WiFi security is capturing attention everywhere, from airports to coffee shops. But with the growing number of Bluetooth-ready laptops, security experts say the personal area network wireless technology could pose more of a hacking risk than your average WiFi network.
Unlike WiFi, which uses wireless access points that connect clients, each Bluetooth device is an access point itself, experts observe. "The potential for abuse is a lot greater for Bluetooth than for WiFi, as every Bluetooth device is a potential entry point to the local network," says Thierry Zoller, a security consultant with n.runs AG. "There are hundreds of these in every company."
Zoller, who recently presented some of his research at the Chaos Communications Congress hacker conference in Berlin, says third-party Bluetooth device driver software is a weak link in Bluetooth security.
Researcher HD Moore agrees. "Bluetooth is still a mess right now."
Kevin Finisterre, a researcher who's also co-authoring the Month of Apple Bugs, says several of the Bluetooth-related bugs he has found are not in the Bluetooth specification, but in the way the vendors are implementing it. "Quite a bit of the bugs I have found are due to the vendors' driver-install packages, or their stack in general." (See Buggin' Out?)
Finisterre also released an exploit he created that demonstrates how an attacker can compromise OS X via Bluetooth. "The attacker actually gets a root prompt and the ability to masquerade themselves as the compromised Mac," he says. InqTana GenerationTwo is a more aggressive version of a worm that he had developed in the past.
Among the Bluetooth device driver bugs Zoller points to are ones in Widcomm, Toshiba, and BlueSoleil. There's a flaw in the Widcomm driver's audio recording and playback feature that allows an attacker to eavesdrop on a laptop's Bluetooth microphone; a directory bug in the Widcomm, Toshiba, and BlueSoleil drivers that lets the attacker access all files on the hard drive; and buffer overflow flaws in the Toshiba and Widcomm drivers that can allow remote code execution.
"Bluetooth attacks pierce through all of your existing defense layers, your firewalls, IPS, etc.," he says. "The remote root shell gained on the MAC [media access control layer] can be used to pivot to internal servers over the internal LAN or over Bluetooth. It's slow, but it works."
Moore agrees that the stakes have gotten higher with Bluetooth, which is no longer just a headset phenomenon. "A vulnerability in a phone or headset only gets you so far -- but being able to connect to a PC, transfer files, and join the network is much more serious and something many folks don't pay attention to," he says. "A great example of this is KF's [Kevin Finisterre's] Bluetooth worm for Mac OS X."
Zoller, meanwhile, also points out that Bluetooth's main protection -- that a device can't be sniffed if it's in "non-discoverable mode" -- can actually be cracked. "Because if an attacker can find a Bluetooth device, he can connect to it."
An existing tool called Redfang finds a Bluetooth device's address and grabs its name. Zoller says this approach is slow and sometimes misses its target, and it could take weeks to find a Bluetooth device. But another, more brute-force attack is to sniff a channel and wait for the device to "hop by," he adds.
"Then [you can] take part of the Bluetooth packet to reverse-engineer the MAC address."
Zoller's own recently released BTCrack hacker tool, meanwhile, takes advantage of weak PINs in Bluetooth devices. Most vendors have implemented only digit-based PINs for authentication in their Bluetooth products, even though the PINs could also contain characters. "This is [what] makes BTCrack so fast," he says. "The entropy on the PIN is just too low."
So with all these obvious weaknesses in Bluetooth, why haven't there been many attacks on Bluetooth devices yet? Moore says the tools for sniffing Bluetooth are tough to obtain, and expensive. "The most popular Bluetooth protocol analyzer is around $10,000."
Kelly Jackson Higgins, Senior Editor, Dark Reading