BLUETOOTH SECURITY
(Written By: Sandeep Sinha, PGDM PT 2012-2015)
Bluetooth defines three security modes. Security Mode 1 provides no security enforcement, meaning that the device is effectively taking no steps to protect itself. Security Mode 2 enforces security at the service level. In this mode, a particular application might be relatively safe, but no additional device-level protection has been added. Security Mode 3 is the highest level of security, employing link-level enforced security mechanisms. Security Mode 3 protects the device itself from certain intrusions and, therefore, all of its services and applications.
All Bluetooth services have a default security level. Within service-level security there are also three levels: some services require both authorization and authentication before they can be used, some require authentication only, and some are open to all devices. Bluetooth devices themselves classify other devices into two levels of security, namely trusted devices and untrusted devices.
TYPES OF ATTACKS
There are a variety of attacks that can be employed against Bluetooth devices, many with colorful names such as blue bugging, blue bumping, blue dumping, blue jacking, blue smacking, blue sniffing, blue spoofing, blue stabbing, blue toothing, and car whisperer. All take advantage of weaknesses in Bluetooth that allow an attacker unauthorized access to a victim's phone. It is imperative to note that while Bluetooth is commonly associated with networks limited in scope to 100 m, attacks on Bluetooth devices have been documented at ranges in excess of 1,500 m using Bluetooone.
One common approach to hacking Bluetooth devices is to employ malformed objects, which are legal files exchanged between BT devices that contain invalid information, thus causing unexpected results. When a Bluetooth device receives a malformed object, such as a vCard or vCal file, the device may become unstable or fail completely. Alternatively, an attacker might also use a vCard or vCal file to inject commands allowing the attacker to take control of the device. This kind of attack can be very harmful to a phone.
Some of the common attacks on Bluetooth devices include:
• Bluebugging: An extraordinarily powerful attack mechanism, bluebugging allows an attacker to take control of a victim's phone using the AT command parser. Bluebug allows an attacker to access a victim's phone in order to make phone calls, send short message service (SMS) messages, read SMS messages stored on the phone, read and write contact list entries, alter phone service parameters, connect to the Internet, set call forwarding, and more.
• Bluejacking: The sending of unsolicited messages to open Bluetooth devices by sending a vCard with a message in the name field and exploiting the OBEX protocol.
• Bluesmack: A Bluetooth analog of the Ping-of-Death denial-of-service attack. This is a buffer overflow attack using L2CAP echo messages.
• Bluesnarf and Bluesnarf++: Attacks allowing for the theft of information from a Bluetooth device using the OBEX Push Profile. The attacker needs only find a phone that has Bluetooth in discoverable mode. Bluesnarf works by connecting to most Object Push Profile services and, instead of sending vCard information as expected, retrieving the file names of known files from the Infrared Mobile Communications (IrMC) list. With these attacks the hacker can retrieve items such as the phonebook, calendar, and other personal information. With Bluesnarf++, the attacker has full read and write access to the file system of the phone. When an attacker is connected via the OBEX Push Profile, he/she has full access to the victim's phone without having to pair the two devices. The biggest risk with this function is that an attacker can delete crucial file system files, rendering the victim's device useless. In addition, the attacker can access any memory cards that are attached to the device.
• Helomoto: Helomoto is functionally similar to the Bluebug attack but takes advantage of poor implementations of "trusted device" handling on some phones. As in Bluebug attacks, the attacker pretends to send a vCard to an unauthenticated OBEX Push Profile on the victim's phone. Once started, the attacker interrupts the transfer process, and the victim's phone then lists the attacker's phone as a trusted device. The attacker can then connect to the victim's phone and take control of the device by issuing AT commands. This attack is so named because it was first discovered on Motorola phones.
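The Bluesmack entry above describes oversized L2CAP echo requests. The following is an added detection example, not code from the original article: it parses L2CAP basic frames (4-byte header: little-endian length and channel ID; the signaling channel is CID 0x0001 and the echo request command code is 0x08, per the Bluetooth Core specification) and flags echo requests that are either malformed or larger than a policy threshold. The threshold value and the sample frames are constructed for this example.

```python
import struct

L2CAP_SIGNALING_CID = 0x0001   # signaling channel carries echo requests
ECHO_REQUEST = 0x08            # L2CAP signaling command code for echo request
MAX_ECHO_PAYLOAD = 64          # assumed policy threshold for this example

def parse_l2cap(frame: bytes):
    """Split an L2CAP basic frame into (cid, payload); reject length mismatches."""
    if len(frame) < 4:
        raise ValueError("truncated L2CAP header")
    length, cid = struct.unpack_from("<HH", frame, 0)
    payload = frame[4:]
    if len(payload) != length:
        raise ValueError(f"length field {length} != payload {len(payload)}")
    return cid, payload

def inspect_echo_requests(frames):
    """Return (frame_index, reason) for every suspicious or malformed echo request."""
    findings = []
    for i, frame in enumerate(frames):
        try:
            cid, payload = parse_l2cap(frame)
        except ValueError as e:
            findings.append((i, f"malformed frame: {e}"))
            continue
        if cid != L2CAP_SIGNALING_CID or len(payload) < 4:
            continue                      # not a signaling command, ignore
        code, _ident, cmd_len = struct.unpack_from("<BBH", payload, 0)
        if code != ECHO_REQUEST:
            continue
        data = payload[4:]
        if cmd_len != len(data):
            findings.append((i, "echo command length mismatch"))
        elif cmd_len > MAX_ECHO_PAYLOAD:
            findings.append((i, f"oversized echo request ({cmd_len} bytes)"))
    return findings

def sample_frame(ident: int, data: bytes) -> bytes:
    """Constructed test input: a well-formed L2CAP echo request carrying data."""
    cmd = struct.pack("<BBH", ECHO_REQUEST, ident, len(data)) + data
    return struct.pack("<HH", len(cmd), L2CAP_SIGNALING_CID) + cmd

# Constructed sample traffic: a benign echo, an oversized one, and a truncated one.
SAMPLE_FRAMES = [
    sample_frame(1, b"ping"),
    sample_frame(2, b"A" * 600),
    sample_frame(3, b"hi")[:-1],
]
```

Running `inspect_echo_requests(SAMPLE_FRAMES)` reports frames 1 and 2 and leaves the benign echo alone; the same check can be applied to an HCI capture to baseline normal echo traffic before alerting.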
These attacks are only a few of those that can be launched against Bluetooth interfaces in phones, laptops, and even automobiles. E-Stealth and Laurie et al. offer information about a wide range of attacks that can be launched via Bluetooth vulnerabilities.