A BlueDump is an attack in which the attacker tricks a Bluetooth device into abandoning its link key and pairing with the attacker's Bluetooth device instead, after which the attacker can use that pairing for illegitimate activities.
What is BlueDump Attack?
Let’s understand in detail what it actually is:
To secure communication of data, Bluetooth provides an authentication mechanism. Whenever a Bluetooth device wants to pair with another Bluetooth device, both of them have to provide a PIN. A verification process then starts, and if the other device is successfully authenticated, a connection is established.
So, here is how the authentication works:
Let's say device B wants to connect with device A, so device B has to authenticate itself to device A.
To initiate a connection, the users of both devices enter a PIN, which can be up to 16 octets long.
A 128-bit link key is generated using the PIN code entered.
Device B, which wants to connect to device A, sends its 48-bit address or BD_ADDR.
Device A, which wants to authenticate device B, sends a 128-bit random challenge to device B.
Device B uses its link key, its BD_ADDR and the random challenge as inputs and computes the authentication response using the E1 algorithm.
Device B sends the authentication response thus computed to device A.
Device A also uses the same inputs as device B and computes the expected authentication response using the same E1 algorithm.
If the authentication response sent by device B matches the expected authentication response computed by device A, device B is successfully authenticated.
Now both device A and device B can go ahead with the pairing.
Normally authentication follows the steps mentioned above, but there are a few cases where Bluetooth devices do not enter a PIN for verification. For example, if a user wants to automate the pairing of two devices using a script, they can change the settings and enable the devices to pair without entering a PIN. In the BlueDump Attack, the attacker exploits this functionality.
Suppose device A and device B are two devices which can be paired using authentication. In BlueDump Attack, the attacker spoofs the BD_ADDR of device B and connects to device A.
Device A, as usual, requests authentication. But the attacker does not have the PIN or the link key.
So, the attacker responds with an HCI_Link_Key_Request_Negative_Reply to device A.
HCI_Link_Key_Request_Negative_Reply is a Link Control Command used to indicate that no link key is associated with the device.
As a result, in most cases device A abandons its link key and goes ahead with pairing with the attacker's device.
Now, the attacker can exploit this pairing for illegitimate purposes.
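The challenge-response exchange from the authentication steps above and the link-key decision at the heart of BlueDump, as an added simulation that is not part of the original article. It models device A as a verifier that either drops its stored link key on a negative reply (the behaviour described above) or keeps it (an assumed hardening); HMAC-SHA256 stands in for E1, and the BD_ADDR and link key values are constructed.

```python
import hmac
import hashlib
import secrets

# Stand-in for Bluetooth E1 (real E1 is SAFER+-based): a keyed MAC over the
# claimant's 48-bit BD_ADDR and the 128-bit challenge, keyed by the link key.
def e1_response(link_key: bytes, bd_addr: bytes, challenge: bytes) -> bytes:
    assert len(link_key) == 16 and len(bd_addr) == 6 and len(challenge) == 16
    return hmac.new(link_key, bd_addr + challenge, hashlib.sha256).digest()[:4]

class Genuine:
    """Device B: holds the link key shared with A, so it can answer the challenge."""
    def __init__(self, bd_addr: bytes, link_key: bytes):
        self.bd_addr, self.link_key = bd_addr, link_key
    def on_challenge(self, challenge: bytes):
        return e1_response(self.link_key, self.bd_addr, challenge)

class KeylessClaimant:
    """Peer presenting B's BD_ADDR without the link key; it can only answer with
    HCI_Link_Key_Request_Negative_Reply, modelled here as None."""
    def __init__(self, bd_addr: bytes):
        self.bd_addr = bd_addr
    def on_challenge(self, challenge: bytes):
        return None

class Verifier:
    """Device A. drop_key_on_negative_reply=True is the behaviour the article
    describes; False keeps the stored key (assumed hardening, not from the page)."""
    def __init__(self, drop_key_on_negative_reply: bool):
        self.link_keys = {}
        self.drop_key_on_negative_reply = drop_key_on_negative_reply
    def store_key(self, bd_addr: bytes, link_key: bytes) -> None:
        self.link_keys[bd_addr] = link_key
    def authenticate(self, claimant) -> str:
        link_key = self.link_keys.get(claimant.bd_addr)
        if link_key is None:
            return "no-key"
        challenge = secrets.token_bytes(16)          # 128-bit random challenge
        reply = claimant.on_challenge(challenge)
        if reply is None:                            # negative reply: peer has no key
            if self.drop_key_on_negative_reply:
                del self.link_keys[claimant.bd_addr]
                return "key-dropped-repairing"       # BlueDump outcome
            return "rejected"                        # key kept, no re-pairing
        expected = e1_response(link_key, claimant.bd_addr, challenge)
        return "authenticated" if hmac.compare_digest(expected, reply) else "rejected"

def run(drop_key: bool):
    addr_b = bytes.fromhex("001122334455")           # constructed BD_ADDR of device B
    key_ab = bytes(range(16))                        # constructed 128-bit link key
    a = Verifier(drop_key)
    a.store_key(addr_b, key_ab)
    return (a.authenticate(Genuine(addr_b, key_ab)),
            a.authenticate(KeylessClaimant(addr_b)), addr_b in a.link_keys)
```

`run(True)` shows the genuine device authenticating and the keyless claimant causing the stored key to be dropped; `run(False)` shows the same claimant being rejected with the key intact.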
How to prevent BlueDump Attack?
Turn off Bluetooth on the devices when not in use.
Configure the Bluetooth device to use the lowest power that meets your needs. For example, Class 3 devices transmit at 1 mW and cannot communicate beyond 10 meters, while Class 1 devices transmit at 100 mW and cannot communicate beyond 100 meters. Adjusting power does not eliminate the possibility of an outsider attack, but it can reduce the possibility to a great extent.
Do not permanently store the pairing PIN code on Bluetooth devices.
So, beware of the various vulnerabilities of Bluetooth so that you can protect your devices better.