[ISN] Bluetooth scanning goes mainstream

InfoSec News isn at c4i.org
Tue Nov 1 01:06:51 EST 2005


http://www.tomsnetworking.com/Sections-article145.php

Humphrey Cheung  
10/31/05  

In the last week, Network Chemistry and Airmagnet both released free
Windows utilities that scan for Bluetooth devices. Several years ago,
NetStumbler, a free 802.11 wireless scanning utility, ushered in the
"wardriving" era. With the release of these easy-to-use utilities, are
we now on the verge of a "BlueDriving" age? I interviewed Andrew
Lockhart, BlueScanner's author and lead security analyst for Network
Chemistry, to find out how he made the program and if we should worry
about Bluetooth vulnerabilities.

Lockhart was hired three months ago by Network Chemistry as their lead
security analyst. In addition to writing BlueScanner, he has written a
white paper on Bluetooth vulnerabilities and was the author of the
O'Reilly book "Network Security Hacks". He told us that BlueScanner
wasn't that hard to write, with the program coded from scratch in C++
and most of the Bluetooth scanning handled by Microsoft's Bluetooth
API and drivers. He told us that Bluetooth functionality is already
there in Windows, adding, "We just provide the interface to make it
more friendly."

Bluetooth scanning is nothing new, as Linux scanners have been
available for a few years. Earlier in the year, TomsNetworking brought
you a two-part series on how to build a "BlueSniper" long-range
Bluetooth gun. But this is the first time that someone has written a
"NetStumbler-like" program for finding Bluetooth devices with
Windows-based systems.

BlueScanner easily finds Bluetooth devices that have been placed in
"discoverable" mode and displays the device name, physical address,
device type (such as cellphone or computer) and available services.
Unlike NetStumbler, BlueScanner does not have GPS tracking, but you
can type in the location that you are scanning from. For example, if
you were using BlueScanner to search for devices in a multiple-story
building, you would start at the first floor and type in a location of
"First Floor".

In initial testing of BlueScanner, Lockhart found Bluetooth devices in
places that he expected and some that he didn't, saying, "I initially
didn't expect to find many devices. Sure there were many in the
airports, where you have a lot of business people, but I didn't expect
them to be in restaurants. I also found large amounts in just random
places." Lockhart even used BlueScanner at the Defcon computer
security convention in Las Vegas and found quite a few devices. While
you could assume that Defcon attendees would not have vulnerable
Bluetooth devices, Lockhart says, "I found quite a few phones that
would appear to be vulnerable and some people didn't bother to rename the
model number."

I played with BlueScanner in the TG Publishing office and also in the
press room of Blizzcon, Blizzard's recent gaming convention focusing on
World of Warcraft. In our office, BlueScanner immediately found
several devices including my Blackberry and another editor's T610
phone. Surprisingly, it also picked up a hands-free Bluetooth headset
in a BMW car parked about 75 feet away. I didn't expect a Bluetooth
signal to go that far and penetrate several walls. At Blizzcon,
BlueScanner found six devices in thirty seconds.

So why release such a program to the public? Back in the NetStumbler
days there were some people who believed the Wi-Fi-scanning program
could help hackers break into their computers. Lockhart isn't
concerned about ill-intentioned people using BlueScanner, saying, "We
are only here to increase awareness and the nefarious people already
knew about this stuff way way long ago." He also told us that he wants
people to realize just how many devices are in the environment.

Lockhart also said that he has found many Bluetooth devices in
conference rooms and around the office. He has even sent messages to
people's phones telling them that their Bluetooth is on. Some people
were shocked and Lockhart adds, "They didn't know where this message
was coming from. The phone beeps and they pull it out and see
something on the screen."

What's next for Lockhart? He is pretty tight-lipped about future
improvements of BlueScanner, but he has been playing around with a
$17,000 Bluetooth sniffer that can pull raw Bluetooth data from the
air. While the price tag may seem high, Lockhart told us that he has
seen the sniffers sell for as low as $1600 on eBay. With the sniffer,
he has discovered that a popular brand of phone/PDA syncs via
Bluetooth in clear text. Lockhart told us the model, but said, "Please
don't tell anyone because I want to call the company first."

So is it time to start worrying about Bluetooth? "The normal person
doesn't have to worry much, but it could be a concern for high-profile
people," says Lockhart. He explained that it might be possible to
monitor a person by tracking their phone, but the average person is
probably OK if they keep the phone in non-discoverable mode. Lockhart
summed it up simply by saying, "If you carry sensitive data, you may
want to check if you have Bluetooth in discoverable mode and if you
don't need Bluetooth, just turn it off. Just use common sense."

-=-

Related Links

Network Chemistry's BlueScanner 
http://www.bluescanner.org/
 
Airmagnet's BlueSweep 
http://www.airmagnet.com/products/bluesweep.htm

Building Your Own Bluesniper Rifle 
Part 1: http://www.tomsnetworking.com/Sections-article106-page1.php 
Part 2: http://www.tomsnetworking.com/Sections-article135.php
