Serious flaws in bluetooth security lead to disclosure of personal data
folks,
please find attached a disclosure paper on bluetooth.
cheers,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
The Stores http://www.thebunker.net
2 Bath Road http://www.aldigital.co.uk
London W4 1LT mailto:adam@xxxxxxxxxxxxx
UNITED KINGDOM PGP key on keyservers
Summary
-------
There are serious flaws in the authentication and/or data transfer mechanisms
on some bluetooth enabled devices. Specifically, two vulnerabilities have been
found:
Firstly, confidential data can be obtained, anonymously, and without the
owner's knowledge or consent, from some bluetooth enabled mobile phones. This
data includes, at least, the entire phonebook and calendar.
Secondly, it has been found that the complete memory contents of some mobile
phones can be accessed by a previously trusted ("paired") device that has since
been removed from the trusted list. This data includes not only the phonebook
and calendar, but media files such as pictures and text messages. In essence,
the entire device can be "backed up" to an attacker's own system.
Finally, the current trend for "Bluejacking" is promoting an environment which
puts consumer devices at greater risk from the above attacks.
Vulnerabilities
---------------
The SNARF attack:
It is possible, on some makes of device, to connect to the device without
alerting the owner of the target device of the request, and gain access to
restricted portions of the stored data therein, including the entire phonebook
(and any images or other data associated with the entries), calendar, realtime
clock, business card, properties, change log etc. This is normally only
possible if the device is in "discoverable" or "visible" mode, but there are
tools available on the Internet that allow even this safety net to be
bypassed[4]. Further details will not be released at this time (see below for
more on this), but the attack can and will be demonstrated to manufacturers and
press if required.
The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the
"pairing" mechanism, but ensuring that it no longer appears in the target's
register of paired devices. In this way, unless the owner is actually observing
their device at the precise moment a connection is established, they are
unlikely to notice anything untoward, and the attacker may be free to continue
to use any resource that a trusted relationship with that device grants access
to (but note that so far we have only tested file transfers). This means that
not only can data be retrieved from the phone, but other services, such as
modems or Internet, WAP and GPRS gateways may be accessed without the owner's
knowledge or consent. Indications are that once the backdoor is installed, the
above SNARF attack will function on devices that previously denied access, and
without the restrictions of a plain SNARF attack, so we strongly suspect that
the other services will prove to be available also.
Bluejacking:
Although known to the technical community and early adopters for some time, the
process now known as "Bluejacking"[1] has recently come to the fore in the
consumer arena, and is becoming a popular mechanism for exchanging anonymous
messages in public places. The technique involves abusing the bluetooth
"pairing"[2] protocol, the system by which bluetooth devices authenticate each
other, to pass a message during the initial "handshake" phase. This is possible
because the "name" of the initiating bluetooth device is displayed on the
target device as part of the handshake exchange, and, as the protocal allows a
large user defined name field - up to 248 characters - the field itself can be
used to pass the message. This is all well and good, and, on the face of it,
fairly harmless, but, unfortunately, there is a down side. There is a potential
security problem with this, and the more the practice grows and is accepted by
the user community, and leveraged as a marketing tool by the vendors, the worse
it will get. The problem lies in the fact that the protocol being abused is
designed for information exchange. The ability to interface with other devices
and exchange, update and synchronise data, is the raison d'e^tre of bluetooth.
The bluejacking technique is using the first part of a process that allows that
exchange to take place, and is therefore open to further abuse if the handshake
completes and the "bluejacker" successfully pairs with the target device. If
such an event occurs, then all data on the target device bacomes available to
the initiator, including such things as phone books, calendars, pictures and
text messages. As the current wave of PDA and telephony integration progresses,
the volume and quality of such data will increase with the devices'
capabilities, leading to far more serious potential compromise. Given the
furore that errupted when a second-hand Blackberry PDA was sold without the
previous owner's data having been wiped[3], it is alarming to think of the
consequences of a single bluejacker gathering an entire corporate staff's
contact details by simply attending a conference or camping outside their
building or in their foyer with a bluetooth capable device and evil intent. Of
course, corporates are not the only potential targets - a bluejacking
expedition to, say, The House of Commons, or The US Senate, could provide some
interesting, valuable and, who's to say, potentially damaging or compromising
data.
The above may sound alarmist and far fetched, and the general reaction would
probably be that most users would not be duped into allowing the connection to
complete, so the risk is small. However, in today's society of instant
messaging, the average consumer is under a constant barrage of unsolicted
messages in one form or another, whether it be by SPAM email, or "You have
won!" style SMS text messages, and do not tend to treat them with much
suspicion (although they may well be sceptical about the veracity of the
offers). Another message popping up on their 'phone saying something along the
lines of "You have won 10,000 pounds! Enter this 4 digit PIN number and then
dial 0900-SUCKER to collect your prize!" is unlikely to cause much alarm, and
is more than likely to succeed in many cases.
Workarounds and fixes
---------------------
We are not aware of any fixes for the SNARF attack at this time other than to
switch off bluetooth.
To permanently remove a pairing, and protect against future BACKDOOR attacks,
it seems you must perform a factory reset, but this will, of course, erase all
your personal data.
To avoid Bluejacking, "just say no". :)
The above methods work to the best of our knowledge, but, as the devices
affected are running closed-source proprietory software, it not possible to
verify that without the collaboration of the manufacturers. We therefore make
no claims as to the level of protection they provide, and you must continue to
use bluetooth at your own risk.
Who's Vulnerable
----------------
To date the quantity of devices tested is not great. However, due to the fact
that they are amongst the most popular brands, we still consider the affected
group to be large. It is also assumed that there are shared implementations of
the bluetooth stack, so what affects one model is likely to affect others.
The devices known to be vulnerable at this time are:
SNARF attack:
Ericsson: T68, T68i, T610
Nokia: 6310i, 7650
BACKDOOR attack:
Nokia: 6310i, 7650
* It is not known at this time if Ericsson's are also vulnerable to the
BACKDOOR attack.
Disclosure
----------
What is the Philosophy of Full Disclosure, and why are we providing the tools
and detailing the methods that allow this to be done? The reasoning is simple
- by exposing the problem we are achieving two goals: firstly, to alert users
that the dangers exist, in order that they can take their own precautions
against compromise, and secondly, to put pressure on manufacturers to rectify
the situation. Consumers have a right to expect that their confidential data is
treated as such, and is not subject to simple compromise by poorly implemented
protocols on consumer devices. Manufacturers have a duty of care to ensure that
such protection is provided, but, in practice, commercial considerations will
often take precedence, and, given the choice, they may choose to simply supress
or hide the problem, or, even worse, push for laws that prevent the discovery
and/or disclosure of such flaws[5]. In our humble opinion, laws provide scant
consumer protection against the lawless.
However, having said that, in this particular case, we do not feel it is
appropriate to follow the normal procedure of liaising with manufacturers and
giving them an opportunity to rectify the problem before disclosing to the
general public (this is not to say we haven't contacted them - we have), as
there are simply too many of them, and the problem is too widespread to
realistically believe that they could either adhere to the strict levels of
confidentiality required until the problem has been rectified, or that there
is even the possibilty that the problem can be rectified in a reasonable
timescale. Also, the volume of data currently at risk is too great to allow the
situation to continue unchecked.
Instead, we feel it is more important to achieve our primary goal, and alert
the general public to the fact that the problem exists, and to give them the
information required to adequetely defend themselves. Fortunately, the defence
is relatively simple, and is detailed above. To date we do not have a large
selection of phones or other devices to test, so the advice is somewhat
generic, but we will publish more detailed information as and when it becomes
available.
Tools
-----
Proof of concept utilities have been developed, but are not yet available in
the wild. They are:
bluestumbler - Monitor and log all visible bluetooth devices (name,
MAC, signal strength, capabilities), and identify manufacturer from MAC address
lookup.
bluebrowse - Display available services on a selected device (FAX,
Voice, OBEX etc).
bluejack - Send anoymous message to a target device (and optionally
broadcast to all visible devices).
bluesnarf - Copy data from target device (everything if pairing
succeeds, or a subset in other cases, including phonebook and calendar. In the
latter case, user will not be alerted by any bluejack message).
Tools will not be released at this time, so please do not ask. However, if you
are a bona-fide manufacturer of bluetooth devices that we have been otherwise
unable to contact, please feel free to get in touch for more details on how you
can identify your device status.
Credits
-------
The above vulnerabilities were discovered by Adam Laurie, during the course of
his work with A.L. Digital, in November 2003, and this announcement was
prepared thereafter by Adam and Ben Laurie for immediate release.
Adam Laurie is Managing Director and Chief Security Officer of A.L. Digital
Ltd.
Ben Laurie is Technical Director of A.L. Digital, and author of Apache-SSL and
contributor to many other open source projects, too numerous to expand on here.
A.L. Digital Ltd. are the owner operators of The Bunker, the world's most
secure data centre(s).
e: adam@xxxxxxxxxxxxx
w: http://www.aldigital.co.uk
w: http://www.thebunker.net
e: ben@xxxxxxxxxxxxx
w: http://www.apache-ssl.org/ben.html
Further information relating to this disclosure will be updated at
http://www.bluestumbler.org
References:
[1] - http://www.bluejackq.com/
http://www.theregister.co.uk/content/6/33781.html
http://news.bbc.co.uk/1/hi/technology/3237755.stm
[2] - http://www.palowireless.com/infotooth/tutorial/lmp.asp
[3] - http://www.out-law.com/php/page.php?page_id=blackberryforsale1061969777
[4] - http://bluesniff.shmoo.com/
[5] - http://www.eff.org/
Copyright (c) 2003, Adam Laurie, Ben Laurie, A.L. Digital Ltd., all rights
reserved.