Over the past few years, many products featuring Bluetooth technology have made their way into our day-to-day lives. Everything from cell phones to PDAs to telescopes contain Bluetooth chips these days. It seems as if the technology that was once deemed obsolete may, in actuality, be with us for a bit longer than some had predicted.
This chapter focuses on a real-world scenario that highlights the potential security implications involved in using a Bluetooth device. The applications and devices that are abused in the following text have not been modified in any way. The vendors in question have also patched any vulnerability that we exploited in the example. Keep in mind, however, that the techniques described can be applied to a number of situations.
Note: This chapter assumes a basic understanding of Bluetooth technology and its usage; if you need further background information on Bluetooth usage, such as the pairing process, how link keys and profiles are used, or anything else Bluetooth-related, please refer to http://www.bluetooth.org.
According to the Bluetooth Special Interest Group (SIG), Bluetooth is a type of short-range wireless connection that can be used to interconnect mobile phones, computers, PDAs and a broad selection of other devices easily. In section 3.10 of the IEEE Standard 802.15.1-2005, Bluetooth is described as a technology that makes use of a wireless communication link operating in the 2.4-GHz range of the unlicensed industrial, scientific, and medical band.
Ericsson originally conceived Bluetooth in 1994 as a method to replace cables. By 1998, the Bluetooth SIG was created, consisting of Ericsson, Intel, IBM, Nokia, and Toshiba. In recent years, the Bluetooth SIG has grown to over 4000 members.
The current role of the SIG is to lay down the standards under which Bluetooth-approved devices must operate. These standards include operating power limitations and distance specifications as well as profile interoperability and security features. Other standards, such as device pairing and channel hopping, are also controlled by the SIG.
A common misconception is that the distance of Bluetooth communications is limited to around 32 feet. Putting any potential modifications aside, the Bluetooth SIG endorses the following distances for Bluetooth devices:
Class 1: 100 meters (approximately 328 feet)
Class 2: 10 meters (approximately 32 feet)
Class 3: 1 meter (approximately 3 feet)
The specs alone go beyond the assumptions that most people have about the maximum distance for Bluetooth connections. As a reference point, an average coach bus is approximately 40 feet in length. You may be shocked to learn that connections can actually occur at much greater distances than even the specs indicate. For instance, a Bluetooth connection and subsequent attack occurred at a distance of 1.08 miles when an experiment dubbed the "Long-Distance-Snarf" was performed by John Hering, James Burgess, Kevin Mahaffey, Mike Outmesguine, and Martin Herfurt. The group was able to exploit a Bluetooth-enabled cell phone with the aid of an external antenna attached to a standard Bluetooth dongle.
Bluetooth offers a number of profiles that allow devices to interact on common ground. There are profiles that aid in everything from file transfers to sharing an Internet connection. A Bluetooth device must conform to the SIG specifications for a particular profile if it wishes to interact with other devices that have similar functionality. As a simple example, if a device wants to make use of an audio headset, it must follow the Headset Audio Gateway profile specifications.
Several profiles are currently available; they include, but are not limited to, the following:
A2DP: Advanced Audio Distribution Profile
BPP: Basic Printing Profile
HFP: Hands-Free Profile
HID: Human Interface Device Profile
OBEX: Object Exchange Profile
OPP: Object Push Profile
PAN: Personal Area Networking Profile
Each profile has its own set of standards and accompanying documentation, which is available from the Bluetooth SIG. If you do not already have a basic understanding of the available profiles, please consult the SIG website (http://www.bluetooth.com).