BlueBug is the name of a bluetooth security loophole on some bluetooth-enabled
cell phones. Exploiting this loophole allows the unauthorized downloading
phone books and call lists, the sending and reading of SMS messages
from the attacked phone and many more things.
Under ideal conditions, a BlueBug attack takes only a few seconds
(depending on the things, which are done during the attack). Due
to the limited transmit power of class 2 bluetooth radios, the distance
of the victim's device to the attacker's device during the attack
should not exceed 10-15 meters. Similar to wardriving, also for
bluetoothing a directional antenna can be attached to the radio
in order to increase the range.
Since the BlueBug security loophole allows to issue AT commands
via a covert channel to the vulnerable phones without prompting
the owner of this phone,
this security flaw does allow a vast number of things that may
be done when the phone is attacked via bluetooth:
- initiating phone calls
- sending SMS to any number
- reading SMS from the phone
- reading phonebook entries
- writing phonebook entries
- setting call forwards
- connecting to the internet
- forcing the phone to use a certain service provider
- ... and many more things
As mentioned above, the BlueBug security loophole allows the attacker
to initiate phone calls from the victim's device. Things that can
be done with initiating phone calls include:
when the victim passes, a phone that is owned by the attacker
(e.g. an anonimously used prepaid-card phone) is called. From
this moment on, the attacker is able to listen to all the conversations
that the victim does until the victim hangs up the phone
- causing financial damage
since phone calls to any number can be established, it is also
possible to call premium service numbers from the victim's device.
If the victim does not realize that a phone call is connected
to a premium service number, this would cause severe financial
damage to the victim.
Sending SMS from the victim's device can be used for quite a lot
- finding out the victim's phone number
The phone number of the respective device is not storedd at a
predefined location. The devive's number can be gained by sending
an SMS from the victim's device to a phone that is owned by the
- causing financial damage
There are quite a lot of SMS-based services that cost the client
about 3 Euros per SMS. Usually, these services are used to sell
ringtones and logos. There are also news subscriptions that can
be ordered by SMS that continously cause costs to the victim.
- tracking the victim
As a location-based service, some providers allow other users
to locate their customers by the GSM global cell id which their
phone is connected to. According to the the mode the respective
GSM cells are configured, this information can be very detailed.
In order to do this, the provider must get the permission from
the customer. This permission is usually given via SMS (which
is sent by the attacker).
- revealing secrets
Often SMS messages are used to silently communicate secret information
with other people. Reading SMS of the attacked device is often
touching the victim's privacy. Paparazzi could use this attack
in order to find out more about certain celebrities.
Reading and writing phonebook entries could be used for:
- finding out callers and called persons
In GSM handsets, phonebooks are also used for managing call lists.
So the attacker may find out who the victim called last, who was
trying to reach the victim's device and who reached the victim's
- doing nasty entries
A nasty phonebook entry could be the name "Darling"
and the international emergency number 112 :)
- obfuscating the abuse
After initiating phone calls, the list of dialed numbers could
Setting call forwards on the victim's phone could cause a lot of
confusion. So instead of calling the victim, the caller reaches
the device connected to a random number that has been set.
The attacker can use the BlueBug loophole to establish an Internet
connection that could for example be used for the illegal injection
of Mail-Worms like Sasser, Phatbot or NetSky.
Network Provider Preselection
Especailly in locations like airports, where many users are arriving
with their cell phones, service providers could use the BlueBug
loophole in order to register these phones with their networks.
The history of the BlueBug started as a friend of Martin Herfurt
pointed out that there was a bluetooth security loophole that allowed
the downloading of various information from mobile phones without
prompting the owner of the phone. This security loophole has been
identified by Adam Laurie from A.L. Digital Ltd. and was explained
In order to get a little more attention for a talk about wardriving
(the exploitation of WLAN insecurity), Martin Herfurt decided to
also present this more recent security issue. Since no snarfing
tools were available on the Internet, an application has been hacked
that could read out the phonebooks of the devices that were also
listed on Adam Lauries page. Believing to having found the same
security loophole as Adam Laurie, this application was successfully
demonstrated at the IKT 2004 Forum.
For curiousity, the laptop with the bluesnarf application has been
taken to the CeBIT technology fair in Hannover, Germany. There,
about 1300 unique bluetooth devices could have been found of which
about 50 phones were provenly vulnerable to this attack.
One week later, a report about the CeBIT fieldtrial has been written
and published on the austrian news-portal futurezone and the high
impact site slashdot. The german newsticker of Heise did not react
to the announcement of the report.
Jeremy Wagstaff, the technical columnist for the Wall Street Journal
cited the report in his WebLog and later in his column in the Wall
About this time, (middle of April 2004) Adam Laurie was visiting
Salzburg. Talking to Martin Herfurt it turned out that the identified
security loopholes were not the same. Adam's Bluesnarf attack does
allow the unauthorized downloading of items via the OBEX protocol,
while the loophole identified by Martin Herfurt allows to contol
the device device via a plain serial connection. Adam and Martin
decided to do some work together in this point.
After meeting Adam Laurie in Salzburg it has been decided to co-operate
in bluetooth security issues.
The idea of determining the model information of discovered bluetooth
devices by means of hashing SDP profiles is invsetigated.
A BlueBug application that runs on Java-enabled bluetooth phones
is currently implemented. Unfortunately, the debugging of this application
is not easy.
In the morning of Wednesday 5 people (Martin Herfurt (Salzburg
Research), John Hering (Flexilis), James Burgess (Flexilis), Kevin
Mahaffey (Flexilis) and Mike Outmesguine (Bookauthor Wi-Fi Toys)
were doing a long-distance snarf at the santa monica bay close to
Los Angeles. It was possible to BlueSnarf a phone from a distance
of 1.08 miles. Therefore we used a usual unmodified Nokia 6310i
on the one side and a laptop with a modified class 1 bluetooth dongle
where we were connecting a 19dBi gain quad antenna to.
TechTV documented this experiment. Pictures can be found here.
Bluetooth Security Issues
- Adam and Ben Laurie's page about bluetooth security issues
- BlueJacking page
BlueBug in the press
story on this report [DE]
story on this report [EN]
Wire WebLog [EN]
from a distance [EN]
you being bugged by your rivals? [EN]
Chinese Site citing the report
Story on WIRED News [EN]
Story about Long Distance Snarfing on Jeremy's LOOSE wire blog [EN]
Distance Snarf [DE]
in the Wall Street Journal [EN]
in the Wall Street Journal Europe [EN]
Interview at CNBC Europe [EN]
about BlueBug on German Television Station Pro7 (Focus TV) [DE]
about BlueBug on Swiss Television SFDRS (Kassensturz) [DE]
Talk at Defcon 12 in Las Vegas
Talk at BlackHat in Las Vegas
We believe that at this time the damage caused by persons exploiting
these security loopholes would be too big. Therefore, we only disclose
information to device manufacturers.
Do not ask for tools, please.
You should at least switch bluetooth to hidden mode. This prevents
possible attackers from finding (and attacking) your device.
The safest choice would be to turn bluetooth off completely. Then
you are not able to use eventual bluetooth accessories.