Bluetooth Security

Security considerations for wireless Bluetooth connections. Attacks such as BlueBorne, BIAS and BLUFFS have shown that Bluetooth devices can be compromised, impersonated or have their traffic decrypted without any user interaction. In enterprise environments, headsets, input devices and IoT devices are common attack vectors.

Bluetooth is everywhere: in headsets, laptops, smart cards, industrial devices and smartphones. The technology was designed for ease of use first and security second. Well-known attacks such as BlueBorne (2017) have shown that an unpatched device within Bluetooth range can be compromised without any user interaction.

Bluetooth Versions and Security Improvements

Bluetooth Classic (BR/EDR)

  • Version 1.x/2.0: legacy PIN pairing only; short or default PINs (0000/1234) are trivially brute-forced
  • Version 2.1 (2007): Secure Simple Pairing (SSP) with Diffie-Hellman key exchange and, for the first time, MITM protection via Numeric Comparison
  • Version 4.1 (2013): Secure Connections: P-256 ECDH and AES-CCM encryption replace the P-192 SSP exchange and the E0 stream cipher

Bluetooth Low Energy (BLE)

  • Introduced in Bluetooth 4.0 (2010)
  • Focus: battery life, not security
  • BLE pairing methods: Just Works, Passkey Entry, Out of Band (OOB) and, since LE Secure Connections, Numeric Comparison; only the last three protect against MITM
  • Bluetooth 5.0 (2016): longer range (up to 240 m with the Coded PHY!), which also extends the attacker's reach

Bluetooth 4.2 and later

  • LE Secure Connections (4.2, 2014): pairing via P-256 Elliptic Curve Diffie-Hellman instead of the legacy LE key exchange, which could be passively eavesdropped
  • 5.2: Enhanced ATT (EATT) allows concurrent ATT transactions; it requires an encrypted link but does not strengthen the encryption itself
  • Not yet implemented everywhere, especially not in low-cost IoT hardware!

Problem: Backward Compatibility

  • Many current devices still support legacy pairing and non-Secure-Connections links for compatibility
  • "Downgrade attack": the attacker forces the weaker variant, e.g. by clearing the Secure Connections flag or negotiating a short encryption key
  • Patch status: many IoT devices are never patched

Known Bluetooth Attacks

1. BlueBorne (2017; CVE-2017-0781, -0782, -0783, -0785 on Android, CVE-2017-1000250/-1000251 on Linux, plus further CVEs for Windows and iOS)

  • Discovered by: Armis
  • Affected: unpatched Windows, Linux, Android and (before iOS 10) iOS devices
  • Attack: a set of memory-corruption and logic flaws in the Bluetooth stacks themselves; exploitable without pairing, even with the target in non-discoverable mode
  • What happens: remote code execution on the target; because the exploit can attack any device in range, it is wormable; no user interaction required
  • Scale: ~5.3 billion devices potentially affected
  • Fix: vendor security patches (Windows, Android, Linux, iOS)
  • Lesson: turn off Bluetooth when not in use!

2. KNOB Attack (Key Negotiation of Bluetooth, 2019)

  • CVE: CVE-2019-9506
  • Attack: an attacker in the middle of the LMP key-size negotiation lowers the entropy of the encryption key to 1 byte; both devices accept because the specification allowed sizes down to 1
  • Result: only 256 possible keys, brute-forced in milliseconds → traffic decryption and injection
  • Affected: Bluetooth Classic (BR/EDR), virtually all devices before the 2019 fix (minimum key size raised to 7 bytes)
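To make the negotiation concrete, the following added example (not code from the glossary or from the KNOB researchers) models the key-size negotiation with an attacker in the middle and then brute-forces the 1-byte key. The LMP messages are reduced to function calls, SHA-256 in counter mode stands in for the E0 cipher so the script needs only the standard library, and the link key, device names and plaintext are constructed.

```python
"""KNOB (CVE-2019-9506) modelled end to end: key-size negotiation with an
attacker in the middle, followed by brute force of the reduced key.
Added example for this page, not code from the glossary or from the KNOB
authors. The LMP exchange is simplified to function calls, and SHA-256 in
counter mode stands in for Bluetooth's E0/AES-CCM so that the script runs
with the standard library only; the link key and plaintext are constructed."""
import hashlib
from dataclasses import dataclass
from itertools import product


@dataclass
class Device:
    name: str
    max_key_size: int = 16   # entropy (bytes) the device proposes, spec maximum
    min_key_size: int = 1    # smallest size it accepts; the spec allowed 1 before KNOB


def negotiate_key_size(initiator: Device, responder: Device, attacker_size=None):
    """Model LMP_encryption_key_size_req / LMP_accepted. If attacker_size is set,
    an attacker in the middle replaces the proposal each side sees with that
    value, which both accept as long as it is not below their minimum."""
    proposal = initiator.max_key_size if attacker_size is None else attacker_size
    agreed = min(proposal, responder.max_key_size)
    if agreed < responder.min_key_size or agreed < initiator.min_key_size:
        return None          # LMP_not_accepted: the link stays unencrypted or is dropped
    return agreed


def session_key(link_key: bytes, size: int) -> bytes:
    """Stand-in for the spec's key reduction: only `size` bytes of the link key
    contribute entropy, so the encryption key has 256**size possible values."""
    return hashlib.sha256(b"KNOB-sim" + link_key[:size]).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for E0: XOR with SHA-256(key || counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def brute_force(ciphertext: bytes, known_prefix: bytes, size: int):
    """Enumerate all 256**size reduced keys and return the entropy bytes whose
    key decrypts `ciphertext` to the expected known-plaintext prefix."""
    if size > 2:
        raise ValueError(f"{256 ** size} candidates: not brute-forceable here")
    for candidate in product(range(256), repeat=size):
        entropy = bytes(candidate)
        if keystream_xor(session_key(entropy, size), ciphertext).startswith(known_prefix):
            return entropy
    return None


def knob_demo():
    """Returns (negotiated size, recovered entropy, size with a patched peer)."""
    alice, bob = Device("alice"), Device("bob")
    link_key = bytes(range(0x10, 0x20))                     # constructed 16-byte link key
    size = negotiate_key_size(alice, bob, attacker_size=1)  # attacker forces 1 byte
    # Alice sends an HFP/AT-style command; the attacker guesses its fixed prefix
    ciphertext = keystream_xor(session_key(link_key, size), b"AT+CPBR=1,250\r")
    recovered = brute_force(ciphertext, b"AT+CPBR", size)
    bob_patched = Device("bob", min_key_size=7)             # post-KNOB minimum
    return size, recovered, negotiate_key_size(alice, bob_patched, attacker_size=1)


if __name__ == "__main__":
    print(knob_demo())   # (1, b'\x10', None)
```

The patched responder refuses the 1-byte proposal outright, which is exactly what the post-KNOB firmware updates and the raised specification minimum do; the attacker cannot talk either side into accepting a key shorter than its own minimum.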

3. BIAS (Bluetooth Impersonation AttackS, 2020)

  • Research: EPFL, CISPA and University of Oxford (Antonioli, Tippenhauer, Rasmussen); CVE-2020-10135
  • Attack: impersonate a previously paired device using only its Bluetooth address; legacy authentication is not mutual, and a role switch lets the attacker avoid proving knowledge of the link key
  • Result: authenticated connection without ever learning the link key; combined with KNOB, the traffic can also be decrypted
  • Affected: Bluetooth Classic (BR/EDR)

4. BLURtooth (2020)

  • CVE: CVE-2020-15802
  • Attack: exploit Cross-Transport Key Derivation (CTKD), which derives the key for one transport from a pairing on the other
  • Result: overwrite a strong, authenticated key with a weaker one obtained over the other transport, enabling MITM
  • Affected: dual-mode devices (Classic and BLE) with Bluetooth 4.2 to 5.0

5. BLUFFS (2023)

  • Research: EURECOM (Daniele Antonioli); CVE-2023-24023
  • Attack: force session key derivation with attacker-controlled inputs and minimal entropy, then brute-force that key and reuse it across sessions (breaks forward and future secrecy)
  • Result: decryption of past and future sessions, device impersonation and MITM
  • Affected: Bluetooth 4.2 to 5.4

6. Bluesnarfing

  • Steal data without the user’s knowledge
  • Contacts, calendar, SMS (via OBEX)
  • Older devices particularly vulnerable

7. Bluebugging

  • Take complete control of the device
  • Make calls, send SMS
  • Older devices, but also newer ones if vulnerabilities exist

Bluetooth in Enterprise Environments

Headsets / Headphones

  • Eavesdropping on meetings (microphone access)
  • Man-in-the-middle on audio stream
  • Rarely patched (firmware updates ignored by users)

> Recommendation: Use DECT instead of Bluetooth for conference rooms

Bluetooth mice and keyboards

  • Wireless keylogging and keystroke injection: the attacker types as the user. Note: the well-known MouseJack attack targets proprietary 2.4 GHz dongles, not Bluetooth; Bluetooth keyboards are at risk mainly through weak pairing (Just Works) and unpatched stacks
  • Range: up to 100 m with inexpensive dongles or directional antennas

> Recommendation: Wired or USB dongle with encryption

Smartcards / ID cards

  • Some NFC/Bluetooth access systems are vulnerable
  • Relay attack: two attacker devices forward the reader-card exchange over a second link, so a card 100 m away appears to be present at the reader

Printers with Bluetooth

  • Often default PIN (0000)
  • Intercept or inject print jobs

IoT sensors (BLE)

  • Industrial temperature sensors, smart locks
  • Often "Just Works" pairing: the link is encrypted, but neither side is authenticated, so a MITM during pairing is not detected
  • Replay attack on unauthenticated commands (lock open/close) whenever the command carries no counter or nonce
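As an added example for the replay risk described above (not code from the glossary or from any lock vendor), here is a constructed BLE lock command handler in two versions: the naive one that accepts a bare opcode written to its characteristic, and one that binds each command to a strictly increasing counter and an HMAC under a key assumed to be provisioned into phone and lock at pairing time. The opcodes, key and captured frames are all constructed.

```python
"""Replay protection for a BLE lock's command characteristic.
Added example for this page; the lock, its opcodes and the key are
constructed and not taken from any real product."""
import hashlib
import hmac
import struct

OP_UNLOCK, OP_LOCK = 0x01, 0x02
TAG_LEN = 16


class NaiveLock:
    """Accepts a bare one-byte opcode written to its characteristic.
    With Just Works pairing (or no pairing) nothing ties the write to the
    owner's phone, so a captured frame can simply be written again."""
    def __init__(self):
        self.unlocked = False

    def handle_write(self, frame: bytes) -> bool:
        if frame == bytes([OP_UNLOCK]):
            self.unlocked = True
            return True
        if frame == bytes([OP_LOCK]):
            self.unlocked = False
            return True
        return False


class AuthenticatedLock:
    """Frame = counter(4, big-endian) || opcode(1) || HMAC-SHA256 tag(16).
    The key is assumed to be provisioned into phone and lock at pairing
    time; the counter must strictly increase, so a replay is rejected."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.unlocked = False

    def handle_write(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        header, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or modified frame
        counter, opcode = struct.unpack(">IB", header)
        if counter <= self.last_counter:
            return False                      # replay: counter already used
        if opcode not in (OP_UNLOCK, OP_LOCK):
            return False
        self.last_counter = counter           # commit only after all checks pass
        self.unlocked = opcode == OP_UNLOCK
        return True


def build_command(key: bytes, counter: int, opcode: int) -> bytes:
    """What the owner's app sends; the counter is stored persistently on the phone."""
    header = struct.pack(">IB", counter, opcode)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


def replay_demo():
    """Sniff the owner's unlock, wait until the door is locked again, replay.
    Returns (naive_replay_accepted, authenticated_replay_accepted)."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed demo key
    naive, auth = NaiveLock(), AuthenticatedLock(key)

    sniffed_naive = bytes([OP_UNLOCK])              # captured with a BLE sniffer
    sniffed_auth = build_command(key, 1, OP_UNLOCK)
    assert naive.handle_write(sniffed_naive) and auth.handle_write(sniffed_auth)

    naive.handle_write(bytes([OP_LOCK]))            # owner locks the door again
    auth.handle_write(build_command(key, 2, OP_LOCK))

    return naive.handle_write(sniffed_naive), auth.handle_write(sniffed_auth)


if __name__ == "__main__":
    print(replay_demo())   # (True, False)
```

A counter requires both sides to keep state in sync; products that cannot guarantee that usually switch to a challenge-response scheme, where the lock sends a fresh random nonce and the phone signs it, which rejects replays for the same reason without any persistent counter.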

Medical Devices

  • Insulin pumps, pacemakers with BLE
  • FDA warnings due to BLE vulnerabilities
  • Critical: potential physical safety consequences

Protective Measures

For Devices

  1. Keep firmware/OS up to date:

    • BlueBorne, BIAS, BLUFFS: all fixed via patches
    • Windows Update, Android Security Update, iOS Update
    • Embedded devices: Enable manufacturer updates!
  2. Turn off Bluetooth when not in use:

    • No attack surface when off
    • Especially: Laptops in public spaces
    • Company policy: Bluetooth policy
  3. Disable discovery mode:

    • Device should not be visible to others
    • Connections only to already paired devices
    • iOS and Android are discoverable only while the Bluetooth settings screen is open; on Linux, run "bluetoothctl discoverable off" and keep DiscoverableTimeout in /etc/bluetooth/main.conf short
  4. Enforce strong pairing:

    • Numeric Comparison or Passkey Entry instead of "Just Works"; only these (and OOB) authenticate the peer
    • Legacy PIN pairing: never use default PINs (0000/1234); use the longest PIN the device supports (up to 16 digits). SSP and LE passkeys are fixed at 6 digits and are one-time values
    • Check: does the method authenticate both sides (mutual authentication), or is one side's identity never verified?
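The pairing-method rules are mechanical, so they can be audited in code. The following added helper (not from the glossary or from any Bluetooth stack) implements the IO-capability table from the Bluetooth Core Specification (Vol 3, Part H, Section 2.3.5.1) for both legacy pairing and LE Secure Connections, and goes slightly beyond the page by also modelling a "Secure Connections Only" policy that refuses the legacy downgrade described under backward compatibility. The device descriptions are constructed.

```python
"""BLE pairing-method selection (SMP) reproduced from the IO-capability
tables in Bluetooth Core Spec Vol 3, Part H, Section 2.3.5.1.
Added audit helper for this page, not code from the glossary or from any
Bluetooth stack; the device descriptions below are constructed."""
from dataclasses import dataclass
from enum import Enum


class IOCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YESNO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
    KEYBOARD_DISPLAY = "KeyboardDisplay"


@dataclass
class PairingPeer:
    """What a device announces in the SMP Pairing Request/Response."""
    io: IOCap
    mitm: bool = True                 # AuthReq MITM bit: asks for MITM protection
    secure_connections: bool = True   # AuthReq SC bit: supports LE Secure Connections
    oob: bool = False                 # OOB data flag: has out-of-band pairing data
    sc_only: bool = False             # local policy: refuse legacy pairing altogether


JUST_WORKS = "Just Works"
NUMERIC_COMPARISON = "Numeric Comparison"
PASSKEY_ENTRY = "Passkey Entry"
OOB = "Out of Band"
REJECTED = "Pairing rejected"


def select_method(init: PairingPeer, resp: PairingPeer):
    """Return (method, authenticated). 'authenticated' is True only for the
    association models that protect the pairing against a MITM."""
    # LESC is used only if both sides set the SC bit; otherwise legacy pairing
    lesc = init.secure_connections and resp.secure_connections
    if not lesc and (init.sc_only or resp.sc_only):
        return REJECTED, False        # "Secure Connections Only" blocks the downgrade
    # OOB: legacy needs OOB data on both sides, LESC on at least one side
    if (init.oob and resp.oob) or (lesc and (init.oob or resp.oob)):
        return OOB, True
    # Neither side asked for MITM protection: IO capabilities are ignored
    if not (init.mitm or resp.mitm):
        return JUST_WORKS, False
    if IOCap.NO_INPUT_NO_OUTPUT in (init.io, resp.io):
        return JUST_WORKS, False
    can_confirm = {IOCap.DISPLAY_YESNO, IOCap.KEYBOARD_DISPLAY}
    if init.io in can_confirm and resp.io in can_confirm:
        if lesc:
            return NUMERIC_COMPARISON, True
        # Legacy pairing has no Numeric Comparison: two DisplayYesNo devices
        # fall back to Just Works, a keyboard on either side gives Passkey Entry
        if init.io == IOCap.DISPLAY_YESNO and resp.io == IOCap.DISPLAY_YESNO:
            return JUST_WORKS, False
        return PASSKEY_ENTRY, True
    # Two devices that can only display cannot enter a passkey: Just Works
    if {init.io, resp.io} <= {IOCap.DISPLAY_ONLY, IOCap.DISPLAY_YESNO}:
        return JUST_WORKS, False
    # Every remaining combination has a keyboard on at least one side
    return PASSKEY_ENTRY, True


def audit(init: PairingPeer, resp: PairingPeer) -> str:
    method, authenticated = select_method(init, resp)
    verdict = "MITM-protected" if authenticated else "NOT MITM-protected"
    return f"{init.io.value} <-> {resp.io.value}: {method} ({verdict})"


if __name__ == "__main__":
    phone = PairingPeer(IOCap.KEYBOARD_DISPLAY)
    print(audit(phone, PairingPeer(IOCap.NO_INPUT_NO_OUTPUT)))     # typical BLE sensor
    print(audit(phone, PairingPeer(IOCap.DISPLAY_YESNO)))          # headset with confirm button
    print(audit(phone, PairingPeer(IOCap.DISPLAY_YESNO, secure_connections=False)))
    print(audit(PairingPeer(IOCap.KEYBOARD_DISPLAY, sc_only=True),
                PairingPeer(IOCap.DISPLAY_YESNO, secure_connections=False)))
```

Two things the table makes visible during a device review: a peripheral that declares NoInputNoOutput can never be paired with MITM protection, whatever the phone supports, and a peer that clears the SC bit silently turns a Numeric Comparison pairing into a legacy one unless the other side enforces Secure Connections Only.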

For businesses

  1. MDM / EMM:

    • Regulate Bluetooth usage via MDM
    • Allow pairing only with known/approved devices
    • Disable Bluetooth in high-security areas (MDM policy)
  2. Sensitive Areas: Bluetooth Policy:

    • Server rooms, development department, finance: no Bluetooth!
    • DECT phones instead of Bluetooth headsets
    • Wired mouse/keyboard
  3. Asset Tracking:

    • BLE scanners identify all devices within range
    • Unknown BLE devices → investigation
    • Caveat: public areas of the company site (lobby, visitor rooms, cafeteria) will show visitors' devices; correlate with location and persistence before escalating
  4. Security Awareness:

    • Employees: Disable Bluetooth in cafes/trains
    • Explain "Juice Jacking" and Bluetooth risks
    • Company laptops: no personal Bluetooth pairing

Bluetooth Penetration Testing (in authorized tests)

Tools for Bluetooth Security Testing

Reconnaissance:

  • hcitool: Classic Bluetooth inquiry scan and BLE scan (deprecated in BlueZ 5, but still shipped by most distributions)
  • bluetoothctl: interactive BlueZ console for discovery, pairing and trust management
  • gatttool: BLE GATT service enumeration (also deprecated; bluetoothctl's gatt menu covers the same)
  • BtleJuice: BLE proxy for man-in-the-middle between a device and its app (active, not passive)

# Scanning (hcitool lescan needs root)
hcitool scan                             # Classic Bluetooth inquiry
sudo hcitool lescan                      # BLE advertisers
bluetoothctl --timeout 15 scan on        # BlueZ discovery, Classic and BLE, for 15 s
gatttool -b <target-address> --primary   # enumerate primary GATT services

Vulnerability Analysis:

  • Wireshark: built-in Bluetooth dissectors (HCI, L2CAP, ATT/GATT, SMP); feed it captures from btmon or a sniffer
  • BtleJuice: BLE MITM proxy for modifying GATT traffic between device and app
  • Ubertooth One (hardware): over-the-air Bluetooth sniffing

Typical Test Procedures

  1. Device discovery (address, name, vendor ID from the advertisement or inquiry response)
  2. Service enumeration (which GATT services and characteristics, and which are writable without encryption or authentication?)
  3. Pairing test (Just Works? legacy PIN? which IO capabilities are announced?)
  4. Authentication test (can a previously paired device be impersonated, as in BIAS?)
  5. Data transfer test (Bluesnarfing possible? OBEX reachable without pairing?)
  6. Firmware version check (known CVEs for the stack or chipset?)
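Device discovery in step 1 and the BLE asset tracking recommended for businesses come down to the same task: parse what each advertiser broadcasts and compare it with an asset list. The following added example (not code from the glossary) parses BLE advertising data structures and flags devices missing from an allowlist; the scan results, the allowlist and the company-ID excerpt are constructed, and a real deployment would feed it the output of a BLE scanner instead.

```python
"""BLE advertisement parser and unknown-device triage.
Added example for this page; the scan results, the allowlist and the
company-ID excerpt are constructed. A real deployment would feed it the
output of a BLE scanner (e.g. bleak or btmon) instead."""

AD_FLAGS, AD_UUID16_MORE, AD_UUID16_COMPLETE = 0x01, 0x02, 0x03
AD_NAME_SHORT, AD_NAME_COMPLETE, AD_MANUFACTURER = 0x08, 0x09, 0xFF
UUID_HID = 0x1812           # Human Interface Device service: keyboards, mice

# Excerpt of the Bluetooth SIG company identifiers (assigned numbers)
COMPANY_IDS = {0x0006: "Microsoft", 0x004C: "Apple", 0x0059: "Nordic Semiconductor"}


def parse_ad(payload: bytes) -> dict:
    """Walk the AD structures: [length][type][data...], where length counts
    the type byte plus data. A length that runs past the payload marks the
    advertisement as malformed (fuzzed or buggy firmware) and stops parsing."""
    info = {"flags": None, "name": None, "uuids16": [], "manufacturer": None, "malformed": False}
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                       # zero-length structure: padding, stop
            break
        if i + 1 + length > len(payload):
            info["malformed"] = True
            break
        ad_type = payload[i + 1]
        data = payload[i + 2:i + 1 + length]
        if ad_type == AD_FLAGS and data:
            info["flags"] = data[0]
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            info["name"] = data.decode("utf-8", "replace")
        elif ad_type in (AD_UUID16_MORE, AD_UUID16_COMPLETE):
            info["uuids16"] += [int.from_bytes(data[j:j + 2], "little")
                                for j in range(0, len(data) - 1, 2)]
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            cid = int.from_bytes(data[:2], "little")
            info["manufacturer"] = COMPANY_IDS.get(cid, f"unknown company 0x{cid:04X}")
        i += 1 + length
    return info


def triage(scan_results, allowlist):
    """Return findings for every advertiser not on the asset allowlist,
    with notes on why it deserves a closer look."""
    findings = []
    for addr, rssi, payload in scan_results:
        if addr in allowlist:
            continue
        ad = parse_ad(payload)
        notes = []
        if UUID_HID in ad["uuids16"]:
            notes.append("advertises HID service (input device: injection risk)")
        if ad["malformed"]:
            notes.append("malformed advertisement")
        if ad["name"] is None and ad["manufacturer"] is None:
            notes.append("no name or manufacturer: possibly a random/private address")
        findings.append({"addr": addr, "rssi": rssi, "name": ad["name"],
                         "manufacturer": ad["manufacturer"], "notes": notes})
    return findings


# Constructed scan results: (address, RSSI in dBm, raw advertising payload)
SAMPLE_SCAN = [
    ("AA:BB:CC:DD:EE:01", -52, b"\x02\x01\x06" + b"\x0d\x09Conf-Headset"),
    ("7C:2F:80:11:22:33", -70, b"\x02\x01\x1a" + b"\x05\xff\x4c\x00\x10\x02"),
    ("C4:12:00:99:88:77", -61, b"\x02\x01\x06" + b"\x03\x03\x12\x18" + b"\x0c\x09BT-Keyboard"),
    ("5E:90:AB:CD:EF:12", -80, b"\x02\x01\x06" + b"\x09\x09AB"),
]
KNOWN_ASSETS = {"AA:BB:CC:DD:EE:01"}   # constructed asset allowlist

if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN, KNOWN_ASSETS):
        print(finding)
```

Most phones rotate random private addresses every few minutes, so an allowlist keyed on address only works for devices with static addresses (typical for headsets, keyboards and sensors); for everything else, correlate manufacturer data, names and dwell time before treating a hit as a finding.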