Overview of the security weaknesses in Bluetooth, Dave Singelée, COSIC seminar 11/06/2003

Post on 18-Jan-2016

Overview of the security weaknesses in Bluetooth

Dave Singelée
COSIC seminar 11/06/2003

Outline of the talk

1. Introduction
2. Protocols in Bluetooth
3. Security problems
4. Recommendations / solutions
5. Conclusion

Personal Area Network (PAN)

- Small number of mobile devices
- Heterogeneous
- Ad-hoc network
- Wireless (WPAN)
- Small range

Personal Area Network (PAN)

Constraints:
- Limited battery power
- Computational power
- Small amount of memory
- Small range
- Ad-hoc network
- Not always I/O-interface

Different technologies:
- Infrared (IrDA)
- Radio propagation (Bluetooth)
- Human body (Body Area Networks)
- …

Bluetooth

- 1998: Bluetooth SIG
- IEEE 802.15
- Range < 10m
- 2.4 GHz ISM band
- Spread spectrum & frequency hopping
- 1 Mbit/s
- Piconets: 1 master and up to 7 slaves

My colour convention

- XXX = public value
- XXX = secret value
- XXX = sent in clear
- XXX = sent encrypted

Protocols in Bluetooth

1. Generation of unit key
2. Generation of initialization key
3. Generation of link key
4. Mutual authentication
5. Generation of encryption key
6. Generation of key stream
7. Encryption of data

1. Generation unit key

[Diagram: E21 with inputs RAND_A and ADDR_A, output K_A.]

2. Generation initialization key

[Diagram: both devices run E22 on PIN, L and IN_RAND to obtain K_init; IN_RAND is passed between the devices.]

3. Generation link key (1)

[Diagram: unit key case. Labels: K_init, and K_A = K_link on both devices.]

3. Generation link key (2)

[Diagram: on both devices E21 is applied to (LK_RAND_A, ADDR_A) to give LK_A and to (LK_RAND_B, ADDR_B) to give LK_B; LK_RAND_A and LK_RAND_B are passed between the devices; LK_A and LK_B give K_AB = K_link on both sides.]

4. Mutual authentication

[Diagram: both devices run E1 on ADDR_B, AU_RAND and K_link, giving SRES and ACO; AU_RAND and SRES are passed between the devices.]

5. Generation encryption key

[Diagram: both devices run E3 on EN_RAND, K_link and ACO to obtain K_C; EN_RAND is passed between the devices.]

6. Generation key stream

[Diagram: both devices run E0 on ADDR_A, clock_MASTER and K_C to obtain K_CIPHER.]

7. Encryption of data

[Diagram: on both devices DATA is combined with the key stream K_CIPHER.]

Most important security weaknesses

- Problems with E0
- Unit key
- PIN
- Problems with E1
- Location privacy
- Denial of service attacks

Problems with E0

- Output (K_CIPHER) = combination of 4 LFSRs
- Key (K_C) = 128 bits
- Best attack: guess some registers -> 2^66 (memory and complexity)

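Unit key

[Diagram: devices A and B, with K_A = K_link.]

Unit key

[Diagram: devices A, B and C. A uses its unit key with B (K_A = K_link) and again with C (K_A = K'_link).]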

PIN

- Some devices use a fixed PIN (default=0000)
- Security of keys = security of PIN !!!!
- Possible to check guesses of PIN (SRES) -> brute force attack
- Weak PINs (1234, 5555, …)
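Added example, not part of the original slides: a model of protocol steps 2 to 4 showing that every input to the link key except the PIN is transmitted, so the PIN's entropy bounds the security of all derived keys. HMAC-SHA256 is an assumed stand-in for E22/E21/E1, the addresses are constructed, and the masking of LK_RAND with K_init is taken from the Bluetooth 1.x specification rather than from the slides.

```python
import hashlib
import hmac
import math
import secrets

def prf(label: bytes, key: bytes, *parts: bytes) -> bytes:
    """Stand-in for E22/E21/E1 (SAFER+ based in Bluetooth): HMAC-SHA256, 128 bits."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pair(pin_a: bytes, pin_b: bytes, addr_a: bytes, addr_b: bytes):
    """Model steps 2-4 between A (verifier) and B (claimant).

    Returns (authenticated, on_air); on_air holds every transmitted value.
    """
    # Step 2: K_init = E22(PIN, L, IN_RAND); IN_RAND is transmitted.
    in_rand = secrets.token_bytes(16)
    kinit_a = prf(b"E22", pin_a, bytes([len(pin_a)]), in_rand)
    kinit_b = prf(b"E22", pin_b, bytes([len(pin_b)]), in_rand)
    # Step 3 (2): each LK_RAND is sent masked with the sender's K_init
    # (assumption taken from the Bluetooth 1.x specification, not the slides).
    lk_rand_a, lk_rand_b = secrets.token_bytes(16), secrets.token_bytes(16)
    c_a, c_b = xor(lk_rand_a, kinit_a), xor(lk_rand_b, kinit_b)
    # K_AB = E21(LK_RAND_A, ADDR_A) xor E21(LK_RAND_B, ADDR_B), computed per side.
    kab_a = xor(prf(b"E21", lk_rand_a, addr_a), prf(b"E21", xor(c_b, kinit_a), addr_b))
    kab_b = xor(prf(b"E21", xor(c_a, kinit_b), addr_a), prf(b"E21", lk_rand_b, addr_b))
    # Step 4: A sends AU_RAND, B answers SRES = E1(K_link, AU_RAND, ADDR_B).
    au_rand = secrets.token_bytes(16)
    sres_b = prf(b"E1", kab_b, au_rand, addr_b)[:4]
    sres_expected = prf(b"E1", kab_a, au_rand, addr_b)[:4]
    on_air = {"ADDR_A": addr_a, "ADDR_B": addr_b, "IN_RAND": in_rand,
              "C_A": c_a, "C_B": c_b, "AU_RAND": au_rand, "SRES": sres_b}
    return hmac.compare_digest(sres_b, sres_expected), on_air

def pin_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on PIN entropy, reached only if each symbol is chosen uniformly."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    a, b = bytes.fromhex("0002ee112233"), bytes.fromhex("0002ee445566")  # constructed
    ok, seen = pair(b"0000", b"0000", a, b)
    print("same PIN authenticates:", ok, "| transmitted:", sorted(seen))
    print("PIN mismatch authenticates:", pair(b"0000", b"1234", a, b)[0])
    print("4 digits: %.1f bits; 16 random bytes: %.0f bits"
          % (pin_entropy_bits(4, 10), pin_entropy_bits(16, 256)))
```

The PIN never appears in `on_air`, yet it is the only input an observer of the pairing does not hold, which is why the recommendations call for long and sufficiently random PINs.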

Problems with E1

- E1 = SAFER+
- Some security weaknesses (although not applicable to Bluetooth)
- slow

Location privacy

- Devices can be in discoverable mode
- Every device has fixed hardware address
- Addresses are sent in clear
- -> possible to track devices (and users)

Denial of service attacks

- Radio jamming attacks
- Buffer overflow attacks
- Blocking of other devices
- Battery exhaustion (e.g., sleep deprivation torture attack)

Other weaknesses

- No integrity checks
- No prevention of replay attacks
- Man in the middle attacks
- Sometimes: default = no security
- …

Recommendations

- Never use unit keys!!!!
- Use long and sufficiently random PINs
- Always make sure security is turned on
- …

Interesting solutions

- Replace E0 and E1 with AES
- Use MACs to protect integrity
- Pseudonyms
- Identity based cryptography
- Elliptic curves
- Use MANA protocols instead of PIN
- Use network layer security services (IPSEC) to provide end-to-end security

Conclusion

- Bluetooth has quite a lot of security weaknesses!
- Need for secure lightweight protocols
- More research needed!!

Questions

??
