710 likes | 946 Views
Xiuzhen Cheng cheng@gwu.edu. Csci 388 Wireless and Mobile Security – Bluetooth and Security. Introduction. Named after Harold Bluetooth, King of Denmark (0952-0995 A.D.) Bluetooth Consortium was founded in Spring 1998
Xiuzhen Chengcheng@gwu.edu Csci388Wireless and Mobile Security – Bluetooth and Security
Introduction • Named after Harold Bluetooth, King of Denmark (0952-0995 A.D.) • Bluetooth Consortium was founded in Spring 1998 • By Ericsson, Intel, IBM, Nokia, Toshiba; Now more than 2000 organizations joint the SIG • Goal: developing a single-chip, low-cost, radio-based wireless network technology • Bluetooth is an open standard for short-range digital radio to interconnect a variety of devices • Cell phones, PDA, notebook computers, modems, cordless phones, pagers, laptop computers, printers, cameras, etc.
IEEE 802.15 • In 1999, IEEE established a working group for wireless personal area networks (WPAN) • Contains multiple subgroups • IEEE 802.15.1 • Standardizes the lower layers of the Bluetooth (together with the Bluetooth consortium) • Bluetooth also specifies higher layers • IEEE 802.15.2 • Focuses on the coexistence of WPAN and WLAN • Proposes the adaptive frequency hopping (used since version 1.2) that requires a WPAN device check for the occupied channels and exclude them from their hopping list • IEEE 802.15.3 • For high-rate at low-power low cost • IEEE 802.15.4 • Low-rate low-power consumption WPAN enabling multi-year battery life • Zigbee consortium tries to standardize the higher layers of 802.15.4
Bluetooth is a PAN Technology • Offers fast and reliable transmission for both voice and data • Can support either one asynchronous data channel with up to three simultaneous synchronous speech channels or one channel that transfers asynchronous data and synchronous speech simultaneously • Support both packet-switching and circuit-switching
Bluetooth is a standard that will … • Eliminate wires and cables between both stationary and mobile devices • Facilitate both data and voice communications • Offer the possibility of ad hoc networks and deliver synchronicity between personal devices
Characteristics of Bluetooth Technology 79 frequencies, each channel is used for 625 microseconds 2M is expected for Bluetooth 2
Bluetooth Topology • Bluetooth-enabled devices can automatically locate each other • Topology is established on a temporary and random basis • Up to eight Bluetooth devices may be networked together in a master-slave relationship to form a piconet • One is master, which controls and setup the network • All devices operate on the same channel and follow the same frequency hopping sequence • Two or more piconet interconnected to form a scatternet • Only one master for each piconet • A device can’t be masters for two piconets • The slave of one piconet can be the master of another piconet
Piconet • Master sends its globally unique 48-bit id and clock • Hopping pattern is determined by the 48-bit device ID • Phase is determined by the master’s clock • Why at most 7 slaves? • Active member address is 3-bit • Parked and standby nodes • Parked devices can not actively participate in the piconet but are known to the network and can be reactivated within some milliseconds • 8-bit for parked nodes • No id for standby nodes • Standby nodes do not participate in the piconet
ScatterNet • FH-CDMA to separate piconets within a scatternet • More piconets within a scatternet degrades performance • Possible collision because hopping patterns are not coordinated • A device participating in more than one piconet • At any instant of time, a device can participate only in one piconet • If the device participates as a slave, it just synchronize with the master’s hop sequence • The master for a piconet can join another piconet as a slave; in this case, all communication within in the former piconet will be suspended • When leaving a piconet, a slave notifies the master about its absence for certain amount of time • Communication between different piconets takes place by devices jumping back and forth between these nets
Frequency Selection • FH is used for interference mitigation and media access; TDD is used for separation of the transmission directions • In 3-slot or 5-slot packets, why frequency does not change? Why some frequencies are skipped? fk fk+1 fk+2 fk+3 fk+4 fk+5 fk+6 M S M S M S M fk fk+3 fk+4 fk+5 fk+6 M (3-slot packet) S M S M fk fk+1 fk+6 M S (5-slot packet) M
Physical Links • Synchronous connection-oriented link (SCO) • Reserve two consecutive slots at fixed intervals • Asynchronous connectionless Link (ACL) • Polling scheme – master polls each slave • Error recovery • ACK a packet in the slot following the packet • Negative ACK or timeout signals a retransmission
Benefits • Cable Replacement • Replace the cables for peripheral devices, USB 1.1 and 2.0, printers, etc • Ease of file sharing • Panel discussion, conference, etc. • Wireless synchronization • Synchronize personal information contained in the address books and date books between different devices such as PDAs, cell phones, etc. • Bridging of networks • Cell phone connects to the network through dial-up connection while connecting to a laptop with Bluetooth.
Security of Bluetooth • Security in Bluetooth is provided on the radio paths only • Link authentication and encryption may be provided • True end-to-end security relies on higher layer security solutions on top of Bluetooth • Bluetooth provides three security services • Authentication – identity verification of communicating devices • Confidentiality – against information compromise • Authorization – access right of resources/services • Fast FH together with link radio link power control provide protection from eavesdropping and malicious access • Fast FH makes it harder to lock the frequency • Power control forces the adversary to be in relatively close proximity
Security Modes A security manager controls access to services and to devices Needs a secret key Exchange Business Cards Security mode 2 does not provide any security until a channel has been established
Key Generation from PIN PIN: 1-16 bytes. PINs are fixed and may be permanently stored. Many users use the four digit 0000 Bluetooth Key Generation From PIN
Bluetooth Initialization Procedure (Pairing) • Creation of an initialization key • Creation of a link key • Authentication
Creation of an Initialization Key PIN and its length
Challenge-Response Based Claimant: intends to prove its identity, to be verified Verifier: validating the identity of another device Use challenge-response to verify whether the claimant knows the secret (link key) or not If fail, the claimant must wait for an interval to try a new attempt. The waiting time is increased exponentially to defend the “try-and-error” authentication attack Mutual authentication is supported The E1 authentication algorithm is based on SAFER+ Authentication 48-bit device address Challenge (128-bit) Response (32-bit)
Confidentiality Authenticated Cipher Offset
Confidentiality • ACO (Authenticated Cipher Offset) is 96-bit, generated during the authentication procedure • ACO and the link key are never transmitted • Encryption key Kc is generated from the current link key • Kc is 8-bit to 128-bit, negotiable between the master and the slave • Master suggests a key size • Set the “minimum acceptable” key size parameter to prevent a malicious user from driving the key size down to the minimum of 8 bits • The keystream is different for different packet since slot number is different
Three Encryption Modes for Confidentiality • Encryption Mode 1: -- No encryption is performed on any traffic • Encryption Mode 2: -- Broadcast traffic goes unprotected while unicast traffic is protected by the unique key • Encryption Mode 3: -- All traffic is encrypted
Trust Levels, Service Levels • Two trust levels: trusted and untrusted • Trusted devices have full access right • Untrusted devices have restricted service access
Bluetooth Security Architecture Summary • Step 1: User input (initialization or pairing) • Two devices need a common pin (1-16 bytes) • Step 2: Authentication key (128-bit link key) generation • Possibly permanent, generated based on the PIN, device address, random numbers, etc. • Step 3: Encryption key (128 bits, store temporarily) • Step 4: key stream generation for xor-ing the payload
Security Summary • The security of the whole system relies on the PIN, which may be too short • Users intend to use 4-digit short PINs, or even a null PIN • Utilized new cryptographic primitives, which have not gone through enough security analysis. • The E0 algorithm is designed specifically for Bluetooth • E0 has gone many security analysis. When used in Bluetooth mode, the security of E0 is decreased from 128-bit to 84-bit; when used outside of a Bluetooth system, its effective security is only 39-bit • Short range was a countermeasure to force the attackers to be in close proximity; now range extenders can be easily built • Attackers grow since information is more attractive • People use Bluetooth not only for personal information, but also for corporate information
Hacker Tools • Bluesnarfing: • Adam Laurie, Serious flaws in Bluetooth security lead to disclosure of personal data • http://www.thebunker.net/security/bluetooth.htm • Bluejacking • http://www.bluejackq.com/ • Redfang • http://www.securiteam.com/tools/5JP0I1FAAE.html
IN-Class Project • Given all cryptographic primitives (E0, E1, E21, E22) used in Bluetooth Pairing/Bonding and authentication process, can you design a procedure to crack the Bluetooth PIN? – Focus on short PIN now. • Hint: assume you have recorded all messages exchanged during the initialization procedure • You have 30 minutes for this project – no implementation, just figure out HOW!
Most important security weaknesses • Problems with E0 • PIN • Problems with E1 • Location privacy • Denial of service attacks
Problems with E0 • Many publications on this already! • Output (KC) = combination of 4 LFSRs (Linear Feedback Shift Register) • Key (KC) = 128 bits • Best attack: guess some registers -> 266 (memory and complexity)
PIN • Some devices use a fixed PIN (default=0000) • Security keys = security PIN !!!! • Possible to check guesses of PIN (SRES) -> brute force attack • Weak PINs (1234, 5555, …)
Problems with E1 • E1 = SAFER+ • Some security weaknesses (although not applicable to Bluetooth) • slow
Location privacy • Devices can be in discoverable mode • Every device has fixed hardware address • Addresses are sent in clear -> possible to track devices (and users)
Denial of service attacks • Radio jamming attacks • Buffer overflow attacks • Blocking of other devices • Battery exhaustion (e.g., sleep deprivation torture attack)
Other weaknesses • No integrity checks • No prevention of replay attacks • Man in the middle attacks • Sometimes: default = no security • …
Recommendations • Never use unit keys!!!! • Use long and sufficiently random PINs • Always make sure security is turned on • …
Interesting solutions • Replace E0 and E1 with AES • Use MACs to protect integrity • Pseudonyms • Identity based cryptography • Elliptic curves • Use MANA protocols instead of PIN • Use network layer security services (IPSEC) to provide end-to-end security
Conclusion • Bluetooth has quite a lot of security weaknesses! • Need for secure lightweight protocols • More research needed!!
And More.... • Zigbee, 802.15.4, and Bluethooth
What is ZigBee? • Technological Standard Created for Control and Sensor Networks • Based on the IEEE 802.15.4 Standard • Created by the ZigBee Alliance
The ZigBee Name • Named for erratic, zig-zagging patterns of bees between flowers • Symbolizes communication between nodes in a mesh network • Network components analogous to queen bee, drones, worker bees
IEEE 802.15.4 & ZigBee In Context Application Customer • “the software” • Network, Security & Application layers • Brand management IEEE 802.15.4 • “the hardware” • Physical & Media Access Control layers API Security 32- / 64- / 128-bit encryption ZigBee Alliance Network Star / Mesh / Cluster-Tree MAC IEEE 802.15.4 PHY 868MHz / 915MHz / 2.4GHz Stack Silicon App Source: http://www.zigbee.org/resources/documents/IWAS_presentation_Mar04_Designing_with_802154_and_zigbee.ppt
The 802 Wireless Space Source: http://www.zigbee.org/en/resources/
ZigBee and Other Wireless Technologies Source: http://www.zigbee.org/en/about/faq.asp
ZigBee Aims Low • Low data rate • Low power consumption • Small packet devices