Skip to content

Latest commit

 

History

History
104 lines (78 loc) · 4.16 KB

bluetooth.md

File metadata and controls

104 lines (78 loc) · 4.16 KB
Raw

Bluetooth

  • Range is typically less than 10m
  • Operates on the 2.4 GHz
  • Discovery feature can control the visibility of the device
  • Bluetooth Low Energy (BLE): Bluetooth >= 4.0
  • Bluetooth Classic (BC): Bluetooth < 4.0
  • Uses WPAN (wireless personal area network)
  • Utilize the Gaussian Frequency Shift Keying (FSK) to exchange information in the basic rate (BR) of usually 1 mbps.

Bluetooth security

  • Standard provides three basic security services:
    • Authentication
      • To verify the identity of communicating devices
    • Confidentiality
      • To prevent the compromise of information and ensure that only authorized devices can access and view data.
    • Authorization
      • To allow the control of resources by ensuring that a device is authorized to use a service before permitting it to do so.
  • ❗ Standard does not address address other security services such as audit and non-repudiation.
  • Four security modes (levels):
    1. Mode 1: No authentication/encryption.
    2. Mode 2: Authorization with access control policies.
    3. Mode 3: Mandate authentication and encryption using secret key with paired devices
    4. Mode 4: Secure Simple Pairing using Elliptic-Curve Diffie-Hellman (ECDH) for key exchange and link key generation

Bluetooth device discovery

  • BlueScanner: Finds devices around and displays information
  • BT Browser: Find and enumerate nearby devices

Bluetooth attacks

BlueSmacking

  • 📝 DoS attack using echo.

BlueJacking

  • 📝 Sending unsolicited data to bluetooth devices
  • Allows spamming for bluetooth also known as BlueSpamming
  • ❗ Not related to hijacking

BluePrinting

  • 📝 Extracting information about the device

BlueSnarfing

  • 📝 Stealing data from target device
  • E.g. calendars, contact lists, emails and text messages

BlackJacking

  • 📝 Exploits a blackberry device to attack corporate LAN directly
  • Compromises blackberry then proxies between corporate servers and attacker.

BBProxy

BlueBugging

  • Also known as bluebug-attack
  • Create a backdoor attack before returning control of the phone to its owner
  • Extends BlueJacking and BlueSnarfing (allows attacker to access data)
  • E.g. by pretending to be a headset to receive phone calls
  • Not so common as vulnerabilities are generally patched

Bloover

  • A proof-of-concept tool
  • 📝 Exploits bluebugging targeting J2ME (Java micro edition) enabled phones such as Nokia
  • Bloover II: Exploits bluebug and also helomoto, bluesnarf and OBEX object push attacks

Bluetooth attacks countermeasures

  • Check paired devices
  • Turn off visibility / turn off Bluetooth if not used
  • Use strong PIN
  • Use encryption
  • Use the strongest security mode available
  • Don't accept unknown requests
  • Use bluetooth security tools

Bluetooth security tools

  • Bluetooth firewall
    • Mobile app for logging and monitoring Bluetooth connections
    • Radar feature allows you to scan nearby bluetooth devices
    • Scan feature lists apps that can perform bluetooth actions
  • Bluediving
    • Bluetooth penetration suite
    • Exploits BlueBug, BlueSnarf, BlueSnarf++ and BlueSmack
  • Bluelog
    • Linux Bluetooth scanner
  • btscanner
    • Debian tool to extract information from a Bluetooth device without the requirement to pair.
  • BlueRanger
    • Simple Bash script which uses Link Quality to locate Bluetooth device radios