Bluetooth Security

From Computing and Software Wiki

Bluetooth was first defined in 1994 by Jaap Haartsen and Sven Mattisson in Lund, Sweden. The specification was later formalized and announced on May 20, 1998. Since its first version, Bluetooth technology has faced numerous major security concerns that have threatened user privacy over the last decade. With the latest specification, v2.1, most of these concerns have been corrected, though making the technology safe has always been, and remains, an "on-going process". [2]

Bluetooth Hack
Mobile phone ownership has grown to over 1.5 billion users, which has also led to a rise in malware on mobile devices. [9]

Despite every effort from the Bluetooth Special Interest Group, numerous Bluetooth security exploits are still available and easily accessible on the Internet. It is therefore crucial for end users to recognize the importance of Bluetooth security and to apply every available security measure to protect their privacy. The purpose of this Wiki page is to provide brief descriptions of the most common Bluetooth security exploits and to raise readers' awareness so that they can protect their privacy.

Brief description of Bluetooth

Bluetooth technology provides easy wireless communication between two Bluetooth devices within a range of 10 to 100 m. After years of development, the final Bluetooth technology uses the free and globally available 2.4 GHz Industrial-Scientific-Medical (ISM) radio band, which is unlicensed for low-power use, and allows data to be shared with a throughput of up to 723.2 Kbps, or 2.1 Mbps with the Enhanced Data Rate specification released in 2005. [4]


Overview of the Bluetooth Security Concern

"Bluetooth implements confidentiality, authentication and key derivation with custom algorithms based on the SAFER+ block cipher." [1] However, like any technology, it inevitably faces security threats as it evolves. Major cell-phone companies have admitted to faulty or unsafe Bluetooth implementations, and even now it is quite easy to find Bluetooth hacking mechanisms on the Internet. To keep their privacy safe, users need to be aware of most, if not all, possible security threats.


Basic Built-in (Available) Security Features

Three levels of security modes

By its specification, Bluetooth offers three modes of security:

  • Security Mode 1: non-secure
  • Security Mode 2: service level enforced security
  • Security Mode 3: link (device) level enforced security

At its highest level, the security mode requires authorization and authentication (identification) of the devices at both ends of the connection.

Non-discoverable mode

Non-discoverable mode is a well-known security mechanism that prevents a Bluetooth device from appearing in the list during a Bluetooth device search. Although the device may still be visible to devices it has communicated with at least once before, this feature should prevent most high-profile attacks.


Known Bluetooth Security Holes

Brute force Bluetooth address discovery

Although a user can choose to make a Bluetooth device "undiscoverable", malicious hackers may still be able to discover such hidden devices through brute-force Bluetooth address discovery. In fact, applications such as RedFang by Ollie Whitehouse try connecting to Bluetooth addresses one by one until a hidden device finally responds to the request.

Each Bluetooth device is assigned an address in which many fields are predefined by its manufacturer, device type, and device model. For instance, the addresses of most Sony Ericsson P900 cell phones start with the 7 hex digits 00:0A:D9:E. Moreover, some P900 phones have been found to have the same Bluetooth address, 11:11:11:50:11:11. [4] Given such patterns, a brute-force address search becomes simpler, as most of the fields can be predicted in advance.
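
The effect of predictable address fields on the search space, as an added example that is not part of the original wiki page: it audits a device inventory for the two weaknesses described above. The function names and the inventory are constructed for illustration; only the P900 prefix and the shared address come from the text.

```python
import math
from collections import Counter

# Constructed sample inventory; the duplicated value is the shared
# P900 address quoted in the text, the others are made up.
INVENTORY = ["00:0A:D9:E1:23:45", "11:11:11:50:11:11",
             "11:11:11:50:11:11", "00:1B:3C:44:55:66"]

# Prefixes an observer can predict in advance. Only the P900 pattern
# (7 hex digits) comes from the text.
KNOWN_PREFIXES = {"00:0A:D9:E": "Sony Ericsson P900"}

ADDR_DIGITS = 12  # a Bluetooth device address is 48 bits = 12 hex digits


def hex_digits(text):
    """Strip separators from an address or partial prefix and validate it."""
    digits = text.replace(":", "").replace("-", "").upper()
    if not 0 < len(digits) <= ADDR_DIGITS or set(digits) - set("0123456789ABCDEF"):
        raise ValueError(f"not a Bluetooth address or prefix: {text!r}")
    return digits


def remaining_candidates(prefix):
    """Number of addresses left to try once `prefix` is already known."""
    return 16 ** (ADDR_DIGITS - len(hex_digits(prefix)))


def audit(inventory, known_prefixes):
    """Report, per distinct address, how little a search still has to guess."""
    counts = Counter(hex_digits(a) for a in inventory)
    findings = []
    for digits in sorted(counts):
        if len(digits) != ADDR_DIGITS:
            raise ValueError(f"incomplete address: {digits}")
        candidates, issues = 16 ** ADDR_DIGITS, []
        for prefix, label in known_prefixes.items():
            if digits.startswith(hex_digits(prefix)):
                candidates = min(candidates, remaining_candidates(prefix))
                issues.append(f"predictable prefix {prefix} ({label})")
        if counts[digits] > 1:
            issues.append(f"address shared by {counts[digits]} devices")
        findings.append({"address": digits, "candidates": candidates,
                         "unknown_bits": math.log2(candidates), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, KNOWN_PREFIXES):
        print(finding)
```

With 7 of the 12 hex digits known, the hidden part of the address shrinks from 48 bits to 20 bits, which is why non-discoverable mode alone offers limited protection for such devices.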


Bluejacking
Bluejacking.cz forum available. [http://www.bluejacking.cz/index.php].

Bluejacking

Bluejacking involves 'bluejackers' sending a text message, image or sound to a 'bluejacked' Bluetooth device. Upon receiving the vCard, the unsuspecting user may accept the message, thereby automatically adding the contact to the address book. The 'bluejacker' thus becomes a legitimate sender, and all further messages from that sender are opened automatically, regardless of the user's wishes.




BloooverII
Features several bluetooth related attacks. [Bluejacking Tools].

Bluesnarfing

Bluesnarfing works in the same way as bluejacking. Through the OBEX protocol, the bluesnarfing software connects to the target Bluetooth device and pulls phonebook or calendar files. Bluesnarfed Bluetooth devices are at risk of privacy invasion, so the damage is much greater than that of bluejacking. [7]



BlueBug
BlueBug is the name of a bluetooth security loophole. [9].



Bluebugging

Simply put, bluebugging, when it succeeds, allows complete takeover of the target Bluetooth device. Due to faulty implementations, early Bluetooth-equipped phones suffered from this vulnerability, and most have been corrected through firmware upgrades. [7]




PIN Cracking

It has previously been suggested that a "sniffer" could monitor traffic between Bluetooth devices and recover a user PIN. "A sniffer records Bluetooth packets and can decode the packets to determine the information contained in them." [7] The PIN cracking process becomes much simpler and faster when relatively short (say, 4-digit) PINs are chosen.



History of Security Concerns

Since 2003, there have been major Bluetooth security concerns arising from its specifications and from incorrect implementations. Please refer to the 'History of security concerns' section of the Bluetooth article on Wikipedia. [1]


Raising Awareness

The Bluetooth Special Interest Group (SIG) is a privately held, not-for-profit trade association. As the SIG puts it, "The reality is the encryption algorithm in the Bluetooth specifications is secure." ... "Cases where data has been compromised on mobile phones are the result of implementation issues." [2]

"If it is a specification issue, we work with members to create patches and ensure future devices don't suffer the same vulnerability. This is an on-going process. The recently reported issues of advanced "hackers" gaining access to information stored on select mobile phones using Bluetooth functionality are due to incorrect implementation." [2]

At the same time, the SIG and all manufacturers of Bluetooth devices are working together to ensure that the technology is safe to use and to make it the preferred wireless technology for connecting diverse devices.


References

  1. Bluetooth. Retrieved on April 5, 2008, from <http://en.wikipedia.org/wiki/Bluetooth>
  2. Bluetooth Security. Retrieved on April 5, 2008, from <http://www.bluetooth.com/Bluetooth/Technology/Works/Security/>
  3. How Bluetooth Works. Retrieved on April 5, 2008, from <http://electronics.howstuffworks.com/bluetooth.htm>
  4. Bluetooth Security Review, Part 1. Retrieved on April 5, 2008, from <http://www.securityfocus.com/infocus/1830>
  5. Bluetooth Security Review, Part 1. Retrieved on April 5, 2008, from <http://www.securityfocus.com/infocus/1836>
  6. Bluejacking. Retrieved on April 6, 2008, from <http://en.wikipedia.org/wiki/Bluejacking>
  7. The Bluejacking, Bluesnarfing, Bluebugging Blues: Bluetooth Faces Perception of Vulnerability. Retrieved on April 6, 2008, from <http://www.wirelessnetdesignline.com/showArticle.jhtml?articleID=192200279>
  8. OBEX Protocol. Retrieved on April 6, 2008, from <http://en.wikipedia.org/wiki/OBEX>
  9. Handheld hazards: The rise of malware on mobile devices. Retrieved on April 6, 2008, from <http://linkinghub.elsevier.com/retrieve/pii/S1361372305702104>
  10. BlueBug. Retrieved on April 6, 2008, from <http://trifinite.org/trifinite_stuff_bluebug.html>


Last revised by: Parkhb 19:08, 6 April 2008 (EDT)