Security advisor Kaspersky Lab reported last week that Russia had earned the dubious distinction of becoming the ninth country with a confirmed infection of a virus targeted at Bluetooth devices. The Cabir.a virus had already stricken handhelds in the Philippines, Singapore, the United Arab Emirates, China, India, Finland, Turkey, and Vietnam.
These attacks represent the next wave of security problems for consumers and businesses, security experts say. “Whenever a new technology gains acceptance, the risks associated with it become clear to users,” noted Peter Lindstrom, Research Director at Spire Security LLC, a market research firm focusing on security issues.
Bluetooth use is becoming more common because the networking technology makes it easy for mobile devices to exchange information. In addition to being the foundation for handset and Personal Digital Assistant (PDA) communications, the technology is popular in wireless headsets as well.
This networking option includes a discovery mechanism where Bluetooth products poll the local area to determine if another such device is nearby. Hackers are taking advantage of this feature for “Bluejacking,” or secretly connecting to another user’s device and sending bogus messages or rendering the product inoperable.
Bluejacking is fairly simple; in fact, users regularly send non-malicious images and text messages to one another. Bluesnarfing, which is more difficult, relies on the same technique but focuses on accessing information stored on the device.
Once hackers have data, such as user contact lists or e-mail address books, they can steal confidential information, delete important data, make long distance calls from the device, or use the information to launch denial of service attacks against other systems.
New Game for Hackers
Hackers are becoming increasingly interested in attacking Bluetooth devices. Incidents involving the devices first occurred in the summer of 2004 and became more common by year’s end. Bob Egan, president of consulting firm Mobile Competency Inc., said that no Bluetooth-specific malicious code was known at the beginning of 2004 but eight such viruses had been developed by the end of the year. More than a dozen types of cell phones, PDAs and wireless headsets are said to be vulnerable to the attacks.
The discovery mode function means that Bluetooth attacks usually occur in crowded public spaces where many people are using mobile phones simultaneously. Hotels, conference centers and airports are a few locations where the likelihood is high that unsuspecting users may find their Bluetooth devices compromised.
“A friend of mine turns on the discovery mode in his Bluetooth system whenever he is in an airport,” Mobile Competency’s Egan told TechNewsWorld.
“Regularly, he comes across at least a couple of individuals whose systems could easily be hacked.” Egan added that such attacks are not necessarily limited to short distances: Bluetooth transmits information at distances up to about 30 feet, but the use of special antennas can increase that transmission range to 1 kilometer.
The attackers can also do more than simply disrupt one user’s system. They can load virus software onto handhelds, wait for the devices to be synced up with laptop or desktop computers, and then attack corporate networks from behind their firewalls.
Analysts are split on how significant a challenge the new attacks represent. “Hackers seem more focused on traditional systems, such as PCs and servers, than on Bluetooth devices,” said Neil Strother, a senior industry analyst at In-Stat/MDR, a division of Reed Elsevier PLC.
Mobile Competency’s Egan noted that mobile devices, such as phones and PDAs, are more common than PCs and laptops, and as mobile workers store more data on these devices, their appeal to hackers increases.
There are steps users and IT departments can take to minimize the impact of Bluetooth attacks. The first is for users to make their devices “undiscoverable,” which requires only a simple change in the device settings. If they need to keep their devices discoverable, then they should not download or install files from unknown or suspicious sources.
IT departments should complete an inventory of Bluetooth devices. Because the devices are inexpensive (usually $100 or less), executives often purchase and begin using them without corporate approval.
“In some cases, IT departments think there are maybe a few hundred Bluetooth devices in their organization, and then they find out that there are a thousand, or more,” Mobile Competency’s Egan told TechNewsWorld. Vendors like F-Secure Inc. and Trust Digital Inc. sell software that alerts corporations when users rely on Bluetooth devices to access corporate data.
User education is also needed. Many individuals purchase a headset, a cell phone or a PDA and do not realize that it is a Bluetooth device, since that feature is often bundled in the system.
Vendors are taking steps to assuage customer concerns. “Companies like Symbian that make mobile device operating systems and handset vendors, such as Nokia, are aware of the Bluetooth security vulnerabilities,” In-Stat/MDR’s Strother said. “By the end of the year, they expect to deliver products with tighter security features.”
Until then, users are urged to be especially careful so as to contain further Bluejacking or Bluesnarfing threats.