http://www.wired.com/news/privacy/0,1848,64463,00.html

By Kim Zetter
Aug. 06, 2004

Serious flaws discovered in Bluetooth technology used in mobile phones can let an attacker remotely download contact information from victims' address books, read their calendar appointments or peruse text messages on their phones to conduct corporate espionage.

An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity. Most types of attacks could be conducted without leaving a trace.

Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas.

Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched.

Laurie, chief security officer of London-based security and networking firm ALD, discovered the vulnerability last November. Using a program called Bluesnarf that he designed but hasn't released, Laurie modified the Bluetooth settings on a standard Bluetooth-enabled laptop to conduct the data-collection attacks.

Then, German researcher Herfurt developed a program called Bluebug that could turn certain mobile phones into a bug to transmit conversations in the vicinity of the device to an attacker's phone. Using Bluebug from a laptop, an attacker could instruct a target phone to call his phone. The phone would make the call silently and, once connected, open a channel for the attacker to listen to conversations near the targeted phone.
The attacker's phone number would appear on the victim's phone bill, but if the attacker used a throwaway phone, the number would be out of service.

"(A victim) will know that his phone made a call that it shouldn't have made, but he won't necessarily come to the right conclusion that someone listened in on the conversation that he was having at that particular time," Laurie said. "He may think he accidentally pressed buttons to make the call while the phone was in his back pocket."

An attacker could also install a gateway on the victim's phone to reroute phone calls through his own phone so that he could hear and record conversations between parties without their knowledge. And he could send text messages from his computer through a victim's phone to another phone so the receiver would think the message originated from the victim. There would be no record of the sent message on the victim's phone unless the attacker planted it there.

"I can plant the message on the phone and make it look like he sent a message that he never sent. So when the FBI grabs the phone (for evidence), the message will be in the first guy's outbox," Laurie said. "It has really serious consequences."

The use of Bluetooth, a wireless technology that lets two devices exchange information over a short distance, is growing rapidly in Europe and the United States. About 13 percent of mobile phones shipped in the United States this year have Bluetooth, according to IDC research. The number will grow to about 53 percent globally and 65 percent in the United States by 2008.

These are just the phones. According to IMS Research, 2 million Bluetooth-enabled devices -- phones, laptops and PDAs -- are shipped weekly in the world. Laurie and Herfurt have only tested phones for vulnerabilities so far.

"They're talking about putting Bluetooth in everything: home security, medical devices," Laurie said. "If they don't do something about security there is some really serious stuff ahead of us."
The attacks, dubbed "Bluesnarfing" and "Bluebugging," work on several models of the most popular brands of mobile phones: Ericsson, Sony Ericsson, and Nokia (Laurie provides a chart of affected phones on his website). In each case, the researchers needed access to the target phone for only a few seconds to conduct attacks.

Phones are vulnerable when they are in "discoverable" or "visible" mode, and the Bluetooth functionality is enabled. Visible mode lets Bluetooth phones find other Bluetooth phones in their vicinity so phone owners can exchange electronic contact information. Users can turn the visible mode off, but some models of Nokia can be attacked even when a user turns off the visible mode, Laurie said. The attacker would need to know the device's Bluetooth address, but Laurie said hacking programs available online make it possible to discover the address.

"The Nokia 6310 and 8910 series and the Sony Ericsson T610 are probably the worst affected because they are very popular phones," he said. They're "at least 70 percent of the market in Europe."

Laurie and Herfurt found problems with Motorola phones as well, but Siemens phones came out clean. "Motorola said they would fix it in the current release so they started immediately to correct the problem," Laurie said, adding that the Motorola vulnerability was limited since the phones can be in visible mode for only brief periods when the owner exchanges information with other phone users.

Although phone owners can leave Nokia and Sony Ericsson phones in visible mode, the phone companies said people don't usually do this. They also said that because Bluetooth's range is generally 30 feet, an attacker could target only people who stayed within range long enough to be attacked. But Laurie said that he achieved ranges closer to 50 feet in tests. With either range he could stand in a building lobby or hallway and collect data from mobile phones on floors above and below him.
And a device demonstrated at DefCon could increase that range more than tenfold. The BlueSniper "rifle," created by John Hering and colleagues at Flexilis as a proof-of-concept device, resembles a rifle. It has a vision scope and a Yagi antenna with a cable that runs to a Bluetooth-enabled laptop or PDA in a backpack. Aiming the rifle from an 11th-floor window of the Aladdin hotel at a taxi stand across the street in Las Vegas, Hering and colleagues were able to collect phone books from 300 Bluetooth devices. They bested that distance and broke a record this week by attacking a Nokia 3610i phone 1.1 miles away and grabbing the phone book and text messages.

"The odds of anybody (attacking a phone) are very slim to begin with," said Nokia spokesman Keith Nowak, noting that the only vulnerable model sold by the company in the United States is the 6310i. "But if you're worried about it, just turn the Bluetooth off or take it out of discoverable mode."

This works for regular phones, Laurie said, but not the Nokia car phone, which does not let users switch to hidden mode or turn off Bluetooth. Nokia announced in May that it would have software upgrades to address the Bluetooth problem for all of its phones by the end of the summer, though this will not include car phones, and users would have to send in their phones to Nokia to have the patch installed.

Sony Ericsson told Laurie it fixed the problem. But when he examined the phones, he discovered they fixed the bugging problem but not the data-theft issue. Sony Ericsson could not be reached for comment.

Laurie found that most people forget to switch off Bluetooth and the visible mode after exchanging information with someone. About 50 percent to 70 percent of phones he examined in road tests were in visible mode and vulnerable to one type of attack or another.
In one experiment, standing for about two hours in London Underground stations during rush hour, Laurie found 336 Bluetooth phones, 77 of which were vulnerable to attack. He conducted a similar test at Britain's House of Parliament, carrying a laptop in his backpack. After going through security, he wandered the ground floor for 14 minutes looking at paintings and passing politicians while the attack ran automatically from his backpack. Of 46 Bluetooth devices he found, eight phones were vulnerable to attack.

Herfurt is working on developing Bluebug to run from a phone so an attacker wouldn't even need a bulky laptop.

Laurie said most people don't think they have valuable data on their phones, but many people store passwords, PINs and financial account numbers in their phones. A London shopkeeper he knows didn't care about the vulnerability until he attacked her phone and extracted the door and alarm codes for three of her businesses.

Michael Foley, executive director for the Bluetooth Special Interest Group, said the risk of attacks has gone down since the issue came to light. But as long as the risk is above zero, the industry group is taking it seriously and working with phone makers to address the problems.

"Now that the manufacturers are aware of these vulnerabilities, I don't think you'll see new phones coming out that are vulnerable to the attack," he said.

_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html
This archive was generated by hypermail 2.1.3 : Fri Aug 06 2004 - 07:03:00 PDT