BlueBug Introduction BlueBug is the name of a bluetooth security loophole on some bluetooth-enabled cell phones. Exploiting this loophole allows the unauthorized downloading phone books and call lists, the sending and reading of SMS messages from the attacked phone and many more things. Facts Under ideal conditions, a BlueBug attack takes only a few seconds (depending on the things, which are done during the attack). Due to the limited transmit power of class 2 bluetooth radios, the distance of the victim's device to the attacker's device during the attack should not exceed 10-15 meters. Similar to wardriving, also for bluetoothing a directional antenna can be attached to the radio in order to increase the range. Since the BlueBug security loophole allows to issue AT commands via a covert channel to the vulnerable phones without prompting the owner of this phone, this security flaw does allow a vast number of things that may be done when the phone is attacked via bluetooth: * initiating phone calls * sending SMS to any number * reading SMS from the phone * reading phonebook entries * writing phonebook entries * setting call forwards * connecting to the internet * forcing the phone to use a certain service provider * ... and many more things Phone Calls As mentioned above, the BlueBug security loophole allows the attacker to initiate phone calls from the victim's device. Things that can be done with initiating phone calls include: * eavesdropping when the victim passes, a phone that is owned by the attacker (e.g. an anonimously used prepaid-card phone) is called. From this moment on, the attacker is able to listen to all the conversations that the victim does until the victim hangs up the phone * causing financial damage since phone calls to any number can be established, it is also possible to call premium service numbers from the victim's device. If the victim does not realize that a phone call is connected to a premium service number, this would cause severe financial damage to the victim. SMS Sending SMS from the victim's device can be used for quite a lot of things: * finding out the victim's phone number The phone number of the respective device is not storedd at a predefined location. The devive's number can be gained by sending an SMS from the victim's device to a phone that is owned by the attacker. * causing financial damage There are quite a lot of SMS-based services that cost the client about 3 Euros per SMS. Usually, these services are used to sell ringtones and logos. There are also news subscriptions that can be ordered by SMS that continously cause costs to the victim. * tracking the victim As a location-based service, some providers allow other users to locate their customers by the GSM global cell id which their phone is connected to. According to the the mode the respective GSM cells are configured, this information can be very detailed. In order to do this, the provider must get the permission from the customer. This permission is usually given via SMS (which is sent by the attacker). * revealing secrets Often SMS messages are used to silently communicate secret information with other people. Reading SMS of the attacked device is often touching the victim's privacy. Paparazzi could use this attack in order to find out more about certain celebrities. Phonebook Entries Reading and writing phonebook entries could be used for: * finding out callers and called persons In GSM handsets, phonebooks are also used for managing call lists. So the attacker may find out who the victim called last, who was trying to reach the victim's device and who reached the victim's device. * doing nasty entries A nasty phonebook entry could be the name "Darling" and the international emergency number 112 :) * obfuscating the abuse After initiating phone calls, the list of dialed numbers could be overwritten. Call Forwards Setting call forwards on the victim's phone could cause a lot of confusion. So instead of calling the victim, the caller reaches the device connected to a random number that has been set. Internet Abuse The attacker can use the BlueBug loophole to establish an Internet connection that could for example be used for the illegal injection of Mail-Worms like Sasser, Phatbot or NetSky. Network Provider Preselection Especailly in locations like airports, where many users are arriving with their cell phones, service providers could use the BlueBug loophole in order to register these phones with their networks. History The history of the BlueBug started as a friend of Martin Herfurt pointed out that there was a bluetooth security loophole that allowed the downloading of various information from mobile phones without prompting the owner of the phone. This security loophole has been identified by Adam Laurie from A.L. Digital Ltd. and was explained on bluestumbler.org In order to get a little more attention for a talk about wardriving (the exploitation of WLAN insecurity), Martin Herfurt decided to also present this more recent security issue. Since no snarfing tools were available on the Internet, an application has been hacked that could read out the phonebooks of the devices that were also listed on Adam Lauries page. Believing to having found the same security loophole as Adam Laurie, this application was successfully demonstrated at the IKT 2004 Forum. For curiousity, the laptop with the bluesnarf application has been taken to the CeBIT technology fair in Hannover, Germany. There, about 1300 unique bluetooth devices could have been found of which about 50 phones were provenly vulnerable to this attack. One week later, a report about the CeBIT fieldtrial has been written and published on the austrian news-portal futurezone and the high impact site slashdot. The german newsticker of Heise did not react to the announcement of the report. Jeremy Wagstaff, the technical columnist for the Wall Street Journal cited the report in his WebLog and later in his column in the Wall Street Journal. About this time, (middle of April 2004) Adam Laurie was visiting Salzburg. Talking to Martin Herfurt it turned out that the identified security loopholes were not the same. Adam's Bluesnarf attack does allow the unauthorized downloading of items via the OBEX protocol, while the loophole identified by Martin Herfurt allows to contol the device device via a plain serial connection. Adam and Martin decided to do some work together in this point.