[ISN] Security Cavities Ail Bluetooth

InfoSec News isn at c4i.org
Fri Aug 6 08:17:47 EDT 2004


By Kim Zetter
Aug. 06, 2004

Serious flaws discovered in Bluetooth technology used in mobile phones
can let an attacker remotely download contact information from
victims' address books, read their calendar appointments or peruse
text messages on their phones to conduct corporate espionage.

An attacker could even plant phony text messages in a phone's memory,
or turn the phone sitting in a victim's pocket or on a restaurant
table top into a listening device to pick up private conversations in
the phone's vicinity. Most types of attacks could be conducted without
leaving a trace.

Security professionals Adam Laurie and Martin Herfurt demonstrated the
attacks last week at the Black Hat and DefCon security and hacker
conferences in Las Vegas. Phone companies say the risk of this kind of
attack is small, since the amount of time a victim would be vulnerable
is minimal, and the attacker would have to be in proximity to the
victim. But experiments, one using a common laptop and another using a
prototype Bluetooth "rifle" that captured data from a mobile phone a
mile away, have demonstrated that such attacks aren't so far-fetched.

Laurie, chief security officer of London-based security and networking
firm ALD, discovered the vulnerability last November. Using a program
called Bluesnarf that he designed but hasn't released, Laurie modified
the Bluetooth settings on a standard Bluetooth-enabled laptop to
conduct the data-collection attacks.

Then, German researcher Herfurt developed a program called Bluebug
that could turn certain mobile phones into a bug to transmit
conversations in the vicinity of the device to an attacker's phone.

Using Bluebug from a laptop, an attacker could instruct a target phone
to call his phone. The phone would make the call silently and, once
connected, open a channel for the attacker to listen to conversations
near the targeted phone. The attacker's phone number would appear on
the victim's phone bill, but if the attacker used a throwaway phone,
the number would be out of service.

"(A victim) will know that his phone made a call that it shouldn't
have made, but he won't necessarily come to the right conclusion that
someone listened in on the conversation that he was having at that
particular time," Laurie said. "He may think he accidentally pressed
buttons to make the call while the phone was in his back pocket."

An attacker could also install a gateway on the victim's phone to
reroute phone calls through his own phone so that he could hear and
record conversations between parties without their knowledge. And he
could send text messages from his computer through a victim's phone to
another phone so the receiver would think the message originated from
the victim. There would be no record of the sent message on the
victim's phone unless the attacker planted it there.

"I can plant the message on the phone and make it look like he sent a
message that he never sent. So when the FBI grabs the phone (for
evidence), the message will be in the first guy's outbox," Laurie
said. "It has really serious consequences."

The use of Bluetooth, a wireless technology that lets two devices
exchange information over a short distance, is growing rapidly in
Europe and the United States. About 13 percent of mobile phones
shipped in the United States this year have Bluetooth, according to
IDC research. The number will grow to about 53 percent globally and 65
percent in the United States by 2008.

These are just the phones. According to IMS Research, 2 million
Bluetooth-enabled devices -- phones, laptops and PDAs -- are shipped
weekly in the world. Laurie and Herfurt have only tested phones for
vulnerabilities so far.

"They're talking about putting Bluetooth in everything: home security,
medical devices," Laurie said. "If they don't do something about
security there is some really serious stuff ahead of us."

The attacks, dubbed "Bluesnarfing" and "Bluebugging," work on several
models of the most popular brands of mobile phones: Ericsson, Sony
Ericsson, and Nokia (Laurie provides a chart of affected phones on his
website). In each case, the researchers needed access to the target
phone for only a few seconds to conduct attacks.

Phones are vulnerable when they are in "discoverable" or "visible"
mode, and the Bluetooth functionality is enabled. Visible mode lets
Bluetooth phones find other Bluetooth phones in their vicinity so
phone owners can exchange electronic contact information. Users can
turn the visible mode off, but some models of Nokia can be attacked
even when a user turns off the visible mode, Laurie said. The attacker
would need to know the device's Bluetooth address, but Laurie said
hacking programs available online make it possible to discover the

"The Nokia 6310 and 8910 series and the Sony Ericsson T610 are
probably the worst affected because they are very popular phones," he
said. They're "at least 70 percent of the market in Europe."

Laurie and Herfurt found problems with Motorola phones as well, but
Siemens phones came out clean.

"Motorola said they would fix it in the current release so they
started immediately to correct the problem," Laurie said, adding that
the Motorola vulnerability was limited since the phones can be in
visible mode for only brief periods when the owner exchanges
information with other phone users.

Although phone owners can leave Nokia and Sony Ericsson phones in
visible mode, the phone companies said people don't usually do this.
They also said that because Bluetooth's range is generally 30 feet, an
attacker could target only people who stayed within range long enough
to be attacked.

But Laurie said that he achieved ranges closer to 50 feet in tests.
With either range he could stand in a building lobby or hallway and
collect data from mobile phones on floors above and below him. And a
device demonstrated at DefCon could increase that range more than

The BlueSniper "rifle," created by John Hering and colleagues at
Flexilis as a proof-of-concept device, resembles a rifle. It has a
vision scope and a Yagi antenna with a cable that runs to a
Bluetooth-enabled laptop or PDA in a backpack. Aiming the rifle from
an 11th-floor window of the Aladdin hotel at a taxi stand across the
street in Las Vegas, Hering and colleagues were able to collect phone
books from 300 Bluetooth devices. They bested that distance and broke
a record this week by attacking a Nokia 3610i phone 1.1 miles away and
grabbing the phone book and text messages.

"The odds of anybody (attacking a phone) are very slim to begin with,"
said Nokia spokesman Keith Nowak, noting that the only vulnerable
model sold by the company in the United States is the 6310i. "But if
you're worried about it, just turn the Bluetooth off or take it out of
discoverable mode."

This works for regular phones, Laurie said, but not the Nokia car
phone, which does not let users switch to hidden mode or turn off

Nokia announced in May that it would have software upgrades to address
the Bluetooth problem for all of its phones by the end of the summer,
though this will not include car phones, and users would have to send
in their phones to Nokia to have the patch installed.

Sony Ericsson told Laurie it fixed the problem. But when he examined
the phones, he discovered they fixed the bugging problem but not the
data-theft issue. Sony Ericsson could not be reached for comment.

Laurie found that most people forget to switch off Bluetooth and the
visible mode after exchanging information with someone. About 50
percent to 70 percent of phones he examined in road tests were in
visible mode and vulnerable to one type of attack or another. In one
experiment, standing for about two hours in London Underground
stations during rush hour, Laurie found 336 Bluetooth phones, 77 of
which were vulnerable to attack.

He conducted a similar test at Britain's House of Parliament, carrying
a laptop in his backpack. After going through security, he wandered
the ground floor for 14 minutes looking at paintings and passing
politicians while the attack ran automatically from his backpack. Of
46 Bluetooth devices he found, eight phones were vulnerable to attack.

Herfurt is working on developing Bluebug to run from a phone so an
attacker wouldn't even need a bulky laptop.

Laurie said most people don't think they have valuable data on their
phones, but many people store passwords, PINs and financial account
numbers in their phones. A London shopkeeper he knows didn't care
about the vulnerability until he attacked her phone and extracted the
door and alarm codes for three of her businesses.

Michael Foley, executive director for the Bluetooth Special Interest
Group, said the risk of attacks has gone down since the issue came to
light. But as long as the risk is above zero, the industry group is
taking it seriously and working with phone makers to address the

"Now that the manufacturers are aware of these vulnerabilities, I
don't think you'll see new phones coming out that are vulnerable to
the attack," he said.
