Security Weaknesses in Bluetooth
We point to three types of potential vulnerabilities in the Bluetooth standard, version 1.0B. The first vulnerability opens up the system to an attack in which an adversary under certain circumstances is able to determine the key exchanged by two victim devices, making eavesdropping and impersonation possible. This can be done either by exhaustively searching all possible PINs (but without interacting with the victim devices), or by mounting a so-called middle-person attack. We show that one part of the key exchange protocol — an exponential back-off method employed in case of incorrect PIN usage — adds no security, but in fact benefits an attacker. The second vulnerability makes possible an attack, which we call a location attack, in which an attacker is able to identify and determine the geographic location of victim devices. This, in turn, can be used for industrial espionage, blackmail, and other undesirable activities. The third vulnerability concerns the cipher. We show two attacks on the cipher, and one attack on the use of the cipher. The former two do not pose any practical threat, but the latter is serious. We conclude by exhibiting a range of methods that can be employed to strengthen the protocol and prevent the newly discovered attacks. Our suggested alterations are simple, and we expect that they can be implemented without major modifications.
Keywords: Application Layer, Stream Cipher, Location Attack, Security Weakness, Master Device