axxxr Joined: Mar 21, 2003 Posts: > 500 From: Londinium
Introduction
BlueBug is the name of a bluetooth security loophole on some bluetooth-enabled cell phones. Exploiting this loophole allows the unauthorized downloading of phone books and call lists, the sending and reading of SMS messages from the attacked phone and many more things.
Facts
Under ideal conditions, a BlueBug attack takes only a few seconds (depending on what is done during the attack). Due to the limited transmit power of class 2 bluetooth radios, the distance between the victim's device and the attacker's device during the attack should not exceed 10-15 meters. As with wardriving, a directional antenna can also be attached to the radio for bluetoothing in order to increase the range.
Since the BlueBug security loophole allows issuing AT commands via a covert channel to the vulnerable phones without prompting the owner of the phone, this security flaw allows a vast number of things to be done when the phone is attacked via bluetooth:
initiating phone calls
sending SMS to any number
reading SMS from the phone
reading phonebook entries
writing phonebook entries
setting call forwards
connecting to the internet
forcing the phone to use a certain service provider
... and many more things
Phone Calls
As mentioned above, the BlueBug security loophole allows the attacker to initiate phone calls from the victim's device. Things that can be done by initiating phone calls include:
eavesdropping
when the victim passes, a phone that is owned by the attacker (e.g. an anonymously used prepaid-card phone) is called. From this moment on, the attacker is able to listen to all the conversations the victim has until the victim hangs up the phone
causing financial damage
since phone calls to any number can be established, it is also possible to call premium service numbers from the victim's device. If the victim does not realize that a phone call is connected to a premium service number, this would cause severe financial damage to the victim.
SMS
Sending SMS from the victim's device can be used for quite a lot of things:
finding out the victim's phone number
The phone number of the respective device is not stored at a predefined location. The device's number can be obtained by sending an SMS from the victim's device to a phone that is owned by the attacker.
causing financial damage
There are quite a lot of SMS-based services that cost the client about 3 Euros per SMS. Usually, these services are used to sell ringtones and logos. There are also news subscriptions that can be ordered by SMS and that continuously cause costs to the victim.
tracking the victim
As a location-based service, some providers allow other users to locate their customers by the GSM global cell id to which their phone is connected. Depending on how the respective GSM cells are configured, this information can be very detailed. In order to do this, the provider must get permission from the customer. This permission is usually given via SMS (which is sent by the attacker).
revealing secrets
Often SMS messages are used to silently communicate secret information with other people. Reading SMS from the attacked device often intrudes on the victim's privacy. Paparazzi could use this attack in order to find out more about certain celebrities.
Phonebook Entries
Reading and writing phonebook entries could be used for:
finding out callers and called persons
In GSM handsets, phonebooks are also used for managing call lists. So the attacker may find out who the victim called last, who was trying to reach the victim's device and who reached the victim's device.
doing nasty entries
A nasty phonebook entry could be the name "Darling" with the international emergency number 112.
obfuscating the abuse
After initiating phone calls, the list of dialed numbers could be overwritten.
Call Forwards
Setting call forwards on the victim's phone could cause a lot of confusion. Instead of reaching the victim, the caller reaches the device at whatever random number has been set.
Internet Abuse
The attacker can use the BlueBug loophole to establish an Internet connection that could for example be used for the illegal injection of Mail-Worms like Sasser, Phatbot or NetSky.
Network Provider Preselection
Especially in locations like airports, where many users are arriving with their cell phones, service providers could use the BlueBug loophole in order to register these phones with their networks.
History
The history of the BlueBug started when a friend of Martin Herfurt pointed out that there was a bluetooth security loophole that allowed the downloading of various information from mobile phones without prompting the owner of the phone. This security loophole had been identified by Adam Laurie from A.L. Digital Ltd. and was explained on bluestumbler.org.
In order to get a little more attention for a talk about wardriving (the exploitation of WLAN insecurity), Martin Herfurt decided to also present this more recent security issue. Since no snarfing tools were available on the Internet, an application was hacked together that could read out the phonebooks of the devices that were also listed on Adam Laurie's page. Believing he had found the same security loophole as Adam Laurie, this application was successfully demonstrated at the IKT 2004 Forum.
Out of curiosity, the laptop with the bluesnarf application was taken to the CeBIT technology fair in Hannover, Germany. There, about 1300 unique bluetooth devices could be found, of which about 50 phones were provably vulnerable to this attack.
One week later, a report about the CeBIT field trial was written and published on the Austrian news portal futurezone and the high-impact site slashdot. The German newsticker of Heise did not react to the announcement of the report.
Jeremy Wagstaff, the technical columnist for the Wall Street Journal, cited the report in his WebLog and later in his column in the Wall Street Journal.
About this time (middle of April 2004) Adam Laurie was visiting Salzburg. Talking to Martin Herfurt, it turned out that the identified security loopholes were not the same. Adam's Bluesnarf attack allows the unauthorized downloading of items via the OBEX protocol, while the loophole identified by Martin Herfurt allows controlling the device via a plain serial connection. Adam and Martin decided to do some work together on this point.
Future Work
After meeting Adam Laurie in Salzburg it has been decided to co-operate in bluetooth security issues.
Bluetooth Fingerprinting
The idea of determining the model information of discovered bluetooth devices by means of hashing SDP profiles is being investigated.
Handset Application
A BlueBug application that runs on Java-enabled bluetooth phones is currently being implemented. Unfortunately, debugging this application is not easy.
Latest News
On Wednesday morning, 5 people (Martin Herfurt (Salzburg Research), John Hering (Flexilis), James Burgess (Flexilis), Kevin Mahaffey (Flexilis) and Mike Outmesguine (author of Wi-Fi Toys)) were doing a long-distance snarf at Santa Monica Bay close to Los Angeles. It was possible to BlueSnarf a phone from a distance of 1.08 miles. For this we used an ordinary unmodified Nokia 6310i on one side and, on the other, a laptop with a modified class 1 bluetooth dongle to which a 19 dBi gain quad antenna was connected.
TechTV documented this experiment. Pictures can be found here.
Links
Bluetooth Security Issues
www.bluestumbler.org - Adam and Ben Laurie's page about bluetooth
www.bluejackq.com - BlueJacking page
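The "Bluetooth Fingerprinting" idea mentioned under Future Work (hashing SDP profiles to recognise a device model, e.g. for inventorying which handsets in a fleet are of a type known to be affected) can be illustrated with a small canonicalisation-and-hash routine. This is an added example, not code from the trifinite project or the poster; the SDP records, the model label and the lookup table are constructed placeholders, not data from real handsets.

```python
import hashlib
import json

# Constructed sample SDP records (NOT dumps from real phones): the shape of
# what an SDP browse returns - service class UUIDs, RFCOMM channel, profile
# version and the human-readable service name.
SAMPLE_A = [
    {"name": "Dial-up networking", "classes": ["1103"], "channel": 1, "version": "0x0100"},
    {"name": "OBEX Object Push", "classes": ["1105"], "channel": 9, "version": "0x0100"},
    {"name": "Serial Port", "classes": ["1101"], "channel": 3, "version": "0x0100"},
]
# The same services advertised in another order with localized names; the
# fingerprint must not change for this.
SAMPLE_A_SHUFFLED = [
    {"name": "Objektuebertragung", "classes": ["1105"], "channel": 9, "version": "0x0100"},
    {"name": "Serielle Schnittstelle", "classes": ["1101"], "channel": 3, "version": "0x0100"},
    {"name": "DFUE-Netzwerk", "classes": ["1103"], "channel": 1, "version": "0x0100"},
]


def canonical_form(records):
    """Keep only the stable, firmware-determined attributes of each record
    (service class UUIDs, RFCOMM channel, profile version) and sort them, so
    that advertisement order and user-visible names do not affect the hash."""
    stable = [(sorted(r["classes"]), int(r["channel"]), r["version"]) for r in records]
    return sorted(stable)


def sdp_fingerprint(records):
    """SHA-256 over the canonical JSON of the record set."""
    data = json.dumps(canonical_form(records), separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


# Hypothetical fingerprint -> model table, seeded from the constructed sample
# (a real table would be built from SDP dumps of identified handsets).
KNOWN_MODELS = {sdp_fingerprint(SAMPLE_A): "constructed-model-A"}


def identify(records):
    """Return the model label for a record set, or 'unknown' if unseen."""
    return KNOWN_MODELS.get(sdp_fingerprint(records), "unknown")


if __name__ == "__main__":
    print(identify(SAMPLE_A_SHUFFLED))  # constructed-model-A
```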