Bluetooth - Security Scare or Fun Features?

by Nick Hunn | posted on 10 May 2004


As with all new technologies, users are finding ways to use Bluetooth that were never envisaged by its founders, and as with all such innovation there is a range of opinion as to whether these usage models are good or bad.

In recent months there have been a number of news stories regarding possible security risks with Bluetooth-enabled mobile phones. The comments from both press and manufacturers have ranged from the scary to the dismissive.

Will Bluetooth generate an exciting new step in social interaction, or herald the end of civilisation as we know it? This paper aims to explain the current situation, examine the real risk and place it in perspective.

The furore has centred around the use of Bluetooth in mobile phones. Bluetooth has become a popular feature of mobile phones, particularly within Europe. Around 80 million mobile phones containing Bluetooth have now been sold, and over 1 million more are sold every week - that's nearly two per second. Within a phone, Bluetooth provides a short range wireless link that is most commonly used to connect the phone to a wireless car-kit or headset.

It's also finding favour for sending pictures and messages between phones, or between a phone and a PC without the need to pay for transmission over the mobile phone network. As colour camera phones become more popular, this feature of the technology is being heavily promoted. Sony Ericsson are now openly advertising it under their trade name of "QuickShare".

As the number of phone owners has increased they've started to explore the features of their new phones and have discovered that they can do even more than they expected. This has led to three new words entering the Bluetooth lexicon - "Bluejacking", "Toothing" and "Bluesnarfing". The first two of these activities pose no real threat, although the moral minority that found texting and chatrooms insidious has been quick to add its criticism. Bluesnarfing is more serious, as it relates to a flaw in the design of certain mobile phones that allows a hacker to access data if the phone is left in discoverable mode. In all three cases it is important that users understand the risk, as well as the potential that Bluetooth provides, so that they can choose and use their mobile phone accordingly. To do that they need to know what the different scenarios are.

BlueJacking

The name Bluejacking is somewhat unfortunate as it implies a nefarious attempt to take over your phone. The reality is different - it's just another form of messaging. One of the features designed into the Bluetooth standard was the ability to share business cards between devices. Once you've entered your details into your phone it's possible to send them to, or exchange them with, another Bluetooth phone. Anyone who has used a Palm PDA will know the principle as "beaming", where data is sent over infra-red. The technology behind the Bluetooth business card transfer is identical in principle: both use the OBEX object exchange protocol that was originally designed for infra-red, so a business card is pushed as a small vCard file.

Bluejacking came into existence when users realised that they didn't need to enter their personal data into the business card - they could enter whatever text they wanted. And they could then send it to any other Bluetooth phone that they discovered.

This is where Bluetooth has a technical advantage which has spawned a new way to play. Normally when two electronic devices talk to each other it's obvious who they both are - they're physically connected with a cable. Even with infra-red the connection is normally unambiguous as the infra red is essentially a narrow beam of light: the two devices need to be pointing at each other. That implicit knowledge of whom you are talking to disappears when you add a radio connection. You effectively become the centre of a 10 metre bubble within which you could be talking to anyone. The phone you want to talk to may be in front of you, behind you, or even in someone's pocket. So how do you know which one it is?

That lack of knowledge, the element of surprise, is what has caught the imagination of Bluejackers. Once you've composed a message and decided to send it, your phone will ask you whom you want to send it to. At this point you start a process of discovery, where your phone searches for every other Bluetooth device within range, and that range is typically around five to ten metres. After ten seconds or so of searching you'll see a list of all of the Bluetooth devices that were discovered (more on the details of Bluetooth discovery later). The list appears as names; when a phone is shipped the name is normally the model number, but users can change that to any name or phrase they want.

Now comes the serendipitous part that makes Bluejacking exciting for its devotees. They're unlikely to know any of the people that they are sending a message to, but at this point they start guessing. If it's a real name that shows up on their phone, they may try to match it to someone they see. Or they might guess what model of phone a particular person is likely to have. They choose their recipient and send the message.

It may be "I like your hair", or if they're on the train "Turn your phone off". What happens next is that the recipient's phone will beep to indicate a message has been received. The sender gets their adrenaline rush as they watch to see whether the person staring at their phone was the intended recipient or not, and what their response is. The cult growing up around Bluejacking is primarily a good natured one that wants to amuse. Bluejacking can't do anything other than place a message on a screen - the Bluejacker can't access the phone, and the recipient can either reply or delete the message. For most young phone users in Europe, for whom texting is as ingrained a part of their life as breathing, Bluejacking offers an amusing extension of textual communication without paying for an SMS.
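To make the business-card push concrete, here is an added example in Python (it is not code from this article, nor from any phone manufacturer) that builds and parses the OBEX packets the Bluetooth Object Push profile carries: a Connect, a Put holding the vCard, and the Success reply. It assumes the standard OBEX packet layout (opcode, two-byte length, then headers whose top two bits give their encoding). The Bluetooth transport itself - discovery, looking up the push channel, the RFCOMM socket - is not included, so it runs offline; the exchange printed at the end is constructed, and the function and constant names are my own.

```python
import struct

# OBEX opcodes; bit 7 is the "final packet" flag.
OBEX_CONNECT = 0x80
OBEX_DISCONNECT = 0x81
OBEX_PUT_FINAL = 0x82
OBEX_RESP_SUCCESS = 0xA0

# Header identifiers. The top two bits say how the value is encoded:
# 00 = Unicode text, 01 = byte sequence, 10 = one byte, 11 = four bytes.
HDR_NAME = 0x01
HDR_TYPE = 0x42
HDR_LENGTH = 0xC3
HDR_END_OF_BODY = 0x49


def encode_header(hi, value):
    kind = hi >> 6
    if kind == 0:   # UTF-16BE with a null terminator; length covers HI + 2 length bytes
        data = value.encode("utf-16-be") + b"\x00\x00"
        return struct.pack(">BH", hi, 3 + len(data)) + data
    if kind == 1:   # raw bytes with the same 3-byte prefix
        return struct.pack(">BH", hi, 3 + len(value)) + value
    if kind == 2:
        return struct.pack(">BB", hi, value)
    return struct.pack(">BI", hi, value)


def packet(opcode, payload):
    return struct.pack(">BH", opcode, 3 + len(payload)) + payload


def obex_connect(max_packet=1024):
    # OBEX version 1.0, flags 0, largest packet we are willing to receive.
    return packet(OBEX_CONNECT, struct.pack(">BBH", 0x10, 0x00, max_packet))


def bluejack_vcard(message):
    # A bluejacker simply types the message into the name field of a business card.
    lines = ["BEGIN:VCARD", "VERSION:2.1", "N:" + message, "FN:" + message, "END:VCARD"]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def obex_put(filename, body, mime=b"text/x-vCard"):
    headers = (encode_header(HDR_NAME, filename)
               + encode_header(HDR_TYPE, mime + b"\x00")
               + encode_header(HDR_LENGTH, len(body))
               + encode_header(HDR_END_OF_BODY, body))
    return packet(OBEX_PUT_FINAL, headers)


def parse_packet(data):
    """Return (opcode, {header_id: value}). Every length is checked against the
    packet before it is used, so a header claiming a zero or oversized length
    raises instead of looping or reading past the buffer."""
    if len(data) < 3:
        raise ValueError("short packet")
    opcode, length = struct.unpack(">BH", data[:3])
    if length != len(data):
        raise ValueError("packet length field disagrees with data")
    pos = 7 if opcode == OBEX_CONNECT else 3   # Connect carries 4 fixed bytes first
    headers = {}
    while pos < length:
        hi = data[pos]
        kind = hi >> 6
        if kind in (0, 1):
            if pos + 3 > length:
                raise ValueError("truncated header")
            hlen = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            if hlen < 3 or pos + hlen > length:
                raise ValueError("header length out of bounds")
            raw = data[pos + 3:pos + hlen]
            headers[hi] = raw[:-2].decode("utf-16-be") if kind == 0 else raw
            pos += hlen
        elif kind == 2:
            if pos + 2 > length:
                raise ValueError("truncated header")
            headers[hi] = data[pos + 1]
            pos += 2
        else:
            if pos + 5 > length:
                raise ValueError("truncated header")
            headers[hi] = struct.unpack(">I", data[pos + 1:pos + 5])[0]
            pos += 5
    return opcode, headers


def is_success(response):
    return len(response) >= 3 and response[0] == OBEX_RESP_SUCCESS


if __name__ == "__main__":
    # Constructed exchange: the three packets a bluejacker's phone sends, and a
    # constructed 3-byte "Success" reply from the recipient.
    put = obex_put("message.vcf", bluejack_vcard("I like your hair"))
    for pkt in (obex_connect(), put, packet(OBEX_DISCONNECT, b"")):
        print(pkt.hex())
    print(parse_packet(put))
    print(is_success(b"\xa0\x00\x03"))
```

The point to notice is how little is needed: no PIN, no pairing, just a Connect and a Put to whatever device answered the inquiry. That is exactly why Bluejacking works, and also why the receiving side's OBEX parser has to be careful about the lengths it is handed, as the checks in parse_packet show.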

Toothing

Toothing has arrived as an extension of Bluejacking. If you've seen the film Cabaret, you'll probably remember the scene in the Kit Kat Klub where there are telephones on every table, allowing clients to make assignations with each other. Toothing is the mobile version, where Bluejacking is used for arranging serendipitous liaisons. It's nothing to do with the inherent technology of Bluetooth; it is more a statement of that aspect of human behaviour which in the past has employed methods as diverse as dropped handkerchiefs and billets-doux to achieve the same end. If Malvolio had possessed a Bluetooth phone in Twelfth Night, it is almost certain that Maria would have "toothed" him.

"Toothing" has reached a sufficient level of popularity in the Netherlands and the UK that there are now web forums where potential "toothers" list the trains they will be travelling on. At least it stops them talking on the phone!

Bluesnarfing

Whereas Bluejacking and toothing are simply unexpected ways of using Bluetooth, Bluesnarfing is a more serious issue. "Snarfing" is a word used in the programming community to describe grabbing a file without the owner's permission. Bluesnarfing extends that to the specific case of stealing information from, or accessing, a mobile phone without its owner's knowledge or permission.

When the Bluetooth standard was being developed, security was an immensely important consideration. The wireless LAN community had been plagued with problems regarding the poor security of the WEP encryption in the Wi-Fi 802.11b standard, and the Bluetooth developers were keen to ensure that the same criticisms could not be levelled at their technology. Because Bluetooth was aimed at consumer devices as well as computing and corporate devices there were conflicting requirements between security and usability. The solution was to create a two-level approach to security: the first level allows basic data transfer between devices without any authentication, as long as that data would only be displayed on a device screen (business-card push is the typical case); a far stricter barrier is deployed at the second level to prevent any deeper access within a Bluetooth device.

That stricter security method requires the devices to authenticate each other. From a user perspective, this means that the same PIN has to be entered on each of the connecting devices. The process is called pairing; it is performed once, after which the two devices keep a shared secret link key and can authenticate each other automatically. Pairing is required whenever two Bluetooth devices need a more intimate connection, such as between a mobile phone and a laptop PC to synchronise data, or to use the phone to access the internet over the cellular network.

No-one has yet identified a flaw in this security mechanism. However, a security expert, Adam Laurie, has discovered that some Bluetooth handsets have not implemented the Bluetooth security mechanism correctly, which can place a handset at risk of being interrogated by a malicious hacker within ten metres of it.

Adam, and security experts like him, perform a valuable but little publicised service to the industry by trying to "break" new technologies and alerting the standards bodies and manufacturers to any failings they find. The benefit they bring is that it allows manufacturers to fix security issues before hackers get to know of them. What he discovered is that a number of handsets manufactured by Nokia and Sony Ericsson have a flaw in their Bluetooth implementation that inadvertently provides a back door into the handset: the object-push software that is only meant to accept business cards will also answer requests for the phone's own data, such as the phonebook, without requiring pairing. This allows a hacker to retrieve phone numbers and other data from the handset, and in an extreme case even to make calls from the phone. Both Nokia and Sony Ericsson are working to close this fault. However, unlike the PC industry, where upgrades and patches can be downloaded from the web, phone owners and manufacturers are unfamiliar with the concept of deploying upgrades, even when they are available.

It is likely that phone suppliers will provide a way to upgrade affected handsets, but in the meantime there are ways to set up a handset that largely eliminate the problem. Before describing what users can do to lessen, or eliminate security risks I believe it would be useful to put the risks to mobile devices in proportion.

Risk and the mobile device

Every new technology goes through a stage of balancing risks against benefits. Often the relative merits of each have more to do with technophobia than with reality, but it takes time for social usage to determine the balance. When cars were first introduced the law in the UK required them to be preceded by a man on foot carrying a red flag. That requirement has been removed, but we still balance convenience and risk in our everyday lives. We worry about flying despite the fact that we are more likely to be killed travelling to the airport; we campaign against seat belts and crash helmets because of their inconvenience; we smoke and drink and disregard the agreements we signed with our banks when we give credit cards to waiters who take them away from our sight and clone them. Life is not black and white - it's about balancing risk.

The risk from Bluejacking and Toothing is small. We may be offended by the message, or by the resulting actions, but the phone is only the latest carrier of the information. Both are essentially a new form of junk mail, delivered to our phone instead of our home, and more personally tailored than ever before. The risk that needs to be considered is that of Bluesnarfing.

Bluesnarfing poses the threat that information is removed from your handset. As long as your phone is turned on it is potentially "snarfable" - you don't need to be using it. For most phone owners that's probably a negligible risk. Where it becomes more worrying is at a business level, where that information is a list of business contacts and a diary. But it needs to be put in perspective. Bluesnarfing a phone is not easy. You cannot do it from another phone, you need a PC. There are no Bluesnarfing programs available on the net - the attacks that have been demonstrated have been constructed by experienced programmers writing specific code on Linux machines after analysing several thousand pages of the Bluetooth standard. To attack your phone they need to be within ten metres of you - that's not the profile of the average teenage hacker that strikes fear into the PC community.

And Bluesnarfing is not the only way to lose valuable corporate data. Figures recently released by police authorities in the UK and Australia respectively report that 430,000 and 170,000 mobile phones were stolen in the last 12 months, despite efforts to reduce crime by barring stolen phones. Extrapolating those numbers equates to around 10 million stolen and lost handsets around the world every year. A further report by the operator O2 in the UK suggested that one third of all business users have lost a mobile phone at some stage in the last ten years. Thirty per cent of those questioned had left phones in taxis and trains, and a further quarter in restaurants and bars. More worryingly, 63% of IT managers reported that they had no strategy either for the security of mobile devices or rules for how the confidential information within them should be protected. Although all phones allow users to enter a PIN to lock the handset, the reality is that only a small percentage do - once again convenience is more highly prized than security.

That puts the risk of Bluesnarfing in perspective. Today, there are maybe a few dozen experts in the world who have written personal programs to investigate the weaknesses of actual Bluetooth implementations. They have done the right thing by highlighting the issue, but they're not out there stealing your data. In contrast, ten million users are giving their precious data away for free every year by losing their handsets. If you're worried about the security of your phone data, all of the evidence suggests that your attention should be directed at keeping hold of your phone. Even if Bluesnarfing software becomes available to a wider hacking community, the profile of the average hacker is not that of the industrial espionage spy. They're already served by a host of companies such as Spystuff who specialise in selling covert radio transmitters. If they want to know about you, they're probably already doing it. A quick web search shows that there are plenty of them around.

What to do next

The phone manufacturers involved are working to provide an update. If you have an affected handset then check their website. It seems that the problem is limited to Nokia and Sony Ericsson handsets that do not run the Symbian operating system. The models that have currently been identified are Nokia's 6310, 6310i, 8910 and 8910i, Ericsson's T68 and R520m and Sony Ericsson's T68i, T610, Z600 and Z1010. Adam Laurie's website at www.bluestumbler.com contains an up to date list, along with the level of vulnerability. There are no validated problems with Motorola, Panasonic, Philips or Siemens handsets, or with any Symbian models. It also seems that current phones are OK.

If you have one of the affected models, you can restrict the possibility of attack in two ways:

- Turn off Bluetooth. If you're not using any Bluetooth accessories, such as a headset or a PC and you don't want to send or receive data from another handset, then you can turn off Bluetooth. That blocks any external attack. It will also increase the battery life slightly. Should you want to use it in the future, you can turn it back on. Check your phone's manual to see how to do it.

- Hide Bluetooth. This is a more subtle approach, but is equally effective. Once you have paired your Bluetooth phone with any accessories that you want to use with it, you can set the Bluetooth feature to be invisible to other Bluetooth devices. Your phone will still talk to the accessories that you've paired it with, but won't be visible to anyone trying to hack into it. In the parlance of the Bluetooth standard this is called making it non-discoverable. (Some manufacturers call it "hidden"). Again, read your manual to find out how to do this. Some manufacturers make this the standard setting, for example the Sony Ericsson T68 - when you want to pair, the phone is only made visible for a period of three minutes.

The advantage of making your phone invisible is that it is very largely safe from a malicious attack. You can still use the Bluetooth features with the accessories you have paired, but because it is invisible you will not be able to receive Bluejacking or toothing messages. If you want to take part in these, either ask the manufacturer to update your handset or decide on the risk. I would personally advise business users to place their handsets in this non-discoverable mode.

There is some debate as to whether it is possible to hack into a phone that is invisible. In principle it is. Every Bluetooth phone contains a unique 48-bit identification number, its Bluetooth address, and a non-discoverable phone still answers if it is paged directly with that address; it has only stopped answering the general "who is there?" inquiry. An attacker who doesn't know the address can try addresses one at a time, and tools that do exactly this have been demonstrated. The odds are not quite as long as 48 bits suggests: the top 24 bits identify the manufacturer and are published, so guessing the make of phone leaves around 16 million possibilities, and knowing the ranges a manufacturer uses for a particular model narrows it further. Even so, each attempt takes seconds, so a search takes many hours at best and years at worst, during which the hacker would need to stay within ten metres of you. If someone is assiduously following you around with their laptop for that long you ought to be getting suspicious.
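To put numbers on that, here is an added example in Python (my own code, not from the article or any published tool) that splits a Bluetooth address into its manufacturer and device parts, enumerates the addresses a brute-force pager would have to try for one manufacturer prefix, and estimates the time at the standard's default page timeout of 5.12 seconds per attempt. It assumes the address layout from the Bluetooth specification, including the block of 64 lower-address values reserved for inquiry access codes that no device can own; the address 00:11:22:33:44:55 is a constructed placeholder, not a real vendor's.

```python
import re

# A Bluetooth device address (BD_ADDR) is 48 bits. The upper 24 bits are the
# manufacturer's OUI (the specification calls them NAP and UAP); the lower 24
# bits (LAP) are assigned per device. LAPs 0x9E8B00-0x9E8B3F are reserved for
# inquiry access codes and are never assigned to a device.
RESERVED_LAP_MIN = 0x9E8B00
RESERVED_LAP_MAX = 0x9E8B3F
DEFAULT_PAGE_TIMEOUT_S = 5.12   # default pageTO: 0x2000 slots x 0.625 ms


def parse_bdaddr(text):
    """Accept only the canonical XX:XX:XX:XX:XX:XX form and return it as an int."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", text):
        raise ValueError("not a BD_ADDR: %r" % text)
    return int(text.replace(":", ""), 16)


def bdaddr_str(value):
    return ":".join("%02X" % ((value >> shift) & 0xFF) for shift in range(40, -1, -8))


def split_bdaddr(value):
    """(NAP, UAP, LAP): 16, 8 and 24 bits respectively."""
    return value >> 32, (value >> 24) & 0xFF, value & 0xFFFFFF


def candidate_addresses(oui, lap_start=0x000000, lap_end=0xFFFFFF):
    """Every address sharing a 24-bit OUI, in the order a brute-force pager
    would try them, skipping the reserved LAP block."""
    for lap in range(lap_start, lap_end + 1):
        if RESERVED_LAP_MIN <= lap <= RESERVED_LAP_MAX:
            continue
        yield (oui << 24) | lap


def sweep_hours(seconds_per_page=DEFAULT_PAGE_TIMEOUT_S, laps=1 << 24):
    """Wall-clock hours to page each of `laps` candidate addresses once, serially."""
    return laps * seconds_per_page / 3600.0


if __name__ == "__main__":
    addr = parse_bdaddr("00:11:22:33:44:55")        # constructed placeholder
    nap, uap, lap = split_bdaddr(addr)
    oui = (nap << 8) | uap
    print("OUI %06X  LAP %06X" % (oui, lap))
    print("whole OUI at default timeout: %.0f hours" % sweep_hours())
    print("range narrowed to 2^16 LAPs:  %.1f hours" % sweep_hours(laps=1 << 16))
    first = next(candidate_addresses(oui, 0x9E8B00))
    print("first candidate after the reserved block:", bdaddr_str(first))
```

Run as written it reports roughly 24,000 hours for a full manufacturer prefix and about 93 hours for a range narrowed to 65,536 addresses, which is the "hours at best, years at worst" trade-off: the attacker's real leverage is not the radio but how well they can guess which addresses a given phone model was shipped with.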

- If you decide to make your phone discoverable, it is probably best to change the name that it displays to other Bluetooth devices. Retaining the default model number both advertises who you are if people can see it, and also identifies whether it is a vulnerable model. I'd also advise against using your real name, as that again identifies you as well as your gender. But then again, you may want to advertise that. It's all down to informed personal choice.

- If you do allow bluejacking messages to be sent to your phone, the only risk is from acting on the contents of the message. It's quite credible to envisage someone sending a "spam" message of the form "Congratulations - you've won $100. Dial xxxx to claim it". That xxxx could be a premium rate number that charges you $5. Unfortunately the only defence against human gullibility seems to be experience. Just don't do it.

Conclusions

In conclusion, Bluetooth still remains a secure standard. There is a risk on a few of the early handsets, but more recent ones have resolved these issues. You need to assess the benefits and risks. You can limit the exposure of your Bluetooth device and still enjoy significant advantages over a non-Bluetooth phone whilst being safe. Or you can decide to live a little on the wild side and join in the growing band of Bluejackers and Toothers. The world needs to decide just what to do with each new technology. We know the Internet has scary corners, but we all use it. Bluetooth starts off from a far higher level of security. It is new, and anything new can be scary, but it's here to stay and is already motivating users to develop new cultures.

References

For more detail on Bluetooth try the following resources:

1. Flaws in Bluetooth Security. An update to the original discovery of the Bluesnarfing flaw by Adam Laurie. Contains a list of vulnerable handsets.

2. A research project carried out by Martin Herfurt at the CeBIT computer fair in March 2004 to investigate the number of susceptible Bluetooth handsets.

3. Bluejackq ("blue-jack you"). A website devoted to the discovery and practice of Bluejacking.

4. A forum for those wanting to "find partners for sex using Bluetooth mobile phones".

Enough said.


Nick Hunn is chief technology officer at Ezurio, the Bluetooth specialist startup with the longest experience of any in the field