Security Cavities Ail Bluetooth

By Kim Zetter

02:00 AM Aug. 06, 2004 PT

Serious flaws discovered in Bluetooth technology used in mobile phones can let an attacker remotely download contact information from victims' address books, read their calendar appointments or peruse text messages on their phones to conduct corporate espionage.

An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity. Most types of attacks could be conducted without leaving a trace.

Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas. Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched.

Laurie, chief security officer of London-based security and networking firm ALD, discovered the vulnerability last November. Using a program called Bluesnarf that he designed but hasn't released, Laurie modified the Bluetooth settings on a standard Bluetooth-enabled laptop to conduct the data-collection attacks.

Then, German researcher Herfurt developed a program called Bluebug that could turn certain mobile phones into a bug to transmit conversations in the vicinity of the device to an attacker's phone.

Using Bluebug from a laptop, an attacker could instruct a target phone to call his phone. The phone would make the call silently and, once connected, open a channel for the attacker to listen to conversations near the targeted phone. The attacker's phone number would appear on the victim's phone bill, but if the attacker used a throwaway phone, the number would be out of service.

"(A victim) will know that his phone made a call that it shouldn't have made, but he won't necessarily come to the right conclusion that someone listened in on the conversation that he was having at that particular time," Laurie said. "He may think he accidentally pressed buttons to make the call while the phone was in his back pocket."

An attacker could also install a gateway on the victim's phone to reroute phone calls through his own phone so that he could hear and record conversations between parties without their knowledge. And he could send text messages from his computer through a victim's phone to another phone so the receiver would think the message originated from the victim. There would be no record of the sent message on the victim's phone unless the attacker planted it there.

"I can plant the message on the phone and make it look like he sent a message that he never sent. So when the FBI grabs the phone (for evidence), the message will be in the first guy's outbox," Laurie said. "It has really serious consequences."

The use of Bluetooth, a wireless technology that lets two devices exchange information over a short distance, is growing rapidly in Europe and the United States. About 13 percent of mobile phones shipped in the United States this year have Bluetooth, according to IDC research. The number will grow to about 53 percent globally and 65 percent in the United States by 2008.

These are just the phones. According to IMS Research, 2 million Bluetooth-enabled devices -- phones, laptops and PDAs -- are shipped weekly in the world. Laurie and Herfurt have only tested phones for vulnerabilities so far.

"They're talking about putting Bluetooth in everything: home security, medical devices," Laurie said. "If they don't do something about security there is some really serious stuff ahead of us."

The attacks, dubbed "Bluesnarfing" and "Bluebugging," work on several models of the most popular brands of mobile phones: Ericsson, Sony Ericsson and Nokia (Laurie provides a chart of affected phones on his website). In each case, the researchers needed access to the target phone for only a few seconds to conduct attacks.
