About Bluetooth Paring And Authentication

Published Date: 02 Nov 2017

In Malaysian society the mobile handheld device or smart phones is becoming more affordable and is becoming more of a common sight. When these mobile devises get involved in a crime or a security incident, forensic specialists are required to have tools that allow them an extensive examination and quick recovery of data and in turn be used as digital evidence. This paper gives an analysis of forensic software tools for current smart phones in Malaysia.

This paper will investigate the upcoming security threats of mobile devices using a Bluetooth wireless medium. Bluetooth is a transmission medium between two paired devices where data can be sent back and forth wirelessly. This means that a third party can extract data from a mobile device wirelessly. Currently there is a variety of hacking tools available for free download and tutorials on step by step procedure to hack a device via Bluetooth (BT).

With the ever growing demand of mobile devices and Bluetooth being a standard medium for device to device communication, a Investigation of potential threats for mobile devices to provide a security solution.

1.2 : Background to the project

BT is a wireless technology used today which is meant to be a universal standard protocol for short range communication. The intent is to replace cables connecting mobile devices, BT operates in the range of 2.4Ghz and is designed to allow wire free communications over a range of short-haul distances in three power classes, namely, short range 10-100 cm, ordinary range 10 m, and long range 100 m (Hager C. , Midkiff, S. 2003).

Mobile Devices like cell phones, smart phones, PDA’s and Computers commonly utilize BT for email synchronization, sending messages, sending contact information or connecting to a remote headset. A fact that escapes users of BT devices are the risk that lay users open to vulnerabilities of the technology. Users are subject to various types of hacking such as Bluehacking, Bluejacking, Marphing, Bluesniping and Bluesnafting these are just a few threats out of the many variants available (Hager, C. , Midkiff, S. 2003).

1.3 : Scope and objectives

The objective is to have a better understanding of BT and the threats that affect it. From the research information gathered it is possible to develop a web application for computer forensic analysis to deal with or detect BT intrusion.

The objective is to produce an in-depth investigation analysis on BT hacking methods from a technical aspect and an understanding to develop web application to detect threats within Bluetooth range.

The intent of the research paper is to determine how real the threat of assaults to BT enabled devices and how easy such attacks are to launch. Industries and users need a more effective, safe, cheap and confidential means of device communication with a minimum amount of vulnerabilities.

Once the research paper is complete, it will provide an in-depth view on how Bluetooth security is bypassed from a technical stand point. From the analysis of BT security, procedures for handling BT security threats and prevention of hacking via Bluetooth may be circumvented

1.4 : Project plan

The project plan includes these tasks and explanation notes explaining Challenges on each task

Gantt chart

Planning and updating not represent in the timeline

Secondary Research

Research was ongoing thought the project

Chapter 3 Questionnaire

The time it took to conduct the questionnaires analysis and report took longer than anticipated

Chapter 3 Conclusion

Chapter 4 Analysis

Chapter 5 Design

Design may change for technical reasons and will be noted in future works

Chapter 6 Conclusion and Recommendations

Changes and improvements

Please refer to Gantt chart in appendix 7.1, 7.2, 7.3, 7.4

2.0 : LITERATURE REVIEW

2.1 : Introduction

The papers reviewed are research based on Bluetooth (BT) wireless connection in the fields of security architecture and security threats. The project examining mechanisms with which to attack Bluetooth enabled devices. The paper briefly describes the protocol architecture of Bluetooth and the Java interface that programmers can use to connect to Bluetooth communication services. Several types of attacks are described under domain research

2.2 : Domain Research

To understand how BT hacking is possible and the threat it poses to users a look at the current BT security protocols is required to determine the vectors of attack used to accomplish BT hacking. BT has numerous security modes, device manufactures determine which modes to use for any BT enabled device. BT can establish trusted devices that can exchange data without asking authorization, this is provided that the user allowed the device before. The function is possible because of the service level security and device level security functioning together to protect the BT enabled device from unauthorized data transmission from new devices. The methods include authorization and identification procedures that permit the use of BT functions and services to the registered user that requires users to make a conscious decision to open a file or accept a data transfer (Haataja, K. 1995).

2.2.1 Types of Attacks

Types of BT attacks include "bluejacking," "bluebugging" and "Car Whisperer" this attack has been identified to be a BT-specific security issues despite of the intricate BT security architecture, hacking the device is still possible (O’Connor, Reeves, 2008). 

Bluejacking methods involve sending a business card or just a text message to the intended target mobiles device within a 10-meter radius. If the target doesn't realize what the message in tales, the target may allow the contact to be added to his or hers address book, and the added contact can send him messages that might be automatically opened because they're coming from a known contact (Haataja, K. 2012).

Another extraordinarily powerful attack method of BT hacking is called Bluebugging. The hacking takes control of the targets phone via the targets BT hands free or headset. This is achieved by pretending to be the targets BT hands free or headset. Once this is accomplished," it will allow an attacker to access the targets phone in order to make phone calls, send short messages service (sms) messages, read sms messages stored on the phone, read and write contact entries, alter phone services parameters, connect to the internet, set call forwarding and more" (Trifinite.org 2004).

The Car Whisperer is a piece of software that allows hackers to send audio to and receive audio from a Bluetooth-enabled car stereo. Like a computer security hole, these vulnerabilities are an inevitable result of technological innovation, and device manufacturers are releasing firmware upgrades that address new problems as they arise (O’Connor, Reeves, 2008).

These vulnerabilities are an inevitable result of technological innovation. The threats of BT hacking will only escalate. BT effective range is extended due the advent of directional antennas with a potential range of "1,78 km (1.01 miles)" . Combinations of several different methods of attacks already exist that make BT an extremely vulnerable device communication medium (OConnor, Reeves, 2008).

2.2.2 About Bluetooth Paring and Authentication

In the previous generation devices, each device creates an initialization key based on the Bluetooth PIN passkey, MAC address and 128-bit random number. Each device then uses the initialization key to exchange random words used in the creation of the link-keys. Following creation of the link-keys, each device pair perform mutual authentication. Should an attacker be able to observe the pairing process, he can reconstruct the link-keys to decrypt further traffic between paired devices (O’Connor, Reeves 2008).

In order for devices to communicate securely, Bluetooth (BT) devices require pairing process. Pairing requires devices to trade passkeys in order to create a link-key used for encryption. The Simple Pairing protocol in the Core specification 2.1 includes significant improvements including a Diffie-Helman key exchange. On the other hand, over 1.8 billion Bluetooth-enabled devices that functions pre-2.1 spec (O’Connor, Reeves 2008).

In response to the discovered protocol weaknesses, the Bluetooth Special Interest Group developed Secure Simple Pairing. Simple Pairing uses the Elliptic Curve Diffie Helman public key exchange to protect against passive eaves dropping. (O’Connor, Reeves 2008)Initially, each device computes a public and a private key. However, only the public keys are transmitted over the radio. Thus, an eavesdropper only has access to the two public keys and cannot compute either the private key or the shared Diffie-Helman key. Once each device is authenticated, the key is also used as one of the variables to create the shared linkkey for encryption. In the latest Bluetooth specification, an encryption key can be recreated for communication sessions that last longer than 24 hours (O’Connor, Reeves 2008).

Although Secure Simple Pairing provides protection against passive eavesdropping, it provides no additional protection against the existing man-in-the-middle attacks. Additionally, Secure Simple Pairing also introduces Near-Field-Communication (NFC) cooperation. By bringing two devices within a close proximity, the algorithm allows for automatic pairing. (O’Connor, Reeves 2008)

2.2.4 Bluetooth Security and Modes

Bluetooth has several security modes and device manufacturers to decide which mode to include in a Bluetooth device. In most cases, Bluetooth users can establish "trusted devices" that can exchange data without asking permission. When any other device tries to establish a connection to the user's gadget, the user has to decide to allow it. Security methods include authorization and identification procedures that limit the use of Bluetooth services to the registered user and require that users make a conscious decision to open a file or accept a data transfer. As long as these measures are enabled on the user's phone or other device, unauthorized access is unlikely. A user can also simply switch his Bluetooth mode to "non-discoverable" and avoid connecting with other Bluetooth devices entirely. If a user makes use of the Bluetooth network primarily for synching devices at home, this might be a good way to avoid any chance of a security breach while in public.

While pairing provides the link-key used for encryption and authentication, the Link Manager Protocol (LMP) directs the security mode. Four modes exist for Bluetooth security. In the first mode, a device does not initiate security procedures. In the second mode, a device does not initiate security procedures prior to the establishment of the L2CAP connection. In the third mode, the device must initiate security procedures prior to establishment of the LMP connection. In the fourth and final mode, the device can classify security requirements based on authentication and security required (Haataja, K. 2008).

Device security in Bluetooth has improved with each release of the Core specification. But with all new releases comes the potential for newer attacks. Although security design and implementation prove important, the next section addresses some countermeasures a user can take to decrease the threat posed by Bluetooth-enabled attacks (Haataja, K. (2008).