Bluetooth devices easily hacked

2007-10-23 13:31

Cape Town - Bluetooth-enabled devices are vulnerable to unscrupulous hackers, an expert warns.

Bluetooth was invented to connect devices such as cellphones, laptops, PCs, printers, digital cameras and video game consoles over a short-range radio frequency, but like any computer network, using Bluetooth can leave you vulnerable.

"Bluetooth hacking techniques vary tremendously. There are various attacks that have proved to be very effective over the last few years. Some of these attacks include making unauthorised calls and transactions, reading and sending SMSs on a target phone, erasing information and downloading personal information such as phone books and access codes," says ICT security expert Dino Covotsos.

Covotsos is MD of Telspace, a Johannesburg-based company specialising in managed security services. Telspace routinely makes use of Bluetooth vulnerabilities to test the security level of its corporate clients' networks.

"From our case studies and actual attack and penetration tests, we have often utilised specific Bluetooth attacks to gain further entrance into a network," Covotsos says.

"Specific implementations or versions of Bluetooth are susceptible to exploitation because of design flaws and various other factors," he explains. "Hacking Bluetooth is quite a broad subject so in terms of taking advantage of certain devices (not only cellphones) one can literally control the device completely once it is exploited or paired.

"As an example, successful exploitation would include being able to access the entire contents of the phone such as call records, SMSs, keylock codes and so on."

Methods of attack

Covotsos explains that there are many different methods to get confidential information off a mobile device. Hacking methods such as Bluebugging, BlueSnarfing and Carwhispering are just a few of the most common methods of attack.

"The Bluebug attack, for example, allows attackers to perform unauthorised transactions on vulnerable devices. Distance is very important and is limited by the transmitting power of class 2 Bluetooth radios, which is 10-15 metres. But this distance can be increased with directional antennas.

Bluesnarfing is the best known form of attack and hackers take advantage of the OBEX Push Profile (OPP), which was developed for purposes such as business card exchange. In most cases this service does not require authentication, so attackers can then request common filenames such as pb.vcf, which is the phonebook on a cellphone.

Even a Bluetooth device that is set on "hidden" can be found and broken into. This is possible through a technique known as "brute force scanning". An application called RedFang is used to find non-discoverable Bluetooth devices by forcing the device to reveal the last six bytes of its Bluetooth address and also reading its name. Hackers can then extract confidential information from the device such as phonebook entries and SMSs.

"There are some serious vulnerabilities in certain implementations of Bluetooth which allow for exploitation of the device," Covotsos observes, "so the most vulnerable phone is one which has an older implementation. However people often forget about the social engineering factor for attacks, where it literally takes just a few seconds to pair with a device and once that has been done the device is compromised."

What to do?

There are various ways in which you can prevent your phone, PDA or PC from being exploited.

Firstly, turn off Bluetooth when it's not required all of the time. Enable "hidden mode" and change the phone name from the default one because hackers will usually first go for such known vulnerabilities.

At the very least enable PIN-based authentication and use anti-virus software, although this is a cost factor. Also, keep up-to-date with firmware and any security updates for the device.

But, warns Covotsos, while newer versions and implementations of software are being brought out continuously, hackers will constantly try to break them - so keeping up to date is essential.