TUCoPS :: Networks :: Wireless :: bt1701.txt

Serious flaws in bluetooth security lead to disclosure of personaldata


Summary
-------

There are serious flaws in the authentication and/or data transfer
mechanisms on some bluetooth enabled devices. Specifically, two
vulnerabilities have been found:

Firstly, confidential data can be obtained, anonymously, and without the
owner's knowledge or consent, from some bluetooth enabled mobile phones.
This data includes, at least, the entire phonebook and calendar.

Secondly, it has been found that the complete memory contents of some
mobile phones can be accessed by a previously trusted ("paired") device
that has since been removed from the trusted list. This data includes
not only the phonebook and calendar, but media files such as pictures
and text messages. In essence, the entire device can be "backed up" to
an attacker's own system.

Finally, the current trend for "Bluejacking" is promoting an environment
which puts consumer devices at greater risk from the above attacks.

Vulnerabilities
---------------

The SNARF attack:

It is possible, on some makes of device, to connect to the device
without alerting the owner of the target device of the request, and gain
access to restricted portions of the stored data therein, including the
entire phonebook (and any images or other data associated with the
entries), calendar, realtime clock, business card, properties, change
log etc. This is normally only possible if the device is in
"discoverable" or "visible" mode, but there are tools available on the
Internet that allow even this safety net to be bypassed[4]. Further
details will not be released at this time (see below for more on this),
but the attack can and will be demonstrated to manufacturers and press
if required.

The BACKDOOR attack:

The backdoor attack involves establishing a trust relationship through
the "pairing" mechanism,  but ensuring that it no longer appears in the
target's register of paired devices. In this way, unless the owner is
actually observing their device at the precise moment a connection is
established, they are unlikely to notice anything untoward, and the
attacker may be free to continue to use any resource that a trusted
relationship with that device grants access to (but note that so far we
have  only tested file transfers). This means that not only can data be
retrieved from the phone, but other services, such as modems or
Internet, WAP and GPRS gateways may be accessed without the owner's
knowledge or consent. Indications are that once the backdoor is
installed, the above SNARF attack will function on devices that
previously denied access, and without the restrictions of a plain SNARF
attack, so we strongly suspect that the other services will prove to be
available also.

Bluejacking:

Although known to the technical community and early adopters for some
time, the process now known as "Bluejacking"[1] has recently come to the
fore in the consumer arena, and is becoming a popular mechanism for
exchanging anonymous messages in public places. The technique involves
abusing the bluetooth "pairing"[2] protocol, the system by which
bluetooth devices authenticate each other, to pass a message during the
initial "handshake" phase. This is possible because the "name" of the
initiating bluetooth device is displayed on the target device as part of
the handshake exchange, and, as the protocal allows a large user defined
name field - up to 248 characters - the field itself can be used to pass
the message. This is all well and good, and, on the face of it, fairly
harmless, but, unfortunately, there is a down side. There is a potential
security problem with this, and the more the practice grows and is
accepted by the user community, and leveraged as a marketing tool by the
vendors, the worse it will get.  The problem lies in the fact that the
protocol being abused is designed for information exchange. The ability
to interface with other devices and exchange, update and synchronise
data, is the raison d'e^tre of bluetooth. The bluejacking technique is
using the first part of a process that allows that exchange to take
place, and is therefore open to further abuse if the handshake completes
and the "bluejacker" successfully pairs with the target device. If such
an event occurs, then all data on the target device bacomes available to
the initiator, including such things as phone books, calendars, pictures
and text messages. As the current wave of PDA and telephony integration
progresses, the volume and quality of such data will increase with the
devices' capabilities, leading to far more serious potential compromise.
Given the furore that errupted when a second-hand Blackberry PDA was
sold without the previous owner's data having been wiped[3], it is
alarming to think of the consequences of a single bluejacker gathering
an entire corporate staff's contact details by simply attending a
conference or camping outside their building or in their foyer with a
bluetooth capable device and evil intent. Of course, corporates are not
the only potential targets - a bluejacking expedition to, say, The House
of Commons, or The US Senate, could provide some interesting, valuable
and, who's to say, potentially damaging or compromising data.

The above may sound alarmist and far fetched, and the general reaction
would probably be that most users would not be duped into allowing the
connection to complete, so the risk is small. However, in today's
society of instant messaging, the average consumer is under a constant
barrage of unsolicted messages in one form or another, whether it be by
SPAM email, or "You have won!" style SMS text messages, and do not tend
to treat them with much suspicion (although they may well be sceptical
about the veracity of the offers). Another message popping up on their
'phone saying something along the lines of "You have won 10,000 pounds!
Enter this 4 digit PIN number and then dial 0900-SUCKER to collect your
prize!" is unlikely to cause much alarm, and is more than likely to
succeed in many cases.

Workarounds and fixes
---------------------

We are not aware of any fixes for the SNARF attack at this time other
than to switch off bluetooth.

To permanently remove a pairing, and protect against future BACKDOOR
attacks, it seems you must perform a factory reset, but this will, of
course, erase all your personal data.

To avoid Bluejacking, "just say no". :)

The above methods work to the best of our knowledge, but, as the devices
affected are running closed-source proprietory software, it not possible
to verify that without the collaboration of the manufacturers. We
therefore make no claims as to the level of protection they provide, and
you must continue to use bluetooth at your own risk.

Who's Vulnerable
----------------

To date the quantity of devices tested is not great. However, due to the
fact that they are amongst the most popular brands, we still consider
the affected group to be large. It is also assumed that there are shared
implementations of the bluetooth stack, so what affects one model is
likely to affect others.0

The devices known to be vulnerable at this time are:

SNARF attack:

  Ericsson: T68, T68i, T610
  Nokia: 6310i, 7650

BACKDOOR attack:

  Nokia: 6310i, 7650

  * It is not known at this time if Ericsson's are also vulnerable to
  the BACKDOOR attack.

Disclosure
----------

What is the Philosophy of Full Disclosure, and why are we providing the
tools and detailing the methods that allow this to be done?  The
reasoning is simple - by exposing the problem we are achieving two
goals: firstly, to alert users that the dangers exist, in order that
they can take their own precautions against compromise, and secondly, to
put pressure on manufacturers to rectify the situation. Consumers have a
right to expect that their confidential data is treated as such, and is
not subject to simple compromise by poorly implemented protocols on
consumer devices. Manufacturers have a duty of care to ensure that such
protection is provided, but, in practice, commercial considerations will
often take precedence, and, given the choice, they may choose to simply
supress or hide the problem, or, even worse, push for laws that prevent
the discovery and/or disclosure of such flaws[5]. In our humble opinion,
laws provide scant consumer protection against the lawless.

However, having said that, in this particular case, we do not feel it is
appropriate to follow the normal procedure of liaising with
manufacturers and giving them an opportunity to rectify the problem
before disclosing to the general public (this is not to say we haven't
contacted them - we have), as there are simply too many of them, and the
problem is too widespread to realistically believe that they could
either adhere to the strict levels of confidentiality required until the
problem has been rectified, or that there is even the possibilty that
the problem can be rectified in a reasonable timescale. Also, the volume
of data currently at risk is too great to allow the situation to
continue unchecked.

Instead, we feel it is more important to achieve our primary goal, and
alert the general public to the fact that the problem exists, and to
give them the information required to adequetely defend themselves.
Fortunately, the defence is relatively simple, and is detailed above. To
date we do not have a large selection of phones or other devices to
test, so the advice is somewhat generic, but we will publish more
detailed information as and when it becomes available.

Tools
-----

Proof of concept utilities have been developed, but are not yet
available in the wild. They are:

        bluestumbler - Monitor and log all visible bluetooth devices
                       (name, MAC, signal strength, capabilities), and
                       identify manufacturer from MAC address lookup.

        bluebrowse -   Display available services on a selected device
                       (FAX, Voice, OBEX etc).

        bluejack -     Send anoymous message to a target device (and
                       optionally broadcast to all visible devices).

        bluesnarf -    Copy data from target device (everything if
                       pairing succeeds, or a subset in other cases,
                       including phonebook and calendar. In the latter
                       case, user will not be alerted by any bluejack
                       message).

Tools will not be released at this time, so please do not ask. However,
if you are a bona-fide manufacturer of bluetooth devices that we have
been otherwise unable to contact, please feel free to get in touch for
more details on how you can identify your device status.

Credits
-------

The above vulnerabilities were discovered by Adam Laurie, during the
course of his work with A.L. Digital, in November 2003, and this
announcement was prepared thereafter by Adam and Ben Laurie for
immediate release.

Adam Laurie is Managing Director and Chief Security Officer of A.L.
Digital Ltd.

Ben Laurie is Technical Director of A.L. Digital, and author of
Apache-SSL and contributor to many other open source projects, too
numerous to expand on here.

A.L. Digital Ltd. are the owner operators of The Bunker, the world's
most secure data centre(s).

e: adam@algroup.co.uk
w: http://www.aldigital.co.uk
w: http://www.thebunker.net

e: ben@algroup.co.uk
w: http://www.apache-ssl.org/ben.html

Further information relating to this disclosure will be updated at
http://www.bluestumbler.org

References:

[1] - http://www.bluejackq.com/
      http://www.theregister.co.uk/content/6/33781.html
      http://news.bbc.co.uk/1/hi/technology/3237755.stm

[2] - http://www.palowireless.com/infotooth/tutorial/lmp.asp

[3] - http://www.out-law.com/php/page.php?page_id=blackberryforsale1061969777

[4] - http://bluesniff.shmoo.com/

[5] - http://www.eff.org/


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH