Wednesday, July 13, 2011

Discoverability is Not a Mitigating Factor

Four years after BlueSniff: Eve Meets Alice and Bluetooth by Dominic Spill and Andrea Bittau, people are still saying that Bluetooth vulnerabilities can be mitigated by turning off discoverability. If there is one thing that should have been learned from all of the Bluetooth security research done over the last few years, it is that a non-discoverable device is no safer than a discoverable one, but perhaps this message has been buried too deeply in technical presentations. Let me try to make this point clearer.

A discoverable Bluetooth device is one that is willing to respond to an inquiry, a single packet transmitted by any device looking for others. When you tell a device to "find new Bluetooth devices" it transmits a large number of inquiry packets and waits for responses. A discoverable device's inquiry response contains information including the device's address (BD_ADDR). This address can then be used by the inquirer to initiate a connection between the two devices.

Since most Bluetooth vulnerabilities can only be exploited once a connection is established, people used to recommend turning off discoverability. The reasoning was that, without a way to learn the target's address, an attacker would be unable to connect to the target and exploit any vulnerability. This idea that it is possible to keep a Bluetooth device address secret is completely wrong.

Turning off discoverability is like hiding the SSID of an 802.11 network. It prevents people from casually or accidentally connecting to your Bluetooth device. It might be worth doing for this reason alone, but I no longer recommend it as a security practice. Turning off discoverability does nothing to thwart skilled attackers. Worse, it creates a false sense of security and makes it harder for the good guys to notice that Bluetooth devices are in use.

A BD_ADDR is a 48 bit number (it's a MAC address) that is unique to a particular Bluetooth device. It consists of three sections, the 16 bit Non-Significant Address Part (NAP), the 8 bit Upper Address Part (UAP), and the 24 bit Lower Address Part (LAP). In order to connect to a target, an attacker needs only the UAP and LAP.

LAP sniffing is easy. Every Bluetooth packet contains the LAP in cleartext. Spill and Bittau showed how to sniff LAPs with a USRP for about $1000. Now it can be done with an Ubertooth One for about a tenth of that price. It can even be done using Travis Goodspeed's method for promiscuous sniffing with lower cost platforms. LAP sniffing has always been easy, but now the tools and methods are more well known.

The UAP is only slightly more difficult for an attacker to learn. Project Ubertooth and gr-bluetooth include software that implements automatic UAP determination based on passive observation of just a few packets. The function is integrated into the Ubertooth Kismet plugin. Even without this method, it isn't hard to figure out the 8 bit UAP. In Hacking Exposed Wireless, Second Edition, Joshua Wright showed how to determine the UAP with a simple brute force attack.

Turning off discoverable mode doesn't make your Bluetooth device any more secure. If your security model depends on secrecy of the BD_ADDR, you are doing it wrong.

And, by the way, frequency hopping doesn't help you either.

14 comments:

Agen Bola Terpercaya said...

Getting up in the morning is a sign that you can achieve the goal’s life better than yesterday.

Agen bola terpercaya

Agen Bola said...


Blog artikel kelinci ras holland lop netherland dwarf.
Agen Bola

Jenny Wijaya said...

1
2
3
4
5
6 osg777 download
7
8

Food Vlog brisbane said...

Thank you for sharing this informative post. Looking forward to read more.
Mechanics Brookevale | Car service rookvale

Saim Aly said...

avs video editor
iobit uninstaller pro crack
nearly dead game PC
universe sandbox 2 game download
easeus partition master crack
xilisoft video converter crack
hitman pro crack free
windows 11 enterprise product key

Charles Knott said...

Smadav Pro Crack
Adobe Photoshop CC Crack
AnyDesk Crack
Microsoft Office 2013 Product Key
V-Ray For SketchUp Crack
Norton Utilities Premium Crack
Master PDF Editor Crack
DP Animation Maker Free Download
MAGIX VEGAS Movie Studio Crack
KeyShot Pro Crack

go web said...

Thanks For Sharing You're article It is very useful us
satta matka trick
KALYAN MATKA
DP BOSS
MATKA RESULT
KALYAN WEEKLY MATKA
https://indianmatka.world/

casinosite777.info said...

Daebak! that’s what I was looking for, what a information! present here at this website 바카라사이트

baccaratsite.biz said...

It is very well written, and your points are well-expressed. I request you warmly, please, don’t ever stop writing.
바카라사이트

slotmachine777.site said...

Such an amazing and helpful post this is. I really really love it. It’s so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also. 릴게임

오공슬롯 said...

Looking at this article, I miss the time when I didn't wear a mask. 오공슬롯 Hopefully this corona will end soon. My blog is a blog that mainly posts pictures of daily life before Corona and landscapes at that time. If you want to remember that time again, please visit us.

oncasino said...

oncasino

메이저토토사이트^ said...

I’m very pleased to discover this site. I want to to thank you for ones time for this particularly wonderful read!! I definitely savored every part of it and i also have you saved as a favorite to see new information on your blog. 메이저토토사이트

Anonymous said...

QUALITY SSN DOB DL HIGH CREDIT SCORES Leads
CC with CVV Fullz (USA, UK, CANADA)
Tutorials & E-Books For Ethical Hacking
Tools For Everything You Need

I'm On Telegram = @killhacks & I C Q = 752822040

Stuff available for
(Spamming, Carding, Ethical Hacking, LINUX, Programming, Scripting, etc. )

Deals in all kind of Tools, Tutorials, E-books, Leads/Fullz/Pros
Availability 24/7
FASTEST DELIVERY

Build Your Own Business with proper guide & Legit Tools
Always glad to serve

GOOD LUCK
Here I'm:
I C Q = 752822040
Tele-gram = @killhacks