Bluetooth adoption in portable and IoT devices keeps growing, largely because it is so easy to use, and the threats that come with it are growing just as fast. Like any other technology, Bluetooth is exposed to several attacks, including BlueSmacking, BlueJacking, BlueSnarfing, and BlueBugging.
In this post, we discuss the common Bluetooth attacks in detail, but first, let's cover the basics of Bluetooth.
What is Bluetooth?
Bluetooth is a wireless technology standard used to exchange data between devices over short distances using UHF (ultra high frequency) radio waves in the 2.4 GHz ISM band. Development began at Ericsson in 1994 as a wireless alternative to RS-232 data cables, and the first specification was published in 1999. A typical (Class 2) Bluetooth device has a range of about 10 meters (30 feet).
Bluetooth is not a single protocol but a collection of protocols grouped under one specification. The latest Bluetooth standard is Bluetooth 5, although most devices in use still run versions 4.0 to 4.2. Several IoT vendors also keep legacy pairing mechanisms enabled for compatibility, sometimes as old as Bluetooth 2.0 (before Secure Simple Pairing was introduced in 2.1), which lowers the overall level of security.
The IEEE, which originally standardized Bluetooth as IEEE 802.15.1, no longer maintains the standard. Bluetooth is managed by the Bluetooth SIG (Special Interest Group), a non-profit, non-stock corporation established in September 1998. Since then, the SIG has grown into a network of member organizations that act as caretakers and innovators of the technology.
Following are the common types of Bluetooth attacks typically used by attackers to target mobile devices.
1. BlueSmacking
BlueSmacking is a denial-of-service (DoS) attack on Bluetooth-enabled devices. The attacker abuses the echo mechanism of the Logical Link Control and Adaptation Protocol (L2CAP), flooding the target with oversized echo requests until its Bluetooth stack is overwhelmed and the device becomes temporarily unresponsive.
The attack can be launched with the standard BlueZ utility l2ping, which sends L2CAP echo requests and lets the sender pick the payload size (-s) and flood the target (-f). Range is limited by the radio class of the adapters involved: roughly 10 meters for the Class 2 radios typical of smartphones, and up to around 100 meters when the attacker uses a Class 1 adapter or a high-gain antenna.
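As an added example (not code from the original post or from l2ping itself), the following Python builds the L2CAP ECHO_REQUEST PDU that l2ping sends, with whatever payload size the attacker chooses, and runs a simple flood/oversize detector over a constructed sequence of captured PDUs. The packet layout follows the L2CAP signaling channel format from the Bluetooth Core specification; the detector thresholds and the sample traffic are assumptions for illustration.

```python
"""Added example: L2CAP ECHO_REQUEST construction and a BlueSmack detector.

L2CAP basic header : Length (2 bytes, little-endian) | CID (2 bytes, little-endian)
Signaling command  : Code (1) | Identifier (1) | Length (2, little-endian) | Data
Signaling channel CID = 0x0001; ECHO_REQUEST code = 0x08, ECHO_RESPONSE code = 0x09.
"""
import struct
from collections import defaultdict, deque

SIGNALING_CID = 0x0001
ECHO_REQUEST = 0x08
ECHO_RESPONSE = 0x09
L2PING_DEFAULT_SIZE = 44   # payload size l2ping uses unless -s is given


def build_echo_request(identifier: int, payload_size: int) -> bytes:
    """Encode an L2CAP signaling PDU carrying one ECHO_REQUEST with payload_size data bytes."""
    data = bytes(i & 0xFF for i in range(payload_size))
    command = struct.pack("<BBH", ECHO_REQUEST, identifier & 0xFF, len(data)) + data
    return struct.pack("<HH", len(command), SIGNALING_CID) + command


def parse_signaling(pdu: bytes):
    """Decode a basic-mode L2CAP PDU on the signaling channel.

    Returns (code, identifier, data) or None when the PDU is not a well-formed
    signaling command (wrong CID, truncated, or inconsistent length fields).
    """
    if len(pdu) < 8:
        return None
    length, cid = struct.unpack_from("<HH", pdu, 0)
    if cid != SIGNALING_CID or len(pdu) != 4 + length:
        return None
    code, identifier, cmd_len = struct.unpack_from("<BBH", pdu, 4)
    if cmd_len != length - 4:
        return None
    return code, identifier, pdu[8:8 + cmd_len]


def detect_bluesmack(packets, window_s=1.0, max_rate=10, max_size=L2PING_DEFAULT_SIZE):
    """Flag sources that look like a BlueSmack flood.

    packets: time-ordered iterable of (timestamp_seconds, source_bdaddr, pdu_bytes).
    A source is reported with reason "oversized" when any echo request carries more
    than max_size data bytes, and with "flood" when more than max_rate echo requests
    arrive from it within any window_s-second window. Thresholds are assumptions.
    """
    recent = defaultdict(deque)          # source -> timestamps of recent echo requests
    findings = defaultdict(set)
    for ts, src, pdu in packets:
        parsed = parse_signaling(pdu)
        if parsed is None or parsed[0] != ECHO_REQUEST:
            continue
        if len(parsed[2]) > max_size:
            findings[src].add("oversized")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > max_rate:
            findings[src].add("flood")
    return {src: sorted(reasons) for src, reasons in findings.items()}


# Constructed sample traffic (not a real capture): a benign peer pinging at 1 Hz with the
# default size, then an attacker sending 50 echo requests of 600 bytes in half a second.
BENIGN = "11:22:33:44:55:66"
ATTACKER = "AA:BB:CC:DD:EE:FF"
SAMPLE_PACKETS = [(float(i), BENIGN, build_echo_request(i + 1, L2PING_DEFAULT_SIZE))
                  for i in range(3)]
SAMPLE_PACKETS += [(3.0 + i * 0.01, ATTACKER, build_echo_request(i % 255 + 1, 600))
                   for i in range(50)]

if __name__ == "__main__":
    for src, reasons in detect_bluesmack(SAMPLE_PACKETS).items():
        print(src, ", ".join(reasons))
```

The detector keys only on the signaling channel, so ordinary data traffic never reaches the rate counter; a real deployment would read PDUs from an HCI monitor (for example btmon) instead of the constructed list.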
2. BlueJacking
Bluejacking exploits Bluetooth's object-push functionality to send unsolicited, anonymous messages to a nearby device. The messages range from anonymous admiration to marketing material or a "business opportunity". While it is annoying, Bluejacking is not illegal in most countries.
Think of Bluejacking as one more channel for spam. It is uninvited and invasive, since the message appears on your screen without your consent or control, but it is worth noting that Bluejacking alone does not give an attacker control of your device.
Bluejacking is easy to carry out because almost every mobile handset can send a contact (vCard) to another device over Bluetooth, and that is its only prerequisite. The sender types the message into the contact's name field and pushes the contact over Bluetooth.
For example, someone in a coffee shop notices another customer enjoying a cup of coffee, creates a contact named "Is your coffee hot enough?" and chooses to send it via Bluetooth. The phone searches for and lists nearby discoverable Bluetooth devices; the sender picks the target and the unsolicited message is delivered. The Bluejacker's moment of glory comes when the victim reads the message and looks around in a mix of confusion and alarm, believing they are being watched.
The first widely reported instance of Bluejacking took place between 2001 and 2003, when a Malaysian IT consultant in a Malaysian bank used his mobile phone to send an advertisement for Ericsson to the owner of a Nokia 7650.
3. BlueSnarfing
BlueSnarfing is a more advanced attack that lets an attacker read data from the victim's phone over Bluetooth. It works when the victim's phone has Bluetooth switched on and discoverable. The attacker connects to the phone's OBEX (Object Exchange) Push service, which on vulnerable phones answered GET requests for well-known objects such as the phonebook (telecom/pb.vcf) and calendar (telecom/cal.vcs) without any pairing or authentication. BlueSnarfing is illegal in most countries.
An attacker can execute a BlueSnarfing attack with a third-party toolkit such as Bluediving, or with a plain OBEX client pointed at the Push channel. The motive is to steal sensitive data: contacts, calendar entries and, depending on the phone, other stored objects. Unlike a normal file transfer, the classic attack required no pairing with the victim's phone, which is what made it so dangerous.
An experienced attacker can write the client themselves, obtain one from the underground, or pay someone else to run the attack. Laptops and tablets are at less risk because their Bluetooth stacks normally require the connecting device to be paired and authorised before any OBEX request is served; the early feature phones this attack targeted did not.
BlueSnarfing was first described in 2003 by Adam Laurie of A.L. Digital during security testing of Bluetooth phones.
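As an added example (not from the original post, Bluediving, or any other tool named here), the following Python encodes OBEX requests and decodes captured ones for both of the attacks described above: the vCard PUT that Bluejacking relies on, and the GET for telecom/pb.vcf that the classic BlueSnarf attack sent to the OBEX Push service. The packet and header encoding follow the OBEX specification; the sample packets and the rule that a GET for a phonebook or calendar object over an unauthenticated Push connection is a snarf attempt are assumptions for illustration.

```python
"""Added example: OBEX request encoding/decoding for Bluejacking and BlueSnarfing traffic.

OBEX packet : Opcode (1) | Packet length (2, big-endian, includes these 3 bytes) | headers
The top two bits of a header ID select the value encoding:
  00 = Unicode text (2-byte length incl. the 3 header bytes, UTF-16BE, NUL-terminated)
  01 = byte sequence (2-byte length incl. the 3 header bytes)
  10 = one-byte value          11 = four-byte value
"""
import struct

OP_PUT, OP_GET = 0x02, 0x03
FINAL = 0x80                       # set on the last packet of a request
HDR_NAME, HDR_TYPE, HDR_END_OF_BODY, HDR_CONNECTION_ID = 0x01, 0x42, 0x49, 0xCB

# Objects the original BlueSnarf attack pulled from the Push service without pairing.
SNARF_TARGETS = {"telecom/pb.vcf": "phonebook", "telecom/cal.vcs": "calendar"}


def build_request(opcode, headers):
    """Encode an OBEX request from (header_id, value) pairs.

    value is str for Unicode headers, bytes for byte-sequence headers, int otherwise.
    """
    body = b""
    for hid, value in headers:
        kind = hid >> 6
        if kind == 0:
            data = value.encode("utf-16-be") + b"\x00\x00"
            body += struct.pack(">BH", hid, 3 + len(data)) + data
        elif kind == 1:
            body += struct.pack(">BH", hid, 3 + len(value)) + value
        elif kind == 2:
            body += struct.pack(">BB", hid, value)
        else:
            body += struct.pack(">BI", hid, value)
    return struct.pack(">BH", opcode, 3 + len(body)) + body


def parse_request(packet):
    """Decode one OBEX packet into (opcode, {header_id: value}); raises ValueError if malformed."""
    if len(packet) < 3:
        raise ValueError("packet too short")
    opcode, plen = struct.unpack_from(">BH", packet, 0)
    if plen != len(packet):
        raise ValueError("packet length field does not match data")
    headers, pos = {}, 3
    while pos < plen:
        hid = packet[pos]
        kind = hid >> 6
        if kind in (0, 1):
            if pos + 3 > plen:
                raise ValueError("truncated header")
            hlen = struct.unpack_from(">H", packet, pos + 1)[0]
            if hlen < 3 or pos + hlen > plen:
                raise ValueError("bad header length")
            raw = packet[pos + 3:pos + hlen]
            headers[hid] = raw.decode("utf-16-be").rstrip("\x00") if kind == 0 else raw
            pos += hlen
        elif kind == 2:
            if pos + 2 > plen:
                raise ValueError("truncated header")
            headers[hid] = packet[pos + 1]
            pos += 2
        else:
            if pos + 5 > plen:
                raise ValueError("truncated header")
            headers[hid] = struct.unpack_from(">I", packet, pos + 1)[0]
            pos += 5
    return opcode, headers


def classify_push_request(packet, authenticated):
    """Label a request seen on the OBEX Push channel.

    Push exists to receive objects (PUT). A GET for a known phonebook/calendar object
    from a peer that never paired is the BlueSnarf signature (assumed detection rule).
    """
    opcode, headers = parse_request(packet)
    base = opcode & 0x7F
    name = headers.get(HDR_NAME)
    if base == OP_GET and name in SNARF_TARGETS and not authenticated:
        return "snarf:" + SNARF_TARGETS[name]
    return {OP_PUT: "put", OP_GET: "get"}.get(base, "other")


# Constructed sample packets (not captured from real devices).
VCARD = b"BEGIN:VCARD\r\nVERSION:2.1\r\nN:Is your coffee hot enough?\r\nEND:VCARD\r\n"
BLUEJACK_PUT = build_request(OP_PUT | FINAL, [(HDR_NAME, "card.vcf"),
                                              (HDR_TYPE, b"text/x-vcard\x00"),
                                              (HDR_END_OF_BODY, VCARD)])
SNARF_GET = build_request(OP_GET | FINAL, [(HDR_NAME, "telecom/pb.vcf"),
                                           (HDR_TYPE, b"text/x-vcard\x00")])

if __name__ == "__main__":
    for label, pkt in (("bluejack", BLUEJACK_PUT), ("bluesnarf", SNARF_GET)):
        print(label, classify_push_request(pkt, authenticated=False), parse_request(pkt)[1])
```

The parser validates every length field before slicing, which matters here because the attack surface in question is a server parsing packets from an unauthenticated peer; a decoder that trusts the length bytes is exactly the kind of code these attacks were aimed at.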
4. BlueBugging
BlueBugging is an attack that gives the attacker access to and control over a phone with a discoverable Bluetooth connection. The original BlueBug exploited an undocumented RFCOMM channel on affected phones that accepted modem-style AT commands without pairing. Through it the attacker could send and read text messages, read the phonebook, place calls, and set up call forwarding to eavesdrop on the victim's calls.
The attacker initiates the attack simply by connecting to that channel; no pairing prompt is shown to the victim. The term is now also used loosely for any Bluetooth-based takeover, including ones that first push malware such as a keylogger or RAT (remote access trojan) onto the device, but the classic attack needed no malware at all: the phone's own AT command interpreter did the work.
BlueBugging is much more advanced than BlueSnarfing and BlueJacking and requires a skilled attacker. Mobile devices are more exposed to it than laptops or desktops. The same kind of unauthenticated access can be used to deploy stalkerware for eavesdropping; please refer to our earlier blog post on stalkerware for more details.
The BlueBug was discovered in 2004 by German researcher Martin Herfurt. His initial code targeted laptops with Bluetooth capability and was later turned against mobile phones and PDAs.
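As an added example (not from the original post and not Herfurt's BlueBug code), the following Python audits a constructed transcript of an RFCOMM session of the kind the classic attack drives: plain AT commands sent to the phone's modem interpreter and the phone's replies. It maps each command to the capability it hands the sender (phonebook read, SMS read or send, dialing, call forwarding) and reports which ones succeeded on a link that was never authenticated. The transcript format, the sample session and the verdict rule are assumptions.

```python
"""Added example: audit an AT-command session of the kind BlueBugging abuses.

Transcript format (assumed): lines starting with "> " were sent to the phone over the
RFCOMM channel, lines starting with "< " came back. A command's result is the final
response line ("OK" or "ERROR") that follows it.
"""
import re

# Standard GSM 07.07/07.05 AT commands and the capability each one hands to whoever can send it.
SENSITIVE_COMMANDS = [
    (re.compile(r"^ATD[\d+*#]+;?$", re.I), "dial"),           # place a voice call
    (re.compile(r"^AT\+CPBR=", re.I), "phonebook_read"),      # read phonebook entries
    (re.compile(r"^AT\+CMG[RL]\b", re.I), "sms_read"),        # read / list stored SMS
    (re.compile(r"^AT\+CMGS=", re.I), "sms_send"),            # send an SMS
    (re.compile(r"^AT\+CCFC=", re.I), "call_forward"),        # divert calls (eavesdropping)
]


def parse_transcript(text):
    """Split a transcript into [(command, [response lines])] pairs in order."""
    exchanges = []
    for line in text.splitlines():
        if line.startswith("> "):
            exchanges.append((line[2:].strip(), []))
        elif line.startswith("< ") and exchanges:
            exchanges[-1][1].append(line[2:].strip())
    return exchanges


def classify(command):
    """Return the capability a command exercises, or None for harmless queries."""
    for pattern, capability in SENSITIVE_COMMANDS:
        if pattern.match(command):
            return capability
    return None


def audit_session(text, authenticated):
    """Summarise what an AT session achieved.

    Returns {"operations": [(command, capability, succeeded)], "data_lines": n,
             "verdict": "bluebug" | "suspicious" | "benign"}.
    Verdict is "bluebug" when a sensitive command succeeded without authentication,
    "suspicious" when one was attempted but refused, otherwise "benign" (assumed rule).
    """
    operations, data_lines = [], 0
    for command, responses in parse_transcript(text):
        capability = classify(command)
        if capability is None:
            continue
        succeeded = bool(responses) and responses[-1].upper() == "OK"
        operations.append((command, capability, succeeded))
        data_lines += sum(1 for r in responses if r.startswith("+"))  # +CPBR:/+CMGR: payload
    if authenticated:
        verdict = "benign"
    elif any(ok for _, _, ok in operations):
        verdict = "bluebug"
    elif operations:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"operations": operations, "data_lines": data_lines, "verdict": verdict}


# Constructed transcript (not a real capture): identification query, phonebook dump,
# a call placed from the victim's phone, and a call-forwarding attempt the phone refused.
SAMPLE_SESSION = """\
> AT+CGMI
< Nokia
< OK
> AT+CPBR=1,3
< +CPBR: 1,"+15550100",129,"Alice"
< +CPBR: 2,"+15550101",129,"Bob"
< +CPBR: 3,"+15550102",129,"Carol"
< OK
> ATD+15550199;
< OK
> AT+CCFC=0,3,"+15550199"
< ERROR
"""

if __name__ == "__main__":
    report = audit_session(SAMPLE_SESSION, authenticated=False)
    for command, capability, ok in report["operations"]:
        print(f"{command:28} {capability:15} {'succeeded' if ok else 'refused'}")
    print("verdict:", report["verdict"])
```

The point of the audit is the combination, not any single command: AT+CPBR or ATD from a paired hands-free kit is normal, while the same commands arriving over a channel that never went through pairing are the whole BlueBug.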
How to secure your device against Bluetooth Attacks?
Bluetooth typically has a short range (under 10 meters), although an attacker can extend it with a Class 1 adapter or a directional antenna. Be extra cautious whenever you are in a public place. The following tips will help you stay out of an attacker's reach.
1. Turn off Bluetooth
The best way to defend against Bluetooth attacks is to turn Bluetooth off completely and only switch it on when you need it. If the attacker cannot see or connect to your device, they cannot attack it.
2. Make your device hidden using Bluetooth configuration
If you need to keep Bluetooth on, make your device hidden (non-discoverable) to other Bluetooth devices. This is not foolproof: tools such as RedFang can still find a non-discoverable device by brute-forcing its address, and the address of a device that is actively communicating can be sniffed, but it makes an attacker's job noticeably harder.
3. Discard any unsolicited messages
Any unsolicited messages from strangers must be immediately discarded or deleted instead of responding or starting a conversation.
4. Reject unexpected pairing requests
Reject pairing requests from devices you do not recognise, including ones whose names mimic one of your own devices.
5. Limit the use of Bluetooth hands-free
Do not leave a hands-free headset connected when you are not using it, and do not use it while transferring data.
6. Monitor your Data Usage
Keep track of your phone’s data usage. Any sudden spikes or changes may be an indication that your device is compromised.
7. Keep your device updated
Always update your Bluetooth devices to the latest firmware and software. Updates carry the fixes for known Bluetooth stack vulnerabilities; an unpatched device stays exposed to attacks that have long been public. If your mobile device no longer receives updates, it is better to replace it.
8. Observe suspicious activities
If you observe unexpected behaviour such as spontaneous restarts, Bluetooth dropping and reconnecting by itself, or calls in your call history that you did not make, treat it as an indicator of compromise. Reset the device to factory settings; this erases all applications and data from the phone, including any malware installed by the attacker.