CEHv6 module 37 bluetooth hacking


Ethical Hacking and Countermeasures v6
Exam 312-50 Certified Ethical Hacker
Module XXXVII: Bluetooth Hacking
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

News

Source: http://www.fin24.co.za/

Bluetooth technology was invented to connect wireless devices such as laptops, printers, mobile phones, and video game consoles. Experts say, however, that devices which make use of Bluetooth are vulnerable to attacks. Vulnerable devices can be hacked, and an attacker can gain unauthorized access. The most common methods of attack are Bluebugging, BlueSnarfing, and Bluejacking.

The Bluebug attack performs illegal transactions on vulnerable devices. Another technique, named BlueSnarfing, makes use of the OBEX Push Profile (OPP) technology, designed for business card exchange, to hack the devices. Authentication is not required in most cases, so attackers make use of a common filename such as pb.vcf, which accesses the phone book on a cell phone.

A hidden Bluetooth device can also be identified using the technique of “brute force scanning”. Hackers use Red Fang to forcibly reveal the Bluetooth address of such devices and retrieve confidential information.
Module Objective

This module will familiarize you with:

• Bluetooth
• Security Issues in Bluetooth
• Attacks in Bluetooth
• Bluetooth Hacking Tools
• Viruses and Worms
• Bluetooth Security Tools

Module Flow

• Bluetooth
• Bluetooth Security Tools
• Bluetooth Hacking Tools
• Attacks against Bluetooth
• Viruses and Worms
• Security Issues in Bluetooth
Bluetooth: Introduction

• Bluetooth is a short-range wireless communications technology intended to replace the cables connecting portable or fixed devices while maintaining high levels of security.
• It wirelessly connects mobile phones, portable computers, stereo headsets, MP3 players, and more.
• Bluetooth technology has achieved global acceptance, such that any Bluetooth-enabled device, almost everywhere in the world, can connect to other Bluetooth-enabled devices in proximity.
• Bluetooth-enabled electronic devices connect and communicate wirelessly through short-range, ad hoc networks known as piconets.

According to http://searchmobilecomputing.techtarget.com/, “Bluetooth is a telecommunications industry specification that describes how mobile phones, computers, and personal digital assistants (PDAs) can be easily interconnected using a short-range wireless connection.”

The common uses of Bluetooth in today’s world are:

• Transferring data such as the phone book and other information between mobile devices and a PC
• Connecting a printer, keyboard, or mouse to a PC without cables
• Sending photos and ring tones from one device to another

Bluetooth is useful in case of emergency to send information from one device to another.

Security within Bluetooth itself covers three major areas:

• Authentication
• Authorization
• Encryption
Security Issues in Bluetooth

The following are the various security issues in Bluetooth:

• Short PINs are allowed
• Encryption key length is negotiable
• Unit key is reusable and becomes public once used
• The master key is shared
• No user authentication exists
• Unit key sharing can lead to eavesdropping
• End-to-end security is not performed
• Security services are limited

In more detail, security issues related to Bluetooth include:

• Short PINs are allowed. PINs generate encryption keys and links, so increasing the PIN length will increase security. Short or weak PINs can be easily identified.
• The length of the encryption key is negotiable. A stronger initialization key generation process is required to increase Bluetooth security.
• A unit key is a link key that one device generates and uses as a link key with any other device. In Bluetooth communication, the unit key is reusable, and once used it becomes public. Unit keys can be safely used only in fully trusted environments, because every paired device can copy any other device holding the same unit key.
• The master key of the pairing devices is shared. Bluetooth security can be increased by using a superior broadcast keying method.
• An attacker can gain unauthorized access to two other users if that attacker has communicated with either of the other two users before. This is mainly because the link key that has resulted from shared information is disclosed.
• In Bluetooth communications, only the device is authenticated, not individual users, which means anyone can use the device as long as it is authenticated. For better security, application-level security and user authentication could be employed.
• End-to-end security is not performed. Only the individual links are encrypted and authenticated, so it is possible to decrypt the data at intermediate points.
• Security services are limited in Bluetooth. Auditing, non-repudiation, and other types of services do not exist.

Bluetooth Attacks

Attacks against Bluetooth

• Bluejacking
• BlueSpam
• BlueSnarfing
• BlueBug Attack
• Short Pairing Code Attacks
• Man-In-Middle Attacks
• BTKeylogging attack
• BTVoiceBugging attack
• Blueprinting
• Bluesmacking
• Denial-of-service attack
Bluejacking

• Bluejacking is the art of sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDAs and mobile phones.
• A loophole in the initialization stage of the Bluetooth communication protocol enables this attack.
• Before starting the communication, both Bluetooth devices exchange information during an initial handshake period.
• In this period, the initiating Bluetooth device's name must be displayed on the other device’s screen.
• The initiating device sends a user-defined field to the target device.
• An attacker hacks and uses this field to send unsolicited messages to the target device.

According to http://searchmobilecomputing.techtarget.com/, Bluejacking is the practice of sending messages between mobile users using a Bluetooth wireless connection. These wireless devices include PDAs, laptop devices, and mobile phones. Bluejacking is not meant for hijacking any devices but makes use of a feature for sending messages to the recipient’s device. It does not cause any damage to the devices but may be irritating and disruptive for the victims.

Bluejacking is achievable due to small loopholes in the initialization stage of the Bluetooth communication protocol. Bluetooth devices exchange information at the time of the first connection, before allowing the communication. In this period, the initiating Bluetooth device’s name has to be shown on the other device’s screen. The initiating device sends a user-defined field to the destination device. The attacker uses this field to send unsolicited messages to the target device.
BlueSpam

• BlueSpam finds other Bluetooth-enabled devices and sends a file to them (spams them).
• BlueSpam is sent using the OBEX protocol.
• The file ranges from VCFs (electronic business cards) to simple ASCII text files, image files, audio, and video files.
• To customize the message that is sent, the attacker needs a Palm with an SD/MMC card; he/she then creates a directory /PALM/programs/BlueSpam/Send/ and puts the file in it.
• BlueSpam supports backfire: if it finds any Palm in discoverable and connectable mode, BlueSpam intercepts all connection attempts of other Bluetooth devices and starts sending messages back to the sender.

BlueSnarfing

• Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection.
• For this attack, the attacker needs to connect to the OBEX Push Profile (OPP), which is used to exchange information between wireless devices.
• The attacker connects to the OBEX Push target and performs an OBEX GET request for known filenames such as 'telecom/pb.vcf' for the device's phone book or 'telecom/cal.vcs' for the device's calendar file.
• If the device is not implemented properly, the attacker can gain access to all the files.

According to http://searchmobilecomputing.techtarget.com, “Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection.”

A Bluesnarfing attack helps attackers gain access to the sensitive data in a Bluetooth-enabled device. If the attacker is within range of the Bluetooth-enabled device, he/she can steal the information present on the victim’s device with the use of the right tools.

To perform BlueSnarfing, an attacker exploits a vulnerability that occurs in the implementation of the object exchange (OBEX) protocol. This protocol is mainly used for exchanging data. The BlueSnarf attack connects to the OBEX Push target and performs an OBEX GET request for the known filenames 'telecom/pb.vcf' for the device's phone book or 'telecom/cal.vcs' for the device’s calendar file. An improper implementation of the device firmware can lead to the attacker retrieving all the files with known or correctly guessed names. Other devices such as laptops, PDAs, and desktop computers are also vulnerable to this attack.
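
The "implemented properly" condition above comes down to the Object Push channel refusing anything that is not a push. The following is an added example, not part of the original module or of any vendor's firmware: a request policy for an OBEX Push endpoint that accepts PUT of a bare file name and answers GET (including GET for 'telecom/pb.vcf') with Forbidden. The function names push_policy, parse_headers and build are hypothetical, the sample packets are constructed, and the check is applied to the first packet of a request, which carries the Name header.

```python
import struct

# OBEX request opcodes with the final bit (0x80) masked off.
OP_CONNECT, OP_DISCONNECT, OP_PUT, OP_ABORT = 0x00, 0x01, 0x02, 0x7F
# OBEX response codes with the final bit set.
SUCCESS, BAD_REQUEST, FORBIDDEN = 0xA0, 0xC0, 0xC3
HDR_NAME = 0x01  # Name header: UTF-16BE text, null terminated

def parse_headers(block):
    """Return {header_id: value_bytes}; raise ValueError if malformed."""
    headers, i = {}, 0
    while i < len(block):
        hid, kind = block[i], block[i] & 0xC0
        if kind in (0x00, 0x40):  # 2-byte length counts id + length + value
            if i + 3 > len(block):
                raise ValueError("truncated header")
            size, skip = struct.unpack(">H", block[i + 1:i + 3])[0], 3
        else:                     # fixed 1-byte (0x80) or 4-byte (0xC0) value
            size, skip = (2 if kind == 0x80 else 5), 1
        if size < skip or i + size > len(block):
            raise ValueError("bad header length")
        headers[hid] = block[i + skip:i + size]
        i += size
    return headers

def push_policy(packet):
    """Return a refusal code for one Object Push request, or SUCCESS."""
    if len(packet) < 3 or struct.unpack(">H", packet[1:3])[0] != len(packet):
        return BAD_REQUEST
    op = packet[0] & 0x7F
    if op in (OP_CONNECT, OP_DISCONNECT, OP_ABORT):
        return SUCCESS
    if op != OP_PUT:              # GET, SETPATH and anything else: refuse
        return FORBIDDEN
    try:
        raw = parse_headers(packet[3:]).get(HDR_NAME, b"")
    except ValueError:
        return BAD_REQUEST
    name = raw.decode("utf-16-be", "replace").rstrip("\x00")
    # Accept only a bare file name so a pushed object cannot pick its folder.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return FORBIDDEN
    return SUCCESS

def build(opcode, name):
    """Constructed sample request: opcode plus a single Name header."""
    text = name.encode("utf-16-be") + b"\x00\x00"
    hdr = bytes([HDR_NAME]) + struct.pack(">H", 3 + len(text)) + text
    return bytes([opcode]) + struct.pack(">H", 3 + len(hdr)) + hdr
```

A device that applies this kind of check on the push channel, and requires pairing before exposing any profile that serves files, does not hand out the phone book or calendar to an unauthenticated GET.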

Date posted: 26/12/2013, 20:58