SPRINGER BRIEFS IN COMPUTER SCIENCE Keijo Haataja Konstantin Hyppönen Sanna Pasanen Pekka Toivanen Bluetooth Security Attacks Comparative Analysis, Attacks, and Countermeasures SpringerBriefs in Computer Science For furthervolumes: http://www.springer.com/series/10028 Keijo Haataja Konstantin Hyppönen • Sanna Pasanen Pekka Toivanen • Bluetooth Security Attacks Comparative Analysis, Attacks, and Countermeasures 123 KeijoHaataja Konstantin Hyppönen Sanna Pasanen Pekka Toivanen School ofComputing Universityof Eastern Finland Kuopio Finland ISSN 2191-5768 ISSN 2191-5776 (electronic) ISBN 978-3-642-40645-4 ISBN 978-3-642-40646-1 (eBook) DOI 10.1007/978-3-642-40646-1 SpringerHeidelbergNewYorkDordrechtLondon LibraryofCongressControlNumber:2013949249 (cid:2)TheAuthor(s)2013 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpartof the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,broadcasting,reproductiononmicrofilmsorinanyotherphysicalway,andtransmissionor informationstorageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purposeofbeingenteredandexecutedonacomputersystem,forexclusiveusebythepurchaserofthe work. Duplication of this publication or parts thereof is permitted only under the provisions of theCopyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the CopyrightClearanceCenter.ViolationsareliabletoprosecutionundertherespectiveCopyrightLaw. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publicationdoesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexempt fromtherelevantprotectivelawsandregulationsandthereforefreeforgeneraluse. While the advice and information in this book are believed to be true and accurate at the date of publication,neithertheauthorsnortheeditorsnorthepublishercanacceptanylegalresponsibilityfor anyerrorsoromissionsthatmaybemade.Thepublishermakesnowarranty,expressorimplied,with respecttothematerialcontainedherein. Printedonacid-freepaper SpringerispartofSpringerScience+BusinessMedia(www.springer.com) Preface WegratefullyacknowledgeElenaTrichina,MarttiPenttonen,andTapioGrönfors for their guidance and supervision during the work presented in Haataja’s Ph.D. thesis [1]. We also thank Niina Päivinen for her cooperation on RF-Fingerprint related researchwork[2]. This researchworkwas funded bythe European Union Artemis project Design, Monitoring, and Operation of Adaptive Networked Embedded Systems (DEMANES). References 1. K.Haataja,SecurityThreatsandCountermeasuresinBluetooth-EnabledSystems,Ph.D.Diss., UniversityofKuopio,DepartmentofComputerScience,2009 2. S. Pasanen, K. Haataja, N. Päivinen, P. Toivanen, New Efficient RF Fingerprint-Based Security Solution for Bluetooth Secure Simple Pairing, in Proceedings of the 43rd IEEE HawaiiInternationalConferenceonSystemSciences,Koloa,Kauai,5–8Jan2010 v Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 Overview of Bluetooth Security . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 Reasons for Bluetooth Network Vulnerabilities. . . . . . . . . . . . . . . 15 3.1 Vulnerability to Eavesdropping. . . . . . . . . . . . . . . . . . . . . . . . 15 3.2 Weaknesses in Encryption Mechanisms . . . . . . . . . . . . . . . . . . 19 3.3 Weaknesses in PIN Code Selection . . . . . . . . . . . . . . . . . . . . . 20 3.4 Weaknesses in Association Models of SSP. . . . . . . . . . . . . . . . 21 3.5 Weaknesses in Device Configuration. . . . . . . . . . . . . . . . . . . . 22 4 Comparative Analysis of Bluetooth Security Attacks. . . . . . . . . . . 23 4.1 Disclosure Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.2 Integrity Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 4.3 DoS Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 4.4 Multithreats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 5 MITM Attacks on Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 5.1 MITM Attacks on SSP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 5.2 Comparative Analysis of Bluetooth MITM Attacks. . . . . . . . . . 67 6 Countermeasures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 6.1 Intrusion Detection and Prevention System. . . . . . . . . . . . . . . . 71 6.2 RF Fingerprint-Based Security Solution for SSP. . . . . . . . . . . . 74 6.3 Countermeasures for Bluetooth Devices up to 2.0 ? EDR . . . . . 77 6.4 Countermeasures for SSP-Enabled Bluetooth Devices . . . . . . . . 80 7 New Practical Attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 8 Conclusion and Future Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 vii Chapter 1 Introduction Theuseofwirelesscommunicationsystemsandtheirinterconnectionsvianetworks havegrownrapidlyinrecentyears.Becauseradiofrequency(RF)wavescanpene- trateobstacles,wirelessdevicescancommunicatewithnodirectlineofsightbetween them.ThismakesRFcommunicationeasiertousethanwiredorinfraredcommuni- cation,butitalsomakeseavesdroppingeasier.Moreover,itiseasiertodisruptand jam wireless RF communication than wired communication. Because wireless RF communication can suffer from these new threats, additional countermeasures are neededtoprotectagainstthem. Bluetooth[1]isatechnologyforshort-rangewirelessdataandreal-timetwo-way audio/videotransferprovidingdataratesupto24Mb/s.Connectiontypesdefinethe ways Bluetooth devices can exchange data. Bluetooth has three connection types: Asynchronous Connection-Less (ACL), Synchronous Connection-Oriented (SCO), andExtendedSCO(eSCO). ACL links are used for symmetric or asymmetric data transfer. Retransmission ofpacketsisusedtoensuretheintegrityofdata.SCOlinksaresymmetricandare used for transferring real-time two-way voice. Retransmission of voice packets is not used. Therefore, when the channel Bit Error Rate (BER) is high, voice can be distorted.eSCOlinksarealsosymmetricandareusedfortransferringreal-timetwo- wayvoice.Retransmissionofpacketsisusedtoensuretheintegrityofdata(voice). Becauseretransmissionofpacketsisused,eSCOlinkscanalsocarrydatapackets. However,theyaremainlyusedfortransferringreal-timetwo-wayvoice.Bluetooth 1.2(orlater)devicescanuseeSCOlinks,buttheymustalsosupportSCOlinksto providebackward-compatibility. Bluetooth operates at 2.4GHz frequency in the free Industrial, Scientific, and Medical (ISM) band. Bluetooth devices that communicate with each other form a piconet. The device that initiates a connection is the piconet master and all other devices within that piconet are slaves. All communication within a piconet goes throughthepiconetmaster.Theclockofthepiconetmasterandfrequency-hopping informationareusedtosynchronizethepiconetslaveswiththemaster.Twoormore piconetstogetherformascatternet,whichcanbeusedtoeliminateBluetoothrange K.Haatajaetal.,BluetoothSecurityAttacks,SpringerBriefsinComputerScience, 1 DOI:10.1007/978-3-642-40646-1_1,©TheAuthor(s)2013 2 1 Introduction restrictions. A scatternet environment requires that different piconets must have a commondevice,calledascatternetmember,torelaydatabetweenthepiconets. ManykindsofBluetoothdevices,suchaslaptops,PCs,mice,keyboards,printers, mobilephones,headsets,andhands-freedevices,arewidelyusedallovertheworld. Moreover,inmanycountries,ahands-freedeviceorheadsetconnectedtoamobile phoneistheonlyformofvoicecommunicationdevicepermittedinmovingvehicles forsafetyreasons.Therefore,themarketsforeasy-to-usewirelessBluetoothheadsets andhands-freedevicesarehuge! Already in 2006, the one billionth Bluetooth device was shipped [2]. Less than 5years later in 2011, the four billionth Bluetooth device was shipped [3], and the volumeisexpectedtoincreaserapidlyinthenearfuture.AccordingtoIn-Stat,the eight billionth Bluetooth device is expected to be shipped by the end of 2013 [4]. Therefore,itisveryimportanttokeepBluetoothsecurityissuesuptodate. Our results: In this book, we explain the reasons for Bluetooth network vul- nerabilitiesandprovidealiterature-review-basedcomparativeanalysisofBluetooth security attacks over the past 10years (2001–2011), including our own Bluetooth securityattacks.Inaddition,weexplaincountermeasuresagainsttheseattacksbased on a literature review and propose a new practical countermeasure for Bluetooth SecureSimplePairing(SSP).Weproposeanewpracticalattackthatworksagainst allexistingBluetoothversions.Furthermore,wepresentsomenewideasthatwillbe usedinourfutureresearchwork. Therestofthebookisorganizedasfollows.Chapter2providesanoverviewof Bluetoothsecurity.ReasonsforBluetoothnetworkvulnerabilitiesareexplained in Chap.3.Chapter4providesaliterature-review-basedcomparativeanalysisofBlue- toothsecurityattacksoverthepast10years(2001–2011):theattacksaredesigned againstBluetoothversionsupto2.0+EDR(EnhancedDataRate),butsomeofthem (especiallyDenial-of-Serviceattacks)alsoworkagainstallexistingBluetoothver- sions,i.e.,Bluetoothversions1.0A–4.0.SinceMan-In-The-Middle(MITM)attacks are also possible and dangerous against the latest SSP-enabled Bluetooth versions (i.e.,Bluetoothversions2.1+EDR−4.0),MITMattacksonBluetoothareexplained in Chap.5, which also provides a comparative analysis of all existing Bluetooth MITMattacks:MITMattacks,against“old”Bluetoothversionsupto2.0+EDRas wellasagainst“new”SSP-enabledBluetoothversions,overthepast10years(2001– 2011)areexplainedandanalyzed.Chapter6explainstheexistingcountermeasures againsttheseattacksbasedonaliteraturereviewandproposesanewpracticalcoun- termeasureforBluetoothSSP.Anewpracticalattackthatworksagainstallexisting BluetoothversionsisproposedinChap.7.Finally,Chap.8concludesthebookand sketchesfuturework. Chapter 2 Overview of Bluetooth Security The basic Bluetooth security configuration is done by the user who decides how a Bluetooth device will implement its connectability and discoverability options. Thedifferentcombinationsofconnectabilityanddiscoverabilitycapabilitiescanbe dividedintothreecategories,orsecuritylevels[1,2]. 1. Silent:Thedevicewillneveracceptanyconnections.ItsimplymonitorsBluetooth traffic. 2. Private:Thedevicecannotbediscovered,i.e.,itisaso-callednon-discoverable device. Connections will be accepted only if the Bluetooth Device Address (BD_ADDR) is known to the prospective master. A 48-bit BD_ADDR is nor- mallyuniqueandrefersgloballytoonlyoneindividualBluetoothdevice. 3. Public:Thedevicecanbebothdiscoveredandconnectedto.Itisthereforecalled adiscoverabledevice. The 48-bit BD_ADDR is divided into three parts: the 16-bit Nonsignificant Address Part (NAP), the 8-bit Upper Address Part (UAP), and the 24-bit Lower AddressPart(LAP).ThefirstthreebytesofBD_ADDR(NAPandUAP)refertothe manufactureroftheBluetoothchipandrepresentcompany_id.Thelastthreebytes ofBD_ADDR(LAP),calledcompany_assigned,areusedmoreorlessrandomlyin differentBluetoothdevicemodels.Company_idvaluesarepublicinformationand arelistedintheInstituteofElectricalandElectronicsEngineers’(IEEE’s)Organi- zationallyUniqueIdentifier(OUI)database[2,5]. There are also four different security modes that a device can implement. In Bluetoothtechnology,adevicecanbeinonlyoneofthefollowingsecuritymodes atatime[1,2]: 1. Nonsecure:TheBluetoothdevicedoesnotinitiateanysecuritymeasures. 2. Service-levelenforcedsecuritymode:TwoBluetoothdevicescanestablishanon- secureACLlink.Securityprocedures,namelyauthentication,authorization,and optional encryption, are initiated when a Logical Link Control and Adaptation Protocol (L2CAP) Connection-Oriented (CO) or an L2CAP Connection-Less (CL)channelrequestismade. K.Haatajaetal.,BluetoothSecurityAttacks,SpringerBriefsinComputerScience, 3 DOI:10.1007/978-3-642-40646-1_2,©TheAuthor(s)2013 4 2 OverviewofBluetoothSecurity 3. Link-levelenforcedsecuritymode:SecurityproceduresareinitiatedwhenanACL linkisestablished. 4. Service-levelenforcedsecuritymode:Thismodeissimilartomode2,exceptthat only Bluetooth devices using SSP can use it, i.e., only Bluetooth 2.1+EDR or laterdevicescanusethissecuritymode. Authenticationisusedforprovingtheidentityofonepiconetdevicetoanother. Theresultsofauthenticationareusedfordeterminingtheclient’sauthorizationlevel, whichcanbeimplementedinmanydifferentways:forexample,accesscanbegranted toallservices,onlytoasubsetofservices,ortosomeserviceswhileotherservices require additional authentication. Encryption is used for encoding the information beingexchangedbetweenBluetoothdevicesinsuchawaythateavesdropperscannot readitscontents[2]. Bluetooth uses Secure And Fast Encryption Routine + (SAFER+) [6] with a 128-bitkeyasanalgorithmforauthenticationandkeygenerationinBluetoothver- sionsupto3.0+HS(HighSpeed),whileBluetooth4.0(i.e.BluetoothLowEnergy) replaces SAFER+ with the more secure 128-bit Advanced Encryption Standard (AES)[1,2,7]. SAFER+ [6] was developed by Massey et al. in 1998. It was submitted as a candidatefortheAEScontest,butthecipherwasnotselectedasafinalist.SAFER+ is a block cipher with the following main features. It has a block size of 128 bits andthreedifferentkeylengths(128,192,and256bits).SAFER+consistsofnine phases(eightidenticalroundsandtheoutputtransformation)andaKeyScheduling Algorithm(KSA)inthefollowingway.KSAproduces17different128-bitsubkeys. Each round uses two subkeys and a 128-bit input word from the previous round to calculate a 128-bit word that is a new input word for the next round. The last subkeyisusedintheoutputtransformation,whichisasimplebitwiseXORofthe last round’s output with the last subkey. Although some optimizations for faster breakingofSAFER+exist(forexample,in[8,9]),itisstillconsideredquitesecure [1,2,6,8,9]. AES [7] was published by the National Institute of Standards and Technology (NIST) in 2001 after the evaluation process of the AES contest. Rijndael was the winner of the contest and NIST selected it as the algorithm for AES. AES is a symmetric block cipher that is intended to replace the Data Encryption Standard (DES) as the approved standard for a wide range of applications, but this process will take many years. NIST anticipates that the Triple Data Encryption Standard (3DES)willremainanapprovedalgorithmfortheforeseeablefuture,atleastforU.S. governmentuse.AESencryptionconsistsof10–14roundsinwhichdatablocksare processedstep-by-stepinthefollowingway(exceptthefinalround;itisnoteworthy thatAESdecryptionissymmetrictoAESencryption)[1,2,7,10,11]: 1. Byte substitution: Byte substitution uses an S-box to perform a byte-by-byte substitutionoftheblock. 2. Rowshifting:Rowshiftingisasimplepermutation.