Bluetooth security moves


Network Security, March 2006, page 19

Even though Bluetooth has continued to boom, the public still does not seem to be aware of the potential risks of using it. While Wi-Fi is widely recognized as a threat to security by home users and enterprise users alike, Bluetooth has not bubbled to the surface as a real threat. For instance, many enterprises have Wi-Fi and PDA security policies but few have policies to deal with Bluetooth.

Public perception is an important part of the overall security of an emerging technology such as Bluetooth. Until the public at large (or at least the IT world) is aware of the risks of using a technology, the vendors will not provide secure default configurations and third-party software providers will not have solutions to assist users to secure their systems. And during the time the public is not aware of the problem, the attackers have an advantage because they can develop tools and methods with little fear of being caught when they launch their attacks.

Attack tools

Over the last year, attack tools have continued to mature. The Bluetooth specification continues to withstand researchers looking for weaknesses in the protocol. Much of what has been successfully exploited in the last year is errors in implementation that allow attackers to access data or profiles they should not have access to.

Trifinite.org have been the leaders in pushing the limits of attack tools. They released Blooover II, an update to their very popular Bluetooth attack tool that runs on mobile phones. The new Blooover integrates many of their attacks into one tool, including the ability to pull address books from vulnerable phones, dialling phones, and even modifying some data on phones with specific vulnerabilities. Trifinite.org also released a tool called Carwhisperer that exploits the fact that the headsets implemented in many Bluetooth-enabled cars are always discoverable and use a known PIN code. Carwhisperer allows an attacker to connect to a vulnerable car and record conversations going on within a car.

Another attack tool of note is the Bluetooth Stack Smasher (BSS) from Secuobs.com. BSS works by fuzzing the L2CAP layer on Bluetooth-enabled devices. By fuzzing L2CAP, BSS can methodically send a large series of random values to a device to see how the device handles data that it may not have been designed to deal with. Generally a device vulnerable to BSS will simply crash when presented with malicious data. However, BSS probably represents a move by those building attack software to build more robust tools that are designed to look for implementation errors in a rapid and automated fashion.

Audit tools

Probably the biggest advancement with respect to Bluetooth security in the last year is the increased sophistication of Bluetooth auditing tools. Auditing is an important aspect of securing an enterprise, but until recently there were very few options for IT professionals wishing to audit their space for Bluetooth devices.


There are two major types of Bluetooth device discovery tools: those that stay within the Bluetooth specification and those that are wideband spectrum analyzers. The tools that use the Bluetooth spec generally use commodity radios such as those available at your local computer store. These tools find discoverable Bluetooth devices by constantly running inquiry scans, and may also be able to guess MAC addresses by brute force. Airmagnet’s Bluesweep and Network Chemistry’s Bluescanner, for instance, will find discoverable devices and then make a connection to each device to find the name of the device, type of device, and supported profiles [1,2].

Even though these tools only find discoverable devices, they are still valuable to those looking to audit their systems, especially given the price of these types of tools (free to several hundred US dollars).
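How a spec-based scanner turns inquiry results into an audit inventory, as an added example that is not code from the article or from Bluesweep, Bluescanner or BTScanner: it decodes the Class of Device (CoD) field every discoverable device reports and flags the car kits and phones an auditor should look at first. The device addresses, names and CoD values are constructed sample data.

```python
# Added example (not code from the article or from any tool it names): decode the
# Class of Device (CoD) each discoverable device reports during an inquiry scan and
# triage the resulting inventory from an auditor's point of view.
# CoD layout (Bluetooth Assigned Numbers): bits 8-12 major device class,
# bits 2-7 minor device class, bits 13-23 service-class flags.
MAJOR_CLASSES = {0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
                 0x03: "LAN/Network access point", 0x04: "Audio/Video",
                 0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable",
                 0x08: "Toy", 0x09: "Health", 0x1F: "Uncategorized"}
MINOR_CLASSES = {  # only the majors this audit cares about are expanded
    0x01: {0x01: "Desktop", 0x02: "Server", 0x03: "Laptop", 0x04: "Handheld PC/PDA"},
    0x02: {0x01: "Cellular", 0x02: "Cordless", 0x03: "Smartphone"},
    0x04: {0x01: "Wearable headset", 0x02: "Hands-free", 0x04: "Microphone",
           0x06: "Headphones", 0x07: "Portable audio", 0x08: "Car audio"},
}
SERVICE_BITS = {13: "Limited discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}
CAR_KIT_MINORS = ("Wearable headset", "Hands-free", "Car audio")


def decode_cod(cod):
    """Split a 24-bit CoD into major class, minor class and service flags."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "major": MAJOR_CLASSES.get(major, "Reserved 0x%02x" % major),
        "minor": MINOR_CLASSES.get(major, {}).get(minor, "minor 0x%02x" % minor),
        "services": [n for bit, n in SERVICE_BITS.items() if cod & (1 << bit)],
    }


def audit_inventory(inquiry_results):
    """Map (bdaddr, name, cod) inquiry results to audit records with review flags.
    Every device here answered an inquiry, so it is discoverable. Car kits/headsets
    get flagged for the always-discoverable, known-PIN issue described above; phones
    get flagged when they advertise object transfer (the service behind address books)."""
    records = []
    for bdaddr, name, cod in inquiry_results:
        info = decode_cod(cod)
        flags = []
        if info["major"] == "Audio/Video" and info["minor"] in CAR_KIT_MINORS:
            flags.append("car kit/headset: confirm PIN changed from vendor default")
        if info["major"] == "Phone" and "Object transfer" in info["services"]:
            flags.append("phone exposes object transfer: confirm pairing required")
        records.append({"bdaddr": bdaddr, "name": name, **info, "flags": flags})
    return records


# Constructed inquiry results standing in for a live scan (addresses are made up).
SAMPLE_INQUIRY = [("00:11:22:33:44:55", "Office phone", 0x5A020C),
                  ("66:77:88:99:AA:BB", "CAR KIT", 0x600408),
                  ("CC:DD:EE:FF:00:11", "Laptop", 0x3E010C)]
SAMPLE_AUDIT = audit_inventory(SAMPLE_INQUIRY)  # run the triage over the sample
```

The same records can be built from a real inquiry by feeding in whatever (address, name, class) triples the scanner of your choice returns; only the devices that answer inquiries appear, which is exactly the limitation the text describes.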

Wideband spectrum analyzers

The other type of auditing tool available, wideband spectrum analyzers, approach the problem in a completely different manner. These tools, such as those offered by Cognio or Frontline, listen on the entire 2.4 GHz band for any Bluetooth traffic [3,4]. These tools are best described as protocol analyzers that have the ability to listen to the entire 2.4 GHz ISM band at one time. Tools in this category can find Bluetooth devices that don’t want to be found. Some can even decode encrypted traffic if they are provided with the encryption keys in advance. The problem with these tools is the price. Wideband Bluetooth tools can run between USD 5,000 and USD 30,000. This is a large expense for many organizations, especially with Bluetooth still not generally on IT departments’ radar screens.

There are also still some open source solutions for Bluetooth device discovery and auditing. For example, BTScanner is available from PenTest Ltd. and runs on Linux and Windows XP, while iStumbler runs on OS X [5,6]. Both these tools work within the bounds of the Bluetooth protocol and therefore generally only find discoverable devices. For those looking to start exploring Bluetooth devices in their environment, these tools are a good starting point before deciding to spend money on tools with more features.

Defence tools

There are more Bluetooth stacks on the market now than ever before. Microsoft finally came to the market with its own Bluetooth stack in Windows XP Service Pack 2. Unfortunately, even with these new stacks, there are few tools and interfaces for users to understand and tweak their security settings. Further, there are very few tools for users to actually get a feel for what others are doing to their Bluetooth radio. Put another way, there are no security-specific Bluetooth tools designed to protect the end user.

Bluetooth security moves
Bruce Potter

In the past year the landscape of Bluetooth security has changed dramatically and it’s time for an update. A year ago, we examined the latest trends in Bluetooth security, what the current threats were, the state of the tools, and how to protect yourself. In the past 12 months Bluetooth has continued to gain in popularity. More and more cars, phones, laptops, and peripherals are shipping with integrated Bluetooth radios.

Events calendar

22-23 March 2006: UKUUG Spring Conference. Location: Durham, UK. Website: www.ukuug.org/events/spring2006/

4-6 April 2006: 5th Annual PKI R&D Workshop. Location: Gaithersburg MD, USA. Website: http://middleware.internet2.edu/pki06/

19-20 April 2006: 3rd International Conference – Security in Pervasive Computing. Location: York, UK. Website: www.cs.york.ac.uk/security/spc-2006.html

25-27 April 2006: Infosecurity Europe. Location: London, UK. Website: www.infosec.co.uk

1-6 May 2006: DallasCon Information & Wireless Security conference. Location: Dallas, Texas, USA. Website: www.dallascon.com

22-24 May 2006: IFIP AND SEC 2006. Location: Karlstad, Sweden. Website: www.sec2006.org

14-16 June 2006: Infosecurity Canada. Location: Toronto, Canada. Website: www.infosecuritycanada.com

16-21 July 2006: IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security. Location: Vancouver BC, Canada. Website: http://163.117.149.137/cec2006ss.html

Parting shots

Bluetooth continues to gain in popularity and the security space around it continues to mature. While not yet as mature as the Wi-Fi security practice, Bluetooth security is becoming more visible and administrators have more choice in the tools they use. However, there is still a long way to go; attackers still have a leg up, because without a large degree of public attention they will continue to be able to push the envelope of the existing devices without being noticed.

However, if the current trend continues, in a few years’ time the tables may be turned and users will finally have tools and methods to protect themselves from Bluetooth attacks.

Resources

[1] Bluescanner - www.bluescanner.org/
[2] Bluesweep - www.airmagnet.com/products/bluesweep.htm
[3] Frontline - http://www.fte.com/
[4] Cognio - http://www.cognio.com/
[5] iStumbler - http://www.istumbler.net
[6] btscanner - www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=downloads&section=01_bluetooth

ISS's CTO on security services online (...continued from page 2)

...spam guy in Russia who was assassinated – was that someone tired of getting spam? Or was it because the spammer did not pay his botnet bill? My money’s on the latter. In 2006, bot armies will replace the worm.

Would you say that this change is of real concern to your enterprise customers?

The fact that cyber crime has moved to a more ‘for-profit’ model is absolutely of concern to them. The top concern in 1998 was “my web page will be defaced”; the concern today is that “my intellectual property will be stolen and sold”.

So there is a shift to data protection?

Yes, and less concern about the latest bug.

They are also concerned about web application security and global device security.

What makes ISS stand out in 2006?

If you look at the security space, we continue to see point players emerge to solve point problems. The challenge is, when you talk to the customer, they don’t want that.

So, the days of point products to solve point problems are over. Smaller vendors coming up from the bottom will have to come up and learn how to integrate and leverage security architectures.

The bigger players, including ISS, can’t expect to deliver a suite-type solution; we’ve got to address the newer problems. A key to do that is to develop a platform where new security problems can be solved in an on-demand fashion.

So, our offerings begin to mix a blend of services and traditional software and hardware to solve problems, but that line will become transparent to the user.

So, we continue to have new problems to be solved with technology, and one of the ways ISS is adapting to it is by opening up our own platform, so that smaller vendors can interface with our technology, and the customers will only be required to use a single management interface with a portal. We do that by publishing our interfaces, our APIs: we don’t want to be a closed system.

2006 is an inflection point year for ISS. Why is that?

The big change is linked to this open architecture, and online services delivery. Historically, I think online efforts were slow to gain traction because customers were concerned about outsourcing of security. I have not heard that argument in 2005. Most companies now are opening up to the idea of outsourcing their security.

If bigger companies are more comfortable with outsourcing security, is that because the customer is changing?

There are a couple of shifts. One of the shifts is that the security buyer in many cases is the recommender in the networking shop of the buyer. A lot of security technologies have moved into the core of the network. A lot of security is being delivered as appliances, for example. And some of our recent announcements have been for that, to appeal to the networking buyer.

But again the solution sell is at the C-level. One of the additional upsides to delivering online as services is that you can add new functionalities without having to release software per se. So if you want to add a new type of SOX report, it's not a service pack that we have to issue. You can just deliver that through a portal. So you can add more solutions more quickly through this method. Software-as-a-service is strategic to us, to deliver online.
