Sunday, June 05, 2005

BlueTooth Troubles

Israeli researchers have found a major flaw in many common BlueTooth implementations. Bruce Schneier notes:

I can't be sure, but I believe it would allow an attacker to take control of someone's Bluetooth devices. Certainly it allows an attacker to eavesdrop on someone's Bluetooth network.

That's certainly how it appears. At its heart, the vulnerability appears to have two primary causes: (a) device manufacturers' use of a four-digit PIN instead of eight digits; and (b) a quirk in the protocol that allows one device to tell the other that it "forgot" the link key. The combination of these two weaknesses? Some serious security deficiencies.
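As an added illustration (not code from the original post or from the researchers), here is a host-side check for the two weaknesses described above: it flags a bonded peer that claims to have lost its link key without the local user starting a pairing, and any PIN shorter than eight digits. The event record, its field names, and the sample addresses are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

MIN_PIN_DIGITS = 8  # the post contrasts four-digit PINs with eight digits


@dataclass
class PairingEvent:               # hypothetical record, not a real stack's API
    peer: str                     # peer device address
    kind: str                     # "link_key_missing" or "pin_entered"
    pin_digits: int = 0           # PIN length, used for "pin_entered"
    user_initiated: bool = False  # did the local user start this pairing?


def review_events(bonded_peers, events):
    """Return (peer, reason) findings for a sequence of pairing events."""
    findings = []
    repair_pending = set()  # bonded peers that claimed to have lost the key
    for ev in events:
        if ev.kind == "link_key_missing":
            # A bonded peer saying it "forgot" the key forces a new pairing.
            if ev.peer in bonded_peers and not ev.user_initiated:
                repair_pending.add(ev.peer)
                findings.append((ev.peer, "unsolicited re-pairing request"))
        elif ev.kind == "pin_entered":
            if ev.pin_digits < MIN_PIN_DIGITS:
                findings.append((ev.peer, "short PIN"))
            if ev.peer in repair_pending:
                findings.append((ev.peer, "PIN entered during forced re-pairing"))
                repair_pending.discard(ev.peer)
    return findings


# Constructed sample data: addresses and events are made up for illustration.
BONDED = {"00:11:22:33:44:55"}
SAMPLE = [
    PairingEvent("00:11:22:33:44:55", "link_key_missing"),
    PairingEvent("00:11:22:33:44:55", "pin_entered", pin_digits=4),
    PairingEvent("66:77:88:99:AA:BB", "pin_entered", pin_digits=8,
                 user_initiated=True),
]

if __name__ == "__main__":
    for peer, reason in review_events(BONDED, SAMPLE):
        print(peer, reason)
```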

Where's BlueTooth deployed these days? Lots of places. For instance, Acura automobiles use BlueTooth to provide handsfree integration with certain mobile phones (e.g., Treo phones/PDAs). And the protocol is used in a wide variety of other devices with many, many applications.

For instance, the HP DeskJet 650 is positioned in the market as a "mobile printer" that can be moved around a SOHO environment. It uses BlueTooth to establish a link with various computers in the home or office.

BlueTooth is also used in Toshiba's home appliances: microwaves, refrigerators, and washer-dryers. And in medical devices such as the Avant 4000 Digital Pulse Oximetry System. This device relays pulse and oxygen data from a wrist-worn sensor to a central monitor.

All told, BlueTooth is used in a host of office, home, medical, consumer, and related applications that require close-proximity device connectivity.

Now consider advanced hacking tools like the BlueSniper Rifle, pictured above. The rifle, a device that can be assembled from a couple of hundred dollars' worth of parts, can scan and attack BlueTooth devices from distances exceeding a mile. In fact, when the crew at Flexilis used BlueSniper, they came to some interesting conclusions:

...John pointed the BlueSniper at the AON building, which was 0.6 miles (just about 1 km) from our position (this distance was verified by GPS after the shoot).

It didn't take long for the MAC address of Bluetooth devices to appear on the laptop's screen. After a few seconds, John pointed the gun at the Library Tower / US Bank Building, which is the tallest building in Los Angeles. The building was .75 miles (a little over 1 km) from our position.

As more Bluetooth devices started appearing, John said, "This building is full of Bluetooth! Look we got some Blackberries!" He also explained that, with multiple guns, it would be possible to track a single Bluetooth device as the person walked around. In less than a few minutes, twenty devices were detected—all at distances over a half mile away!

When we combine this newly discovered vulnerability, the popularity of BT-enabled devices, and powerful hacking tools like BlueSniper... well, you get the picture. At best, bad guys can wreak havoc -- remotely -- with home, automobile, office, and medical devices. At worst, who yet knows?

The key question: have device manufacturers considered the necessity of patching their implementations of BlueTooth to address ongoing security issues? My guess, in most cases, is no. I hope I'm surprised to find that they have considered these possibilities.

Schneier: Attack on BlueTooth
