- •Contents
- •Preface
- •1 Introduction
- •1.1 Bluetooth system basics
- •1.1.1 Background
- •1.1.2 Trade-offs
- •1.1.3 Bluetooth protocol stack
- •1.1.4 Physical layer
- •1.1.5 Baseband
- •1.1.6 Link manager protocol
- •1.1.7 Logical link control and adaptation protocol
- •1.1.8 Host control interface
- •1.1.9 Profiles
- •1.2 Bluetooth security basics
- •1.2.1 User scenarios
- •1.2.2 Notions and terminology
- •References
- •2.1 Key types
- •2.2 Pairing and user interaction
- •2.3 Authentication
- •2.4 Link privacy
- •2.4.1 Protect the link
- •2.4.2 Encryption algorithm
- •2.4.3 Mode of operation
- •2.4.4 Unicast and broadcast
- •2.5 Communication security policies
- •2.5.1 Security modes
- •2.5.2 Security policy management
- •References
- •3 Bluetooth Pairing and Key Management
- •3.1 Pairing in Bluetooth
- •3.2 HCI protocol
- •3.3 LM protocol
- •3.4 Baseband events
- •3.4.1 Initialization key generation
- •3.4.2 Unit key generation
- •3.4.3 Combination key generation
- •3.4.4 Authentication
- •3.4.5 Master key generation
- •3.5 User interaction
- •3.6 Cipher key generation
- •3.7 Key databases
- •3.7.1 Unit keys generation requirements
- •3.7.2 Combination key generation requirements
- •3.7.3 Key databases
- •3.7.4 Semipermanent keys for temporary use
- •References
- •4 Algorithms
- •4.1 Crypto algorithm selection
- •4.1.1 Block ciphers
- •4.1.2 Stream ciphers
- •4.2 SAFER+
- •4.3 Encryption engine
- •4.4 Ciphering algorithm E0
- •4.4.1 Initialization
- •4.5 Implementation aspects
- •References
- •5 Broadcast Encryption
- •5.1 Overview
- •5.2 Preparing for broadcast encryption
- •5.3 Switching to broadcast encryption
- •References
- •6 Security Policies and Access Control
- •6.1 Objectives
- •6.1.1 Trust relations
- •6.1.2 Security levels
- •6.1.3 Flexibility
- •6.1.4 Implementation considerations
- •6.2 Security manager architecture
- •6.2.1 Overview
- •6.2.2 Device trust level
- •6.2.3 Security level for services
- •6.2.4 Connection setup
- •6.2.5 Database contents and registration procedure
- •Reference
- •7 Attacks, Strengths, and Weaknesses
- •7.1 Eavesdropping
- •7.2 Impersonation
- •7.3 Pairing
- •7.4 Improper key storage
- •7.4.1 Disclosure of keys
- •7.4.2 Tampering with keys
- •7.4.3 Denial of service
- •7.5 Unit key
- •7.6 Location tracking
- •7.6.1 Bluetooth device address and location tracking
- •7.6.2 Five different types of location tracking attacks
- •7.7 Implementation flaws
- •References
- •8 Providing Anonymity
- •8.1 Overview of the anonymity mode
- •8.2 Address usage
- •8.3 Modes of operation
- •8.4 Inquiry and paging
- •8.4.1 Connectable mode
- •8.4.2 Private connectable mode
- •8.4.3 General connectable mode
- •8.5 Alias authentication
- •8.6 Pairing
- •8.7 Anonymity mode LMP commands
- •8.8 Pairing example
- •References
- •9 Key Management Extensions
- •9.1 Improved pairing
- •9.1.1 Requirements on an improved pairing protocol
- •9.1.2 Improved pairing protocol
- •9.1.3 Implementation aspects and complexity
- •9.2 Higher layer key exchange
- •9.2.2 Higher layer key exchange with EAP TLS
- •9.3 Autonomous trust delegation
- •9.3.1 Security group extension method
- •9.3.3 Group extension method versus public key method
- •References
- •10 Security for Bluetooth Applications
- •10.1 Headset
- •10.1.1 Headset security model
- •10.1.2 Pass-key and key management
- •10.1.3 Example
- •10.2 Network access
- •10.2.1 Common access keys
- •10.2.2 Security architecture
- •10.2.3 Network service subscription
- •10.2.4 Initial connection
- •10.2.5 Subsequent access to NAcPs
- •10.3 SIM access
- •10.3.1 The SIM access profile
- •10.3.2 Securing SIM access
- •References
- •Glossary
- •List of Acronyms and Abbreviations
- •About the Authors
- •Index
Attacks, Strengths, and Weaknesses |
113 |
|
|
address is also able to impersonate the unit distributing the unit key. Thus, when using a unit key, there is no protection against attacks from trusted devices. The unit key usage weakness was observed by Jakobsson and Wetzel in [19] and was also pointed out by NIST in a report on wireless security [22]. The potential risks with units keys have also been recognized by the Bluetooth SIG. Originally, the unit key was introduced in order to reduce memory requirements on very limited devices and remains part of the standard for backward compatibility reasons. The Bluetooth combination keys would be much more appropriate to use for almost any Bluetooth unit and the Bluetooth SIG does not recommend the use of unit keys [23] anymore.
7.6 Location tracking
As we have discussed, security in computer networks includes different aspects of message integrity, authentication, and confidentiality. In wireless networks, where users move between different networks and media types, another issue becomes important: location privacy. Since the Bluetooth technology is targeted toward devices of personal type like mobile phones, PDAs, or laptops, this becomes a real issue. The location privacy threat is actually independent of whether Bluetooth is just used for local connectivity or as an access technology. As long as the device is carried and used by one particular person, there is a risk that the device is tracked using the transmitted radio signals from the Bluetooth-enabled device. In order to be able to track user movements, there must be some fixed device identity the attacker can utilize. Once the attacker has succeeded in linking a human identity to the device identity, the threat becomes a reality. Hence, all kinds of fixed identities are potential privacy threats. The Bluetooth device address or any value derived from the device address is the obvious location privacy attack target in Bluetooth. Moreover, even a userfriendly name or any other application-specific identity might be a privacy problem. In this section we discuss the Bluetooth device address usage from a privacy perspective and discuss different Bluetooth location tracking attacks.
To protect a device against location tracking, an anonymity mode is needed. Devices operating in anonymous mode regularly update their device address by randomly choosing a new one. The anonymity mode is described in detail in Chapter 8.
7.6.1Bluetooth device address and location tracking
The most serious location tracking threat utilizes the Bluetooth device address. The address format is derived from the IEEE 802 standard. The Bluetooth
114 |
Bluetooth Security |
device address, BD_ADDR, has a length of 48 bits and consists of three different parts:
1.Lower address part;
2.Upper address part (UAP);
3.Nonsignificant address part (NAP).
The format is illustrated in Figure 7.3. The LAP and UAP form the significant part.
The entire Bluetooth address (LAP, UAP, and NAP parts) is sent in the special frequency hop synchronization (FHS) packets transmitted at certain occasions. This fact can be utilized in the different attacks described in Section 7.6.2. However, this is not the only threat. Any deterministic value derived from the entire or parts of a fixed device address might be used for the very same purpose. This is the case for the Bluetooth access codes. These codes form the first part of each packet transmitted in Bluetooth. There are three different distinct access codes:
1.CAC, which is derived from the master’s LAP;
2.Device access code (DAC), which is derived form the specific device’s (slave) LAP;
3.Inquiry access code (IAC), which can be of two different forms, but is derived from special dedicated LAP values not related to any specific
BD_ADDR.
Hence, the CAC and DAC (but not the IAC) can potentially be used to track the location of a specific user.
LSB |
|
|
|
|
|
|
|
|
MSB |
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Company-assigned field |
|
|
Company identity field |
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
LAP |
|
|
UAP |
|
|
NAP |
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
24 bits |
|
|
|
|
8 bits |
|
|
|
|
16 bits |
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Figure 7.3 Bluetooth device address format.
Attacks, Strengths, and Weaknesses |
115 |
|
|
7.6.2Five different types of location tracking attacks
As we just discussed, directly or indirectly, the use of a fixed device address allows the general location of Bluetooth devices to be clandestinely determined. The device address, the CAC, or the DAC can be used to identify a particular device. Also, the user-friendly name of a device can be used to track the location of a device. In all, five different types of location tracking attacks have been identified. We describe these in the following sections.
Inquiry attack
In this scenario the attacker has distributed one or more Bluetooth devices throughout a region in which he desires to locate Bluetooth users. This can be done relatively inexpensively due to the low cost of Bluetooth devices. In addition, this network of devices can be used for a legitimate purpose, such as public information kiosks, and thus may already exist. Furthermore, assume that the potential victim of such an attack has left his device in discoverable mode. In this case, the attacking device can simply interrogate the area using frequent inquiry messages for devices and maintain a log of all the device addresses that are discovered. This data can be correlated with time to provide an accurate record of victim movements and associations (e.g., two people who are frequently in the same area are probably associated in some way).
Traffic monitoring attack
The next attack we describe succeeds even if the victim device is not in discoverable mode. In this case, the attacker simply monitors the communication between two trusted devices belonging to the victim. These devices will communicate using a specific CAC. This CAC is computed from the device address of the master device in the piconet. Therefore, an attacker can determine the master devices in the area by simply monitoring all network traffic nearby. Even if the CAC is not unique, the attacker can be quite confident that a particular CAC belongs to one unique device due to the small probability of two devices that have the same CAC within a small area. Similarly, the DAC can be used to detect a particular device. Furthermore, the whole device address is sent in the FHS packets of the devices, allowing an attacker to uniquely determine the identity of a device. An attack based on monitoring DAC or FHS packets are not as powerful as an attack based on monitoring CAC, since the FHS packet or packets containing DAC are only used at connection establishment (or at the master-slave switch), that is, events that are relatively rare.
Paging attack
This attack allows the attacker to determine if a given device with a known BD_ADDR or DAC is present within range. The attack requires that the