Professional Documents
Culture Documents
Cracking The Bluetooth PIN: Yaniv Shaked and Avishai Wool
Cracking The Bluetooth PIN: Yaniv Shaked and Avishai Wool
Cracking The Bluetooth PIN: Yaniv Shaked and Avishai Wool
USENIX Association MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services 39
Term Explanation Broadcasted
Master Slave
PIN Personal Identification Number. (A) messages (B)
The PIN code is 1-8 bytes long (8-
128 bits). However, most devices Randomize 128bit
use PIN sizes of 4 decimal digits. IN_RAND
BD ADDR Each Bluetooth device has a 48 bit IN_RAND
unique address that is called the (128bit)
Bluetooth Device Address.
BD _AD D R
IN _R AND
PIN
BD _AD D R
IN _R AND
PIN
Pairing The process in which two (or more)
Bluetooth devices hook up to cre-
ate a shared secret value called
Kinit . The Kinit forms the ba-
sis for all future Bluetooth negoti- E22 E22
ations between these two devices.
K_init
K_init
Table 1: List of terms
40 MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services USENIX Association
Master Broadcasted Slave
(A) messages (B)
Randomize K init K init Randomize
128bit 128bit
LK_RAND A LK_RAND B
LK_RANDA K init
LK_RAND B
Kinit
LK_R AN DA
LK_R AN DB
BD _ADDR A
LK_R AN DB
BD _ADD R A
BD _ADD R B
LK_R AND A
BD _ADD R B
E21 E21 E21 E21
K ab K ab
some devices (like wireless earphones) the PIN is fixed devices have a variable PIN, BD ADDRB shall be used.
and cannot be changed. In such cases, the fixed PIN is The Bluetooth device address can be obtained via an in-
entered into the peer device. If two devices have a fixed quiry routine by a device. This is usually done before
PIN, they cannot be paired, and therefore cannot commu- connection establishment begins. A detailed explanation
nicate. In the following sections we go into the details of of the inner design of E22 can be found in Appendix B.1.
the steps of the pairing process. This initialization key (Kinit ) is used only during the
pairing process. Upon the creation of the link key (Kab ),
2.1.1 Creation of Kinit the Kinit key is discarded.
USENIX Association MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services 41
Note that E21 is used twice is each device, with two sets Verifier Broadcasted Claimant
of inputs. Figure 2 describes how the link key Kab is (A) messages (B)
created. A detailed explanation of the inner design of Randomize 128bit
E21 can be found in Appendix B.2. AU_RAND A
AU_RAND A
AU _RAN D A
B D_AD D RB
K AB
B D_AD D RB
K AB
A U_R AN DA
2.1.3 Mutual authentication
Upon creation of the link key Kab , mutual authentica-
tion is performed. This process is based on a challenge-
response scheme. One of the devices, the verifier, ran-
domizes and sends (in plaintext) a 128 bit word called E1 E1
AU RANDA . The other device, the claimant, calculates
a 32 bit word called SRES using an algorithm E1 . The
claimant sends the 32 bit SRES word as a reply to the ver- SRES A SRES A ’
(32bit) (32bit)
ifier, who verifies (by performing the same calculations)
NO SRES A = SRES A ’
the response word. If the response word is successful, Halt
SRES A ’?
the verifier and the claimant change roles and repeat the
entire process. Figure 3 describes the process of mutual
YES
authentication. The inputs to E1 are:
1. The random word AU RANDA . Switch role and
repeat process
2. The link key Kab .
3. Its own Bluetooth device address (BD ADDRB ). Figure 3: Mutual authentication process using E1
42 MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services USENIX Association
128 bit input 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
K1 K 2r-1
SAFER Round, r=1
K2
K3 e l l e e l l e e l l e e l l e
SAFER Round, r=2
K4
K5 K 2r
SAFER Round, r=3
K6
K7 PHT PHT PHT PHT PHT PHT PHT PHT
SAFER Round, r=4
K8
K9
128 bit SAFER Round, r=5 Permute: 8 11 12 15 2 1 6 5 10 9 14 13 0 7 4 3
K 10
key
K 11
SAFER Round, r=6
K 12 PHT PHT PHT PHT PHT PHT PHT PHT
K 13
SAFER Round, r=7
K 14 Permute: 8 11 12 15 2 1 6 5 10 9 14 13 0 7 4 3
K 15
SAFER Round, r=8
K 16 PHT PHT PHT PHT PHT PHT PHT PHT
KSA
K 17 Bitwise XOR Permute: 8 11 12 15 2 1 6 5 10 9 14 13 0 7 4 3
- bitwise xor
mentation is given in equations (1) and (2):
e(x) = (45x (mod 257)) mod 256 (1) Figure 5: Structure of one SAFER+ round
USENIX Association MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services 43
PIN’=0
4.1.1 The “as-is” version
44 MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services USENIX Association
4.4 Algebraic Manipulation PIN Length (digits) Time (seconds)
4 0.063
Our most interesting and most effective optimization is 5 0.75
the algebraic manipulation of the SAFER+ round. A key 6 7.609
observation is that almost the entire SAFER+ round2 can 7 76.127
be implemented as a 16x16 matrix multiplying the vec-
tor of 16 input bytes (all operations modulo 256). This is Table 3: Summary of results obtained running the last
possible since the operations used in the Armenian shuf- version on a Pentium IV 3Ghz HT computer.
fles and Pseudo Hadamard Transformations are linear.
By tracing back through the Shuffles and PHT boxes we
computed the 16x16 matrix coefficients as follows: columns. Furthermore, the product of the other coeffi-
cients can be calculated once and used for both columns,
2 2 1 1 16 8 2 1 4 2 4 2 1 1 4 4 since they differ only by a factor of 2.
1 1 1 1 8 4 2 1 2 1 4 2 1 1 2 2 The fact that the coefficients are all powers of 2 is also
1 1 4 4 2 1 4 2 4 2 16 8 2 2 1 1 helpful, since instead of using multiplication operations,
1 1 2 2 2 1 2 1 4 2 8 4 1 1 1 1 the calculation is done using a shift left operation.
4 4 2 1 4 2 4 2 16 8 1 1 1 1 2 2 The next pseudo code depicts the calculation proce-
2 2 2 1 2 1 4 2 8 4 1 1 1 1 1 1 dure for two columns. Note the saving in shift oper-
1 1 4 2 4 2 16 8 2 1 2 2 4 4 1 1 ations, done by arranging the add operation in an ap-
1 1 2 1 4 2 8 4 2 1 1 1 2 2 1 1 propriate manner. The input vector is denoted by X =
2 1 16 8 1 1 2 2 1 1 4 4 4 2 4 2 (x0 , ..., x15 ), and we show the calculation of the outputs
2 1 8 4 1 1 1 1 1 1 2 2 4 2 2 1 y0 and y1 :
4 2 4 2 4 4 1 1 2 2 1 1 16 8 2 1
2 1 4 2 2 2 1 1 1 1 1 1 8 4 2 1 h1 = x 1 + x 2 + x 3 + x 6 + x 7 +
4 2 2 2 1 1 4 4 1 1 4 2 2 1 16 8
2(x0 + x5 + 2(x4 ))
4 2 1 1 1 1 2 2 1 1 2 1 2 1 8 4
16
h2 = x8 + x9 + x11 +
8 1 1 2 2 1 1 4 4 2 1 4 2 4 2
8 4 1 1 1 1 1 1 2 2 2 1 2 1 4 2 2(x10 + x12 + x13 + 2(x15 + 2(x14 )))
y1 = h 1 + h 2
Our goal is to implement the multiplication (a 16 co- y0 = y 1 + h 2
efficients vector by a 16x16 matrix) faster than the tradi-
tional implementation of the Armenian shuffles and the How fast is the new implementation?
PHT. A naive implementation of multiplying the vec- This implementation consists of 5 shift left operations,
tor with each column of the matrix would have taken 16 add operations, 2 load operations and 2 store opera-
16 multiplication operations and 16 add operations for tions. This yields 25 operations per 2 columns, 200 op-
each column: 32 operations for each column, yielding erations for the entire matrix multiplication: 30% fewer
512 operations for the entire matrix (plus load and store than needed in the normal implementation.
operations). Such an implementation is slower than the
traditional one: We found that each PHT box consists of
7 operations, the Armenian shuffle consist of 32 opera- 4.5 Results
tions. This yields 320 operations for the traditional im-
plementation (32 PHT boxes and 3 Armenian shuffles). This subsection presents the cracking time of the five ver-
However, a careful examination of the above matrix sions. All the versions were run on an old Pentium III
shows that we can do much better. A much faster imple- 450MHz Personal Computer. For each version we tried
mentation is possible because the matrix has a great deal several PIN sizes, ranging from 4 to 7 decimal digits.
of structure, and because all the coefficients are powers Figure 7 compares the results obtained from all five
of 2. versions. The Y axis denotes the running time in seconds
Observe that every pair of consecutive columns, start- (logarithmic scale), and the X axis denotes the number of
ing with the two leftmost columns, are identical in half of decimal digits the PIN contains.
their coefficients. All other coefficients in the left column The final version improves the cracking speed by a
are equal to twice the value of the coefficients in the right factor of 10, and brings the time to crack a 4-digit PIN
column. This structure is very useful, since the result down to 0.27 sec. To gain some insight on how the at-
of multiplication of half the column can be used in both tack improves with stronger hardware, we also ran our
best attack version on a Pentium IV 3Ghz HT. On this
2 Except the lookup tables e and l and the key addition steps. computer we were able to crack a 4-digit PIN in 63 msec
USENIX Association MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services 45
Timing Test Results
10000
2596.82
1000 1134.87
577.16
437.64
260.35 269.58
As-Is Version
100 113.53
Time (Sec.)
1 1.15
0.55
0.44
0.27
0.1
4 5 6 7
# of PIN digits
(see Table 3) – 4 time faster than on the Pentium III. This 5.2 Attack details
makes the attack near-real-time.
Assume that two Bluetooth devices that have already
been paired before now intend to establish communica-
tion again. This means that they don’t need to create the
link key Kab again, since they have already created and
5 The Re-Pairing attack stored it before. They proceed directly to the Authentica-
tion phase (Recall Figure 3). We describe three different
methods that can be used to force the devices to repeat
5.1 Background and motivation the pairing process. The efficiency of each method de-
pends on the implementation of the Bluetooth core in the
device under attack. These methods appear in order of
This section describes an additional attack on Bluetooth efficiency:
devices that is useful when used in conjunction with the
primary attack described in Section 3. Recall that the pri- 1. Since the devices skipped the pairing process and
mary attack is only applicable if the attacker has eaves- proceeded directly to the Authentication phase, the
dropped on the entire process of pairing and authentica- master device sends the slave an AU RAND mes-
tion. This is a major limitation since the pairing process sage, and expects the SRES message in return. Note
is rarely repeated. Once the link key Kab is created, each that Bluetooth specifications allow a Bluetooth de-
Bluetooth device stores it for possible future communi- vice to forget a link key. In such a case, the slave
cation with the peer device. If at a later point in time the sends an LMP not accepted message in return, to
device initiates communication with the same peer - the let the master know it has forgotten the link key
stored link key is used and the pairing process is skipped. (see subsection 4.2.1.2 “Claimant has no link key”
Our second attack exploits the connection establishment of Part C of Vol 2 of [Blu03]). Therefore, after the
protocol to force the communicating devices to repeat master device has sent the AU RAND message to
the pairing process. This allows the attacker to record all the slave, the attacker injects a LMP not accepted
the messages and crack the PIN using the primary attack message toward the master. The master will be con-
described in this paper. vinced that the slave has lost the link key and pairing
46 MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services USENIX Association
will be restarted (see subsection 5.1 “AUTHENTI- 3. If the slave device verifies that the message it
CATION” of Part C of Vol 3 of [Blu03]). Restart- receives is from the correct BD ADDR, then the
ing the pairing procedure causes the master to dis- attack requires the injected message to have its
card the link key (see subsection 6.5 “BONDING” source BD ADDR “spoofed” - again requiring cus-
of Part C of Vol 3 of [Blu03]). This assures pairing tom hardware.
must be done before devices can authenticate again.
4. If the attack is successful, the Bluetooth user will
2. At the beginning of the Authentication phase, the need to enter the PIN again - so a suspicious user
master device is supposed to send the AU RAND to may realize that his Bluetooth device is under attack
the slave. If before doing so, the attacker injects a and refuse to enter the PIN.
IN RAND message toward the slave, the slave de-
vice will be convinced the master has lost the link
key and pairing is restarted. This will cause the con- 6 Countermeasures
nection establishment to restart.
This section details the countermeasures one should con-
3. During the Authentication phase, the master de- sider when using a Bluetooth device. These countermea-
vice sends the slave an AU RAND message, and ex- sures will reduce the probability of being subjected to
pects a SRES message in return. If, after the mas- both attacks and the vulnerability to these attacks.
ter has sent the AU RAND message, an attacker in- Since Bluetooth is a wireless technology, it is very dif-
jects a random SRES message toward the master, ficult to avoid Bluetooth signals from leaking outside the
this will cause the Authentication phase to restart, desired boundaries. Therefore, one should follow the rec-
and repeated attempts will be made (see subsection ommendation in the Bluetooth standard and refrain from
5.1 “REPEATED ATTEMPTS” of Part H of Vol 2 entering the PIN into the Bluetooth device for pairing
of [Blu03]). At some point, after a certain number as much as possible. This reduces the risk of an attacker
of failed authentication attempts, the master device eavesdropping on the pairing process and finding the PIN
is expected to declare that the authentication pro- used.
cedure has failed (implementation dependent) and Most Bluetooth devices save the link key (Kab ) in
initiate pairing (see subsection 5.1 “AUTHENTICA- non-volatile memory for future use. This way, when
TION” of Part C of Vol 3 of [Blu03]). the same Bluetooth devices wish to communicate again,
The three methods described above cause one of the they use the stored link key. However, there is another
devices to discard its link key. This assures the pairing mode of work, which requires entering the PIN into both
process will occur during the next connection establish- devices every time they wish to communicate, even if
ment, so the attacker will be able to eavesdrop on the en- they have already been paired before. This mode gives a
tire process, and use the method described in Section 3 false sense of security! Starting the pairing process every
to crack the PIN. time increases the probability of an attacker eavesdrop-
In order to make the attack “online”, the attacker can ping on the messages transferred. We suggest not to use
save all the messages transferred between the devices af- this mode of work.
ter the pairing is complete. After breaking the PIN (0.06- Finally, the PIN length ranges from 8 to 128 bits. Most
0.3 sec for a 4 digit PIN), the attacker can decode the manufacturers use a 4 digit PIN and supply it with the
saved messages, and continue to eavesdrop and decode device. Obviously, customers should demand the ability
the communication on the fly. Since Bluetooth supports to use longer PINs.
a bit rate of 1 Megabit per second (see Part A of Vol 1
of [Blu03]), a 40KB buffer is more than enough for the 7 Conclusion
common case of a 4 digit PIN.
Notes: This paper describes the implementation of an attack on
the Bluetooth security mechanism. Our results show that
1. The Bluetooth specification does allow devices to
using algebraic optimizations, the most common Blue-
forget link keys and to require repeating the pairing
tooth PIN can be cracked within less than 0.06-0.3 sec-
process. This fact makes the re-pairing attack appli-
onds. If two Bluetooth devices perform pairing in a hos-
cable.
tile area, they are vulnerable to this attack.
2. Re-Pairing is an active attack, that requires the at-
tacker to inject a specific message at a precise point References
in the protocol. This most likely needs a cus-
tom Bluetooth device since off-the-shelf compo- [Arm02] Frederik Armknecht. A linearization attack on the
nents will be unable to support such behavior. Bluetooth key stream generator. Cryptology ePrint
USENIX Association MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services 47
Archive, report 2002/191, available from http:// A Detailed specifications of SAFER+
eprint.iacr.org/2002/191/, 2002.
[Blu03] Specification of the Bluetooth system, v.1.2. A.1 SAFER+ Key Scheduling Algorithm
Core specification, available from http://www.
bluetooth.org/spec, 2003. In continuation to section 2.2.1, the key scheduling algo-
rithm uses 16 constant Bias vectors. The Bias vectors,
[Blu04] Bluejackq. http://www.bluejackq.com/,
denoted B2 to B17 , are derived from the following equa-
2004.
tion:
[FL01] Scott R. Fluhrer and Stefan Lucks. Analysis of
17c+i+1
the E0 encryption system. In Proc. 8th Workshop Bc [i] = ((45(45 mod 257)
mod 257) mod 256),
on Selected Areas in Cryptography, LNCS 2259.
Springer-Verlag, 2001. for i = 0, .., 15.
[Flu02] Scott R. Fluhrer. Improved key recovery
One bias vector is used in each step, except for the first
of level 1 of the Bluetooth encryption sys-
step. Note that the first step doesn’t contain the cyclic
tem. Cryptology ePrint Archive, report 2002/068,
available from http://eprint.iacr.org/ rotate. Figure 8 describes the entire process of the key
2002/068/, 2002. scheduling algorithm in SAFER+.
[HN99] Miia Hermelin and Kaisa Nyberg. Correlation prop-
erties of the Bluetooth combiner generator. In Infor- A.2 SAFER+ modified version
mation Security and Cryptology, LNCS 1787, pages
17–29. Springer-Verlag, 1999. Besides using SAFER+ as is, Bluetooth uses a slightly
modified version of SAFER+. This modified version is
[JW01] Markus Jakobsson and Susanne Wetzel. Security
weaknesses in Bluetooth. In Proc. RSA Security identical to the original SAFER+ implementation, only
Conf. – Cryptographer’s Track, LNCS 2020, pages it also combines the input of SAFER+’s round 1 to the
176–191. Springer-Verlag, 2001. input of round 3: Some bytes are xored and some are
[Kra02] Matthias Krause. BDD-based cryptanalysis of added. This combination is done to make the modified
keystream generators. In L. Knudsen, editor, Ad- version non-invertible. Figure 9 describes how the input
vances in Cryptology – EUROCRYPT’02, LNCS of round 1 is combined with the input of round 3.
1462, pages 222–237. Springer-Verlag, 2002. As stated before, all of the algorithms used dur-
[Lau03] Adam Laurie. Serious flaws in Bluetooth security ing Bluetooth pairing and authentication process, use
lead to disclosure of personal data. http://www. SAFER+ as is, or the modified version of SAFER+. In
bluestumbler.org, 2003. the remainder of this paper, SAFER+ is denoted as Ar ,
0
[LV04] Y. Lu and S. Vaudenay. Faster correlation attack on and the modified version of SAFER+ is denoted as Ar .
Bluetooth keystream generator E0. In Advances in Next subsections describe how E22 , E21 , E1 are imple-
Cryptology – CRYPTO’04, LNCS 3152, pages 407– mented using SAFER+.
425. Springer-Verlag, 2004.
[LW05] Ophir Levy and Avishai Wool. A uniform frame- B SAFER+ Based Algorithms
work for cryptanalysis of the Bluetooth E0 cipher.
Cryptology ePrint Archive, Report 2005/107, 2005.
http://eprint.iacr.org/2005/107.
B.1 Inner design of E22
[MKK98] J. L. Massey, G. H. Khachatrian, and M. K. Kure- As described in subsection 2.1, E22 is used to generate
gian. SAFER+. In Proc. First Advanced Encryption the initialization key. The inputs used are:
Standard Candidate Conference. National Institute
of Standards and Technology (NIST), 1998. 1. a BD ADDR (48 bits long).
[Reh03] Gregory Rehm. 802.11b homebrew WiFi an- 2. the PIN code and its length L.
tenna shootout. http://www.turnpoint.
net/wireless/has.html, 2003. 3. a 128 bit random number IN RAND.
[Whi03] Ollie Whitehouse. War nibbling: Bluetooth
insecurity. http://www.atstake.com/ At first, the PIN and the BD ADDR are combined to cre-
research/reports/acrobat/atstake_ ate a new word: if the PIN contains less than 16 bytes,
war_nibbling.pd%f, 2003. some of the BD ADDR bytes are appended to the PIN. If
[Whi04] Ollie Whitehouse. Bluetooth: Red fang, blue the PIN is less than 10 bytes long, all bytes of BD ADDR
fang. CanSecWest/core04. Available from shall be used. Let PIN’ denote the new word created,
http://www.cansecwest.com/csw04/ and L’ denote the number of bytes the new word con-
csw04-Whitehouse.pdf, April 2004. Van- tains. Now, if L’ is less than 16, the new word is cyclic
couver, CA. expanded till it contains 16 bytes. Let PIN” denote this
48 MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services USENIX Association
128 bit input
Sum all 16
bytes bit by bit
modulo 2
Select bytes
0 1 2 13 14 15 16 K1
0,1,2,…,14,15
Select bytes + 16 K2
0 1 2 13 14 15 16
1,2,…,14,15,16
Select bytes + 16
0 1 2 13 14 15 16 K3
2,…,14,15,16,0
Select bytes + 16 K 17
0 1 2 13 14 15 16
16,0,…,13,14
B 17
second new word. PIN” is used as the 128 bit input key
0
B.3 Inner design of E1
of Ar . IN RAND is used as the 128 bit input data, af-
As described in subsection 2.1, E1 is used to perform
ter xoring the most significant byte with L’. Figure 10
mutual-authentication. The inputs used are:
describes the inner design of E22 .
1. A random word AU RANDA .
B.2 Inner design of E21 2. The link key Kab .
As described in subsection 2.1, E21 is used to generate 3. a BD ADDR (48 bits long).
the link key. The inputs used are: 0
The inner design of E1 contains both Ar and Ar . The
1. a BD ADDR (48 bits long). link key is used twice. Once, it is supplied as is for the
key input of Ar . Later, it goes through a transformation
0
2. a 128 bit random number LK RAND. denoted Offset and supplied as the key input of Ar . The
“Offset” transformation consists of adding and xoring its
At first, the BD ADDR is cyclic expanded to form a 128 bytes with some constants. For the full description of
0
bit word which is used as the input data of Ar . The this transformation see page 778 of part H of Vol 2 of
0
key used for Ar consists of the 128 bit random number [Blu03].
LK RAND, after xoring its most significant byte with 6 As for the BD ADDR, it is cyclic expanded to form a 128
(result denoted LK RAND’). Figure 11 describes the in- bit word denoted BD ADDR’. The inner design of E1 is
ner design of E21 . depicted in figure 12.
USENIX Association MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services 49
- Addition modulo 256
Round 1
- bitwise xor
Round 2
Xor/Add Modulo 16
byte-by-byte the input of
round 1 with the output of
Round 3 round 2 to form the input
of round 3
Combine
IN_RAND[15]^=L’
PIN &
BD_ADDR (K ab ,16) (AU_RAND,16) (BD_ADDR,6)
(PIN’, L’)
(PIN’’,16)
Expansion Ar’
Ar
Expansion
(K init,16)
Offset
Figure 10: Inner design of E22 (BD_ADDR’,16)
~
(LK_RAND,16) (BD_ADDR,6) K ab
A r’
Expansion
(BD_ADDR’,16)
- 16 xor operations
LK_RAND[15]^=6 Ar ’
Figure 12: Inner design of E1
(LK_K ,16)
50 MobiSys ’05: The Third International Conference on Mobile Systems, Applications, and Services USENIX Association