Bluetooth Encryption

1
Bluetooth Encryption

• Shawn Roberts
• 31 March 2004

2
What is Bluetooth ?

• Created by Ericsson Mobile Communications
• Named after 10th Century Danish King Harald
  Bluetooth
• Standardized within the 802.15 Personal Area
  Network (PAN) working group
• 1988 Bluetooth SIG founded
• Founding members include Ericsson, Nokia, IBM,
  Toshiba, Intel
• Today over 2,000 participating companies

3
Bluetooth Physical Layer

• 2.4 to 2.4835 GHz (ISM band)
• Frequency hopping spread spectrum with time
  division duplex
• 1,600 hops/sec over 79 frequencies in
  quasi-random fashion
• Each 625 microsecond slot uses a different
  frequency
• Hop carriers equally spaced at 1 MHz intervals

4
Bluetooth Physical Characteristics

• Data Rate 1 Mbps
• Throughput 720 kbps (approx)
• Three classes of power management
• Class 1 100 milliwatt (mW) 100 meters
• Class 2 2.5 milliwatt (mW) 10 meters
• Class 3 1 milliwatt (mW) 1/10 to 10 meters
• 48 bit addresses

5
Bluetooth Networks

• Small adhoc Network consisting of up to 8
  Bluetooth devices
• One master and seven slaves
• Device can only be the master of one piconet at
  the time
• Device can switch between multiple piconets
• Scatternet-Consists of multiple piconets

6
Authentication Parameters
Parameter Length Secrecy Characteristic
Device Address 48 bit Public
Random Challenge 128 bit Public, unpredictable
Authentication 32 bit Public
Link Key 128 bit Secret
7
Bluetooth Keys

• Link keys
• All keys are 128bit random numbers and are either
  temporary or semi-permanent
• 4 Types
• Unit key KA -unique long-term private key of a
  device
• Combination key KAB -derived from units A and B.
  Generated for each pair of devices
• Master key Kmaster -used when master device wants
  to transmit to several devices at once
• Initialization key Kinit -used in the
  initialization process.

8
Bluetooth Keys(2)

• Encryption key
• Derived from the current link key. Automatically
  changed each time encryption is needed.
• Separate from the authentication key
• PIN Code
• Fixed or selected by the user
• Usually 4 digits, can be 8 to 128 bits
• Shared secret

9
Bluetooth Key Generation
10
Bluetooth Authentication
11
Levels of Trust

• Trusted-If device B is trusted by device A it is
  allowed unrestricted access to A
• Untrusted-If B is untrusted by A it has
  authenticated to A but access to A is limited
• Unknown-If B is Unknown it has not been
  authenticated and is unknown

12
Encryption Modes

• Mode 1 No encryption on any traffic
• Mode 2 Broadcast traffic (unencrypted)
• Individual Traffic encrypted with individual
  link keys
• Mode 3 All traffic encrypted according to
  master link key

13
Bluetooth Encryption Process
14
Bluetooth Insecurities

• PIN weakness
• Initial authentication is based on a PIN that can
  be anywhere between 8-128 bits.
• If poorly chosen can be easy to guess
• Reflection Attack
• A hacker can capture the MIN and ESN and pretend
  to be someone else
• Stealing the Unit Key
• Highlights weakness of only authenticating the
  device and not the user
• Replay attacks
• A hacker can record Bluetooth transmissions in
  all 79 frequencies and then in some way figure
  out frequency hopping sequence and then replay
  the whole transmission.

15
Bluetooth Insecurities(2)

• Man in the middle
• Bluetooth authentication does not use public key
  certificates to authenticate users.
• Denial-of-Service attack
• Not very feasible would require the jamming of
  the whole ISM band

16
Securing your Bluetooth Device

• Pairing
• Weakest link and the most vulnerable to attack
• Should be performed in a secure area
• Use long Personal Identification Numbers
• Avoid using unit keys.
• Use combination keys instead
• Check the default settings of the device
• Respond only to inquiries of known devices
• Do not save PIN permanently in memory

17
Sources

• Bluetooth Stack Architecture Microsoft Windows CE 
  .NET 4.2 http//msdn.microsoft.com/library/default
  .asp?url/library/en-us/wcebluet/html/ceconBluetoo
  thStackArchitecture.asp
• Gehrmann, Christian. Bluetooth Security White
  Paper". Version 1.0 19 April 2002.
  http//www.bluetooth.com/upload/24Security_paper.P
  DF
• Xydis, Ph.D. Thomas G. and Simon Blake-Wilson.
  Security Comparison Bluetooth Communications
  vs. 802.11, 10 November 2001, revised 15 May
  2002. http/www.bluetooth.com/upload/14Bluetooth_W
  ifi_Security.pdf
• United States Dept. of Commerce. National
  Institute of Standards and Technology. Technology
  Administration. Special Publication
  800-48Wireless Network Security802.11,Bluetooth
  and Handheld Devices. By Tom Karygiannis
  http//csrc.nist.gov/publications/nistpubs/800-48/
  NIST_SP_800-48.pdf
• Bluetooth Encryption Engine
• http//www.stanford.edu/jayasena/ee272/proj_desc.
  htm

18
Bluetooth Protocol Stack