Bluetooth Security Problems


Para


A glimpse of Bluetooth security flaws

Whilst my background is IT, mobile communications wasn’t a topic I knew a great deal about. When I started to use Bluetooth/GPRS connections between my laptop, cell phone and the internet, I started to also explore the technical aspects of what I was using. Initially my desire was to make sure I had the most optimized configuration possible.

I am fascinated by both social engineering and the darker side of IT, and it was not long before I was looking at Bluetooth from this angle. Between media propaganda, urban myths and misinformation it is sometimes hard to find information, but if it was easy where would the challenge be!

What I have written here is what I have learned; it is true in my eyes, but that does not make it fact. It is only my opinion, nothing more, nothing less.

So here is what has caught my eye with Bluetooth. I will list any relevant links at the end, and I will try as best I can not to make it a hacker’s guide but rather a user awareness guide. If any of the moderators or senior members feel that any part of this is inappropriate for the board, please delete/edit where you feel necessary and let me know for any future posts.

Bluetooth History 101

Bluetooth wireless technology is a short-range radio technology designed to fulfill the particular needs of wireless interconnection between the different personal devices that are so popular in today’s society. The development of Bluetooth started in the mid-1990s, when a project within Ericsson Mobile Communications required a way to connect a keyboard to a computer device without a cable. The wireless link turned out to be useful for many other things, and it was developed into a more generic tool for connecting devices. A synchronous mode for voice traffic was added and support for up to seven slaves was introduced. In order to promote this ‘new’ technology the Bluetooth Special Interest Group (SIG) was founded in 1998. Currently there are over 1000 companies involved in the SIG, so it does not look to be disappearing anytime soon.

Technical

When two or more devices connect they are said to have formed a piconet. A piconet shares a common communication data channel between one master and up to seven slaves.

The data channel has a total capacity of 1 megabit per second (Mbps). Bluetooth 2.0 allows 2.1 Mbps.

In the United States and Europe, the frequency range is 2,400 to 2,483.5 MHz.

In Japan, the frequency range is 2,472 to 2,497 MHz with 23 1-MHz RF channels.

Bluetooth Security Overview

Bluetooth has three different modes of security. Each Bluetooth device can operate in only one mode at a particular time.

Security Mode 1: Non-secure mode

In this non-secure mode, the security functionality (authentication/encryption) is completely bypassed. This is often referred to as promiscuous mode. It is provided for applications for which security is not required, such as exchanging business cards.

Security Mode 2: Service-level enforced security mode

In this mode security procedures are initiated AFTER channel establishment. Mode 2 grants access to some services without providing access to other services. This is a very basic level of authorization.

Security Mode 3: Link-level enforced security mode

In the link-level security mode, a Bluetooth device initiates security procedures BEFORE the channel is established. This is a built-in Bluetooth security mechanism which is not aware of any application layer security that may exist. This mode supports both authentication and encryption. These features are based on a secret link key that is shared by a pair of devices. To generate this key, a pairing procedure is used when the two devices communicate for the first time.

Bluetooth Key Generation from PIN

The link key is generated during an initialization phase, while the two communicating Bluetooth devices are ‘associated’ or ‘bonded’. As per the Bluetooth specification, two associated devices simultaneously derive link keys during the initialization phase when a user enters an identical PIN into both devices. After initialization is complete, the devices automatically and transparently authenticate and encrypt the link. The PIN code used in Bluetooth devices can vary between 1 and 16 bytes. Whilst the typical 4-digit PIN may be sufficient for some applications, longer codes are obviously more secure.

Bluetooth Authentication

The Bluetooth authentication procedure is in the form of a standard ‘challenge-response’ process. The challenge response protocol validates devices by verifying the knowledge of a secret key (the Bluetooth link key).
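To make the key generation and challenge-response steps described above concrete, here is an added simulation (not from the post or from the Bluetooth specification): the PIN and the claimant’s address go into an initialization key, both sides derive a link key from it, and the verifier checks a signed response. It substitutes HMAC-SHA256 for the spec’s SAFER+-based E22/E21/E1 functions and uses constructed device addresses, so the flow is faithful but the arithmetic is not; it also shows why the remark about longer PINs holds by counting the guessing work a recorded pairing leaves an eavesdropper.

```python
import hmac, hashlib, math, os

# Stand-ins for the Bluetooth E22 (PIN -> initialization key), E21 (link key)
# and E1 (challenge-response) functions. The real ones are built on SAFER+;
# HMAC-SHA256 is used here only to show the flow, not the spec's arithmetic.
ADDR_A = bytes.fromhex("001122334455")  # constructed BD_ADDR of device A
ADDR_B = bytes.fromhex("66778899aabb")  # constructed BD_ADDR of device B

def init_key(pin: bytes, claimant_addr: bytes, in_rand: bytes) -> bytes:
    """Kinit: each side derives it from the PIN the user typed, the claimant's
    address and IN_RAND, which crosses the air in the clear during pairing."""
    if not 1 <= len(pin) <= 16:
        raise ValueError("Bluetooth PIN must be 1..16 bytes")
    return hmac.new(pin, claimant_addr + in_rand, hashlib.sha256).digest()[:16]

def link_key(kinit: bytes, rand_a: bytes, rand_b: bytes) -> bytes:
    """Combination key from both devices' random contributions; in the real
    protocol they are sent XOR-ed with Kinit, so only a PIN holder reads them."""
    return hmac.new(kinit, rand_a + rand_b, hashlib.sha256).digest()[:16]

def sres(key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """E1-style 4-byte signed response proving knowledge of the link key."""
    return hmac.new(key, au_rand + claimant_addr, hashlib.sha256).digest()[:4]

def pair(pin_a: bytes, pin_b: bytes) -> tuple:
    """Simulated pairing with A as verifier and B as claimant; returns the
    link key each side ends up holding (equal only if the PINs matched)."""
    in_rand = os.urandom(16)
    k_a = init_key(pin_a, ADDR_B, in_rand)
    k_b = init_key(pin_b, ADDR_B, in_rand)
    rand_a, rand_b = os.urandom(16), os.urandom(16)
    return link_key(k_a, rand_a, rand_b), link_key(k_b, rand_a, rand_b)

def authenticate(verifier_key: bytes, claimant_key: bytes) -> bool:
    """The challenge-response from the post: A sends AU_RAND, B answers with
    SRES, A recomputes SRES with its own copy of the key and compares."""
    au_rand = os.urandom(16)
    response = sres(claimant_key, au_rand, ADDR_B)
    expected = sres(verifier_key, au_rand, ADDR_B)
    return hmac.compare_digest(response, expected)

def pin_keyspace_bits(pin: bytes) -> float:
    """Offline guessing work for someone who recorded IN_RAND, AU_RAND and
    SRES: 10 candidates per digit for a numeric PIN, 256 per arbitrary byte."""
    per_byte = 10 if pin.isdigit() else 256
    return len(pin) * math.log2(per_byte)
```

A 4-digit numeric PIN leaves about 13 bits of guessing work, a 16-byte random PIN 128 bits, which is the whole difference behind "longer codes are obviously more secure".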

Bluetooth Encryption

Encryption Mode 1. No encryption is performed on any traffic.

Encryption Mode 2. Broadcast traffic goes unencrypted, but individually addressed traffic is encrypted according to the individual link keys.

Encryption Mode 3. All traffic is encrypted.

Bluetooth Classes

Class 1 Range up to 100 meters

Class 2 Range up to 10 meters

Class 3 Range well within 10 meters

Currently the most common devices are Class 3 or 2, which include cellular telephones, personal digital assistants, computer peripherals, audio accessories, laptop computers, access. Remember that if you have a Class 2 device you are not only at risk from other Class 2 devices: someone with a Class 1 adapter can potentially be up to 100m away from you and still see you. They will be able to see you in a Bluetooth browse, but your device will not have the power to see them.

Ok before you get too bored here is the interesting stuff!

Attack, Attack, Attack!

It has been found that an unpaired device can initiate and form a connection that enables potential access to data stored on the device. This can be obtained anonymously, and without the owner's knowledge or consent, from Bluetooth-enabled computers or mobile phones. This data can include the entire phonebook and calendar, and the phone's IMEI. A stolen IMEI can be used to clone a phone/number.

It has also been found that the complete memory contents of some mobile phones can be accessed by a previously trusted, ‘paired’ device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. Basically it has become possible for the entire device’s data to be copied to an attacker's own system.

Access can also be gained to the AT command set of the device, giving full control of the higher level commands and channels, such as data, voice and messaging. This could allow an attacker to use your phone’s data connection to connect to the Internet, or to make a long distance call, both at your expense. Once the voice connection has been made it does not matter if the attacked phone moves out of Bluetooth range, as the voice connection has already been established.

The list of attack methods and tools to perform these attacks is growing; this is no media myth or urban legend. The number of easily accessible forums, groups and tools is scary, as a basic Google search will show.

There has been a ‘Philosophy of Full Disclosure’ submitted to both the mobile manufacturing community and (apparently) governments by Trifinite. They spent 13 months exploring and exploiting the flaws in BT, writing tools to perform these tasks. Thankfully they made the ethical decision to keep these tools away from the market, but of course it will only be a matter of time before they start to leak out.

http://www.thebunker.net/security/bluetooth.htm

Here are specific examples of the bigger and currently more common attacks, and what, if any, forms of defense we can take to protect against them.

Bluejacking

BlueJackX is the software that brought Bluetooth’s security flaws to everyone’s attention. It allows a hidden user to send what appears to be an SMS message to anyone in range with Bluetooth enabled on their phone. It's not an attack as such, as no data on the receiver’s phone is made available to the attacker. Naturally I have tested this purely for research and obviously in a secure environment. Well, I could not get access to a data lab, so I thought a Go-Go bar in Walking Street would be just as good. ;-)

Bluejacking is possible because the ‘name’ of the initiating Bluetooth device is displayed on the target device as part of the handshake exchange, and as the protocol allows a large user-defined name field (up to 248 characters), the field itself can be used to pass the ‘message’.

There has been recent media hype in the UK concerning ‘Toothing’. This was taking away the anonymity of Bluejacking for the gain of sexual contact. Reports of people ‘hooking up’ for sex are always an obvious media seller, but it appears to be nothing more than another urban myth.

Bluesnarfing, Bluestumbling or Snarf attack

It is possible on some makes of device to connect to another device without alerting the owner of the target device to the request. This gains access to restricted portions of the data stored therein, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log and IMEI number. Ouch!

This is normally only possible if the device is in ‘discoverable’ or ‘visible’ mode, but there are tools available on the Internet that allow even this safety net to be bypassed.

I have a copy of a version of this software, BUT as using it crosses into actual hacking I am not keen to use it. I tried to Snarf my laptop but it did not work. I will however try to find a willing friend and, with their prior agreement, try it. The software I have has been downloaded 13,000 times according to the site stats, which means it is out there.

People tracking

This one really scares me. Your IMEI number is unique, so being able to track a device means it is possible to track the person with the device. Of course this has been available since the birth of cell phones, but the device has only been able to be located ‘somewhere’ within a cell. Bluetooth can allow the device to be located to a person simply by scanning for your Bluetooth key with a directional scanner.

Denial-of-Service attack on the device

Streaming random data to your phone over Bluetooth at such a rate that the phone processor is unable to do anything other than try to deal with all the data results in the phone locking up.

Backdoor attack

This attack involves establishing a trust relationship through the ‘pairing’ mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to. This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner's knowledge or consent.

The Bluebug attack

The Bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set. This gives access to messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to a premium rate number, send SMS messages, read SMS messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone.

It would seem that a Bluebug attack can also turn an attacked phone into a bug via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner's incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim.

HeloMoto

The HeloMoto attack is a combination of the Bluesnarf attack and the Bluebug attack. It’s called HeloMoto since it was discovered on Motorola phones.

The HeloMoto attack takes advantage of the incorrect implementation of ‘trusted device’ handling on some Motorola devices. The attacker initiates a connection to the unauthenticated device under cover of sending a business card (vCard). The attacker interrupts the sending process and, without any interaction, the attacker's device is stored in the ‘list of trusted devices’ on the victim's phone. With an entry in that list, the attacker is able to connect to the headset profile without authentication. Once connected to this service, the attacker is able to take control of the device by means of AT commands and start a Bluebug process.

Bluetooning

The hardware modification of a Bluetooth dongle to improve its range. This generally requires the connection of a directional antenna.

The BlueSniper, the Long-Distance Attack

This has apparently been tested and allowed a phone to have its contents read and modified from a distance of 1.01 miles. There are a number of companies offering the hardware for this which leads me to believe it is possible.

Blueprinting

This involves the collection of information pertaining to the hardware device. It is not really hacking, but it can be used to identify certain types of device and perhaps target them for Bluetooth spam.

Workarounds and fixes

I hope you’re not expecting a nice concise fix for all of the above!

The obvious answer would be not to have Bluetooth on unless you are actually using it. But given the possibility of tools being available to remotely enable Bluetooth, there may not be any answer based on current versions of Bluetooth. I think the SIG needs to get a new version of Bluetooth out that locks down the security flaws that have been identified.
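The advice above (Bluetooth off when not in use, and out of ‘discoverable’ mode otherwise, as the Bluesnarfing section notes) can at least be checked on a computer. The script below is an added example, not from the post: it assumes a Linux host with the BlueZ bluetoothctl tool, which the phones the post discusses did not have, parses the output of ‘bluetoothctl show’ and maps each setting to the exposures described above; the sample output is constructed.

```python
import re

# Constructed sample of `bluetoothctl show` output on a Linux host (assumed
# platform; the post's phones of the day have no such command). Values are
# made up for the example.
SAMPLE_SHOW = """\
Controller AA:BB:CC:DD:EE:FF laptop [default]
\tName: laptop
\tAlias: laptop
\tClass: 0x000c010c
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
"""

def parse_show(text: str) -> dict:
    """Turn the indented 'Key: value' lines of `bluetoothctl show` into a dict."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z]+): (.*)$", line)
        if m:
            status[m.group(1)] = m.group(2).strip()
    return status

def exposure(status: dict) -> list:
    """Map adapter state to the exposures described in the post."""
    findings = []
    if status.get("Powered") != "yes":
        return findings  # radio off: nothing to see, nothing to connect to
    findings.append("powered: visible to tracking, DoS and connection attempts")
    if status.get("Discoverable") == "yes":
        note = "discoverable: shows up in a browse, so a Bluejack/Snarf target"
        if status.get("DiscoverableTimeout", "") in ("0x00000000", "0"):
            note += " (timeout 0 = discoverable until turned off)"
        findings.append(note)
    if status.get("Pairable") == "yes":
        findings.append("pairable: accepts pairing requests, step one of Backdoor")
    return findings

def remediation(status: dict) -> list:
    """bluetoothctl commands that close each open exposure, most radical last."""
    cmds = []
    if status.get("Discoverable") == "yes":
        cmds.append("bluetoothctl discoverable off")
    if status.get("Pairable") == "yes":
        cmds.append("bluetoothctl pairable off")
    if status.get("Powered") == "yes":
        cmds.append("bluetoothctl power off  # when not actually in use")
    return cmds
```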

To avoid Bluejacking, ‘just say no’. :o

Useful links

https://www.bluetooth.org/

http://www.thebunker.net/security/bluetooth.htm

http://www.bluejackq.com/what-is-bluejacking.shtml

www.bluetooth.com

http://www.mulliner.org/bluetooth/

http://www.bluedriving.com/

I hope this has been of some use.

Edited by Para