Over the past seven weeks, our team at the Leahy Center for Digital Investigation has been working to discover the inherent vulnerabilities in Bluetooth security technology. We have wrapped up the research portion of our project and have begun running tests on our devices. Over the next several weeks we will continue to run more tests and analyses to discover what we can about how Bluetooth can be infiltrated and exploited, and how the average person might protect themselves against this type of attack.
Progress on Bluetooth security
One of the first vulnerabilities that we found in Bluetooth is the possibility of MAC address spoofing. A MAC address is a unique identifier made up of six groups of two hexadecimal digits. Every electronic device is given its own individual MAC address, usually denoting the make and model of the device, with a few characters that make it unique. However, there are programs that can be used to spoof (temporarily change) a device’s MAC address.
Since Bluetooth technology uses MAC addresses to differentiate between devices, anyone with malicious intent could theoretically spoof their MAC address to match that of a device that has already been paired with the target. This would allow the attacker to gain access to the target device without alerting the target to any malicious activity. This also applies to the smart lock feature of many newer phones, which automatically unlocks the user’s smartphone when it is in the presence of a Bluetooth device the user trusts.
To increase the number of tests that we can run, our team recently acquired a device known as the Ubertooth One. The Ubertooth is an open-source Bluetooth monitoring and development platform that allows a user to monitor and capture data sent over the low-energy frequencies that Bluetooth uses to connect devices. This tool is the cornerstone of our project, as it will allow us to see and interpret substantially more of the data being sent between devices. This will also help us determine any vulnerabilities that we can capitalize on and possibly exploit.
One example of how we can use the Ubertooth One is to capture a complete pairing between two Bluetooth devices. The data that contains this pairing will be encrypted by default; however, it can be saved and run through a program such as Crackle. Programs like Crackle take advantage of a flaw in Bluetooth Low Energy pairing that allows the program to guess or brute force the temporary key (TK) used to secure the pairing. Once the temporary key is discovered, we can use it to derive the short-term key (STK, the next step in authentication), as well as the long-term key (LTK, the final and lasting step), enabling any captured data between the two devices to be decrypted and analyzed.
When devices communicate over Bluetooth, they use one of the 79 channels available to them. Upon connection, the two devices will establish what’s called a hopping sequence. Hopping, in terms of Bluetooth, is when the devices transmit data to each other on one channel, then switch, or hop, to another channel to continue sending data. This is another security feature of Bluetooth, though it is better thought of as ‘security by obscurity.’ Hopping happens over and over at a standard rate of 1,600 hops per second. Because the hopping sequence is picked randomly, interference with other devices is unlikely.
Now, of the 79 channels that exist in Bluetooth, some devices have designated open channels that can be used for development purposes.
Unfortunately, not every device utilizes the same channels, requiring us to find them; however, the Ubertooth comes with a suite of sniffing tools for just this purpose. With these tools, run in a terminal or command line, we can scan every channel and discover which channels each device leaves open.
The Ubertooth analyzes and locks onto these hopping sequences after monitoring traffic for a while, giving us the ability to follow a certain device and record its Bluetooth traffic despite its previously hidden hopping sequence.
By using the Ubertooth, our team can also record Bluetooth packets in Wireshark by setting up a data pipe that carries the capture output from the Ubertooth into a profile that Wireshark can read. The data read by Wireshark can then be analyzed for things like pairings, device names, and device discoverability (which is advertised in Low Energy traffic as long as Bluetooth is enabled on the device).
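As an added example (not code from this post or from the Ubertooth project), the parser below pulls the items listed above out of a single LE advertising PDU of the kind an Ubertooth capture delivers to Wireshark: the advertiser address and its type, the discoverability bits from the Flags AD structure, and the local name. The PDU bytes, the address and the name "LCDI-Tag" are constructed for this example; the field layout follows the Core Specification's advertising PDU format (2-byte header, little-endian AdvA, then length/type/value AD structures).

```python
# Added example: parse one BLE advertising PDU and report what a defender
# would look for in a capture. Sample bytes are constructed, not captured.
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             4: "SCAN_RSP", 6: "ADV_SCAN_IND"}

def random_address_subtype(addr_bytes):
    """Classify a random address by its two most significant bits."""
    msb = addr_bytes[0] >> 6
    return {0b11: "static", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(msb, "reserved")

def parse_adv_pdu(pdu):
    header, length = pdu[0], pdu[1]
    pdu_type = header & 0x0F
    tx_add = (header >> 6) & 1            # TxAdd: 0 = public address, 1 = random
    payload = pdu[2:2 + length]
    adva = payload[:6][::-1]              # AdvA is sent little-endian; flip for display
    addr = ":".join(f"{b:02X}" for b in adva)
    addr_type = "public" if tx_add == 0 else f"random ({random_address_subtype(adva)})"
    info = {"pdu_type": PDU_TYPES.get(pdu_type, f"type {pdu_type}"),
            "address": addr, "address_type": addr_type,
            "name": None, "discoverable": "not discoverable"}
    i = 6                                 # AdvData: [len][type][data...] structures
    while i < len(payload):
        ad_len = payload[i]
        if ad_len == 0:
            break
        ad_type, ad_data = payload[i + 1], payload[i + 2:i + 1 + ad_len]
        if ad_type == 0x01 and ad_data:   # Flags: bit0 limited, bit1 general discoverable
            if ad_data[0] & 0x01:
                info["discoverable"] = "LE limited discoverable"
            elif ad_data[0] & 0x02:
                info["discoverable"] = "LE general discoverable"
        elif ad_type in (0x08, 0x09):     # Shortened / Complete Local Name
            info["name"] = ad_data.decode("utf-8", errors="replace")
        i += 1 + ad_len
    return info

# Constructed ADV_IND from a static random address C0:DE:CA:FE:12:34,
# Flags = 0x06 (general discoverable, BR/EDR not supported), name "LCDI-Tag".
SAMPLE_PDU = bytes([0x40, 0x13, 0x34, 0x12, 0xFE, 0xCA, 0xDE, 0xC0,
                    0x02, 0x01, 0x06, 0x09, 0x09]) + b"LCDI-Tag"

if __name__ == "__main__":
    print(parse_adv_pdu(SAMPLE_PDU))
```

A device advertising with the general-discoverable bit set is visible to any scanner in range, which is the condition the paragraph above refers to; a resolvable private address shows that the device is rotating its address rather than exposing a fixed one.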
With all this data, our team has begun to run control tests so that we may find the extent of the danger someone with a device like the Ubertooth One can pose to the average user.
We have taken special care to look only at our control devices in these tests, as working with Bluetooth traffic in a lab full of tech-savvy students has proven to be anything but quiet.
Bluetooth is a rapidly growing and adapting technology that is being implemented in everyday devices. As a result, the security of this technology is crucial in making sure it cannot be taken advantage of for malicious purposes. In the coming weeks, our team will continue to test both the security and the capabilities of modern Bluetooth technology, so stay tuned for our complete analysis!