Thursday, February 05, 2004

BlueTooth Hacking For Fun and Profit

WiFi wardriving tools have now advanced to the point where it is less a sign of techno-machismo and more a sign of social maladjustment to actually go out and wardrive in your neighborhood. So what's a young wireless data enthusiast to do? Software Defined Radio is a good suggestion, but you're limited to the frequencies you can use without relatively expensive equipment. Another recommendation might be investigating the security characteristics of your BlueTooth enabled device.

Bluejacking became a relatively popular sport last year. According to the Bluejackq with a Q site, Bluejacking is the sending of unsolicited messages to unsuspecting Bluetooth device owners for fun.

Bluejacking works because many people leave their phone in the "visible" state. This means it's viewable by other Bluetooth devices within range. The bluejacker takes advantage of the fact that BlueTooth device names can be as long as 254 characters, temporarily changing the bluejacking device's name to include a saucy message like "Mama, konna toi tokoro made, yuko oide kudasaimashita *." When sent, the target phone displays a message like '"Mama, konna toi tokoro made, yuko oide kudasaimashita." just sent you a message.' The social goal of Bluejacking appears to be to use a message interesting enough that the receiver does not pay attention to the "just sent you a message." part of the alert, but not so interesting that the sender would be arrested for violating local obscenity regulations.

Bluejacking is a mostly harmless activity. Though it is an unintended use of a technical feature, most hard-core geeks find little technical challenge in it. For the more serious hacker, looking to explore the security features of their handset, a more technically demanding sport is required.

The first step for any self-respecting hacker is always to do a little field research. There are a few BlueTooth books on the market: BlueTooth Revealed by Brent A. Miller and Chatschik Bisdikian was an early favorite of the hacker crowd, while Bluetooth: Connect Without Cables gets the nod from the non-tech crowd. Investigators on a budget should check the BlueTooth section of Palo Wireless for online documents covering all manner of wireless protocols, including BlueTooth.

To get an idea of the types of security vulnerabilities with which BlueTooth device owners must contend, there are a number of good resources a few mouse clicks away. NIST has published a report on wireless network security entitled Special Publication 800-48: Wireless Network Security: 802.11, Bluetooth and Handheld Devices. Authors Tom Karygiannis and Les Owens walk the reader through a high-level overview of wireless networks and the specific risks faced by wireless data users. Ollie Whitehouse of @stake published a report last year entitled War Nibbling: Bluetooth Insecurity. It provides a good overview of common vulnerabilities and of the tools used to test the security of BlueTooth enabled devices. Going to "the source" is a great idea if one is technically minded. Adam and Ben Laurie investigated the security features of a number of BlueTooth enabled phones last year; their results are available at BlueStumbler.Org.

After a little investigation, the next step is to install and/or configure a BlueTooth networking stack on your device of choice. The ever-popular Linux operating system is a good choice for persons wishing to experiment with a broad range of BlueTooth features. BlueZ is a BlueTooth networking stack that runs on Linux (and possibly other Unices). You'll need it to work with the tools listed below.

Assuming everything went well installing and configuring BlueZ, you may now investigate the security characteristics of your handset. The BlueTooth Security Database archives results from popular phones, as does the BlueStumbler.Org site. If you have a device that's not already in the database, consider adding the information you find.

BlueSniff and RedFang are two popular applications that eavesdrop on BlueTooth conversations. BTScanner is a tool that will query your device and report its common settings; it is very useful when trying to figure out whether a device is susceptible to attack.

As a final note, BlueTooth hacking tools should be used in a legal and ethical way. Remember, real people own these devices and rely on them for everyday tasks, so please remember to "do no harm."

* "Mama, konna toi tokoro made, yuko oide kudasaimashita," is Japanese for "My Goodness! What a pleasure to see you in this neck of the woods."

Tuesday, February 03, 2004

JTRS, GNU, and Software Defined Radio

Imagine receiving a mobile phone call on your convergence PDA. It's your significant other; you forgot to send an email to an old college friend inviting them to a cocktail party later that week. Your convergence device holds a copy of the email message, so you flip over into WiFi mode and start scanning for open access points so you can connect to the net and forward the message. No luck finding 802.11 coverage, so you flip over to 3G mode. It's eight cents a megabyte and slower than WiFi, but since you're nowhere near an access point, it's your only option. You send the message and tag on a voice mail asking the college friend to RSVP quickly. You're going to be spending most of the afternoon in a building with notoriously poor mobile coverage, but that's okay; you'll set your smartphone to use the Mobitex pager network, which works reasonably well inside buildings. You may not be able to receive a call, but you will get the page.

How many radio circuits are packed inside that convergence device anyway? Only one, but it's driven by a "software controlled radio." Such devices promise to radically alter the mobile handset landscape, providing support for every imaginable radio protocol in a single device. We should also see the ability for clever programmers to add encrypted voice, data, and video channels to commercial products based on the technology. Software Defined Radios are still in their infancy, but they promise to seriously shake up the industry.

So who are the power players behind this market-bending technology? One would expect market leaders like Sony, Ericsson, or Nokia to have a firm hold on commercial applications of SDR. A Google search for "software defined radio" yields a surprising result. The most popular SDR page is run by an open source project, GNU Radio, a Free Software Foundation project.

The project is still in its infancy; it will be a long time before a major handset manufacturer announces they'll be releasing a smartphone with GNU Radio code inside. But according to the project's Wiki, providing a platform to tinker with is a major part of their mission. Like the early "homebrew hackers" of personal computer fame, GNU Radio hackers may be on the cusp of a redefining moment in personal radio technology. Radio modulation schemes were, until now, defined by relatively large groups of engineers working for relatively large companies who built radio hardware. The hardware had to be expensive enough to pay for the engineers, locking out experimenters. Clever hackers wishing to experiment with encrypted radio can put together a software defined radio using free software, a Linux PC, a high-end sound card, and a handful of analog parts. (Please note: experimenting with encrypted radio may be illegal in some jurisdictions.)

The military is already working on software defined radio. The Joint Tactical Radio System is the next generation system for use by allied military commands. At the forefront of technology, JTRS securely transports voice, data, and video across the battlefield (and presumably back to home base as well).

Modern militaries have a tradition of using "bleeding edge" technologies to accomplish their missions. As the technology is developed and refined, it leaks into the commercial sector, but not before it falls into the hands of hobbyists.

Don't think you need a software defined radio? That's okay; a lot of people said the same thing about personal computers in the mid-'70s. If the PC revolution could be said to be about anything, it was about personal control of critical resources. The Apple ][ with VisiCalc freed an entire generation of business-people from dependence on centralized corporate computing resources. Financial managers often had to wait months for detailed reports as programmers wrote code to query early databases and tabulate results. VisiCalc could generate similar results in less than an hour.

It is probably safe to say that the "killer app" for software defined radio has yet to emerge. Encrypted FRS radios? Authenticated ad-hoc wireless communication for wearables or PDAs? Or maybe it's just a smartphone that can talk every protocol from Bluetooth to CDMA. Whatever it is, mere mortals will for the first time be able to define open, secure radio protocols. This changes everything.

Monday, February 02, 2004

Are Terrorists Using Crypto?

News reports from the Hamburg, Germany trial of a Moroccan man indicate terror networks may be using encrypted email to plan their attacks. Abdelghani Mzoudi is currently being tried on charges of helping the 9/11 terrorists. During the trial it was alleged that Mzoudi was trained in the use of encrypted communications.

The witness who testified that Mzoudi was an "encryption expert" was considered somewhat unreliable by Germany's Federal Intelligence Service (BND), but the accusation still raises the question: are terror networks using encrypted digital communications? And if so, what should be done about it?

Time Magazine's European online edition has the following text in its article, Witness-Box Weirdness:

The Hamburg trial of Abdelghani Mzoudi, a 31-year-old Moroccan accused of helping the Sept. 11 hijackers, took a strange twist last week when the prosecution produced a surprise witness in a bushy brown wig and glasses. The witness, an Iranian who goes by the alias Hamid Reza Zakeri and who claims to be a former Iranian intelligence operative, testified that in 1997 Mzoudi spent three months at a training camp in Iran learning how to encrypt e-mail messages. Zakeri also said that Ziad Samir Jarrah, one of the Sept. 11 terrorists, received training in hijacking airplanes at an Iranian camp.
For several years some very well-meaning members of the law enforcement community have been advocating a course of outlawing or curtailing domestic crypto rights. Louis Freeh, former director of the FBI, is the highest-profile member of that community (see Louis Freeh Still Campaigning against Cryptography). Given Mr. Freeh's record as FBI director it would be difficult to question his motives, but a wide range of groups oppose his suggestions to restrict domestic access to strong crypto.

In 1996, the National Academies Press published the results of a study directed by Herb Lin titled Cryptography's Role in Securing the Information Society. The study pointed out that encryption technology is a dual-use technology. While it could certainly be used by very bad people to mask their plans, it also has a fundamental, legitimate use.

Cryptography enables a number of beneficial technologies: secure credit-card transmissions, strong authentication for corporate information technology systems, etc. Outlawing encryption technology to prevent terrorists and criminals from shielding their plans from law enforcement will only serve to eliminate its use by law-abiding citizens. There is little evidence to indicate that terrorists planning to do grievous harm to American citizens or interests will be dissuaded from using cryptographic tools simply because they are illegal. The upside of making encryption technology illegal is minimal (unless law enforcement can force terrorists not to use crypto), while the downside is disastrous for Internet businesses.

There have been cases already in which investigators have gone up against criminals using strong encryption products. Nicodemo Scarfo is an alleged mob boss who was using PGP to encrypt his computer records. The FBI was able to complete its investigation by surreptitiously installing a keystroke recorder on Mr. Scarfo's PC. The next time he unlocked his PGP key, the FBI was listening (see United States v. Scarfo (Key Logger Case) at the EPIC web site).

It's important to note that the FBI investigated Mr. Scarfo "by the book." They approached a federal judge, displayed evidence of their suspicions, and waited until the judge granted their request to secretly recover Mr. Scarfo's encrypted private key and key pass-phrase.

Despite the use of strong cryptographic products, the FBI was still able to mount a successful investigation which led to a plea bargain.

Encryption technology is used every day for legitimate, lawful reasons. Encryption technology protects the credit card numbers for millions of web-based transactions every year. It protects trade secrets on corporate servers across the country. It is even occasionally used to hide evidence of illicit extramarital affairs. Even if terrorists were using PGP to shield communications from Carnivore-style systems, our law enforcement community is equipped with tools to investigate suspected wrongdoers. And they can do it without disabling my browser.