Bluetooth Vulnerabilities

  1. Link keys based on unit keys are static and reused for every pairing.
  2. PINs can be too short.
  3. PIN management and randomness are lacking.
  4. The Just Works association model does not provide MITM protection during pairing, which results in an unauthenticated link key.
  5. Authentication attempts are repeatable.
  6. Device authentication is a simple shared-key challenge/response.
  7. End-to-end security is not performed.

Bluetooth Threats

  1. Bluesnarfing. Bluesnarfing enables attackers to gain access to a Bluetooth-enabled device
    by exploiting a firmware flaw in older (circa 2003) devices. This attack forces a connection
    to a Bluetooth device, allowing access to data stored on the device including the device’s
    international mobile equipment identity (IMEI). The IMEI is a unique identifier for each
    device that an attacker could potentially use to route all incoming calls from the user’s
    device to the attacker’s device.
  2. Bluejacking. Bluejacking is an attack conducted on Bluetooth-enabled mobile devices, such
    as cell phones. An attacker initiates bluejacking by sending unsolicited messages to the user
    of a Bluetooth-enabled device. The actual messages do not cause harm to the user’s device,
    but they may entice the user to respond in some fashion or add the new contact to the
    device’s address book. This message-sending attack resembles spam and phishing attacks
    conducted against email users. Bluejacking can cause harm when a user initiates a response
    to a bluejacking message sent with a harmful intent.
  3. Bluebugging. Bluebugging exploits a security flaw in the firmware of some older (circa
    2004) Bluetooth devices to gain access to the device and its commands. This attack uses
    the commands of the device without informing the user, allowing the attacker to access
    data, place phone calls, eavesdrop on phone calls, send messages, and exploit other
    services or features offered by the device.
  4. Car Whisperer. Car Whisperer is a software tool developed by European security
    researchers that exploits the use of a standard (non-random) passkey in hands-free
    Bluetooth car kits installed in automobiles. The Car Whisperer software allows an attacker
    to send audio to or receive audio from the car kit. An attacker could transmit audio to the
    car’s speakers or receive audio (eavesdrop) from the microphone in the car.
  5. Denial of Service. Like other wireless technologies, Bluetooth is susceptible to DoS
    attacks. Impacts include making a device’s Bluetooth interface unusable and draining the
    device’s battery. These types of attacks are not significant and, because of the proximity
    required for Bluetooth use, can usually be easily averted by simply moving out of range.
  6. Fuzzing Attacks. Bluetooth fuzzing attacks consist of sending malformed or otherwise
    non-standard data to a device’s Bluetooth radio and observing how the device reacts. If a
    device’s operation is slowed or stopped by these attacks, a serious vulnerability potentially
    exists in the protocol stack.
  7. Pairing Eavesdropping. PIN/Legacy Pairing (Bluetooth 2.0 and earlier) and low energy
    Legacy Pairing are susceptible to eavesdropping attacks. The successful eavesdropper who
    collects all pairing frames can determine the secret key(s) given sufficient time, which
    allows trusted device impersonation and active/passive data decryption.
  8. Secure Simple Pairing Attacks. A number of techniques can force a remote device to
    use Just Works SSP and then exploit its lack of MITM protection (e.g., the attack device
    claims that it has no input/output capabilities). Further, fixed passkeys could allow an
    attacker to perform MITM attacks as well.
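
As an added illustration, not part of the original notes, the Python below models how BR/EDR Secure Simple Pairing picks its association model from the two devices' advertised IO capabilities alone (OOB data and the authentication-requirements MITM flag are ignored as a simplification), shows a policy check that refuses the unauthenticated link key Just Works would produce, and flags a remote device that suddenly claims no input/output after earlier advertising more; the IO capability names are the spec's, while the function names, sample addresses and log are assumed or constructed.

```python
# Added example: simplified SSP association-model selection and a defender-side
# policy/detection check. OOB and the auth-requirements MITM bit are ignored.
IO_CAPS = ("DisplayOnly", "DisplayYesNo", "KeyboardOnly",
           "NoInputNoOutput", "KeyboardDisplay")


def association_model(local_io, remote_io):
    """Return (model, mitm_protected) for a pair of advertised IO capabilities."""
    for cap in (local_io, remote_io):
        if cap not in IO_CAPS:
            raise ValueError(f"unknown IO capability: {cap}")
    caps = {local_io, remote_io}
    if "NoInputNoOutput" in caps:
        return ("Just Works", False)      # nothing to confirm or enter on one side
    if "DisplayOnly" in caps and caps <= {"DisplayOnly", "DisplayYesNo"}:
        return ("Just Works", False)      # displays only, no keyboard: nothing to enter
    if "KeyboardOnly" in caps or "DisplayOnly" in caps:
        return ("Passkey Entry", True)    # one side shows/knows the 6-digit passkey, other types it
    return ("Numeric Comparison", True)   # both sides show and confirm the same 6-digit value


def accept_pairing(local_io, remote_io, require_authenticated=True):
    """Policy: refuse to create a link key that lacks MITM protection.
    Returns (accepted, reason)."""
    model, mitm = association_model(local_io, remote_io)
    if require_authenticated and not mitm:
        return (False, f"{model} would yield an unauthenticated link key "
                       f"(remote claims {remote_io}); refusing")
    return (True, f"{model} pairing accepted")


def flag_capability_downgrades(pairing_log, known_caps):
    """Detection: flag remote addresses that previously advertised a richer IO
    capability but now claim NoInputNoOutput (the way Just Works gets forced).
    pairing_log entries are (remote_addr, claimed_io); known_caps maps
    remote_addr -> capability recorded at first pairing."""
    flagged = []
    for addr, claimed in pairing_log:
        prior = known_caps.get(addr)
        if prior and prior != "NoInputNoOutput" and claimed == "NoInputNoOutput":
            flagged.append(addr)
    return flagged


# Constructed sample data (hypothetical addresses, not from the notes).
KNOWN_CAPS = {"AA:BB:CC:DD:EE:01": "DisplayYesNo", "AA:BB:CC:DD:EE:02": "KeyboardOnly"}
PAIRING_LOG = [("AA:BB:CC:DD:EE:01", "NoInputNoOutput"),   # downgrade: flag it
               ("AA:BB:CC:DD:EE:02", "KeyboardOnly"),      # unchanged
               ("AA:BB:CC:DD:EE:03", "NoInputNoOutput")]   # unknown device, nothing to compare
```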

Recommended Tips for Bluetooth

  1. Use random PIN codes where possible.
  2. Turn the Bluetooth power setting down so that range is limited to nearby devices.
  3. When in doubt, turn Bluetooth off if possible.