From Bluetooth to RedFang
Going wireless has so far meant trading in desk phones for cell phones and desktops for laptops. It hasn’t meant going completely wireless any more than the paperless office has completely eliminated paper; after all, a cell phone connects to a headset with a wire, and unless you’ve got an elaborate wireless print server configured in your home office, you probably connect your laptop to a printer with a cable. But the promise of going completely wireless is now closer than ever. The reason: an increasing number of devices can use a short-range wireless protocol called Bluetooth.
Creative business applications for this emerging technology that go far beyond cell phones and home networks are hitting the market regularly. Companies are rolling out Bluetooth-enabled medical devices (such as a wrist-worn sensor that transmits pulse data to a monitor), consumer appliances (including microwave ovens, refrigerators, and washers and dryers), and office goods (for example, a whiteboard that transmits notes as they’re written). Properly implemented, tools like these could be timesavers or even lifesavers. However, the growing number of Bluetooth devices also means that there’s a lot of personal and financial information going through the air. Any business considering such applications must first understand what the technology is, how it works, and the nature of the risks and rewards.
Origins. Bluetooth, whose name is taken from a tenth-century Danish king, is a trade name that refers to a short-range wireless specification for a low-power radio chip created in the late 1990s. Devices that are Bluetooth-enabled—these include computers and laptops, mobile phones, printers, and PDAs—can communicate with each other over short distances in what’s known as a personal-area network (PAN).
An association of professionals called the Bluetooth Special Interest Group (SIG), founded in 1998, owns the Bluetooth trademark and licenses the use of the trademark and standards. Member companies write the specifications, and the SIG publishes them and runs qualification programs in which manufacturers test their devices, explains Michael Foley, executive and technical director of the SIG.
Any vendor that wants to use the Bluetooth technology in a product must be a member of the SIG. The more than 3,000 member companies of the Bluetooth SIG include well-known giants from the telecommunications, computing, automotive, industrial automation, and network sectors, such as Ericsson, IBM, and Intel, as well as many small tech companies.
There are three classes of Bluetooth devices, says Foley. Each class has a different range. Class 1 devices have a range of about 100 meters; Class 2 extends to about 20 meters; and Class 3 reaches to about 10 meters.
The specifications are changing continually. For example, one relatively new specification “describes how to stream stereo audio over a Bluetooth link,” Foley says. This type of “profile specification” defines how different devices interoperate and allows for new types of products such as stereo headsets for portable CD or MP3 players.
Applications. Whatever the range, Bluetooth is not designed to transfer large amounts of data quickly, so it’s not competing with other types of wireless technologies. The chips don’t need much power to work, meaning that they are a good fit for small devices such as phones.
Cell phones that use Bluetooth have been available in Europe for some time. But the protocol is starting to gain acceptance in the United States market as well, and market researcher In-Stat predicts an explosion of Bluetooth chipsets from 69 million in 2003 to 720 million in 2008. New hands-free driving laws have provided an added impetus for the use of Bluetooth headsets in the United States.
In addition, the protocol is increasingly being built into new laptops and PDAs, and vendors like Iogear are coming out with new products designed to take advantage of Bluetooth PANs. Joseph Zhang, Bluetooth product manager for Iogear, which makes wireless networking devices, says that Iogear has built a USB dongle that fits into a computer’s USB port and instantly Bluetooth-enables that computer, and a Bluetooth print adapter that fits into a printer’s port and allows a Bluetooth-enabled computer to communicate with it wirelessly.
How it works. To create a PAN, users need to “pair” the authorized Bluetooth-enabled devices that will constitute the network, which typically takes only a few keystrokes. Steve Rhorer, director of marketing for electronics giant Toshiba, gives the example of a Bluetooth-enabled laptop that will be paired with a similarly enabled printer.
“I just turn on the laptop, and it will show me all the Bluetooth-enabled devices that I have the ability to connect to and communicate with,” he says. “Then I simply open the print driver, select the Bluetooth printer I’m printing to, and the document will be sent wirelessly to that printer.”
Zhang says that an authentication passkey is shared during the pairing process, which typically requires a user to enter a password. Many devices that don’t have user interfaces (a headset, for example) have a static password that cannot be changed.
Devices that have been paired remain paired, even if one is turned off or taken out of range; they don’t need to be paired again each time they’re used, and passwords don’t need to be repeatedly entered. As many as eight devices can be connected in a PAN. Data sent within the PAN is encrypted with 128-bit encryption.
Devices can be left in discoverable mode, meaning that they can be seen by other Bluetooth devices. For example, in an office a Bluetooth printer might remain discoverable so that all employees in a shared area can send a print job wirelessly. They can also be left in nondiscoverable mode, meaning that they do not respond to queries from other devices and are invisible to the typical Bluetooth device. The discoverability function is often turned on by default to make it easier for users to set up PANs and for Bluetooth cell phones to be able to locate nearby Bluetooth users.
Security risks. Bluetooth has some built-in security measures (such as the encryption mentioned previously), but when technology advances, security risks are sure to follow. So it has been with Bluetooth.
Some of the risks are the result of savvy engineers simply tweaking the protocol to make it work more productively. In this category are projects to widen Bluetooth’s range. The protocol’s small footprint—particularly as compared with traditional wireless networks—has been considered a level of protection; after all, if devices are able to communicate only within a few feet of each other, it becomes much more difficult for an attacker to even locate a network.
But not anymore. For example, U.K.-based IT consultancy Pentest Limited has released research showing an easy way to add a small but powerful antenna to a Bluetooth USB dongle. Tests run by Pentest found that using these altered dongles increased the protocol’s range to more than 240 meters. This could conceivably allow someone outside a building—say, sitting in a parking lot—to see a PAN inside, says Tim Hurman, a security consultant with Pentest. It also means that Bluetooth PANs are subject to the same threat of eavesdropping as more traditional wireless networks. (More later on software tools such as RedFang and btscanner that can locate these networks.)
A proof-of-concept high-power antenna called BlueSniper was unveiled in 2004 at the computer-security conference known as DefCon. The device looks alarmingly like a rifle with a high-power scope that has an antenna instead of a barrel. Its creators aimed it out a hotel window and were able to “see” a Nokia phone more than a mile away.
Bluesnarfing. Adam Laurie, a network security expert who is chief security officer of The Bunker, a secure colocation facility in the U.K., discovered flaws in Bluetooth that allowed several types of attacks, including one he has dubbed “bluesnarfing” (“snarfing” is techie jargon meaning to take unauthorized copies of information).
Bluesnarfing, explains Laurie, “is basically the ability over the Bluetooth channel to make an unauthorized connection to a phone and copy the contents of the phone book, calendar,” and some technical details including the phone’s IMEI number—a unique numerical identifier of cell phones that forgers need to clone a phone. Laurie alerted the Bluetooth SIG, but it wasn’t until he posted the research on security newsgroups such as BugTraq, he says, that the SIG responded to him and provided technical contacts with whom he could discuss the problem.
The problem with bluesnarfing goes far beyond loss of privacy, Laurie explains. He tells the story of demonstrating bluesnarfing to a friend who managed a chain of coffee shops. She moved around among her multiple shops, so in her cell phone she made electronic notes about the shops that she managed, including door PIN codes, alarm codes, and the safe combination. Laurie was able to easily extract all that information from her phone without her knowledge. He adds that it’s not uncommon for cell-phone owners to use their phones as electronic repositories for data, all of which can be vulnerable to attack.
Austrian IT-security researcher Martin Herfurt conducted bluesnarfing experiments at CeBIT 2004, a heavily attended computer exhibition held annually in Germany. Herfurt found that he could snarf 44 of 135 Nokia 6310i phones that passed by his booth (other types of phones were vulnerable as well). In a white paper on the experiment, Herfurt notes that he could have sent a text message from, initiated a phone call from, or even created a new phone-book entry on the vulnerable phones.
Laurie himself carried out his own experiment to see how many vulnerable phones he could find. “I went into the Houses of Parliament and found 46 Bluetooth-visible phones in the space of 15 minutes within the lobby of the House of Commons and the House of Lords,” he says. Each was vulnerable to bluesnarfing. “On the London Underground during rush hour, I found over 300 devices in the space of about an hour and a half,” he says, adding that in London he can find a new target every ten seconds or so.
Bluebugging. Some Bluetooth attacks seem custom-made for spies, corporate and otherwise. The vulnerabilities Laurie discovered also make possible a type of attack he calls bluebugging. This is a more serious attack than bluesnarfing, which gives access only to limited parts of a Bluetooth device. Bluebugging “gives you the ability to take full control of the [victim’s] phone itself to a level where you can make calls, send SMS [text] messages, read received SMS messages, edit the phone book, delete entries, whatever you want,” says Laurie, who is now working with Martin Herfurt to test the limits of this capability.
Laurie explains the risk of bluebugging, again through an anecdote in which his friend has played the victim. “I’ve actually done it as a test to a friend who was sitting in a pub chatting up two girls. He had his phone sitting on the table in front of him. I basically connected to his phone, had it dial my voicemail, and recorded the conversation and played it back to him later,” Laurie says.
All this was accomplished without his friend having any idea of what was happening. Laurie adds that he could have done the same for any other Bluetooth phone in the pub.
RedFang. Devices in nondiscoverable mode should be invisible, but according to prominent Bluetooth researcher Ollie Whitehouse of IT consultancy @stake, that’s not the case. Whitehouse has designed a software tool called RedFang that can discover Bluetooth devices that have been set to be nondiscoverable.
“RedFang was originally released as a proof-of-concept research tool back in 2003,” Whitehouse says. He explains that Bluetooth devices have addresses, similar to the MAC (media access control) address that every networked computer has—a unique numerical identifier for a particular device. Half of the Bluetooth address identifies a particular vendor; the other half is specific to a particular device. So, Whitehouse says, RedFang tries to “brute-force the entire Bluetooth address space asking for a device’s name,” and if a legitimate name is found, even devices in nondiscoverable mode can be seen. Once the devices are discovered, they become exposed to threats such as bluesnarfing.
Btscanner. Pentest has released a software tool called btscanner, which is designed to extract information from a Bluetooth device without having to pair with it, meaning that it operates noninvasively and, therefore, invisibly. Hurman notes that the current version of btscanner can only find information about discoverable devices (such as channel information and a list of services running); but if those devices are discovered using RedFang, for example, then btscanner can learn enough about them to provide a potential weak point to a determined attacker.
Other risks to Bluetooth devices are still theoretical, but research continues apace. These include attacks on the pairing process and viruses.
Purloined pairing. Research by Whitehouse notes that an attacker working with an antenna at long range (such as one built by Pentest) can potentially exploit Bluetooth devices by watching the pairing process, where two devices such as a PDA and a computer are paired into a personal-area network. During this process, a user is prompted to enter a PIN to establish the relationship between the two. If an attacker can observe the bonding process, that can yield information that can help crack the PIN used for bonding as well as the keys used to encrypt data, according to Whitehouse, thus giving the attacker the ability to capture, decode, and expose any transferred information.
Cracking the PIN is typically a simple matter, Whitehouse says. “In @stake’s testing, if the user uses a six-digit PIN, then it will take an attacker approximately 12.5 seconds to recover this PIN and all associated information,” he says.
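To put numbers on the two brute-force passages above (RedFang’s address-space search and the PIN recovery described by @stake), here is an added example that is not code from the article, from RedFang, or from @stake. It splits a 48-bit Bluetooth device address into the NAP/UAP/LAP fields defined by the Bluetooth specification, sizes the search an exhaustive name query must cover when the vendor half is known, and sizes a numeric PIN space; the guess rates are assumed figures, not measurements.

```python
"""Added example (not from the article, RedFang or @stake): why nondiscoverable
mode is obscurity rather than a control, and why short numeric PINs fall fast.
Guess rates passed to expected_seconds() are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BdAddr:
    nap: int  # Non-significant Address Part, upper 16 bits
    uap: int  # Upper Address Part, 8 bits; NAP+UAP form the 24-bit vendor OUI
    lap: int  # Lower Address Part, 24 bits, device-specific

    @classmethod
    def parse(cls, text: str) -> "BdAddr":
        """Parse the usual colon-separated hex form, e.g. 00:11:22:33:44:55."""
        parts = text.strip().split(":")
        if len(parts) != 6 or not all(len(p) == 2 for p in parts):
            raise ValueError(f"not a BD_ADDR: {text!r}")
        b = [int(p, 16) for p in parts]
        return cls(nap=(b[0] << 8) | b[1], uap=b[2],
                   lap=(b[3] << 16) | (b[4] << 8) | b[5])

    @property
    def oui(self) -> int:
        """Vendor prefix: the half of the address the article says identifies the maker."""
        return (self.nap << 8) | self.uap

    def __str__(self) -> str:
        return "%02X:%02X:%02X:%02X:%02X:%02X" % (
            self.nap >> 8, self.nap & 0xFF, self.uap,
            self.lap >> 16, (self.lap >> 8) & 0xFF, self.lap & 0xFF)


def address_candidates(vendor_known: bool) -> int:
    """Addresses an exhaustive name query must try: only the device half when the
    OUI is known (vendor prefixes are published), the full 48 bits otherwise."""
    return 1 << 24 if vendor_known else 1 << 48


def pin_candidates(digits: int) -> int:
    """Number of all-numeric PINs of the given length, as in the @stake test."""
    if digits < 1:
        raise ValueError("PIN needs at least one digit")
    return 10 ** digits


def expected_seconds(candidates: int, rate_per_second: float, parallel: int = 1) -> float:
    """Mean time to hit the right value when candidates are tried in an order
    unrelated to the target: half the space over the aggregate guess rate."""
    if rate_per_second <= 0 or parallel < 1:
        raise ValueError("rate must be positive and parallel must be >= 1")
    return candidates / 2 / (rate_per_second * parallel)


if __name__ == "__main__":
    # Constructed sample address; its OUI is not claimed to belong to any vendor.
    addr = BdAddr.parse("00:11:22:33:44:55")
    print(f"{addr}: vendor OUI {addr.oui:06X}, device part {addr.lap:06X}")
    # Assumed rate of 1,000 name queries per second from one dongle.
    hours = expected_seconds(address_candidates(True), 1000.0) / 3600
    print(f"hidden device found in about {hours:.1f} h on average (assumed rate)")
    print(f"6-digit PINs to try: {pin_candidates(6):,}")
```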
But how feasible would such an attack be? Adam Laurie posits that an attacker going for a specific target could arrange for it to happen. “For example, you send somebody a gift of a headset, and you know they’re going to switch it on and pair with it,” he says. He suggests it could be done anonymously by telling the recipient that he or she has won a prize.
“If you’re in the vicinity and you know that event is going to occur, you could arrange that you sniff all the traffic and so you will witness that pairing,” he says. Then the attacker would be able to listen in on conversations as they passed between the phone and the headset. Again, this scenario is easy to imagine being carried out at a trade show by a rival eager to eavesdrop.
Viruses in the air. Airborne viruses and worms aimed at wireless electronics are already in existence, though virus writers are so far targeting cell phones more than other types of Bluetooth devices that are still comparatively rare. But, says Hurman, there’s little doubt that Bluetooth will ultimately be subject to the same types of attacks that other products are.
Hurman has already found that some Bluetooth devices are subject to buffer overflow attacks in products made by WIDCOMM, which supplies Bluetooth software to a range of well-known hardware manufacturers from Alcatel to Sony. (Buffer overflow attacks target the same type of software vulnerabilities that plague conventional software and allow viruses and worms to spread.) Hurman also notes that with some development, hackers would be able to use a buffer overflow attack to run their own code on vulnerable devices. Pentest reports that this vulnerability was corrected in newer releases of the software, but it helps confirm that Bluetooth’s threatscape is likely to be similar to that of the wired and longer-range wireless worlds.
Joe Lawless, director of global data networks at UPS, agrees that while the virus threat is still largely theoretical, it’s “just a matter of time” until attackers learn to exploit the protocol “to inject viruses into our system.”
One primitive attempt at this type of virus—Cabir—has already been developed as a proof-of-concept worm (that is, one not found “in the wild” but strictly within research labs). With some user help, Cabir would propagate itself wirelessly to the first Bluetooth phone it found itself near.
Cabir is not considered a major threat, because users would have to allow two software installations before it would work. But it proves that “both cell phones and Bluetooth attack targets or vectors are valid,” says Whitehouse. “If, for example, this method of propagation can be taken and combined with another vulnerability to get around the requirement for user interaction, then there could be some interesting impacts when combined with a malicious payload such as people having their SMS inbox being sent to a random telephone number.”
Pushing problems. Some attacks on Bluetooth are more annoyances than security concerns. However, it’s important to remember that spam was at first considered an annoyance that only later began to work as a vector for spreading worms and viruses.
Security researchers say that many of the annoying attacks directed against mobile phones can happen because of the way that some cell-phone companies implement the protocol known as object exchange (OBEX) that allows two Bluetooth-enabled devices to share information. These types of attacks work by pushing data onto a Bluetooth device rather than pulling data off a device (as with bluesnarfing).
For example, German Bluetooth researcher Collin Mulliner released a software tool called BlueSpam that “searches for all discoverable Bluetooth devices and sends a file to them (spams them) if they support OBEX,” according to Mulliner’s Web site.
A practice called bluejacking similarly pushes text or pictures to other Bluetooth devices. It’s not necessarily a malicious practice; rather, according to a description on the Bluetooth.org Web site, it’s the perfect way for the painfully timid to contact a nearby stranger to “gauge his or her interest in meeting, to send a compliment, or to send a picture.” Nor does bluejacking infiltrate a Bluetooth device and threaten to expose its contents. Rather, it simply takes advantage of one of Bluetooth’s features.
But it can also be a way to send a more hostile or threatening message anonymously to an unwitting victim. A forum on a Web site dedicated to bluejacking features stories from those who have bluejacked unsuspecting members of the public. One anecdote from the forum took place on a train, where a message was sent telling a man, who was sitting behind the bluejacker, to look under the seat. After a nervous moment trying to figure out where the message came from, the man began to feel around under the seat, to the amusement of the bluejacker. It’s easy to imagine how a practical joke like this could cause panic or be used to make threatening statements with relative anonymity.
Fred Hoit, who manages the wireless LAN department at UPS, which recently installed a host of Bluetooth devices, says that UPS has tried to eliminate any potential threats from OBEX by not using the protocol at all. He adds that the company worked with its vendors to analyze and test the devices in use to ensure that they were not subject to these types of attacks. (For more on the UPS installation, see sidebar, page 80.)
Sniffers. Sniffers are software programs that are used to discover the existence of wireless networks. Once located, devices on these networks are potentially vulnerable to the attacks mentioned.
One proof-of-concept sniffer from Adam Laurie called bluestumbler can monitor and log all visible Bluetooth devices in a particular area and identify the devices’ manufacturers. It can obtain, monitor, and log data such as signal strength, address, and manufacturer from Bluetooth devices. Its name and function derive from Netstumbler, a freeware program that identifies similar information about traditional wireless networks.
A similar tool is bluesniff, designed by The Shmoo Group, a loose connection of security professionals who conduct IT security research in their free time. Bluesniff allows an attacker with a laptop and an antenna to sniff out Bluetooth networks and map them using GPS, to make it easier for the attacker to return to a Bluetooth PAN. The group hopes next to integrate bluesniff into more traditional wireless-network scanning tools such as AirSnort, also a product of this group, which monitors wireless transmissions and collects enough information to crack encryption keys.
Disclosure. The Bluetooth SIG’s Michael Foley maintains that Bluetooth’s security model remains secure; he says that it is the various vendor implementations of the specifications that have had problems. “That’s still a significant issue,” he admits. “From an end-user’s perspective, it’s a fine line between the specification being bad or the implementation being bad. To them it’s just that their device has a potential security risk.”
Foley says that the SIG has an expert group focused on security that works proactively to ensure that new specifications don’t include any known vulnerabilities. “We’re confident that when we publish a specification, we’ve tried to look at it from every angle and plug any potential holes,” he says. But he recognizes that it’s likely to be a cat-and-mouse game between plugging holes and discovering new ones.
Companies that make Bluetooth products have not been sitting idly by as the security threats mount. For example, phone makers like Nokia have been updating the software in their handsets to prevent bluesnarfing.
Meanwhile, new applications are hitting the market regularly, including, Laurie says, one bank that hopes to issue Bluetooth keyfobs to customers that will allow account information to pop up on tellers’ screens as the customer reaches the counter. Properly implemented, tools like this could be conveniences, but they could also lead to theft of information.
Bluetooth is only just starting to get to the point where the work of security researchers is being taken seriously. “It’s like going back five years to the early days of the Internet,” Laurie says. “Someone goes to a software vendor saying we’ve found a flaw in your product, and their reaction is to deny everything, put their head in the sand,” and hope the problem goes away.
Laurie adds that progress is being made, with manufacturers open to the “full disclosure” model when researchers approach companies with vulnerabilities and then work together to fix the problem and not announce it until there’s a fix. The biggest hurdle, he says, is convincing them that he’s not the bad guy.
The proliferation of tools to sniff out or attack Bluetooth devices highlights the digital arms race between manufacturers and attackers. Any company considering rolling out Bluetooth devices should brush up on the risks to help avoid the blues.
Peter Piazza is an associate editor at Security Management.