As discussed in my previous posting concerning Bluetooth security, Bluetooth devices normally have numerous built-in security mechanisms. But are these mechanisms sufficiently secure to repel most Bluetooth-specific attacks? The answer is that Bluetooth can defend against some attacks well, but does not fare very well when other types of attacks are launched against it.
One of the most potentially straightforward kinds of attacks is a cryptanalysis attack against the encrypted content that is transmitted between paired Bluetooth devices. Bluetooth uses the Eo encryption algorithm for safeguarding data in motion. Eo is a stream cipher, thereby making it potentially vulnerable to a variety of cryptanalysis methods developed against stream cipher algorithms. For example, it is possible to recover the initial value used in generating stream cipher keys by solving sets of non-linear equations over finite fields. If the sets of equations are next transformed into linear versions, the resulting number of linear independent equations becomes sufficiently small to solve for unknowns using brute force methods. However, Bluetooth’s encryption algorithm differs just enough from other stream cipher algorithms such that it is not vulnerable to these types of attacks.
The best method of breaking Eo encryption is using a known-plaintext attack in which a weakness in Eo synchronization is exploited. Synchronous stream ciphers require faultless synchronization between the sender and receiver. A resynchronization mechanism helps keep this synchronization working correctly. It is, however, possible to derive the original encryption key for Eo encryption by exploiting a resynchronization weakness by computing conditional correlations for the finite state machine that determines Eo’s keystream output. The good news is that although a known, successful cryptanalytic method against Eo encryption exists, the work effort involved is reasonably high to the point that casual attacks against Eo are currently not feasible.
Despite the amount of work effort needed to break Eo encryption, Bluetooth transmissions are nevertheless vulnerable to a variety of attacks, one of which is very straightforward. Bluetooth authentication is based on connection nodes that share the same encryption key, not on the individual identity of users. Anyone who gains physical access to a Bluetooth device can thus pair that device with the device of a user whom the owner of the first device trusts, resulting in ability to read the content of transmissions.
Another attack targets Bluetooth challenge-response protocol, which is based on an algorithm called E1. E1 is in turn based on a block cipher called SAFER+. A flaw in SAFER+ key scheduling allows the number of potential keys to be reduced, thereby making a making a brute force attack against the remaining keyspace feasible.
Because Bluetooth authentication is not based on user identities, Bluetooth is also vulnerable to man-in-the-middle attacks that are relatively easy to perpetrate. The perpetrator must first get a copy of the link key used between two paired Bluetooth devices. Once the perpetrator has this key, s/he can set up a link with one of these devices by impersonating the identity of the other. The device with which a link has been created will behave as if it is linked to the device for which the identity has been impersonated.
The attacks I have described so far may seem a bit complicated. If so, it might be good to know that any user of a Bluetooth device can rather easily turn off security on that device. Additionally, some Bluetooth devices come out-of-the-box with no security whatsoever enabled.
In my next blog entry I’ll describe other Bluetooth attacks and the types of tools that can be used to perpetrate them.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.