Final Theses

Bluetooth Security in Industrial Applications

Author: Ahmad Ali Tabassam
Supervisor: Prof. Dr. rer. nat. Stefan Heiss
Type: Master
Research area: IT Security
Short description:

Abstract

In today's arena, information system security is one of the major issues in industrial wireless networks. Most information systems have some kind of vulnerabilities and security threats. A vulnerability of an information system may be caused by a logical design flaw, an implementation flaw and/or a fundamental weakness, and it may lead to damage. An attacker may pose a threat by exploiting the vulnerability to inflict damage. Damage may also be caused by an incidental and/or non-intentional exploitation of the vulnerability.

This research work explores the threats against Bluetooth industrial wireless networks as a whole, both when the built-in security mechanism is enabled and when it is not enabled. The thesis also presents a critical literature review of the state of the art. It puts a particular focus on the capabilities of an attacker equipped with a protocol analyzer and/or packet sniffer to obtain the information required for hop sequence synchronization in order to eavesdrop on the piconet communication in two scenarios: with capturing the frequency hop synchronization packet and without capturing the frequency hop synchronization packet.

A newly proposed idea, published at an IEEE conference, presents a scenario for obtaining the information required for hop sequence synchronization using a software defined radio (SDR), so that a Bluetooth protocol analyzer can always work even when the Bluetooth devices are not discoverable and the analyzer has not participated in the pairing process. The proposed idea describes how to obtain the information required for hop sequence synchronization if an attacker fails to capture the frequency hop synchronization (FHS) packet. An attacker can obtain the 24 bits of the lower address part (LAP) of a device by demodulating the access code of a captured packet, while 4 bits from the upper address part (UAP) can be obtained by an exhaustive search among the possible 4-bit patterns. Once all the required bits of the device address are known, the clock of the piconet can be recovered from a rather short measurement of the channel activity on any fixed RF channel. The author argues that more comparative laboratory experiments could be conducted to cryptanalyze the different attacks against Bluetooth industrial wireless networks.

Contact: Prof. Dr. rer. nat. Stefan Heiss