BlueBug is the name of a bluetooth security loophole found on some bluetooth-enabled cell phones. Exploiting this loophole allows the unauthorized downloading of phone books and call lists, the sending and reading of SMS messages from the attacked phone, and many more things.
Under ideal conditions, a BlueBug attack takes only a few seconds (depending on what is done during the attack). Due to the limited transmit power of class 2 bluetooth radios, the distance between the victim’s device and the attacker’s device during the attack should not exceed 10-15 meters. As with wardriving, a directional antenna can be attached to the radio in order to increase the range.
Since the BlueBug security loophole allows AT commands to be issued to vulnerable phones via a covert channel without prompting the phone’s owner, this security flaw allows a vast number of things to be done once the phone is attacked via bluetooth:
As mentioned above, the BlueBug security loophole allows the attacker to initiate phone calls from the victim’s device. Things that can be done by initiating phone calls include:
- When the victim passes by, a phone owned by the attacker (e.g. an anonymously used prepaid-card phone) is called. From this moment on, the attacker is able to listen to all the conversations the victim has until the victim hangs up the phone.
- Causing financial damage: since phone calls to any number can be established, it is also possible to call premium service numbers from the victim’s device. If the victim does not realize that a call to a premium service number is connected, this causes severe financial damage to the victim.
Sending SMS from the victim’s device can be used for quite a lot of things:
- Finding out the victim’s phone number: the phone number of the respective device is not stored at a predefined location. The device’s number can be obtained by sending an SMS from the victim’s device to a phone owned by the attacker.
- Causing financial damage: there are quite a lot of SMS-based services that cost the client about 3 Euros per SMS. Usually, these services are used to sell ringtones and logos. There are also news subscriptions that can be ordered by SMS and that continuously cause costs to the victim.
- Tracking the victim: as a location-based service, some providers allow other users to locate their customers by the GSM global cell id their phone is connected to. Depending on how the respective GSM cells are configured, this information can be very detailed. In order to do this, the provider must get permission from the customer. This permission is usually given via SMS (which, in this case, is sent by the attacker).
SMS messages are often used to silently exchange confidential information with other people. Reading the SMS of the attacked device therefore frequently infringes on the victim’s privacy. Paparazzi could use this attack in order to find out more about certain celebrities.
Reading and writing phonebook entries could be used for:
- Finding out callers and called persons: in GSM handsets, phonebooks are also used for managing call lists. So the attacker may find out who the victim called last, who was trying to reach the victim’s device and who reached the victim’s device.
- Making nasty entries: a nasty phonebook entry could be the name “Darling” with the international emergency number 112 :)
- Obfuscating the abuse: after initiating phone calls, the list of dialed numbers could be overwritten.
Setting call forwards on the victim’s phone could cause a lot of confusion: instead of reaching the victim, the caller reaches the device behind whatever arbitrary number has been set.
The attacker can use the BlueBug loophole to establish an Internet connection that could for example be used for the illegal injection of Mail-Worms like Sasser, Phatbot or NetSky.
Especially in locations like airports, where many users arrive with their cell phones, service providers could use the BlueBug loophole in order to register these phones with their networks.
The history of the BlueBug started when a friend of Martin Herfurt pointed out that there was a bluetooth security loophole that allowed the downloading of various information from mobile phones without prompting the owner of the phone. This security loophole had been identified by Adam Laurie of A.L. Digital Ltd. and was explained on bluestumbler.org.
In order to get a little more attention for a talk about wardriving (the exploitation of WLAN insecurity), Martin Herfurt decided to also present this more recent security issue. Since no snarfing tools were available on the Internet, an application was hacked together that could read out the phonebooks of the devices listed on Adam Laurie’s page. Believing it to be the same security loophole Adam Laurie had found, this application was successfully demonstrated at the IKT 2004 Forum.
Out of curiosity, the laptop with the bluesnarf application was taken to the CeBIT technology fair in Hannover, Germany. There, about 1300 unique bluetooth devices were found, of which about 50 phones were demonstrably vulnerable to this attack.
One week later, a report about the CeBIT field trial was written and published on the Austrian news portal futurezone and the high-impact site slashdot. The German newsticker of Heise did not react to the announcement of the report.
Jeremy Wagstaff, the technical columnist for the Wall Street Journal cited the report in his WebLog and later in his column in the Wall Street Journal.
About this time (middle of April 2004), Adam Laurie was visiting Salzburg. Talking to Martin Herfurt, it turned out that the identified security loopholes were not the same: Adam’s Bluesnarf attack allows the unauthorized downloading of items via the OBEX protocol, while the loophole identified by Martin Herfurt allows control of the device via a plain serial connection. Adam and Martin decided to do some work together on this point.
After meeting Adam Laurie in Salzburg, it was decided to co-operate on bluetooth security issues.
The idea of determining the model of discovered bluetooth devices by hashing their SDP profiles is being investigated.
A BlueBug application that runs on Java-enabled bluetooth phones is currently being implemented. Unfortunately, debugging this application is not easy.
On a Wednesday morning, five people (Martin Herfurt (Salzburg Research), John Hering (Flexilis), James Burgess (Flexilis), Kevin Mahaffey (Flexilis) and Mike Outmesguine (author of the book Wi-Fi Toys)) did a long-distance snarf at Santa Monica Bay close to Los Angeles. It was possible to BlueSnarf a phone from a distance of 1.08 miles. For this we used an ordinary unmodified Nokia 6310i on the one side and, on the other, a laptop with a modified class 1 bluetooth dongle to which a 19 dBi gain quad antenna was connected.
TechTV documented this experiment.
BlueSerial-Maemo - BlueSerial tool compiled to be used on a Nokia 770 Tablet PC
(written for Linux using BlueZ)
by Adam Laurie
Bluesnarfing @ CeBIT 2004 - Detecting and Attacking bluetooth-enabled Cellphones at the Hannover Fairground [english]
by Martin Herfurt
published in March 2004
more information on the Bluebug project page
futurezone story on this report [DE]
slashdot story on this report [EN]
LOOSE Wire WebLog [EN]
Robbed from a distance [EN]
Züricher Sonntagszeitung [DE]
Are you being bugged by your rivals? [EN]
SFDRS Kassensturz [DE]
Chinese Site citing the report
Story on WIRED News [EN]
Story about Long Distance Snarfing on Jeremy’s LOOSE wire blog [EN]
Long Distance Snarf [DE]
We believe that at this time the damage caused by persons exploiting these security loopholes would be too big. Therefore, we only disclose information to device manufacturers.
Do not ask for tools, please.
You should at least switch bluetooth to hidden mode. This prevents possible attackers from finding (and attacking) your device.
The safest choice would be to turn bluetooth off completely. Then, however, you cannot use any bluetooth accessories.
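A way to verify the hidden-mode advice above on a Linux machine, as an added example that is not part of the original page or of any trifinite tool: the script below parses the flag line of BlueZ’s classic `hciconfig` output, where ISCAN (inquiry scan) means the adapter answers inquiries and is therefore visible to scanning devices, while PSCAN (page scan) alone means connectable but hidden. The sample output, the MAC address and counters in it, and the function and file names are constructed for this example; `hciconfig hci0 pscan` and `bluetoothctl discoverable off` are real BlueZ commands.

```shell
#!/bin/sh
# Added example, not part of the original trifinite.org page: check whether a
# BlueZ-managed adapter is discoverable ("visible"), the state the advice
# above says to switch off. Assumes the classic BlueZ `hciconfig` tool, whose
# flag line reads e.g. "UP RUNNING PSCAN ISCAN".

# Constructed sample of `hciconfig hci0` output for a discoverable adapter
# (address and counters are made up; real output indents with tabs).
SAMPLE_DISCOVERABLE='hci0:   Type: Primary  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 1021:8  SCO MTU: 64:1
        UP RUNNING PSCAN ISCAN
        RX bytes:1234 acl:0 sco:0 events:50 errors:0
        TX bytes:567 acl:0 sco:0 commands:50 errors:0'

# Constructed sample for the same adapter in hidden mode (page scan only).
SAMPLE_HIDDEN='hci0:   Type: Primary  Bus: USB
        BD Address: 00:11:22:33:44:55  ACL MTU: 1021:8  SCO MTU: 64:1
        UP RUNNING PSCAN
        RX bytes:1234 acl:0 sco:0 events:50 errors:0'

# discoverable_state TEXT
# Reads hciconfig-style output from $1 and prints one of:
#   discoverable  adapter is up and answers inquiries (ISCAN set)
#   hidden        adapter is up but does not answer inquiries
#   down          adapter is not up at all
discoverable_state() {
    if ! printf '%s\n' "$1" | grep -qE '^[[:space:]]*UP([[:space:]]|$)'; then
        echo down
    elif printf '%s\n' "$1" | grep -qE '^[[:space:]]*UP.*[[:space:]]ISCAN([[:space:]]|$)'; then
        echo discoverable
    else
        echo hidden
    fi
}

# check_adapter [DEVICE]
# Queries a real adapter (default hci0), prints its state and, if it is
# discoverable, the BlueZ commands that switch it to hidden mode.
# Returns 1 when discoverable (usable from other scripts), 2 if hciconfig
# is not installed.
check_adapter() {
    dev=${1:-hci0}
    if ! command -v hciconfig >/dev/null 2>&1; then
        echo "hciconfig not found; on BlueZ 5 use: bluetoothctl show" >&2
        return 2
    fi
    state=$(discoverable_state "$(hciconfig "$dev")")
    echo "$dev: $state"
    if [ "$state" = discoverable ]; then
        echo "to hide it:  hciconfig $dev pscan   (or: bluetoothctl discoverable off)"
        return 1
    fi
    return 0
}

# Usage: sh check_bt_visibility.sh --live [hci0]
if [ "${1:-}" = "--live" ]; then
    check_adapter "${2:-hci0}"
fi
```

`hciconfig` is deprecated in BlueZ 5 but still widely installed; on systems without it, `bluetoothctl show` reports a `Discoverable: yes/no` line that can be checked the same way. Note that hidden mode only stops the device from being found by inquiry scans; an attacker who already knows the device address can still attempt a connection, which is why the page recommends switching bluetooth off entirely when it is not needed.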
Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.