Bluetooth devices can also provide a bridge to existing networks. The goal of Bluetooth is to connect different devices together, wirelessly, in a small environment, such as an office or home. Bluetooth can be used to connect almost any device to any other device, for example, to connect a PDA and a mobile phone. Bluetooth is inexpensive, takes little power to operate, and maintains a low profile. The standard effectively does the following:
Eliminates wires and cables between stationary and mobile devices
Facilitates data and voice communications
Offers the possibility of ad hoc networks and delivers synchronicity between personal devices
Operating Band
Bluetooth transceivers operate in the unlicensed 2.4-GHz ISM band that is reserved for industrial, scientific, and medical applications. This band is available in most parts of the world (varies in some countries). The band is similar to the band wireless LAN devices and other IEEE 802.11-compliant devices occupy. Table 1 summarizes the characteristics of Bluetooth networks.
Characteristics | Description
Physical Layer | Frequency Hopping Spread Spectrum (FHSS)
Frequency Band | 2.4 GHz - 2.45 GHz (ISM band)
Hop Frequency | 1,600 hops/sec.
Data Rate | 1 Mbps (raw). Higher bit rates are anticipated
Operating Range | About 30 feet to 330 feet
100 mW 10 mW 1 mW
At a 330-foot range, Bluetooth can compete with other wireless LAN technologies and applications. Additionally, as with the data rates, it is anticipated that even greater distances will be achieved in the future.
www.airdefense.net
keyboard, and PC
Ease of file sharing between Bluetooth devices, for example, a PDA can access the files of a laptop
Wireless synchronization with other Bluetooth-enabled devices, without user input
Automated wireless applications that interface with the LAN and Internet
Internet connectivity for a wide variety of devices and applications, for example, a Bluetooth mobile phone can act as a wireless modem for laptops
Figure 2. Bluetooth Air-Interface Security
As illustrated in figure 2, Bluetooth can provide security on the link level, i.e., on various wireless links on the radio paths only. Link encryption and authentication may be provided, but true end-to-end security is not possible. In the figure, security services are provided between the PDA and the printer, between the cell phone and laptop, and between the laptop and the desktop.
Security Enforcement
Bluetooth uses pairing, PINs, and frequency hopping to enforce security. Encryption and authentication are based on a secret link key that is shared by a pair of Bluetooth devices. To generate this key, Bluetooth uses a pairing procedure the first time two devices communicate with one another. In this manner, two Bluetooth devices authenticate each other by passing a message during the initial handshake phase. Pairing is the driving force behind Bluetooth, as it is designed for information exchange. Pairing enables Bluetooth to interface with other devices and exchange, update, and synchronize data. To communicate, Bluetooth devices use a PIN in their initialization process. Some Bluetooth devices only allow the user to enter an ID number for each use, while others allow storage of the PIN in nonvolatile memory. Additionally, Bluetooth uses a frequency hopping technique to keep transmissions from breaking up. This technique, which consists of skipping around the radio band 1,600 times per second, improves the signal clarity. Also, by limiting communication to only synchronized devices, frequency hopping makes it slightly more difficult for an attacker to locate the Bluetooth transmission. This provides some additional protection from eavesdropping and malicious access.
Security protocols
Bluetooth supports the following protocols:
Authentication provides an abort mechanism if a device cannot authenticate properly. This addresses, "Do I know with whom I am communicating?"
Authorization allows the control of resources. This addresses, "Has this device been authorized to use this service?"
Encryption attempts to prevent information compromise from eavesdropping (passive attack). This addresses, "Are only authorized persons allowed to view my data?"
InStat/MicroDesign Resources
3. Security Risks
How secure are Bluetooth devices that use only available Bluetooth default security? Even when users choose to implement Bluetooth default security, vulnerabilities do exist that provide a motivation for using enhanced security. Some Bluetooth devices have serious flaws in their authentication and data transfer mechanisms (see table 3). Though Bluetooth devices have security features built in, most devices ship with unsecured default configurations that create gaping security holes.
Security issue | Comments
Shared master key. | The Bluetooth SIG needs to develop a better broadcast keying scheme.
No user authentication. | Bluetooth only provides device authentication. Application-level security and user authentication are optional.
Eavesdropping, resulting from device key sharing. | A hacker may be able to compromise the security, i.e., gain unauthorized access to between two other users.
Compromise of privacy if the Bluetooth device address (BD_ADDR) is captured and associated with a particular user. | Once the BD_ADDR is associated with a particular user, that user's activities could be logged, resulting in a loss of privacy.
Device authentication is simple shared-key challenge-response. | One-way only challenge-response authentication is subject to man-in-the-middle attacks. Mutual authentication is required to provide verification that users and the network are legitimate.
End-to-end security is not performed. | Only individual links are encrypted and authenticated. Data is decrypted at intermediate points. Application software above the Bluetooth software can be developed.
Limited security services. | Audit, non-repudiation, and other services do not exist. If needed, these can be developed at particular points in a Bluetooth network.
Viruses and DoS attacks, via the Internet and Email. | Data is vulnerable to third-party providers.
Source: NIST
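The table's point about one-way challenge-response versus mutual authentication can be modelled in a few lines. This is an added example, not code from the white paper or from any Bluetooth stack: HMAC-SHA256 truncated to 32 bits stands in for Bluetooth's own authentication function, and the `Device` class, the `authenticate` helper, the addresses and the keys are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def sres(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """32-bit response; HMAC-SHA256 is a stand-in for the real function (assumption)."""
    return hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()[:4]

class Device:
    def __init__(self, bd_addr: bytes, link_key: bytes):
        self.bd_addr, self.link_key = bd_addr, link_key

    def respond(self, au_rand: bytes) -> bytes:
        """Claimant role: prove knowledge of the shared link key."""
        return sres(self.link_key, au_rand, self.bd_addr)

    def verify(self, peer: "Device") -> bool:
        """Verifier role: send a fresh random challenge and check the answer."""
        au_rand = secrets.token_bytes(16)
        expected = sres(self.link_key, au_rand, peer.bd_addr)
        return hmac.compare_digest(peer.respond(au_rand), expected)

def authenticate(verifier: Device, claimant: Device, mutual: bool):
    """Return (verifier's verdict, claimant's verdict); None means 'never checked'."""
    verifier_ok = verifier.verify(claimant)
    # One-way: the claimant answers but learns nothing about who asked.
    # Mutual: the roles are swapped and the exchange is repeated.
    claimant_ok = claimant.verify(verifier) if mutual else None
    return verifier_ok, claimant_ok

# Constructed devices: the PDA and laptop share a link key from an earlier pairing.
KEY = bytes(range(16))
pda = Device(bytes.fromhex("00005e005301"), KEY)
laptop = Device(bytes.fromhex("00005e005302"), KEY)
# Presents the laptop's address but does not hold the link key.
impostor = Device(laptop.bd_addr, bytes(16))

if __name__ == "__main__":
    for name, peer in (("laptop", laptop), ("impostor", impostor)):
        for mutual in (False, True):
            print(name, "mutual" if mutual else "one-way", authenticate(peer, pda, mutual))
```

In the one-way runs the PDA's verdict is `None` for both peers, so it has no evidence to tell them apart; only the mutual run gives it a `False` for the peer without the link key.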
Insecure Configurations
Using default security configurations in a Bluetooth network is an open invitation for attack on both the Bluetooth network and your enterprise backbone.
Like wireless LAN devices, Bluetooth devices are being rapidly deployed with little or no security. However, because of the pervasiveness of these unsecured devices left in default settings, they stand to be an attractive target for exploitation.
Pete Lindstrom, research director, Spire Security
link is compromised, all devices in that Bluetooth network are vulnerable to attack. For example, a compromised link allows a hacker to monitor data traffic, while a compromised device allows the hacker to request and receive sensitive data. In addition, remote users often delegate authority (rights) to a host machine (e.g., a shared server) to execute programs. If the remote device is compromised and the authorized user had granted rights to the machine, the hacker could then use those rights to compromise the network. An example of this is a PDA automatically requesting a laptop to send and download emails. If the user had enabled (i.e., had delegated authority to) the PDA to download email from the laptop, a hacker could use the compromised PDA to obtain the email.
Bluetooth networks in many enterprises connect back to a wired network at some point. Hackers can use an insecure networked Bluetooth laptop as an entry point into the entire enterprise network, gaining access to customer credit cards, records, and other sensitive information that may not even exist on the Bluetooth network.
SNARF Attacks
Discovered by A.L. Digital's chief security officer Adam Laurie while testing phones for his own company's deployment, the SNARF (also called grab) attack bypasses the security net of most handsets and enables hackers to breach and compromise confidential data, including an individual subscriber's phonebook, calendar, business card data, and associated attachments, such as still and moving images, e.g., friends and family photos. All this data can be taken anonymously from some very well-known Bluetooth-enabled mobiles, and it is accomplished completely without the handset owner's knowledge or consent.
Additionally, hackers can use the SNARF attack to obtain the phone's International Mobile Equipment Identity (IMEI), which remotely identifies the phone to the mobile network. The IMEI is used in illegal phone cloning.
Backdoor Attacks
The complete memory contents of some mobile phones can be accessed when an attacker establishes a trust relationship through the Bluetooth pairing procedure, while ensuring that it no longer appears in the target's register of paired devices. This data includes not only the phonebook and calendar, but also media files, such as pictures and text messages. In essence, the entire device can be backed up to the hacker's own system. Not only can the hacker acquire data from the phone, but the hacker can also access other services, such as modems or Internet, and WAP or GPRS gateways.
Management Countermeasures
Enterprises that use Bluetooth technology can reduce risks by establishing and documenting security policies that address the use of Bluetooth devices and user responsibilities. Security policies should include a list of approved uses for Bluetooth devices, the type of information that may be transferred in the network, and disciplinary actions resulting from misuse. Security policies should also specify a set scheme for password use.
Bluejacking
Bluejacking is a technique that is similar in concept to a buffer overflow attack against a wired network. The technique involves abusing the Bluetooth pairing procedure, made possible because the name of the initiating Bluetooth device displays on the target device as part of the handshake exchange. As pairing allows a large user-defined name field (up to 248 characters), the field itself can be used to pass the message. This presents a potential security problem. During Bluejacking, the hacker successfully pairs with the target device using the first part of the handshake exchange. If this occurs, all data on the target device becomes available to the hacker, including phone books, calendars, pictures, and text messages. Bluejacking can provide the means for a hacker to hijack valuable data from corporations, government bodies, and the like. Bluejacking can succeed because of the number of users who are often duped by a constant barrage of unsolicited messages, such as SPAM email or SMS text messages.
devices and their key attributes. BlueWatch can enable individual users and enterprises to identify rogue and insecure Bluetooth devices in their air space, enabling them to take proactive steps to mitigate the risk of security breaches. Monitoring tools like AirDefense BlueWatch can play a critical role in providing visibility of unsanctioned or insecure Bluetooth devices and the security vulnerabilities they introduce.
Pete Lindstrom, research director, Spire Security
Conclusion
As businesses and consumers continue their rapid adoption of wireless technologies, all enterprises must address the growing security concerns from new airborne threats. Companies spend millions of dollars securing their networks. When a company's network is left exposed by insecure devices such as Bluetooth devices, hackers can enter the organization and compromise the company's corporate backbone, rendering investments in information technology security obsolete. The implications from a security breach can impact the company's reputation, intellectual property and regulated information. Organizations should take protective steps to monitor for Bluetooth devices in their air space to mitigate these new types of risks.
AirDefense BlueWatch runs on a standard Windows XP or Windows 2000 platform, on PCs and laptops. It uses a plug-in USB Bluetooth adapter that is compatible with WIDCOMM Bluetooth drivers. (Most PC devices use a WIDCOMM Bluetooth driver. This includes adapters from Linksys and Belkin, commonly available at consumer electronics stores.) AirDefense recommends using a Class 3 adapter for the greatest range of 330 feet (100 meters). BlueWatch monitors the airwaves to:
Identify different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones.
Provide Key Attributes, including the device class, device name, and manufacturer.
Provide Connection Information, indicating if Bluetooth devices are paired or connected.
Identify Available Services on each device, including network access, fax, and audio gateway.
"Many of our new company-issued devices are Bluetooth enabled. Although this is a convenience for many of our associates, there is a risk that sensitive data may be compromised. AirDefense BlueWatch provides a monitoring solution that we can use to identify and track how and with whom these devices communicate."
Michael Ciarochi, senior security engineer, HomeBanc Mortgage
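The attributes listed above (device class, name, connection state, available services) are enough to drive a simple policy audit. The sketch below is an added example, not AirDefense code and not how BlueWatch works internally: the record layout, the approved-device list, the name-length threshold and the sample scan are all assumptions, and the only external fact used is the standard Class of Device bit layout.

```python
# Class of Device (CoD): bits 8-12 hold the major class, bits 2-7 the minor class.
MAJOR = {1: "computer", 2: "phone", 3: "network access point",
         4: "audio/video", 5: "peripheral", 6: "imaging"}
MINOR = {(1, 3): "laptop", (1, 4): "PDA", (1, 5): "PDA", (2, 1): "cell phone"}

# Assumed site policy (hypothetical values, not taken from the white paper).
APPROVED = {"00:00:5E:00:53:01", "00:00:5E:00:53:02"}
RESTRICTED_SERVICES = {"network access", "fax", "audio gateway"}
MAX_NAME_LEN = 32  # the name field itself allows up to 248 characters

def device_type(cod: int) -> str:
    major, minor = (cod >> 8) & 0x1F, (cod >> 2) & 0x3F
    if major == 5 and (minor >> 4) & 1:  # peripheral with the keyboard bit set
        return "keyboard"
    return MINOR.get((major, minor), MAJOR.get(major, "unknown"))

def audit(dev: dict) -> list:
    """Return the policy findings for one observed device record."""
    findings = []
    if dev["bd_addr"].upper() not in APPROVED:
        findings.append("unsanctioned " + device_type(dev["cod"]))
        if dev["paired"]:
            findings.append("unsanctioned device is paired or connected")
    exposed = sorted(RESTRICTED_SERVICES & set(dev["services"]))
    if exposed:
        findings.append("exposes " + ", ".join(exposed))
    if len(dev["name"]) > MAX_NAME_LEN:
        findings.append("name is %d chars and may carry a message" % len(dev["name"]))
    return findings

# Constructed scan results; addresses come from the documentation range.
SCAN = [
    {"bd_addr": "00:00:5E:00:53:01", "name": "FIN-LAPTOP-07", "cod": 0x02010C,
     "paired": True, "services": ["network access"]},
    {"bd_addr": "00:00:5E:00:53:02", "name": "Desk keyboard", "cod": 0x000540,
     "paired": True, "services": []},
    {"bd_addr": "00:00:5E:00:53:99", "cod": 0x500204, "paired": True,
     "name": "Hello, you have a new message, please accept this request",
     "services": ["audio gateway", "fax"]},
]

def report(scan=SCAN) -> dict:
    """Map each BD_ADDR with at least one finding to its list of findings."""
    results = {d["bd_addr"]: audit(d) for d in scan}
    return {addr: f for addr, f in results.items() if f}
```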
About AirDefense
AirDefense is the thought leader and innovator of wireless network security and operational support solutions. Founded in 2001, AirDefense pioneered the concept of 24x7 monitoring of the airwaves and now provides the most advanced solutions for rogue wireless LAN detection, policy enforcement, intrusion protection and monitoring the health of wireless networks. Blue chip companies and government agencies rely upon AirDefense solutions to secure and manage wireless networks around the globe. For more information or feedback on this white paper, please contact: AirDefense, Inc. 4800 North Point Parkway Suite 100 Alpharetta, Georgia 30022 Email: www.airdefense.net Phone: 770.663.8115
All trademarks are the property of their respective owners.