T 4.79 Vulnerabilities in Bluetooth implementation

The Bluetooth specifications leave implementers considerable latitude in how the specified functions are realised. The specifications themselves already contain several vulnerabilities, and the individual implementations in Bluetooth devices may add further ones.

Several attack mechanisms are known that target vulnerabilities in the Bluetooth implementations of end devices and/or in the Bluetooth specifications themselves. Some of the more important ones are explained below:

Bluejacking

Bluejacking refers to an attack in which a message is sent via Bluetooth from one Bluetooth end device, e.g. a mobile phone or PDA, to another Bluetooth device. In most cases the purpose is to unsettle the recipient. Typical messages are statements such as "I really like your red trousers.", "You should take better care of your mobile on the Cebit." or simply "Hello, you've been bluejacked." This demonstrates, on the one hand, that a real attack would be easy to carry out and, on the other, that the user is being observed; since Bluetooth only works at close range, the latter is hardly surprising.

The "message" sent is simply the name of the sending Bluetooth device, which the attacker has set to the message text. When a connection request is made, the name of the requesting Bluetooth device is usually displayed on the other device. The name of a Bluetooth device is arbitrary and may be up to 248 characters long, so it can also carry short messages intended to unsettle the user.

Blueprint

The Blueprint method is used to read out the ID of a Bluetooth end device. From this ID the device version can be determined. By analysing freely available information on the vulnerabilities of that device, a targeted attack then becomes possible.

Bluesnarfing

Bluesnarfing is unauthorised access to information stored on Bluetooth mobile phones, such as address book and calendar entries, without the phone's user noticing. Bluesnarfing exploits a security weakness of Bluetooth mobile phones: on some models the stored data is freely accessible as soon as Bluetooth is turned on and the phone is set to "visible".

Bluesnarfing, like Bluejacking, relies on an incorrect implementation of an Object Exchange Profile in end devices. The attack establishes a direct connection to a Bluetooth end device and gains access to any data stored on it. Address books on mobile phones may thus be spied on without the phone's user being any the wiser. It is also possible to read out the International Mobile Equipment Identity (IMEI) of mobile phones and smartphones; every end device has a unique IMEI. For example, an attacker may divert incoming calls to an end device in their possession by having that device pretend to be the device that was called. The Bluesnarfing++ method additionally offers write access to the end device.

Bluebugging

Bluebugging exploits faulty Bluetooth implementations in some older end devices to gain direct access to, and/or control of, the end device. This attack method uses channels 16 and 17 of the Bluetooth protocol RFCOMM (Radio Frequency Communication), which emulates serial interfaces, to read data or change the settings of the Bluetooth end device. In addition, Bluebugging may be used to initiate phone calls, thereby generating costs, or to monitor calls made by the user. Other services provided by the end device may also be impaired. With older end devices the user has no indication that their device is being attacked; newer end devices usually display a security prompt indicating that another end device is trying to establish a connection.

Bluesniping

Bluesniping refers to attacks on Bluetooth devices over long ranges using directional antennas. In laboratory environments this has worked at distances of up to two kilometres. Bluesniping thus extends the other Bluetooth attack methods to a much larger range.

Denial of Service / BlueSmacking

Denial of service attacks are usually employed to overload the Bluetooth interface, rendering the end device unusable, e.g. because pairing requests have to be answered constantly, or to drain the battery of the end device quickly. A typical denial of service attack on Bluetooth devices is BlueSmacking. BlueSmacking misuses L2CAP requests to interfere with all Bluetooth devices in range simultaneously. The L2CAP "Echo Request" is actually intended to test whether a peer is ready to receive and how fast the connection is, much like a ping command.
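Two of the patterns above leave traces a defender can look for: a device name that has been turned into a "message" (Bluejacking) and a burst of oversized L2CAP Echo Requests from one address (BlueSmacking). The following detection logic is an added example, not part of this catalogue entry; it runs over a constructed, simplified event log whose line format (timestamp, address, event, detail) is an assumption for the example rather than the output of any real Bluetooth tool.

```python
from collections import defaultdict, deque

# Constructed sample log, not the output of any real tool. Format per line:
#   <seconds> <bd_addr> <event> <detail>
# NAME           = remote device name seen in an inquiry or connection request
# L2CAP_ECHO_REQ = an incoming L2CAP Echo Request with its payload length
SAMPLE_LOG = "\n".join(
    ["0.00 AA:BB:CC:DD:EE:01 NAME Galaxy S3",
     "0.10 AA:BB:CC:DD:EE:02 NAME Hello, you've been bluejacked."]
    + [f"{1.0 + i * 0.02:.2f} AA:BB:CC:DD:EE:03 L2CAP_ECHO_REQ len=600"
       for i in range(12)]                              # BlueSmack-style burst
    + ["3.00 AA:BB:CC:DD:EE:04 L2CAP_ECHO_REQ len=44"]  # a single normal echo
)


def parse(log):
    """Yield (timestamp, address, event, detail) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, addr, event, *rest = line.split(maxsplit=3)
            yield float(ts), addr, event, rest[0] if rest else ""


def suspicious_name(name, max_len=32):
    """A device name used as a 'message': unusually long or sentence-like."""
    return len(name) > max_len or any(c in name for c in ".!?")


def analyse(log, window=1.0, max_echo=10, max_len=100):
    """Return (address, finding) pairs: message-like device names, oversized
    Echo Requests, and more than max_echo Echo Requests within window seconds."""
    findings, flagged = [], set()
    recent = defaultdict(deque)  # address -> timestamps of recent Echo Requests
    for ts, addr, event, detail in parse(log):
        if event == "NAME" and suspicious_name(detail):
            findings.append((addr, f"message-like device name: {detail!r}"))
        elif event == "L2CAP_ECHO_REQ":
            length = int(detail.split("=", 1)[1])
            q = recent[addr]
            q.append(ts)
            while ts - q[0] > window:          # drop timestamps outside the window
                q.popleft()
            if length > max_len and (addr, "size") not in flagged:
                flagged.add((addr, "size"))
                findings.append((addr, f"oversized Echo Request: len={length}"))
            if len(q) > max_echo and (addr, "burst") not in flagged:
                flagged.add((addr, "burst"))
                findings.append((addr, f"{len(q)} Echo Requests within {window}s"))
    return findings


if __name__ == "__main__":
    for addr, finding in analyse(SAMPLE_LOG):
        print(addr, finding)
```

The thresholds (name length, payload size, requests per window) are assumptions to be tuned per environment; the point is that both abuse patterns are visible in ordinary connection and L2CAP traffic without any active probing.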