Security Cavities Ail Bluetooth
Date: March 22, 2005Source: wired news
By:
An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity. Most types of attacks could be conducted without leaving a trace.
John Hering holds the BlueSniper 'rifle' he created with colleagues that lets someone find and attack a Bluetooth-enabled device from a distance. A test-run of the BlueSniper allowed Hering to grab the phone book and text messages from a Nokia 6310i phone 1.1 miles away from him. The BlueSniper rifle for capturing data from Bluetooth-enabled phones is constructed from a Choate Ruger Mini-14 stock, 14dbi semi-directional Yagi antenna, standard rifle scope, electrical tape, zip ties and cardboard.
Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas. Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched.
Laurie, chief security officer of London-based security and networking firm ALD, discovered the vulnerability last November. Using a program called Bluesnarf that he designed but hasn't released, Laurie modified the Bluetooth settings on a standard Bluetooth-enabled laptop to conduct the data-collection attacks.
Then, German researcher Herfurt developed a program called Bluebug that could turn certain mobile phones into a bug to transmit conversations in the vicinity of the device to an attacker's phone.
Using Bluebug from a laptop, an attacker could instruct a target phone to call his phone. The phone would make the call silently and, once connected, open a channel for the attacker to listen to conversations near the targeted phone. The attacker's phone number would appear on the victim's phone bill, but if the attacker used a throwaway phone, the number would be out of service.
"(A victim) will know that his phone made a call that it shouldn't have made, but he won't necessarily come to the right conclusion that someone listened in on the conversation that he was having at that particular time," Laurie said. "He may think he accidentally pressed buttons to make the call while the phone was in his back pocket."
An attacker could also install a gateway on the victim's phone to reroute phone calls through his own phone so that he could hear and record conversations between parties without their knowledge. And he could send text messages from his computer through a victim's phone to another phone so the receiver would think the message originated from the victim. There would be no record of the sent message on the victim's phone unless the attacker planted it there.
"I can plant the message on the phone and make it look like he sent a message that he never sent. So when the FBI grabs the phone (for evidence), the message will be in the first guy's outbox," Laurie said. "It has really serious consequences."
The use of Bluetooth, a wireless technology that lets two devices exchange information over a short distance, is growing rapidly in Europe and the United States. About 13 percent of mobile phones shipped in the United States this year have Bluetooth, according to IDC research. The number will grow to about 53 percent globally and 65 percent in the United States by 2008.
These are just the phones. According to IMS Research, 2 million Bluetooth-enabled devices -- phones, laptops and PDAs -- are shipped weekly in the world. Laurie and Herfurt have only tested phones for vulnerabilities so far.
Original article
Add comment
Email to a Friend
