A false sense of security

Bluetooth, like WiFi, is rapidly becoming a standard feature on portable computing equipment, such as laptops and mobile phones. It should come as no surprise then, that Bluetooth's security has come under intense scrutiny.

There has been a wide range of highly publicised, if often misunderstood, hacks against Bluetooth devices. A quick browse of trifinite.org's tool list at trifinite.org/trifinite_stuff.html gives a flavour of the range available "off the shelf", and an hour with Google will turn up a hefty collection of technical papers about various attacks.

To date, though, the attacks have largely concentrated on poor implementation choices by vendors rather than real problems with the Bluetooth standard itself. A common target is the pairing process, whereby a user creates a trusted link between two devices.

Often this is based on a fixed pin, especially for devices with no means of entering a custom one (for example, Bluetooth headsets for mobile phones). The RedFang tool from @Stake showed early on that it was feasible, for a patient attacker, to "brute force" round the pairing process but, due to the time involved, this is largely an academic attack unless your enemies are well-funded with lots of spare time.

Bluetooth's saving grace has been the high cost of "Bluetooth sniffers" that collect all the traffic passing the antenna. Normally, network devices listen only for traffic directed to them, specifically traffic sent for their MAC address, a unique identifier for each physical card. For sniffing purposes, it's necessary to switch into "promiscuous mode", where the card listens for all traffic.

For WiFi, it is trivially easy to convert a standard card into a WiFi sniffer under Linux, and suitable devices are now available for Windows at a reasonable cost. The economical availability of promiscuous-mode devices has led to a mature and extremely powerful range of WiFi security tools, most of which are free.

In the Bluetooth world, the only option for promiscuous mode has been to purchase a customised "Bluetooth sniffer", the price of which is outside the average Black Hat's toy budget. Visit most vendors' sites for such devices and you'll find the pricing policy is very much "If sir has to ask... ". That may be about to change.

In a short but interesting research paper (www.remote-exploit.org/research/busting_bluetooth_myth.pdf), researcher Max Moser revealed that it's possible to convert a "standard" Bluetooth USB adaptor, the sort that cost about £10 on eBay, into a promiscuous-mode Bluetooth sniffer. That on its own is an interesting result, because if it works as expected, it will open up a whole new range of attacks.

What is more significant is the nature of the "conversion" process. Moser's modifications didn't even break open the case; he was able to load the firmware for a Bluetooth sniffer on to the standard USB adaptor. Again this isn't that surprising. It makes sound engineering sense to make a network card that listens to everything, then reprogramme it to listen only to its own traffic by firmware.

The failure here is relying on this production engineering choice as a security feature. A long history of modifications and hacks in the gaming console world has shown how foolish it is to assume that no one will mess about with firmware.

This isn't the only case of unwisely relying on a non-security characteristic. In the WiFi world, MAC addresses are often used for access control. Nice idea, but they are simple to change from the standard tools in Linux, or using a tool like SMAC (www.klcconsulting.net/smac/) under Windows. The result is a false sense of security. MAC filtering will keep out the clueless, but not any serious attacker.

To paraphrase my military friends, assumption is the mother of many security problems. If your security depends on assumptions of product functionality, you should be careful to test them. And make sure that, if one of them turns out to be wrong, your system doesn't fail with it.

falseofsecuritysense