Bluetooth: Facts & Fixes
Sudeep Naik
Sep 14 2006

Since its inception (way back in 1994) by Ericsson, Bluetooth has spread across numerous categories of devices and an astronomical number of gadgets. Here in India, the first time the general public heard about the technology was when phones with integrated Bluetooth chips arrived. Since then there's been no looking back: the use of Bluetooth has spread to all spheres of digital communication, be it home, office, school, or college.

But how many of us actually know how the technology works? Not many. And even fewer know about the security issues surrounding this avatar of short-range communication.

While we all hear reports of networks and PCs being hacked all the time, a similar phenomenon has been bugging mobile phone users as well. Bluetooth hacking (that is, the hacking of Bluetooth-enabled devices) has grown exponentially in the last couple of years.

Remember the Paris Hilton fiasco, wherein her phone was hacked and all her data including contacts, messages, pics, etc, was stolen? If somebody could hack into her phone, I'd say hacking a random person's phone is a walk-in-the-park.

There's lot more to talk about on this issue but before that, just to get everyone on the same page, let's understand the technology better.

Basically Blue

As they say, 'Necessity is the mother of invention'; so is the case with Bluetooth.

Before Bluetooth was conceived, people had to rely on the leisurely pace of IrDA (Infrared Data Association) devices for short-range wireless file transfers, which had serious shortcomings in terms of speed and connectivity.

File sizes were growing much faster than the refinements in IR, and a new technology was the need of the hour. This is when Bluetooth stepped in, giving users a much-needed boost in speed, device visibility, and connectivity, along with more bandwidth.

Bluetooth is a communication specification that uses short-range radio links to replace the cables between computers and their connected units. Ericsson Mobile Communication started the project in 1994 and named it Bluetooth in honor of Harald Bluetooth, king of Denmark in the mid-tenth century.


The global acceptance of Bluetooth is largely due to the formation of the Bluetooth Special Interest Group (SIG). The Bluetooth SIG has a huge member-base that includes companies from the telecommunications, computing, automotive, music, apparel, industrial automation, and network industries.

Ericsson, IBM, Intel, Lucent, Microsoft, Motorola, Nokia, Toshiba, and 3COM are some of the leading members of this group and have been there since its inception. All members of the SIG share a common goal: making products that qualify under the Bluetooth standard and enabling interoperability between Bluetooth-enabled devices from different manufacturers.



Bluetooth: Features

The key features of Bluetooth technology are robustness, low power, low cost, and a single uniform structure for a wide range of devices that eliminates protocol conflicts.

To use Bluetooth, a device needs a transceiver chip that transmits and receives data. It operates in the unlicensed ISM band at 2.4 GHz and gives a throughput of 1 Mbit/s with version 1.1 and up to 3 Mbit/s with version 2.0 with EDR (Enhanced Data Rate).

In addition to data, the Bluetooth specification allows up to three voice channels, so voice communication can run alongside data transfers.
The operating range depends on the device class:
Class 3 - Range of up to 1 meter or 3 feet.

Class 2 - Range of up to 10 meters or 30 feet (most mobile phones and PDAs).

Class 1 - Range of up to 100 meters or 300 feet (mainly used for industrial applications).

The most commonly used device class is Class 2, which transmits at 2.5 mW. Low power usage is an added bonus, as is the ability of Bluetooth devices to power down their radios when not in use.

A frequency-hopping scheme (1600 hops/s) allows full-duplex communication even in areas with a great deal of electromagnetic interference, and the link comes with built-in encryption and verification of devices.

That's Bluetooth in a nutshell, let's see how it actually works.

Bluetooth: Protocol Stack

As we proceed, we will talk about the protocol stack and operation of Bluetooth. The Bluetooth specification consists of a series of layers implemented in hardware and software, viz. the Physical layer (radio transmission), Baseband, Link Manager Protocol (LMP), Host Controller Interface (HCI), Logical Link Control and Adaptation Protocol (L2CAP), and the Application layer.



The Radio, Baseband, and Link Manager (LM) layers are all incorporated on the Bluetooth chip itself.

Link Manager functions include link set-up, link configuration, and related control tasks. A major task for the LM is to discover remote LMs and communicate with them using the Link Manager Protocol (LMP).
The HCI provides a command interface to the baseband controller and link manager, and access to hardware status and control registers. Essentially this interface provides a uniform method of accessing the Bluetooth baseband capabilities.

L2CAP provides connection-oriented and connectionless services to the upper layers of the protocol stack. Protocol multiplexing, segmentation, and reassembly of data packets and group abstraction are some of the important functions of this layer. L2CAP allows higher level protocols and applications to send and receive L2CAP data packets up to 64 kilobytes in length.
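As an added illustration (not code from the article, and not any real stack's implementation), here is a small Python parser for the L2CAP basic-frame header described above, run over constructed sample frames. The header layout (16-bit payload length followed by a 16-bit channel identifier, both little-endian), the fixed channel identifiers, and the 16-bit length field come from the L2CAP specification; the sample Connection Request payload and the data frame are made up for the demonstration. The point worth taking away is the length check: the "up to 64 kilobytes" bound exists because the length field is 16 bits wide, and a receiver must compare the declared length with the bytes actually in hand before copying anything.

```python
import struct

# L2CAP basic (B-frame) header: 16-bit payload length, then 16-bit channel
# identifier (CID), both little-endian. A 16-bit length field is exactly why
# an L2CAP packet carries "up to 64 kilobytes" of upper-layer data.
L2CAP_HEADER_LEN = 4
L2CAP_MAX_PAYLOAD = 0xFFFF

# Fixed channel identifiers from the L2CAP specification. Connection-oriented
# channels are assigned dynamically from 0x0040 upwards.
CID_NULL = 0x0000
CID_SIGNALING = 0x0001
CID_CONNECTIONLESS = 0x0002
CID_DYNAMIC_MIN = 0x0040


def describe_cid(cid: int) -> str:
    """Classify a channel identifier the way an L2CAP demultiplexer would."""
    if cid == CID_SIGNALING:
        return "signaling"
    if cid == CID_CONNECTIONLESS:
        return "connectionless"
    if cid >= CID_DYNAMIC_MIN:
        return "connection-oriented"
    return "reserved"


def build_l2cap_frame(cid: int, payload: bytes) -> bytes:
    """Prepend the basic-frame header to an upper-layer payload."""
    if len(payload) > L2CAP_MAX_PAYLOAD:
        raise ValueError("payload exceeds the 16-bit L2CAP length field")
    return struct.pack("<HH", len(payload), cid) + payload


def parse_l2cap_frames(stream: bytes) -> list[tuple[int, bytes]]:
    """Split a reassembled byte stream into (cid, payload) pairs.

    The declared length is checked against the bytes actually present before
    anything is copied; trusting a peer-supplied length blindly is the classic
    way a packet parser ends up reading past its buffer.
    """
    frames = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < L2CAP_HEADER_LEN:
            raise ValueError(f"truncated L2CAP header at offset {offset}")
        length, cid = struct.unpack_from("<HH", stream, offset)
        if cid == CID_NULL:
            raise ValueError(f"reserved null CID at offset {offset}")
        start = offset + L2CAP_HEADER_LEN
        end = start + length
        if end > len(stream):
            raise ValueError(
                f"frame at offset {offset} declares {length} payload bytes "
                f"but only {len(stream) - start} remain"
            )
        frames.append((cid, stream[start:end]))
        offset = end
    return frames


def is_well_formed(stream: bytes) -> bool:
    """True if every frame in the stream passes the header checks above."""
    try:
        parse_l2cap_frames(stream)
        return True
    except ValueError:
        return False


# Constructed sample traffic (not a real capture): a signaling-channel
# Connection Request followed by a data frame on the dynamic CID it names.
# Signaling payload: code 0x02 (Connection Request), identifier 0x01,
# data length 4, PSM 0x0003 (RFCOMM), source CID 0x0040.
SAMPLE_CONNECT_REQ = build_l2cap_frame(
    CID_SIGNALING, bytes([0x02, 0x01, 0x04, 0x00, 0x03, 0x00, 0x40, 0x00])
)
SAMPLE_DATA = build_l2cap_frame(0x0040, b"hello over RFCOMM")
SAMPLE_STREAM = SAMPLE_CONNECT_REQ + SAMPLE_DATA


def demo() -> list[tuple[int, str, int]]:
    """Return (cid, channel kind, payload length) for each frame in the sample."""
    return [(cid, describe_cid(cid), len(p)) for cid, p in parse_l2cap_frames(SAMPLE_STREAM)]


if __name__ == "__main__":
    for cid, kind, n in demo():
        print(f"CID 0x{cid:04x} ({kind}): {n} byte payload")
```

Feeding the parser a stream that has been cut short (for example, the sample with its last five bytes removed) makes it reject the final frame rather than silently returning a short payload, which is the behaviour a receiver should have.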



Bluetooth: Operation

A typical Bluetooth communication scenario looks like this:

The physical radio channel is shared by a group of devices that are synchronized to a common clock and frequency-hopping pattern. One of these devices provides the synchronization reference and is known as the master. All other devices are known as slaves. A group of devices synchronized in this fashion form a piconet. This is the fundamental form of communication for Bluetooth wireless technology.



All devices in a piconet use the same frequency-hopping pattern, which is determined by Bluetooth specifications and clock of the master. The basic hopping pattern is a pseudo-random ordering of the 79 frequencies in the ISM band.

The physical channel is sub-divided into time units known as slots. Data is transmitted between Bluetooth enabled devices in packets that are positioned in these slots. With the use of a Time-Division Duplex (TDD) mechanism, a full duplex communication channel is provided to all devices.

Above the physical channel, there is a layering of links and channels and associated control protocols. The hierarchy of channels and links from the physical channel upwards is physical channel, physical link, logical transport, logical link, and L2CAP channel.

Each of the layers mentioned above performs specific functions (which are out of scope for this article) that allow further transmission of data and voice packets.

Hacked! How?

Bluetooth has some built-in security measures (such as the encryption mentioned previously), but when technology advances, security risks are sure to follow. So has been the case with Bluetooth.

Before we move on lets understand what phone-hacking is:

Hacking means illegally accessing information on other people's computer systems without destroying or disrupting data or resources on the network or computer systems.

The same applies to mobile phones as well.

But let's not confuse hacking with its more evil avatar called cracking. Cracking involves breaking into a system and altering data or settings.

Since Bluetooth works with short-range radio waves, security is one of the most important concerns, as anyone in a specific range has access to your device (mobile phone, PDA, etc.)

Hackers can use a multitude of methods to get into your Bluetooth device. These range from simple broadcasting techniques to complex tools that can access all the data on the device without your permission or knowledge.



Let's see some of the known methods of hacking Bluetooth enabled mobile phones. We'll start with the most basic methods that anyone can employ and graduate towards the methods used by skilled individuals.

Bluejacking

Picture this: you are sitting in a café with all your friends (ladies included) and one of them starts getting anonymous Bluetooth messages that are quite abusive. What do you do? Rather, what can you do?

Well, that's what happens when you are Bluejacked.

Bluejacking is the oldest, most common, and simplest of all forms of mobile phone hacking.

It involves phone users sending business cards anonymously over Bluetooth.
No data is removed or altered on the device in bluejacking. These business cards often carry a witty or flirtatious message rather than the typical name and phone number. Bluejackers often watch for the receiving phone to ping or the user to react, and then send another, more personal message to that device. Although it sounds like harmless fun, it can be really nasty (try using your imagination).

Tips to avoid getting bluejacked

Never add oddly worded messages from unknown sources to your contacts/address book.

Set your Bluetooth phone to non-discoverable mode when not in use.

Bluesnarfing

Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs. This allows access to a calendar, contact list, emails, and text messages.

Bluesnarfing is one of the more dangerous forms of phone-hacking. With the help of software, a skilled individual can connect wirelessly to some early Bluetooth phones without the owner being aware and download the phonebook, the calendar, pictures, etc.

Some advanced versions of bluesnarfing can even alter files in some bluesnarfed phones.

Bluesnarfing works much like bluejacking does, through the mechanism for exchanging business cards. Using the OBEX protocol (see protocol stack), which is used for such exchanges, the bluesnarfing software connects to a target device via Bluetooth's OBEX Push profile. But instead of pushing a business card, it pulls, using a "get" request for files with known names, such as the phonebook file (telecom/pb.vcf) or the calendar file (telecom/cal.vcs).

What made such a hack possible was the lack of security features in earlier Bluetooth-enabled mobile phones. One particular bug that the hackers took advantage of was the failure of the earlier software versions to require authentication of another Bluetooth device that attempted a push operation.
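As an added example (illustrative code, not the article's and not any vendor's firmware), the following Python models the server-side decision that the early phones got wrong. The OBEX packet layout (opcode, 16-bit big-endian length, Name header 0x01 as null-terminated UTF-16BE text, Type header 0x42 as a byte sequence) and the response codes come from the OBEX specification; the push_service_policy function and the three sample requests are constructed for this demonstration, and the link_authenticated flag stands in for the pairing state a real profile implementation would consult. A push server applying this rule still accepts business cards, but answers a named "get" from an unpaired peer with Unauthorized instead of handing over telecom/pb.vcf.

```python
import struct

# OBEX opcodes (low 7 bits); the high bit marks the final packet of a request.
OP_CONNECT, OP_DISCONNECT, OP_PUT, OP_GET = 0x00, 0x01, 0x02, 0x03
FINAL = 0x80
# OBEX header identifiers used by Object Push: Name (Unicode text), Type (byte sequence).
HI_NAME, HI_TYPE = 0x01, 0x42
# OBEX response codes (final bit set).
RSP_SUCCESS, RSP_UNAUTHORIZED, RSP_FORBIDDEN = 0xA0, 0xC1, 0xC3


def build_obex_request(opcode: int, headers: list[tuple[int, object]]) -> bytes:
    """Serialise an OBEX request; used here only to construct sample packets."""
    body = b""
    if opcode & 0x7F == OP_CONNECT:
        body += bytes([0x10, 0x00, 0xFF, 0xFF])  # version 1.0, flags, max packet size
    for hi, value in headers:
        kind = hi & 0xC0
        if kind == 0x00:    # null-terminated UTF-16BE text; length covers HI + length bytes
            enc = value.encode("utf-16-be") + b"\x00\x00"
            body += struct.pack(">BH", hi, 3 + len(enc)) + enc
        elif kind == 0x40:  # byte sequence; length covers HI + length bytes
            body += struct.pack(">BH", hi, 3 + len(value)) + value
        elif kind == 0x80:  # single byte value
            body += struct.pack(">BB", hi, value)
        else:               # four byte value
            body += struct.pack(">BI", hi, value)
    return struct.pack(">BH", opcode, 3 + len(body)) + body


def parse_obex_request(pkt: bytes) -> tuple[int, dict[int, object]]:
    """Return (opcode without final bit, {header id: value}), validating every length."""
    if len(pkt) < 3:
        raise ValueError("OBEX packet shorter than its 3-byte prefix")
    opcode, total = struct.unpack_from(">BH", pkt, 0)
    if total != len(pkt):
        raise ValueError("OBEX length field disagrees with packet size")
    pos = 7 if opcode & 0x7F == OP_CONNECT else 3  # CONNECT carries 4 extra fixed bytes
    headers: dict[int, object] = {}
    while pos < total:
        hi = pkt[pos]
        kind = hi & 0xC0
        if kind in (0x00, 0x40):
            if pos + 3 > total:
                raise ValueError("truncated OBEX header length")
            (hlen,) = struct.unpack_from(">H", pkt, pos + 1)
            if hlen < 3 or pos + hlen > total:
                raise ValueError("OBEX header length runs past the packet")
            raw = pkt[pos + 3:pos + hlen]
            headers[hi] = raw.decode("utf-16-be").rstrip("\x00") if kind == 0x00 else raw
            pos += hlen
        elif kind == 0x80:
            if pos + 2 > total:
                raise ValueError("truncated 1-byte OBEX header")
            headers[hi] = pkt[pos + 1]
            pos += 2
        else:
            if pos + 5 > total:
                raise ValueError("truncated 4-byte OBEX header")
            (headers[hi],) = struct.unpack_from(">I", pkt, pos + 1)
            pos += 5
    return opcode & 0x7F, headers


def push_service_policy(pkt: bytes, link_authenticated: bool) -> int:
    """Decide how an Object Push server should answer one request.

    The push service exists to receive objects (PUT). The only pull the profile
    defines is the owner's default business card, a GET with no Name header.
    A GET that names a stored object such as telecom/pb.vcf is a browse request
    and is served only on an authenticated (paired) link, which is the check
    the article says early firmware omitted.
    """
    opcode, headers = parse_obex_request(pkt)
    if opcode in (OP_CONNECT, OP_DISCONNECT, OP_PUT):
        return RSP_SUCCESS
    if opcode == OP_GET:
        if HI_NAME not in headers:
            return RSP_SUCCESS
        return RSP_SUCCESS if link_authenticated else RSP_UNAUTHORIZED
    return RSP_FORBIDDEN


# Constructed sample requests (not captured traffic).
SAMPLE_PUSH_CARD = build_obex_request(OP_PUT | FINAL, [(HI_NAME, "card.vcf"), (HI_TYPE, b"text/x-vcard\x00")])
SAMPLE_PULL_DEFAULT = build_obex_request(OP_GET | FINAL, [(HI_TYPE, b"text/x-vcard\x00")])
SAMPLE_PULL_PHONEBOOK = build_obex_request(OP_GET | FINAL, [(HI_NAME, "telecom/pb.vcf")])

if __name__ == "__main__":
    for label, pkt in [("push card", SAMPLE_PUSH_CARD),
                       ("pull default card", SAMPLE_PULL_DEFAULT),
                       ("pull phonebook", SAMPLE_PULL_PHONEBOOK)]:
        unpaired = push_service_policy(pkt, False)
        paired = push_service_policy(pkt, True)
        print(f"{label}: unpaired -> 0x{unpaired:02X}, paired -> 0x{paired:02X}")
```

The parser validates the outer length field and every header length before slicing, so a malformed header cannot make the server read beyond the packet; the policy then keys off the opcode and the presence of a Name header rather than on the file name, so a renamed object gets no special treatment.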

Initially, bluesnarfing required a laptop and some software to get into a phone, but these days bluesnarfing software written in J2ME can run on any J2ME-enabled mobile phone. A program called Blooover (developed by Martin Herfurt) is used for bluesnarfing.

But this was some time back; some mobile phone manufacturers have since released firmware upgrades that rectify the flaw, but many phone owners haven't installed them.

Tips to avoid getting bluesnarfed

As with bluejacking, being non-discoverable also helps a Bluetooth mobile phone avoid bluesnarfing. Although we are aware that a device may still be detected even in non-discoverable mode, the computing effort involved will deter the amateur hacker from doing so.

So, unless you are some big-shot executive with loads of confidential data on your phone, we suggest you check if required firmware updates have been installed.



Bluebugging

First publicized by Martin Herfurt (in March 2004), Bluebugging allows an intruder to access the mobile phone commands using Bluetooth without notifying or alerting the phone's user.

This chink in the armor for Bluetooth allows the hacker to initiate phone calls, send and read SMSs, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet.

The hacker may make long-distance or overseas calls without you even noticing (unless you happen to glance at your screen at that moment). The threat of getting bluebugged is bound to give any executive sleepless nights, as their phone can be used as a bugging device, like a microphone. Imagine the same happening while you are in some highly classified company meeting (guess it won't be classified anymore), or worse, what if someone sends an SMS to your boss telling him what 'you' feel about him?

Well, the possibilities of you getting screwed are endless if you've been bluebugged.

Bluesniper

As the name suggests, this mode of attack uses a gun-like, high-power directional antenna that boosts the range of Bluetooth so much that a device even a mile away can be reached. The range of an ordinary Bluetooth dongle can be extended by connecting a directional antenna to it.



Cabir Worm

Since the arrival of Symbian Series 60 phones, security issues have grown exponentially, as these phones allow users to install and run applications much as we do on our PCs. And just like on PCs, the threats of viruses, worms, and other malicious software emerged as well.

In June 2004, a new worm was discovered that can bluejack nearby cellphones running Symbian Series 60 OS. Phones like the Nokia 3650, 7650, N-Gage, and many more were victims of this worm.

The worm, dubbed Cabir, sends itself as a SIS format file named caribe.sis. When launched, the worm seeks out available Bluetooth devices and sends itself to them. The recipient receives a message on their cellphone that reads either just 'Caribe' or 'Caribe - VZ/29a'. If receipt is confirmed, the cellphone owner will then be asked if they wish to 'install Caribe'. Each time an infected cellphone is turned on, it automatically seeks out available Bluetooth users and attempts to infect them.

Although no major outbreaks of Cabir have been reported, this worm is still perfectly functional and very much able to spread if released.

Now, if that was the situation two years back, just try and imagine what all could be happening at this very moment.



Observations

Well, looking at all this misuse of potentially excellent technology, we need to know, how did it come to this?

The main reason for widespread Bluetooth hacking was poor implementation of the Bluetooth security mechanisms by various manufacturers of Bluetooth devices. But with the SIG taking a keen interest in security, most of the low-level problems have been fixed, though not all. The Bluetooth SIG continues to study the security risks associated with the technology and to assess their viability as the technology spreads and develops.

All in all, we must say that Bluetooth, as a technology specification, is pretty robust. The problems arise at the application level. And, as most phones these days are Java-enabled, it becomes easier for a hacker to plant a program that can provide access to various phone features and functions.

At this point you would be wondering, what were the mobile phone manufacturers doing while this was happening?

Well, the two major mobile phone manufacturers, Nokia and Sony Ericsson, have developed software upgrades for all vulnerable phones (patches are available only for bluesnarfing and bluebugging). Both are also working towards making all future releases attack-free.

That was about what others are doing to protect you and your data from being hacked. Let's see what we can and must do to protect ourselves from getting hacked.

Fighting Back

We never know how important our data is until we lose it (or someone misuses it). But there are a few things you can do to avoid becoming a victim of hacking.

The following points should set you in the right direction.

If you have a phone that is vulnerable to bluesnarfing or bluebugging, you should contact the phone's manufacturer or take the phone to a manufacturer authorized service point to get the necessary patches or install them yourself.

Turn your Bluetooth device to non-discoverable mode when not using Bluetooth and in unknown areas.

Do not 'pair' with unknown devices.

Never give away your PIN codes or other important details which are meant for your security.

If you are using a phone that allows you to install applications, install anti-virus software. Such software is easily available over the internet; F-Secure and Trend Micro are among the companies that develop anti-virus software for mobile devices.

Do not download material from untrusted sources, especially websites hosting adult content, as they tend to carry the most viruses.

We won't say that following these steps will give you immunity to being hacked, but that's the least you can do to protect yourself and your data.

Paranoid? Don't Be

Whatever we discussed in the article is definitely not to create any paranoia or widespread fear for a certain type of product or technology. This article is meant purely to create awareness of the obscure threats we encounter in everyday life.

But, as with any other technology, the war between the good guys and the bad guys will go on and on. Some believe that it may not be long (or too late) before developers come up with a so-called 'fix' to prevent unauthorized access in general.

Blueprinting is one such technique. The idea here is to give a permanent unique identity to every Bluetooth device, much like the IP address for our computers. Collin R. Mulliner and Martin Herfurt have been working on the development of this methodology for device identification. As such, every device would be linked to an owner (or owners) whose identity is recorded by the manufacturer of the device.

This sounds effective, but again, no system can ever be foolproof. Although it may seem like a small step for mobile security, it is a giant leap for the technology as a whole. I say this because, in the near future, not only mobiles, PDAs, and some other devices are going to feature Bluetooth, but your own home could be littered with devices that 'talk' to each other via Bluetooth (the Smart Home concept). Hence the need for such methods to prevent hacking.

All said and done, we'd like to reiterate that Bluetooth is not a bad technology nor are we saying that you WILL be hacked, but I guess it's always better to play safe rather than be sorry. Cheerio.



