
7/27/2019 Bluetooth Airdefense http://slidepdf.com/reader/full/bluetooth-airdefense

White Paper

Bluetooth Networks: Risks & Defenses

The objective of this white paper is to provide an overall understanding of Bluetooth networks, examine their security features and inherent risks, and make recommendations for mitigating risks.

1. Understanding Bluetooth Networks

Bluetooth technology is an IEEE 802.15 open standard and specification that enables short-range wireless connections between a multitude of wireless devices, including desktop and laptop computers, handhelds, PDAs, cell phones, camera phones, printers, digital cameras, headsets, keyboards, and even a computer mouse. More than 250 million Bluetooth devices are in operation worldwide and this number is expected to grow to more than one billion in the next two years. Currently, there are more Bluetooth devices than wireless LAN devices in use.

Bluetooth was originally architected by Ericsson Mobile Communications, which named the technology after the 10th Century Danish Viking, King Harald Blatand, also called “Bluetooth.” Today, Bluetooth technology is supported by all major companies, including IBM, Intel, Nokia, and Toshiba.

A Personal Area Network

Bluetooth is also called Personal Area Network (PAN) technology. It uses a globally available, short-range digital radio band frequency for worldwide compatibility to provide a mechanism for creating small wireless networks on an ad hoc basis. Bluetooth enables fast and reliable transmission for both voice and data. Bluetooth-enabled devices allow users to eliminate cables from their digital peripherals, making cable clutter a thing of the past. Bluetooth devices can also provide a bridge to existing networks.

The goal of Bluetooth is to connect different devices together, wirelessly, in a small environment, such as an office or home. Bluetooth can be used to connect almost any device to any other device, for example, to connect a PDA and a mobile phone.

Bluetooth is inexpensive, takes little power to operate, and maintains a low profile. The standard effectively does the following:

- Eliminates wires and cables between stationary and mobile devices
- Facilitates data and voice communications
- Offers the possibility of ad hoc networks and delivers synchronicity between personal devices

Operating Band

Bluetooth transceivers operate in the unlicensed 2.4-GHz ISM band that is reserved for industrial, scientific, and medical applications. This band is available in most parts of the world (varies in some countries). The band is similar to the band wireless LAN devices and other IEEE 802.11-compliant devices occupy. Table 1 summarizes the characteristics of Bluetooth networks.


www.airdefense.net Copyright 2004, AirDefense, Inc.

Characteristics | Description
Physical Layer | Frequency Hopping Spread Spectrum (FHSS)
Frequency Band | 2.4 GHz – 2.45 GHz (ISM band)
Hop Frequency | 1,600 hops/sec.
Data Rate | 1 Mbps (raw). Higher bit rates are anticipated
Operating Range | About 30 feet to 330 feet

Table 1. Key Characteristics of Bluetooth Technology

How Bluetooth Devices Network

Bluetooth networks are comprised of wireless stations or clients only, unlike a wireless LAN, which is comprised of both wireless user stations and access points. A Bluetooth client may be any Bluetooth-enabled device.

Bluetooth devices automatically locate each other and form networks. As with all ad hoc networks, Bluetooth network topologies establish themselves on a temporary, random basis.

Bluetooth networks maintain a “master-slave” relationship between devices. Any Bluetooth device can become a master or slave. This relationship forms a piconet. Up to eight Bluetooth devices may be networked together in a piconet, in which one device is designated as the master of the network with up to seven slaves connected directly to that network. The master device controls and sets up the network (including defining the network’s hopping scheme).

Devices in a Bluetooth piconet operate on the same channel and follow the same frequency hopping sequence. Although only one device can act as the master for each network, a slave in one network can act as the master for other networks, thus creating a chain of networks. This series of piconets, called scatternets, allows several devices to inter-network over an extended distance. Figure 1 illustrates a typical piconet and scatternet.

Figure 1. A Typical Bluetooth Piconet & Scatternet.

Range of Bluetooth Devices

The operating range of a Bluetooth-enabled device depends on its Class, which in turn depends on the power level of the device.

Device Type | Power Level | Operating Range
Class 3 | 100 mW | Up to 330 feet
Class 2 | 10 mW | Up to 30 feet
Class 1 | 1 mW | Less than 30 feet

Table 2. Range of Bluetooth Devices by Class

At a 330-foot range, Bluetooth can compete with other wireless LAN technologies and applications. Additionally, as with the data rates, it is anticipated that even greater distances will be achieved in the future.

Benefits of Using Bluetooth

Bluetooth technology can result in increased efficiency and reduced costs. The efficiencies and cost savings are attractive for the home user and enterprise business user alike. Key benefits of Bluetooth include:

- Cable replacement for most device and peripheral interconnections, such as a mouse, keyboard, and PC
- Ease of file sharing between Bluetooth devices, for example, a PDA can access the files of a laptop
- Wireless synchronization with other Bluetooth-enabled devices, without user input
- Automated wireless applications that interface with the LAN and Internet
- Internet connectivity for a wide variety of devices and applications, for example, a Bluetooth mobile phone can act as a wireless modem for laptops

2. Bluetooth Security Features

As a wireless technology, Bluetooth comes with some inherent, limited security features that users can optionally (but rarely) implement for both devices and services. Bluetooth supports authentication, authorization, and encryption (confidentiality) protocols; security modes, including link-level; separate access control for devices and services; and the use of several types of identifiers (IDs), depending on the device.

Security Protocols

Bluetooth supports the following protocols:

- Authentication provides an abort mechanism if a device cannot authenticate properly. This addresses, “Do I know with whom I am communicating?”
- Authorization allows the control of resources. This addresses, “Has this device been authorized to use this service?”
- Encryption attempts to prevent information compromise from eavesdropping (passive attack). This addresses, “Are only authorized persons allowed to view my data?”

Link-Level Security Mode

Bluetooth supports link-level security. Link-level security provides a means for a secure link layer; pairing with PINs to establish secret pair-wise link keys; challenge–response authentication with knowledge of the link key; and encryption. Figure 2 depicts the Bluetooth radio path for link-level security.

Figure 2. Bluetooth Air-Interface Security

As illustrated in Figure 2, Bluetooth can provide security on the link level, i.e., on the individual wireless links along the radio path only. Link encryption and authentication may be provided, but true end-to-end security is not possible. In the figure, security services are provided between the PDA and the printer, between the cell phone and laptop, and between the laptop and the desktop.

Security Enforcement

Bluetooth uses pairing, PINs, and frequency hopping to enforce security.

Encryption and authentication are based on a secret link key that is shared by a pair of Bluetooth devices. To generate this key, Bluetooth uses a pairing procedure the first time two devices communicate with one another. In this manner, two Bluetooth devices authenticate each other by passing a message during the initial handshake phase.

Pairing is the driving force behind Bluetooth, as it is designed for information exchange. Pairing enables Bluetooth to interface with other devices and exchange, update, and synchronize data.

To communicate, Bluetooth devices use a PIN in their initialization process. Some Bluetooth devices only allow the user to enter an ID number for each use, while others allow storage of the PIN in nonvolatile memory.
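The pairing and challenge-response flow just described, as an added illustrative model that is not code from this white paper, from AirDefense, or from the Bluetooth specification. HMAC-SHA256 stands in for the Bluetooth key-generation and authentication functions, the device addresses, PINs and pairing nonce are constructed, and binding the claimant's address into the response is an assumption of the model. It shows why the link key is pair-wise (both addresses go into it), that a device whose user entered a different PIN ends up with a different key and fails authentication, and why both directions should be checked (mutual authentication) rather than the one-way check alone.

```python
"""Toy model of Bluetooth-style link-key pairing and challenge-response
authentication (added illustration, not the real Bluetooth algorithms:
HMAC-SHA256 stands in for them, so only the structure matches the paper)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def derive_link_key(pin: str, addr_a: str, addr_b: str, nonce: bytes) -> bytes:
    """Pair-wise link key from the PIN, both BD_ADDRs and a pairing nonce.
    Addresses are sorted so that both devices compute the same key.
    Assumption: HMAC-SHA256 replaces the Bluetooth key-generation function."""
    addrs = "|".join(sorted((addr_a, addr_b))).encode()
    return hmac.new(pin.encode(), addrs + nonce, hashlib.sha256).digest()


def compute_response(link_key: bytes, challenge: bytes, claimant_addr: str) -> bytes:
    """Answer to a challenge: keyed hash over the challenge and the claimant's
    own address, so one device's answer cannot be reused for another."""
    return hmac.new(link_key, challenge + claimant_addr.encode(), hashlib.sha256).digest()


class Device:
    def __init__(self, bd_addr: str, pin: str) -> None:
        self.bd_addr = bd_addr
        self.pin = pin                              # PIN this device's user entered
        self.link_keys: Dict[str, bytes] = {}       # peer BD_ADDR -> link key

    def pair(self, peer_addr: str, nonce: bytes) -> None:
        """Pairing: each side derives the key from its OWN PIN; the two keys
        agree only if both users entered the same PIN."""
        self.link_keys[peer_addr] = derive_link_key(self.pin, self.bd_addr, peer_addr, nonce)

    def respond(self, verifier_addr: str, challenge: bytes) -> Optional[bytes]:
        key = self.link_keys.get(verifier_addr)
        if key is None:
            return None                             # never paired with this verifier
        return compute_response(key, challenge, self.bd_addr)


def authenticate(verifier: Device, claimant: Device) -> bool:
    """One-way challenge-response: only the claimant proves key knowledge."""
    key = verifier.link_keys.get(claimant.bd_addr)
    if key is None:
        return False
    challenge = secrets.token_bytes(16)             # fresh random challenge, never reused
    response = claimant.respond(verifier.bd_addr, challenge)
    if response is None:
        return False
    expected = compute_response(key, challenge, claimant.bd_addr)
    return hmac.compare_digest(expected, response)


def mutual_authenticate(a: Device, b: Device) -> bool:
    """Both directions must pass, so neither side talks to an unverified peer."""
    return authenticate(a, b) and authenticate(b, a)


def demo() -> Dict[str, bool]:
    """Constructed scenario: phone and laptop share PIN 4829; a third device
    paired using the default PIN 0000 while the laptop user typed 4829."""
    nonce = secrets.token_bytes(16)                 # exchanged in the clear during pairing
    phone = Device("00:11:22:33:44:55", pin="4829")
    laptop = Device("66:77:88:99:AA:BB", pin="4829")
    mismatched = Device("CC:DD:EE:FF:00:11", pin="0000")
    phone.pair(laptop.bd_addr, nonce)
    laptop.pair(phone.bd_addr, nonce)
    laptop.pair(mismatched.bd_addr, nonce)
    mismatched.pair(laptop.bd_addr, nonce)
    return {
        "same_pin_mutual_ok": mutual_authenticate(phone, laptop),
        "different_pin_fails": mutual_authenticate(laptop, mismatched),
        "never_paired_fails": authenticate(phone, mismatched),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the whole exchange rests on the PIN that was entered during pairing, the strength of the link key is bounded by that PIN; that is the reason the countermeasures in Section 4 insist on PIN codes other than the default setting.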

Additionally, Bluetooth uses a frequency hopping technique to keep transmissions from breaking up. This technique, which consists of skipping around the radio band 1,600 times per second, improves the signal clarity. Also, by limiting communication to only synchronized devices, frequency hopping makes it slightly more difficult for an attacker to locate the Bluetooth transmission. This provides some additional protection from eavesdropping and malicious access.

3. Security Risks

How secure are Bluetooth devices that use only available Bluetooth default security? Even when users choose to implement Bluetooth default security, vulnerabilities do exist that provide a motivation for using enhanced security. Some Bluetooth devices have serious flaws in their authentication and data transfer mechanisms (see Table 3).

“Though Bluetooth devices have security features built in, most devices ship with unsecured default configurations that create gaping security holes.”
InStat/MicroDesign Resources

 

Security Issue / Vulnerability | Comments
Shared master key. | The Bluetooth SIG needs to develop a better broadcast keying scheme.
No user authentication. | Bluetooth only provides device authentication. Application-level security and user authentication is optional.
Eavesdropping, resulting from device key sharing. | A hacker may be able to compromise the security, i.e., gain unauthorized access to communications between two other users.
Compromise of privacy if the Bluetooth device address (BD_ADDR) is captured and associated with a particular user. | Once the BD_ADDR is associated with a particular user, that user’s activities could be logged, resulting in a loss of privacy.
Device authentication is simple shared-key challenge-response. | One-way only challenge-response authentication is subject to man-in-the-middle attacks. Mutual authentication is required to provide verification that users and the network are legitimate.
End-to-end security is not performed. | Only individual links are encrypted and authenticated. Data is decrypted at intermediate points. Application software above the Bluetooth software can be developed.
Limited security services. | Audit, non-repudiation, and other services do not exist. If needed, these can be developed at particular points in a Bluetooth network.
Viruses and DoS attacks, via the Internet and Email. | Data is vulnerable to third-party providers.

Source: NIST

Table 3. Key Security Issues with Bluetooth Networks.


Insecure Configurations

Using default security configurations in a Bluetooth network is an open invitation for attack on both the Bluetooth network and your enterprise backbone.

“Like wireless LAN devices, Bluetooth devices are being rapidly deployed with little or no security. However, because of the pervasiveness of these unsecured devices left in default settings, they stand to be an attractive target for exploitation.”
Pete Lindstrom, research director, Spire Security

Bluetooth networks in many enterprises connect back to a wired network at some point. Hackers can use an insecure networked Bluetooth laptop as an entry point into the entire enterprise network, gaining access to customer credit cards, records, and other sensitive information that may not even exist on the Bluetooth network.

Eavesdropping and Backdoors

Hackers can use wireless microphones as bugging devices. There have been recorded incidents of successful attacks on PCs using hacker “toolkits,” such as Back Orifice and NetBus. A hacker with a program such as Back Orifice installed on a device in the Bluetooth network could access other Bluetooth devices and networks that have limited or no security.

Bluetooth devices are further vulnerable because the system authenticates the devices, not the users. As a result, a compromised device can gain access to the network and compromise both the network and the devices on the network.

Authorized Remote User Vulnerabilities

Authorized remote users pose a threat to Bluetooth networks. Remote users are not always subject to the same security requirements as onsite users. They frequently use links that are not secure, whether at home or while traveling. In the process of connecting, remote users transmit user IDs and passwords, which a hacker can capture using a network sniffer. The hacker does not have to be in close proximity to a user to intercept traffic. Once the device or link is compromised, all devices in that Bluetooth network are vulnerable to attack. For example, a compromised link allows a hacker to monitor data traffic, while a compromised device allows the hacker to request and receive sensitive data.

In addition, remote users often delegate authority (rights) to a host machine (e.g., a shared server) to execute programs. If the remote device is compromised and the authorized user had granted rights to the machine, the hacker could then use those rights to compromise the network. An example of this is a PDA automatically requesting a laptop to send and download emails. If the user had enabled (i.e., had delegated authority to) the PDA to download email from the laptop, a hacker could use the compromised PDA to obtain the email.

Signal Jamming & Interference

Besides the typical Denial-of-Service (DoS) attacks directed against LANs and Internet services, Bluetooth devices are also susceptible to signal jamming. Bluetooth devices share bandwidth with microwave ovens, cordless phones, and other wireless networks and are thus vulnerable to interference. Hackers can interfere with the flow of information (i.e., disrupt the routing protocol by feeding the network inaccurate information) by using devices that transmit in the 2.4-GHz ISM band.

SNARF Attacks

Discovered by A.L. Digital's chief security officer Adam Laurie while testing phones for his own company's deployment, the SNARF (also called “grab”) attack bypasses the security net of most handsets and enables hackers to breach and compromise confidential data, including an individual subscriber’s phonebook, calendar, business card data, and associated attachments, such as still and moving images, e.g., friends and family photos. All this data can be taken anonymously from some very well-known Bluetooth-enabled mobiles and it is accomplished completely without the handset owner’s knowledge or consent.

Additionally, hackers can use the SNARF attack to obtain the phone’s International Mobile Equipment Identity (IMEI), which remotely identifies the phone to the mobile network. The IMEI is used in illegal phone cloning.

Backdoor Attacks

The complete memory contents of some mobile phones can be accessed when an attacker establishes a trust relationship through the Bluetooth pairing procedure, while ensuring that it no longer appears in the target’s register of paired devices. This data includes not only the phonebook and calendar, but also media files, such as pictures and text messages. In essence, the entire device can be backed up to the hacker’s own system. Not only can the hacker acquire data from the phone, but the hacker can also access other services, such as modems or Internet, and WAP or GPRS gateways.

Bluejacking

Bluejacking is a technique that is similar in concept to a buffer overflow attack against a wired network.

The technique involves abusing the Bluetooth pairing procedure, made possible because the name of the initiating Bluetooth device displays on the target device as part of the handshake exchange. As pairing allows a large user-defined name field (up to 248 characters), the field itself can be used to pass the message. This presents a potential security problem.

During Bluejacking, the hacker successfully pairs with the target device using the first part of the handshake exchange. If this occurs, all data on the target device becomes available to the hacker, including phone books, calendars, pictures, and text messages. Bluejacking can provide the means for a hacker to hijack valuable data from corporations, government bodies, and the like. Bluejacking can succeed because of the number of users who are often duped by a constant barrage of unsolicited messages, such as SPAM email or SMS text messages.

4. Mitigating Security Risks

Countermeasures are now available to help secure Bluetooth networks. There are countermeasures that enterprise IT management can take to establish security policies; there are limited software solutions inherent in Bluetooth; and now there is the industry’s first commercial-grade Bluetooth monitoring system, AirDefense BlueWatch™.

Management Countermeasures

Enterprises that use Bluetooth technology can reduce risks by establishing and documenting security policies that address the use of Bluetooth devices and user responsibilities. Security policies should include a list of approved uses for Bluetooth devices, the type of information that may be transferred in the network, and disciplinary actions resulting from misuse. Security policies should also specify a set scheme for password use.

Secure Bluetooth Configurations

Software solutions inherent in Bluetooth technology include the PIN and private authentication. Bluetooth enforces PIN codes at the link level. Because the PIN codes are necessary for authentication and link security, administrators should ensure that Bluetooth devices use PIN codes other than the default (or lowest) setting.

Passwords are fundamental measures that add an extra layer of security. As Bluetooth devices can store and automatically access link-level PIN codes from memory, a Bluetooth device should employ device authentication as an extra layer of security. Enterprises should incorporate application-level software that requires password authentication in Bluetooth devices.

Monitoring with AirDefense

AirDefense BlueWatch is the industry’s first commercial-grade Bluetooth monitoring solution. BlueWatch is part of the suite of AirDefense products that monitor the airwaves to enhance the security of wireless networks. BlueWatch is a Windows-based software program that scans for the presence of Bluetooth devices and their key attributes. BlueWatch can enable individual users and enterprises to identify rogue and insecure Bluetooth devices in their air space, enabling them to take proactive steps to mitigate the risk of security breaches.

“Monitoring tools like AirDefense BlueWatch can play a critical role in providing visibility of unsanctioned or insecure Bluetooth devices and the security vulnerabilities they introduce.”
Pete Lindstrom, research director, Spire Security

AirDefense BlueWatch runs on a standard Windows® XP® or Windows 2000® platform, on PCs and laptops. It uses a plug-in USB Bluetooth adapter that is compatible with WIDCOMM® Bluetooth drivers. (Most PC devices use a WIDCOMM Bluetooth driver. This includes adapters from Linksys® and Belkin®, commonly available at consumer electronics stores.) AirDefense recommends using a Class 3 adapter for the greatest range of 330 feet (100 meters).

BlueWatch monitors the airwaves to:

- Identify different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones.
- Provide Key Attributes, including the device class, device name, and manufacturer.
- Provide Connection Information, indicating if Bluetooth devices are paired or connected.
- Identify Available Services on each device, including network access, fax, and audio gateway.
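An added illustration, not BlueWatch code and not from the white paper, of how the four kinds of attribute listed above (device type, key attributes, connection information, available services) feed the "rogue and insecure device" decision once an enterprise has the approved-use inventory that the Management Countermeasures section calls for. The scan records, the approved-device inventory and the per-role service policy are all constructed; the real BlueWatch output format is not described here. The audit flags a device absent from the inventory as rogue, an approved device exposing a service outside its policy (here a laptop offering network access, the entry point into the wired network that Section 3 warns about) as insecure, and any link from an approved device to an unapproved one.

```python
"""Inventory audit over monitor-style Bluetooth scan records (added
illustration; records, policy and field names are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ScanRecord:
    """One observed device, as a monitor's scan might summarise it (constructed)."""
    bd_addr: str
    name: str
    device_class: str                  # e.g. "laptop", "pda", "keyboard", "phone"
    manufacturer: str
    services: Set[str]                 # e.g. {"network access", "fax", "audio gateway"}
    connected_to: Set[str] = field(default_factory=set)   # BD_ADDRs of current peers


# Constructed policy: the approved-uses list of Section 4, expressed as an
# inventory of sanctioned devices and the services each role may expose.
APPROVED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "laptop",
    "66:77:88:99:AA:BB": "keyboard",
}
ALLOWED_SERVICES: Dict[str, Set[str]] = {
    "laptop": {"file transfer", "audio gateway"},
    "keyboard": {"hid"},
}


def audit(records: List[ScanRecord]) -> List[str]:
    """Return one finding per policy violation: unknown (rogue) devices,
    approved devices whose observed class differs from the inventory,
    approved devices exposing services outside policy, and links to
    unapproved peers. An empty list means the scan matches policy."""
    findings: List[str] = []
    for rec in records:
        role = APPROVED_DEVICES.get(rec.bd_addr)
        if role is None:
            findings.append(f"ROGUE {rec.bd_addr} ({rec.name}, {rec.device_class}, "
                            f"{rec.manufacturer}): not in inventory")
            continue
        if rec.device_class != role:
            findings.append(f"MISMATCH {rec.bd_addr}: seen as {rec.device_class}, "
                            f"inventory says {role}")
        extra = rec.services - ALLOWED_SERVICES.get(role, set())
        if extra:
            findings.append(f"INSECURE {rec.bd_addr}: exposes unapproved services "
                            f"{sorted(extra)}")
        for peer in sorted(rec.connected_to):
            if peer not in APPROVED_DEVICES:
                findings.append(f"LINK {rec.bd_addr}: connected to unapproved device {peer}")
    return findings


# Constructed scan: a sanctioned laptop exposing network access while
# connected to a phone that is not in the inventory; the keyboard is clean.
SAMPLE_SCAN: List[ScanRecord] = [
    ScanRecord("00:11:22:33:44:55", "CORP-LT-017", "laptop", "Toshiba",
               {"file transfer", "network access"}, {"CC:DD:EE:FF:00:11"}),
    ScanRecord("66:77:88:99:AA:BB", "Desk keyboard", "keyboard", "unknown", {"hid"}),
    ScanRecord("CC:DD:EE:FF:00:11", "Sales phone", "phone", "Nokia",
               {"dial-up networking"}, {"00:11:22:33:44:55"}),
]


if __name__ == "__main__":
    for line in audit(SAMPLE_SCAN):
        print(line)
```

Running the block over the constructed scan yields three findings: the laptop's unapproved network access service, the laptop's link to the unlisted phone, and the phone itself as a rogue device. Keying the inventory on BD_ADDR rather than on the user-editable device name is deliberate, since Table 3 notes that the address is what identifies the device on the air.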

"Many of our new company-issued devices are Bluetooth enabled. Although this is a convenience for many of our associates, there is a risk that sensitive data may be compromised. AirDefense BlueWatch provides a monitoring solution that we can use to identify and track how and with whom these devices communicate."
Michael Ciarochi, senior security engineer, HomeBanc Mortgage

Conclusion

As businesses and consumers continue their rapid adoption of wireless technologies, all enterprises must address the growing security concerns from new airborne threats. Companies spend millions of dollars securing their networks. When a company’s network is left exposed by insecure devices such as Bluetooth devices, hackers can enter the organization and compromise the company’s corporate backbone, rendering investments in information technology security obsolete. The implications from a security breach can impact the company’s reputation, intellectual property and regulated information.

Organizations should take protective steps to monitor for Bluetooth devices in their air space to mitigate these new types of risks.

About AirDefense

AirDefense is the thought leader and innovator of wireless network security and operational support solutions. Founded in 2001, AirDefense pioneered the concept of 24x7 monitoring of the airwaves and now provides the most advanced solutions for rogue wireless LAN detection, policy enforcement, intrusion protection and monitoring the health of wireless networks. Blue chip companies and government agencies rely upon AirDefense solutions to secure and manage wireless networks around the globe.

For more information or feedback on this white paper, please contact:

AirDefense, Inc.
4800 North Point Parkway
Suite 100
Alpharetta, Georgia 30022
Email: www.airdefense.net
Phone: 770.663.8115

All trademarks are the property of their respective owners.