It's become my mantra that any new electronic convenience carries with it some inherent security risks. So it doesn't surprise me that the popularity of Bluetooth-enabled devices (everywhere these days--in laptops, printers, cell phones, and even new cars, such as the Toyota Prius; roughly 2 million Bluetooth-enabled products are shipped each week) tempts evildoers to ferret out Bluetooth weaknesses. A recent demonstration of attacks on mobile phones bears this out; more on this later. Should you be worried? Yes. Bluetooth attacks are sneaky and leave no trace. A digital thief could, for example, steal data from a Bluetooth-enabled mobile phone or PDA in your shirt pocket or backpack or even eavesdrop on conversations in the vicinity of a compromised mobile phone without the victim knowing.
Ubiquitous Bluetooth
Last year, the IT security company AL Digital asked its chief security officer, Adam Laurie, to test the security of Bluetooth, which is a short-range radio technology that synchronizes data exchanges between Internet-enabled devices and computers. What Laurie found was surprising and scary. The protocol that Bluetooth uses contains some underlying security flaws (in authentication and data-transfer protocols) that could lead to targeted attacks in the future beyond just simple data theft. Currently, the most vulnerable devices are mobile phones when they are in discoverable or visible modes (that is, when the phones are seeking other Bluetooth-enabled devices in their vicinity). That's not too surprising--phones have relatively simple functionality when compared to PDAs and laptops--but future attacks could be scaled to include more-sophisticated devices.
 The protocol that Bluetooth uses contains some underlying security flaws that could lead to targeted attacks.  |  |
|
At the recent Black Hat Briefings USA and Defcon 12 conferences in Las Vegas, Laurie and German security researcher Martin Herfurt presented a talk about their work with certain models of Ericsson, Sony Ericsson, and Nokia Bluetooth-enabled mobile phones. I should note that these vendors have since mitigated these vulnerabilities; however, new exploits are now appearing elsewhere on the Internet.
Collectively, the attacks have been dubbed bluesnarfing, and can be launched from modified Bluetooth-enabled laptops or even certain modified mobile phones. Laurie and Herfurt have identified four specific types of vulnerabilities.
Four types of attacks
The basic snarf attack allows an attacker to gain access to someone else's mobile phone data, such as a phone book, a calendar, a business card, and his or her International Mobile Equipment Identity (IMEI), a code that uniquely identifies the phone to the mobile network. IMEI can be used to clone illegal copies of a compromised phone and force the victim to pay phone changes he or she didn't incur.
A backdoor attack abuses the trusted relationship between a Bluetooth-enabled device and a computer. The attack itself is invisible to the victim and allows the attacker access to the victim's mobile phone anytime, anywhere. Not only can the attacker retrieve data from the phone, the attack also gives access to modem or Internet connections and Wireless Application Protocol (WAP) and General Packet Radio Service (GPRS) gateways. A backdoor attack also makes it easier for an attacker to launch the aforementioned snarf data-theft attack.
A bluebug attack takes over a victim's mobile phone AT command set. This attack also allows the attacker to initiate calls to premium rate numbers, send short-message-service (SMS) messages, read SMS messages, and connect to data services such as the Internet--all through the victim's phone. If the attacker's call is made over a Global System for Mobile Telecommunications (GSM) voice network, the attack could be used to listen in on private conversations anywhere in the world.
| If the attacker's call is made over a Global System for Mobile Telecommunications (GSM) voice network, the attack could used to listen in on private conversations anywhere in the world. | |
|
Finally, bluejacking is a practice that abuses the system by which Bluetooth devices authenticate each other, and it allows an attacker to insert a message into the initial Bluetooth "handshake" phase. Because bluejacking abuses the Bluetooth protocol, Laurie sees it as a basic underlying security threat to all Bluetooth-enabled devices, opening the door to more-sophisticated attacks in the future, beyond those mentioned above.
More information about these attacks is available from AL Digital's bluestumbler Web site, including a table of mobile phones that are considered vulnerable to attack. Laurie concludes that the best defense against these attacks is to turn off your Bluetooth-enabled device when it's not in use.
Are you currently taking security precautions with your Bluetooth-enabled devices? Should you? Talk back to me.
