
Bluebag

Seminar 2011

ABSTRACT

Current Bluetooth worms pose relatively little danger compared to Internet scanning worms, but things might change soon. The authors' BlueBag project shows targeted attacks through Bluetooth malware using proof-of-concept code and devices that demonstrate their feasibility. Basically, it is a Bluetooth-sniffing computer hidden in a suitcase that was rolled through train stations, a shopping center, and even a computer security conference show floor this year to see how many Bluetooth-enabled devices attackers could potentially infect with a worm or a virus. The purpose of BlueBag is to gather data on the prevalence of insecure devices, to understand how susceptible people are to simple social engineering attacks, and to demonstrate the feasibility of attacks in secured areas. The need to mount any type of attack without being noticed led the authors to create a covert attack and scanning device, which they later came to call the BlueBag.

Dept. Of Computer Science & Engg.

IESCE, Chittilappilly


INTRODUCTION
Mobile computing is quickly gaining ground in our daily experience; for this reason it is very important to understand the potential risks linked with all types of wireless devices. Bluetooth has become the pervasive technology supporting wireless communication in various contexts of everyday life. It is basically the new alternative to infrared and is based on a short-wave radio technology able to transmit data across physical obstacles such as walls or other objects. At present, the greatest level of diffusion is witnessed in so-called smart phones, the latest generation of cellular phones: devices that, on top of offering all the functions of cutting-edge telephone technology, enclose functions and applications typical of palm pilots, managed by an operating system such as Symbian or Microsoft Windows Mobile. The Bluetooth group has been working hard to show hardware firms and users the technology's versatility. Finding and connecting to other Bluetooth-using devices was sometimes difficult; future versions of the Bluetooth software will hide this complexity and let devices negotiate a radio link without the need to set up pairing codes. The cellular phone in fact represents a precious source of personal data with its phonebook, messages, agenda and much more. Wireless networks pose a threat to the security of anyone using them, security experts warn. Many organizations and individuals are turning to wireless networks because they are easy to set up and make it much easier to rearrange offices or computer equipment. The cost of this convenience can be a significant drop in security, particularly now that tools are available to let people spot and penetrate these wireless networks. Smart phones are now very similar to personal computers; because of this, they are at the same time more vulnerable, more useful and more attractive for a potential attack.
This increased vulnerability is due to the presence of a system of evolved connectivity applications that expose the telephone and the data it contains to a series of risks deriving from activities such as sending e-mail, the transfer of data through the Internet, the exchange of MMS and WAP messages and the use of accessories.

viral epidemic, using well-known attacks that are constantly evolving. Specifically, communications that take place through Bluetooth connections become potential vehicles for viruses and the target of attacks that can extract information from the smart phone. Mobile phones are more vulnerable than PCs because a computer typically has a single entry port, whereas a phone has many: GSM, GPRS, Bluetooth, IR and so on. The immediate need for Bluetooth came from the desire to connect peripherals and devices without cables. The available technology, IrDA OBEX (IR Data Association Object Exchange Protocol), is based on IR links, which are limited to line-of-sight connections. Bluetooth integration is further fueled by the demand for mobile and wireless access to LANs, the Internet over mobile and other existing networks, where the backbone is wired but the interface is free to move. This not only makes the network easier to use but also extends its reach. The advantages and rapid proliferation of LANs suggest that setting up personal area networks, that is, connections among devices in the proximity of the user, will have many beneficial uses. Bluetooth could also be used in home networking applications. With increasing numbers of homes having multiple PCs, the need for networks that are simple to install and maintain is growing. There is also the commercial need to provide "information push" capabilities, which is important for handheld and other such mobile devices, and this has been partially incorporated in Bluetooth. Bluetooth's main strength is its ability to simultaneously handle both data and voice transmissions, allowing such innovative solutions as a mobile hands-free headset for voice calls, print-to-fax capability, and automatic synchronization of PDA, laptop, and cell phone address book applications.


CHAPTER 2

BASICS

Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The objective of the Bluetooth protocol is in fact to unify different wireless data transmission technologies among mobile and static electronic devices. The key features of Bluetooth technology are robustness, low power, and low cost. Bluetooth technology has achieved global acceptance such that any Bluetooth enabled device, almost everywhere in the world, can connect to other Bluetooth enabled devices in proximity. A fundamental Bluetooth wireless technology strength is the ability to simultaneously handle both data and voice transmissions. Bluetooth is the term used to describe the protocol of a short range frequency-hopping radio link between devices. These devices are then termed Bluetooth-enabled. Bluetooth technology operates in the unlicensed industrial, scientific and medical (ISM) band at 2.4 to 2.485 GHz, using a spread spectrum, frequency hopping, full-duplex signal at a nominal rate of 1600 hops/sec. The 2.4 GHz ISM band is available and unlicensed in most countries. Bluetooth technology's adaptive frequency hopping (AFH) capability was designed to reduce interference between wireless technologies sharing the 2.4 GHz spectrum. The signal hops among 79 frequencies at 1 MHz intervals to give a high degree of interference immunity. AFH works within the spectrum to take advantage of the available frequencies. This is done by detecting other devices in the spectrum and avoiding the frequencies they are using. This adaptive hopping allows for more efficient transmission within the spectrum, providing users with greater performance even when using other technologies alongside Bluetooth technology.
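The following Python model is an added illustration of the adaptive frequency hopping described above; it is not code from the seminar report or from any Bluetooth stack. It keeps the facts the text states (79 channels at 1 MHz spacing, 1600 hops per second, a hop sequence derived from the master's clock and address, interfered channels avoided) and replaces the specification's hop selection kernel with a keyed hash, which is an assumption made only to keep the example short. The minimum of 20 channels that AFH must keep in use comes from the Bluetooth Core Specification; the Wi-Fi overlap and the master address are constructed sample values.

```python
"""Simplified model of Bluetooth BR/EDR adaptive frequency hopping (AFH).

Added teaching example, not the spec's hop selection kernel: the hop for a
given clock tick is a keyed hash of (master BD_ADDR, clock), and channels
marked bad in the channel map are remapped onto the remaining good ones.
"""
import hashlib

NUM_CHANNELS = 79          # BR/EDR channels 0..78
BASE_FREQ_MHZ = 2402       # channel k sits at 2402 + k MHz
MIN_USED_CHANNELS = 20     # AFH must leave at least 20 channels in use


def channel_to_mhz(channel: int) -> int:
    """Centre frequency of a BR/EDR channel index."""
    if not 0 <= channel < NUM_CHANNELS:
        raise ValueError("channel out of range")
    return BASE_FREQ_MHZ + channel


def basic_hop(master_addr: int, clock: int) -> int:
    """Pseudo-random channel for one clock tick, keyed by the master's
    48-bit BD_ADDR (stand-in for the spec's hop selection kernel)."""
    seed = master_addr.to_bytes(6, "big") + clock.to_bytes(4, "big")
    digest = hashlib.sha256(seed).digest()
    return int.from_bytes(digest[:2], "big") % NUM_CHANNELS


def build_channel_map(bad_channels) -> list:
    """Boolean map per channel: True = in use, False = excluded by AFH."""
    bad = set(bad_channels)
    used = [c not in bad for c in range(NUM_CHANNELS)]
    if sum(used) < MIN_USED_CHANNELS:
        raise ValueError("AFH must keep at least %d channels" % MIN_USED_CHANNELS)
    return used


def afh_hop(master_addr: int, clock: int, channel_map: list) -> int:
    """Apply the channel map: a hop that lands on an excluded channel is
    remapped onto the set of used channels (index modulo their number)."""
    raw = basic_hop(master_addr, clock)
    if channel_map[raw]:
        return raw
    used = [c for c, ok in enumerate(channel_map) if ok]
    return used[raw % len(used)]


def hop_sequence(master_addr: int, start_clock: int, n: int, channel_map=None) -> list:
    """n consecutive hops starting at start_clock; no map means all 79 channels."""
    if channel_map is None:
        channel_map = [True] * NUM_CHANNELS
    return [afh_hop(master_addr, start_clock + i, channel_map) for i in range(n)]


if __name__ == "__main__":
    # Constructed scenario: a Wi-Fi network on 2.4 GHz channel 1 occupies
    # roughly 2401-2423 MHz, i.e. Bluetooth channels 0..21.
    wifi_busy = range(0, 22)
    cmap = build_channel_map(wifi_busy)
    master = 0x001122334455  # constructed master BD_ADDR
    one_second = hop_sequence(master, 0, 1600, cmap)  # 1600 hops/s
    print("hops that landed inside the Wi-Fi band:",
          sum(1 for c in one_second if c < 22))
    print("first ten hops (MHz):", [channel_to_mhz(c) for c in one_second[:10]])
```

With the map applied, none of the 1600 hops in a second fall on the excluded channels, which is the interference-avoidance effect the text describes; without a map the same master and clock produce hops across all 79 channels.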


CHAPTER 3

ARCHITECTURE

The Bluetooth specification was developed in 1994 by Jaap Haartsen and Sven Mattisson, who were working for Ericsson Mobile Platforms in Lund, Sweden. The specification is based on frequency-hopping spread spectrum technology. The specifications were formalized by the Bluetooth Special Interest Group (SIG), which was established by Ericsson, IBM, Intel, Toshiba, and Nokia. Standard or Basic Rate transmission uses the Gaussian Frequency Shift Keying (GFSK) method, while EDR uses a combination of GFSK and Phase Shift Keying (PSK). Bluetooth protocols simplify the discovery and setup of services between devices. The Bluetooth core system consists of an RF transceiver, baseband, and protocol stack. The Bluetooth controller is a sub-system containing the Bluetooth RF, baseband, resource controller, link manager, device manager and a Bluetooth HCI.

3.1 PICONETS
Bluetooth enabled electronic devices connect and communicate wirelessly through short-range, ad-hoc networks known as piconets. Each device can also belong to several piconets simultaneously. The low range and low power of Bluetooth were intended for devices within a few meters of each other to swap information. An ad-hoc network is typically created in a spontaneous manner; it requires no formal infrastructure and is limited in temporal and spatial extent. A piconet is an ad-hoc computer network, using Bluetooth technology protocols, that allows one master device to interconnect with up to seven active devices. The Bluetooth specification allows connecting two or more piconets together to form a scatternet, with some devices acting as a bridge by simultaneously playing the master role in one piconet and the slave role in another. Piconets are established dynamically and automatically as Bluetooth enabled devices enter and leave radio proximity. A piconet consists of two or more devices that occupy the same physical channel. The common clock is identical to the Bluetooth clock of one of the devices in the piconet, known as the master of the piconet, and the hopping sequence is derived from the master clock and the master Bluetooth device address.

All other synchronized devices are referred to as slaves in the piconet. The terms master and slave are only used when describing these roles in a piconet. Within a common location a number of independent piconets may exist. Each piconet has a different physical channel.

A Bluetooth enabled device may participate concurrently in two or more piconets. It does this on a time-division multiplexing basis. A Bluetooth enabled device can never be the master of more than one piconet. Any Bluetooth device can host any other Bluetooth device. This makes using services easier because there is no longer a need to set up network addresses or permissions as in many other networks. When an individual connects different Bluetooth devices together, he creates around himself a so-called PAN (personal area network), a small network with the possibility to exchange data and information as usually occurs with a regular company LAN.

3.2 CLASSIFICATION

With regard to power, Bluetooth devices can be grouped in grades, each corresponding to a different reach:

Grade 1 - able to communicate with Bluetooth devices in a 100 m range.
Grade 2 - able to communicate with Bluetooth devices up to a 10 m range.
Grade 3 - able to communicate with Bluetooth devices within a 1 m range.

Class      Maximum permitted power
Grade 1    100 mW (20 dBm)
Grade 2    2.5 mW (4 dBm)
Grade 3    1 mW (0 dBm)

Table 1. The various classes of Bluetooth devices and their maximum power.

Version                        Data rate
Version 1.2                    1 Mbit/s
Version 2.0 + EDR              3 Mbit/s
WiMedia Alliance (proposed)    53 - 480 Mbit/s

Table 2. Data rates of various Bluetooth versions.
Documentation on Bluetooth is split into two sections, the Bluetooth Specification and Bluetooth Profiles.


The Specification describes how the technology works (the Bluetooth protocol architecture).

The Profiles describe how the technology is used (how different parts of the specification can be used to fulfill a desired function for a Bluetooth device).

3.3 CORE SYSTEM ARCHITECTURE

The Bluetooth core system covers the four lowest layers and associated protocols defined by the Bluetooth specification, as well as one common service layer protocol, the Service Discovery Protocol (SDP); the overall profile requirements are specified in the Generic Access Profile (GAP). A complete Bluetooth application requires a number of additional services and higher layer protocols that are defined in the Bluetooth specification. The lowest three layers are sometimes grouped into a subsystem known as the Bluetooth controller. This is a common implementation involving a standard physical communications interface between the Bluetooth controller and the remainder of the Bluetooth system, including L2CAP, the service layers and the higher layers (known as the Bluetooth host). Although this interface is optional, the architecture is designed to allow for its existence and characteristics. The Bluetooth specification enables interoperability between independent Bluetooth enabled systems by defining the protocol messages exchanged between equivalent layers, and also interoperability between independent Bluetooth sub-systems by defining a common interface between Bluetooth controllers and Bluetooth hosts.


Figure 2. Core System Architecture

3.4 BLUETOOTH PROTOCOL STACK


Figure 3. Bluetooth Protocol Stack

The Bluetooth Specification allows for developing interactive services and applications over interoperable radio modules and data communication protocols. The ultimate objective of the Specification is to allow applications written in a manner that is conformant to the Specification to interoperate with each other. To achieve this interoperability, matching applications in remote devices must run over identical protocol stacks. Each one of these different protocol stacks uses a common Bluetooth data link and physical layer.
Protocol layer                 Protocols in the stack
Bluetooth Core Protocols       Baseband [1], LMP [2], L2CAP [3], SDP [4]
Cable Replacement Protocol     RFCOMM [5]
Telephony Control Protocols    TCS Binary [6], AT-commands [7], [8], [9]
Adopted Protocols              PPP [10], UDP/TCP/IP [10], OBEX [11], WAP [12], vCard [13], vCal [14], IrMC [15], WAE [16]

Table 3. The protocols and layers in the Bluetooth protocol stack.

3.5 BLUETOOTH CORE PROTOCOLS

Baseband - Baseband protocol forms the lowest layer in Bluetooth architecture. It is responsible for the functionality contained in the physical layer of the OSI/ISO model, but also performs some tasks from higher layers. Its main tasks are synchronization, transmission of the information, error correction, logical channels division and data whitening. Bluetooth supports both synchronous and asynchronous channels.
Figure 4. Standard Basic Rate packet format (fields: access code, header, payload)

Figure 5. Standard Enhanced Data Rate packet format

Link Manager Protocol (LMP) - The link manager protocol is responsible for link set-up between Bluetooth devices. This includes security aspects like authentication and encryption, by generating, exchanging and checking link and encryption keys, and the control and negotiation of baseband packet sizes. Furthermore, it controls the power modes and duty cycles of the Bluetooth radio device, and the connection states of a Bluetooth unit in a piconet.

Service Discovery Protocol (SDP) - Discovery services are crucial part of the Bluetooth framework. These services provide the basis for all the usage models. Using SDP, device information, services and the characteristics of the services can be queried and after that, a connection between two or more Bluetooth devices can be established. SDP is defined in the Service Discovery Protocol specification.

Logical Link Control and Adaptation Protocol (L2CAP) - The Bluetooth logical link control and adaptation protocol adapts upper layer protocols over the baseband. It can be thought of as working in parallel with LMP, the difference being that L2CAP provides services to the upper layer, whereas payload data is never sent in LMP messages. L2CAP provides connection-oriented and connectionless data services to the upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. Although the Baseband protocol provides the SCO and ACL link types, L2CAP is defined only for ACL links, and no support for SCO links is specified in Bluetooth Specification 1.0. The figure below illustrates the use of the channel identifier (CID) in a communication between corresponding peer L2CAP entities in separate devices.

Figure 6. Bluetooth Core Protocol

3.6 CABLE REPLACEMENT PROTOCOLS


RFCOMM - RFCOMM is a serial line emulation protocol based on the ETSI 07.10 specification. This "cable replacement" protocol emulates RS-232 control and data signals over the Bluetooth baseband, providing transport capabilities for upper level services that use a serial line as their transport mechanism. The figure below illustrates point-to-point signaling to establish a voice or data call in a single-point configuration. First, the other device is notified of the call request using the point-to-point signaling channel (A). Next, this signaling channel is used to further establish the speech or data channel (B).

Figure 7. Signalling in a single point configuration


Figure 8.Point-to-point signalling in a single point configuration

3.8 BLUETOOTH PROFILES

The Generic Object Exchange profile defines the protocols and procedures that shall be used by the applications providing the usage models which need the object exchange capabilities. The usage model can be, for example, the Synchronization, File Transfer, or Object Push model.

The most common devices using these usage models are notebook PCs, PDAs, smart phones, and mobile phones. The Bluetooth profile structure and the dependencies of the profiles are depicted below. A profile is dependent upon another profile if it re-uses parts of that profile, by implicitly or explicitly referencing it. Dependency is illustrated in the figure: a profile has dependencies on the profile(s) in which it is contained, directly and indirectly. For example, the Object Push profile is dependent on the Generic Object Exchange, Serial Port, and Generic Access profiles.

Figure 9. Bluetooth Profiles

CHAPTER 4
OPERATION

Bluetooth networking transmits data via low-power radio waves. Up to 255 further devices can be inactive, or parked, which the master device can bring into active status at any time. At any given time, data can be transferred between the master and one other device; however, the devices can switch roles and the slave can become the master at any time. The master switches rapidly from one device to another in a round-robin fashion. The Bluetooth Device Address is a 48-bit address used to identify each Bluetooth enabled device. Often this is referred to in technical specifications as BD_ADDR. Ensuring that Bluetooth and other devices don't interfere with one another has been a crucial part of the design process. One of the ways Bluetooth devices avoid interfering with other systems is by sending out very weak signals of about 1 milliwatt. By comparison, the most powerful cell phones can transmit a signal of 3 watts. The low power limits the range of a Bluetooth device to about 10 meters, cutting the chances of interference between your computer system and your portable telephone or television. Bluetooth uses a technique called spread-spectrum frequency hopping that makes it rare for more than one device to be transmitting on the same frequency at the same time. This same technique minimizes the risk that portable devices will disrupt Bluetooth devices, since any interference on a particular frequency will last only a tiny fraction of a second. When Bluetooth-capable devices come within range of one another, an electronic conversation takes place to determine whether they have data to share or whether one needs to control the other. Any Bluetooth device will transmit the following information on demand:

- Device name.
- Device class.
- List of services.
- Technical information, for example, device features, manufacturer, Bluetooth specification used, clock offset.

Pairs of devices may establish a trusted relationship by learning a shared secret known as a passkey. A device that wants to communicate only with a trusted device can cryptographically authenticate the identity of the other device. Trusted devices may also encrypt the data that they exchange over the airwaves so that no one can listen in. The encryption can be turned off, and passkeys are stored on the device file system. Since the Bluetooth address is permanent, a pairing is preserved even if the Bluetooth name is changed. Pairs can be deleted at any time by either device. Devices generally require pairing or prompt the owner before they allow a remote device to use any or most of their services. Some devices, such as mobile phones, usually accept OBEX business cards and notes without any pairing or prompts. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 Kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate (EDR) and reach 2.1 Mbit/s. The steps involved in trusted Bluetooth pairing are:
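Two of the items a device hands out on demand, its 48-bit BD_ADDR and its device class, have fixed layouts worth seeing decoded. The Python below is an added example, not code from the report: the address split into NAP/UAP/LAP and the 24-bit Class of Device layout (format type 0, minor class in bits 2-7, major class in bits 8-12, service class flags in bits 13-23) follow the Bluetooth Core Specification and Assigned Numbers, while the sample address and the CoD value 0x5A020C are constructed inputs. Decoding the CoD is what lets an inquiry tell a phone from a headset before any connection is made, which is also why a device in non-discoverable mode gives a scanner nothing to classify.

```python
"""Decode the identity fields a Bluetooth device reveals on inquiry.

Added example (not from the seminar report). Layouts follow the Bluetooth
Core Specification / Assigned Numbers; sample values are constructed.
"""
from dataclasses import dataclass

MAJOR_DEVICE_CLASS = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network Access Point",
    4: "Audio/Video", 5: "Peripheral", 6: "Imaging", 7: "Wearable",
    8: "Toy", 9: "Health", 31: "Uncategorized",
}
# Major service class flags: bit index within the 24-bit CoD -> meaning
SERVICE_CLASS_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}
# Minor device classes for the Phone major class only
PHONE_MINOR = {1: "Cellular", 2: "Cordless", 3: "Smartphone",
               4: "Wired modem or voice gateway", 5: "Common ISDN access"}


@dataclass
class BdAddr:
    nap: int  # Non-significant Address Part, upper 16 bits
    uap: int  # Upper Address Part, 8 bits
    lap: int  # Lower Address Part, 24 bits (used to build the access code)

    @property
    def oui(self) -> str:
        """NAP+UAP together form the IEEE OUI, i.e. the manufacturer prefix."""
        return "%04X%02X" % (self.nap, self.uap)


def parse_bd_addr(text: str) -> BdAddr:
    """Parse 'AA:BB:CC:DD:EE:FF' written most significant byte first."""
    parts = text.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError("malformed BD_ADDR: %r" % text)
    value = int("".join(parts), 16)
    return BdAddr(nap=value >> 32, uap=(value >> 24) & 0xFF, lap=value & 0xFFFFFF)


def decode_cod(cod: int) -> dict:
    """Split a Class of Device value into major/minor class and service flags."""
    if not 0 <= cod <= 0xFFFFFF:
        raise ValueError("CoD is a 24-bit value")
    if cod & 0x3 != 0:
        raise ValueError("unknown CoD format type %d" % (cod & 0x3))
    minor = (cod >> 2) & 0x3F
    major = (cod >> 8) & 0x1F
    services = sorted(name for bit, name in SERVICE_CLASS_BITS.items() if (cod >> bit) & 1)
    major_name = MAJOR_DEVICE_CLASS.get(major, "Reserved (%d)" % major)
    if major == 2:
        minor_name = PHONE_MINOR.get(minor, "minor %d" % minor)
    else:
        minor_name = "minor %d" % minor
    return {"major": major_name, "minor": minor_name, "services": services}


if __name__ == "__main__":
    # Constructed inquiry result: a handset advertising CoD 0x5A020C
    addr = parse_bd_addr("00:11:22:33:44:55")
    print("OUI:", addr.oui, "LAP:", hex(addr.lap))
    print(decode_cod(0x5A020C))
```

For 0x5A020C the decoder reports a Phone / Smartphone offering Capturing, Networking, Object Transfer and Telephony, which is the profile of device the attacks in Chapter 5 are aimed at.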


- Charge the devices.
- Power up the devices.
- Turn the Bluetooth functionality on.
- Make the devices visible.
- Place both devices in connection mode.
- Enter the passcode.
- Deleting or disconnecting trusted devices.

CHAPTER 5

SECURITY ISSUES

Bluetooth implements confidentiality, authentication and key derivation with custom algorithms. In Bluetooth, key generation is generally based on a Bluetooth PIN, which must be entered into both devices. This procedure might be modified if one of the devices has a fixed PIN. During pairing, an initialization key or master key is generated. A stream cipher is used for encrypting packets, granting confidentiality; it is based on a shared cryptographic secret, namely a previously generated link key or master key. Bluetooth offers several security modes, and device manufacturers determine which mode to include in a Bluetooth-enabled gadget. The Bluetooth specification includes security features at the link level. These features are based on a secret link key that is shared by a pair of devices. To generate this key, a pairing procedure is used when the two devices communicate for the first time. Service level security and device level security work together to protect Bluetooth devices from unauthorized data transmission.

Trusted Device: Device with fixed relationship that is trusted and has unrestricted access to all services.

Untrusted Device: Device with no permanent fixed relationship, or a device that has a fixed relationship but is not considered trusted. Access to services is restricted.

Security methods include authorization and identification procedures that limit the use of Bluetooth services to the registered user. As long as these measures are enabled on the user's phone or other device, unauthorized access is unlikely. A user can also simply switch his Bluetooth mode to "non-discoverable" and avoid connecting with other Bluetooth devices entirely. Cell-phone virus writers have taken advantage of Bluetooth's automated connection process to send out infected files. When the virus arrives in the user's cell phone, the user has to agree to open it and then agree to install it. Security can be defined by four fundamental elements: availability, access, integrity, and confidentiality. A security architecture defines the protocols and functionality required to implement the four elements of security within a specific application category. The rules that determine the access rights to different resources on the devices are called the access policy. There are three modes of security for Bluetooth access between two devices:

Security Mode 1: non-secure (Public)
Security Mode 2: service level enforced security (Private)
Security Mode 3: link level enforced security (Silent)
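The three security modes and the trusted/untrusted distinction above amount to an access policy, and writing that policy down makes the difference between them concrete. The Python below is an added example, not code from the report or from any Bluetooth stack: mode 1 enforces nothing, mode 3 has the link manager refuse any unauthenticated link before a service is even named, and mode 2 checks authentication, encryption and authorization per service after the L2CAP channel exists, so an open service such as business-card push stays reachable to strangers while a phonebook service does not. The service catalogue, its requirements and the device records are constructed; whether mode 3 also demands encryption is left as a parameter, since the text says encryption can be turned off.

```python
"""Access-policy evaluation for Bluetooth security modes 1, 2 and 3.

Added example (not from the seminar report). Service requirements and
device states below are constructed to show how each mode decides.
"""
from dataclasses import dataclass


@dataclass
class Device:
    addr: str
    trusted: bool = False        # paired and marked trusted by the user
    authenticated: bool = False  # link key verified on this link
    encrypted: bool = False      # link-level encryption active


@dataclass
class ServicePolicy:
    name: str
    require_authentication: bool = False
    require_authorization: bool = False  # trusted devices only
    require_encryption: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(mode: int, device: Device, service: ServicePolicy,
             mode3_require_encryption: bool = True) -> Decision:
    """Decide whether `device` may use `service` under the given security mode."""
    if mode == 1:
        # Non-secure: the device never initiates any security procedure.
        return Decision(True, "mode 1: no security enforced")
    if mode == 3:
        # Link-level: enforced by the link manager before any channel exists,
        # regardless of which service is being asked for.
        if not device.authenticated:
            return Decision(False, "mode 3: link not authenticated")
        if mode3_require_encryption and not device.encrypted:
            return Decision(False, "mode 3: link not encrypted")
        return Decision(True, "mode 3: authenticated link")
    if mode == 2:
        # Service-level: checked per service once the L2CAP channel is up,
        # so services with no requirements stay open.
        if service.require_authentication and not device.authenticated:
            return Decision(False, "mode 2: %s requires authentication" % service.name)
        if service.require_encryption and not device.encrypted:
            return Decision(False, "mode 2: %s requires encryption" % service.name)
        if service.require_authorization and not device.trusted:
            return Decision(False, "mode 2: %s requires authorization; device untrusted" % service.name)
        return Decision(True, "mode 2: requirements for %s satisfied" % service.name)
    raise ValueError("unknown security mode %r" % mode)


# Constructed service catalogue for a phone-like device.
SERVICES = [
    ServicePolicy("OBEX Object Push"),                       # open: business cards
    ServicePolicy("Phonebook Access", True, True, True),     # trusted, authenticated, encrypted
    ServicePolicy("Dial-up Networking", require_authentication=True, require_encryption=True),
]


def reachable_services(mode: int, device: Device) -> list:
    """Names of catalogue services the device would be allowed to use."""
    return [s.name for s in SERVICES if evaluate(mode, device, s).allowed]


if __name__ == "__main__":
    stranger = Device("DE:AD:BE:EF:00:01")   # constructed, never paired
    paired = Device("00:11:22:33:44:55", trusted=True, authenticated=True, encrypted=True)
    for mode in (1, 2, 3):
        print("mode", mode, "stranger:", reachable_services(mode, stranger))
        print("mode", mode, "paired:  ", reachable_services(mode, paired))
```

Running it shows the stranger reaching everything in mode 1, only Object Push in mode 2, and nothing in mode 3, which is the ordering Public / Private / Silent in the list above.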


Figure 10. Bluetooth security threats

Some reported viruses and their vital statistics are listed below.


Table 4. Reported viruses and their vital statistics

The names bluesnarfing and bluebugging have been given to these methods of illegal and improper access to information. Although the Bluetooth standard incorporates very robust security mechanisms that application developers can use to create secure architectures, researchers have discovered a series of theoretical glitches and possible attacks in Bluetooth's core specifications. The most serious of these can lead to a compromise of the cryptographic algorithm protecting communication through sniffing, but this attack is impractical because the attacker must be present at the pairing of the devices and then must be able to sniff communications between them. The specific attacks through Bluetooth are:

BlueSnarf - Bluesnarfing allows hackers to gain access to data stored on a Bluetooth enabled phone using Bluetooth wireless technology without alerting the phone's user of the connection made to the device. The information that can be accessed in this manner includes the phonebook and associated images, calendar, and IMEI (international mobile equipment identity). By setting the device to non-discoverable, it becomes significantly more difficult to find and attack the device. Without specialized equipment the hacker must be within a 10 meter range of the device while running a device with specialized software. Only specific older Bluetooth enabled phones are susceptible to bluesnarfing.

Bluejacking - Bluejacking allows phone users to send business cards anonymously using Bluetooth wireless technology. Bluejacking does NOT involve the removal or alteration of any data from the device. These business cards often have a clever or flirtatious message rather than the typical name and phone number. Bluejackers often look for the receiving phone to ping or the user to react. They then send another, more personal message to that device. Once again, in order to carry out a bluejacking, the sending and receiving devices must be within 10 meters of one another. Phone owners who receive bluejack messages should refuse to add the contacts to their address book. Devices that are set in non-discoverable mode are not susceptible to bluejacking.

HeloMoto- A combination of BlueSnarf and BlueBug, this attack's name comes from the fact that it was originally discovered on Motorola phones.

BlueSmack- This denial-of-service (DoS) attack knocks out certain types of devices; attackers can perform it with standard tools.

BlueDump- This attack causes a Bluetooth device to dump its stored link key, creating an opportunity for key-exchange sniffing or for another pairing to occur with the attacker's device of choice.

Car Whisperer- This attack abuses the default configuration of many hands-free and headset devices, which come with fixed PINs for pairing and transmission.

BlueChop - This DoS attack can disrupt any established Bluetooth piconet by means of a device that isn't participating in it, if the piconet master supports multiple connections.

BlueBugging - Bluebugging allows skilled individuals to access the mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and receive text messages, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet. As with all the attacks, without specialized equipment, the hacker must be within a 10 meter range of the phone. This is a separate vulnerability from bluesnarfing and does not affect all of the same phones as bluesnarfing. The code below is an example of a bluebugging program.


Denial of service (DoS) - The well-known denial of service (DoS) attack, which has been most popular for attacking Internet Web sites and networks, is now an option for hackers of Bluetooth wireless technology enabled devices. This nuisance is neither original nor ingenious and is, very simply, a constant request for response from a hacker's Bluetooth enabled computer to another Bluetooth enabled device, such that it causes some temporary battery degradation in the receiving device. While occupying the Bluetooth link with invalid communication requests, the hacker can temporarily disable the product's Bluetooth.

Blue Bump - This attack takes advantage of a weakness in the handling of Bluetooth link keys, giving devices that are no longer authorized the ability to access services as if still paired. It can lead to data theft or to the abuse of mobile Internet connectivity services, such as Wireless Application Protocol (WAP) and General Packet Radio Service (GPRS).
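The denial-of-service item above describes a "constant request for response" from one remote device, and that pattern is easy to pick out of a connection log on the receiving side. The Python below is an added detection example, not code from the report: it keeps a sliding one-second window of request events per remote BD_ADDR and flags any address that exceeds a threshold. The log format (epoch seconds, remote address, event name, extra fields) and the sample lines are constructed; a real deployment would feed it from whatever HCI or L2CAP logging the host stack provides.

```python
"""Flag request floods against a Bluetooth interface from a connection log.

Added detection example (not from the seminar report). The log format and
the sample lines are constructed: one normal exchange plus a burst of
120 echo requests in 1.2 seconds from a single address.
"""
from collections import defaultdict, deque

SAMPLE_LOG = (
    "1700000000.000 AA:BB:CC:11:22:33 l2cap_connect_req psm=3\n"
    "1700000000.250 AA:BB:CC:11:22:33 l2cap_connect_rsp result=0\n"
    "1700000001.000 AA:BB:CC:11:22:33 rfcomm_open dlci=2\n"
    + "".join(
        "%.3f DE:AD:BE:EF:00:01 l2cap_echo_req len=600\n" % (1700000005 + i * 0.01)
        for i in range(120)
    )
    + "1700000010.000 AA:BB:CC:11:22:33 rfcomm_close dlci=2\n"
)

# Events that a flooding peer repeats; responses and data are not counted.
FLOOD_EVENTS = {"l2cap_echo_req", "l2cap_connect_req"}


def parse_line(line: str):
    """Return (timestamp, remote_addr, event) or None for an unparsable line."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        return float(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def detect_floods(log_text: str, window_s: float = 1.0, threshold: int = 20) -> dict:
    """Sliding-window counter per remote address.

    Returns {remote_addr: timestamp} for every address that reached
    `threshold` request events inside any `window_s`-second window; the
    timestamp is the moment the threshold was first crossed."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, addr, event = rec
        if event not in FLOOD_EVENTS:
            continue
        q = recent[addr]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and addr not in flagged:
            flagged[addr] = ts
    return flagged


def request_rates(log_text: str) -> dict:
    """Total counted request events per remote address, for reporting."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in FLOOD_EVENTS:
            counts[rec[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    for addr, when in detect_floods(SAMPLE_LOG).items():
        print("flood from %s, threshold crossed at %.3f" % (addr, when))
    print("request counts:", request_rates(SAMPLE_LOG))
```

The legitimate peer sends one connect request and is never flagged; the bursting address crosses the 20-in-one-second threshold on its twentieth echo request. Thresholds are policy: a headset that reconnects a few times a minute should sit far below them.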

CHAPTER 6

CREATING A BLUEBAG

The BlueBag project shows targeted attacks through Bluetooth malware using proof-of-concept code and devices that demonstrate their feasibility. The purpose of BlueBag is to gather data on the prevalence of insecure devices, to understand how susceptible people are to simple social engineering attacks, and to demonstrate the feasibility of attacks in secured areas. The need to mount any type of attack without being noticed led the researchers to create a covert attack and scanning device, which they later came to call the BlueBag. It is a Linux-based embedded system with several Bluetooth dongles to process many discovered devices in parallel, using an omnidirectional antenna to improve the range and cover a wide area. The researchers needed both a hidden tool and an instrument that could easily be carried around and still have a long battery life. To fulfill these requirements, they created the BlueBag by modifying a standard blue trolley and inserting a Mini-ITX system with the following off-the-shelf components:

- a VIA EPIA Mini-ITX motherboard (model PD6000E);
- 256 MBytes of RAM in a DDR400 DIMM module;
- an EPIA MII PCI back plate to extend the available onboard USB connections from two to six;
- a 20-Gbyte iPod, with a 1.8-inch hard drive that can resist an acceleration of up to 3 g;
- eight class-1 Bluetooth dongles with Broadcom chipsets (some were connected to a four-port USB hub);
- a modified class-1 Linksys Bluetooth dongle (Cambridge Silicon Radio chipset) fitted with a Netgear omnidirectional antenna with 5 dBi gain;
- a picoPSU DC-DC converter (this small power supply can generate up to 120 watts at over 96 percent efficiency);
- a 12 V, 26 Ah lead-acid battery to power the lengthy surveying sessions.


Figure 11. The BlueBag open

The BlueBag runs a GNU/Linux OS on top of which the researchers created a software infrastructure in Python that makes it easy to devise, control, and perform survey sessions. The software is completely multithreaded and can use the available dongles to perform different tasks concurrently. They implemented a simple but useful dongle management and allocation scheme to dynamically learn about available resources and lock them when needed. By doing so, they can reserve specific dongles to run applications that need to lock single physical interfaces for some time. The software is quite modular and was designed with the typical producer/consumer pattern: producers put found devices in a queue, using the standard utilities that come with BlueZ (the official Linux Bluetooth stack) to collect information. The software also includes customized versions of well-known Bluetooth information-gathering techniques such as blueprinting. A distinct thread manages the queue and assigns tasks to different consumers. They designed the BlueBag software suite to allow them to monitor and control the test's execution from a palmtop or smart phone via a web interface that runs on top of a TCP/IP over Bluetooth connection.
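The producer/consumer layout and the dongle reservation scheme described above are a general threading pattern, and the Python below is an added illustration of it, not the BlueBag project's own code. No radio is involved: the producer replays a constructed list of sightings instead of calling BlueZ utilities, consumers deduplicate addresses and only tally the device class, and the dongle pool shows the reserve/lock idea, where a task that needs a physical interface takes one from the pool and gives it back when done. Dongle names such as hci0 and the sightings are constructed.

```python
"""Producer/consumer survey pipeline with an exclusive dongle pool.

Added example (not the BlueBag project's code). Sightings are constructed
records; consumers count device classes and never touch a radio.
"""
import queue
import threading
from collections import Counter
from contextlib import contextmanager

# Constructed discovery records: (bd_addr, device class); the first address
# is seen twice to show deduplication.
DISCOVERED = [
    ("00:11:22:33:44:01", "Phone"),
    ("00:11:22:33:44:02", "Phone"),
    ("00:11:22:33:44:03", "Computer"),
    ("00:11:22:33:44:01", "Phone"),
    ("00:11:22:33:44:04", "Audio/Video"),
]


class DonglePool:
    """Hands out dongle names; a task holds one exclusively until it releases it."""

    def __init__(self, names):
        self._free = queue.Queue()
        for name in names:
            self._free.put(name)

    @contextmanager
    def reserve(self, timeout=5.0):
        name = self._free.get(timeout=timeout)   # blocks while every dongle is busy
        try:
            yield name
        finally:
            self._free.put(name)                 # return it even if the task failed


def producer(records, work_q):
    """Stand-in for an inquiry scan: push every sighting onto the work queue."""
    for rec in records:
        work_q.put(rec)


def consumer(work_q, pool, seen, tally, lock):
    """Take sightings, skip addresses already handled, and hold a dongle
    while processing a new device (here: counting its class)."""
    while True:
        rec = work_q.get()
        if rec is None:                          # shutdown sentinel
            work_q.task_done()
            return
        addr, dev_class = rec
        with lock:
            is_new = addr not in seen
            seen.add(addr)
        if is_new:
            with pool.reserve():
                with lock:
                    tally[dev_class] += 1
        work_q.task_done()


def run_survey(records, dongles=("hci0", "hci1", "hci2"), workers=4):
    """Run producer and consumers to completion; return (class tally, unique count)."""
    work_q = queue.Queue()
    pool = DonglePool(dongles)
    seen, tally, lock = set(), Counter(), threading.Lock()
    threads = [threading.Thread(target=consumer, args=(work_q, pool, seen, tally, lock))
               for _ in range(workers)]
    for t in threads:
        t.start()
    producer(records, work_q)
    work_q.join()                                # wait until every sighting is handled
    for _ in threads:
        work_q.put(None)                         # one sentinel per worker
    for t in threads:
        t.join()
    return dict(tally), len(seen)


if __name__ == "__main__":
    tally, unique = run_survey(DISCOVERED)
    print("unique devices:", unique, "by class:", tally)
```

With four workers and three dongles, one worker will occasionally block in reserve() until another returns its dongle; the result is the same in any thread order because the lock guards both the seen-set and the tally.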


CHAPTER 7 THE BLUEBAG PROJECT

The researchers initially focused on identifying how many active Bluetooth devices were in discoverable (visible) mode. They have demonstrated that it is possible to find devices with Bluetooth active but in nondiscoverable mode using a brute-force attack. An attack with this method is possible only if attackers want to target a specific device they know to be active and in range, and even then they must first identify the brand and model in order to prune the address space. Therefore, keeping a phone in nondiscoverable mode provides a basic form of protection against targeted attacks. For this reason, their test focused exclusively on detecting devices in discoverable mode, the only ones actually at potential risk of attack from Bluetooth malware.

The researchers conducted the survey in several high-transit locations in and around Milan: Milan's Exhibition Centre, during the InfoSecurity 2006 trade show; the Orio Center Shopping Mall; the MM2 Cadorna Metro Station; the Assago MilanoFiori Office District; Milan's Central Station; Milan Malpensa Airport; and Politecnico di Milano Technical University, Leonardo Branch. Table 5 shows the results; "unique devices" denotes the number of unique devices in discoverable mode found during a specific session, and "device rate" indicates the average number of unique devices discovered per minute. This data shows the capillary diffusion of Bluetooth technology in everyday life and also highlights the huge number of potentially vulnerable devices found, even in such a short time. After grouping the devices, the researchers analyzed the types of services the devices offered and, in particular, those that can be used to propagate worms.

LOCATION                                    DATE          DURATION (HH:MM)   UNIQUE DEVICES   DEVICE RATE
InfoSecurity 2006                           02/08-10/06   4:42               149              0.53
Orio Center Shopping Mall                   03/01-11/06   6:45               377              0.93
MM2 Metro Station                           03/09/06      0:39               56               1.44
Assago Office District                      03/09/06      1:11               236              1.60
Milan Central Station                       03/09/06      1:12               185              1.57
Milan Malpensa Airport                      03/13/06      4:25               321              1.21
Politecnico di Milano Technical University  03/14/06      2:48               81               0.48
Total                                                     22:58              1405

Table 5. Summary of surveying results


SERVICE TYPE                               NUMBER OF DEVICES
OBEX Object Push, OBEX file transfer       313
Headset, hands-free audio gateway          303
Dial-up networking                         292

Table 6. Services offered by mobile devices


As Table 6 shows, the OBEX Push service was active and in range for long enough to allow the scanning of 313 devices; this service is normally used for transferring information, files and applications, including worms. An important finding from the survey was the "visibility time", that is, the average time during which a device remains in a potential attacker's range, or the time in which an aggressor could exploit the device. This time depends substantially on the different activity patterns of people in different contexts and in some cases. Some cell phone models on the market are configured to be in discoverable mode by default when Bluetooth is activated, thus requiring the user to manually change the setting to the secure, nondiscoverable mode.

Most existing worms rely on the user accepting a file in order to propagate, so the researchers wanted to know the ratio of users who would accept a file transfer from an unknown source. To obtain this data, they developed an OBEX Pusher, an add-on to their normal survey scripts, which searches for all discoverable Bluetooth devices with OBEX Push support enabled and then sends them a file. Using this tool, they found that an astounding 7.5 percent of device owners carelessly accepted file transfers from unknown sources and were thus highly vulnerable to social engineering attacks.
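The figures reported in Tables 5 and 6 and the "visibility time" defined above can all be derived from a sighting log. The following is an added example, not the project's own code: it parses a constructed log (one sighting per line with date, time, dongle, BD_ADDR, a device name without spaces, and comma-separated services; this layout is an assumption, not the BlueBag's real log format) and computes unique devices, device rate per minute, per-device visibility time and the number of devices offering each service.

```python
"""Survey metrics from a sighting log (added example, constructed data)."""
from collections import Counter
from datetime import datetime

# Constructed sample log; addresses, names and times are made up.
SAMPLE_LOG = """\
2006-03-09 10:00:00 hci0 00:11:22:33:44:55 Nokia_6630 obex-push,hfp
2006-03-09 10:00:40 hci1 00:11:22:33:44:66 SGH-D500 obex-push,dun
2006-03-09 10:01:30 hci0 00:11:22:33:44:55 Nokia_6630 obex-push,hfp
2006-03-09 10:02:10 hci2 00:11:22:33:44:77 K750i hfp
2006-03-09 10:04:00 hci0 00:11:22:33:44:55 Nokia_6630 obex-push,hfp
2006-03-09 10:05:00 hci1 00:11:22:33:44:66 SGH-D500 obex-push,dun
"""


def parse_log(text):
    """Return a list of (timestamp, addr, name, services) tuples."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, _dongle, addr, name, services = line.split(maxsplit=5)
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        sightings.append((ts, addr, name, set(services.split(","))))
    return sightings


def summarize(sightings):
    """Compute unique devices, device rate, visibility time and service counts."""
    if not sightings:
        return {"unique_devices": 0, "session_minutes": 0.0, "device_rate": None,
                "visibility_seconds": {}, "avg_visibility_seconds": None,
                "service_counts": {}}
    first = min(s[0] for s in sightings)
    last = max(s[0] for s in sightings)
    minutes = (last - first).total_seconds() / 60.0   # session duration

    first_seen, last_seen, services = {}, {}, {}
    for ts, addr, _name, svcs in sightings:
        first_seen[addr] = min(ts, first_seen.get(addr, ts))
        last_seen[addr] = max(ts, last_seen.get(addr, ts))
        services.setdefault(addr, set()).update(svcs)

    # Visibility time: how long each device stayed inside the dongles' range.
    visibility = {a: (last_seen[a] - first_seen[a]).total_seconds()
                  for a in first_seen}
    # Each service is counted once per device, as in Table 6.
    service_counts = Counter(svc for svcs in services.values() for svc in svcs)
    n = len(first_seen)
    return {
        "unique_devices": n,
        "session_minutes": minutes,
        "device_rate": (n / minutes) if minutes > 0 else None,
        "visibility_seconds": visibility,
        "avg_visibility_seconds": sum(visibility.values()) / n,
        "service_counts": dict(service_counts),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A device seen only once gets a visibility time of zero, which is the conservative reading: the survey cannot tell how long it actually stayed in range between two inquiry rounds. The same computation applied to a longer real log would reproduce the "device rate" column of Table 5.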

Figure 12. Pseudocode of Bluetooth worm with dynamic payloads for targeted attacks (envelope component; figure not reproduced)

All the elements are thus in place for a huge risk, to both companies and individuals; the researchers can almost certainly foresee an increase in attacks that aim not only to make a mobile device unusable or to connect it to premium-rate telephone numbers, but also to target specific information on the device. The effort it takes to reach a target device is often thought of as a form of protection. To prove this assumption wrong, they created a network of viral agents that can spread among mobile devices looking for a target, zero in on it, and then report information back to the attacker. They designed a proof-of-concept worm infrastructure that uses an envelope-payload mechanism. The envelope component is a piece of software that can scan for Bluetooth devices and propagate to the devices it finds; it has a list of targets to propagate to and a set of payloads that it can "deploy" on the targets. The payload components can be any type of malicious code that the attacker wants to execute on victim devices, within the limits of cell phone operating systems. Such payloads can use the high connectivity of Bluetooth-enabled devices to transmit harvested information back to the attacker; the device doesn't need to be within the attacker's range to send the retrieved data. In other words, attackers could create a botnet of Bluetooth-enabled, remotely controlled zombie machines, which they could then use to perform further attacks on devices they couldn't normally reach.

One of the barriers to mobile malware propagation has historically been the differences among operating systems and hardware platforms. Features that would make this worm really dangerous are ways to auto-execute with as little interaction with the device user as possible. On Symbian phones, for instance, a worm can overwrite system files due to various structural flaws in access control.

The researchers used results from the ad hoc network research community to simulate the transient geographical relationships caused by the movement of people in physical places. Cecilia Mascolo and Mirco Musolesi's CMMTool generates realistic traces of movement for people and their respective devices. The researchers developed a small simulator that takes such traces as input and reproduces the behavior of a Bluetooth worm propagating across them. The resulting BlueSim tool can replicate, under various hypotheses, the behavior of real worm propagation, taking into account the visibility time of the devices, the inquiry time needed, the data transfer rate, and so on. They then tested two different conditions: the first was a worm propagating on its own, marked "no BlueBag" in the figure, and the second was the presence of an attacker with a tool similar to the BlueBag who was actively disseminating the worm.

In this work, the researchers tried to envision possible future attack scenarios involving targeted malware propagated through Bluetooth-enabled covert attack devices. They demonstrated the existence of a very high risk potential, created by low awareness, ever-increasing functionality and complexity, and by the feasibility of targeted, covert attacks through Bluetooth-enabled malware. Like common worms, their malware doesn't currently use Bluetooth attacks to spread itself; in the future, they want to investigate whether a sort of attack library, combining social engineering and Bluetooth technology attacks, could be used. As Figure 4 shows, after little more than 30 minutes on average a simple worm could infect any susceptible device in the lunch area through propagation alone. An attacker with a device such as the BlueBag would obtain the same result even faster.
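The propagation model that BlueSim applies to movement traces can be reproduced in a few dozen lines, which is useful for estimating risk in a given environment before any worm exists. The following is an added example, not the BlueSim or BlueBag code: it takes a constructed contact trace (each contact is the window during which two devices see each other; a real run would derive these from CMMTool-style movement traces), lets a copy succeed only when the window is long enough for inquiry plus transfer and the recipient accepts the file, and compares the "no BlueBag" condition with a covert attacker whose dongle sees every device for the whole period. The 7.5 percent acceptance rate measured in the survey enters as `accept_prob`. Device names and timings are made up.

```python
"""Contact-trace worm propagation model in the style of BlueSim (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    start: float   # seconds: devices a and b come into range
    end: float     # seconds: they leave range
    a: str
    b: str


def simulate(contacts, devices, seeds, inquiry_s=10.0, transfer_s=20.0,
             accept_prob=1.0, rng=None):
    """Return {device: infection_time} for everything reached from `seeds`.

    A copy succeeds on a contact only if inquiry + transfer fits inside the
    remaining window and the recipient accepts (probability `accept_prob`,
    which the survey above measured at 7.5 percent). Seeds start at t = 0.
    """
    rng = rng or random.Random(0)
    # Decide acceptance once per (contact, direction) so passes are stable.
    accept = {(i, d): rng.random() < accept_prob
              for i in range(len(contacts)) for d in (0, 1)}
    infected = {s: 0.0 for s in seeds}
    changed = True
    while changed:       # repeat until no contact yields an earlier infection
        changed = False
        for i, c in enumerate(contacts):
            for d, (src, dst) in enumerate(((c.a, c.b), (c.b, c.a))):
                if src not in infected or not accept[(i, d)]:
                    continue
                done = max(c.start, infected[src]) + inquiry_s + transfer_s
                if done <= c.end and done < infected.get(dst, float("inf")):
                    infected[dst] = done
                    changed = True
    return infected


def infection_ratio(infected, devices):
    """Timeline [(time, fraction of `devices` infected)] in time order."""
    times = sorted(infected[d] for d in devices if d in infected)
    return [(t, (i + 1) / len(devices)) for i, t in enumerate(times)]


def with_attacker(contacts, devices, start, end, name="attacker"):
    """Model a covert attacker whose class-1 dongle sees every device all along."""
    return list(contacts) + [Contact(start, end, name, d) for d in devices]


DEVICES = ["A", "B", "C", "D"]
SAMPLE_CONTACTS = [                # constructed trace, times in seconds
    Contact(0, 100, "A", "B"),
    Contact(50, 70, "B", "C"),     # too short for inquiry + transfer
    Contact(120, 200, "B", "C"),
    Contact(150, 160, "C", "D"),   # too short
    Contact(300, 400, "C", "D"),
]

if __name__ == "__main__":
    organic = simulate(SAMPLE_CONTACTS, DEVICES, {"A"})
    print("no BlueBag:   ", infection_ratio(organic, DEVICES))
    seeded = simulate(with_attacker(SAMPLE_CONTACTS, DEVICES, 0, 400),
                      DEVICES, {"attacker"})
    print("with attacker:", infection_ratio(seeded, DEVICES))
    cautious = simulate(SAMPLE_CONTACTS, DEVICES, {"A"}, accept_prob=0.075)
    print("7.5% accept:  ", infection_ratio(cautious, DEVICES))
```

Two properties of the model are worth noting. Short contacts (the 20-second and 10-second windows in the trace) never carry the worm, which is why the visibility time measured in the survey matters as much as the device count. And lowering the acceptance probability to the measured 7.5 percent, the one parameter users control, cuts the reach of a purely social-engineering worm sharply, whereas an attacker who is present with a long-range dongle removes the visibility-time constraint altogether.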


Figure 13. Infection ratio

Figure 14. Summary of Bluetooth security operations


CHAPTER 8 CONCLUSION

A Bluetooth device should never be public (discoverable) by default or as a fixed factory setting. A user should at least have the possibility to change the factory setting of the security level. Another possibility is to make the private security level mandatory and print the BD_ADDR of the device in every manual. PIN codes 16 case-sensitive alphanumerical characters long should always be used when possible. This also requires minor changes to the Bluetooth specification if the Bluetooth SIG wants to force device manufacturers to use it. On the other hand, some public Bluetooth services are not possible if all devices must be nondiscoverable. Bluetooth device manufacturers and users should also take security issues much more seriously.


