Summary. ========
A recent posting from A.L. Digital suggests that security flaws exist in
Bluetooth, while not describing the vulnerabilities in any technical detail. This email concerns itself specifically with the vulnerabilities related to retrieval of personal information from devices.
Some of the attacks described have been known about for some time and discussed (or hinted at) in public before, at BlackHat/Defcon (Las Vegas) by FX of Phenoelit (More Embedded Systems), at Defcon by Bruce Potter of Shmoo and most recently by Alexander Grimm, Marcel Holtmann and Andreas Vedral at the Wireless Technologies Congress.
Detail. =======
It is incorrect to assume that these vulnerabilities exist because of a lack of security in Bluetooth itself. These vulnerabilities are purely the result of design errors in the host devices, and Bluetooth is simply the transport mechanism over which the attacks can be carried out. The vulnerabilities occur in some of the OBEX profiles used by manufacturers to transfer arbitrary information via Bluetooth.
In particular the OBEX Push Profile is often unprotected whereas the OBEX FTP profile is not. The name of the profile is also misleading as you would believe that the OBEX Push would only allow files to be uploaded. However the profile also allows information retrieval.
The OBEX vulnerabilities can be divided into two categories, PUT and GET. As is implied from the names, they refer to information being sent to or returned by the host device. Both PUT and GET actions can be restricted by the need to pair, however some manufacturers have chosen to remove this restriction to add extra features, such as vCard exchanging.
It should be noted here that OBEX is protocol independent and it is possible to exploit the vulnerabilities via IrDA and even via serial connection. It should also be noted that OBEX does have the ability to manage authentication. However, this is not used by any of the devices we have tested over the past three months.
The rest of the information contained here will be based on un-paired and un-trusted devices attacking a target device.
Much more information can be obtained from many devices by physical contact or social engineering, however this is not a deficiency in Bluetooth or the host device. Due to the prompt given by some devices, it is possible to trick the user into pairing. However this is a form of social engineering.
These vulnerabilities exist whether the Bluetooth device is in discoverable mode or not.
Vulnerabilities. =================
OBEX PUT vulnerabilities. -------------------------
This series of attacks relates to the movement of information towards the target device. These attacks are based upon information extracted from the IrMC specification, which describes several interesting files.
The IrMC specification can be found at: http://www.irda.org/standards/pubs/IrMC_v1p1Specs_Errata001024.zip
These files are often accessible via unprotected Bluetooth profiles. While they can be viewed on protected profiles, some manufacturers choose to also enable this via un-protected profiles such as "OBEX Push". OBEX also has a DELETE action, which is a PUT with an empty body, by pushing to each of the phone book entries it would be possible to overwrite or delete all of the phone book entries. A solution for manufacturers would be to separate the PUT functions into specific profiles and not allow the same actions via all profiles.
OBEX GET vulnerabilities. -------------------------
While similar to the PUT vulnerabilities, these present a much more of a serious threat including invasion of privacy. All vulnerable files are mentioned in the IrMC specification.
Once again these files are usually only accessible via protected Bluetooth profiles, however, it appears that some manufacturers have used the same code to implement the un-protected services and thus the files are visible.
Fixes. ======
1) Only enable Bluetooth when absolutely necessary.
2) Place the device in non-discoverable mode. While this does not correct the fault, it is harder to find the target device. There can be problems with this, some Nokia devices fail will to connect properly when hidden.
3) Refuse any pair attempt or content transfer unless it is from a known and trusted device/source.
The ultimate fix is for manufacturers to provide a greater separation of services, an attitude that seems to have been taken with the Ericsson T610.
Current state of alerts. ========================
The information relating to these vulnerabilities has been in the public domain for some time. However, until the recent bugtraq and full disclosure posts, the consequences of these issues was not widely advertised. A number of affected vendors have already been contacted with varied degrees of response.
Researchers. ============
Mark Rowe, Pentest Limited. Tim Hurman, Pentest Limited. Contact: bluetooth at pentest.co.uk
