6 research outputs found
MagicPairing: Apple's Take on Securing Bluetooth Peripherals
Device pairing in large Internet of Things (IoT) deployments is a challenge
for device manufacturers and users. Bluetooth offers a comparably smooth trust
on first use pairing experience. Bluetooth, though, is well-known for security
flaws in the pairing process. In this paper, we analyze how Apple improves the
security of Bluetooth pairing while still maintaining its usability and
specification compliance. The proprietary protocol that resides on top of
Bluetooth is called MagicPairing. It enables the user to pair a device once
with Apple's ecosystem and then seamlessly use it with all their other Apple
devices. We analyze both, the security properties provided by this protocol, as
well as its implementations. In general, MagicPairing could be adapted by other
IoT vendors to improve Bluetooth security. Even though the overall protocol is
well-designed, we identified multiple vulnerabilities within Apple's
implementations with over-the-air and in-process fuzzing
Cryptanalysis of the Bluetooth E0 Cipher using OBDD\u27s
In this paper we analyze the E0 cipher, which is the cipher used
in the Bluetooth specifications. We adapted and optimized the Binary
Decision Diagram attack of Krause, for the specific details of
E0. Our method requires 128 known bits of the keystream in order
to recover the initial value of the four LFSR\u27s in the E0 system.
We describe several variants which we built to lower the complexity
of the attack. We evaluated our attack against the real
(non-reduced) E0 cipher. Our best attack can recover the initial
value of the four LFSR\u27s, for the first time, with a realistic space
complexity of 2^23 (84MB RAM), and with a time complexity of
2^87. This attack can be massively parallelized to
lower the overall time complexity. Beyond the
specifics of E0, our work describes practical experience with
BDD-based cryptanalysis, which so far has mostly been a theoretical
concept
Cracking the Bluetooth PIN
This paper describes the implementation of an attack on the Bluetooth security mechanism. Specifically, we describe a passive attack, in which an attacker can find the PIN used during the pairing process. We then describe the cracking speed we can achieve through three optimizations methods. Our fastest optimization employs an algebraic representation of a central cryptographic primitive (SAFER+) used in Bluetooth. Our results show that a 4-digit PIN can be cracked in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3Ghz HT computer
Cracking the Bluetooth PIN1 Abstract: Cracking the Bluetooth PIN
This paper describes the implementation of an attack on the Bluetooth security mechanism. Specifically, we describe a passive attack, in which an attacker can find the PIN used during the pairing process. We then describe the cracking speed we can achieve through three optimizations methods. Our fastest optimization employs an algebraic representation of a central cryptographic primitive (SAFER+) used in Bluetooth. Our results show that a 4-digit PIN can be cracked in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3Ghz HT computer.
Cryptanalysis of the Bluetooth E 0 Cipher using
In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0