Bluetooth Hacking – Understanding Risks

Udemy Editor

Bluetooth Technology

Ericsson originally thought of Bluetooth as a short-range radio replacement for fixed cabling such as the serial computer standard RS232 back in the late nineties. Bluetooth’s purpose was to exchange data from connected fixed and mobile devices. Later, Bluetooth would find an extended role as the standard for short distance connectivity for creating Personal Area Networks (PANS) when connecting wearable accessories and mobile devices.

Understand wireless hacking at Udemy.com.

Blue tooth is a radio communication protocol that operates in the unlicensed short-wavelength UHF 2.4 -2.48 GHz range, reserved for Industrial, Scientific and Medical (ISM) purposes. Due to its design purpose, Bluetooth uses reduced power controls to limit the range of the radio. It also uses frequency band hopping as a basic protection against eavesdropping.

Bluetooth uses frequency hopping to span the 79 designated Bluetooth channels. Each channel has a bandwidth of 1 Mhz. Bluetooth 4.1 uses two channels for spacing, which reduces the available channels to 40. The frequency range for channels is from 2402 MHz to 2480 MHz in 1 MHz steps. Bluetooth performs 1600 hops per second using adaptive frequency spectrum hopping.

Bluetooth Protocol

Bluetooth works on a master/slave model, where one master can connect to seven slaves and share the master’s clock for synchronization. Bluetooth uses a packet-based protocol, which is controlled by the master device’s clock.

In order for devices to connect, they need to agree and adhere to certain specific Bluetooth profiles. Profiles cover a wide range of devices and use cases. For example, a Bluetooth device must adhere to its own profile, so there will be specific profiles for a mobile phone connecting to a car stereo, or an ear-piece, or external speakers.

Bluetooth Uses

Bluetooth was designed specifically for short-range communication on an ISM radio frequency channel and with low power consumption. Range is power-class dependent but Bluetooth using battery-powered class 2 has a range of up to 10 meters. This was fine for its original purpose of being a fixed cable replacement as a PAN connection personal mobile devices and accessories.

Learn how to hack at Udemy.com

Bluetooth Security

Bluetooth implements security through a shared key, which is generated from the PIN that is entered into both devices when you want to form a connection. During the pairing process, an initialization key is generated from the PIN and this key is used to encrypt all future communications and provide confidentiality. The PIN is normally just a 4 digit number, which makes the cipher relatively weak. However, PINs are only entered at the time of pairing, so an attacker has to eavesdrop during the connection or in some way entice the potential victim to re-enter his PIN.

Frequency hopping at 1600 hops per second makes it very resistant to interference and jamming attempts.

Other Security features:

Bluetooth uses the E0 cipher suite for encryption with a 128 key
Mask discoverability – by not making the device ‘discoverable’ it will no longer advertise its BD_ADDR to anyone asking for it. Another Bluetooth device cannot pair with a device unless it knows its BD_ADDR.
Regularly flush all trusted devices – re-pair with those needed as required. Over time, the device can build up a long list of unnecessary trusted device names leaving it vulnerable to attack should they fall into the wrong hands.

Bluetooth Security Concerns & Vulnerabilities

There were several high profile security issues with Bluetooth prior to version v2.1 due to there being an option to switch to security mode 1, which actually has no security. Unfortunately, less security conscious device owners were willing and happy to switch off the device security if it facilitated easier pairing and to leave their Bluetooth devices in discoverable mode as they wished to make contacts. In fact, prior to 2005, Bluetooth was a common way for teenagers to communicate with each other in shopping malls and theaters.

The number of devices being advertised convinced store owners to turn to Bluetooth marketing. This involved using a Bluetooth enabled PC with a class 1 device that could reach up to 100 m. Bluetooth marketing software would scan and build up a list of BD_ADDR it could identify before attempting to pair and send a business card or advertisement. This marketing tactic became so prevalent that Bluetooth device owners stopped broadcasting their device BD_ADDR.

Even today, there are security issues that make a device ‘discoverable’ since an attacker cannot launch any attack without the BD_ADDR .

Secondly, although it isn’t strictly a security issue, there is privacy issues.

Bluetooth-Specific Security Issues

Complete trust in the paired device – if the profiles allow phone-to-phone trust, then during the pairing session, an attacker can do just about anything they want
Loose profiles allow too much latitude – Bluetooth was designed as a cable between a phone and other devices, but many profiles are set for dumb accessories, which are no longer dumb
Weakness in the E0 encryption algorithm has been found to have many unaddressed flaws.
Pairing is loosely defined – devices can pair using a 4 digit code for the encryption, which is vulnerable to commonly available Bluetooth hacking tools.

Risks of Attack

If an attacker uses a tool such as Super Bluetooth Hack, the hacker can pair with the device and perform some of the following malicious events:

– make the phone ring

– try to make calls.

– Steal or copy contacts

– Read SMS messages

– turn off the network / phone

– set or reset alarms

– change the date and time

– block the network operator

– start and delete java applications

Mitigation against Attack