Carwhisperer Bluetooth Attack

Upload: nu-the-open-security-community

Post on 23-Jan-2015

DESCRIPTION

null Mumbai Chapter December 2012 Meet

TRANSCRIPT

Page 1: Carwhisperer Bluetooth Attack

Carwhisperer Bluetooth Attack

Page 2: Carwhisperer Bluetooth Attack

What is Bluetooth?

• Bluetooth is “A specification for short-range radio links between mobile phones, mobile computers, digital cameras, and other portable devices.”
• Enables users to establish ad hoc networks supporting voice and data communications

Page 3: Carwhisperer Bluetooth Attack

History

• It is named after Harald Blatand (Harald Bluetooth), the king of Denmark.
• The Bluetooth wireless technology was invented in 1994 by Ericsson
• In September 1998, the Bluetooth Special Interest Group (SIG) was founded with the objective of developing the Bluetooth wireless technology

Page 4: Carwhisperer Bluetooth Attack

Bluetooth Basics

• Bluetooth operates in the license-free ISM band between 2.4 and 2.48 GHz.
• To prevent interference with other devices working within the ISM band, Bluetooth makes use of a technique called frequency hopping.
• It makes 1600 hops/sec
• It has 79 baseband frequencies
• Bluetooth is a connection-oriented service.

Page 5: Carwhisperer Bluetooth Attack

Bluetooth Basics (Continued)

• In order to connect two Bluetooth devices, one of them, normally the device initiating the connection, becomes the master, leaving the second device as a slave.
• Piconet
• Scatternet
• ACL (Asynchronous connection-oriented) and SCO (Synchronous connection-less)
• Data rates up to 3 Mb/s
• Typical communication range is 10 to 100 meters

Page 6: Carwhisperer Bluetooth Attack

Bluetooth Topology (ACL link)

Page 7: Carwhisperer Bluetooth Attack

Bluetooth Topology (SCO/eSCO link)

Page 8: Carwhisperer Bluetooth Attack

Master-Slave Architecture

• In Bluetooth, connections with up to seven devices, which form a piconet, are possible; communication is led by the master device.

Page 9: Carwhisperer Bluetooth Attack

Bluetooth Services

• Bluetooth makes use of a protocol stack, which makes it simple to separate application logic from physical data connections.
• The protocol architecture of Bluetooth allows for straightforward implementation of existing network protocols like HTTP, FTP, etc.

Page 10: Carwhisperer Bluetooth Attack
Page 11: Carwhisperer Bluetooth Attack

Bluetooth Radio & Baseband

• Bluetooth Radio works as a digital signal processing component of the system
• A Bluetooth device transmits data, which is made up of bits (ones and zeros), over a radio frequency
• Baseband processes the signal received and transmitted by Radio
• Controls links, packets, error and flow

Page 12: Carwhisperer Bluetooth Attack

LMP & HCI

• LMP manages link setup, authentication, link configuration and other low-level protocols
• Connection establishment
• HCI provides a command interface to the baseband controller and link manager
• Exists across three sections: the host, the transport layer and the host controller

Page 13: Carwhisperer Bluetooth Attack

L2CAP & RFCOMM

• L2CAP provides connection-oriented and connectionless data services to upper layer protocols
• Permits protocols and applications to transmit and receive data packets up to 64 kilobytes in length
• RFCOMM protocol supports 60 simultaneous connections between two Bluetooth devices
• The number of connections that can be used simultaneously in a Bluetooth device is implementation-specific, depending on which profile is being used

Page 14: Carwhisperer Bluetooth Attack

SDP - Service Discovery Protocol

• Bluetooth is a technology that is deployed in a dynamic environment. Devices may get out of range or even be switched on, while new devices might become activated.
• To detect services provided by other devices, a protocol that detects services makes sense. In Bluetooth, the Service Discovery Protocol is responsible for keeping track of services provided within a device’s operating range

Page 15: Carwhisperer Bluetooth Attack

TCS - Telephony Control Protocol

• The Telephony Control Protocol provides functionality to control telephony applications and makes use of L2CAP connections.

Page 16: Carwhisperer Bluetooth Attack

OBEX - Object Exchange Protocol

• The Object Exchange Protocol (OBEX) provides services for the exchange of binary data objects. To initiate an OBEX session, an optional OBEX authentication is possible.
• Therefore, a limited set of commands like PUT, GET or ABORT exist for easy file transfers, comparable to HTTP.

Page 17: Carwhisperer Bluetooth Attack

Bluetooth Profiles

• In Bluetooth, provided services are grouped into a Bluetooth Profile. Bluetooth devices communicate via the profiles, which act as “interfaces”.
• For further consideration, two Bluetooth profiles are especially interesting with regard to BlueSnarfing and BlueBugging attacks:

1. OBEX Object Push Profile (OPP).
2. Synchronisation Profile (SYNCH).

Page 18: Carwhisperer Bluetooth Attack

OBEX Object Push Profile (OPP)

• The Object Push Profile (OPP) provides basic functions for exchange of binary objects, mainly used for vCards in Bluetooth.
• vCard is a file format standard for electronic business cards.
• Since vCards are not worth being especially protected, no authorization procedure is performed before OPP transactions. Supported OBEX commands are connect, disconnect, put, get and abort.
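
Added example (not part of the original slides): a small Python parser for the OBEX request packets behind the commands listed above, with a review check for requests seen on an OPP channel. Opcode and header values follow the OBEX specification; the policy that a get on OPP should not name an object, the function names and the sample packets are assumptions of this example.

```python
import struct

# Request opcodes for the commands the slide lists (0x80 is the "final" bit).
OPCODES = {0x80: "connect", 0x81: "disconnect", 0x02: "put", 0x82: "put",
           0x03: "get", 0x83: "get", 0xFF: "abort"}
HDR_NAME = 0x01  # Name header: UTF-16BE text, null terminated

def parse_request(pkt: bytes):
    """Parse one OBEX request into (command, {header_id: raw_value})."""
    if len(pkt) < 3:
        raise ValueError("short OBEX packet")
    opcode, length = struct.unpack(">BH", pkt[:3])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    command = OPCODES.get(opcode, "unknown")
    pos = 7 if command == "connect" else 3  # connect: version, flags, max size
    if pos > length:
        raise ValueError("truncated connect request")
    headers = {}
    while pos < length:
        hid, kind = pkt[pos], pkt[pos] >> 6  # top two bits give the encoding
        if kind in (0, 1):  # text or byte sequence with a 2-byte total length
            size, start = int.from_bytes(pkt[pos + 1:pos + 3], "big"), 3
        else:               # fixed-width value: 1 byte or 4 bytes
            size, start = (2 if kind == 2 else 5), 1
        if size < start or pos + size > length:
            raise ValueError("bad header length")
        headers[hid] = pkt[pos + start:pos + size]
        pos += size
    return command, headers

def review_opp_request(pkt: bytes):
    """Findings for one request on an OPP channel (assumed policy)."""
    command, headers = parse_request(pkt)
    findings = []
    if command == "unknown":
        findings.append("opcode outside the listed commands")
    name = headers.get(HDR_NAME, b"").decode("utf-16-be", "replace").rstrip("\x00")
    if command == "get" and name:
        findings.append("get names an object: " + name)
    return findings

def sample(opcode, hid=None, value=b""):  # constructed requests, not captures
    body = b"" if hid is None else struct.pack(">BH", hid, 3 + len(value)) + value
    return struct.pack(">BH", opcode, 3 + len(body)) + body

CARD_PULL = sample(0x83, 0x42, b"text/x-vcard\x00")  # get by Type header only
NAMED_GET = sample(0x83, HDR_NAME, "example.vcf\x00".encode("utf-16-be"))
OTHER_OP = sample(0x85)  # an opcode the slide does not list
```
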

Page 19: Carwhisperer Bluetooth Attack

Synchronization Profile (SYNCH)

• The Synchronization Profile (SYNCH) provides functions for exchange of Personal Information Manager (PIM) data and was adopted from the IrDA infrared specification.
• In Bluetooth, especially private data, like the address book, calendar, etc. is sent using the SYNCH profile.

Page 20: Carwhisperer Bluetooth Attack

Overview On Bluetooth Security

• Security within Bluetooth itself covers three major areas:
  – Authentication
  – Authorization
  – Encryption
• Security levels:
  – Silent
  – Private
  – Public

Page 21: Carwhisperer Bluetooth Attack
Page 22: Carwhisperer Bluetooth Attack
Page 23: Carwhisperer Bluetooth Attack
Page 24: Carwhisperer Bluetooth Attack
Page 25: Carwhisperer Bluetooth Attack

Thank You !!