BlueSmack is a Denial of Service attack against Bluetooth-enabled devices. It works like the Ping of Death: it uses the L2CAP layer to send an oversized packet to a Bluetooth-enabled device, resulting in a Denial of Service.
What is L2CAP?
To understand L2CAP, we need to know a little bit about Bluetooth protocol stack.
Bluetooth services use a protocol stack which, for ease of understanding, can be compared to the OSI model of the network protocol stack. The Bluetooth protocol stack consists of the following main layers:
SDP – SDP, or Service Discovery Protocol, is responsible for detecting the services provided by other Bluetooth-enabled devices. A Bluetooth-enabled device uses this protocol to keep track of other Bluetooth-enabled devices present within its operating range.
LMP – LMP, or Link Manager Protocol, is responsible for keeping track of connected devices. A Bluetooth-enabled device pairs with other Bluetooth-enabled devices using this protocol.
L2CAP – L2CAP, or Logical Link Control and Adaptation Protocol, provides connectionless and connection-oriented data services to the upper layers of the Bluetooth stack.
RFCOMM – RFCOMM, or Radio Frequency Communication protocol, runs over L2CAP and is responsible for providing emulated serial ports to other devices. Because of RFCOMM, a Bluetooth-enabled device can simultaneously connect to up to 60 other Bluetooth-enabled devices.
TCS – TCS, or Telephony Control protocol Specification, runs over L2CAP and provides the functionality for controlling telephony applications.
What is the BlueSmack Attack?
The L2CAP protocol allows a device to request and receive an echo from a Bluetooth-enabled peer. This is done through the L2CAP ping (an L2CAP echo request). The L2CAP ping is used to check connectivity and the round-trip time of established connections with other Bluetooth-enabled devices.
Every device has a limit on the size of L2CAP ping it can handle. If it receives an L2CAP ping packet larger than that limit, it will crash. In the BlueSmack attack, the attacker does exactly that.
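To make the mechanism concrete from the receiving side, here is an added example (not code from the article, and not BlueZ's own implementation) of how a hardened L2CAP signaling receiver should validate an echo request before touching its data. It parses the basic L2CAP header and the signaling command header, cross-checks every declared length against the bytes actually present, and refuses any payload above the receive limit before a reply is built. The limit used, 48 bytes, is an assumption: it is the minimum signaling MTU the Bluetooth specification requires a device to support, and a real stack would substitute whatever it has negotiated. The function names and the sample frames are constructed for this example.

```python
import struct

# L2CAP constants from the Bluetooth Core Specification (basic L2CAP header and
# signaling channel), used here in an added, illustrative example.
L2CAP_CID_SIGNALING = 0x0001   # fixed channel ID carrying signaling commands
L2CAP_ECHO_REQUEST = 0x08      # signaling command code for Echo Request
L2CAP_ECHO_RESPONSE = 0x09     # signaling command code for Echo Response
SIGNALING_MTU = 48             # assumed receive limit: the spec's minimum signaling MTU


class L2CAPError(ValueError):
    """Raised when a frame fails validation and must be dropped."""


def parse_signaling_frame(frame: bytes, mtu: int = SIGNALING_MTU) -> dict:
    """Validate one L2CAP frame on the signaling channel and return its command.

    Layout (all integers little-endian):
      basic header : length(2) | channel id(2)
      command      : code(1) | identifier(1) | data length(2) | data
    Every declared length is checked against the bytes actually present, and
    the payload is checked against the MTU *before* the data is used, so an
    oversized echo request is refused instead of being copied into a fixed buffer.
    """
    if len(frame) < 4:
        raise L2CAPError("frame shorter than the basic L2CAP header")
    length, cid = struct.unpack_from("<HH", frame, 0)
    payload = frame[4:]
    if length != len(payload):
        raise L2CAPError(f"declared length {length} != actual payload {len(payload)}")
    if cid != L2CAP_CID_SIGNALING:
        raise L2CAPError(f"not the signaling channel (cid={cid:#06x})")
    if length > mtu:
        raise L2CAPError(f"payload of {length} bytes exceeds signaling MTU {mtu}")
    if length < 4:
        raise L2CAPError("signaling payload shorter than the command header")
    code, ident, cmd_len = struct.unpack_from("<BBH", payload, 0)
    data = payload[4:]
    if cmd_len != len(data):
        raise L2CAPError(f"command length {cmd_len} != actual data {len(data)}")
    return {"code": code, "ident": ident, "data": data}


def build_echo_request(ident: int, data: bytes) -> bytes:
    """Build a well-formed Echo Request frame (used only to create test vectors)."""
    cmd = struct.pack("<BBH", L2CAP_ECHO_REQUEST, ident, len(data)) + data
    return struct.pack("<HH", len(cmd), L2CAP_CID_SIGNALING) + cmd


def handle_echo(frame: bytes, mtu: int = SIGNALING_MTU) -> tuple:
    """Decide what a hardened receiver does with an incoming frame.

    Returns ("respond", response_frame), ("ignore", reason) or ("drop", reason).
    """
    try:
        cmd = parse_signaling_frame(frame, mtu)
    except L2CAPError as exc:
        return ("drop", str(exc))
    if cmd["code"] != L2CAP_ECHO_REQUEST:
        return ("ignore", f"signaling code {cmd['code']:#04x} is not an echo request")
    # The response echoes the identifier and data back; its size is bounded by
    # the MTU check above, so a sender cannot force an oversized reply either.
    resp = struct.pack("<BBH", L2CAP_ECHO_RESPONSE, cmd["ident"], len(cmd["data"])) + cmd["data"]
    return ("respond", struct.pack("<HH", len(resp), L2CAP_CID_SIGNALING) + resp)


if __name__ == "__main__":
    # Constructed sample frames: a normal 4-byte ping, a 600-byte ping of the
    # size the article mentions, and a frame cut short in transit.
    samples = {
        "normal ping": build_echo_request(1, b"ping"),
        "600-byte ping": build_echo_request(2, b"A" * 600),
        "truncated": b"\x08\x00\x01\x00\x08\x01",
    }
    for name, frame in samples.items():
        verdict, detail = handle_echo(frame)
        shown = detail.hex() if verdict == "respond" else detail
        print(f"{name:14s} -> {verdict}: {shown}")
```

The ordering of the checks is the point: the length fields are reconciled with the real frame size and compared with the MTU before any byte of echo data is read or copied, which is the difference between a stack that answers a 600-byte ping with an error and one that crashes on it.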
How do attackers perpetrate the BlueSmack Attack?
The BlueSmack attack can be perpetrated with standard tools that ship with the official Linux BlueZ utils package.
The l2ping utility, which ships with the standard BlueZ utils distribution, lets the user specify the packet length of the L2CAP ping with the -s <number> option. Many devices start reacting at packet sizes of 600 bytes and above.
How to prevent the BlueSmack Attack?
- Turn off Bluetooth on devices when it is not in use.
- Configure the Bluetooth device to use the lowest transmit power that meets your needs. For example, Class 3 devices transmit at 1 mW and cannot communicate beyond 10 meters, while Class 1 devices transmit at 100 mW and cannot communicate beyond 100 meters. Adjusting the power does not eliminate the possibility of an outsider attack, but it can reduce it to a great extent.
- Do not permanently store the pairing PIN code on Bluetooth devices.