BlueDump

Jun 2005

1 min read

Bluetooth Classic Security Vulnerability Denial of Service

bluetooth classic security vulnerability denial of service

BlueDumping is the act of causing a Bluetooth device to ‘dump’ it’s stored link key, thereby creating an opportunity for key-exchange sniffing to take place. The attacks on link keys and PINs were first publicised by Ollie Whitehouse, at CanSecWest, in which he describes a method by which the PIN and link-keys can be obtained if a pairing event can be witnessed with a Bluetooth sniffer. More recently, Shaked and Wool have proposed a method by which the key attack can be enhanced, bringing it to near-realtime, as well as a method for forcing the key-exchange to take place at a time of the attacker’s choosing.

Method

In order to perfom a BlueDump attack, the attacker needs to know the BDADDR of a set of paired devices. The attacker spoofs the address of one of the devices and connects to the other. Since the attacker has no link key, when the target device requests authentication, the attacker’s device will respond with an ‘HCI_Link_Key_Request_Negative_Reply’, which will, in some cases, cause the target device to delete it’s own link key and go into pairing mode.

People Involved

For questions about the BlueDump attack, feel free to ask Adam Laurie, Marcel Holtmann or Martin Herfurt.

Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.

Adam Laurie is Chief Security Officer and a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties.

Marcel Holtmann is the maintainer and the core developer of the official Linux Bluetooth stack which is called BlueZ. He started working with the Bluetooth technology back in 2001. His work includes new hardware drivers, upper layer protocol implementations and the integration of Bluetooth into other subsystems of the Linux kernel.