Identifying and Assessing Security Issues related to Bluetooth Wireless Networks

Gregory Lamm
Jorge Estrada
Gerlando Falauto
Jag Gadiyaram
November 29, 2000
University of Virginia

A Christmas Carol
Charles Dickens had it right: for every major issue (or story) in the world, there is usually a Past, a Present and a Future that are clearly identifiable.
Group 11 would like to tell you a story.

The Ghost of Bluetooth Past
• 10th Century Danish King (unified warring Viking Tribes): Harald Bluetooth
• No Wireless Networks prior to 20th Century
• New Wireless Transmission Schemes for the 21st Century
– 802.11b
– Home Radio Frequency
– Bluetooth (version 1.0)

Past Bluetooth Attacks
1. Third Party Eavesdropping & Impersonating
[Diagram: devices A, C and B]
2. Stealing Addresses from a Bluetooth Device
– Tracking the device through the network
– Impersonate a device

The Ghost of Bluetooth Present
• Ad hoc Networks
• Bluetooth Chip: $50
• Range: 10 meters (30 feet)
• Throughput: 720,000 bps
• Peer to Peer
• Piconet (8/250)
• Scatternet (10 Piconets)

Bluetooth (Special Interest Group)
1,900 Bluetooth Technology Manufacturers

Bluetooth Applications

Bluetooth Development
Local Area Network (LAN)
• Small Network
• Large Throughput
• IR or Radio Communication
• Relays not used
• Fixed with limited mobility
• Small Distances
Wireless Phone Network
• Large Network
• Small Throughput
• Radio Communication
• Relays used
• Mobility
• Large Distances

Bluetooth Overview
Local Area Network (LAN) / Wireless Phone Network
Communication
• Radio Frequency Hopping (1600 Hps)
• 2.4GHz Frequency Range
• RF Interface
• 720 Kbps – 4 Mbps
Authentication
• Challenge-Response Scheme
• SAFER+
• None/One-way/Mutual
• Needed for encryption
Encryption
• Optional
• Symmetric Stream Cipher
• Negotiable Key Size (8-128 bits)
• Clock dependent

Bluetooth Communication
• Radio Frequency Communications (RF C)
– Controls Frequency Hopping for Bluetooth
• Logical Link Control (LLC)
– Link Management
– Security Management
– QoS Management
– Transmission Scheduling
• Link Manager Protocol (LMP)
– Configure, authenticate and handle the connections
– Power management scheme

Bluetooth Authentication
[Diagram: PIN and Random # feed link key generation, producing K_LINK. A (Verifier) sends AU_RAND to B (Claimant). Each side inputs BD_ADDR_B, K_LINK and AU_RAND to E1 (SAFER+), yielding SRES and ACO on A and SRES' and ACO' on B. B returns SRES' and A performs the CHECK SRES = SRES'. ACO feeds encryption key generation.]

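The challenge-response exchange on the authentication slide, as an added example that is not from the original presentation. HMAC-SHA256 stands in for E1 (SAFER+), and the Device class, the function names and the addresses are hypothetical; the block shows the verifier rejecting a wrong link key and a response replayed against a fresh AU_RAND.

```python
import hashlib
import hmac
import secrets

def e1_standin(k_link, au_rand, bd_addr):
    """Stand-in for E1. The slides' E1 is SAFER+ based; HMAC-SHA256 is
    substituted here. Returns (SRES, ACO) as 32-bit and 96-bit values."""
    digest = hmac.new(k_link, au_rand + bd_addr, hashlib.sha256).digest()
    return digest[:4], digest[4:16]

class Device:
    def __init__(self, bd_addr, k_link):
        self.bd_addr = bd_addr   # 48-bit device address (constructed value)
        self.k_link = k_link     # 128-bit link key shared by the paired devices
        self.aco = None          # kept after success for encryption key generation

    def respond(self, au_rand):
        """Claimant side: compute SRES' over its own address and return it."""
        sres, self.aco = e1_standin(self.k_link, au_rand, self.bd_addr)
        return sres

def authenticate(verifier, claimant, au_rand=None, replayed_sres=None):
    """One-way authentication: verifier challenges claimant with AU_RAND.
    replayed_sres simulates a response captured from an earlier run."""
    au_rand = au_rand or secrets.token_bytes(16)       # fresh 128-bit challenge
    sres_prime = replayed_sres or claimant.respond(au_rand)
    sres, aco = e1_standin(verifier.k_link, au_rand, claimant.bd_addr)
    if not hmac.compare_digest(sres, sres_prime):      # CHECK: SRES = SRES'
        return False
    verifier.aco = aco
    return True

def mutual(a, b):
    """Mutual authentication: run the exchange in both directions."""
    return authenticate(a, b) and authenticate(b, a)

if __name__ == "__main__":
    k = secrets.token_bytes(16)
    a = Device(bytes.fromhex("0a0000000001"), k)
    b = Device(bytes.fromhex("0b0000000002"), k)
    print("paired, A verifies B:", authenticate(a, b))
    print("mutual:", mutual(a, b))
    other = Device(b.bd_addr, secrets.token_bytes(16))  # B's address, wrong key
    print("wrong link key:", authenticate(a, other))
    old = b.respond(secrets.token_bytes(16))            # response to an old challenge
    print("replayed SRES, fresh AU_RAND:", authenticate(a, b, replayed_sres=old))
```
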
Bluetooth Encryption
[Diagram: on both A and B, BD_ADDR_A, clock_A and K_C' are input to E0 to produce K_cipher (K'_cipher on B); data A-B and data B-A are encrypted and decrypted with the cipher stream.]
Is everything OK? Yes, BUT...

The Ghost of Bluetooth Future
Security Weaknesses
• Encryption
– Plain Text Attack
• Authentication
– Unit Key Stealing
• Communication
– Impersonation

Bluetooth Applications

Conclusions
• As Viking Hackers, we believe that Bluetooth has some vulnerabilities and some increased security measures are needed.
[Diagram labels: Security, Functionality]