BlueTooth

Basic 基础原理

• Unlicensed 2.4 GHz radio band
  • ISM (industnal, scientific, medical band) band
• Supports up to 8 devices
• 蓝牙的通信范围最初是为了「体域」的近距离通信
  • 体域 PANs - personal area networks
• One unit will act as master 主设备
  • Sets clock and frequency hopping pattern
  • Can connect to 7 active or 255 inactive (parked) slaves
  • Determines bit rate allocated to each slave

Physical Layer 物理层设计

Frequency Hopping 跳频

• AFH: Adaptive Frequency Hopping
• 跳频的优点：频点随机跳跃，不易被监听，也能够抗干扰

Time Slots

• The basic piconet physical channel is divided into time slots, each 625 us in length.
• A time division duplex (TDD) scheme is used where master and slave altenatively transmit.

BLE: Bluetooth Low Energy 低功耗蓝牙

• new low power design 新低功耗设计
  • Bluetooth Smart technology: 0.01-0.5W
  • Classic Bluetooth technology: 1W
• 3ms latency from nonconnected state.
  • Classic Bluetooth: >100ms

Bluetooth Security 蓝牙安全

Security Modes of Bluetooth

• Security Mode 1: Non-Secure Mode
• Security Mode 2: Service level enforced security mode
  • 面向应用，服务级强制安全模式
  • 在物理链路建立之后，在逻辑链路建立之前启动
• Security Mode 3: Link level enforced security mode
  • 在物理链路建立之前启动

蓝牙安全性设置

• 0x2 蓝牙的信任模式
  • 受信任：设备已经域另一个设备建立固定关系，且对所有服务的访问不受限制
  • 不受信任：虽然已成功通过身份验证，但设备只能访问一组受限制的服务
• 0x3 设备的可发现性
• 0x4 蓝牙安全服务
  • 基于挑战/应答方式执行身份验证
  • PIN 码/SSP
• 0x5 其他安全功能
  • 自适应跳频
  • E0 加密算法
  • 不可见性
  • 配对

Bluetooth Attack 针对蓝牙的攻击

Threat Model 威胁模型

• Denial of service
  • Makes the device unusable and drains the mobile device battery.
• Fuzzing attacks
  • Sending malformed messages to the bluetooth device.
• Blue jacking
  • Uses IMEI identifier to route all the incoming calls.
• Blue snarfing
  • Causes harm when the user sends the data to the other user.

Sniffing Attack 嗅探攻击

1. 对广播信道的嗅探
2. 对通信过程的嗅探

Replay Attack 重放攻击