Bluetooth Security: Part 3
September 12th, 2011
There are more attack methods against Bluetooth devices than one might suspect. In earlier blog entries in this series I discussed attacks such as discovery and cryptanalytic attacks. One of the potential Achilles heels of Bluetooth security is the PINs used in authentication. PINs are generally between four and 16 characters long. Shorter PINs can easily be guessed or brute-forced if conventional lockouts after repeated failed logins are not built into the devices, and the fact that some Bluetooth implementations cap PINs at four characters makes these devices unusually vulnerable. Furthermore, in some of these devices PINs are fixed and thus cannot be changed by their users. PIN guessing can thus enable perpetrators to impersonate Bluetooth devices, allowing them to make long-distance calls billed to the accounts of legitimate users as well as to gain unauthorized access to call lists, phone books, photos, and other information. PIN spoofing can be used for similar purposes. And if a Bluetooth device falls into the hands of an attacker, the attacker can gain access to the same types of information, often by gleaning PINs from memory and/or the device's hard drive.
Malicious code such as viruses and worms can and does infect Bluetooth devices and then spread to others. The now infamous Cabir/Caribe/SymbOS virus that infected so many mobile phones at the Helsinki Games not all that many years ago is one of the best examples of a virus capable of infecting Bluetooth as well as other wireless devices. And the fact that relatively few Bluetooth users run anti-malware tools on their devices makes these devices even more vulnerable.
Furthermore, Bluetooth devices are extremely susceptible to denial of service (DoS) attacks, as are wireless devices and networks in general. All an attacker needs to do is jam the 2.4 GHz band that Bluetooth devices use. And the previously mentioned fact that Bluetooth devices share this band with IEEE 802.11b networks as well as baby monitors does not help at all.
A final kind of attack against Bluetooth devices covered here is one in which a perpetrator discovers the physical location of someone who is using one of these devices. Built-in Global Positioning Systems (GPSs) are handy for Bluetooth users who need to know where they are, but anyone who can intercept Bluetooth transmissions can also discover that physical location.
Attack tools greatly simplify attacking Bluetooth devices. Bluescanner is one of the most widely used tools of this nature. Bluescanner discovers these devices, their names and their addresses, as well as what kind they are (keyboard, mouse, phone, computer, and so forth) and any advertised services. This tool can also be used to record the time of discovery and additional contextual information regarding the devices that are targeted for reconnaissance activity. One of the advantages perpetrators who use this tool have is that they can record this kind of information without having to authenticate to the targeted devices.
Bluesnarf is another attack tool that can be used for reconnaissance purposes. Although it has somewhat less functionality than Bluescanner, it can download phonebooks and other information stored on Bluetooth devices. One advantage of Bluesnarf is that it works covertly: Bluetooth users do not notice that reconnaissance activity is occurring.
In the next blog entry in this series I'll describe other Bluetooth attack tools; there are more than you might imagine.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.