In my last blog entry I started to cover the kinds of tools that are available in attacking Bluetooth devices. I discussed Bluescanner and Bluesnarf and said that these are only two of the surprising large number of such tools. Now I’ll cover the remaining Bluetooth attack tools of which I am aware:
- A.I.O. Bluetooth Hacking Tools. These tools are downright scary. They allow someone to read Bluetooth messages and contacts on another phone, change another phone’s profile and/or ring volume, make someone’s phone restart, switch off or ring (even if the phone is in silent mode), play songs on another phone (imagine the shock value of this!), and more.
- Btcrack. Btcrack allows an attacker to make phone calls on another phone with any charges billed to the owner of the other phone. This tool also cracks Bluetooth PINs and attempts to reconstruct the pass key and the link key, both of which are captured during the pairing process that was discussed in part one of this series.
- BlueSniff. This one finds discoverable and hidden Bluetooth devices. One of the major advantages of this tool is that it has a very intuitive graphical user interface (GUI).
- Btcrack. As its name implies, Btcrack cracks Bluetooth PINs. It also tries to reconstruct the pass and the link keys during the pairing process.
- BlueSniff. Blue Sniff, like other, similar tools finds discoverable and hidden Bluetooth-enabled devices. It also features a very easy-to-use GUI.
- BlueBug. This tool tries to gain unauthorized access to phone-books, call lists and other private information in remote Bluetooth devices within the discovery zone.
- Bluediving. This one is highly useful because it consists of a Bluetooth penetration testing suite, thus making obtaining and running each tool contained within unnecessary. Instead, it provides a menu that allows users to run each tool and function whenever they want. It contains Bluebug, BlueSnarf, BlueSnarf++, and BlueSmack. It also provides additional functions such as address spoofing, packet forging, connection resetting, and many others. If I were allowed to have only one Bluetooth attack tool, there is no doubt in my mind that I would choose this one.
In short, attacking Bluetooth devices has become rather easy because of a variety of tools designed specifically for this purpose. The widespread availability of these tools and the fact that most of them are free raises the risk level in Bluetooth environments considerably. Information security professionals need not only to know how these tools work, but they also need to use them in their vulnerability assessment programs. Auditors also need to learn about these tools, which can also be very useful when audits are being conducted.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
- – - – - – - – - – - – - – - – -
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.