Publication


Featured research published by Konstantin Hyppönen.


international symposium on communications, control and signal processing | 2008

Man-In-The-Middle attacks on bluetooth: a comparative analysis, a novel attack, and countermeasures

Keijo Haataja; Konstantin Hyppönen

We provide a comparative analysis of the existing MITM (Man-In-The-Middle) attacks on Bluetooth. In addition, we propose a novel Bluetooth MITM attack against Bluetooth-enabled printers that support SSP (Secure Simple Pairing). Our attack is based on the fact that the security of the protocol is likely to be limited by the capabilities of the least powerful or the least secure device type. Moreover, we propose improvements to the existing Bluetooth SSP in order to make it more secure.


Lecture Notes in Computer Science | 2006

An open, PKI-based mobile payment system

Marko Hassinen; Konstantin Hyppönen; Keijo Haataja

Most mobile commerce applications require a secure mobile payment solution for performing financial transactions. However, it is difficult to strongly authenticate users remotely and provide non-repudiation of transactions. In this paper, we present a novel mobile payment scheme which supports both virtual point-of-sale (POS) and real POS transactions. For user authentication, our scheme uses PKI-SIM cards. In virtual POS payments, the mobile phone communicates with a service provider through SMS messaging or IP-based data transfer (e.g. GPRS). In real POS payments, Bluetooth is used as the communication channel. Communication with a bank is done using either SMS messaging or IP-based data transfer. The system is open to any mobile network operator, any merchant, and any financial institution.


international conference in central asia on internet | 2007

“Nino” man-in-the-middle attack on bluetooth secure simple pairing

Konstantin Hyppönen; Keijo Haataja

As an interconnection technology, Bluetooth has to address all traditional security problems, well known from the distributed networks. Moreover, as Bluetooth networks are formed by the radio links, there are also additional security aspects whose impact is yet not well understood. In this paper, we describe a new man-in-the-middle (MITM) attack on Bluetooth secure simple pairing. The attack is based on the falsification of information sent during the input/output capabilities exchange. In addition, we propose countermeasures that render the attack impractical, although not totally eliminating its potential danger.


Electronic Commerce Research and Applications | 2008

Utilizing national public-key infrastructure in mobile payment systems

Marko Hassinen; Konstantin Hyppönen; Elena Trichina

Payments are the locomotive behind any business domain. It has been predicted that mobile payments will become one of the most successful mobile services, and the security of payments is an important requirement. However, it is difficult to strongly authenticate mobile users remotely and provide an adequate level of non-repudiation of transactions. In this article, we argue that a nationwide public-key infrastructure supported by governmental bodies can be used in a mobile payment system. Not only does it provide strong security, but it also makes the system open to any mobile user, merchant, or financial service provider. Two payment protocols are described: one for virtual point-of-sale payments, and one for vending machine payments. We argue that such a system can be implemented using open development platforms, and its performance is adequate for enabling swift transactions. A prototype of a system which accepts virtual point-of-sale payments is implemented, and its performance and usability are evaluated.


trust and trustworthy computing | 2008

Combining Biometric Authentication with Privacy-Enhancing Technologies

Konstantin Hyppönen; Marko Hassinen; Elena Trichina

Although state of public research in privacy-enhancing technologies (PET) is reasonably good, they are not yet widely used in common electronic documents. We argue that low acceptance of PET is due to a large gap between ordinary paper-based documents and new e-ID schemes. We show how to make the gap narrower by introducing a mobile electronic identity tool with privacy-preserving biometric authentication scheme.


Innovations in Systems and Software Engineering | 2007

SIM-enabled Open Mobile Payment System Based on Nation-wide PKI

Elena Trichina; Konstantin Hyppönen; Marko Hassinen

Many current mobile payment systems rely on mobile network operators for authentication, and lack adequate nonrepudiation. In this work we describe a mobile payment system that uses a governmentally administered public-key infrastructure, namely, the Finnish Electronic Identity. FINEID cards store user credentials and private keys for authentication and digital signature, and upon user request can be issued as an application on a PKI-enabled SIM card which is used as a trusted module in our application. Using FINEID, our system authenticates persons, not customers of a certain bank, mobile network operator, or payment service provider. It also ensures non-repudiation, integrity and confidentiality of the messages related to the payment transactions. As the administration of the PKI system is the responsibility of the government, the system is very economical for both the service providers and the users. The proof-of-concept implementation, a system for purchasing train tickets, is done using freely available development tools and platforms. Implementing an open payment system based on a nation-wide PKI has proven to be feasible.


international semantic web conference | 2011

XHTML with RDFa as a semantic document format for CCTS modelled documents and its application for social services

Konstantin Hyppönen; Miika Alonen; Sami Korhonen; Virpi Hotti

For achieving semantic interoperability, messages or documents exchanged electronically between systems are commonly modelled using standard specifications, such as the UN/CEFACT CCTS (core components technical specification). However, additional requirements, such as the need for layout markup or common metadata for certain archiving scenarios might be applied to the documents. Furthermore, the management of resulting artefacts, i.e., core components, XML schemas and related infrastructure, could be cumbersome in some cases. This paper investigates the use of the W3C XHTML+RDFa (extensible hypertext markup language with resource description framework attributes) for representing both the layout and semantics of documents modelled according to CCTS. The paper focuses on the validation of XHTML+RDFa documents against a core components library represented as an ontology. In addition, the paper illustrates and validates this demand-driven solution in the scope of the Finnish National Project for IT in Social Services.


trust and trustworthy computing | 2008

Pseudonymous Mobile Identity Architecture Based on Government-Supported PKI

Konstantin Hyppönen; Marko Hassinen; Elena Trichina

An electronic ID scheme must be usable in a wide range of circumstances, especially in ordinary situations, such as proving your right to a concession ticket on a bus. One of the problems to be addressed is privacy. Indeed, when documents are read by electronic means, a lot of information is not only revealed, but can be copied, stored and processed without our consent. Another issue is ubiquity, reliability and acceptance of the involved technology. In this paper we attempt to address these issues by combining an officially recognised national mobile e-ID infrastructure with identification procedures based on controlled identity revelation. We report a prototype implementation of an identity tool on a mobile phone with a PKI-SIM card.


Archive | 2013

Overview of Bluetooth Security

Keijo Haataja; Konstantin Hyppönen; Sanna Pasanen; Pekka Toivanen

The basic Bluetooth security configuration is done by the user who decides how a Bluetooth device will implement its connectability and discoverability options.


Archive | 2013

Reasons for Bluetooth Network Vulnerabilities

Keijo Haataja; Konstantin Hyppönen; Sanna Pasanen; Pekka Toivanen

Overall security in Bluetooth networks is based on the security of the Bluetooth medium, the security of Bluetooth protocols, and the security parameters used in Bluetooth communication. There are several weaknesses in the Bluetooth medium, Bluetooth protocols, and Bluetooth security parameters, which can significantly weaken the overall security of Bluetooth networks.

Collaboration


Konstantin Hyppönen's collaborations.

Top Co-Authors

Keijo Haataja
University of Eastern Finland

Pekka Toivanen
University of Eastern Finland

Sanna Pasanen
University of Eastern Finland

Juha Mykkänen
University of Eastern Finland

Virpi Hotti
University of Eastern Finland

Miika Alonen
University of Eastern Finland

Sami Korhonen
University of Eastern Finland