Wireless networking blues

24 Jun 2004

Just when you thought it was safe to go back to wireless networking, news emerges of yet more security loopholes with the technology. This time, the Bluetooth short-range networking technology was the centre of attention as Irish IT security experts heard what its vulnerabilities are and how they may be exploited.

Hugh Callaghan, a supervisor at the advanced security centre in Ernst & Young’s technology risk services department, spoke at a recent Information Systems Security Association meeting in Dublin and outlined some of the risks that Bluetooth brings.

He emphasised that the threats to phones and mobile devices are not widespread. “Vulnerabilities depend on the make and model,” he said. For example, certain Bluetooth-enabled mobile phones made by Nokia and Sony Ericsson have been identified with weaknesses.

“Many organisations probably don’t have a policy on networking standards such as Bluetooth and they don’t understand the risks involved,” said Callaghan. “It’s beginning to creep into the consciousness of organisations with data protection concerns and we are starting to advise best practice.”

Devices with Bluetooth technology can be accessed in one of three ways. Unsurprisingly, each of these methods has been tagged with a vaguely cool-sounding name. Bluebugging, probably the most dangerous threat of the three, allows individuals with a laptop and the correct software to access a Bluetooth mobile device’s command set without notifying or alerting the user. According to Callaghan, if a system is compromised the hacker could make phone calls or send and read text messages. Bluebugging also offers read and write phonebook contacts, lets people eavesdrop on phone conversations and connects to the internet.

As with all the attacks, the hacker must be within a 10-metre range of the phone. This is a separate vulnerability from a second method of attack called Bluesnarfing and it does not affect all of the same phones as Bluebugging does. This method allows hackers to gain full, unauthorised access to data stored on a Bluetooth-enabled phone without alerting the phone’s user of the connection made to the device. The information that can be accessed in this manner includes the phonebook and associated images, calendar and International Mobile Equipment Identity. Bluesnarfing has been deemed relatively low risk because of the combination of equipment and skills needed to do it successfully.

A third, separate vulnerability is known as Bluejacking and is “a relatively simple weakness” in Callaghan’s estimation. The practice doesn’t involve the removal or alteration of any data from the device. Instead, it allows phone users to ‘flash’ messages anonymously through the wireless connection to nearby devices within a 10-metre radius. The content is often a clever or flirtatious message rather than the typical business card with a name and phone number. The practice is mostly harmless and tends to happen in crowded public places — reports have emerged of Bluejacking on the Tube in London, for example.

Not all hacking is as harmless as that, however. “If someone is synching the phone up to a laptop running Lotus Notes, it’s possible that could be sniffed,” Callaghan points out, “although you can’t say it’s a critical vulnerability if there’s no data on the device.”

He adds that one of the main flaws in some phones is that while they have a setting that does not allow them to be ‘discovered’ by other nearby Bluetooth devices, this may not actually work, leaving the phone or PDA open to being compromised. “Even if they are anonymous, they are still vulnerable: in other words, this feature doesn’t do its intended purpose. The safest option [in that case] is to disable Bluetooth,” Callaghan advised. “Vulnerabilities are device-specific: keep up to date on patches,” he added.

Other precautions can be taken. One of the main points of risk for Bluetooth devices is when they ‘pair’ with one another; that is, they recognise each other so they can exchange data. For example, for the pairing procedure involved in having a phone talk to a PDA, the PIN in each device sets up a key method. Yet the PIN tends to be short, eg: ‘0000’. According to Callaghan, it’s much easier to eavesdrop on a Bluetooth device when it is synchronising with other wirelessly enabled hardware.

“When pairing, you should set the security level correctly to ensure encryption and when you are choosing a PIN, use non-default, secure PINs, of between six and 10 digits, not 0000. When devices are using encryption, choose combination keys instead of unit keys. A combination key is agreed on by two devices but then only used by those two devices when talking to one another. It is possible to have up to eight devices pairing but, for example, if you have a phone, PDA and a laptop, don’t use the same key for all. Instead, you should use a separate key for each pair.”

Summing up, Callaghan points out that Bluetooth is more resistant to interference than the 802.11 wireless standard, otherwise known as Wi-Fi, whose security shortcomings have been widely covered. “Instead of using one channel it uses short packets of data and frequency hopping,” he observes. As ever, much will rely on user education, he suggests. “The more somebody knows about the potential for abuse, the better. If not, people lose confidence in the technology.”

By Gordon Smith