
Audit your Bluetooth Devices

PCQ Bureau

Now that mobile devices are becoming increasingly popular, it's high time we focus on their security. The biggest obstacle, though, is the use of multiple wireless technologies such as WiFi, Bluetooth and IR for connectivity. As these techniques don't need any physical connection between devices to transfer data, it becomes very risky to use them without ensuring adequate security.

Direct Hit!

Applies to: System/network administrators
USP: Audit Bluetooth enabled mobile devices for vulnerabilities
Links: http://netsecurity.about.com/cs/hackertools/a/aafreewifi.htm
Google keywords: Bluetooth security tools

Given that most of us carry so much important data on our mobile devices, this is a major cause of concern. Depending upon the type of mobile device you have, information can be in the form of your phonebook, photographs, meeting schedules, or even SMSs. You definitely wouldn't want anybody to get hold of that information. For instance, members of your sales team would be carrying important client contact information and other deal-clinching data. So, imagine if even one person has a phone with all that important data and a vulnerable Bluetooth implementation. Then it's very much possible that someone from your rival company can come and exploit that vulnerability and get all your secret client details by using some simple tools.

In this article, we concentrate on the vulnerabilities in using such Bluetooth devices and the tools you can use to audit their security. The main reason for such vulnerabilities is that many mobile devices today don't have a secure enough implementation of Bluetooth.

Generally, Bluetooth devices work in two modes: discoverable or hidden. Discoverable devices can be easily detected using a Bluetooth scanning utility. But the only way to detect a Bluetooth device in hidden mode is to supply its MAC address. Red Fang is one such Linux-based tool that finds the MAC address of a Bluetooth device. But, if there hasn't been much communication between the two devices using Bluetooth over a long period of time, then finding the MAC address becomes even more difficult. Once the MAC address has been discovered and the device detected, the only way to read the data that is being transferred is by using its PIN or key. The PIN or the key has to be the same for both the receiving and sending Bluetooth devices. There aren't any tools available on the Internet to detect this PIN or key, but there are tools that can bypass this pairing mechanism and give you direct access to the data. To check whether your device is vulnerable or not, you could try our testing procedure. The following sections provide the details.


Attacking machine setup

There's a live Linux CD called Auditor, which is a set of security auditing tools. This has already been provided on the Multiboot DVD with the July 2005 issue of PCQuest. Once you have this CD, take a notebook, connect a Bluetooth dongle to it and boot it using Auditor. We used Auditor as it has all the required tools. Activate the Bluetooth dongle by running the following command from the terminal:

# hciconfig hciX up

Here, replace X with the number of the Bluetooth device you are using (hci0 for the first dongle). Next, search for all available Bluetooth devices in your surroundings by running the following command:

# hcitool -i hci0 scan

This command shows a 'Searching........' line for some time and then returns all devices available nearby along with their MAC addresses. We used it on three Bluetooth enabled devices. These were a Sony Ericsson T610 cell phone, an O2 XDA, and a Nokia 6310i mobile phone.
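As an added example that is not part of the original article, the following shell script turns the scan step into an audit: it parses the device list printed by hcitool scan and checks every discovered device against an approved inventory, so that company phones left in discoverable mode, and devices nobody knows about, stand out. The scan output, the MAC addresses and the inventory owners are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the PCQuest article: parse the device list that
# `hcitool -i hci0 scan` prints and compare it with an approved inventory, so
# that company phones left in discoverable mode, and unknown devices, stand
# out in the audit. Bring the dongle up first with `hciconfig hci0 up`.

# Constructed sample of hcitool scan output: a header line, then one
# tab-indented "<MAC><tab><name>" line per discovered device. The MACs are
# made up; the device names are the three phones tested in the article.
# For a live audit use: SCAN_OUTPUT=$(hcitool -i hci0 scan)
SCAN_OUTPUT=$(printf 'Scanning ...\n\t00:11:22:33:44:55\tT610\n\t00:11:22:33:44:66\tO2 XDA\n\t00:11:22:33:44:77\tNokia 6310i\n')

# Constructed inventory of approved devices, "<MAC> <owner>" per line
# (in practice this comes from the asset register).
INVENTORY='00:11:22:33:44:55 sales-team-1
00:11:22:33:44:77 sales-team-2'

# parse_scan: read hcitool scan output on stdin and print "MAC name" for each
# device line, skipping the header and anything whose second tab field is not
# a 17-character colon-separated address.
parse_scan() {
    awk -F'\t' 'NF >= 3 && length($2) == 17 && $2 ~ /^[0-9A-Fa-f:]+$/ { print $2, $3 }'
}

# lookup_owner: print the owner of a MAC from INVENTORY, or nothing if unknown.
lookup_owner() {
    printf '%s\n' "$INVENTORY" | awk -v m="$1" '$1 == m { print $2 }'
}

# audit_scan: classify every discovered device. An approved device that shows
# up here is in discoverable mode and should be switched to hidden; a device
# absent from the inventory is reported as UNKNOWN for follow-up.
audit_scan() {
    parse_scan | while read -r mac name; do
        owner=$(lookup_owner "$mac")
        if [ -n "$owner" ]; then
            printf 'DISCOVERABLE %s %s (%s)\n' "$mac" "$name" "$owner"
        else
            printf 'UNKNOWN %s %s\n' "$mac" "$name"
        fi
    done
}

# Summary counters used by the report below.
count_discoverable() { printf '%s\n' "$SCAN_OUTPUT" | audit_scan | grep -c '^DISCOVERABLE'; }
count_unknown()      { printf '%s\n' "$SCAN_OUTPUT" | audit_scan | grep -c '^UNKNOWN'; }

printf '%s\n' "$SCAN_OUTPUT" | audit_scan
echo "approved devices in discoverable mode: $(count_discoverable)"
echo "devices not in inventory: $(count_unknown)"
```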

Bluetooth auditing tools

We used a tool called Bluesnarfer to connect to each of these devices. This tool is capable of connecting to any Bluetooth enabled phone that has the Bluesnarf vulnerability. We found the vulnerability in the Nokia 6310i and were able to see the first hundred names in its phone book. Some other things that we could do included reading received calls, deleting the phone book and dialing a number.

[Figure caption: To access the phonebook of any vulnerable phone, all you have to do is to run the above command. The output will show a list of all the names and phone numbers.]

btscanner

Next, we tried btscanner, which is a tool to extract information from an active Bluetooth device in discoverable mode. This means that btscanner extracts information from the device without requiring the pair-key of the device. It has an information screen that acts as the user interface. This information screen displays the MAC address of the device, the services running on it and other SDP (Service Discovery Protocol) information. This tool maintains a constant link with the device so that it can report real-time changes taking place in it.

You can download btscanner from http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads and install it on your Linux machine as follows:

# gunzip btscanner-1.0.tar.gz
# tar -xvf btscanner-1.0.tar
# cd btscanner-1.0
# ./configure
# make
# make install

Simply execute ./btscanner to run btscanner.

Red Fang

There's another tool called Red Fang, which uses the brute force method to obtain the MAC address of Bluetooth devices that are in hidden mode. You can install it the same way as btscanner, and execute it using the ./fang command. Red Fang is only used to discover the MAC address of the non-discoverable device. Once that is done, btscanner can be used to keep track of the services that are running on the device. Running this tool is quite time-consuming and it could even take a few days to get the exact MAC address of the Bluetooth device. However, while running Red Fang, if you use more Bluetooth dongles on the system, the discovery time can be reduced by a few hours.

Bottomline

It's better you use these security tools before someone with malicious intent hacks into your device and causes irreparable damage. Bluetooth vulnerabilities are more prominent in devices that are more than a year old. To ensure security, do what you normally do with a PC: upgrade.

Anindya Roy
