Wireless OverviewProtocols and Threat Models
www.decodesystems.com/blackhat/bh-1.ppt
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 2
Focus of this talk
• Overview of available commercial technologies• Skipping 802.11• U.S.-centric• Terrestrial networks• Additional information in second briefing
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 3
Wireless OverviewProtocols and Threat Models
• Radio Frequency Basics• Mobile telephony• Cellular Digital Packet Data (CDPD)• Nextel• Private data networks• Two-way paging• Bluetooth• 3G
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 4
Why Wireless
• Immediate communication, mobile user• Two-way, interactive• Broadcast• Convenience• Bandwidth limitations• Roaming (no fixed location)
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 5
Market Requirements
• Reliable• Low-cost• Easy to use• Secure• Pervasive• Interoperable
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 6
Wireless Security Requirements
• Trust Model• access control
– authenticate users to access particular resources• link privacy
– encryption• link integrity
– message authentication• prevent denial of service
– (limit bandwidth hogs)
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 7
Radio Frequency• Federal Communications
Commission• FM Radio: 88 to 108
MHz• Cellular telephones: 800
and 1900 MHz• Two-way pagers: 900
MHz• Industrial, Scientific and
Medical (ISM): 2.402 to 2.480 GHz
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 8
Radio Wave
• Frequency• Wavelength• Amplitude• Modulation
– Amplitude– Frequency– Phase– FSK– PSK
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 10
Generic Wireless Architecture
• Mobile terminal• Airlink• Radio base station• Intraconnect links• Network control• Interconnect links• External Networks
– Public Switched Telephone Network
– Internet
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 11
Common Airlink Problems
• Variable link quality• Multi-path (signal reflections)• Shadowing (terrain/structure blockage)• Interference
– Other users– EMI
• Attenuation– Distance– Antenna orientation/polarization
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 12
Multipath
• Multiple paths to receiver
• Each path has slightly different time delay
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 14
Error Detection/Correction• Parity Codes
– Parity bits + Data bits = Expected code word• Cyclic Redundancy Check
– Chunk of data + Polynomial residue• Block Codes
– Chunk of data + Redundant Data• Convolutional Codes
– Data stream fed through LFSR– Code rate, constraint length
• Concatenated Codes
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 15
Terrestrial Networks
• Voice primary– Cellular and PCS– Nextel
• Data primary– private packet– paging
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 16
Cellular
• Analog• Digital - TDMA• Digital - CDMA• Digital - GSM
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 17
System Comparison
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 18
Cellular Frequency Reuse• Seven frequency sets• Geographic distance
between sets allows the same frequencies to be reused
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 19
Cellular-based• Mobile Telephone
Switching Office (MTSO)– Controls multiple base
stations– Interfaces to PSTN
• Mobile is handed off from one base station to another
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 20
Advanced Mobile Phone System
• “1G”• Analog voice• 50 MHz, 832 channels• Mobile transmit: 824 MHz to 849 MHz• Base transmit: 869 to 894 MHz• 21 control channels• Designed in 1970’s
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 21
Cellular Telephone startup• Mobile telephone scans for
strongest control channel• Listens to overhead
messages on forward link• Sends registration message
– Electronic Serial Number (ESN)
– Mobile Identification Number (MIN)
• Waits for paging message
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 22
AMPS weaknesses
• Interception is easy (but now illegal)
• Spoofing (“cloned” phones)
• Call hijacking• Tracking
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 23
Locating Mobiles
• GPS• Time Difference of Arrival• Angle of Arrival• Multipath Fingerprinting
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 26
Cellular Digital Packet Data
• Packet data sent on idle voice channels
• Voice takes priority• AT&T
– “OmniSky” service• Verizon• IP-based interfaces• 150,000 customers• Many police car installs
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 28
CDPD Elements• M-ES: Mobile End System
– CDPD modem• MDBS: Mobile Data Base
Station– RF interface
• MD-IS: Mobile Data Intermediate System– Mobile Home Function (MHF)– Mobile Serving Function (MSF)
• IS: Intermediate System– Router, IP/CNIP
• F-ES: Fixed End Station
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 29
CDPD Roaming
• Packets to M-ES go to MHF MD-IS first
• Forwarded to MSF MD-IS• Packets from M-ES can
route directly to F-ES
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 30
CDPD Airlink• GMSK modulation• 19.2 kbps raw data rate• FEC
– Reed-Solomon 63, 47 block code– 47 info symbols (six-bit symbols, 282 bits), 16
parity symbols, 63 total symbols– Correct up to 8 six-bit symbols
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 31
CDPD MAC• Continuous forward link from MDBS• Mobiles listen to forward link busy/idle• Possible reverse channel collisions
– Mobile checks forward link for decode success• Header, User Data, Trailer (Frame Check)• Flag, address, control fields in header• Selective ARQ
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 32
CDPD Link Establishment
• M-ES known to serving MD-IS Terminal Equipment Identifier (TEI), 6 to 27 bits
• M-ES sends TEI Request with 48-bit Equipment ID
• MD-IS issues TEI Assign with assigned TEI• TEI lifetime of 4 hours, can be exhausted
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 33
CDPD Registration• End System Hello (ESH) message
– Network Equipment Identifier (usually 32-bit IP address)– Registration Counter (to filter duplicates)– Credentials
• Authentication Random Number (ARN, 64 bits)• Authentication Sequence Number (ASN, 16 bits)
– Shared history (incremented by 1 after each TEI assignment)
• ESH sent from M-ES to MDBS encrypted• ASN and ARN are both 0 at initial configuration• ARN occasionally changed• Network maintains two most-recent Credentials
– (in case of loss of update synchronization)
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 34
CDPD Registration
• MD-IS sends Redirect Request (RDR) to MHF
• Requests MHF send all future packets to it
• MHF checks M-ES Credentials
• MHF returns Redirect Confirmation to MSF
• MSF returns Hello Confirmation (ISC) to M-ES
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 35
CDPD Attacks• IP-accessible Intermediate Systems (routers)
– Attacks from outside, other providers– BGP4, OSPF, buffer overflow, etc
• Only the airlink is encrypted• Use unauthenticated RDR messages to grab traffic• Brute force Credentials via repeated RDR • Jam reverse link transmissions
– Disrupt M-ES reception– Busy-out the reverse link (attempt saturation)– Place an analog call via CDPD cellsite
• CDPD “ZAP” command to silence bad modems
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 36
Cellemetry
• Use spare capacity in the cellular control channel
• A few bytes• Telemetry
– Vending machines– Maintenance data
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 37
Digital AMPS
• Answer to capacity issues• AT&T Wireless• IS-136• 800 MHz cellular and 1900 MHz PCS• Time Division Multiple Access• Six timeslots• One call gets two timeslots
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 38
Time Division Multiple Access
• Mobiles take turns transmitting
• Base transmits continuously
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 39
Code Division Multiple Access
• Competitor to D-AMPS• IS-95• Sprint PCS, Verizon• Pilot + 63 other “channels”• Walsh Codes
– Requires that all users in a cell be time-synchronized to maintain orthogonality
• Near/Far problem, power control
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 40
Frequency Hopping
• Transmissions “hop”• Pseudo-random sequence• Transmitter and receiver
must synchronize• 2.4 GHz ISM
– at least 75 frequencies– duration < 400 ms
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 41
Direct Sequence
• Each data bit replaced with sequence of “chips”
• Bandwidth increases• Power density decreases• Signals appear as noise• LPI/LPD, anti-jam• GPS, IS-95• Chip pattern comes from
Pseudo-random Noise (PN) code
• Transmitter and receiver must synchronize
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 42
Correlation ExampleDATA: 1 0 1 1 0 1 1 0 0 1 0 0PN: 1010 0110 0100 1111 0001 0100 1001 0100 0101 0001 0100 1011SPREAD: 1010 1001 0100 1111 1110 0100 1001 1011 1010 0001 1011 0100
(four chips per bit)
First data bit 1 becomes 4 chips, 1010Next data bit 0 comes 4 chips, 1001 (inverted 0110)
Correlation with PN Code synchronized
SPREAD: 1010 1001 0100 1111 1110 0100 1001 1011 1010 0001 1011 0100PN: 1010 0110 0100 1111 0001 0100 1001 0100 0101 0001 0100 1011
XOR: 0000 1111 0000 0000 1111 0000 0000 1111 1111 0000 1111 1111
Correlation with PN Code not synchronized (one chip off)
SPREAD: 1010 1001 0100 1111 1110 0100 1001 1011 1010 0001 1011 0100PN: 0100 1100 1001 1110 0010 1001 0010 1000 1010 0010 1001 0110
XOR: 1110 0101 1101 0001 1100 1101 1011 0011 0000 0011 0010 0010
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 43
Problems with CDMA• Cell sites “breathe”
– Combined noise of all reverse links can exceed cell site limit
• Airlink different but network suffers same weaknesses as D-AMPS
• Must license from Qualcomm
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 44
Global System for Mobiles
• European design from the 1980s• VoiceStream, Cingular, AT&T
transitioning• Short Message Service• 200 kHz channels• Eight timeslots• 270 kbps aggregate data rate
• Separates equipment identity from user identity
• Subscriber Information Module
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 45
International Mobile station Equipment Identity
• Type Approval Code (TAC) is issued by a central authority
• Final Assembly Code (FAC) identifies the place of manufacture
• Serial Number (SNR) assigned by the manufacturer
• Spare (SP) is reserved, usually zero.
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 46
International Mobile Subscriber Identity
• Mobile Country Code (MCC) identifies the country in which the customer is subscribed.– (United States is 310)
• Mobile Network Code (MNC) identifies the GSM network to which the user is subscribed, also known as the home network.– (VoiceStream is 26)
• Mobile Subscriber Identification Number (MSIN) identifies the user within the network.
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 47
GSM Speech• 20 millisecond sample of
speech• Digitized from codec (13
kbps)• Channel coding (22.8 kbps)• Interleaving• Encrypting• Burst formatting (33.8 kbps)• Modulation (270 kbps)
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 48
GSM has weak crypto
• Security by Obscurity– Algorithms never officially
released– All of them leaked or reverse-
engineered
• A3/A8 in SIM• A5 in hardware• A5 (privacy algorithm)
deliberately weakened– A8 feeds it weakened keys– Weaker algorithm (A5/2) for
export
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 49
Short Message Service• 20 billion SMS messages per month from
553 million GSM subscribers• Carried in GSM logical data channel• Increasing applications
– Youth market (Instant Messenger)– eBay outbidding– Remote monitoring
• TDMA and CDMA have similar– “Tacked on”
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 50
Some SMS Issues
• Early pre-pay phones had free SMS due to lack of billing system integration
• SMS Identity spoofing– Faked “caller-ID” data
• SMS viruses• Crash certain phones
– Badly-formatted binary messages
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 51
Integrated Dispatch Enhanced Network (iDEN)
• Grew out of Specialized Mobile Radio (SMR), dispatch/group environment
• Equipment from Motorola• Service from Nextel• TDMA, 6 timeslots, 15 ms each• Continuous forward control channel• VSELP voice• Test equipment can monitor
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 52
Mobitex
• Cingular Interactive (US)• Rogers (Canada)• “Palm.Net” service• Ericsson standard• 700,000 customers
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 53
Mobitex coverage
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 54
Mobitex• 2,500 U.S. base stations• 30 mile radius• 10 - 30 channels per site• 12.5 kHz• 8 kbps signaling rate• 895 - 910 MHz• 2 watts
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 55
Mobitex monitoring
• Specification publicly available• Source code to monitor released on Usenet
– Receiver with 800 MHz coverage– PC with simple interface board
• Network interfaces via Internet, frame relay, X.25
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 56
Advanced Radio Data Information System (ARDIS)
• IBM field personnel, Motorola network• Motient (US), Bell Mobility (Canada)• 40 million messages/month• 1,500 base stations• 40 watt transmitter, 10 - 15 mile range• X.25 or TCP/IP to ARDIS switch
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 57
ARDIS Network• Radio Packet Modem (RPM)• Base stations talk to Radio
Network Controller (RNC) via leased lines with dialup restoral
• Switch is “ARDIS Service Engine”
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 58
ARDIS Airlink
• DataTac 4000 (US)• MDC 4800 or RD-LAP 19.2• 2048 maximum message• 240 or 512 byte max packet payload• Logical Link Identifier (unique device ID),
either 4 or 8 bytes• CRC and FEC
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 59
ARDIS Protocols
• Standard Context Routing (SCR)– Basic Inbound (from server to mobile)– Basic Acknowledgement (mobile ACK)– Basic Outbound (from mobile to server)
• Peer-to-peer – “Message Generator” (MG) protocol– Poorly validated field values
• Sender (spoof)• Recipient (spam)• Message length (crash client application)
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 60
ARDIS Message Filtering
• Radio Packet Modem uses Hayes AT command-style interface
• “The modem’s two-character S50 register contains the current user header. When a wireless modem receives an outbound message from the ARDIS network, the modem examines the user header in the message header. If the user header in the message matches the user header in an S50 register, the message can be received. If it does not match, the message is discarded.”– ATS50=QA
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 61
ARDIS Security Recommendations• “Customers with sensitive data may want to provide data
encryption within their applications. For example, an exclusive OR could be applied to ASCII data with a randomly generated encryption key selected for each terminal during logon.
• NOTE: Only user data can be encrypted; ARDIS must be able to read SCR and other user header data to determine the proper disposition of a message.”
• “A wireless device application should allow a command from the host to dump all RAM contents and disable the application. This command could be used if a wireless device were lost or stolen. This feature could be activated automatically when a logon is attempted, or by a host user.”
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 62
MicroCellular Data Network (Ricochet)
• Mesh topology• FHSS, every 10 - 25 ms• Synchronous heartbeat, 30 sec• Ricochet modems: 900 MHz• Poletop radios: 2.3, 2.4 GHz
– Density 5 - 12 per square mile
• Wireless Access Point (WAP)– Covers 10 - 12 square miles
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 63
Ricochet Network• Name Server: The Ricochet Name Server
maintains access control and routing information for every radio and service within the Ricochet network. Every time a Ricochet device (subscriber device, microcell radio, or gateway) is powered on, it registers with the Name Server to verify that it has network authorization. Whenever a Ricochet device requests a connection, the Name Server validates the request. If authorized, the originator is provided with a network routing path to the requested destination.
• MCDN Path– List of addresses (IP, phone number, microcell
number) of waypoints– part of header, used to route the packet
• Packet delivery services– Lightweight: in-order, windowed, no end-to-end
retries– Heavyweight: in-order, windowed, end-to-end retries
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 64
Metricom and Ricochet
• Metricom• 51,000 customers in 21 cities• Bankruptcy
• Ricochet Networks (part of Aerie Networks)• Gen II: 176 kbps, up to 400 kbps bursts
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 65
FLEX (One-way paging)
• Four level FSK• 1600, 3200, 6400 bps• Four-minute FLEX
protocol cycle• Short capcodes: 7 digits• Long capcodes: 9 digits• FLEXsuite: 128-bit RC4,
symmetric keys
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 66
ReFLEX (Two-way paging)
• Narrowband PCS• Nationwide frequencies• Forward: 896-902 MHz• Reverse: 929 - 931, 940 -
941 MHz
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 67
ReFLEX inbound messaging
• Send request on shared ALOHA channel• Receive timeslot assignment• Send data in assigned timeslot on data
channel
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 68
ReFLEX forward link
• ReFLEX frame is 1.875 s• 128 frames = cycle (4 minutes)• 21 data, 11 error correction (21,32) BCH• “collapse”, sleep for 2n frames
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 69
Bluetooth• Peer-to-peer, proximity-based
“personal area network”• Low power, short range• Multiple devices in a
“piconet”– one device is master
• Up to 10 piconets may link to form “scatter nets”
• Each device has a unique 48-bit address
• Initialization process uses a PIN
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 70
Bluetooth Airlink• 2.45 GHz• 1,600 hops per second• Master and up to 7 active Slaves• Hop sequence based on master’s address• GMSK, BPSK• FEC• Master: up to 721 kbps, even timeslots• Slave: 57.6 kbps, odd timeslots• 79 frequencies• 3.2 kHz clock, 28 bits
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 71
Bluetooth device modes
• Four modes: – active (continuous)– sniff (check at intervals)– hold (check again later)– park (listen for beacon only)
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 72
Bluetooth Protocol Stack
• Application Group• Middleware Protocol Group• Transport Protocol Group
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 73
Transport Protocol Group• Radio• Baseband• L2CAP (Logical Link Control and Adaptation
Protocol)– Protocol multiplexing– Fragmentation/reassembly
• Audio• Control• Link Manager
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 74
Bluetooth Identifiers
• Device Address, 48 bits• Private Authentication Key, 128 bits• Private Encryption Key, 8 to 128 bits• RAND, 128 bits
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 75
Bluetooth Security Modes
• Security Mode 1– non-secure
• Security Mode 2– service-level– after channel establishment
• Security Mode 3– link-level– prior to channel establishment
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 76
Bluetooth Security Levels
• Device– Trusted– Untrusted
• Service– Authorization and Authentication– Authentication Only– Open to all devices
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 77
Bluetooth Unit Key
• Unit Key– E21( Device Address, Random Number)– Usually fixed for the lifetime of the device
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 78
Bluetooth Initial Key Generation
• Verifier sends Claimant IN_RAND• Verifier computes Kinit from
E22( IN_RAND, PIN)• Kinit is temporary link key• PIN can be
– Fixed in simple device– Keyed in by user (typically 4 digits)– Generated by user device
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 79
Bluetooth Authentication
1. Device A generates AU_RAND and sends it to Device B2. Device B sends Device AddressB to Device A
3. Device A and Device B both compute SRES and ACO from SAFER+ based MAC function E1(Kinit, AU_RAND, Device Address )
4. Device B sends SRESB to Device A
5. If SRESA equals SRESB, then devices are authenticated
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 80
Bluetooth Link Key• Two types of link keys• Unit key of one of the devices
– Unit A computes K = KA XOR Kinit and sends K to Unit B
– Unit B computes KA = K XOR Kinit
– KA is used as link key
• Key derived from both unit keys– Unit A generates LK_RANDA, sends it to Unit B and computes
LK_KA = E21(LK_RANDA, Device AddressA )
– Unit B generates LK_RANDB, sends it to Unit A and computes LK_KB = E21(LK_RANDB, Device AddressB)
– Both units compute each other’s key and the link key KAB = LK_KA XOR LK_KB
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 81
Bluetooth Encryption Key
• KC = E3( EN_RANDA, Klink, COF )• Ciphering Offset Figure (COF)
– Authenticated Ciphering Offset (ACO) or– For broadcast, Device Address concatenated
with itself
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 82
Bluetooth Encryption
• Kcipher = E0( Device AddressA, clockA, KC )
• Data is exclusive-OR’ed with Kcipher before transmission and after reception
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 83
Bluetooth Security Issues
• Privacy– Devices can be closely tracked
• Only devices are authenticated, not users• Key variables exchanged in the clear• Link key a shared secret among too many
– A, B use A’s unit key as the link key– B can later use A’s unit key and a faked address
to eavesdrop on traffic
Black Hat BriefingsJuly 31, 2002
Wireless OverviewProtocols and Threat Models
Page 84
3GPP• 3rd Generation Partnership Project• Crypto developed in the open• Air interface will use KASUMI encryption• Evolve GSM
– Multimedia Messaging Service (MMS)– General Packet Radio Service (GPRS)
• GSM overlay (Phase 1: 4x14 kbps, Phase 2: 8x14kbps)• Cingular,AT&T: TDMA to GSM to GPRS
– Enhanced Data rates for GSM Evolution (EDGE)– Universal Mobile Telephone Service (UMTS)– High Speed Circuit Switched Data (HSCSD)
Top Related