ArminHornung.de

The private homepage of Armin Hornung


Computer Security (Bluetooth project)

Together with Stefan Ekerfelt, Leith Caldwell and Jean Wu, we studied current privacy and security issues related to Bluetooth. Because of University regulations, we were limited to monitoring students from the class who agreed to be on our list. Nevertheless, the results show that quite detailed tracking, identification and hotlisting is possible with Bluetooth-enabled devices, and that there is still a large number of devices visible.

Additionally, we tested Bluetooth-enabled mobile phones for known vulnerabilities, and implemented a new attack, an OBEX push DoS.

Data collection / BlueTracking

Based on braces from The Shmoo Group, we wrote a monitoring script in Perl which fit our needs. Traces of Bluetooth devices were dumped in text files (two of our sensors were offline), with a detailed scan being done for each device only once to save time and memory (which was especially limited on one of our sensors, a Gumstix). For evaluation, this data was processed in a SQL database.
The details we were able to obtain from most devices include the Bluetooth MAC, the clear name, a class ID stating the kind of device (PC, Mobile, Smartphone etc.) and a Blueprint identifying the exact model of the phone. Within the monitored building, we were able to track certain people in detail, e.g. to create movement / working patterns.

OBEX push Denial-of-Service

Besides testing mobile devices for known vulnerabilities, we implemented the following attack based on the OBEX push protocol.

Using ussp-push, it is possible to send out files very quickly. By continuously trying to push a file, the target is flooded with prompts asking whether to accept the file, which blocks any other use of the phone, including the ability to turn off Bluetooth.

All the following phones were tested and found vulnerable to this attack, which made us expect a large range of phones to be vulnerable in general.

Our proof-of-concept code uses ussp-push and targets a known MAC. This could be easily extended to target all visible devices. Plus, a user could be forced to accept a possibly malicious file with this attack. Using only one Bluetooth dongle, we were able to practically disable three phones simultaneously.
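
One device-side mitigation for the prompt flood described above, as an added example (not the project's proof-of-concept and not code from the paper): a throttle that decides whether an incoming OBEX push request may raise a user prompt. The class name, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class PushPromptThrottle:
    """Decide whether an incoming OBEX push request may raise a user prompt."""

    def __init__(self, window=30, per_sender=3, overall=6, block=300):
        # All thresholds (seconds / counts) are assumed values for illustration.
        self.window, self.per_sender = window, per_sender
        self.overall, self.block = overall, block
        self._by_sender = defaultdict(deque)  # addr -> times of prompts shown
        self._all = deque()                   # times of prompts shown, any sender
        self._blocked_until = {}              # addr -> end of quiet period

    def _expire(self, q, now):
        while q and now - q[0] >= self.window:
            q.popleft()

    def decide(self, now, addr):
        addr = addr.upper()
        if now < self._blocked_until.get(addr, 0):
            return "reject"                   # sender is in its quiet period
        mine = self._by_sender[addr]
        self._expire(mine, now)
        self._expire(self._all, now)
        if len(mine) >= self.per_sender:
            # Repeated pushes from one address: refuse silently for a while.
            self._blocked_until[addr] = now + self.block
            return "reject"
        if len(self._all) >= self.overall:
            # Overall cap: the sender address can be changed, so the per-sender
            # limit alone would not keep the screen free of prompts.
            return "reject"
        mine.append(now)
        self._all.append(now)
        return "prompt"

def replay(events):
    """Run (timestamp, address) events through a fresh throttle."""
    throttle = PushPromptThrottle()
    return [(ts, addr, throttle.decide(ts, addr)) for ts, addr in events]

# Constructed sample: one address pushing once per second, one ordinary sender.
FLOODER, FRIEND = "00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"
SAMPLE = sorted([(t, FLOODER) for t in range(10)] + [(5, FRIEND)])

if __name__ == "__main__":
    for ts, addr, verdict in replay(SAMPLE):
        print(f"t={ts:>3}s  {addr}  {verdict}")
```

With the sample input, the repeated sender gets three prompts and is then refused without a prompt, while the ordinary sender's single push still reaches the user.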

Project report paper

Abstract

As more personal, mobile electronic devices are equipped with the Bluetooth technology for short-range wireless, users of these devices often unknowingly have them enabled to be discoverable all the time. This can lead to security threats as well as privacy concerns, however most people are not aware of these risks or do not perceive them as issues. In this paper, we highlight some of the vulnerabilities of the Bluetooth protocol and extend the mobile Denial of Service attack to Bluetooth. We have found that currently popular Bluetooth-enabled mobile devices are susceptible to DoS attack, since these devices display pop-up notifications whenever they receive an incoming request. Tracing the exact position of the devices is more difficult due to the high range of Bluetooth sensors, although it is still possible using signal strength.

Complete Paper (10 pages, 1.6 MB)


Last modified: 2007-01-10