Bluetooth Vulnerabilities Spell Risk

Bluetooth is a common feature in cell phones, smartphones and laptops. Research from Kaspersky Labs suggests that when a device is left in “visible to all” mode, vulnerabilities could leave it open to malicious code or unauthorized use.

When Bluetooth runs on a device, it leaves a communication port open. Users can set the connection to “invisible” mode, which allows only previously connected devices to communicate. The default setting, however, is often “visible to all” which allows other Bluetooth users to connect to a device.

“The threat is real,” said Shane Coursen, senior technical consultant for Kaspersky Labs. “Is it something that we need to pay attention to? Absolutely. Is it something that should keep you up at night? Not at this point.”

The Cabir virus is the most widespread piece of malicious code spread to cell phones via a Bluetooth connection. Other worms include Lasco and Comwar, both of which spread to infect phones using the Symbian OS.

The three tactics used by hackers to gain access to a device include:

  • Social engineering: Hackers gain access by establishing a connection as a “trusted device” or by persuading a user to authorize a connection, lowering or disabling security and authentication protocols.
  • Vulnerabilities in the protocol: Hackers steal data from the phone, or use it to make calls, send messages, conduct DoS attacks or listen to calls with an earpiece.
  • Malicious code: Hackers infect a telephone with a worm that spreads to other devices via Bluetooth or MMS. The code can corrupt, steal or encrypt data on an infected phone.

While a phone is under the control of hackers, the vulnerabilities allow the intruders to:

  • Initiate a phone call.
  • Send SMS messages to any number.
  • Read SMS messages stored on the phone.
  • Read and write phonebook entries.
  • Configure call forwarding.

To determine the potential damage of an attack over Bluetooth, the software security firm observed how many devices had the wireless protocol active at InfoSecurity 2006 in London, and also counted enabled devices at various locations in London and Moscow.

During InfoSecurity, which ran three days, the team of researchers detected over 2,000 Bluetooth-enabled devices at the show and other sites in London. Over half of the devices were detected at the show, and belonged to exhibitors and attendees at the event. Additional locations in London included the London Underground’s Victoria, King’s Cross and Waterloo stations during rush hour.

In Moscow, tests were conducted at local supermarkets and the Moscow metro. The team detected about 100 devices in ‘visible to all’ mode in about an hour’s time.

Part of the research entailed an attempt to catch a virus in one of these locations. Devices were configured with names near the top of the alphabet, which would be detected before names beginning with later letters. Device names like BlueSoleil, Blue Auditor and BT Scanner were used in the test. No virus was actually received during the test.

While the devices remained safe, the firm used data on epidemics caused by biological viruses and mathematical epidemiological models to estimate the likelihood of a mobile virus epidemic. The report estimates that a worm for a mobile device would be able to infect nearly all vulnerable devices in Moscow within a 15-day period. An outbreak of that size would likely start in a busy area like a subway station, shopping mall or sporting event.

“In a football stadium, there’s going to be a lot of people in a fairly small area, and the chance for targeting phones that are compromise-able could cause a minor outbreak,” said Coursen.

Bluetooth does have characteristics that might protect users, or prolong the spread of a virus. It works in close proximity, and requires a pairing which a user is often aware of.

“It’s pretty simple to avoid most of today’s mobile malware, it’s not fully automatic,” said Coursen. “Most of it requires that you accept a file that’s being transferred, another way is that Bluetooth devices have a way to turn to invisible mode. Simply set your device to that mode once you have your devices configured.” Coursen said it’s not necessary to have the device on visible to all mode once it’s been paired with the devices meant to be used for that session.

While smartphones may have more functionality than standard handsets, Coursen said basic handsets with Bluetooth can offer more services than smartphones. “Those services open them up to a couple more attacks than Smartphones, but there really isn’t a whole lot of interest in the malware side,” he said.

[Chart: Accessible Bluetooth Services on All Electronic Devices]
[Chart: Accessible Bluetooth Services on Smartphones]
[Chart: Accessible Bluetooth Services on Handsets]
