Bluetooth 2.1 + EDR feat. Bluetooth Security Reloaded

There is a new Bluetooth Standard to be released. Bluetooth Core 2.1 + EDR has some major changes including changes in the pairing process. The changes made are called “Secure Simple Pairing”.

Secure, because they improved the key exchange, in response to the recent attacks on the Pairing Process. Diffie Hellman Elliptic Curves are used to make the key exchange more secure. There is a whitepaper on Secure Simple Pairing around and of course the draft for the upcoming release of the specification, but unfortunately not available for the regular user. You have to be a member of the SIG to get these documents (just get yourself an account).

Simple, because in the simplest scenario the user has nothing more to do to pair two devices, than to get them into a specific physically range. There is no other interaction needed by the user, like the input of a PIN. That makes the life of the casual Bluetooth user much easier. In this scenario a technology called Near Field Communication (NFC) is used. NFC is a very, very short-range wireless technology where the devices are only able to communicate when they are very close to each other, like for example 10cm. In the case of Bluetooth, NFC is only used as some kind of “door opener” for the connection of the devices. Only the initial pairing is done over NFC. The real data transfer is handled with Bluetooth. First NFC mobiles have been presented at CES this year from Nokia and Sagem.

There is a nice little interview at with Mike Foley, the head of the Bluetooth SIG. They are showing some features of the new specification with some prototype devices and give an impression on how pairing is going to be done in the future.

Now, talking about security of the Bluetooth 2.1 devices….
When Mike Foley sends a picture from the camera to the picture frame or to the printer he seemed just to get into a certain physical distance and then the pictured gets transfered to the other device. There is no interaction needed by the user for the transfer. Just bring the two devices together and everything is done. The security we have here is just the limited physical distance between the two devices. But is this security? Come on! Ever heard of beam antennas? I am pretty sure that you can extend the range of NFC to more than 10cm. Pretty cool when you have preeeety strange pictures on your trendy Bluetooth 2.1 picture frame, aight?

Update: It is not that easy with NFC. NFC is based on RFID and therefore the extension of range is more difficult. NFC and RFID are using mutual inductance coupling. Even there were some successful experiments on eavesdropping such connections it is not as easy as in WiFi or Bluetooth connections.

At least Mike had to confirm the pairing of the headphone, so there is hope that manufactures think about implementing a “Press to confirm” button. This might be less user friendly but more secure.
Anyway, this just would be an implementation issue. I think the upcoming specification has some pretty good improvements in security with Diffie Hellman key exchange and simplicity with several pairing scenarios which might make life easier.

F-Secure Visualizations

This is not directly related to wireless stuff, but anyway it’s definitely worse to mention it. I am a big fan of visualization and F-Secure is doing great work. For example their World Map, where you can see (more or less) live how a virus or worm spreads around the world. Anyway, their newest visualization describes the structure of the Bagle Worm. Pretty cool.


Don’t forget to check out their weblog!

Bluetooth Sniffing Pt.1

Most people will know sniffers for 802.11 Networks. One of them is Kismet. While sniffing with Kismet the Wireless Network card is set into raw monitoring mode. In this mode the card basically listens for all incoming traffic on a specific channel.

The main differences between 802.11 networks and Bluetooth are:

  1. A Bluetooth connection is not using one specific channel, it hops over 79 different channels, changing the channel every 0.625 seconds in a pseudo random sequence. That’s called FHSS (Frequency-hopping spread spectrum).
  2. You don’t have that much control over your Bluetooth hardware – the radio and baseband layer are insulated from you by a layer called “HCI” (Host Controller Interface). You can only control these lower layers with predefined HCI commands.

As you can see, sniffing Bluetooth is not as easy as in 802.11 Networks: Buy your regular hardware, put it into monitoring mode and lean back. For Bluetooth it is a little bit more difficult. For now, the only way for sniffing a Bluetooth connection is to sniff on your local device’s HCI layer, but this will only let you see the traffic that is passed through the HCI Layer from devices that connect to you. Hcidump from Bluez is such a sniffer. That’s a start, but not to good. You will often want to see what’s going on on the baseband and radio layer. The only way to do this is to sniff on the Air.

There are two ways to do this:

  1. A device, which monitors the whole 79 Channels at the same time and is able the differentiate between Piconets
  2. A device, which is able to follow the hopping sequence of the Piconet.

Option number one: Forget it. I mean, of course it might be possible but you would need the hardware to monitor 79 channels, implement the logic to differentiate between different Piconets – I guess this device would cost at least a few ten thousands of Euro.

For the other option, you need to be able to follow the hopping sequence of the Piconet. Since the hopping sequence depends on the Masters Bluetooth device address and internal clock, you just have to find out these two informations (which isn’t to hard) and follow the Piconet’s hopping sequence with your device. The easiest way to do this would be using your regular Bluetooth Dongle with some kind of modified Firmware, with which you could control the sniffer’s hopping sequence. The problem with creating your own Firmware for your Dongle are the manufactures. They won’t give you enough information on the Bluetooth chip.

There are serveral Bluetooth sniffers out there which are doing exactly this. For example FTE’s FTS4BT or LeCroy’s Merlin II. But what you really want is an Open Hardware Blueooth device with Open Source firmware in it. A viewer is already available, our network protocol analyzer of choice, Wireshark (former Ethereal), is already supporting Bluetooth capture files.

Since a commercial Bluetooth Sniffer would cost you around 10.000$, a Open Source Bluetooth Sniffer would be pretty cool.