Relay Attacks on Bluetooth Authentication and Solutions
We describe relay attacks on Bluetooth authentication protocol. The aim of these attacks is impersonation. The attacker does not need to guess or obtain a common secret known to both victims in order to set up these attacks, merely to relay the information it receives from one victim to the other during the authentication protocol run. Bluetooth authentication protocol allows such a relay if the victims do not hear each other. Such a setting is highly probable. We analyze the attacks for several scenarios and propose practical solutions. Moreover, we simulate attacks to make sure about their feasibility. These simulations show that current Bluetooth specifications do not have defensive mechanisms for relay attacks. However, relay attacks create a significant partial delay during the connection that might be useful for detection.
Unable to display preview. Download preview PDF.
- 1.Bluetooth SIG. Specification of the Bluetooth System – Bluetooth Core Specification, Vol. 0-3, Version 1.2 (2003), http://www.bluetooth.org
- 3.Vainio. J.T.: Bluetooth Security (2000), http://www.niksula.cs.hut.fi/~jiitv/bluesec.html
- 5.Welsh, E., Murphy, P., Frantz, P.: Improving Connection Times for Bluetooth Devices in Mobile Environments. In: International Conference on Fundamentals of Electronics, Communications and Computer Sciences (ICFS), Tokyo, Japan (2002)Google Scholar
- 6.Bray, J., Sturman, C.F.: Bluetooth: Connect Without Cables. Prentice-Hall, Englewood Cliffs (2000)Google Scholar
- 7.Bhagwat, P., Segall, A.: A Routing Vector Method (RVM) for Routing in Bluetooth Scatternets. In: IEEE International Workshop on Mobile Multimedia Communications, MoMuC 1999 (1999)Google Scholar
- 8.Wang, Z., Thomas, R.J., Haas, Z.: Bluenet - A New Scatternet Formation Scheme. In: 35th Annual Hawaii International Conference on System Sciences (2002)Google Scholar
- 9.Kapoor, R., Gerla, M.: A Zone Routing Protocol for Bluetooth scatternets. In: WCNC (2003)Google Scholar