Bluetooth
- Range is typically less than 10 m
- Operates in the 2.4 GHz band
- Discovery feature can control the visibility of the device
- Bluetooth Low Energy (BLE): Bluetooth >= 4.0
- Bluetooth Classic (BC): Bluetooth < 4.0
- Uses WPAN (wireless personal area network)
- Uses Gaussian Frequency Shift Keying (GFSK) to exchange information at the basic rate (BR), usually 1 Mbps.
Bluetooth security
- Standard provides three basic security services:
  - Authentication
    - To verify the identity of communicating devices
  - Confidentiality
    - To prevent the compromise of information and ensure that only authorized devices can access and view data.
  - Authorization
    - To allow the control of resources by ensuring that a device is authorized to use a service before permitting it to do so.
- ❗ Standard does not address other security services such as audit and non-repudiation.
- Four security modes (levels):
  - Mode 1: No authentication/encryption.
  - Mode 2: Authorization with access control policies.
  - Mode 3: Mandates authentication and encryption using a secret key shared with paired devices.
  - Mode 4: Secure Simple Pairing (SSP) using Elliptic-Curve Diffie-Hellman (ECDH) for key exchange and link key generation.
Bluetooth device discovery
- BlueScanner: Finds devices around and displays information
- BT Browser: Find and enumerate nearby devices
Bluetooth attacks
BlueSmacking
- 📝 DoS attack using L2CAP echo (ping) requests.
BlueJacking
- 📝 Sending unsolicited data to Bluetooth devices
- Allows spamming over Bluetooth, also known as BlueSpamming
- ❗ Not related to hijacking
BluePrinting
- 📝 Extracting information about the device
BlueSnarfing
- 📝 Stealing data from target device
- E.g. calendars, contact lists, emails and text messages
BlackJacking
- 📝 Exploits a BlackBerry device to attack the corporate LAN directly
- Compromises the BlackBerry, which then proxies between corporate servers and the attacker.
BBProxy
- 📝 BlackJacking tool
- Included in the BlackBerry Attack Toolkit
- Presented at DefCon
BlueBugging
- Also known as the BlueBug attack
- Creates a backdoor before returning control of the phone to its owner
- Extends BlueJacking and BlueSnarfing (allows the attacker to access data)
- E.g. by pretending to be a headset to receive phone calls
- Less common today, as the vulnerabilities are generally patched
Bloover
- A proof-of-concept tool
- 📝 Exploits BlueBugging, targeting J2ME (Java Micro Edition) enabled phones such as Nokia handsets
- Bloover II: exploits BlueBug and also HeloMoto, BlueSnarf and OBEX Object Push attacks
Bluetooth attacks countermeasures
- Check paired devices
- Turn off visibility / turn off Bluetooth if not used
- Use a strong PIN
- Use encryption
- Use the strongest security mode available
- Don't accept unknown requests
- Use Bluetooth security tools
Bluetooth security tools
- Bluetooth firewall
  - Mobile app for logging and monitoring Bluetooth connections
  - Radar feature allows you to scan nearby Bluetooth devices
  - Scan feature lists apps that can perform Bluetooth actions
- Bluediving
  - Bluetooth penetration suite
  - Exploits BlueBug, BlueSnarf, BlueSnarf++ and BlueSmack
- Bluelog
  - Linux Bluetooth scanner
- btscanner
  - Debian tool to extract information from a Bluetooth device without the requirement to pair.
- BlueRanger
  - Simple Bash script which uses link quality to locate Bluetooth device radios