Wireless Security: Unencumbered and Insecure

If the wireless revolution has taught us anything, perhaps the single most important lesson is that people who design radio systems are notoriously bad at designing systems that are secure.

Remember analog cell phones back in the 1980s and '90s? Those phones transmitted their mobile serial numbers (MSNs) without the use of encryption or even a simple challenge-response system, making it easy for bad guys to clone phones and run up literally billions of dollars in fraudulent cell phone charges.

We've faced different but equally troubling security problems with cordless telephones, Wi-Fi wireless networking and radio frequency identification (RFID) systems, of course. But we've also seen security problems with relatively simple wireless systems like garage door openers and car alarms. In fact, I can't think of a single wireless communications system that hasn't had a significant security problem. Even worse, the problems have almost always been predicted in advance, pooh-poohed by vendors and then acknowledged to be problems after the equipment is widely deployed.

The very nature of wireless communications systems encourages sloppy security thinking on the part of wireless designers. After all, when a new wireless system is under development and not being sold to the general public, the bad guysby definitiondon't have the wireless system either. As a result, designers are lulled into thinking that many possible attacks would be hard, if not impossible, for a typical bad guy to perpetrate. After all, it's hard to build a new wireless system.

But once a system is built and deployed, the bad guys can examine it. They can also purchase one radio and use it to attack a second. Of course, the more radios that are deployed, the more valuable the attack. Perversely, the more radios that are deployed, the bigger the incentive for the manufacturer to cover up or minimize the impact of the vulnerabilityafter all, vulnerabilities are potential liabilities.

All of this, of course, brings us to the subject of Bluetooth, the two-way wireless communications system designed to create "personal area networks" between your cell phone, your cell phone's wireless headset, your laptop, PDA and whatever other devices you're packing.

Bluetooth uses the same part of the radio spectrum as Wi-Fi wireless LANs. But whereas Wi-Fi uses a technique known as "direct sequence" to encode information, Bluetooth uses a different spread spectrum technique known as "frequency hopping." The Bluetooth transmitter hops 1,600 times every second to a different frequency inside unlicensed 2.4GHz radio band. Bluetooth and Wi-Fi are not compatible: If a Wi-Fi system is transmitting a packet when Bluetooth steps through, that packet is lost. For this reason, some businesses have banned the use of Bluetooth on their property for fear of interference with their wireless networks. In practice, though, it's very hard to ban something that's running in a cell phone unless you physically search everybody entering your property and confiscate the phones of visitors. I've worked at places where such precautions are taken, but for most businesses this is probably a losing battle.

Unlike Wi-Fi, Bluetooth was designed for extremely short-range communications. Class 1 Bluetooth devices have a maximum power output of 100mW and a theoretical range of 300 feet in free space. Class 2 devices have a maximum power of 2.5mW and a corresponding range of 30 feet. Class 3 devices have a power of 1mW and a range of 3 feet or less. Naturally, Bluetooth headsets tend to be Class 3 devices: Using less power, they can have correspondingly longer battery life.

Although it was slow to catch on at first, Bluetooth is becoming increasingly popular. It's built into many PalmOne Tungsten PDAs, available on all Macintosh laptops, many ThinkPads and an increasing number of cell phonesespecially GSM cell phones sold in Europe. With Bluetooth, you can wirelessly sync your cell phone with your laptop, or use the cell phone's built-in modem to put your laptop on the Internet. Wireless means no cables to buy, tangle or lose. It's also faster to sync over Bluetooth than over a serial or USB cable. Bluetooth is just cool.

But Bluetooth has many security problemswith more still being discovered.

To be fair, Bluetooth's designers did build a rudimentary security model into the system. For starters, every Bluetooth device has a unique serial number called a BD_ADDR. This serial number is set by the factory when the device is manufactured. Every Bluetooth device also has a database of which other devices it trusts. When it first turns on, every Bluetooth device is supposed to trust nothing. But if you choose, you can explicitly "pair" two devices so that they will trust each other. Once two devices are paired, they can exchange encryption keys and use those keys to scramble all information exchanged between the two of them.

The first problem with this security model is the BD_ADDR itself: Just like an Ethernet media access control (MAC) address, it can be changed. As a result, if an attacker is able to observe the radio communications between two devices, the attacker can clone one of those devices' BD_ADDRs and fool the other.

The second problem is the encryption itself. An attacker who clones a BD_ADDR can't steal a prenegotiated encryption key, but in practice, few Bluetooth devices actually turn encryption on. There's also some concern regarding the Bluetooth encryption algorithm: Rather than using an industry-standard algorithm like RC4 or AES, the Bluetooth designers invented their own. Although the algorithm hasn't been cracked, I suspect that it's only a matter of time.

The third problem with the security model is that there are many functions that are explicitly allowed between untrusted devices. One of the most common of these is the Bluetooth function of sending and receiving business cards. This is an allowed untrusted operation because, in theory, you can always delete somebody's business card. But an attacker can use this feature to fill up your phone's address book with a thousand different cards. Alternatively, somebody interested in promoting a new nightclub, for instance, might just walk around town with a program that searches out Bluetooth phones and transmits an advertisement to each one in the form of a business card. There's even a program called BlueSpam (download it from www.mulliner.org) that does precisely this: It runs on a PalmOne Tungsten.

Bluetooth promoters were quick to defend these vulnerabilities, arguing that the limited range of the Bluetooth signal makes the system more secure than it might otherwise be. If somebody is close enough to you that you can send him a piece of spam, you're close enough to reach out and wring his neck, the theory goes. Lots of hip singles in Europe keep their Bluetooth phones enabled all the time: Using business cards to flirt.

There are two problems with this spatial locality argument. First, it is possible to attack somebody's Bluetooth phone using an automated hacking tool running on a PDA that's hidden in your pocket. Since humans can't see radio waves, it's impossible to tell who the attack is actually coming from. The second problem is that the range of Bluetooth devices I quoted above assumes that the devices are equipped with a pretty cheap antenna and no amplifier. Using a 500mW amplifier and a 19 decibel antenna mounted on the stock of a sniper's rifle, John Hering, a student in Los Angeles, created the "BlueSniper" Bluetooth rifle. This weapon can lock on to an ordinary Bluetooth device at the distance of a mile.

The biggest security problem with Bluetooth today, however, has nothing to do with the underlying security model. The big problem is that many Bluetooth devices have the same sort of bugs and security vulnerabilities as those that have been haunting Microsoft since it started shipping Internet Explorer in the mid-1990s: Poor programming practices, poor quality assurance and a lack of attention to security have resulted in exploitable buffer overflows and other kinds of attacks.

One set of vulnerabilities that has been discovered allows an attacker to reach into a phone's address book and retrieve or modify information. Another vulnerability leaves the database of trusted devices open to attack. To be fair, some cell phone vendors have issued "patches" to fix these vulnerabilities. In practice, of course, many phones won't get patched or otherwise upgraded. You can find an excellent list of which phones are vulnerable to which vulnerabilities at www.thebunker.net/security/bluetooth.htm.

The potential dangers of these vulnerabilities are vast. A Bluetooth virus could be passed from phone-to-phone by people passing each other in the street. After a week, the virus could turn ugly and have everybody's phone dial 911. In Europe, a phone could issue a so-called reverse short message service transaction and actually transfer money from the phone subscriber's bank account to the attacker's.

There are also privacy issues with Bluetooth surrounding the BD_ADDR itself. Because the number usually doesn't change, an attacker with a lot of Bluetooth sensors around the city could use a BD_ADDR to track people's movements. These problems are very similar to the privacy issues raised by RFID.

I like Bluetooth a lot. I like being able to sync my PDA to my laptop without having to take out a cable. I like being able to use my cell phone as a laptop gateway. I applaud the goal of universal interconnectivity. But Bluetooth vendors have got to take security issues more seriously, or else we're going to see a new generation of attacks on the cellular telephone system that will make the worms we've lived with on the Internet look like child's play.

Copyright © 2005 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022