Bluetooth is most commonly used to create a “Personal Area Network” linking mobile phones, PDAs, headsets, etc. The vast majority of users of these networks do not think that their ‘personal network’ can be exploited …
Enter stage left: multiple variations of wardriving-like techniques to locate and exploit Bluetooth devices. It would be good to see vendors shipping their devices with Bluetooth “off” by default.
Homeland (wireless) defence
… The most basic Bluetooth security mechanism is the user’s ability to choose if a device is in discoverable or non-discoverable mode, but unfortunately, your phone or other Bluetooth device is probably discoverable, because that’s the default, and you didn’t know that you should change it. … [1]
Now that we have met the problem, how do we determine its scope? Grab a laptop with Knoppix, either as a live CD/DVD or installed (Knoppix includes Bluetooth USB support). The laptop may have a built-in Bluetooth interface, or you can use a USB Bluetooth key.
A good starting tool is the BlueZ Bluetooth stack/suite.
The software
While googling on the topic, you will find lots of references to customized software used for the scanning (and by references you see people mention it, but nobody coughs up a link). Since my initial goal was simple enumeration of devices and quick assessment of how “juicy” a given target area is, I did not have need for actual Bluetooth exploits. I found that the basic tools in the BlueZ tool suite were sufficient for my needs.
Starting simply with:
hcitool scan
This will list the hardware ID numbers and a manufacturer’s name of any device advertising in range. That “advertising” part is important. These would be the wardriving equivalent of wide open WAPs broadcasting.
If you are looking for particular services to exploit — er, enumerate — you can simply scan for devices that support the feature of interest. For example, to find devices capable of setting up a dial-up internet connection, you would use:
sdptool search DUN
Other interesting services to search for are FTRN (for file transfer) and OPUSH. [2]
…
Unlike wardriving, this is more of a sit-and-wait game. Bluetooth devices and users are mobile, so it’s better to pick a proper high-traffic area (or better yet: the meeting room where you’re holding your audit kick-off meeting). With enough sensors and proper placement, you can track the movement of your Bluetooth users within your facility or campus. I’m sure nobody would do anything bad with that information. :-\ [2]
…
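The SANS excerpt above enumerates with “hcitool scan” and “sdptool search”, but on a campus-sized audit the raw text piles up quickly. The following is an added example, not code from the original post, from the SANS diary or from the BlueZ project: a small Python script that parses that text into an inventory of discoverable devices and which of them advertise the services the diary names, so the owners can be told to switch discoverability off. The device names, addresses and tool output embedded below are constructed to match the BlueZ text format, and the risk weights are an assumption of this example.

```python
"""Turn BlueZ `hcitool scan` / `sdptool search <SVC>` text into an audit inventory.

Added example for auditing discoverable devices; not part of the original
post, the SANS diary or BlueZ. All sample output below is constructed.
"""
import re

# Constructed sample of `hcitool scan` output (every line is a device that
# answered the inquiry, i.e. is in discoverable mode).
HCITOOL_SCAN = """\
Scanning ...
\t00:11:22:33:44:55\tNokia 6230
\t00:0A:D9:12:34:56\tHands-Free Kit
\t00:16:41:AB:CD:EF\tLAPTOP-X
"""

# Constructed samples of `sdptool search DUN` and `sdptool search OPUSH`.
# A device that does not offer the service just gets a "Searching for" line.
SDPTOOL_SEARCHES = {
    "DUN": """\
Inquiring ...
Searching for DUN on 00:11:22:33:44:55 ...
Service Name: Dial-up Networking
Service RecHandle: 0x10001
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Searching for DUN on 00:0A:D9:12:34:56 ...
Searching for DUN on 00:16:41:AB:CD:EF ...
""",
    "OPUSH": """\
Inquiring ...
Searching for OPUSH on 00:11:22:33:44:55 ...
Service Name: OBEX Object Push
Service RecHandle: 0x10002
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 9
Searching for OPUSH on 00:0A:D9:12:34:56 ...
Searching for OPUSH on 00:16:41:AB:CD:EF ...
Service Name: OBEX Object Push
Service RecHandle: 0x10003
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 4
""",
}

BDADDR = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
SCAN_LINE = re.compile(r"^\s*" + BDADDR + r"\s+(.*?)\s*$")
SEARCH_LINE = re.compile(r"^Searching for (\S+) on " + BDADDR + r" \.\.\.$")
CHANNEL_LINE = re.compile(r"^\s*Channel:\s*(\d+)")

# Heuristic weights (an assumption of this example): DUN and the file-transfer
# profile expose data or connectivity, object push mainly accepts unsolicited files.
RISK_WEIGHT = {"DUN": 3, "FTP": 3, "OPUSH": 2}


def parse_scan(text):
    """Return {bdaddr: name} for every device listed by `hcitool scan`."""
    devices = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            devices[m.group(1).upper()] = m.group(2)
    return devices


def parse_search(text):
    """Return {bdaddr: [rfcomm_channel, ...]} for devices where a record was found."""
    found, current = {}, None
    for line in text.splitlines():
        m = SEARCH_LINE.match(line)
        if m:
            current = m.group(2).upper()   # subsequent record lines belong here
            continue
        if current is None:
            continue                       # "Inquiring ..." header
        if line.startswith("Service RecHandle:"):
            found.setdefault(current, [])  # a record means the service exists
        m = CHANNEL_LINE.match(line)
        if m and current in found:
            found[current].append(int(m.group(1)))
    return found


def build_inventory(scan_text, search_outputs):
    """Join scan and per-service search output into rows sorted by exposure."""
    devices = parse_scan(scan_text)
    hits = {svc: parse_search(out) for svc, out in search_outputs.items()}
    rows = []
    for addr, name in devices.items():
        exposed = sorted(svc for svc in hits if addr in hits[svc])
        score = sum(RISK_WEIGHT.get(svc, 1) for svc in exposed)
        rows.append({"addr": addr, "name": name, "services": exposed, "score": score})
    rows.sort(key=lambda r: (-r["score"], r["addr"]))
    return rows


if __name__ == "__main__":
    for row in build_inventory(HCITOOL_SCAN, SDPTOOL_SEARCHES):
        svcs = ",".join(row["services"]) or "-"
        print(f"{row['addr']}  {row['name']:<16} discoverable  services={svcs}  score={row['score']}")
```

Every row in the report is a device that is discoverable (it answered the inquiry at all), which is the first thing to fix; the service columns then say which of those also advertise DUN or OPUSH on a given RFCOMM channel. To run it against real output, capture “hcitool scan” and each “sdptool search” into files and pass their contents in place of the constructed strings.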
Trifinite has developed a specialism in unearthing Bluetooth security shortcomings, the latest of which illustrates implementation problems rather than more deep-seated security concerns with the protocol. Car Whisperer only works because many car manufacturers use standard Bluetooth passkeys such as “0000” or “1234” which are easy to guess. “This is often the only authentication that is needed to connect,” according to Trifinite.
…
“Since the attacker’s laptop is fully trusted once it has a valid link key, the laptop could be used in order to access all the services offered on the hands-free unit. Often, phone books are stored in these units. I am quite certain that there will be more issues with the security of these systems due to the use of standard pass keys,” Trifinite notes. [3]
…
OK, so we are suffering from the good old one-two punch: on by default, and known default passwords.
Bluetooth is a short-range technology, so hackers must be physically close to prospective victims. At first it was thought that they could only eavesdrop on users’ communications, but the Israeli researchers discovered that hackers can force their way into a Bluetooth session by masquerading as a device that has already been paired with a target and assume control of it. [4]
As I have been saying for some time when people ask “What is the safest way to use Bluetooth” … DON’T!
[1] Homeland (wireless) defence [BleedingEdge]
[2] Handler’s Diary October 1st 2005 – Bluetooth Auditing [SANS]
[3] Linux Bluetooth hackers hijack car audio [The Register]
[4] Bluetooth: Those Spying Eyes [VARBusiness]
[5] Cracking the Bluetooth PIN – Yaniv Shaked and Avishai Wool