null Mumbai Chapter December 2012 Meet

1. Carwhisperer
Bluetooth Attack

2. What is Bluetooth??
• Bluetooth is “A specification for short-range radio
links between mobile phones, mobile computers,
digital cameras, and other portable devices.”
• Enables users to establish ad hoc networks
supporting voice and data communications

3. History
• It has been called after Harald Blatand (Harald
bluetooth), the king of Denmark.
• The Bluetooth wireless technology was invented in
1994 by Ericsson
• In September 1998, the Bluetooth Special Interest
Group (SIG) was founded with the objective of
developing the Bluetooth wireless technology

4. Bluetooth Basics
• Bluetooth operates in the licensed-free ISM band
between 2.4 and 2.48 GHz.
• For Prevention of interference with other devices working
within ISM, Bluetooth make use of a technique called
frequency hopping.
• It takes 1600 hops/sec
• It has 79 base band frequencies
• Bluetooth is a connection oriented service.

5. Bluetooth Basics(Continued)
• In order to connect two Bluetooth devices, one of them,
normally the device initiating the connection, elevates to
the master, leaving the second device as a slave.
• Piconet
• Scatternet
• ACL (Asynchronous connection-oriented) and SCO
(Synchronous connection-less)
• Data rates up to 3 Mb/s
• Typical communication range is 10 to100 meters

6. Bluetooth Topology (ACL link)

7. Bluetooth Topology (SCO/eSCO link)

8. Master-Slave Architecture
• In Bluetooth, connections with up to seven devices,
which form piconet are possible, where communication is
led by the master device.

9. Bluetooth Services
• Bluetooth makes use of a protocol stack, which makes it
simple to separate application logic from physical data
connections.
• The protocol architecture of Bluetooth allows for straight
forward implementation of existing network protocols
like HTTP, FTP, etc.

11. Bluetooth Radio & Baseband
• Bluetooth Radio work as a digital signal processing
component of the system
• Bluetooth device transmit data, which is made up of bits
(ones and zeros), over a radio frequency
• Baseband processes the signal received and transmitted
by Radio
• Controls links, packets, error and flow

12. LMP & HCI
• LMP manages link setup, authentication, link
configuration and other low level protocols
• Connection establishment
• HCI provides command interface to the baseband
controller and link manager
• Exists across three sections, the host, transport layer and
the host controller

13. L2CAP & RFCOMM
• L2CAP provides connection-oriented and connection-
less data services to upper layer protocols
• Permits protocols and applications to transmit and
receive data packets up to 64 kilobytes in length
• RFCOMM protocol supports 60 simultaneous connection
between two Bluetooth devices
• The number of connections that can be used
simultaneously in a bluetooth device is implementation
specific, meaning what profile is being used

14. SDP-Service Discovery Protocol
• Bluetooth is a technology, which is deployed in a
dynamical environment. Devices may get out of range or
even switched on, while new devices might become
activated.
• In order to detect services, provided by other devices, a
protocol, which detects services makes sense. In
Bluetooth, the Service Discovery Protocol is responsible
for keeping track of services, provided within a device’s
operating range

15. TCS - Telephony Control Protocol
• The Telephony Control Protocol provides functionality to
control telephony applications and makes use of L2CAP
connections.

16. OBEX - Object Exchange Protocol
• The Object Exchange Protocol (OBEX) provides services
for the exchange of binary data objects. To initiate an
OBEX session, an optional OBEX authentication is
possible.
• Therefore, a limited set of commands like PUT, GET or
ABORT exist for easy file transfers, comparable to HTTP.

17. Bluetooth Profiles
• In Bluetooth, provided services are composed to a
Bluetooth Profile. Bluetooth devices communicate via the
profiles, that act as ”interfaces”.
• For further consideration, two Bluetooth profiles are
especially interesting, concerning BlueSnarfing and
BlueBugging attacks:
1. OBEX Object Push Profile (OPP).
2. Synchronisation Profile (SYNCH).

18. OBEX Object Push Profile (OPP)
• The Object Push Profile (OPP) provides basic functions
for exchange of binary objects, mainly used for vCards in
Bluetooth.
• vCard is a file format standard for electronic business
cards.
• Since vCards are not worth being especially protected, no
authorization procedure is performed before OPP
transactions. Supported OBEX commands are connect,
disconnect, put , get and abort.

19. Synchronization Profile (SYNCH)
• The Synchronization Profile (SYNCH) provides functions
for exchange of Personal Information Manager (PIM)
data and was adopted from the IrDA infrared
specification.
• In Bluetooth, especially private data, like the address
book, calendar, etc. is sent using the SYNCH profile.

20. Overview On Bluetooth Security
• Security within Bluetooth itself covers three major
areas:
– Authentication
– Authorization
– Encryption
• Security levels:
– Silent
– Private
– Public

25. Thank You !!