Bluetooth Threat Taxonomy

Bluetooth Threat Taxonomy

Bluetooth Threat Taxonomy John P. Dunning Thesis submitted to the Faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Applications James D. Arthur , Chair Randolph Carlos Marchany Danfeng Yao October 8, 2010 Blacksburg, Virginia Keywords: Bluetooth, Security, Taxonomy, Intrusion Detection, Exploit Copyright 2010, John P. Dunning Bluetooth Threat Taxonomy by John P. Dunning ABSTRACT Since its release in 1999, Bluetooth has become a commonly used technology available on billions of devices through the world. Bluetooth is a wireless technology used for information transfer by devices such as Smartphones, headsets, keyboard/mice, laptops/desktops, video game systems, automobiles, printers, heart monitors, and surveillance cameras. Dozens of threats have been developed by researchers and hackers which targets these Bluetooth enabled devices. The work in this thesis provides insight into past and current Bluetooth threats along with methods of threat mitigation. The main focus of this thesis is the Bluetooth Threat Taxonomy (BTT); it is designed for classifying threats against Bluetooth enabled technology. The BTT incorporates nine distinct classifications to categorize Bluetooth attack tools and methods and a discussion on 42 threats. In addition, several new threats developed by the author will be discussed. This research also provides means to secure Bluetooth enabled devices. The Bluetooth Attack Detection Engine (BLADE) is as a host-based Intrusion Detection System (IDS) presented to detect threats targeted toward a host system. Finally, a threat mitigation schema is provided to act as a guideline for securing Bluetooth enabled devices. ACKNOWLEDGMENTS First, I would like to thank my family and friends for all their love and support. Their constant motivation encourages me in life and pushes me to achieve my goals. I wish to convey my utmost gratitude to Randy Marchany for his guidance in my research and his years of mentoring. In the same way I wish to extend my gratitude to Col. Tim Buennemeyer for his encouragement in my graduate studies and getting me started through undergraduate research. I would like to thank the Virginia Tech IT Security Office for providing the resources for my research. This environment facilitated the collaboration which made my research possible. I greatly appreciate all my fellow researchers. Specifically, I would like to thank Lee Clagette and Mike Gora for their collaboration in our undergraduate research under the guidance of Col. Tim Buennemeyer. I further wish to thank Ben Moyers for allowing me to collaborate in his graduate research. I also wish to thank my committee for shaping my thesis research. Finally, I want to extend my gratitude to the Open Source and ethical hacking commu- nities. Without the research conducted by the ethical hacking community and the work put into development of Open Source software this thesis would not be possible. iii Contents 1 Introduction 1 1.1 Motivation . .2 1.2 Significant Contributions . .2 1.3 Thesis Organization . .3 2 Background 4 2.1 Bluetooth . .4 2.1.1 Specification . .4 2.1.2 Stack Protocol Architecture . .7 2.1.3 Transmission Range . .8 2.1.4 Piconet . .8 2.1.5 Device Profile . 10 2.2 Bluetooth Security . 13 2.2.1 Discoverable & Connectable Modes . 13 2.2.2 Adaptive Frequency Hopping . 13 2.2.3 Security Modes . 14 2.2.4 Connection Authentication . 16 2.2.5 Key Generation . 17 2.2.6 Encryption . 19 3 Bluetooth Threat Taxonomy 20 3.0.7 Lab Setup . 22 iv 3.1 Obfuscation . 24 3.1.1 HCIConfig (Device Name) . 24 3.1.2 HCIConfig / BTClass (Class of Device) . 25 3.1.3 Bdaddr (Device Address) . 27 3.1.4 SpoofTooph . 28 3.2 Surveillance . 28 3.2.1 HCITool (Device Discovery) . 29 3.2.2 Sdptool (Service Discovery) . 30 3.2.3 BlueScanner . 33 3.2.4 RedFang . 34 3.2.5 Bt Audit . 36 3.2.6 Blueprinting . 36 3.2.7 WarNibbling . 37 3.2.8 Bluefish . 37 3.2.9 BNAP BNAP / BlueProPro . 38 3.3 Extended Range . 38 3.3.1 BlueSniping / Bluetooone . 39 3.4 Sniffing . 40 3.4.1 Merlin / FT4USB (External Based) . 40 3.4.2 BlueSniff (Frequency Based) . 40 3.4.3 HCIDump (Host Based) . 41 3.5 Man-In-The-Middle . 43 3.5.1 Bthidproxy . 43 3.6 Unauthorized Direct Data Access . 43 3.6.1 Bluebugger . 44 3.6.2 Bluesnarf / Blooover . 44 3.6.3 BTCrack / Btpincrack . 45 3.6.4 Car Whisperer . 47 v 3.6.5 HID Attack . 47 3.6.6 HeloMoto . 49 3.6.7 Btaptap . 49 3.7 Denial of Service . 49 3.7.1 Signal Jamming . 50 3.7.2 L2Ping Flood . 50 3.7.3 BlueSmack / Tanya . 51 3.7.4 BlueJacking / BlueSpam / Smurf . 53 3.7.5 vCardBlaster . 54 3.7.6 Blueper . 54 3.7.7 BlueSYN / Pingblender (Multi-Vector DoS) . 54 3.7.8 Battery Exhaustion . 56 3.8 Malware . 56 3.8.1 BlueBag . 57 3.8.2 Caribe . 58 3.8.3 CommWarrior . 59 3.8.4 Skuller . 59 3.9 Fuzzer . 59 3.9.1 Bluetooth Stack Smasher / BluePAss . 60 3.9.2 BlueStab . 61 3.9.3 HCIDump Crash . 62 3.9.4 L2CAP Header Overflow . 62 3.9.5 Nokia N70 L2CAP DoS . 62 3.9.6 Sonyericson Reset Display . 62 4 Threat Research 63 4.1 SpoofTooph . 63 4.1.1 Device Profile Modification . 65 4.1.2 Credential Spoofing . 65 vi 4.1.3 MITM . 66 4.1.4 Usage . 66 4.2 Bluetooth Profiling Project . 66 4.2.1 Profiling Device Address . 68 4.2.2 Profiling Device Name . 70 4.2.3 Profiling Class of Device . 71 4.2.4 Bluetooth Device Profile Fingerprint . 72 4.3 Blueper . 75 4.3.1 System Alert Flood . 75 4.3.2 Bluetooth OBEX Disk Cache DoS . 76 4.3.3 Bluetooth OBEX Disk Overwrite . 77 4.3.4 Battery Exhaustion . 78 4.3.5 Blueper Usage . 78 4.4 vCardBlaster . 79 4.4.1 Multi-Target Bluejacking . 80 4.4.2 Bluetooth vCard Contact List DoS . 80 4.4.3 vCardBlaster Usage . 81 5 Bluetooth Attack Detection Engine 82 5.1 Intrusion Detection . 82 5.1.1 Intrusion Detection System . 83 5.2 Related Research . 83 5.3 Signature Development . 84 5.4 Threat Signatures . ..

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    182 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us