T 5.160 Abuse of the Bluetooth profiles
Bluetooth defines individual profiles for standardised data exchange, message transmission and configuration. These profiles may be exploited to access Bluetooth end devices and manipulate them, to eavesdrop on them and/or to steal data. Some examples of the threats caused by misuse of these profiles are described below.
In order to access another Bluetooth end device, the two end devices usually need to be paired, and authentication is always part of the pairing. However, the Bluetooth specification allows access to the Service Discovery Protocol (SDP) without authentication, prior to the pairing. Bluetooth devices use this protocol to exchange the list of available profiles. In the past, Bluetooth implementations became known that offered profiles which were not displayed via the SDP; apparently, the manufacturers had opened a kind of backdoor. Based on this vulnerability, individual profiles could be used to exchange data between Bluetooth end devices without a prior pairing, i.e. without authentication.
- For example, an attacker may use the OBEX Push Profile intended for simple data exchange to read out calendar entries and phone books. If the end device also supports an OBEX-based FTP server, the attacker also gains write access to the end device.
- Due to the missing authentication, the HID profile, which is provided for entering data using input devices (i.e. mouse or keyboard), may also be used. If authentication is omitted and a successful pairing already exists, e.g. between a keyboard and a computer, this information can be used to simulate another input device and, for example, to record keyboard input using keylogger software.
Even more dangerous is the misuse of the SIM Access profile. With this profile, direct access to the SIM card of a mobile phone via Bluetooth is possible. Typically, this profile is used by integrated car phones that access another phone via Bluetooth. Due to the direct access to the SIM card, the mobile connection may be manipulated without the user realising this. For example, using the SIM Access profile, the SIM Application Toolkit implemented in many SIM cards may be used to send the session key that encrypts the mobile connection via SMS. With this session key, communication recorded on the wireless interface of the mobile phone can be decrypted and spied on. Combining the Bluetooth and mobile communication technologies thus creates attack scenarios that would not be possible with either technology alone.