Time to start taking Bluetooth security seriously, as device driver bugs and hacking tools abound

WiFi security is capturing attention everywhere, from airports to coffee shops. But with the growing number of Bluetooth-ready laptops, security experts say the personal area network wireless technology could pose more of a hacking risk than your average WiFi network.

Unlike WiFi, where clients attach through a relatively small number of access points, every Bluetooth device is effectively an access point in its own right, experts observe. "The potential for abuse is a lot greater for Bluetooth than for WiFi, as every Bluetooth device is a potential entry point to the local network," says Thierry Zoller, a security consultant with n.runs AG. "There are hundreds of these in every company."

Zoller, who recently presented some of his research at the Chaos Communication Congress hacker conference in Berlin, says third-party Bluetooth device driver software is the weak link in Bluetooth security.

Researcher HD Moore agrees. "Bluetooth is still a mess right now."

Kevin Finisterre, a researcher who is also co-authoring the Month of Apple Bugs, says several of the Bluetooth-related bugs he has found are not in the Bluetooth specification but in the way vendors implement it. "Quite a bit of the bugs I have found are due to the vendors' driver-install packages, or their stack in general." (See Buggin' Out?)

Finisterre also released an exploit he created that demonstrates how an attacker can compromise OS X over Bluetooth. "The attacker actually gets a root prompt and the ability to masquerade themselves as the compromised Mac," he says. The exploit, InqTana GenerationTwo, is a more aggressive version of a proof-of-concept worm he had developed earlier.

Among the Bluetooth device driver bugs Zoller points to are ones in the Widcomm, Toshiba, and BlueSoleil stacks: a flaw in the Widcomm driver's audio recording and playback feature that lets an attacker listen in through a laptop's Bluetooth microphone; a directory traversal bug in the Widcomm, Toshiba, and BlueSoleil drivers that lets an attacker read any file on the hard drive, not just the shared folder; and buffer overflows in the Toshiba and Widcomm drivers that can allow remote code execution.
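The directory bug above is the classic path-traversal pattern: a Bluetooth file-transfer service (OBEX) takes the file name the remote client supplies and joins it onto the shared folder without checking where the result lands, so a name containing `..` components, or an absolute path, walks out of the share and into the rest of the disk. The Python below is an added illustration of that pattern beside the check that closes it; it is not the Widcomm, Toshiba or BlueSoleil driver code, and the share path and file names in it are constructed.

```python
import os

# Added illustration of the directory-traversal bug class described above;
# not the vendors' driver code. The share root and file names are constructed.

def vulnerable_resolve(share_root: str, obex_name: str) -> str:
    """Joins the client-supplied OBEX Name header straight onto the share root.
    '..' components walk out of the share, and an absolute name makes
    os.path.join discard the share root entirely."""
    return os.path.normpath(os.path.join(share_root, obex_name.replace("\\", "/")))


def hardened_resolve(share_root: str, obex_name: str) -> str:
    """Rejects absolute and '..'-containing names, then re-checks that the
    canonical target still lies under the canonical share root."""
    if not obex_name or "\x00" in obex_name:
        raise ValueError("empty or NUL-containing name")
    # Absolute POSIX names, UNC/backslash-rooted names and drive letters
    if obex_name.startswith(("/", "\\")) or (len(obex_name) > 1 and obex_name[1] == ":"):
        raise ValueError("absolute names are not allowed: %r" % obex_name)
    # OBEX clients may send either separator; treat both as path separators
    parts = [p for p in obex_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise ValueError("traversal component in %r" % obex_name)
    root = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(root, *parts))
    # realpath also follows symlinks inside the share that may point outside it
    if os.path.commonpath([root, target]) != root:
        raise ValueError("%r resolves outside the share" % obex_name)
    return target


def is_safe_name(share_root: str, obex_name: str) -> bool:
    """True if the hardened resolver would serve the name, False if it rejects it."""
    try:
        hardened_resolve(share_root, obex_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    share = "/srv/btshare"  # constructed share root
    for name in ("photo.jpg", "../../../etc/passwd", "..\\..\\..\\etc\\passwd", "/etc/passwd"):
        print("%-24s vulnerable -> %-24s hardened accepts -> %s"
              % (name, vulnerable_resolve(share, name), is_safe_name(share, name)))
```

The hardened version checks twice on purpose: the component filter rejects the obvious `..` and absolute forms before anything touches the file system, and the `realpath` comparison catches what the filter cannot see, such as a symlink inside the share that points elsewhere.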

"Bluetooth attacks pierce through all of your existing defense layers, your firewalls, IPS, etc.," he says. "The remote root shell gained on the Mac can be used to pivot to internal servers over the internal LAN or over Bluetooth. It's slow, but it works."

Moore agrees that the stakes have gotten higher with Bluetooth, which is no longer just a headset phenomenon. "A vulnerability in a phone or headset only gets you so far -- but being able to connect to a PC, transfer files, and join the network is much more serious and something many folks don't pay attention to," he says. "A great example of this is KF's [Kevin Finisterre's] Bluetooth worm for Mac OS X."

Zoller, meanwhile, also points out that Bluetooth's main protection, "non-discoverable mode," can be defeated. Non-discoverable mode only stops a device from answering inquiry scans; it does not stop connections from anyone who already knows the device's 48-bit address. "Because if an attacker can find a Bluetooth device, he can connect to it."

An existing tool called Redfang finds non-discoverable devices by brute force: it walks through candidate device addresses, tries to connect to each one, and reads back the device name of any that answer. Zoller says this approach is slow and sometimes misses its target; it could take weeks to find a single Bluetooth device. Another approach is to sniff a channel and wait for the device to "hop by," he adds.

"Then [you can] take part of the Bluetooth packet to reverse-engineer the MAC address."

Zoller's own recently released BTCrack tool, meanwhile, recovers a device's PIN offline from a captured pairing exchange, and it is effective because the PINs in use are weak. Most vendors have implemented only digit-based PINs for their Bluetooth products, even though alphanumeric PINs are also permitted. "This is [what] makes BTCrack so fast," he says. "The entropy on the PIN is just too low."
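The reason a PIN search can run offline is that everything it needs is on the air during legacy (pre-Secure Simple Pairing) pairing: the initialisation random IN_RAND, the two link-key randoms masked with the PIN-derived key, the authentication challenge AU_RAND and the response SRES. A sniffer captures that once, and each candidate PIN is then checked by re-deriving the keys and comparing the recomputed SRES. The Python below is an added example of that data flow; it is not BTCrack's code. It swaps HMAC-SHA256 in for the SAFER+-based E22, E21 and E1 functions, which the standard library does not provide, so the keys and SRES values it produces are not real Bluetooth ones, but the search is structured exactly as the attack is. The device addresses and the PIN are constructed.

```python
import hashlib
import hmac
import itertools
import os
import string

DIGITS = string.digits
ALNUM = string.ascii_letters + string.digits


# Stand-in for the SAFER+-based E22/E21/E1 functions of legacy Bluetooth
# pairing. HMAC-SHA256 is NOT the real primitive; it only preserves the
# data flow (who derives what from which inputs), which is all the offline
# PIN search depends on.
def _prf(key: bytes, *inputs: bytes) -> bytes:
    return hmac.new(key, b"".join(inputs), hashlib.sha256).digest()[:16]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key K_init from the PIN, the responder's address and IN_RAND."""
    return _prf(pin, bd_addr, in_rand)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination (link) key."""
    return _prf(lk_rand, bd_addr)


def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Authentication response SRES (4 bytes) to the challenge AU_RAND."""
    return _prf(link_key, au_rand, bd_addr)[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def simulate_pairing(pin: bytes, addr_a: bytes, addr_b: bytes, rng=os.urandom) -> dict:
    """Runs one legacy pairing plus authentication between A (initiator) and B
    and returns only what a passive sniffer on the channel would see."""
    in_rand = rng(16)
    k_init = e22(pin, addr_b, in_rand)                  # both sides derive this from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    masked_a = xor(lk_rand_a, k_init)                   # each side sends LK_RAND xor K_init
    masked_b = xor(lk_rand_b, k_init)
    k_ab = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    au_rand = rng(16)
    sres = e1(k_ab, au_rand, addr_b)                    # B proves it holds K_ab
    return dict(addr_a=addr_a, addr_b=addr_b, in_rand=in_rand,
                masked_a=masked_a, masked_b=masked_b, au_rand=au_rand, sres=sres)


def crack_pin(cap: dict, alphabet: str, length: int):
    """Offline search over the PIN space: re-derive K_init, unmask both
    LK_RANDs, rebuild K_ab and stop when the recomputed SRES matches the
    sniffed one. Returns (pin, candidates_tried) or (None, candidates_tried)."""
    tried = 0
    for cand in itertools.product(alphabet, repeat=length):
        pin = "".join(cand).encode()
        tried += 1
        k_init = e22(pin, cap["addr_b"], cap["in_rand"])
        lk_rand_a = xor(cap["masked_a"], k_init)
        lk_rand_b = xor(cap["masked_b"], k_init)
        k_ab = xor(e21(lk_rand_a, cap["addr_a"]), e21(lk_rand_b, cap["addr_b"]))
        if e1(k_ab, cap["au_rand"], cap["addr_b"]) == cap["sres"]:
            return pin.decode(), tried
    return None, tried


def pin_space(alphabet: str, length: int) -> int:
    """Number of candidates the search has to cover in the worst case."""
    return len(alphabet) ** length


if __name__ == "__main__":
    # Constructed addresses and PIN; a real capture would come from a sniffer.
    cap = simulate_pairing(b"1234", bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee"))
    pin, tried = crack_pin(cap, DIGITS, 4)
    print("recovered PIN %s after %d candidates" % (pin, tried))
    print("4-digit space: %d, 4-char alphanumeric space: %d"
          % (pin_space(DIGITS, 4), pin_space(ALNUM, 4)))
```

A four-digit PIN gives the search 10,000 candidates; four alphanumeric characters give 62^4, about 14.8 million, and each extra character multiplies that by 62. Nothing about the protocol changes between the two cases, which is why PIN length and alphabet are the only levers a user of legacy pairing has.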

So with all these obvious weaknesses in Bluetooth, why haven't there been many attacks on Bluetooth devices yet? Moore says the tools for sniffing Bluetooth are tough to obtain, and expensive. "The most popular Bluetooth protocol analyzer is around $10,000."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

