University of Virginia 1 Gregory Lamm, Gerlando Falauto, Jorge Estrada, Jag Gadiyaram November 29, 2000...

Post on 30-Dec-2015


University of Virginia

1

Gregory Lamm, Gerlando Falauto, Jorge Estrada, Jag Gadiyaram

November 29, 2000

Identifying and Assessing Security Issues related to Bluetooth Wireless Networks

2

A Christmas Carol

Charles Dickens had it right: for every major issue (or story) in the world, there is usually a Past, a Present and a Future that are clearly identifiable.

Group 11 would like to tell you a story.

3

The Ghost of Bluetooth Past

• 10th Century Danish King (unified warring Viking Tribes): Harald Bluetooth

• No Wireless Networks prior to 20th Century

• New Wireless Transmission Schemes for the 21st Century
– 802.11b
– Home Radio Frequency
– Bluetooth (version 1.0)

4

Past Bluetooth Attacks

1. Third Party Eavesdropping & Impersonating

2. Stealing Addresses from a Bluetooth Device
– Tracking the device through the network
– Impersonate a device

5

The Ghost of Bluetooth Present

• Ad hoc Networks
• Bluetooth Chip: $50
• Range: 10 meters (30 feet)
• Throughput: 720,000 bps
• Peer to Peer
• Piconet (8/250)
• Scatternet (10 Piconets)

6

Bluetooth (Special Interest Group)

1,900 Bluetooth Technology Manufacturers

7

Bluetooth Applications

8

Bluetooth Development

Local Area Network (LAN)

• Small Network
• Large Throughput
• IR or Radio Communication
• Relays not used
• Fixed with limited mobility
• Small Distances

Wireless Phone Network

• Large Network
• Small Throughput
• Radio Communication
• Relays used
• Mobility
• Large Distances

9

Bluetooth Overview

Local Area Network (LAN)

Wireless Phone Network

Authentication

• Challenge-Response Scheme
• SAFER+
• None/One-way/Mutual
• Needed for encryption

Encryption

• Optional
• Symmetric Stream Cipher
• Negotiable Key Size (8-128 bits)
• Clock dependent

Communication

• Radio Frequency Hopping (1600 Hps)
• 2.4GHz Frequency Range
• RF Interface
• 720 Kbps – 4 Mbps

10

Bluetooth Communication

• Link Manager Protocol (LMP)
– Configure, authenticate and handle the connections
– Power management scheme

• Radio Frequency Communications (RF C)
– Controls Frequency Hopping for Bluetooth

• Logical Link Control (LLC)
– Link Management
– Security Management
– QoS Management
– Transmission Scheduling

11

Bluetooth Authentication

[Figure: challenge-response authentication between A (Verifier) and B (Claimant). Link key generation produces KLINK from the PIN and a random number. AU_RAND passes between A and B; on each side E1 (SAFER+) takes AU_RAND, BD_ADDRB and KLINK and outputs SRES and ACO (SRES’ and ACO’ on the other side). CHECK: SRES = SRES’. ACO feeds encryption key generation.]
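The challenge-response exchange from the Bluetooth Authentication slide, as an added example that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for E1 (SAFER+) and for link key generation, the class and function names are hypothetical, and the PIN, random number and BD_ADDRB are constructed sample values.

```python
import hashlib
import hmac
import secrets

def derive_link_key(pin: bytes, rand: bytes) -> bytes:
    # Stand-in for the slide's "link key generation" box: K_LINK from PIN + random number.
    return hmac.new(pin, b"K_LINK" + rand, hashlib.sha256).digest()[:16]

def e1(k_link: bytes, au_rand: bytes, bd_addr_b: bytes):
    # Stand-in for E1 (SAFER+ on the slide; HMAC-SHA256 here is an assumption).
    # Returns (SRES, ACO): 32-bit response, 96-bit offset kept for encryption key generation.
    out = hmac.new(k_link, au_rand + bd_addr_b, hashlib.sha256).digest()
    return out[:4], out[4:16]

class Claimant:  # device B
    def __init__(self, bd_addr: bytes, k_link: bytes):
        self.bd_addr, self.k_link, self.aco = bd_addr, k_link, None

    def respond(self, au_rand: bytes) -> bytes:
        sres, self.aco = e1(self.k_link, au_rand, self.bd_addr)
        return sres

class Verifier:  # device A
    def __init__(self, k_link: bytes):
        self.k_link, self.au_rand, self.aco = k_link, None, None

    def challenge(self) -> bytes:
        self.au_rand = secrets.token_bytes(16)  # fresh AU_RAND for every attempt
        return self.au_rand

    def check(self, bd_addr_b: bytes, sres: bytes) -> bool:
        expected, aco = e1(self.k_link, self.au_rand, bd_addr_b)
        ok = hmac.compare_digest(expected, sres)  # CHECK: SRES = SRES'
        self.aco = aco if ok else None            # no ACO without a successful check
        self.au_rand = None                       # a challenge is single-use
        return ok

def authenticate(a: Verifier, b: Claimant) -> bool:
    return a.check(b.bd_addr, b.respond(a.challenge()))

def demo():
    rand = bytes(range(16))                  # constructed random number
    addr_b = bytes.fromhex("001122334455")   # constructed BD_ADDR_B
    k_link = derive_link_key(b"1234", rand)  # constructed PIN
    a, b = Verifier(k_link), Claimant(addr_b, k_link)
    good = authenticate(a, b)
    same_aco = a.aco is not None and a.aco == b.aco
    wrong = Claimant(addr_b, derive_link_key(b"0000", rand))
    return good, same_aco, authenticate(a, wrong), a.aco

if __name__ == "__main__":
    print(demo())
```

Both sides end a successful run holding the same ACO, which is why the overview slide lists authentication as needed for encryption; a claimant holding a different link key fails the SRES check and leaves the verifier with no ACO.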

12

Bluetooth Encryption

[Figure: E0 encryption between A and B. On each side E0 takes BD_ADDRA, clockA and KC’ (K’C’ on the other side) and produces Kcipher (K’cipher), which is combined with dataA-B and dataB-A.]

Is everything OK? Yes, BUT...

13

The Ghost of Bluetooth Future

Security Weaknesses

• Encryption
– Plain Text Attack

• Authentication
– Unit Key Stealing

• Communication
– Impersonation

14

Bluetooth Applications

15

Conclusions

• As Viking Hackers, we believe that Bluetooth has some vulnerabilities and some increased security measures are needed.

Security Functionality