Bluetooth Phones Could Leak Data
Security researchers say manufacturers skeptical of their claim of easy hacking methods.
Andrew Brandt, PC World
Monday, August 02, 2004
LAS VEGAS--Many of the most popular models of
Bluetooth-enabled cell phones can be hacked easily, enabling a
malicious hacker to steal phone books, images, calendar information, or
virtually anything else stored on the phone, say a pair of security
Adam Laurie, chief security officer and director
of AL Digital and the Bunker, a secure Web hosting facility in Europe,
and Martin Herfurt, a researcher at Salzburg Research, described the
danger at a session Friday at the Defcon 12 conference here.
The pair demonstrated how software tools they
created give them virtually total control over Bluetooth phones from a
wide range of handset manufacturers, including Nokia, Sony-Ericsson,
Herfurt demonstrated three different ways to
attack a phone: He could send unsolicited text messages to the phone's
screen, download all the data stored on a phone (or manipulate the data
on the phone itself), and turn the phone into a roaming bug by forcing
a targeted phone to call another phone.
This last attack, which the pair call
"BlueBugging," is potentially the most damaging because once the
attacker initiates a call on the victim's phone, there's no need to
stay within Bluetooth range, typically about 30 feet. The target need only be in a phone service area to be exploited.
This kind of attack could also be used to commit
fraud, according to Laurie. For example, an attacker could force
victims' phones to dial a phone service that bills the victim per call
or per minute.
Increasingly, "phones are being used as portable
data stores" for information such as passwords, PIN numbers, and other
sensitive data, Laurie added--another danger if a phone can be hacked.
"Fifty to seventy percent of the phones we see
are vulnerable" to at least one of the three types of hacking attacks,
Laurie said. He said security researchers from computer security
consulting firm @stake has further uncovered flaws in Bluetooth
encryption, which could make the danger worse. Bluetooth adoption is growing, especially in Europe.
"If we can implement [@stake researcher] Ollie Whitehouse's cracks, any Bluetooth phone would be vulnerable," Laurie said.
Vulnerable by Default
Many users set their phones on what hackers call discoverable mode in order to use Bluetooth
accessories, such as headsets, but carelessly leave it in that mode, he
noted. Also, many manufacturers set discoverable mode as the default,
to help customers quickly and easily connect accessories or devices.
Data theft using Bluetooth is especially
hazardous because "you don't have to be visible to the person you're
targeting," Laurie said. He found that he could connect to many
Bluetooth devices well beyond the usual range of the wireless
technology: Using just a small dongle on his laptop increased the range
to about 40 meters, and some high-gain antennas could stretch
communications to 90 meters.
The pair tested the data theft portion of their research only on phones they owned, for legal reasons.
In their Defcon presentation, demonstrating how
to steal a phone book, they connected to a Nokia phone that briefly
displayed a telltale message on screen but made no sound. If the owner
isn't looking at the phone's screen at the moment an attacker connects,
it probably won't be apparent that the phone is compromised.
In the Field
Several handset manufacturers dismissed his claims as far-fetched, which prompted him to do field research, Laurie said.
In one experiment, he ran his original Bluetooth
intrusion program on his laptop while standing on the platform of a
London Underground subway station during rush hour. He detected 336
Bluetooth-enabled phones, and deemed 77 of them "definitely vulnerable"
to one or more of the attack methods. Laurie deemed a phone vulnerable
if he was able to recognize the phone's default Bluetooth name, which a
user can change.
Later, he conducted the same experiment inside
the British Houses of Parliament. His laptop was X-rayed at security
checkpoints, but he then wandered through the halls of government and
discovered four vulnerable phones within 14 minutes.
Phone manufacturers have a duty both to their
customers and--with public companies--to shareholders to make a safe
and secure product, Laurie said.
"Manufacturers who knowingly ship phones with problems have broken their fiduciary duty by doing so," Laurie added.
Printer Friendly Version