Download - Carwhisperer Bluetooth Attack
![Page 1: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/1.jpg)
Carwhisperer
Bluetooth Attack
![Page 2: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/2.jpg)
What is Bluetooth??
• Bluetooth is “A specification for short-range radio
links between mobile phones, mobile computers,
digital cameras, and other portable devices.”
• Enables users to establish ad hoc networks
supporting voice and data communications
![Page 3: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/3.jpg)
History
• It has been called after Harald Blatand (Harald
bluetooth), the king of Denmark.
• The Bluetooth wireless technology was invented in
1994 by Ericsson
• In September 1998, the Bluetooth Special Interest
Group (SIG) was founded with the objective of
developing the Bluetooth wireless technology
![Page 4: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/4.jpg)
Bluetooth Basics
• Bluetooth operates in the licensed-free ISM band
between 2.4 and 2.48 GHz.
• For Prevention of interference with other devices working
within ISM, Bluetooth make use of a technique called
frequency hopping.
• It takes 1600 hops/sec
• It has 79 base band frequencies
• Bluetooth is a connection oriented service.
![Page 5: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/5.jpg)
Bluetooth Basics(Continued)
• In order to connect two Bluetooth devices, one of them,
normally the device initiating the connection, elevates to
the master, leaving the second device as a slave.
• Piconet
• Scatternet
• ACL (Asynchronous connection-oriented) and SCO
(Synchronous connection-less)
• Data rates up to 3 Mb/s
• Typical communication range is 10 to100 meters
![Page 6: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/6.jpg)
Bluetooth Topology (ACL link)
![Page 7: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/7.jpg)
Bluetooth Topology (SCO/eSCO link)
![Page 8: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/8.jpg)
Master-Slave Architecture
• In Bluetooth, connections with up to seven devices,
which form piconet are possible, where communication is
led by the master device.
![Page 9: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/9.jpg)
Bluetooth Services
• Bluetooth makes use of a protocol stack, which makes it
simple to separate application logic from physical data
connections.
• The protocol architecture of Bluetooth allows for straight
forward implementation of existing network protocols
like HTTP, FTP, etc.
![Page 10: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/10.jpg)
![Page 11: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/11.jpg)
Bluetooth Radio & Baseband
• Bluetooth Radio work as a digital signal processing
component of the system
• Bluetooth device transmit data, which is made up of bits
(ones and zeros), over a radio frequency
• Baseband processes the signal received and transmitted
by Radio
• Controls links, packets, error and flow
![Page 12: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/12.jpg)
LMP & HCI
• LMP manages link setup, authentication, link
configuration and other low level protocols
• Connection establishment
• HCI provides command interface to the baseband
controller and link manager
• Exists across three sections, the host, transport layer and
the host controller
![Page 13: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/13.jpg)
L2CAP & RFCOMM
• L2CAP provides connection-oriented and connection-
less data services to upper layer protocols
• Permits protocols and applications to transmit and
receive data packets up to 64 kilobytes in length
• RFCOMM protocol supports 60 simultaneous connection
between two Bluetooth devices
• The number of connections that can be used
simultaneously in a bluetooth device is implementation
specific, meaning what profile is being used
![Page 14: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/14.jpg)
SDP-Service Discovery Protocol
• Bluetooth is a technology, which is deployed in a
dynamical environment. Devices may get out of range or
even switched on, while new devices might become
activated.
• In order to detect services, provided by other devices, a
protocol, which detects services makes sense. In
Bluetooth, the Service Discovery Protocol is responsible
for keeping track of services, provided within a device’s
operating range
![Page 15: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/15.jpg)
TCS - Telephony Control Protocol
• The Telephony Control Protocol provides functionality to
control telephony applications and makes use of L2CAP
connections.
![Page 16: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/16.jpg)
OBEX - Object Exchange Protocol
• The Object Exchange Protocol (OBEX) provides services
for the exchange of binary data objects. To initiate an
OBEX session, an optional OBEX authentication is
possible.
• Therefore, a limited set of commands like PUT, GET or
ABORT exist for easy file transfers, comparable to HTTP.
![Page 17: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/17.jpg)
Bluetooth Profiles
• In Bluetooth, provided services are composed to a
Bluetooth Profile. Bluetooth devices communicate via the
profiles, that act as ”interfaces”.
• For further consideration, two Bluetooth profiles are
especially interesting, concerning BlueSnarfing and
BlueBugging attacks:
1. OBEX Object Push Profile (OPP).
2. Synchronisation Profile (SYNCH).
![Page 18: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/18.jpg)
OBEX Object Push Profile (OPP)
• The Object Push Profile (OPP) provides basic functions
for exchange of binary objects, mainly used for vCards in
Bluetooth.
• vCard is a file format standard for electronic business
cards.
• Since vCards are not worth being especially protected, no
authorization procedure is performed before OPP
transactions. Supported OBEX commands are connect,
disconnect, put , get and abort.
![Page 19: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/19.jpg)
Synchronization Profile (SYNCH)
• The Synchronization Profile (SYNCH) provides functions
for exchange of Personal Information Manager (PIM)
data and was adopted from the IrDA infrared
specification.
• In Bluetooth, especially private data, like the address
book, calendar, etc. is sent using the SYNCH profile.
![Page 20: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/20.jpg)
Overview On Bluetooth Security
• Security within Bluetooth itself covers three major
areas:
– Authentication
– Authorization
– Encryption
• Security levels:
– Silent
– Private
– Public
![Page 21: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/21.jpg)
![Page 22: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/22.jpg)
![Page 23: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/23.jpg)
![Page 24: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/24.jpg)
![Page 25: Carwhisperer Bluetooth Attack](https://reader033.vdocuments.mx/reader033/viewer/2022051818/54c159d34a7959740b8b457c/html5/thumbnails/25.jpg)
Thank You !!