I'm stuck. And the bunker. This is Martin Herfurt, who will introduce himself.

Hi, my name is Martin. I'm with Salzburg Research, Austria, and I'm mainly concerned with the presentation and demonstration today. So it would be nice if you switched on your Bluetooth if you have it, so we have a little more statistics to show you in the end. We won't have you on this.

Okay, today I'm going to go through some definitions of terms. I'm not sure Bluetooth has taken off in the same way over here as it has in the UK. Then we'll look at the devices and the various attacks we came up with, and the responses and defences from the industry, and by defences I mean not how they defended against the attacks, but their defensive position. Some legal issues are arising out of this whole stuff. It's not as simple as, you know, that it's illegal; some of the legal stuff that comes along is quite interesting. So we'll just go straight into that. I'm sorry. Is that better?

Okay, so Bluetooth is basically a wireless replacement, or wire replacement, technology. It's designed to get rid of all the crap that you need to connect all your devices together. It's low power, short range. It uses the same frequencies as Wi-Fi, and the data rate is about one megabit. The Bluetooth trademark is owned by the Bluetooth Special Interest Group, who are a trade association, and they basically license the IP and the trademark. Now, what's nice about that is you can go and join the SIG as an individual, and that gives you the right to use the logos and the trademarks, so if you were to release some kind of useful tool, for example, you could have the SIG stamp of approval on it, which is nice. Other people get to pay: the bigger members who are actually making Bluetooth devices have to pay various fees to get their devices qualified. There are two websites. Bluetooth.com is the consumer site, and Bluetooth.org is the technical site where you can go and sign up as a member.
So the three issues that have come up recently are bluejacking, bluesnarfing, and bluebugging. Bluejacking is a bit of a misnomer. I mean, it sounds like someone's hijacking a phone, taking it over. What they're actually doing is just sending you harmless messages. Of course, like any good new technology, it's immediately used for the pursuit of sex. So this thing called toothing has come along, which is basically setting up casual liaisons via Bluetooth messaging. People sitting on trains or in airports waiting, they're bored waiting for a plane. They'll send each other a message, and if they like the other guy or whatever, they'll go and do something. Yeah.

So because of bluejacking, the fact that you're visible makes you vulnerable to bluesnarfing, which is the thing we discovered back in November. Basically, we just took the sort of geek slang "snarf", to steal or take an unauthorized copy of some data, stuck it with "blue", so you get bluesnarfing. And what that gives you the capability of doing is copying data: your phone book, calendar, IMEI, which on GSM networks doesn't mean very much anymore. It's the unique identity of your phone, but I guess on networks where you don't have a SIM card, it might still be useful for cloning. If you've got images associated with entries in your phone book or your calendar, then we get those too.

Bluebugging was discovered by Martin when he was trying to reproduce my work at CeBIT. Basically, he wanted to see how big a threat this was in the real world. But because I hadn't published any of my data, he had to independently discover it. So he discovered how to do it, but actually found some more problems as well. Then we teamed up and have done some interesting things since then. Now, using his attacks, we're able to actually take full control of the telephone: make calls, read and write your SMSes, your text messages, as well as the calendar and phone book entries, and send SMSes and set diverts.
Okay, so the devices we've looked at on the whole are mobile phones. The reason we looked at those is because, well, my job as security officer for The Bunker is to protect my perimeters. And what I was finding is those perimeters were actually becoming wider and they were leaving my building, because the network or gateway of last resort for my sysadmins, for example, is their GSM mobile phones. They want to be able to dial in from anywhere, so they have potentially set up gateways into the network. The sales teams have all of their contacts in their calendar entries, business appointments and so on. So there are potentially a lot of issues with allowing staff to use network-enabled phones. In particular, it was becoming something they needed to do because the law changed in the UK to do with using mobile phones while driving. It's now no longer legal to actually hold the phone to your ear while you're driving. You have to use a headset of some kind, so Bluetooth is a good solution for that.

Now over in Europe, there's absolutely massive take-up. There are two million devices per week entering the market worldwide, and I think most of those are over in Europe. In fact, if I go out in London, it's pretty much impossible to get out of range of a Bluetooth device. If I scan for Bluetooth, I will find something no matter where I am. And the Bluetooth SIG are claiming that by next year 30% of all new phones released in the States will have Bluetooth.

So when we first publicised this, or when I talk to people about it, the general public response was usually, well, I don't care, there's nothing special in my phone, you can have my address book. But in practice, if you go and look at what's in your phone, you'll probably find there are a few entries in there that you might not want the whole world to see. And everyone I've challenged on that, I've actually gone and they've let me pull data off their phone.
We have found stuff like that. So a friend of mine who's a coffee shop manager, I read her phone book and I found the full street addresses of three coffee shops, plus the door codes and the alarm codes. So, you know, she didn't care when I first told her. It wasn't a problem, but actually it probably is a problem. Bruce's and my comment on this was that the people who are treating their phones as kind of data wallets now believe that they're secure, so they put a lot of stuff in there. And they believe that, you know, it's a device you carry around with you; if you don't lose it, you can't lose your data. So, clearly, with this technology, you can.

The second response is, well, you're supposed to enter a password or something. So, yeah, well, that's the whole point. You are supposed to, but we're bypassing that. But people kind of dismiss it because they believe the industry claim that it's secure. You're telling me you can get in, but I know you can't because I have to pair, so I'm not going to listen. And finally, you're selling a fix. Okay, well, we can't fix it. The mobile phone companies need to fix it. This is closed-source proprietary technology. We can't just go in with a fix and say, okay, we've taken your stack and we've fixed it, so this is something they have to do. But even if that were true, you know, you can be as cynical as you like, you still have a problem.

Okay, the specific attacks, which Martin will demonstrate. It's snarfing. We can steal the calendar appointments. Some images; we won't do that now because it's too slow. Your phone book names, addresses, numbers; as I've said, you can get PINs and other codes out of there if people have put them in there, and SMS text messages. The other attack, which is actually probably more serious, is turning a phone into a bug. Because we can initiate a call, what we can do is connect to your phone, tell it to call us back, and then we have an open mic on your person.
So you're walking around doing your thing and we're listening to everything you say. And that's now coming over the network, so we don't even have to stay in range anymore because it's a GSM call. The other method of bugging is we could set up a man-in-the-middle attack where we change an entry in your phone book, so your office entry no longer phones directly to your office. What it does is it phones my gateway, which then phones your office, and we have both sides of the conversation.

So what I'm going to do, the organisers here suck, so we're going to have to change cables. I'm supposed to have the video switch. Now when we tried to do this over at Black Hat, somebody DoSed the phone we were going to attack and was bluejacking it. I don't want to worry anyone, but I think there might be a hacker in town. Maybe. Have you broken it? No, it's fine. So as always, some of you already attacked our Nokia. Thanks.

So what you see in the right-hand corner of the screen is a secure phone, which is ours. It's totally untouched so far; we didn't modify anything. But we have to do that for legal reasons, just bugging a phone which is ours, which we had for this, and hopefully it's working. So we try that. You know, this is not how it is supposed to be in the wild. People are passing by. I'll try it again. So if this doesn't work, we'll move on to the next demonstration we have, about the Nokia phone book and SMS, so we move on and try this again later.

So we have another script on there which is called GSNARFI. It's using the gnokii application, which is for Nokia phones, and it's even got a front-end which makes it even nicer to work with. So it said connecting to Charger. Charger is the name of our machine. We called it this way because people would maybe get some funny ideas of what is going on if there were something else than Charger. So the only indication we see there is a little headset symbol on the display.
It has not made any sound so far, so people won't know if it's in the pocket, and even if it's not in the pocket they won't know what's going on. So what happens next is that I open up the contacts, reading them out from the phone. So it's reading the phone memory and the SIM memory. In fact there are some more phone books to read out, about the dialled contacts and missed contacts and stuff like that, just to gather some more information, which is enough to play with in the end. So what you see here is just a list from the phone, which has kind of obfuscated the numbers so you won't have any of them. And I'm looking for a specific entry called Honey, so this is supposed to be the girlfriend of the boyfriend of the owner, and I'm sure you know those. You can't see it anyway. So that's what we're going to do.

So taking that out, modifying the entry, which is done with that little icon. So we have the Honey and we just modify the number, which we have on here the other way around, 702. So maybe you want to copy that number, only 47 bucks, probably, yeah, it's cheap. Oh thanks, don't forget the one, so it's a plus one or one, I think it should. How do you know it's right? This is used to save it to the phone again. So we changed that number of the Honey, so anybody calling Honey will probably call somebody else. You know, if that number would call, the person Honey would show up; if the person is intending to call the entry with Honey, the person will call this number on here. But yeah, if you examine the entry you will see that number.

So another thing to do is next. Don't leave the room please, phone's still there. Yeah, our bug is still here. Stay there, it's okay, see you later. So whatever SMS messages, we can read them out of the phone. You probably could have your own application doing that, but it's PDU encoding of the messages, so we use gnokii again for reading that. So what you see here are the stored or the received SMS messages, and we could also use the phone in order to send SMS messages without
the owner even knowing. The only time the owner gets to know that this happened is when he receives the bill, and maybe there are some premium service numbers also on it, right? So when we disconnect from the phone you see it again in the display: we disconnected from the Charger. And you didn't hear the phone, so people probably would look at the display and would see, okay, I disconnected from the charger.

So what I'll try now is again to bluebug our test device, which has nothing to do with the Nokia phone here. So it didn't work out so far; that's what happened. So no bad response. It's supposed to be dialling a number. You know, what we did is just calling the phone which is here on the table, but it's not ringing, so I'll try it again. This is a little embarrassing. So no reaction on the display. So it's supposed to work usually. Anyway, we could bug this phone; haven't got the voice channel on that.

Okay, well, with the Nokia the attack profile is slightly different. We would have to set up the Bluetooth to capture the headset profile. On the Sony Ericssons we just get a straight open mic back through to this phone. But basically, if this had worked, what you would get is the goon that's holding that phone would be walking around with an open mic, and he could go out and leave the room, get in a cab, go to the other side of town, and that GSM connection would keep working and we would hear everything that's going on around him. In fact that connection could be anywhere, so we could just be a local operative setting up the bug, but the actual connection is going back to Tokyo or somewhere because it's across the GSM network. And of course he's paying for it because he made the call. So yeah, he will have a record that he made a call to my throw-away pay-as-you-go phone; you would have to take care to obfuscate your phone number.

Yeah, so what you see here is an application I used for CeBIT and also for several TV demonstrations. So you were nice and switched on your Bluetooth. So what you see here
is basically a listing of all the Bluetooth devices. On the left there's a manufacturer, which is guessed from the MAC address or the hardware address of the phone. So sometimes I don't have an entry, but mostly it's Nokia, at least in Europe. We have some strange ones; I never saw a T-con so far. iPAQs are here. You know, you get a pretty much guess which device is vulnerable by having the manufacturer, and sometimes, in this case the T610, we know it's sometimes vulnerable. Didn't even change the name, so this is still set to the default and you could pretty much guess it's vulnerable.

So on the right side of this table there's a red dot. The application is not set to attack any of these devices now because of legal issues. So what usually happens is that this spot turns green, and if it turned green we would have gotten an SMS from this phone including the number and the phone book of the respective device, and not only the SIM and the phone device phone book but also the dialled contacts and stuff like that, which is pretty interesting to know. You know, who did the person call last? That would be kind of interesting for any spouses to know.

Well, we try the bluebug once more. Somebody connected again. I switch Bluetooth off, better. Okay, we have to skip that demonstration, we're sorry, but yesterday... all the people who attended Black Hat would know it, right? Anyway, that was the demonstration.

There's a question: when the phone is turned off and the battery is still in? I don't believe it's vulnerable, because the Bluetooth stack is part of the operating system, which has to be up at the time of the attack, so I don't believe it's vulnerable at that point. Doesn't make sense. We're not going to share that at this time, until the phone companies have actually got a mechanism for dealing with the issue, which Nokia announced last week: they are actually rolling out an upgrade program where you'll be able to walk in and get your firmware upgraded. What models are affected? If
you go to the bluesnarf.org site you'll find a list of models there. Oh, by the way, the presentation is not done; maybe we shift the questions to the end. Okay, so if we move on.

So the potential attacks you've got with the calling, voice calls: you can call premium rates. You don't care where the voice is going, you just want to establish a call, initiate a call from the phone, and you're charging per minute for the outgoing call. In the UK at least the costs per minute are completely open-ended; there is no regulation. You can set up a company that charges £10 for the first second of the call and that will be charged to your bill, and you only need access, as I say, for the initial call setup; you don't have to stick around. Long distance calls: you do need the voice channel. Basically you want to use somebody else's phone to make a phone call yourself, so you need the voice channel. So if you're doing it with the voice channel over Bluetooth you basically need to act as a headset, so you have to stay within range. The alternative is you set up a call forward, so that the phone you're calling actually calls the number you want when you dial it and connects you onwards. That's only worth doing if your local call is cheaper than the long distance, which it probably is, and if you're on the network where you get free calls in the evening or whatever.

You can listen to voice mail, because most voice mail systems accept the CLI of the incoming call as authentication. It doesn't require a PIN if it recognises the incoming call. So if I use Bluetooth to connect to the phone and then dial your voice mail, it will just send me straight into voice mail and I'll hear your messages, can delete your messages and so on.

With SMS you've got again the same problem with premium rate, which is the cost-per-drop systems where you actually just send in a message and it charges you. You could potentially use the phone as a spam gateway, so you're sending unsolicited SMS spam from someone else's phone. You can impersonate
the victim, so a message arriving on someone else's phone appears to have come from you, so clearly from that victim, so they may act on that message because they feel it's authenticated because of where it's come from.

Probably one of the scariest is the access to authentication secrets, or being able to actually complete an authentication process. In the UK we have some services where you can type a phone number into a website and it will then track that phone wherever you go, and you can look it up any time, day or night, and if that phone is switched on it will draw you a nice little map of where the phone is. The way they authenticate is you type in the number, they send a text message to the phone, you respond from the phone with another text message to their centre, and then you're in. So if I can connect my Bluetooth to your phone I can actually complete that process for you. And this is one I did earlier. So I don't know how good the writing is, but basically for the civilian market they reduce the accuracy down to about 800 metres, and if you can see, just by the vertical bar where the avenue is there's a little number one, and that's where I thought I was. Where I actually was is just above the tube station at Turnham Green, where there's a little cross. That distance is about 100 metres, so it's much more accurate than it claims to be, and that's certainly close enough that you could then drive to that location and find me with Bluetooth.

Okay, so other potential losses are service theft, using the phone as a gateway to dial into the internet, or, as I said with the perimeters, if you have a properly set up network that authenticates incoming calls with CLI, then I can bypass at least that first stage of authentication because I'm coming in from a recognised number, which I found in your phone book. Of course, just again another kind of gateway: free internet, and potentially it could be used as an end point for cracking or spamming.

Okay, so we found these problems and we posted to
the industry. The first way we did that was we posted to the Bluetooth SIG on the technical website. They actually have a security expert group and they have a forum where you can just go and post messages describing the outline, and I expected various phone manufacturers to get in touch and find out what the problem was. A couple of weeks later nothing had happened, and I looked back at the forum and basically anyone else who had posted had also had no response whatsoever. There were no replies in the forums to any of the messages or issues that people had raised.

So we posted to Bugtraq. Within 24 hours Nokia got in touch and their chief of security basically discussed the issue with us. We shared the code with them, they reproduced the problem in their labs, they verified that it was a real problem, and management decided that they weren't going to do anything about it because it only affected a few models of phone. We'll come on to that later. TDK published a very long explanation of why we were wrong and this couldn't possibly happen. Sony Ericsson released a press release saying they had fixed the problems. When we tried to get in touch with them they actually refused to talk to us. We emailed them, we phoned them, we wrote to them. The only response we ever got was a letter saying we have our own security department, thanks very much and good night. Six months on, they were still taking that stance. In response to any press that came along they were publishing that they had fixed the problems, but they had never spoken to us, so I'm not sure how they could be sure they'd fixed the problems. When I finally got through to someone, I suggested that they actually send me a phone so that I could test it, because we were working on old phones with older firmware. At six months on they said if I want to test it I should go to the shop and buy one, like I need a broken phone. So they then got the idea that maybe there was a further problem, and they finally allowed me to tell them what the
problem was, and sure enough they hadn't fixed it. They had fixed Martin's problem but not mine, so phones were still vulnerable when they believed they had actually corrected the issue.

Siemens and Motorola, on the other hand, came to us unsolicited. We hadn't looked at their devices or reported any problems with their devices. They came along and said here are some new Bluetooth phones we're about to launch, can you have a look at them, tell us if there are any issues. Siemens came up clean. The Motorola V600 actually established something we believed may be true, which was that an escalation of privilege attack, using one profile to attack another, was possible, and so we combined our attacks and actually managed to get into the Motorola.

So the industry then responded with a bunch of defences as to why this really wasn't an issue, and they cited these things: distance; limited number of models; it's an implementation issue, it's not an issue with Bluetooth per se; you need specialist equipment; you're going to look really suspicious doing it; devices aren't vulnerable anyway; you can change the name and then we won't be able to attack you because we won't know you're vulnerable; you can steal or find a phone; and it's far-fetched and no risk.

So distance. The actual published distance of Bluetooth is 10 metres, so we have to be close. Well, 10 metres is 30 feet; that's from here to these guys here, to you probably, yes. And it's a sphere: it goes all around me, behind me, beside me, above me, below me. So if I'm sitting on a bus I've got everyone on the bus; I'm in an office building, I've got people on the floor above and the floor below. In practice, actually, just with a normal dongle you get a range of about 40 metres. Well, I found with a class 1 device I get a range of about 90 metres. Now this gentleman sitting here from Flexilis, they have a really cool toy with them, which is a Bluetooth sniper rifle. Do you have it with you? They're getting a range of half a mile pointing at a normal
phone, and they've done copies of data from a phone half a mile away by pointing this device at it. So get a look at that if you can; it's really cool.

Okay, so a limited number of models. Well, yeah, I put my hands up here, they were right: there are only a limited number of models affected. Unfortunately they are by far the most popular models on the market. If you go out in London, 70% of all the phones you see will be one of these models. The Nokia 6310 and 8910 series are the standard businessman's phone, so corporate contracts will have thousands of these things. The Sony Ericsson T610 is the sort of trendy lifestyle phone. Those two models are pretty much the main models on the market.

As far as implementation issues go, you don't care whether Bluetooth is the problem or it's the actual implementation on that model of phone. In fact @stake have probably found some fundamental flaws which would lay a lot more devices open to attack anyway, and there's more detail on their website.

That we need specialist equipment, advanced knowledge of Bluetooth technology: well, again, that's not the case. We used black box research. We didn't know anything about Bluetooth and we just poked around with the protocols that were available, information we could find on the internet, a standard laptop, generic dongles, which you can see on the table, software stacks downloaded from the internet and slightly modified. And even if this is all too bulky, in theory there is software available on PDAs and mobile phones in development, but in practice you just have a laptop in a bag; that's fine.

Which brings us on to suspicious behaviour. I can do it from my laptop in a bag hung over my shoulder, reading a newspaper. In fact, I entered the Houses of Parliament, went through the security, handed in all my crap, they sent it through the X-ray machine, they let me in. I spent 15 minutes walking around with my bag over my shoulder looking at the nice paintings, statues, seeing some MPs milling around, and I left. The attack was running
all the time I was in there; not actually attacking, of course, just gathering statistics.

Devices are not always in vulnerable mode; well, they have to be discoverable. That's not necessarily true. Some devices are actually vulnerable to attack even if they're not discoverable, if you know their MAC address or BD address