Overview of the security weaknesses
in Bluetooth
Dave Singelée, COSIC seminar, 11/06/2003
Outline of the talk
1. Introduction
2. Protocols in Bluetooth
3. Security problems
4. Recommendations / solutions
5. Conclusion
Personal Area Network (PAN)
- Small number of mobile devices
- Heterogeneous
- Ad-hoc network
- Wireless (WPAN)
- Small range
Personal Area Network (PAN)
Constraints
- Limited battery power
- Computational power
- Small amount of memory
- Small range
- Ad-hoc network
- Not always I/O-interface
Different technologies
- Infrared (IrDA)
- Radio propagation (Bluetooth)
- Human body (Body Area Networks)
- …
Bluetooth
- 1998: Bluetooth SIG
- IEEE 802.15
- Range < 10 m
- 2.4 GHz ISM band
- Spread spectrum & frequency hopping
- 1 Mbit/s
- Piconets: 1 master and up to 7 slaves
My colour convention (the slide colours are not preserved in this text)
- XXX = public value
- XXX = secret value
- XXX = sent in clear
- XXX = sent encrypted
Protocols in Bluetooth
1. Generation of unit key
2. Generation of initialization key
3. Generation of link key
4. Mutual authentication
5. Generation of encryption key
6. Generation of key stream
7. Encryption of data
1. Generation unit key
Diagram: KA = E21(RANDA, ADDRA)
2. Generation initialization key
Diagram: IN_RAND sent in clear; both sides compute Kinit = E22(PIN, L, IN_RAND), with L the PIN length
3. Generation link key (1)
Diagram: A sends its unit key masked with the initialization key (KA ⊕ Kinit); both sides then use KA = Klink
3. Generation link key (2)
Diagram: A sends LK_RANDA ⊕ Kinit and B sends LK_RANDB ⊕ Kinit; LKA = E21(LK_RANDA, ADDRA), LKB = E21(LK_RANDB, ADDRB); both sides compute KAB = LKA ⊕ LKB = Klink
4. Mutual authentication
Diagram: the challenge AU_RAND is sent in clear; the claimant computes (SRES, ACO) = E1(Klink, AU_RAND, ADDRB) and returns SRES; the verifier recomputes SRES and compares; both sides keep ACO
5. Generation encryption key
Diagram: EN_RAND sent in clear; both sides compute KC = E3(Klink, EN_RAND, ACO)
6. Generation key stream
Diagram: both sides compute KCIPHER = E0(KC, ADDRA, clockMASTER)
7. Encryption of data
Diagram: the sender transmits DATA ⊕ KCIPHER; the receiver recovers DATA with the same KCIPHER
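The key hierarchy of steps 2 to 5 (initialization key, combination link key, mutual authentication, encryption key) as an added example that is not part of the slides. E21, E22, E1 and E3 are constructed HMAC-SHA-256 stand-ins, not the SAFER+-based functions Bluetooth uses; the PIN and device addresses in the test are also constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the SAFER+-based Bluetooth functions E21, E22, E1
# and E3 (NOT the real algorithms): HMAC-SHA-256 truncated to 128 bits keeps
# the data flow of the slides readable without reimplementing SAFER+.
def _prf(tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(tag, b"".join(parts), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E22(pin: bytes, in_rand: bytes) -> bytes:
    # Kinit = E22(PIN, L, IN_RAND), L = PIN length
    return _prf(b"E22", pin, bytes([len(pin)]), in_rand)[:16]

def E21(rand: bytes, addr: bytes) -> bytes:
    # unit key or combination-key share: E21(RAND, ADDR)
    return _prf(b"E21", rand, addr)[:16]

def E1(k_link: bytes, au_rand: bytes, addr: bytes) -> tuple:
    # (SRES, ACO) = E1(Klink, AU_RAND, ADDRB); SRES is 32 bits, ACO 96 bits
    d = _prf(b"E1", k_link, au_rand, addr)
    return d[:4], d[4:16]

def E3(k_link: bytes, en_rand: bytes, aco: bytes) -> bytes:
    # KC = E3(Klink, EN_RAND, ACO)
    return _prf(b"E3", k_link, en_rand, aco)[:16]

def pair_combination_key(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom):
    """Steps 2 and 3(2): Kinit from the PIN, then each side's LK_RAND sent
    XORed with Kinit. Returns (KAB as computed by A, KAB as computed by B)."""
    in_rand = rng(16)                          # sent in clear
    k_init = E22(pin, in_rand)                 # both sides, from the shared PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)    # never leave A resp. B
    on_air_a = xor(lk_rand_a, k_init)          # what A transmits
    on_air_b = xor(lk_rand_b, k_init)          # what B transmits
    k_ab_at_a = xor(E21(lk_rand_a, addr_a), E21(xor(on_air_b, k_init), addr_b))
    k_ab_at_b = xor(E21(xor(on_air_a, k_init), addr_a), E21(lk_rand_b, addr_b))
    return k_ab_at_a, k_ab_at_b

def authenticate(k_verifier: bytes, k_claimant: bytes, addr_claimant: bytes, au_rand: bytes):
    """Step 4 seen from the verifier: the claimant returns SRES, the verifier
    compares it with its own E1 output. Returns (accepted, ACO held by verifier)."""
    sres_claimant, _ = E1(k_claimant, au_rand, addr_claimant)
    sres_expected, aco = E1(k_verifier, au_rand, addr_claimant)
    return hmac.compare_digest(sres_claimant, sres_expected), aco
```

Every value that crosses the air (IN_RAND, the masked LK_RAND values, AU_RAND, SRES, EN_RAND) is derived from the PIN and public randomness, which is why the slides tie the security of the keys to the security of the PIN.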
Most important security weaknesses
- Problems with E0
- Unit key
- PIN
- Problems with E1
- Location privacy
- Denial of service attacks
Problems with E0
- Output (KCIPHER) = combination of 4 LFSRs
- Key (KC) = 128 bits
- Best attack: guess some registers -> 2^66 (memory and complexity)
Unit key
Diagram: A uses its unit key as link key with B: KA = Klink
Diagram: A uses the same unit key as link key with B and with C: KA = Klink and KA = K'link
PIN
- Some devices use a fixed PIN (default = 0000)
- Security of the keys = security of the PIN !!!!
- Possible to check guesses of PIN (SRES) -> brute force attack
- Weak PINs (1234, 5555, …)
Problems with E1
- E1 = SAFER+
- Some security weaknesses (although not applicable to Bluetooth)
- Slow
Location privacy
- Devices can be in discoverable mode
- Every device has a fixed hardware address
- Addresses are sent in clear
- -> possible to track devices (and users)
Denial of service attacks
- Radio jamming attacks
- Buffer overflow attacks
- Blocking of other devices
- Battery exhaustion (e.g., sleep deprivation torture attack)
Other weaknesses
- No integrity checks
- No prevention of replay attacks
- Man in the middle attacks
- Sometimes: default = no security
- …
Recommendations
- Never use unit keys!!!!
- Use long and sufficiently random PINs
- Always make sure security is turned on
- …
Interesting solutions
- Replace E0 and E1 with AES
- Use MACs to protect integrity
- Pseudonyms
- Identity based cryptography
- Elliptic curves
- Use MANA protocols instead of PIN
- Use network layer security services (IPSEC) to provide end-to-end security
Conclusion
- Bluetooth has quite a lot of security weaknesses!
- Need for secure lightweight protocols
- More research needed!!
Questions?