Para

Posts posted by Para

  1. A glimpse of Bluetooth security flaws

    Whilst my background is IT, mobile communications wasn’t a topic I knew a great deal about. When I started to use Bluetooth/GPRS connections between my laptop, cell phone and internet I started to also explore the technical aspects of what I was using. Initially my desire was to make sure I had the most optimized configuration possible.

    I am fascinated by both social engineering and the darker side of IT, and it was not long before I was looking at Bluetooth from this angle. Between media propaganda, urban myths and misinformation, sometimes it is hard trying to find information, but if it was easy where is the challenge!

    What I have written here is what I have learned; it is true in my eyes, but that does not make it fact. It is only my opinion, nothing more, nothing less.

    So here is what has caught my eye with Bluetooth. I will list any relevant links at the end, and I will try, as best I can, not to make it a hacker's guide but rather a user awareness guide. If any of the moderators or senior members feel that any part of this is inappropriate for the board, please delete/edit where you feel necessary and let me know for any future posts.

    Bluetooth History 101

    Bluetooth wireless technology is a short-range radio technology that is designed to fulfill the particular needs of wireless interconnections between different personal devices, which are very popular in today’s society. The development of Bluetooth started in the mid-1990s, when a project within Ericsson Mobile Communications required a way to connect a keyboard to a computer device without a cable. The wireless link turned out to be useful for many other things, and it was developed into a more generic tool for connecting devices. A synchronous mode for voice traffic was added and support for up to seven slaves was introduced. In order to promote this ‘new’ technology the Bluetooth Special Interest Group (SIG) was founded in 1998. Currently there are over 1000 companies involved in SIG so it does not look to be disappearing anytime soon.

    Technical

    When two or more devices connect they are said to have formed a piconet. A piconet shares a common communication data channel between a master and up to seven slaves.

    The data channel has a total capacity of 1 megabit per second (Mbps). Bluetooth 2.0 allows 2.1Mbps.

    In the United States and Europe, the frequency range is 2,400 to 2,483.5 MHz.

    In Japan, the frequency range is 2,472 to 2,497 MHz with 23 1-MHz RF channels.

    Bluetooth Security Overview

    Bluetooth has three different modes of security. Each Bluetooth device can only operate in one mode at a particular time.

    Security Mode 1: Non-secure mode

    In this non-secure mode, the security functionality (authentication/encryption) is completely bypassed. This is often referred to as being in promiscuous mode. This mode is provided for applications for which security is not required, such as exchanging business cards.

    Security Mode 2: Service-level enforced security mode

    In this mode security procedures are initiated AFTER channel establishment. Mode 2 grants access to some services without providing access to other services. It is a very basic level of authorization.

    Security Mode 3: Link-level enforced security mode

    In the link-level security mode, a Bluetooth device initiates security procedures BEFORE the channel is established. This is a built-in Bluetooth security mechanism which is not aware of any application layer security that may exist. This mode supports both authentication and encryption. These features are based on a secret link key that is shared by a pair of devices. To generate this key, a pairing procedure is used when the two devices communicate for the first time.

    Bluetooth Key Generation from PIN

    The link key is generated during an initialization phase, while two Bluetooth devices that are communicating are 'associated' or 'bonded.' As per the Bluetooth specification, two associated devices simultaneously derive link keys during the initialization phase when a user enters an identical PIN into both devices. After initialization is complete, devices automatically and transparently authenticate and perform encryption of the link. The PIN code used in Bluetooth devices can vary between 1 and 16 bytes. Whilst the typical 4-digit PIN may be sufficient for some applications, longer codes are obviously more secure.

    Bluetooth Authentication

    The Bluetooth authentication procedure is in the form of a standard ‘challenge-response’ process. The challenge response protocol validates devices by verifying the knowledge of a secret key (the Bluetooth link key).

    Bluetooth Encryption

    Encryption Mode 1. No encryption is performed on any traffic.

    Encryption Mode 2. Broadcast traffic goes unencrypted, but individually addressed traffic is encrypted according to the individual link keys.

    Encryption Mode 3. All traffic is encrypted.

    Bluetooth Classes

    Class 1 Range up to 100 meters

    Class 2 Range up to 10 meters

    Class 3 Range very much within 10 meters

    Currently the most common devices are Class 3 or 2, which include cellular telephones, personal digital assistants, computer peripherals, audio accessories, laptop computers, access. Remember that if you have a Class 2 device you are not only at risk from other Class 2 devices. This means someone with a Class 1 adapter can potentially be up to 100m away from you and see you. They will be able to see you in a Bluetooth browse, but your device will not have the power to see them.

    Ok before you get too bored here is the interesting stuff!

    Attack, Attack, Attack!

    It has been found that a non-paired device can initiate and form a connection to enable potential access to data stored on the device. This can be obtained anonymously, and without the owner's knowledge or consent, from Bluetooth enabled computers or mobile phones. This data can include the entire phonebook and calendar, and the phone's IMEI. A stolen IMEI can be used to clone a phone/number.

    It has also been found that the complete memory contents of some mobile phones can be accessed by a previously trusted, ‘paired’ device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. Basically it has become possible for the entire device's data to be copied to an attacker's own system.

    Access can also be gained to the AT command set of the device, giving full control to the higher level commands and channels, such as data, voice and messaging. This could allow an attacker to use your phone’s data connection functionality to connect to the Internet, or to make a long distance call, both at your expense. Once the voice connection has been made it does not matter if the attacked phone moves out of Bluetooth range, as the voice connection has already been established.

    The list of attack methods and tools to perform these attacks is growing; this is no media myth or urban legend. The number of easily accessible forums, groups and tools is scary, as a basic Google search will show.

    There has been a ‘Philosophy of Full Disclosure’ submitted to both the mobile manufacturing community as well as (apparently) Governments by Trifinite. They spent 13 months exploring and exploiting the flaws in BT, writing tools to perform these tasks. Thankfully they made the ethical decision to keep these tools away from the market, but of course it will only be a matter of time before they start to leak out.

    http://www.thebunker.net/security/bluetooth.htm

    Here are specific examples of the bigger and currently more common attacks and what, if any, possible forms of defense we can take to protect from them.

    Bluejacking

    BlueJackX is the software that brought Bluetooth’s security flaws to everyone’s attention. It allows a hidden user to send what appears to be an SMS message to anyone in range with Bluetooth enabled on their phone. It's not an attack as such, as no data on the receiver's phone is made available to the attacker. Naturally I have tested this purely for research and obviously in a secure environment. Well, I could not get access to a data lab so I thought a Go-Go bar in Walking Street would be just as good. ;-)

    Bluejacking is possible because the ‘name’ of the initiating Bluetooth device is displayed on the target device as part of the handshake exchange and, as the protocol allows a large user defined name field (up to 248 characters), the field itself can be used to pass the ‘message’.

    There has been recent media hype in the UK concerning ‘Toothing’. This was taking away the anonymity of Bluejacking for the gain of sexual contact. Reports of people ‘hooking up’ for sex are always an obvious media seller, but it appears to be nothing more than another Urban Myth.

    Bluesnarfing, Bluestumbling or Snarf attack

    It is possible on some makes of device to connect to another device without alerting the owner of the target device of the request. This gains access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log, IMEI number, ouch!

    This is normally only possible if the device is in ‘discoverable’ or ‘visible’ mode, but there are tools available on the Internet that allow even this safety net to be bypassed.

    I have a copy of a version of this software BUT as using it crosses into actual hacking I am not keen to use it. I tried to Snarf my laptop but it did not work. I will however try and find a willing friend and with their prior agreement try it. The software I have has been downloaded 13,000 times according to the site stats which means it is out there.

    People tracking

    This one really scares me. Your IMEI number is unique so being able to track a device means it is possible to track the person with the device. Of course this has been available since the birth of Cell phones but the device has only been able to be located ‘somewhere’ within a Cell. Bluetooth can allow the device to be located to a person simply by scanning for your Bluetooth key with a directional scanner.

    Denial-of-Service attack on the device

    Streaming random data to your phone over Bluetooth at such a rate that the phone processor is unable to do anything other than try and deal with all the data. Results in phone lockup.

    Backdoor attack

    This attack involves establishing a trust relationship through the ‘pairing’ mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to. This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner's knowledge or consent.

    The Bluebug attack:

    The Bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set. This gives access to messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to a premium rate number, send sms messages, read sms messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone.

    It would seem that a Bluebug attack can also turn an attacked phone into a bug via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner's incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim.

    HeloMoto

    The HeloMoto attack has been discovered and is a combination of the Bluesnarf attack and the Bluebug attack. It’s called HeloMoto since it was discovered on Motorola phones.

    The HeloMoto attack takes advantage of the incorrect implementation of the 'trusted device' handling on some Motorola devices. The attacker initiates a connection to the unauthenticated device, hiding behind sending a business card (vCard). The attacker interrupts the sending process and, without interaction, the attacker's device is stored in the 'list of trusted devices' on the victim's phone. With an entry in that list, the attacker is able to connect to the headset profile without authentication. Once connected to this service, the attacker is able to take control of the device by means of AT commands and start a Bluebug process.

    Bluetooning

    The hardware modification of a Bluetooth dongle to improve its range. Generally requires the connection of a directional antenna.

    The BlueSniper, the Long-Distance Attack

    This has apparently been tested and allowed a phone to have its contents read and modified from a distance of 1.01 miles. There are a number of companies offering the hardware for this which leads me to believe it is possible.

    Blueprinting

    Involves the collection of information pertaining to the hardware device. Not really hacking but can be used to identify certain types of device and maybe targeting them for Bluetooth spam.

    Workarounds and fixes

    I hope you’re not expecting a nice concise fix for all of the above!

    The obvious answer would be not to have Bluetooth unless you are actually using it. But given the possibility of tools being available to remotely enable Bluetooth there may not be any answer based on current versions of Bluetooth. I think the SIG need to get a new version of Bluetooth out that locks down the security flaws that have been identified.

    To avoid Bluejacking, ‘just say no’. :o

    Useful links

    https://www.bluetooth.org/

    http://www.thebunker.net/security/bluetooth.htm

    http://www.bluejackq.com/what-is-bluejacking.shtml

    www.bluetooth.com

    http://www.mulliner.org/bluetooth/

    http://www.bluedriving.com/

    I hope this has been of some use.
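    The Security Mode 3 flow the post describes (link key derived from a shared PIN, then challenge-response authentication with that key) as an added, simplified model; this is example code, not from the original post or the Bluetooth specification. It substitutes SHA-256/HMAC for the real E22/E1 (SAFER+) functions, and the device addresses and PINs are constructed, so it illustrates the exchange and the trusted-device boundary rather than the actual cipher.

```python
"""Toy model of Bluetooth pairing plus challenge-response authentication.

Assumptions: SHA-256 stands in for E22 (link-key generation) and HMAC-SHA256
for E1 (authentication). Real Bluetooth also mixes a random nonce into E22;
omitted here to keep both sides deterministic.
"""
import hashlib
import hmac
import os


def derive_link_key(pin: bytes, addr_a: str, addr_b: str) -> bytes:
    """Both devices run this with the same PIN and addresses, so they reach
    the same link key without the PIN ever being sent over the air."""
    if not 1 <= len(pin) <= 16:                # spec range quoted in the post
        raise ValueError("Bluetooth PINs are 1 to 16 bytes long")
    return hashlib.sha256(pin + addr_a.encode() + addr_b.encode()).digest()


class Device:
    """One side of a Security Mode 3 link; keeps one link key per paired peer."""

    def __init__(self, addr: str):
        self.addr = addr
        self.link_keys: dict[str, bytes] = {}  # the 'register of paired devices'

    def pair(self, peer_addr: str, pin: bytes) -> None:
        a, b = sorted([self.addr, peer_addr])  # same order on both sides
        self.link_keys[peer_addr] = derive_link_key(pin, a, b)

    def challenge(self) -> bytes:
        return os.urandom(16)                  # fresh nonce per authentication

    def respond(self, verifier_addr: str, chal: bytes) -> bytes:
        # An unpaired claimant has no key; it can only produce garbage.
        key = self.link_keys.get(verifier_addr, b"")
        return hmac.new(key, chal + self.addr.encode(), hashlib.sha256).digest()

    def verify(self, claimant_addr: str, chal: bytes, resp: bytes) -> bool:
        key = self.link_keys.get(claimant_addr)
        if key is None:
            return False                       # not in the paired list: reject
        expected = hmac.new(key, chal + claimant_addr.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, resp)


def authenticate(verifier: Device, claimant: Device) -> bool:
    """Run the two-message exchange and return the verifier's verdict."""
    chal = verifier.challenge()                      # verifier -> claimant
    resp = claimant.respond(verifier.addr, chal)     # claimant -> verifier
    return verifier.verify(claimant.addr, chal, resp)


def demo() -> dict:
    """Constructed scenario: phone and laptop pair, then the laptop is removed
    from the phone's paired list. A correct implementation must then refuse it,
    which is exactly the check the 'backdoor attack' relies on being skipped."""
    phone, laptop = Device("00:11:22:33:44:55"), Device("66:77:88:99:AA:BB")
    phone.pair(laptop.addr, b"1234")
    laptop.pair(phone.addr, b"1234")
    paired = authenticate(phone, laptop)
    phone.link_keys.pop(laptop.addr)               # owner deletes the pairing
    after_removal = authenticate(phone, laptop)
    return {"paired": paired, "after_removal": after_removal}
```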

  2. I'll let you know when I can't get the bloody thing to work, as will inevitably happen when technology and I interact.

    Scouse.

    How the ###### did this happen?

    I move half way around the world to get away from IT support in London and what happens! ;-)

    Just joking happy to help

  3. Yep, that's pretty much about it.

    Install the CD that comes with it, plug in the dongle and it should run a wizard that will set up the pairing and set a dial up networking (DUN) entry so you can use the phone as a modem.

    Your headset will (should) not be affected.

    Have fun and welcome to the dongle club!

  4. What does a bluetooth dongle look like, does it connect to the port, and roughly how much does it cost?

    Also: When bluetooth is connected and on, does that mean my neighbours in the local 10-20 metres will be able to 'suck' all my files out of my laptop?

    W.S.

    They are a similar size/shape to a USB memory stick and cost around 1000 Baht.

    The coverage range is somewhere around 10m, so yes, there is a chance of abuse by others if not set correctly.

    BT security works by a key exchange which is done when the devices are initially paired. As long as you stop the 'discover' option as soon as you pair you should be fine.

    I have just posted a new thread on BT hacking.

  5. I know this is not a hacking board but I really think anyone who leaves their phone with BT set on should be aware of what can happen.

    There are various programs out there that run on Symbian mobiles that will initiate a silent BT connection and search your phone.

    The most worrying is an app called Bloover. It can change settings (call forwarding), copy contacts/notes and initiate another call from yours.

    So guys, keep your dongles to yourself in case someone wants to play with it....

  6. If you have a desktop I doubt you will have an IR port by default.

    To see if you have one, go to

    control panel ->system -> hardware -> device manager

    Check to see if you have an infrared device icon.

    Did you get a cable with the phone in place of using IR ?

  7. I had only rebuilt my laptop the week before so it was fairly 'new' but agree that anyone who has not installed SP2 yet should have at least a backup other than the Windows backup/restore.

    I had installed the latest BIOS but have heard stories where an old BIOS version stopped an upgrade.

    No big deal, the rebuild only took 24hrs, not as if there is much else to do here in Pattaya.... :o

  8. Well that will teach me.

    After holding off putting SP2 on my laptop I finally (I have no idea why) decided to upgrade yesterday.

    Needless to say my laptop became totally screwed up, the RPC service refused to start which stopped the XP Restore working.

    No problem, of course I had a current backup. Did I ######. I work in IT; these things happen to users, not us.

    Just spent the last I don't know how long rebuilding my laptop from the ground up. The problem I now have is I am back at the same point, fully working but without SP2. Rumour is MS will do a forced download in 4 weeks for anyone who does not have SP2 on their machine.

    Maybe I should learn Linux.....

  9. Should work fine out of the box.

    Make sure you have the correct operator settings, download them from the Nokia site.

    I use a 6630 and it works very well.

    BTW, make sure you set up Bluetooth; I found the cable to be a lot slower.

  10. from what i read in adslthailand's forum, WIMAX is highly restricted in thailand...

    only tot has tried it...and that too will be used for rural areas where phone line isn't there.

    the equipment cost is very high...

    btw wimax is a new technology using IEEE 802.16.

    under line of sight conditions max distance is 75 Km and maximum bandwidth is 26 mbps...

    maybe wait 2 yrs and wimax would become popular in thailand....

    no more clutter of cables for the net....just take your notebook...drive across the town....use the net during traffic jams....

    govt should allow wimax...that way we won't crib about the traffic....;-)

    I have used WIMAX in Auckland and it works well. Zoom, who offer it, don't tie you into any contract; just pay the monthly and cancel at the end of a month. They also offer a buy back on your 'modem' if you want. Only problem with Zoom is there is a low data cap.

  11. I see there are a few threads relating to GPRS/WiFi connections, so I thought it would be easier to post a new thread.

    I have been using the following setup for a while now and have to admit I am happy with the connection speed/download rates. I don’t know if this is of any use to you; I hope it may be!

    Ok spec

    Hardware

    Laptop is an Acer TM371tci 50gb HDD/512mb RAM

    Bluetooth D-Link DBT120 USB running 1.4.2 Build 10 software

    Nokia 6630 firmware 3.45.113

    Software

    Windows XP pro SP1 all patches (holding off SP2 for as long as I can)

    Browser is Opera Version 8.0 Build 7522

    Download Manager GetRight 5.2

    I am on AIS 1 2 Call (Pattaya); they are offering crazy GPRS prices, I think it's 1 baht/minute after 7pm. There is no cap on downloads, which is good as I have just checked and have a download total on my phone of 4.76Gig in 4 weeks.

    First, to get ANY idea of your connection speeds you need a local network data monitor. Forget the networking tab in Windows Task Manager; I have spent ages looking and trying loads and have finally found one I am happy with.

    DU Meter 3.0 www.dumeter.com

    TweakMaster 2.04 Build 764 from www.tweakmaster.com

    TweakMaster is the first internet optimizer that actually knows what EDGE/GPRS actually does!

    I used to use an older Nokia (7610) with a DKU2 cable and it was a pain; the transfer rate was a killer. Upgraded to the 6630, which connects via EDGE, and the difference was amazing. Forget cables: if you want high bandwidth you MUST use Bluetooth.

    Here is a stat dump from the last online session I had (does that sound funny? ;-))

    Maximum transfer rate 235.9 kbps 7.5 kbps

    Average transfer rate 171.3 kbps 3.9 kbps

    I am sure anyone would be happy with an average transfer of 171kbps @ 1 baht a minute.

    I have tried various config changes of the modem driver and it does not appear to make any difference. I am guessing this is controlled by AIS when you connect via *99#.

    Hope this is of some help

    Peace

    Para
