitting and so forth, and they can be attached to by a malicious device or a malicious user. You only want to have discoverable turned on for as long as you need it, and no more. So those are some of the generic weaknesses Bluetooth has. We'll talk a little bit later about how to secure those weaknesses, and we'll also talk about how those weaknesses are attacked.

8.3 Bluetooth Security Features

Let's discuss some security features inherent to Bluetooth. Now, some of these features depend upon the version of Bluetooth that you are using. Of course, there are some features that are inherent to all versions of Bluetooth. One security feature, if you will, is physical proximity. Because Bluetooth devices have to operate very close to each other, it actually makes it more difficult for attacks to occur. However, an attacker that does attack a Bluetooth device has to be in very close physical proximity, and because of that, it's likely the attack will be very unobtrusive and you may not even notice it's happening. But at least proximity can prevent attacks that occur from far away. Now, another sort of security feature is the use of Frequency Hopping Spread Spectrum. FHSS could, back in the older days of Bluetooth, marginally make attacks more difficult because of the frequency hopping. That's really no longer a security protection, if it ever was to begin with, because these days devices are able to key in on those frequencies a lot faster, so it's not really a security measure. So if you've heard that before, it really doesn't apply to Bluetooth specifications these days. Now, there are Bluetooth specifications out there that call for four basic security modes, 1 through 4. The modes basically indicate whether a Bluetooth device is going to initiate security and if it supports certain security features such as encryption, authentication and so forth. Let's talk about each of these modes. First there's Security Mode 1, and this by and large is considered not secure at all. So you almost never see this used except for backwards compatibility with very old devices. Security Mode 1 does not initiate any authentication or encryption at all, which is unfortunate, because encryption and authentication are both really needed in today's Bluetooth world. Now, because it doesn't initiate security, it allows any Bluetooth device out there that requests a connection
to establish that connection. So if a malicious hacker wants to establish a connection with a device that's set to Security Mode 1, it's actually very easy to do. Now, on the other hand, even if the device is set to Security Mode 1, if the other device requests security, it will participate in it. But obviously an attacker who's trying to make use of Security Mode 1 won't request that security. Now, Mode 1 is supported in newer devices only for backwards compatibility with some of these older devices. It really should never be used; it shouldn't be set that way. Also keep in mind, when we're talking about Security Mode 1, or any of the other security modes for that matter, we're really talking about devices that pass data. We're talking about laptops, cell phones, tablets, Bluetooth keyboards. We're really not talking about the wireless headphones that only transmit audio, so keep that in mind. Some of these devices do not allow you to change security modes, but most of them do. Now there's Security Mode 2. That's where service-level enforced security occurs. So basically the devices negotiate the connection, and then security is initiated based upon the service that the devices want to access. So unfortunately, that link is already established when security comes into play. Now, the local security manager on the device controls the access to services and determines what will be allowed and what won't be allowed. There are policies for access control that exist, and for how they interface with other protocols and devices within Security Mode 2. Security Mode 2 can use varying levels of trust and authorization for these different services. Then there's Security Mode 3. This is the link-level enforced mode. What it means is that security is actually initiated before the link is established. So the security is initiated, then the link is established, and it's much more secure.
So there is security already there before services are rendered to the other device. Now, Mode 3 devices require a form of authentication and encryption. You can also have service-level authentication, just like you had in Security Mode 2, and it's suggested that you use both: you initiate security on the link with Security Mode 3, and you also initiate security on a service-by-service basis as well. That way you have doubled the security. And there's Security Mode 4. Now, Security Mode 4 is also a service-level enforced security mode, just like 2 is. The security is initiated only after the physical and logical link connection occurs between the two devices. It uses a few processes that weren't used previously, and one of them is Secure Simple Pairing, or SSP. This also uses a form of cryptography called Elliptic Curve Cryptography, and it uses Diffie-Hellman in combination with that so the keys can be exchanged and agreed upon.

8.4 Bluetooth Attacks

Now let's continue our discussion on Bluetooth and talk about some of the attacks that are inherent to Bluetooth. There are several well-documented attacks on Bluetooth that we see and hear about a lot in the security world. Some of these require specialized tools or software, and you'll actually find a lot of the software on the BackTrack Linux distribution that we've been using throughout the course to hack wireless networks with. This distribution contains some of the more common Bluetooth hacking tools, and we'll talk about those a little bit later. In another session, we'll actually go through BackTrack and point out some of the Bluetooth hacking tools available to you. Now, there are just a few standard Bluetooth attacks that we'll discuss. Bluesnarfing actually exploits a firmware flaw in older devices. It's an older attack. What it can do is cause a forced connection with a device, and theoretically it can allow data access to that device. Another form of attack is bluejacking. This is kind of like spam or phishing, where an attacker sends multiple unsolicited messages to a Bluetooth device. That might trick the victim into connecting to that Bluetooth device, or it may trick them into storing things like contacts in their telephone or in their laptop for that particular user, that particular attacker, or Bluetooth device. So it actually does use a form of social engineering as well. Then there's bluebugging; this is the more serious of the ones we've discussed so far. This exploits a security flaw in some older devices. What it does is it lets an attacker gain access to the actual device and its underlying command structure. Technically, you can use this to allow unauthorized data access to anything that's on the device. You can also eavesdrop, in the case of a cell phone, or you can even make phone calls on the device, if the attacker has the ability to run commands on the device using bluebugging.
There's also an attack called Car Whisperer, and this may seem kind of funny at first, but it exploits Bluetooth audio kits for vehicles. What it can allow is for the attacker to actually eavesdrop on telephone conversations that take place in a vehicle with a Bluetooth device attached. Now, obviously this is not going to happen in a moving vehicle; the victim may be parked in a parking lot talking on the phone. The attacker would have to be very close by as well. Just some generic attacks that we also see with Bluetooth: denial-of-service attacks, obviously, are rampant, and sometimes you probably would see those more often than you would see the others. Those are used to make the Bluetooth device unusable by the victim. For example, draining the battery, causing interference and so forth might do this. Now, there are other attacks that you could theoretically implement on a Bluetooth device or a Bluetooth network. These include fuzzing attacks, eavesdropping obviously, and pairing attacks, where you would interfere with legitimate pairing of Bluetooth devices or try to pair with a Bluetooth device that you shouldn't be pairing with. So that's a typical attack, and we've discussed that already. There's also an attack that I did not mention on the slides called bluecasing, and that's where you actually just do scanning of Bluetooth devices to see what's out there. It's kind of like casing the scene of a crime, for example; this is bluecasing, it's a new term out there. So there are a wide variety of Bluetooth attacks. We've talked about some of the more serious ones, some of the more common ones, but there are plenty out there that take advantage of the different weaknesses in Bluetooth: encryption, PINs and so forth.

8.5 Bluetooth Attack Tools

Now let's discuss hacking tools that you can use to perform wireless security assessments on Bluetooth. There are several tools available in BackTrack 5. We won't talk about all of them; we're basically just going to show them to you and give you a brief explanation of them. One of the things you have to have is a Bluetooth device on your computer, the laptop that BackTrack is running on, that BackTrack can detect. Otherwise, the tools won't work. Now, the tools that we're going to show you have different levels of functionality and effectiveness. Some tools are for pairing, some tools are for a full range of Bluetooth attacks, and you have tools that can even try to detect Bluetooth devices that have discoverable mode turned off. Just a couple of tools that are on here that we'll talk about, and we'll talk about a couple of others as well, include Bluediving and BlueMaho, and we'll show you how those work. Now, you've got several Bluetooth tools available to you. On BackTrack, if you open up a terminal window and look at the command line, you can go to the pentest bluetooth directory and do an ls, and you will find your list of tools that are available there. There are several available. You have bluediving, bluelog, BlueMaho, BT Audit, Redfang. There are also some tools scattered throughout the wireless directories as well, and there are some tools that are part of these suites of tools. For example, Bluediving is actually a suite of tools. Let's take a look at Bluediving for a moment. You've got a couple of things here. Obviously Bluediving is a Perl script, and it can actually do a lot of different things. Now, it's an older tool, and it was last updated way back in 2007, but it can implement several attacks even today, things like bluebugging, bluesnarfing and even bluesmack. And these particular attacks can not only pair with a Bluetooth device,
they can eavesdrop, they can detect signals, they can even connect to a Bluetooth device like a smartphone, and it's possible to make this connection and run commands or eavesdrop on voice calls with it. Now, there's another tool out there that is called BlueMaho, and we'll take a look at it as well. Let's go back up our directory a little bit and do an ls, and let's go to bluemaho. There are different directories here that we can use to configure BlueMaho; there's an exploits and a tools directory. BlueMaho is a Python script, and it's fairly up to date. Let's go ahead and run it real quick and see what we get. Let's type in python bluemaho.py, and that will run our Python script. We actually get a GUI with BlueMaho, and there are several things you can look at. You can select the exploits available to you: bluesmack, bluebugger and so forth. You can also select the particular tool you want to run: ATShell, Bluetracker, BSS, BTFTP and Carwhisperer. Carwhisperer is a very popular tool that's used to eavesdrop on car audio kits that use cell phones. So if you're within range, you could actually use this to eavesdrop on a cell phone conversation that takes place over the car audio system. Now, this is all assuming that you have a valid Bluetooth device that can be used in your BackTrack distribution, obviously. So let's take a look at a couple of other things here. You can see everything you need at the command prompt in the shell terminal window, but you can also access these through the GUI as well. If we go to Applications here, and go to BackTrack and Exploitation Tools, and then cruise over to Wireless Exploitation Tools and Bluetooth Exploitation, you'll see a wide variety of tools there: atshell, which is part of BlueMaho, so you can also access it that way; bluediving; bluelog; BT Audit and Redfang.
Redfang is an interesting tool that can actually help you connect to a Bluetooth device that is not turned on in discoverable mode. That's very interesting. It actually tries to do a brute force of the last six bytes of the Bluetooth identifier, and by doing that it can actually locate Bluetooth devices that are turned off in terms of being discoverable. So there's a wide variety of Bluetooth tools that we can use in BackTrack, and while we're not going to go in depth on any one of them, because this really is an 802.11 course versus a Bluetooth hacking course, they're there for you to use if you so choose to do testing on your Bluetooth devices on your network.

8.6 Securing Bluetooth

To top off our discussion on Bluetooth, let's talk about securing it. We've talked about its weaknesses; we've talked about attacks. Now, how do we fix Bluetooth? First of all, we set devices to as low a power as we need for them to work. If the power doesn't need to be turned up on them, we don't turn it up. We also want to make sure that we choose PIN codes that are sufficiently random, that they're long enough, and also that they're kept private. One thing we want to do is avoid static and weak PIN numbers, such as all zeroes. We've all seen Bluetooth devices that have a PIN number of 0000, or 1111, or something of that nature. Avoid those PINs and change them when you can. Don't base your link keys on your unit keys, obviously, because they can be derived from each other. Now, there is the "just works" type of security model, or actually, it's not a security model; it's more of a functionality model. When we say "just works", it does just work, and it provides that functionality to the user, but it's just not secure, so avoid using that whenever possible. Configure your Bluetooth devices to be non-discoverable most of the time, by default. They don't need to stay in a discoverable mode. Only turn discoverable on when you absolutely need to, and then turn it off. Use link encryption for all of your pairings. Make sure that that encrypted link is there when you pair a device so that the PIN will not be in clear text. Use mutual authentication for devices when it's available. Typically you can use mutual authentication when you're using laptops and other devices that support it. Use the highest level of security that's supported by your device. You may have to negotiate down and go with the least common level of security between the devices, but still use the highest possible you can achieve with both of them. You also want to configure the maximum encryption level that is practical between your two devices.
Whatever they can both go to, set it at that. If you need to, use application-level authentication and encryption for very sensitive data. Now, obviously Bluetooth takes place at the lower levels of the OSI model; application protocols such as SSH, SSL or even certificate-based authentication could be used in some instances to protect that data as it goes from Bluetooth device to Bluetooth device. You also want to pair devices as infrequently as possible. Only do it when you need to, and when you're pairing two devices you need, don't pair to just any device. You should also only pair your devices in a secure area. In other words, an area that could be inside, away from other folks with Bluetooth devices who may be eavesdropping on your Bluetooth pairing and your Bluetooth connections. Try to do it away from public places: in your home, in your office and so forth, in a good area. Now, there are also some non-technology types of protections, and these are obviously typical security protections we would use for a wide variety of things, not just Bluetooth, but also wireless, wired networks and so forth. Policy and procedures is the big one. Make sure that your organization, if they are using Bluetooth on a widespread basis, has a policy on it: what level of security Bluetooth devices will use, strength of the PIN, and so forth. Have that dictated and spelled out in policy, and have procedures for these things, such as pairing and so forth. Also, educate your users on the security issues that are inherent with Bluetooth and how to get around them, how to secure their Bluetooth devices.
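As an added example (not from the course or the tools it shows), here is a small POSIX shell helper that checks two of the controls just discussed on a Linux host like BackTrack: whether the BlueZ adapter is still discoverable, parsed from `hciconfig -a` output, and whether a proposed pairing PIN is one of the static or trivially guessable values. The `hciconfig` output is a constructed sample, and the 8-digit minimum PIN length is an assumed policy value.

```shell
#!/bin/sh
# Added example, not part of the course: audit helpers for the host-side
# Bluetooth controls discussed above, run against constructed sample data so
# the script works offline. Real use pipes `hciconfig -a` into adapter_state.

# Constructed sample of `hciconfig -a` output. PSCAN and ISCAN both set means
# the adapter answers inquiries, i.e. it is discoverable to any scanner.
SAMPLE_DISCOVERABLE='hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 1021:8  SCO MTU: 64:1
        UP RUNNING PSCAN ISCAN
        RX bytes:1234 acl:0 sco:0 events:56 errors:0'

# The same adapter after `hciconfig hci0 pscan`: still connectable by devices
# that already know its address, but no longer discoverable.
SAMPLE_LOCKED='hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 1021:8  SCO MTU: 64:1
        UP RUNNING PSCAN
        RX bytes:1234 acl:0 sco:0 events:56 errors:0'

# adapter_state: read hciconfig output on stdin and print one of
#   discoverable  (ISCAN set: inquiry scan on, visible to any scanner)
#   connectable   (PSCAN only: page scan on, reachable only by known address)
#   hidden        (neither scan enabled, or the adapter is down)
adapter_state() {
    flags=$(grep -E '^[[:space:]]*(UP|DOWN)([[:space:]]|$)' | head -n 1)
    case "$flags" in
        *ISCAN*) echo discoverable ;;
        *PSCAN*) echo connectable ;;
        *)       echo hidden ;;
    esac
}

# pin_check PIN [MIN_LEN]: print "ok" or the reason the PIN is weak.
# MIN_LEN defaults to 8, an assumed policy value (the course gives no number);
# the static all-same-digit PINs are the ones the course warns about.
pin_check() {
    pin=$1
    min_len=${2:-8}
    case "$pin" in
        '' | *[!0-9]*) echo "weak: not all digits"; return 0 ;;
    esac
    if [ "${#pin}" -lt "$min_len" ]; then
        echo "weak: shorter than $min_len digits"; return 0
    fi
    # Static PINs such as 0000 or 1111: delete every copy of the first digit
    # and see whether anything is left.
    first=$(printf '%s' "$pin" | cut -c1)
    rest=$(printf '%s' "$pin" | tr -d "$first")
    if [ -z "$rest" ]; then
        echo "weak: single repeated digit"; return 0
    fi
    # Keypad runs such as 12345678 or 87654321 are as guessable as static PINs.
    if printf '%s' '01234567890123456789' | grep -q "$pin" ||
       printf '%s' '98765432109876543210' | grep -q "$pin"; then
        echo "weak: sequential digits"; return 0
    fi
    echo ok
}

# Stand-alone demonstration on the constructed samples.
printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_DISCOVERABLE" | adapter_state)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_LOCKED" | adapter_state)"
for p in 0000 1111 12345678 83920417; do
    printf 'PIN %s: %s\n' "$p" "$(pin_check "$p")"
done
```

On a live host you would source the functions and run `hciconfig -a | adapter_state`; `hciconfig hci0 pscan` (or `noscan`) is the BlueZ command that turns inquiry scan off once a device reports as discoverable.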
