September 3, 2004



Imagine a scenario where somebody hacks into your Bluetooth-enabled cellphone and gets hold of all your personal
contacts, SMS messages and the pictures you took with the built-in digital camera. Obviously you would never want such a thing 
to happen. 

But with the increasing popularity of Bluetooth, the number of security threats to it is also on the rise. In the near future almost all mobile devices will be Bluetooth enabled and will carry a lot of personal data. This makes Bluetooth security an issue of great concern.

Direct Hit!
Applies to: Frequent Bluetooth users and geeks
USP: Security issues in Bluetooth
Links: www.shmoo.com, www.pentest.co.uk, www.atstake.com


Hackers can use Bluetooth to keep track of the location of the user carrying a device and of the services he is using. A Bluetooth device can be in one of two modes, discoverable or hidden. Discoverable devices can easily be detected, but the only way to detect a device in hidden mode is to supply its MAC address. One tool that can be used to find the MAC address of a Bluetooth device is Red Fang, a Linux-based tool. If there has not been much Bluetooth communication between the two devices for a long period of time, finding the MAC address becomes even more difficult. Once the MAC address is discovered and the device is detected, the only way to read the data being transferred is to supply the PIN or key, which has to be the same as the one the Bluetooth device is using. There are no tools available on the Net that can detect this PIN or key, so the information stored inside the device cannot be accessed and remains safe. It is quite possible, though, that such tools are being developed. Meanwhile, a Linux tool known as btscanner can be used to track other information about the Bluetooth device.

However, there are a few tools available in Linux that can be used to check the security of Bluetooth-enabled cellphones and devices. To check for security flaws in a Bluetooth cellphone, we used a Bluetooth dongle and a Bluetooth-enabled phone. We took a machine with a PCQLinux 2004 full install and inserted the Bluetooth dongle into the USB port. Then we opened a terminal window and issued the following commands.

# hciconfig
# hciconfig hcix up 

Replace x with the number of the Bluetooth device you are using.

This activates the Bluetooth dongle on your Linux machine.
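As an added example (not from the original article), the following shell script reads the output of the same hciconfig command and reports whether each local adapter is in discoverable mode (the ISCAN flag is set, so it answers any inquiry) or in hidden mode (page scan only, reachable only by someone who already knows the address), and prints the hciconfig command that would switch a discoverable adapter to hidden mode. The sample hciconfig output is constructed, and the flag names assume the BlueZ hciconfig of that era.

```shell
#!/bin/sh
# Added example: audit local Bluetooth adapters from `hciconfig` output.
# Assumes the BlueZ hciconfig flag names (UP, DOWN, PSCAN, ISCAN).
# ISCAN set   -> inquiry scan on: the adapter answers every inquiry
#                ("discoverable", what btscanner sees without a pairing key)
# PSCAN only  -> connectable only by someone who already knows the
#                BD address ("hidden", the case Red Fang has to brute-force)

# Constructed sample output with three adapters; on a real machine use
#   bt_audit "$(hciconfig)"
SAMPLE='hci0:   Type: USB
        BD Address: 00:11:22:33:44:55 ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:1000 acl:0 sco:0 events:20 errors:0

hci1:   Type: USB
        BD Address: 00:11:22:33:44:66 ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN
        RX bytes:1000 acl:0 sco:0 events:20 errors:0

hci2:   Type: USB
        BD Address: 00:11:22:33:44:77 ACL MTU: 192:8 SCO MTU: 64:8
        DOWN
        RX bytes:0 acl:0 sco:0 events:0 errors:0'

# bt_audit <hciconfig output>: prints "<adapter> discoverable|hidden|down"
bt_audit() {
    printf '%s\n' "$1" | awk '
        /^hci[0-9]+:/ { name = $1; sub(":", "", name) }
        /^[[:space:]]+(UP|DOWN)/ {
            if ($0 !~ /UP/)         mode = "down"
            else if ($0 ~ /ISCAN/)  mode = "discoverable"
            else                    mode = "hidden"
            print name, mode
        }'
}

# bt_fix_cmds <hciconfig output>: the hciconfig command that turns each
# discoverable adapter into a hidden (page-scan only) one
bt_fix_cmds() {
    bt_audit "$1" | awk '$2 == "discoverable" { print "hciconfig " $1 " pscan" }'
}

bt_audit "$SAMPLE"
bt_fix_cmds "$SAMPLE"
```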

btscanner
btscanner is a tool designed specifically to extract as much information as possible from an active Bluetooth device that is in discoverable mode. This means that btscanner extracts information from the device without requiring its pairing key. btscanner has an information screen that acts as its user interface. This screen displays the MAC address of the device, the services running on it and other SDP (Service Discovery Protocol) information. The tool maintains a constant link with the device so that it can report changes taking place in the device in real time.

Download btscanner from http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads and install it on your Linux machine by issuing the following commands.

# tar -zxvf btscanner-1.0.tar.gz
# cd btscanner-1.0
# ./configure
# make 
# make install

To run btscanner, execute ./btscanner. 

Red Fang
Another tool, called Red Fang, uses brute force to obtain the MAC address of Bluetooth devices that are in hidden mode. Download it from http://www.atstake.com/research/tools/info_gathering/
and then issue the following commands to install the tool on your Linux machine.

# tar -zxvf redfang-2.5.tar.gz
# cd redfang-2.5
# make
# make install

To run the tool, execute ./fang. Red Fang is used only to discover the MAC address of a non-discoverable device; once that is done, btscanner can be used to keep track of the services running on the device. Running this tool is quite time consuming, and it may take a few days to get the exact MAC address of the Bluetooth device. However, if you use more Bluetooth dongles on the system while running Red Fang, you can reduce the discovery time by a few hours.

Since, till now, not many tools have been developed that can extract the PIN of your Bluetooth device, the major portion of the data that resides inside your device lies safe. All that hackers can do is find the MAC address of the device, keep track of the services being used and use this information against you. But one thing is for sure: even a hidden Bluetooth device can be discovered and kept track of.

Ankit Kawatra and Sanjay Majumder
