[ISN] Bluejacking ain't hijacking

From: InfoSec News (isn@private)
Date: Sun Nov 23 2003 - 23:33:53 PST


    http://www.theregister.co.uk/content/69/34139.html
    
    By John Leyden
    Posted: 21/11/2003 
    
    Letter - Last week we reported on preliminary research from security 
    firm A.L. Digital which suggested a number of security problems with 
    Bluetooth-enabled mobile phones from Nokia and Ericsson. The paper 
    argued that digital pickpockets could swipe address books and data 
    from mobile phones because of security shortcomings in the 
    implementation of Bluetooth by the manufacturers. 
    
    Not so, says Nick Hunn, who in addition to his day job at TDK Systems 
    is a long-standing proponent of and expert on Bluetooth. Nick reckons 
    A.L. Digital's research gives little cause for concern. The easiest 
    way to get data off a mobile phone is to steal it, according to Nick: 
    
    -=-
    
    Having just read the article on The Reg, I'd like to explain a bit 
    more about the issues raised. The Laurie père et fils article jumps 
    between some observations about technology and scare mongering without 
    paying too much attention to actual implementation and user models. 
    
    The recent Bluejacking stories describe a way that Bluetooth users can 
    push messages onto other users' handsets. This uses the same basic 
    OBEX (Object Exchange) stack that was developed for Infrared and used 
    to acclaim in the Palm for "beaming" business cards and applications. 
    When used on Bluetooth phones it behaves in the same way - a user is 
    alerted to a message which they can then read. 
    
    Bluejacking isn't hijacking 
    
    Despite the name it doesn't hijack the phone or suck off the 
    information - it simply presents a message. The recipient can ignore 
    it, read it, respond or delete it. After beaming became such a success 
    on the Palm it seems a little unfair to castigate it on mobile phones 
    just because it is becoming a youth culture rather than an implied 
    serious business use. 
    
    Snarfing is more interesting. If it were possible it would be 
    damaging, but we've yet to find out how to do it. We've been playing 
    with Bluetooth devices at all levels of the protocol stack for six 
    years and have yet to find a commercial device we can hack into. 
    
    That's not for want of trying. 
    
    Pairing up 
    
    To get access you need to pair with a device. Whenever another device 
    requests a pairing, the user of the targeted handset is presented with 
    a message along the lines of "Device xyz is attempting to pair. Enter 
    your password." The password must be the same as the one on the device 
    attempting to pair - in other words you don't know it unless the 
    person trying to hack into your phone comes over and tells you. If 
    they're going to do that it's probably much easier for them to grab 
    your phone and leg it. 
    
    A.L. Digital talk about the risk of removing a pairing from a 
    previously paired device. They don't mention how that device was 
    paired in the first place, but imply this is a major threat. Given 
    that you have to know and have made a conscious effort to pair in the 
    first place I don't see how it is. It is like giving somebody you meet 
    in the street your house key, not changing the locks and then being 
    surprised when the family silver goes missing. 
    
    Show us the vulnerabilities 
    
    It's possible to think up all sorts of scenarios of how it could go 
    wrong, but the industry's been pretty busy doing that itself and 
    ensuring that these access methods are blocked and the user alerted. 
    One of the complaints levelled at Bluetooth is that it should be 
    easier to use. The reason there are restrictions is because of the 
    security and warnings that have been built into real devices. 
    
    Looking specifically at the tools, there is little new: 
    
    bluestumbler - Monitor and log all visible bluetooth devices (name, 
    MAC, signal strength, capabilities), and identify manufacturer from 
    MAC address lookup. This is nothing new - we've had a freeware utility 
    called Blue Alert available for around 24 months that does exactly that. 
    You can do the same with Mobile phone IMEIs, Ethernet cards, Wi-Fi 
    access points, Web IP addresses - essentially anything that has an IP 
    or Ethernet type address. Knowing the name doesn't give you any deeper 
    access. 
    
    bluebrowse - Display available services on a selected device (FAX, 
    Voice, OBEX etc). This is part of Bluetooth. If a device is 
    discoverable you can ask it what it does. If you couldn't do that it 
    all gets a bit pointless, as you'd have no idea of whether you were 
    trying to print to a headset or a printer. Not a lot of use, Mr Bond. 
    
    bluejack - Send anonymous message to a target device (and optionally 
    broadcast to all visible devices). It's a posh name for Object Push, 
    as described above and comes built into almost every Bluetooth device 
    you buy. It just sounds sexier to give it a name with undertones of 
    hacking. So the major theft is from any user who pays a shareware fee 
    for duplicating what came free with their Bluetooth device. Once 
    again, not world shattering. 
    
    bluesnarf - Copy data from target device (everything if pairing 
    succeeds, or a subset in other cases, including phonebook and 
    calendar). In the latter case, user will not be alerted by any bluejack 
    message. This is the most interesting claim, but in my experience it 
    remains unsubstantiated. We have failed at all attempts to get data 
    off an unpaired device. If the device is paired then yes, you can do 
    it, but to say it's a security flaw to give away data to someone who 
    comes up to you and asks "Can I steal your data", to which you reply 
    "Yes - help yourself" is not a great claim. 
    
    As a Bluetooth manufacturer we've not been approached by A.L. Digital. 
    I've asked them for details of this and look forward to receiving them 
    and putting them to the test. If there is an issue then the Bluetooth 
    industry needs to address it. The people I talk to in the SIG 
    understand the need to get security right and be honest about it - 
    they all saw what the consequence is if you don't - look at the IEEE 
    and 802.11. I suspect that what A.L. Digital have seen is a facet of 
    having previously paired devices and then correlating the subsequent 
    behaviour to that of a pristine, unpaired device. It would not be the 
    first time that mistake has been made. 
    
    At the end of the day all security has to come down to the question of 
    what is adequate for the application. In the case of Bluetooth on a 
    mobile phone my interpretation is that the easiest way to get data off 
    the phone is still to nick it. You can't blame Bluetooth for that. 
    
    Nick Hunn 
    Managing Director 
    TDK Systems Europe Ltd 
    
    
    External Links:
    Serious flaws in bluetooth security lead to disclosure of personal 
    data, paper by A.L. Digital - http://www.bluestumbler.org/
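
    The letter's "Pairing up" section rests on one property of PIN-based 
    Bluetooth pairing: the PIN entered on each handset never crosses the 
    air, and a pairing only completes when both sides derived the same key 
    from the same PIN. The following model, added here as an illustration 
    and not part of the Register article or Nick Hunn's letter, walks 
    through that exchange (IN_RAND, AU_RAND, SRES) with both devices' 
    messages. It is an assumption-laden simplification: HMAC-SHA256 stands 
    in for the real SAFER+-based E22 and E1 functions, and all device 
    addresses and PINs are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Simplified model of Bluetooth legacy (PIN-based) pairing and authentication.
# ASSUMPTION: HMAC-SHA256 replaces the real E22 (initial key) and E1
# (challenge-response) functions so the exchange runs offline. Addresses and
# PINs below are constructed sample values, not real devices.


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function standing in for E22/E1 (assumption)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


class Device:
    """One Bluetooth handset with a locally entered PIN."""

    def __init__(self, name: str, bd_addr: bytes, pin: str):
        self.name = name
        self.bd_addr = bd_addr          # 6-byte device address (constructed)
        self.pin = pin.encode()         # PIN typed by the handset's own user
        self.link_key = None

    def derive_init_key(self, in_rand: bytes, anchor_addr: bytes) -> None:
        # Kinit depends on the PIN entered on *this* device plus the public
        # nonce and address; a wrong PIN silently yields a different key.
        self.link_key = prf(self.pin, in_rand, anchor_addr)

    def respond(self, au_rand: bytes) -> bytes:
        # SRES = E1(K, BD_ADDR, AU_RAND) in the model
        return prf(self.link_key, self.bd_addr, au_rand)


def pairing_exchange(initiator: Device, responder: Device, rng=secrets.token_bytes):
    """Run the initiator-driven handshake; return (accepted, transcript)."""
    transcript = []
    # The responder's user is prompted exactly as the letter describes.
    transcript.append(
        f"{responder.name} screen: Device {initiator.name} is attempting to "
        f"pair. Enter your password."
    )

    in_rand = rng(16)
    transcript.append(f"{initiator.name} -> {responder.name}: IN_RAND={in_rand.hex()}")
    # Each side derives Kinit from the PIN its own user typed; the PIN itself
    # is never transmitted.
    initiator.derive_init_key(in_rand, responder.bd_addr)
    responder.derive_init_key(in_rand, responder.bd_addr)

    au_rand = rng(16)
    transcript.append(f"{initiator.name} -> {responder.name}: AU_RAND={au_rand.hex()}")
    sres = responder.respond(au_rand)
    transcript.append(f"{responder.name} -> {initiator.name}: SRES={sres.hex()}")

    # The initiator recomputes SRES with its own key; constant-time compare.
    expected = prf(initiator.link_key, responder.bd_addr, au_rand)
    accepted = hmac.compare_digest(sres, expected)
    transcript.append(
        f"{initiator.name}: {'pairing accepted' if accepted else 'pairing rejected'}"
    )
    return accepted, transcript


def demo():
    """Matching PINs pair; a device whose user typed a different PIN is rejected."""
    phone = Device("phone", bytes.fromhex("001122334455"), "1234")
    headset = Device("headset", bytes.fromhex("66778899aabb"), "1234")
    stranger = Device("stranger", bytes.fromhex("ccddeeff0011"), "0000")
    ok_known, log_known = pairing_exchange(headset, phone)
    ok_stranger, log_stranger = pairing_exchange(stranger, phone)
    for line in log_known + log_stranger:
        print(line)
    return ok_known, ok_stranger


if __name__ == "__main__":
    demo()
```

    Running the model prints the two transcripts: the headset whose owner 
    typed the same PIN as the phone's owner is accepted, while the device 
    whose user guessed a different PIN receives a rejection and never 
    obtains a link key. That is the behaviour the letter relies on when it 
    says the PIN is unknown to an outsider unless the phone's owner tells 
    them.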
    
    
    
    


