Information Security News
mailing list archives
Bluejacking ain't hijacking
From: InfoSec News <isn () c4i org>
Date: Mon, 24 Nov 2003 01:33:53 -0600 (CST)
http://www.theregister.co.uk/content/69/34139.html
By John Leyden
Posted: 21/11/2003
Letter - Last week we reported on preliminary research from security
firm A.L. Digital which suggested a number of security problems with
Bluetooth-enabled mobile phones from Nokia and Ericsson. The paper
argued that digital pickpockets could swipe address books and data
from mobile phones because of security shortcomings in the
implementation of Bluetooth by the manufacturers.
Not so, says Nick Hunn, who in addition to his day job at TDK Systems
is a long-standing proponent of and expert on Bluetooth. Nick reckons
A.L. Digital's research gives little cause for concern. The easiest
way to get data off a mobile phone is to steal it, according to Nick:
-=-
Having just read the article on The Reg, I'd like to explain a bit
more about the issues raised. The Laurie père et fils article jumps
between some observations about technology and scare mongering without
paying too much attention to actual implementation and user models.
The recent Bluejacking stories describe a way that Bluetooth users can
push messages onto other users' handsets. This uses the same basic
OBEX (Object Exchange) stack that was developed for Infrared and used
to acclaim in the Palm for "beaming" business cards and applications.
When used on Bluetooth phones it behaves in the same way - a user is
alerted to a message which they can then read.
Bluejacking isn't hijacking
Despite the name it doesn't hijack the phone or suck off the
information - it simply presents a message. The recipient can ignore
it, read it, respond or delete it. After beaming became such a success
on the Palm it seems a little unfair to castigate it on mobile phones
just because it is becoming a youth culture rather than an implied
serious business use.
Snarfing is more interesting. If it were possible it would be
damaging, but we've yet to find out how to do it. We've been playing
with Bluetooth devices at all levels of the protocol stack for six
years and have yet to find a commercial device we can hack into.
That's not for want of trying.
Pairing up
To get access you need to pair with a device. Whenever another device
requests a pairing, the user of the targeted handset is presented with
a message along the lines of "Device xyz is attempting to pair. Enter
your password." The password must be the same as the one on the device
attempting to pair - in other words you don't know it unless the
person trying to hack into your phone comes over and tells you. If
they're going to do that it's probably much easier for them to grab
your phone and leg it.
A.L. Digital talk about the risk of removing a pairing from a
previously paired device. They don't mention how that device was
paired in the first place, but imply this is a major threat. Given
that you have to know and have made a conscious effort to pair in the
first place I don't see how it is. It is like giving somebody you meet
in the street your house key, not changing the locks and then being
surprised when the family silver goes missing.
Show us the vulnerabilities
It's possible to think up all sorts of scenarios of how it could go
wrong, but the industry's been pretty busy doing that itself and
ensuring that these access methods are blocked and the user alerted.
One of the complaints levelled at Bluetooth is that it should be
easier to use. The reason there are restrictions is because of the
security and warnings that have been built into real devices.
Looking specifically at the tools, there is little new:
bluestumbler - Monitor and log all visible bluetooth devices (name,
MAC, signal strength, capabilities), and identify manufacturer from
MAC address lookup. This is nothing new - we've had a freeware utility
called Blue Alert available for around 24 months that does exactly that.
You can do the same with Mobile phone IMEIs, Ethernet cards, Wi-Fi
access points, Web IP addresses - essentially anything that has an IP
or Ethernet type address. Knowing the name doesn't give you any deeper
access.
bluebrowse - Display available services on a selected device (FAX,
Voice, OBEX etc). This is part of Bluetooth. If a device is
discoverable you can ask it what it does. If you couldn't do that it
all gets a bit pointless, as you'd have no idea of whether you were
trying to print to a headset or a printer. Not a lot of use, Mr Bond.
bluejack - Send anonymous message to a target device (and optionally
broadcast to all visible devices). It's a posh name for Object Push,
as described above and comes built into almost every Bluetooth device
you buy. It just sounds sexier to give it a name with undertones of
hacking. So the major theft is from any user who pays a shareware fee
for duplicating what came free with their Bluetooth device. Once
again, not world shattering.
bluesnarf - Copy data from target device (everything if pairing
succeeds, or a subset in other cases, including phonebook and
calendar). In the latter case, user will not be alerted by any bluejack
message. This is the most interesting claim, but in my experience it
remains unsubstantiated. We have failed at all attempts to get data
off an unpaired device. If the device is paired then yes, you can do
it, but to say it's a security flaw to give away data to someone who
comes up to you and asks "Can I steal your data", to which you reply
"Yes - help yourself" is not a great claim.
As a Bluetooth manufacturer we've not been approached by A.L. Digital.
I've asked them for details of this and look forward to receiving them
and putting them to the test. If there is an issue then the Bluetooth
industry needs to address it. The people I talk to in the SIG
understand the need to get security right and be honest about it -
they all saw what the consequence is if you don't - look at the IEEE
and 802.11. I suspect that what A.L. Digital have seen is a facet of
having previously paired devices and then correlating the subsequent
behaviour to that of a pristine, unpaired device. It would not be the
first time that mistake has been made.
At the end of the day all security has to come down to the question of
what is adequate for the application. In the case of Bluetooth on a
mobile phone my interpretation is that the easiest way to get data off
the phone is still to nick it. You can't blame Bluetooth for that.
Nick Hunn
Managing Director
TDK Systems Europe Ltd
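Nick's point that "bluejack" is just a posh name for OBEX Object Push is easy to check on the wire. The following is an added example, not code from the article, from A.L. Digital, or from TDK Systems: it builds the single OBEX PUT request that an Object Push sends (a vCard whose FN line carries the message), then parses it back the way a receiving stack would and pulls out the text the handset would display. Header identifiers and packet layout follow the IrOBEX 1.x specification; the vCard content, the filename hello.vcf, and the function names are constructed for this illustration, and no radio or BlueZ stack is involved, so it runs offline.

```python
"""
Added illustration: encode and decode an OBEX PUT (Object Push) request.
Opcodes and header IDs are from IrOBEX 1.x; the vCard and filename below
are made-up sample data, not captured traffic.
"""
import struct

# OBEX opcode and header identifiers (IrOBEX 1.x). The top two bits of a
# header ID encode how its value is laid out on the wire.
OP_PUT_FINAL = 0x82      # PUT with the "final" bit set: whole object in one packet
HDR_NAME = 0x01          # 00xxxxxx: unicode (UTF-16BE, NUL-terminated), 2-byte length
HDR_TYPE = 0x42          # 01xxxxxx: byte sequence (MIME type, NUL-terminated)
HDR_LENGTH = 0xC3        # 11xxxxxx: 4-byte integer
HDR_END_OF_BODY = 0x49   # 01xxxxxx: byte sequence, last chunk of the object

# Constructed sample vCard; the FN line is what a phone shows in its alert.
SAMPLE_VCARD = (
    b"BEGIN:VCARD\r\n"
    b"VERSION:2.1\r\n"
    b"N:;Bluejack demo\r\n"
    b"FN:Hello from across the room\r\n"
    b"END:VCARD\r\n"
)


def _seq_header(hid: int, payload: bytes) -> bytes:
    """Unicode/byte-sequence header: ID, 2-byte big-endian length (which
    counts these 3 bytes too), then the payload."""
    return struct.pack(">BH", hid, 3 + len(payload)) + payload


def build_object_push(filename: str, body: bytes,
                      mime_type: bytes = b"text/x-vCard") -> bytes:
    """Return the OBEX PUT request an Object Push client sends for one object."""
    name_utf16 = filename.encode("utf-16-be") + b"\x00\x00"
    headers = (
        _seq_header(HDR_NAME, name_utf16)
        + _seq_header(HDR_TYPE, mime_type + b"\x00")
        + struct.pack(">BI", HDR_LENGTH, len(body))
        + _seq_header(HDR_END_OF_BODY, body)
    )
    # Packet = opcode, 2-byte total length (including these 3 bytes), headers.
    return struct.pack(">BH", OP_PUT_FINAL, 3 + len(headers)) + headers


def parse_obex(packet: bytes) -> dict:
    """Walk the headers of one OBEX request packet; reject truncated or
    inconsistent length fields instead of reading past the buffer."""
    if len(packet) < 3:
        raise ValueError("short packet")
    opcode, total = struct.unpack_from(">BH", packet, 0)
    if total != len(packet):
        raise ValueError(f"length field {total} != packet size {len(packet)}")
    headers = {}
    pos = 3
    while pos < total:
        hid = packet[pos]
        kind = hid >> 6
        if kind in (0, 1):                     # 2-byte length, variable payload
            if pos + 3 > total:
                raise ValueError("truncated header")
            hlen = struct.unpack_from(">H", packet, pos + 1)[0]
            if hlen < 3 or pos + hlen > total:
                raise ValueError("bad header length")
            value = packet[pos + 3:pos + hlen]
            pos += hlen
        elif kind == 2:                        # 1-byte value
            if pos + 2 > total:
                raise ValueError("truncated header")
            value = packet[pos + 1]
            pos += 2
        else:                                  # 4-byte value
            if pos + 5 > total:
                raise ValueError("truncated header")
            value = struct.unpack_from(">I", packet, pos + 1)[0]
            pos += 5
        headers[hid] = value
    return {"opcode": opcode, "headers": headers}


def vcard_display_name(packet: bytes) -> str:
    """The text the recipient's handset would show: the vCard FN line."""
    body = parse_obex(packet)["headers"][HDR_END_OF_BODY]
    for line in body.split(b"\r\n"):
        if line.startswith(b"FN:"):
            return line[3:].decode("utf-8")
    return ""


if __name__ == "__main__":
    pkt = build_object_push("hello.vcf", SAMPLE_VCARD)
    print(f"{len(pkt)} byte PUT, opcode 0x{pkt[0]:02x}")
    print("handset would display:", vcard_display_name(pkt))
```

Two things stand out once the bytes are in front of you. First, the request carries only a Name, Type, Length and Body header: it delivers an object and asks for nothing back, which is why it cannot "suck off" data as the letter says. Second, the receiving side's parser is the part worth hardening; the length checks in parse_obex are there because a stack that trusts the length fields blindly is what turns an unsolicited push into a real problem, whatever it is called.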
External Links:
Serious flaws in bluetooth security lead to disclosure of personal
data, paper by A.L. Digital - http://www.bluestumbler.org/
ISN is currently hosted by Attrition.org