Now that mobile devices are becoming increasingly popular,
it's high time we focus on their security. The biggest obstacle, though, is
the use of multiple wireless technologies such as WiFi, Bluetooth and IR for
connectivity. As these techniques don't need any physical connection between
devices to transfer data, it becomes very risky to use them without ensuring
adequate security.
|
Given that most of us carry so much important data on our
mobile devices, this is a major cause of concern. Depending upon the type of
mobile device you have, information can be in form of your phonebook,
photographs, meeting schedules, or even SMSs. You definitely wouldn't want
anybody to get a hand on to that information. For instance, members of your
sales team would be carrying important client contact information and other deal
clinching data. So, imagine if you have only one guy who has a phone with all
those important data and a vulnerable Bluetooth implementation. Then it's very
much possible that someone from your rival company can come and exploit that
vulnerability and get all your secret client details by using some simple tools.
In this article, we concentrate on the vulnerabilities in using such Bluetooth
devices and the tools you can use to audit their security. The main reason for
such vulnerabilities is that many mobile devices today don't have a secure
enough implementation of Bluetooth.
Generally, Bluetooth devices work in two
modes-discoverable or hidden. The discoverable devices can be easily detected
using a Bluetooth scanning utility. But the only way to detect a Bluetooth
device in hidden mode is to supply its MAC address. Red Fang is one such Linux
based tool that finds the MAC address of a Bluetooth device. But, if there
hasn't been much communication between the two devices using Bluetooth over a
long period of time, then finding the MAC address becomes even more difficult.
Once the MAC address has been discovered and the device detected, the only way
to read the data that is being transferred, is by using its PIN or key. The PIN
or the key has to be the same for both the receiving and sending Bluetooth
devices. There aren't any tools available on the Internet to detect this PIN or
key, but there are tools that can bypass this paring mechanism and give you
direct access to the data. To check whether your device is vulnerable or not,
you could try our testing procedure. The following sections provide the details.
To access the phonebook of any vulnerable phone, all you have to do is to run the above command. The output will show a list of all the names and phone numbers |
Attacking machine setup
There's a live Linux CD called Auditor, which is a set of security auditing
tools. This has already been provided in the Multiboot DVD with the July 2005
issue of PCQuest. Once you have this CD, take a notebook, connect a Bluetooth
dongle to it and boot it using Auditor. We used Auditor as it has all the
required tools. Activate the Bluetooth dongle by running the following commands
from the terminal:
# hciconfig hcix up
Here, replace x with the number of the Bluetooth device you
are using. Next, search for all available Bluetooth devices in your surroundings
by running the following command:
# hcitool scan hci0
This command shows a 'Searching........' line for
some time and then returns all devices available nearby alongwith their MAC
addresses. We used it on three Bluetooth enabled devices. These were a Sony
Ericsson T610 cell phone, an O2 XDA, and a Nokia 6310i mobile phone.
Bluetooth auditing tools
We used a tool called Bluesnarfer to connect to each of these devices. This
tool is capable of connecting to any Bluetooth enabled phone that has the
Bluesnarf vulnerability. We found the vulnerability in Nokia 6310i and were able
to see the first hundred names in its phone book. Some other things that we
could do included reading received calls, deleting phone book and dialing a
number.
btscanner
To access the phonebook of any vulnerable phone, all you have to do is to run the above command. The output will show a list of all the names and phone numbers |
Next, we tried btscaner, which is a tool to extract
information from an active Bluetooth device in discoverable mode. This means
that btscanner extracts information from the device without requiring the
pair-key of the device. It has an information screen that acts as the user
interface. This information screen displays the MAC address of the device, the
services running on it and other SDP (Service Discovery Protocol) information.
This tool maintains a constant link with the device so that it can inform the
real time changes taking place in it.
You can download btscanner from http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads
and install it on your Linux machine as follows:
# gunzip
btscanner-1.0.tar.gz
# tar -xvf btscanner-1.0.tar
# cd btscanner-1.0
# ./configure
# make
# make install
Simply execute ./btscanner to run btscanner.
Red Fang
There's another tool called Red Fang, which uses the brute force method to
obtain the MAC address of Bluetooth devices, which are in hidden mode. You can
install it the same way as btscanner, and execute it using the ./fang command.
Red Fang is only used to discover the MAC address of the non-discoverable
device. Once that is done, btscanner can be used to keep a track of the services
that are running on the device. Running this tool is quite time-consuming and it
could even take a few days to get the exact MAC address of the Bluetooth device.
However, while running Red Fang, if you use more Bluetooth dongles on the
system, the discovery time can be reduced by a few hours.
Bottomline
It's better you use these security tools before someone with malicious
intent hacks into your device and causes irreparable damage. Bluetooth
vulnerabilities are more prominent in devices that are more than an year old.
To ensure security, do what you normally do with a PC-upgrade.
Anindya Roy