Bluetooth technology has become integral to our daily lives, allowing us to connect and communicate wirelessly with various devices. However, with the increasing use of Bluetooth-enabled devices, ensuring their security has become more critical.
Bluetooth attacks can compromise sensitive data, lead to unauthorized access, and even enable control over devices without the owner’s knowledge. Therefore, it is crucial to understand the common Bluetooth attacks and implement effective mitigation techniques to safeguard our devices and personal information.
Common Bluetooth attacks
1. MAC Address Spoofing Attack
This attack occurs before encryption is established, during piconet formation, when devices authenticate each other by generating link keys. Using specialized tools, attackers can mimic other users, terminate connections, or intercept and modify data.
2. PIN Crack Attack
This attack happens during the device pairing and authentication process. An attacker uses a frequency sniffer tool to gather the RAND and BD_ADDR of the targeted device. Then, a brute-force search using the E22 algorithm tests all possible permutations of the PIN against the previously collected data until the correct PIN is discovered.
3. Man-in-the-Middle Attack
Man-in-the-Middle attacks, like the one depicted in Figure 9 below, occur when devices attempt to pair. The attacker relays messages between the devices without their knowledge, enabling authentication without the shared secret keys. The user falsely believes the pairing was successful while, in reality, both devices are paired with the attacker.
4. BlueJacking Attack
During a BlueJacking attack, unsolicited messages are sent by the attacker to a device, deceiving the user into using an access code. This allows the adversary to gain access to files on the targeted device. For the attack to succeed, the devices involved and the message’s source must be within a specific range of 10 meters. This attack is often employed in crowded areas like airports, shopping malls, and train stations. While it typically doesn’t involve data alteration, it can make devices vulnerable to other attacks.
5. BlueSnarfing Attack
This attack involves hacking into a mobile phone and stealing data stored in its memory, such as contacts, calendar entries, and images. The attacker connects to the user’s device by exploiting the OBEX File Transfer Protocol, a file transfer program used in Bluetooth. This enables the attacker to pair with the device and gain unauthorized access to its data. Figure 10 below illustrates a BlueSnarfing attack.
6. BlueBugging Attack
The attack occurs in the RFCOMM protocol, where physical connections are made via L2CAP + baseband to emulate serial RS-232 connections. In this attack, the attacker secretly connects to the target device without the owner’s knowledge. The attacker takes control of the device by gaining access to the device’s set of “AT” commands, which are attention commands used to send instructions to the module. This enables the attacker to execute commands as if they were the device owner, steal information, and access the phone’s services and settings.
7. BlueBump Attack
This attack exploits weaknesses in the handling of link keys. During the attack, a business card is exchanged between the attacker and the user. A trusted and authenticated connection is established by coercing the user to accept the card. However, even after the pairing, the user unknowingly maintains an active connection with the attacker since the link key is not deleted. The attacker can continue to pair with the target device unless the key is deleted.
8. BlueDump Attack
In this attack, the attacker falsifies the BD_ADDR of one of the devices to connect with the other. During pairing, the target device sends an authentication request, and the attacker responds with ‘HCI_Link_Key_Request_Negative_Reply’ due to the absence of a link key. Sometimes, the targeted device deletes its link key, entering pairing mode.
9. BluePrinting Attack
This attack combines revealed information about a device to gather additional details, such as the manufacturer, device model, and firmware version. To perform this attack, the BD_ADDR of the device must be known.
10. Blueover Attack
Blueover and its successor Blueover II are auditing tools used to determine if a Bluetooth device is vulnerable, but they can also initiate a BlueBugging attack.
11. BlueBorne Attack
The attack exploits a stack buffer overflow flaw by targeting the processing of pending client L2CAP configuration responses. This allows the attacker to hijack Bluetooth connections, gaining control over a targeted device’s embedded content and functions. The attack only requires the MAC and Bluetooth addresses to be successful.
12. Fuzzing Attack
In this attack, the adversary tries to provoke abnormal behavior in a device by sending malformed data packets and non-standard data to its Bluetooth radio. By observing how the device reacts to these packets, the attacker can identify vulnerabilities in the protocol stack if the device’s operations become sluggish or stop.
13. Off-Line PIN Recovery Attack
During the attack, the attacker attempts to intercept values like IN_RAND, LK_RAND, AU_RAND, and SRES (signed response). The SRES value is a matching variable necessary for authentication. Through brute forcing, the attacker tries to obtain a PIN that would yield the correct intercepted SRES value.
14. Brute-Force BD_ADDR Attack
This attack involves scanning the last three bytes of the BD_ADDR of a device. It’s worth noting that the first three bytes, known publicly, can be set as fixed.
15. Reflection/Relay Attack
During this attack, the attacker impersonates a device, aiming to authenticate the connection by reflecting or relaying device information. The attacker doesn’t seek undisclosed information but exploits the reflection or relay mechanism.
16. Backdoor Attack
This attack occurs when a trusted relationship is established during pairing. The adversary doesn’t appear on the target device’s register of paired devices. Once the relationship is established, the attacker gains access to the device’s services and resources without the device owner’s knowledge. The attack requires knowledge of the target device’s BD_ADDR, and the device must be vulnerable to the attack.
17. Denial of Service Attacks
Denial of Service attacks come in two forms: DDoS (Distributed Denial of Service) and ordinary DoS. In ordinary DoS attacks, the attacker attempts to crash the network or restart the system by flooding the targeted system with packets. A single attacker can perform DDoS attacks and disable or restrict network access. These attacks can target the Physical Layer or layers above it. Examples of DoS attacks include BD_ADDR duplication, BlueSmack, BlueChop, L2CAP guaranteed service, battery exhaustion, and Big NAK (Negative Acknowledgement), which exploits continuous retransmission loops.
18. Worm Attacks
Worm attacks occur when malicious software or Trojan files propagate to Bluetooth devices. Examples of such attacks are:
- Cabir Worm: A malicious software targeting Bluetooth technology. Mobile phones using the Symbian Series 60 interface platform are vulnerable. The user must accept the worm for it to succeed, which leads to its installation. The worms are often disguised as applications, tricking users into unknowingly accepting them. Once installed, the software searches for and sends itself to other available devices. The Mabir worm is a variant of the Cabir worm, using Multimedia Messaging Service messages and Bluetooth for replication.
- Skulls Worm: This malicious SIS (Symbian Installation System) trojan file targets Symbian mobile phones with the Series 60 platform. The worm disguises itself as a Macromedia Flash player. To activate the worm, the user must open and install the SIS file, after which it searches for additional devices to infect.
- Lasco Worm: The Lasco worm combines a Bluetooth worm and an SIS file. It targets and infects Symbian mobile phones supporting the Series 60 platform. To activate the worm, the user must open and install the velasco.sis file, allowing it to search for additional devices to infect.
19. BlueSmack Attack
This is a DoS attack on Bluetooth devices, similar to the “Ping of Death” attacks targeting IP-based devices. It involves sending pings and L2CAP echo requests to Bluetooth devices, causing the input buffer to overflow and the targeted device to be knocked out.
20. MultiBlue Attack
In this attack, the attacker gains access to the device they wish to hack using the MultiBlue dongle, a Bluetooth-capable 4 GB thumb drive. The attacker utilizes the MultiBlue application to discover nearby devices and send pairing requests. The targeted device presents a pre-shared key (code) for authentication and encryption. The attacker gains control over the device once the key is entered into the MultiBlue application.
21. HeloMoto Attack
This attack combines BlueSnarfing and BlueBugging attacks. It exploits a vulnerability in Motorola devices caused by the erroneous implementation of “trusted devices.” The attacker’s device is stored as a trusted device on the target device’s list. By connecting to the OBEX push profile and sending a vcard, the attacker bypasses the authentication and connects to the target device’s headset profile. BlueBugging is then used to take control of the device.
22. Bluecasing/War Nibbling Attack
This attack is carried out by phreakers (telephone network hackers) using laptops or PCs equipped with high-gain antennas and specialized software. They exploit vulnerabilities in Bluetooth phones to gain access to the targeted devices.
Mitigation techniques
Mitigation techniques protect Bluetooth-enabled devices and users from common Bluetooth attacks. By implementing these techniques, individuals and organizations can enhance security and minimize the risks of Bluetooth technology.
- To achieve optimal standards, it is necessary to update the default settings.
- Ensure that devices are within a secure range and remain in that range by setting them to the lowest power level.
- Enhance the resistance against brute-force attacks by utilizing long and random PIN codes.
- Regularly change the default PIN for devices and update it frequently, such as once every other month.
- Set devices to the undiscoverable mode by default, except when pairing is required.
- Most active discovery tools rely on devices being discoverable to identify them. In undiscoverable mode, devices are invisible to other Bluetooth devices, while trusted devices can still connect and communicate in this hidden mode.
- When not in use, especially in certain public areas like shopping malls, coffee shops, public transportation, clubs, bars, etc., it is advisable to turn off Bluetooth on devices to prevent users from receiving advertisements from potential Bluejackers.
- Exercise caution and refrain from entering passkeys or PINs when unexpectedly prompted.
- Keep software and drivers up to date to ensure access to the latest product improvements and security fixes.
- Users are advised against using Bluetooth-enabled devices or modules that are not supported or lack security measures, including Bluetooth versions 1.0 and 1.2.
- Pair devices as needed, ensuring the pairing process occurs in a secure non-public setting. This precautionary measure helps thwart attackers from intercepting pairing messages. As mentioned earlier, pairing is a critical aspect of Bluetooth security, and users should be aware of the risks associated with eavesdropping.
- Whenever possible, utilize SSP (Secure Simple Pairing) instead of legacy PIN authentication during the pairing exchange process to mitigate PIN cracking attacks.
- It is essential to unpair any lost or stolen Bluetooth devices from the previously paired devices. This prevents attackers from accessing the user’s other devices through Bluetooth pairing.
- Users should never accept transmissions from unknown or suspicious devices. Only accept content from trusted devices.
- Immediately remove all paired devices after use.
- Monitor devices closely and keep them within close range for better security.
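One way to check a Linux host against the discoverability and pairing items in this list, as an added example that is not part of the original article. It assumes BlueZ's `bluetoothctl show` output and a paired-device listing with one `Device <address> <name>` line per device; the sample text, addresses and allowlist are constructed.

```python
import re

# Constructed sample of `bluetoothctl show` output (BlueZ); not from a real host.
SAMPLE_SHOW = """\
Controller 00:11:22:33:44:55 (public)
\tName: laptop
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
"""

# Constructed paired-device listing, one "Device <address> <name>" per line.
SAMPLE_PAIRED = """\
Device AA:BB:CC:00:00:01 Work Headset
Device AA:BB:CC:00:00:02 Old Phone
"""
ALLOWED = {"AA:BB:CC:00:00:01"}  # hypothetical allowlist of devices still in use

def parse_show(text):
    """Return the indented 'Key: value' controller properties as a dict."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z]+):\s+(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(show_text, paired_text, allowed):
    """Compare adapter state with the mitigation list; return a list of findings."""
    props = parse_show(show_text)
    findings = []
    if props.get("Discoverable") == "yes":
        findings.append("adapter is discoverable")
        timeout = props.get("DiscoverableTimeout")
        # A timeout of 0 means discoverable mode never switches itself off.
        if timeout is not None and int(timeout, 16) == 0:
            findings.append("discoverable mode has no timeout")
    if props.get("Pairable") == "yes":
        findings.append("adapter accepts new pairings")
    for line in paired_text.splitlines():
        m = re.match(r"Device\s+([0-9A-F:]{17})\s+(.*)$", line.strip(), re.I)
        if m and m.group(1).upper() not in allowed:
            findings.append(f"unexpected pairing: {m.group(1)} ({m.group(2)})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW, SAMPLE_PAIRED, ALLOWED):
        print("FINDING:", finding)
```

Pairings that are not on the allowlist are the ones to review and remove, which covers both lost or stolen devices and pairings left behind after one-time use.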