Subscribe
About

Bluetooth opens vulnerability window

The technology can be easily hacked, leaving many digital devices open to attack.
Dino Covotsos
By Dino Covotsos, Founder and CEO, Telspace Systems.
Johannesburg, 19 Oct 2007

Connectivity is vital for doing business these days. The cellphone, laptop PC and PDA are essential connectivity tools - but at the same time these devices may leave us vulnerable to intrusion.

Take the simple technology of Bluetooth, which can be quite easily hacked with a range of different techniques that leave devices - cellphone, laptop or PDA - transparent and usable to unscrupulous eavesdroppers.

Bluetooth hacking techniques include making unauthorised calls and transactions, reading and sending SMSes on a target phone, erasing information and downloading personal information such as phone books and access codes.

I routinely make use of Bluetooth vulnerabilities to test the security level of corporate clients` networks. I recently addressed the annual Hack-in-the-Box security conference in Malaysia on the subject of Bluetooth hacking and the audience was shocked to see just how easy it is to compromise devices through Bluetooth.

Accessing a Bluetooth-enabled device is achieved by hacking the Bluetooth stack. Specific implementations of Bluetooth are susceptible to exploitation because of design flaws and various other factors. By using Bluetooth, one can literally control the device completely once it is exploited or paired.

For example, successful exploitation would include being able to access the entire contents of the phone such as call records, SMSes, key lock codes and so on. This is different to a situation where Bluetooth is left on and discoverable, because then the user will still have to accept a file download if someone sends something to the phone.

Listening in

Even a Bluetooth device that is set on `hidden` can be found and broken into. This is possible through brute force scanning.

Dino Covotsos is the founder and CEO of Telspace Systems

Bluetooth hacking can be used to obtain personal information, particularly when in a public place. It can be used in fraud schemes where fraudsters make illegitimate calls using the phone to call prime rate numbers - so the user ends up with an enormous cellphone bill at the end of the month.

We are seeing many real life scenarios of Bluetooth car devices being compromised with the Carwhisperer program. This software tool was designed to connect to Bluetooth car kits, but it also enables attackers to listen in on other people`s conversations - either a specific person or a range of cellphone conversations on the road.

To hack a car kit, a fixed four-digit PIN code is needed, and obviously the kit cannot be already connected to a mobile device otherwise pairing cannot take place. Those who have a generic unlocking code on their handset, such as 0000 or 1234, should contact their manufacturer for applicable updates.

There are many different methods to gain confidential information off a mobile device. Hacking methods such as Bluebugging, BlueSnarfing and Carwhispering are just a few of the most common methods of attack.

The Bluebug attack, for example, allows attackers to perform unauthorised transactions on vulnerable devices, for example reading and sending SMSes or making phone calls from the other person`s phone. The attack creates a serial profile connection by providing access to the AT command. Distance is very important and is limited by the transmitting power of class two Bluetooth radios (10-15 metres). It can, however, be increased with directional antennas.

Bluesnarfing attacks are the best known and attackers take advantage of the OBEX Push Profile, which was developed for reasons such as business card exchange. In most instances, this service does not require authentication, so attackers can conduct an OBEX GET and request common filenames such as pb.vcf (the phonebook).

Worms such as Cabir have spread via Bluetooth. Cabir runs on Symbian mobile that supports the series 60 platform. Cabir, for example, arrives as a .sis file (with .app and .mdl and .rsc), so the worm activates and starts looking for new devices to infect via Bluetooth.

No place to hide

Even a Bluetooth device that is set on `hidden` can be found and broken into. This is possible through brute force scanning. A proof-of-concept application called RedFang is available to download. This helps in finding non-discoverable Bluetooth devices by brute forcing the last six bytes of the Bluetooth address of the device and doing a read_remote_name().

Attack and penetration tests show that alarm codes, passwords, private and confidential information such as banking details can all be found from phonebook entries and SMSes.

There are various ways to prevent phones, PDAs or PCs from being exploited. Firstly, turn off Bluetooth when it`s not required all of the time. Enable `hidden mode` and change the phone name from the default one because hackers will usually first go for such known vulnerabilities.

At the very least, enable PIN-based authentication and use anti-virus software, although this is a cost factor. Also, keep up-to-date with firmware and any security updates for the device.

* Dino Covotsos is the founder and CEO of Telspace Systems.

Share