Term
| Summarise the six security weaknesses of Bluetooth. |
|
Definition
Unit key
PIN (pass-key)
Location privacy (tracking of devices)
Denial of service attacks
Implementation attacks
Problems with cryptographic algorithms |
|
|
Term
| What protection does the UNIT KEY give against attacks by trusted devices? |
|
Definition
| None. Every device that has been given the unit key can eavesdrop on traffic between any other two units that protect their connection with it. |
|
|
Term
| How might a trusted device eavesdrop on traffic? |
|
Definition
A trusted device (one that possesses the unit key) that eavesdrops on the initial authentication messages between two other units using that unit key can then eavesdrop on all traffic between those two units |
|
|
Term
| What are the three weaknesses associated with the pass-key or PIN? |
|
Definition
Fixed PIN
Weak PINs
Security keys are based upon the security PIN |
|
|
Term
| Because the security keys are derived from the security PIN, what can an attacker do? |
|
Definition
| Brute-force the possible PINs. Every key is derived from the PIN plus values sent in the clear, so an attacker who records a pairing exchange can try each candidate PIN offline and recognise the right one when it reproduces the recorded authentication response. Short or fixed PINs make this fast. |
|
|
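The offline attack these two cards describe, as an added example that is not part of the notes: an eavesdropper records a legacy pairing exchange and then tests every candidate PIN. In the real BR/EDR protocol the functions E22, E21 and E1 are SAFER+-based; here HMAC-SHA256 stands in for them (an assumption), and the addresses and PIN are constructed, so only the data flow is faithful: what depends on the PIN, what goes over the air, and how the recorded SRES lets each guess be checked.

```python
"""Offline PIN brute force against a recorded Bluetooth legacy-pairing exchange.

Constructed example. E22, E21 and E1 are SAFER+-based in the real protocol;
HMAC-SHA256 stands in for them here (an assumption), so only the data flow
(what is derived from the PIN, what an eavesdropper can record) is faithful.
"""
import hashlib
import hmac
import itertools
import os


def _prf(label: bytes, key: bytes, *parts: bytes) -> bytes:
    """16-byte stand-in for the SAFER+-based E22/E21/E1 functions (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key K_init: everything that goes in here except the PIN is public."""
    return _prf(b"E22", pin, bd_addr, in_rand)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination link key."""
    return _prf(b"E21", lk_rand, bd_addr)


def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Challenge-response: SRES (32 bits) = E1(link key, AU_RAND, claimant address)."""
    return _prf(b"E1", link_key, au_rand, bd_addr)[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair_and_authenticate(pin: bytes, addr_a: bytes, addr_b: bytes) -> dict:
    """Devices A and B pair with a shared PIN and authenticate once; returns what a sniffer sees."""
    in_rand = os.urandom(16)                         # sent in clear by A
    k_init = e22(pin, addr_b, in_rand)               # both sides compute it from the PIN
    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand = os.urandom(16)                         # A challenges B
    sres = e1(link_key, au_rand, addr_b)             # B's response, sent in clear
    return {
        "addr_a": addr_a, "addr_b": addr_b,          # readable from packet headers / FHS
        "in_rand": in_rand,
        "c_a": xor(lk_rand_a, k_init),               # LK_RANDs go over the air masked by K_init
        "c_b": xor(lk_rand_b, k_init),
        "au_rand": au_rand,
        "sres": sres,
    }


def crack_pin(t: dict, digits: int = 4):
    """Attacker: replay the key schedule for every candidate PIN until SRES matches.

    Returns (pin, link_key) on success, (None, None) if no PIN of that length fits.
    """
    for cand in itertools.product("0123456789", repeat=digits):
        pin = "".join(cand).encode()
        k_init = e22(pin, t["addr_b"], t["in_rand"])
        link_key = xor(e21(xor(t["c_a"], k_init), t["addr_a"]),
                       e21(xor(t["c_b"], k_init), t["addr_b"]))
        if e1(link_key, t["au_rand"], t["addr_b"]) == t["sres"]:
            return pin.decode(), link_key            # the PIN and the live link key
    return None, None


if __name__ == "__main__":
    addr_a = bytes.fromhex("001a7dda7113")           # constructed addresses
    addr_b = bytes.fromhex("5cf3708b229a")
    transcript = pair_and_authenticate(b"4821", addr_a, addr_b)
    pin, key = crack_pin(transcript)
    print(f"recovered PIN {pin}, link key {key.hex()}")
```

Nothing in the attacker's loop needs the victim online: the whole exchange was captured, so the cost is one key schedule per candidate, and a four-digit PIN is at most ten thousand of them. Recovering the PIN also yields the link key, which is why the "security keys are based on the PIN" weakness matters more than a PIN alone would suggest.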
Term
| What are the three main issues related to location privacy? |
|
Definition
Devices can be in discoverable mode
Every device has a fixed hardware address (the BD_ADDR)
These hardware addresses are sent in the clear |
|
|
Term
| What actually is location privacy? |
|
Definition
| Location privacy is the user's ability to move around without being tracked. The weakness is that a Bluetooth device's fixed address lets the device, and so its owner, be tracked from place to place. |
|
|
Term
| There are five types of location tracking attack; what are they? |
|
Definition
Inquiry attacks
Traffic monitoring attacks
Paging attacks
Frequency hopping attacks
User-friendly name attacks |
|
|
Term
| Despite the poor description in the notes, what is the fundamental flaw that makes the UNIT KEY such a problem? |
|
Definition
A unit that uses a unit key can only use that one key for all of its secure connections. It therefore has to share the same key with every other unit it trusts, so any of them can read traffic meant for the others |
|
|
Term
| What can prevent location tracking? |
|
Definition
To protect a device against location tracking, an anonymity mode is needed: a device operating in anonymous mode regularly updates its device address by randomly choosing a new one, so sightings at different times and places cannot be linked by address. The address must change more often than the device is observed, and nothing else that identifies the device (such as its user-friendly name) may be exposed, otherwise the new addresses can still be linked together |
|
|
Term
| What is the BD_ADDR? What does it stand for? How long is it? |
|
Definition
A unique identifier given to each Bluetooth device
It stands for Bluetooth Device Address
It is 48 bits long, split into a 16-bit NAP, an 8-bit UAP and a 24-bit LAP. The LAP is the part from which the channel access code is derived, and (with the low 4 bits of the UAP) the hopping sequence |
|
|
Term
| What is an inquiry attack? |
|
Definition
| Scatter Bluetooth receivers around the area of interest and have them continually send inquiry messages. Every discoverable device answers with its BD_ADDR, so the responses reveal which devices are near which receiver, and a device can be tracked as it moves between them. |
|
|
Term
| Why is an inquiry attack limited? |
|
Definition
| If the target device is not in discoverable mode it does not answer inquiries, so the attack does not work. |
|
|
Term
| The limitation of an inquiry attack is that the device must be discoverable. Which other attack does not have this limitation? |
|
Definition
| A traffic monitoring attack |
|
|
Term
| How does a traffic monitoring attack work? |
|
Definition
The attacker simply monitors the communication between two of the victim's trusted devices. These devices communicate using a specific CAC (channel access code), which is computed from the device address of the master device in the piconet. An attacker can therefore identify the master devices in the area simply by monitoring all nearby traffic, with no need for either device to be discoverable |
|
|
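An added example, not part of the notes, tying the BD_ADDR, inquiry, traffic-monitoring and anonymity-mode cards together in Python: it splits a BD_ADDR into its NAP/UAP/LAP fields, links a constructed sniffer log into a location track by LAP (the part of the address that both an inquiry response and a piconet's channel access code give away), and then shows the same log as an address-randomising device would produce it. The log, the addresses and the rotation interval are constructed, and the anonymity mode is a simple simulation rather than a real Bluetooth implementation.

```python
"""Linking Bluetooth sightings into a location track, and why address randomisation breaks it.

Constructed example: the sniffer log below is made up, and the "anonymity mode"
device is simulated by re-issuing a fresh random BD_ADDR at a fixed interval.
"""
from collections import defaultdict
import os


def parse_bd_addr(text: str) -> dict:
    """Split a 48-bit BD_ADDR 'NN:NN:UU:LL:LL:LL' into NAP (16 bits), UAP (8) and LAP (24).

    The LAP is what a passive observer recovers from a piconet's channel access
    code, so it is the natural tracking identifier even when the full address is
    never announced in an inquiry response.
    """
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("BD_ADDR must be 48 bits")
    return {"nap": int.from_bytes(raw[:2], "big"), "uap": raw[2],
            "lap": int.from_bytes(raw[3:], "big")}


# Constructed sniffer log: (timestamp, sensor location, how the address was learned, BD_ADDR).
#   "inquiry" - the device answered an inquiry, so it was discoverable;
#   "cac"     - the LAP was recovered from the piconet's channel access code,
#               so the device did not need to be discoverable.
SIGHTINGS = [
    (1000, "lobby",   "inquiry", "00:1A:7D:DA:71:13"),
    (1010, "lobby",   "cac",     "00:1A:7D:DA:71:13"),
    (1300, "cafe",    "cac",     "00:1A:7D:DA:71:13"),
    (1305, "cafe",    "inquiry", "5C:F3:70:8B:22:9A"),   # an unrelated bystander
    (1900, "carpark", "cac",     "00:1A:7D:DA:71:13"),
]


def build_tracks(sightings):
    """Group sightings by LAP: every (time, place) at which the same identifier was seen."""
    tracks = defaultdict(list)
    for ts, where, _how, addr in sorted(sightings):
        tracks[parse_bd_addr(addr)["lap"]].append((ts, where))
    return dict(tracks)


def max_locations_linked(tracks) -> int:
    """How many distinct places the best-tracked identifier ties together."""
    return max(len({where for _ts, where in t}) for t in tracks.values())


def random_bd_addr() -> str:
    return ":".join(f"{b:02X}" for b in os.urandom(6))


def anonymity_mode(sightings, rotate_every: int):
    """Re-emit the log as it would look if every device picked a fresh random
    BD_ADDR every `rotate_every` seconds (a simulation of the anonymity mode)."""
    current = {}                 # true address -> (random address, time it was chosen)
    out = []
    for ts, where, how, addr in sorted(sightings):
        if addr not in current or ts - current[addr][1] >= rotate_every:
            current[addr] = (random_bd_addr(), ts)
        out.append((ts, where, how, current[addr][0]))
    return out


if __name__ == "__main__":
    fixed = max_locations_linked(build_tracks(SIGHTINGS))
    fast = max_locations_linked(build_tracks(anonymity_mode(SIGHTINGS, 300)))
    slow = max_locations_linked(build_tracks(anonymity_mode(SIGHTINGS, 10000)))
    print(f"fixed address: {fixed} locations linked")
    print(f"rotate every 300 s: {fast} location(s) linked")
    print(f"rotate every 10000 s: {slow} locations linked")
```

With fixed addresses the victim's LAP alone links lobby, cafe and car park. Rotating the address every 300 s breaks every link in this log, but rotating every 10000 s links all three places just as the fixed address did: the rotation interval has to be shorter than the gaps between an observer's sightings, which is the point the anonymity-mode card glosses over.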
Term
| What is a paging attack? |
|
Definition
| If you know the target's BD_ADDR, page it and wait for the ID packet to come back. If it does, the device is present. Unlike an inquiry, paging works whenever the device is connectable (performing page scan); it does not need to be discoverable. |
|
|
Term
| What is a frequency hopping attack? |
|
Definition
| The hopping sequence a piconet uses is derived from the master's device address and clock, so it repeats in a pattern specific to that master. An attacker who records the hopping pattern can recognise the same piconet again later and so track the master device. |
|
|
Term
| What is a 'user friendly name'? |
|
Definition
| A human-readable name the device announces, often the owner's name or the phone model. There is a Bluetooth command to request the user-friendly name of a device once it has been paged. |
|
|
Term
| What is a user friendly name attack? |
|
Definition
| Page the device and request its user-friendly name. Names are chosen by the owner and are often unique, so the name identifies the device and its owner and links its sightings together. |
|
|
Term
| List the three implementation attacks |
|
Definition
Bluejacking
Bluebugging
Bluesnarfing |
|
|
Term
| What is a bluesnarfing attack? |
|
Definition
The attacker is able to set up a connection to an (unpaired) victim’s device without alerting the victim or requiring the victim’s consent. After doing this, the attacker is able to access restricted portions of the victim’s personal data, such as the phone book, address book, and calendar. |
|
|
Term
| What is a bluejacking 'attack'? |
|
Definition
| Sending unsolicited messages to a nearby phone, typically by pushing a contact card whose name field carries the message. |
|
|
Term
| Is bluejacking a real threat to security? |
|
Definition
|
|
Term
| What is bluebugging (AKA the backdoor attack)? |
|
Definition
| Pair with the victim's device, then 'erase' the pairing from the victim's list of paired devices without actually deleting it from the link key database. |
|
|
Term
| Why bother with bluebugging? |
|
Definition
| The attacker keeps access to the device's services as a trusted device, while the user, who no longer sees the pairing listed, does not know this is possible. |
|
|