Bluetooth Vulnerabilities
- Link keys based on unit keys are static and reused for every pairing.
- PINs can be too short.
- PIN management and randomness are lacking.
- The Just Works association model does not provide MITM protection during pairing, which results in an unauthenticated link key.
- Authentication attempts are repeatable.
- Device authentication is a simple shared-key challenge/response.
- End-to-end security is not performed.
Bluetooth Threats
- Bluesnarfing. Bluesnarfing enables attackers to gain access to a Bluetooth-enabled device by exploiting a firmware flaw in older (circa 2003) devices. This attack forces a connection to a Bluetooth device, allowing access to data stored on the device including the device’s international mobile equipment identity (IMEI). The IMEI is a unique identifier for each device that an attacker could potentially use to route all incoming calls from the user’s device to the attacker’s device.
- Bluejacking. Bluejacking is an attack conducted on Bluetooth-enabled mobile devices, such as cell phones. An attacker initiates bluejacking by sending unsolicited messages to the user of a Bluetooth-enabled device. The actual messages do not cause harm to the user’s device, but they may entice the user to respond in some fashion or add the new contact to the device’s address book. This message-sending attack resembles spam and phishing attacks conducted against email users. Bluejacking can cause harm when a user initiates a response to a bluejacking message sent with a harmful intent.
- Bluebugging. Bluebugging exploits a security flaw in the firmware of some older (circa 2004) Bluetooth devices to gain access to the device and its commands. This attack uses the commands of the device without informing the user, allowing the attacker to access data, place phone calls, eavesdrop on phone calls, send messages, and exploit other services or features offered by the device.
- Car Whisperer. Car Whisperer is a software tool developed by European security researchers that exploits the use of a standard (non-random) passkey in hands-free Bluetooth car kits installed in automobiles. The Car Whisperer software allows an attacker to send audio to or receive audio from the car kit. An attacker could transmit audio to the car’s speakers or receive audio (eavesdrop) from the microphone in the car.
- Denial of Service. Like other wireless technologies, Bluetooth is susceptible to DoS attacks. Impacts include making a device’s Bluetooth interface unusable and draining the device’s battery. These types of attacks are not significant and, because of the proximity required for Bluetooth use, can usually be easily averted by simply moving out of range.
- Fuzzing Attacks. Bluetooth fuzzing attacks consist of sending malformed or otherwise non-standard data to a device’s Bluetooth radio and observing how the device reacts. If a device’s operation is slowed or stopped by these attacks, a serious vulnerability potentially exists in the protocol stack.
- Pairing Eavesdropping. PIN/Legacy Pairing (Bluetooth 2.0 and earlier) and Low Energy Legacy Pairing are susceptible to eavesdropping attacks. The successful eavesdropper who collects all pairing frames can determine the secret key(s) given sufficient time, which allows trusted device impersonation and active/passive data decryption.
- Secure Simple Pairing Attacks. A number of techniques can force a remote device to use Just Works SSP and then exploit its lack of MITM protection (e.g., the attack device claims that it has no input/output capabilities). Further, fixed passkeys could allow an attacker to perform MITM attacks as well.
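The Just Works downgrade above (a peer claiming NoInputNoOutput) and the unauthenticated-link-key vulnerability in the first list both follow from how the IO capabilities exchanged at pairing time select the association model. The added example below is not from the original notes: it implements that selection following the LE pairing IO-capability rules (the BR/EDR SSP table differs slightly, treating KeyboardDisplay as DisplayYesNo) and applies a local policy that rejects any pairing whose key would be unauthenticated; function and parameter names are my own.

```python
# Added example: derive the association model from both sides' IO capabilities
# and refuse an unauthenticated (Just Works) key when local policy needs MITM
# protection. Follows the LE pairing rules; names here are assumptions.

CAPABILITIES = {"DisplayOnly", "DisplayYesNo", "KeyboardOnly",
                "NoInputNoOutput", "KeyboardDisplay"}
HAS_KEYBOARD = {"KeyboardOnly", "KeyboardDisplay"}
CAN_CONFIRM = {"DisplayYesNo", "KeyboardDisplay"}  # can show and confirm a value


def association_model(initiator, responder, mitm_required,
                      numeric_comparison_supported, oob_available):
    """Return the association model one pairing attempt will use.

    mitm_required: either side set the MITM flag in its authentication requirements.
    numeric_comparison_supported: True for BR/EDR SSP and LE Secure Connections;
        False for LE legacy pairing, which has no Numeric Comparison.
    oob_available: both sides hold out-of-band data.
    """
    for cap in (initiator, responder):
        if cap not in CAPABILITIES:
            raise ValueError(f"unknown IO capability: {cap}")
    if oob_available:
        return "Out of Band"
    if not mitm_required:
        return "Just Works"          # nobody asked for MITM protection
    if "NoInputNoOutput" in (initiator, responder):
        return "Just Works"          # a side with no IO cannot take part in any check
    if initiator in CAN_CONFIRM and responder in CAN_CONFIRM:
        return "Numeric Comparison" if numeric_comparison_supported else "Just Works"
    if initiator in HAS_KEYBOARD or responder in HAS_KEYBOARD:
        return "Passkey Entry"       # one side types what the other displays
    return "Just Works"              # two display-only devices cannot verify anything


def key_is_authenticated(model):
    """Only models with a user-verified step yield an authenticated link key."""
    return model in {"Numeric Comparison", "Passkey Entry", "Out of Band"}


def evaluate_pairing(local_cap, peer_cap, policy_requires_mitm,
                     numeric_comparison_supported=True, oob_available=False):
    """Return (model, authenticated, accepted) for an incoming pairing request.

    With policy_requires_mitm=True, a peer that advertises NoInputNoOutput to
    force Just Works is rejected rather than paired with an unauthenticated key.
    """
    model = association_model(local_cap, peer_cap, policy_requires_mitm,
                              numeric_comparison_supported, oob_available)
    authenticated = key_is_authenticated(model)
    return model, authenticated, authenticated or not policy_requires_mitm
```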
Recommended Tips for Bluetooth
- Use random PIN codes if possible.
- Turn Bluetooth power settings down so the range is limited to nearby devices.
- When in doubt, turn Bluetooth off if possible.