MOTILAL NEHRU NATIONAL INSTITUTE OF TECHNOLOGYALLAHABAD

SECURITY IN BLUETOOTH, CDMA AND

UMTS

BLUETOOTH System for short range wireless communication

Wireless data transfer via ACL link

Data rates up to 3 Mb/s

2.4 GHz ISM band (Industrial Scientific Medicine)

Typical communication range is 10-100 meters

Bluetooth SIG (Special Interest Group) developed the

technology

SECURITY THREATS

Disclosure Threat

Integrity Threat

Denial of Service (DoS)

ATTACKS

Snarf Attack

Backdoor Attack

BlueBug Attack

BlueJack Attack

Denial of Service Attack

BluePrinting Attack

SECURITY LEVELS AND MODES

Security Levels:

Silent

Private

Public

Security Modes:

Non Secure

Service Level Enforced Security

Link Level Enforced Security

AUTHENTICATION, AUTHORIZATION , ENCRYPTION

Authentication is the process of proving the identity of

one piconet member to another

Authorization determines whether the user is authorized

to have access to the services provided

Encryption is the process of encoding the information so

that no eavesdropper can read it

SECURITY OPERATIONS

AUTHENTICATION

AUTHORIZATION

ENCRYPTION

Encryption Mode 1

Encryption Mode 2

Encryption Mode 3

ENCRYPTION PROCEDURE

KNOWN VULNERABILITIES

Spoofing through Keys

Spoofing through a Bluetooth Address

PIN Length

COUNTERMEASURES Know your Environment

Be Invisible

Abstinence is best

Use only long PIN codes (16 case sensitive

alphanumerical characters)

Requiring Authentication for every L2CAP request

Using additional security at software level and an

additional password to physically protect the Bluetooth

devices

COUNTERMEASURES CONTD… Requiring re authentication always prior to access of a

sensitive information / service

To prevent Man-in-the-middle attack, approach is to

make it difficult for an attacker to lock onto the

frequency used for communication. Making the

frequency hopping intervals and patterns reasonably

unpredictable might help to prevent an attacker from

locking onto the devices signal.

PROPOSED SOLUTION FOR DOS ATTACK

When the pairing message is sent by one device

When the attacker is sending the message with the

address, which is already connected to Bluetooth device

When the pairing message sent by more than one device

When the attacker is changing the Bluetooth address of

itself with another Bluetooth address

UMTS security

UMTS system architecture (R99) is based on GSM/GPRS

POSSIBLE ATTACKS ON UMTS

Denial of service Identity catching Impersonation of the network Impersonation of the user

3G SECURITY FEATURES „ Mutual Authentication

The mobile user and the serving network authenticate each other

„ Data Integrity Signaling messages between the mobile station and RNC

protected by integrity code Network to Network Security Secure communication between serving networks. IPsec

suggested Secure IMSI (International Mobile Subscriber

Identity) Usage The user is assigned a temporary IMSI by the serving

network

3G SECURITY FEATURES CONTD…

� User – Mobile Station Authentication

The user and the mobile station share a secret key, PIN � Secure Services

Protect against misuse of services provided by the home network and the serving network

� Secure Applications

Provide security for applications resident on mobile station

AUTHENTICATION AND KEY AGREEMENT

„ AuC and USIM share

permanent secret key K

Message authentication functions f1, f1*, f2

key generating functions f3, f4, f5

„ AuC has a random number generator

„ AuC has scheme to generate fresh sequence numbers

„ USIM has scheme to verify freshness of received

sequence numbers

AUTHENTICATION AND KEY AGREEMENT

128 bit secret key K is shared between the home network and the mobile user

Home Network Mobile station

Complete Message flow for successful AKA

Encryption

Integrity Check

NETWORK DOMAIN SECURITY IPSec

IP traffic between networks can be protected with IPSEC between security gateways

Encapsulating Security Payload (ESP) is used for protection of packets

ESP is always used in tunnel mode Advance Encryption Standard (AES)

CDMA

CODE DIVISION MULTIPLE ACCESS (CDMA)

Channel access method used by various radio

communication technology

Employs spread spectrum technology and a special

coding scheme

Attacks are very difficult and rare

DIFFERENCE BETWEEN CDMA, TDMA AND FDMA

TYPES OF CDMA

Frequency Hopping Spread Spectrum CDMA

Direct Sequence Spread Spectrum CDMA

SECURITY

By design, CDMA technology makes eavesdropping very

difficult

42-bit PN (Pseudo Random Noise) sequence

64-bit authentication key (A-Key)

Electronic Serial Number (ESN) of the mobile

AUTHENTICATION

AUTHENTICATION MODEL

ENCRYPTION

Thank You!!!!!