Security Laboratory

Security Laboratory

Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.

Other Related Articles in Security Laboratory: Wireless Security


Dispelling Common Bluetooth Misconceptions


Joshua Wright

Bluetooth technology is a fast-growing technology, being adopted in all forms of technology from mobile phones, headsets, laptops, handhelds and even watches and children’s toys [1]. As a decidedly “ad-hoc” technology, Bluetooth devices are often utilized within organizations, outside of the control of IT management.

Few organizations recognize the threat of Bluetooth technology, often due to misconceptions in the technology, and the threats of use. This whitepaper will dispel several common misconceptions regarding Bluetooth technology, allowing organizations to better assess their exposure to Bluetooth threats.

Misconception 1: "Bluetooth is a short-range technology"

Many organizations disregard the security of Bluetooth networks as a concern because they consider Bluetooth to be a short-range technology. Bluetooth technology is not limited to short-range connections however, offering three ranges of standard range connectivity, as shown in figure 1. With class 1 Bluetooth devices transmitting at 100mW, which have a standard range of approximately 100 meters or 328 feet, range is comparable to that of an 802.11b WLAN device. Class 1 devices are most commonly implemented in devices where power is plentiful, such as laptop and desktop systems.


Device Class Transmit Power Intended Range
Class 3 1 mW less than 10 meters
Class 2 2.5 mW 10 meters, 33 feet
Class 1 100 mW 100 meters, 328 feet
Figure 1. Bluetooth device transmitter classes [2]

In contrast, class 2 devices transmit at 2.5 mW with a range of approximately 10 meters or 32 feet. Class 2 devices are the most common Bluetooth transmitters for their fair range with less power requirements than class 1 devices. Most mobile phones and Bluetooth headsets are class 2 devices.

Since Bluetooth devices operate in the 2.4 GHz spectrum, they use the same commodity antennas designed for WLAN devices. While vendors don't design Bluetooth dongles with external antenna connectors, some Bluetooth dongles such as the Linksys USBBT100 can be modified to accommodate an external antenna connector. By soldering on an external antenna cable, the range of a Bluetooth Class 1 dongle can be extended, allowing an attacker to connect to class 2 devices (intended for a range of 10 meters) from a range of over a mile.


Modified Linksys USBBT100 Dongle

Misconception 2: "Bluetooth does not expose sensitive data"

Another misconception regarding Bluetooth networks is that they don't represent a mechanism that exposes any sensitive data. To dispel this notion, consider the attack known as the BlueSnarfing attack. Targeting several popular Nokia and Ericsson phones, the BlueSnarfing attack leverages a flaw where phones expose the RFCOMM profile on an undocumented service that allows an attacker to connect to the device without authentication. Using the serial connectivity provided by the RFCOMM profile, an attacker can execute arbitrary AT commands to manipulate the remote device, including the ability to retrieve, modify and delete phonebook and calendar entries.

The bluesnarfer tool implements this attack [3], where the attacker can specify a remote phonebook (stored numbers, recent outgoing calls, recent incoming calls, etc) and retrieve, modify or delete the results. If the attacker connects to the RFCOMM service manually with a terminal emulator tool (either on Windows or Linux systems), they can enter manual AT commands, such as initiating a call ("ATDT911"), forwarding all calls to a specified number ("AT+CCF911") or redial the last number called ("ATDL"). Even more potentially useful information is available for the attacker, including the Electronic Serial Number of the phone ("AT+CGSN").


Sample Bluesnarfer attack

While it is widely recognized in wireless LAN environments that rogue APs can expose an organization, Bluetooth can also pose a rogue AP risk, where a Bluetooth-enabled device that supports PPP over the RFCOMM profile, or the BNEP profile can grant a remote attacker the ability to connect to the LAN remotely. Although some organizations have implemented WLAN IDS systems used to monitor their wireless networks and identify the presence of policy violations including rogue APs, these systems cannot detect Bluetooth APs since they are designed to identify IEEE 802.11 WLAN activity and are not equipped with the appropriate hardware to detect Bluetooth transmitters.

One example of a Bluetooth AP is the Belkin F8T030 device [4]. This device implements the Radio Frequency Communications profile (RFCOMM) through PPP, as well as the Bluetooth Network Encapsulation Profile (BNEP) profile for connectivity, and is permanently in discoverable mode. The hostname of the device is set automatically to the IP address of the wired interface, making it convenient for an attacker to associate their target network with the name of the device. In addition, the device itself is vulnerable to several attacks including unauthenticated access to the management interface through directory recursion and buffer overflow vulnerabilities.


Belkin F8T030 Bluetooth AP

Likely the most popular use of Bluetooth technology, Bluetooth headset devices are becoming increasingly popular as a fashion accessory, and as an alternative to continue using a mobile phone while driving in states that have passed "no handheld phones while driving" laws. While it is still challenging for an attacker to capture an active conversation when the initial device pairing is not avaialble, headsets that are not actively in a call can be exploited to use the headset microphone as an audio bug, with the ability to inject arbitrary audio into the headset device as well. Tools such as the CarWhisperer [5] allow an attacker to pair with a headset device, playing and recording audio through the device.

Misconception 3: "Weaknesses are limited to implementation flaws"

In the design of the Bluetooth specification, the Bluetooth SIG invented their own encryption mechanism, known as the E0 cipher. It is generally frowned upon in the cryptography community when someone invents their own encryption mechanism, since it can take many years to fully understand the implications of the cipher and potential weaknesses. Recent research into the E0 cipher from the LASEC Security and Cryptography Labs [5] has revealed that while E0 was designed to provide 128-bit security levels, it has sufficient weaknesses such that it can be compromised with 238 operations, instead of 2128.

The research paper highlighting this weakness in the E0 cipher is available at http://lasecwww.epfl.ch/pub/lasec/doc/LMV05.pdf, with presentation slides from the International Association for Cryptologic Research available at http://www.iacr.org/conferences/crypto2005/p/16.pdf.

Misconception 4: "Non-discoverable devices cannot be found"

Many devices rely on the secrecy of the Bluetooth Device Address (BD_ADDR) information for security. In order to facilitate this, Bluetooth devices can be configured in discoverable mode, where they answer to page request messages from other devices with their BD_ADDR information, and in non-discoverable mode, where they ignore requests for the BD_ADDR. Devices in discoverable mode are especially at risk since they can easily be identified by an attacker. Tools such as BTScanner will send repeated page request messages to identify all Bluetooth devices in the area.


BTScanner device discovery

While keeping Bluetooth devices in non-discoverable mode is a recommended security practice, it does not prevent an attacker from being able to capture information about an active piconet in progress. While the Bluetooth frame header does not transmit the full BD_ADDR information (unlike IEEE 802.11 and Ethernet frame headers), it is possible to determine at least the trailing three bytes of address information by capturing the access code information that precedes the frame header [6]. Once the trailing three bytes of BD_ADDR are known, an attacker can send connection request messages to every common BD_ADDR prefix or OUI until the full BD_ADDR is known. A list of common BD_ADDR prefixes are available through the results of the BNAP, BNAP project at [7]. Using this list, an attacker can test all known Bluetooth OUI values in less than 2 minutes. Once a response is received for a probe, the attacker knows the full BD_ADDR of the target device.

Once the full BD_ADDR is known, an attacker can connect to the target directly. This can lead to further vulnerability discovery such as buffer overflows in the Bluetooth stack [8], directory recusion attacks [9] and unauthenticated device access [10].


Conclusion

Many organizations overlook the security threat of Bluetooth technology in their organizations due to misconceptions in the range, exposure, risks and use of Bluetooth-enabled devices. These threats should not be overlooked, however, and should be evaluated as part of an overall wireless security plan.

==
About the Author
Joshua Wright is the author of the SANS Institute Assessing and Securing Wireless Networks course and the author of several open-source tools designed to assess and demonstrate the flaws in common wireless networks. He can be reached via email at jwright@willhackforsushi.com.

===
[1] Bluetooth RC Car, http://www.pocket-lint.co.uk/reviews/review.phtml/316/1340/sony-ericsson-bluetooth-car-100-car.phtml
[2] Bluetooth class ranges, http://www.tomshardware.com/forum/32906-39-bluetooth-class-ratings
[3] Bluesnarfer attack, http://trifinite.org/trifinite_stuff_bluesnarf.html
[4] F8T030 Bluetooth Access Point, http://www.amazon.com/Belkin-F8T030-Bluetooth-Access-Server/dp/B00008I9IR
[5] CarWhisperer, http://trifinite.org/trifinite_stuff_carwhisperer.html
[6] "BlueSniff: Eve Meets Alice and Bluetooth", Spill, Bittau, http://www.usenix.org/events/woot07/tech/full_papers/spill/spill.pdf
[7] BNAP, BNAP Project, http://802.15ninja.net/bnapbnap
[8] "Flaw found in Toshiba wireless device driver", http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1224746,00.html
[9] "Toshiba Bluetooth Stack Directory Transversal", http://www.digitalmunition.com/DMA%5B2006-0112a%5D.txt
[10] "Widcomm BTW - Bluetooth for Windows Remote Audio Eavesdropping", http://www.digitalmunition.com/DMA%5B2005-1214a%5D.txt © 2005-2007 The SANS™ Technology Institute