2 Flashcards
Bluetooth classic
Frequency:
Modulation:
Channel #:
H/S:
Data Rate:
Range:
Payload:
2.4 GHz
FHSS
79 Channels
1600
3 Mbps
10-100 m
none
What is the difference between Bluetooth smart and Bluetooth ready?
Smart - Can only connect to devices with Bluetooth low energy mode
Smart Ready - can connect to both new and old Bluetooth
Bluetooth low energy
Frequency:
modulation:
Channels? How many are data transfers and BD_ADDR advertisements?
H/S:
2.4 Ghz
FHSS
40, 37 tx, 3 adver
100 h/s
BLE ver4.0-4.2
Data rate:
Range:
Payload:
1 Mbps
10m
2-39 bytes
BLE ver 5.0-5.2
Data Rate:
Range:
Payload:
2 Mbps at 20 m, or 1 Mbps at 40 m
2 - 257 bytes
What does Bluetooth Low energy do for security?
Will send out a randomized BD_ADDR in order to prevent location tracking
Why is exploiting BT difficult?
Use of FHSS; based on a secret value
Standard equipment doesn't support it
What is it called that determines the hopping pattern of BT classic?
How long before it resets?
What are the two components it's made of?
Pseudorandom hopping pattern
23 hours
Master MAC
Clock value
What is the relationship within a piconet?
How many devices in total/different types?
Master-Slave
1 master, 7 slaves, 8 in total
What are the two device discovery modes? And what are their characteristics?
Discoverable:
Responds to Inquiry scans with inquiry response
Non-Discoverable
Cannot make new connections, doesn't respond to inquiry scans. Can still interact w/ devices they have previously interacted with
What is a BD_ADDR?
48-bit mac address of a bluetooth device
What parts make up the BD_ADDR?
SB:CD:DE:12:34:56
SB:CD - NAP Non-significant address part
First sixteen bits of BD_ADDR
DE - UAP Upper-address part
Last 8 bits of the OUI
12:34:56 - Lower-address part
last 24 bits of the MAC address
When is a BD_ADDR sent over the air?
Only when a device is in discoverable mode and never in the layer 2 header
What are the characteristics of the Host in a Bluetooth Protocol stack?
-Computer
-software-based
-upper-layer protocols
- Profiles are stored here
- easily accessible to developers
What are the characteristics of the Host Controller Interface (HCI) in a Bluetooth Protocol stack?
- Communication link b/w the host layer and the controller layer, *Last layer easily accessible by developers
What are the characteristics of the Controller (dongle) in a Bluetooth Protocol stack?
-hardware-based
-comes from a manufacturer
- encryption and authentication
- not accessible to developers
What is a Bluetooth Profile?
Defines additional functionality of a BT device; in order for BT devices to use certain functionality, they must be operating the same profile
What are the two types of authentications within BT?
Traditional pairing
Secure Simple Pairing
What is the Link Key made of in a traditional pairing?
What can be found during the initial pairing of a device
What is traditional pairing vulnerable to?
BD_ADDR
PIN
Random #s
Random #s
pin attacks
What is the Link Key made of in a secure simple pairing
Is it vulnerable to pin attacks? Why or why not?
ECC w/ the Diffie-Hellman key exchange
No, because the PIN isn't used in the creation of the key, preventing man-in-the-middle attacks
Bluetooth Power classes
What is the power/range of class 1?
100 mW, 100 m
Bluetooth Power classes
What is the power/range of class 1.5?
10 mW, 20 m
Bluetooth Power classes
What is the power/range of class 2?
2.5 mW, 10 m
Bluetooth Power classes
What is the power/range of class 3?
1 mW, 1 m
When trying to find the BD_ADDR what are the methods to do so?
- Active Discovery - Scanning inquiry response
- Passive Discovery - looking for label that has BD_ADDR
- Hybrid Discovery - off-by-one method, looking at the last byte of a Wi-Fi MAC address and adding or subtracting one from the last value to guess the BD_ADDR
- Traffic Analysis - reconstructing the BD_ADDR from a BT frame, taking the LAP from the sync word (which comes from the access code) and the UAP from the frame size of the payload
When trying to exploit BT Classic PIN attacks, what's the order?
Scan and recon for BD_ADDR using AD, PD, HD, TA > Get BD_ADDR from Inquiry Response > Brute Force PIN > get the link key
What is the repairing exploit in BT?
Disconnect Bluetooth devices to force them into another session and get another opportunity for an inquiry response
What is the vulnerability of Bluetooth low energy ver 4.0-4.2?
A weak temporary key
What is the Device Identity Manipulation?
- Happens before a connection
- Changing class information to bypass any connection restrictions
What exploit is abusing profiles?
Happens after a connection
- takes advantage of a preloaded profile for uses it was not designed for
RFID
Communication:
Frequencies(3):
Components(3):
Simplex “one way”
Low, High, Ultra High
Reader/Interrogator
Antennae
Tag
Within RFID what is the difference between an active and passive tag?
Active:
Power source?
Transmit capable?
range?
Devices?
Passive
Power source?
Transmit capable?
range?
Devices?
Active:
Power source
transmits 300 ft
Transponder: transmits when interrogated
Beacon: Transmits periodically
Passive:
No power Source
Can’t transmit
can be read 30 ft
What are the security concerns of RFID?
Skimming, tag data manipulation, jamming
NFC
Communication:
Freq:
Data Rate:
Range:
Components
Simplex, Half-duplex, and full duplex
13.56 MHz
424 kbps
4cm-10cm
initiator, target
What NFC mode of operation emulates a physical card?
Card emulation
What NFC mode of operation allows interaction w/an information source
Discovery
What NFC mode of operation has two NFC enabled devices to communicate directly to each other.
Peer-to-Peer communication
NFC Security?
Skimming
Tag manipulation
jamming
ZigBee
Layer 1 and Layers 2:
Layer 3 and Layer 4:
Frequency:
Data rate:
Range:
Topologies:
max # of hops:
max # of nodes:
IEEE 802.15.4
ZigBee
2.5 GHz
250 kbps
10-20m between nodes
star, tree, or mesh
unlimited
65,535
ZigBee device types:
__________ Trust center, can only be 1 in the network, All keys are unique and stored here
ZigBee Coordinator (Zc)
ZigBee device types:
____________ - forwards traffic
ZigBee Router (ZR)
ZigBee device types:
_____________ - can only communicate w/ a ZigBee Coordinator or a ZigBee Router. No peer-to-peer communication
ZigBee End Device (ZED)
What are the 2 security models of ZigBee?
Centralized - unique keys, (Zc)
Distributed - identical keys (no Zc)
What are the two security modes of ZigBee?
High Security- Enterprise
Standard - Residential
Zwave
Layer 1 and Layer 2:
Layer 3 and 4:
Frequency:
data rate:
Range:
Topologies:
max # of hops:
max # of nodes:
ITU-T Rec. G.9959
Zwave
Sub-1 GHz
100 kbps
100m b/w nodes
mesh only
4
232
What are Zwave's security characteristics?
Zsnare downgrade S2 > S0
- Optional encryption is Zwave's biggest threat