Black-handed Bluetooth mobile phone security attack and defense for mobile phones

Source: Computer newspaper

Nowadays, there are more and more problems with mobile phones with Bluetooth features: clearly, I don't like to send text messages, but I find that my text message fee suddenly increases, and my photos taken with my friends are posted on the Internet by people I don't know, and my mobile phone is inexplicably dialing out ...... What are the causes of these problems? Next we will tell you a story about Bluetooth Security. Through this story, you will know the cause of these problems.

Zhou Li is a technical expert engaged in wireless security research. To study the security of Bluetooth devices, Zhou Li decided to perform some attack tests at the entrance of a large supermarket, to verify the security and common social impact of Bluetooth mobile phones. Another main character of the story is a user of the T610 mobile phone. Now let's call him Joey. We hope that Joey or users with the same problems as Joey can see this story and learn the skills introduced in the story to protect their Bluetooth phones. Let's give the first suggestion before you start telling the story.

Bluetooth Security Suggestion 1: disabled if not used

To protect the security of Bluetooth, the first principle is to disable it when you do not need to use Bluetooth. For mobile phones, you can disable Bluetooth on the Bluetooth settings page, the Bluetooth adapter on the computer can be set to unconnected through the tool software or the Bluetooth Software of the operating system itself.

Nearby bluetooth devices found

Zhou Li sat down in a corner and opened his laptop with a USB Bluetooth stick, in this case, SuSE Linux 9.3 with built-in Bluetooth support is run (most of the current Bluetooth security tools, including the tools mentioned in the story, are running on Linux ). There are many ways to find the surrounding bluetooth device. Zhou Li first used the simplest method to use the hcitool tool set provided by Linux for testing. Type hcitool scan on the command line to perform a quick scan on the surrounding environment. Zhou Li's luck was good, and it didn't take long to find a bluetooth device named T610-Phone.

Invisible bluetooth device found

You can set three modes for a bluetooth device: visible, invisible, and limited. These modes determine under which circumstances the bluetooth device can be discovered by other Bluetooth devices.

Since hcitool can only find Bluetooth devices in the visible state, Zhou Li decided to use the btool scan program to detect whether there is a bluetooth device in the invisible state. In the command line, enter the directory where btsag is located and execute the btsag command. Btute provides a brute force scan mode called brute force, in which you can find Bluetooth devices that are invisible. In this round of detection, Zhou Li had a new harvest, named MESSI.

AH and a bluetooth device named Redwolf were found.
Bluetooth Security suggestion 2: security risks in visible mode

In fact, setting the device to invisible does not affect the authentication of trusted devices, and can reduce unnecessary security threats. Although it is still possible to detect a device that is not visible, the attacker must perform a much higher scan, and it is difficult to attack a bluetooth device that is relatively invisible. Take the case in the story as an example. If the device named T610 is not set to visible, it cannot be found in such a short period of time, especially when the average flow of people changes every 5 minutes.

Smart identification of Bluetooth Models

Detected Device Name Recognition

After discovering the target, you can first determine the device model from the device name. According to information obtained from the target discovery phase, the bluetooth device named T610-Phone is likely to be the T610 mobile phone produced by Sony Ericsson, a product with a high market share. However, a device named MESSIAH and Redwolf cannot identify the device from its name.

Identify manufacturer by address

In addition to the device name, Zhou Li also obtains the device address information, which is unique to the bluetooth device and similar to the MAC address of the network card. The manufacturer of the device can be determined based on the first three bytes of the address to further determine the device model. For example, Nokia uses an address prefix of 00: 02: EE, 00: 60: 57, 00: E0: 03, while Sony Ericsson uses an address prefix of 00: 0A: D9, Siemens is 00: 01: E3. The address ranges allocated by each vendor can be queried from the ieee oui database at http://standards.ieee.org/regauth/oui/index.shtml. According to the address specification, devices named T610 are indeed manufactured by Sony Ericsson, while Redwolf is a Nokia device, and MESSIAH uses an uncommon address prefix.

Verify bluetooth device fingerprint

Although some information has been obtained, it is not enough to confirm the actual model of the device. Therefore, Zhou Li used the method on the PC platform to identify the fingerprint of these detected Bluetooth devices. This recognition is performed because the services provided by each bluetooth device and the methods for querying the response service are different. Therefore, you can confirm the device model by matching the information returned by the target device, this method is similar to that of NMAP programs to identify computer operating systems.

On the page to which the btdsd project belongs. Zhou Li entered the directory where the BluePrint program is located and executed the following command: sdp browse -- tree 00: 13: EF: F0: D5: 06 |. /bp. pl 00: 13: EF: F0: D5: 06. Here, sdp is the SDP (Service Discovery Protocol) tool in Linux, which can be used to query the service status of Bluetooth devices. After fingerprint recognition is performed on all the detected targets, Zhou Li came to the conclusion that the fingerprint returned by the target device T610 is 00: 0A: D9 @ 4063698, this indicates that the device is indeed a Sony Ericsson T610 mobile phone, and the fingerprint of the target device Redwolf is 00: 11: 9F @ 3408116, indicating that this is a Nokia 7610 mobile phone.

Bluetooth Security Suggestion 3: Use Security Settings

Three Security modes are defined in the Bluetooth specification. There is no security mode protected, service-level security protected by verification codes, and device-level security that can be encrypted by applications, apply a higher security mode as much as possible when applicable. In fact, on average, about one hundred to 10% of every 20% Bluetooth mobile phones are configured with a 1111 or 1234 password, which is easy to guess, bluetooth phones with strong passwords can prevent unauthorized access and some brute-force cracking attacks to a large extent.

Bluetooth mobile phone attack

After confirming the model of the target device, Zhou Li decided to attack the T610-Phone. Because Sony Ericsson's T610 has a security defect, this model may be attacked by BlueSnarf, the most common attack method against Bluetooth devices. This attack is based on the principle that, by connecting to the bluetooth device's OPP (Object Exchange transmission specification), various types of information can be exchanged between devices, such as phone book, etc, due to vendor reasons, some models of Bluetooth devices are vulnerable, so that attackers can connect to these devices without authentication to download information from these devices.

Zhou Li uses the obexftp tool in Linux to connect to T610 to download the information. obexftp is a tool program used to access mobile device memory. Run the following command on the Linux console:

# Obexftp-B 00: 0A: D9: 15: 0B: 1C-B 10-g telecom/pb. vcf

This command allows Zhou Li to get the phone book file from the target T610 mobile phone. Among them, option-B means to connect with the bluetooth device, and the option is followed by the address of the target T610. -Option B specifies the channel used. In addition, the parameter after the-g option is the obtained file path and name. replace this parameter with telecom/cal. vcs to get the schedule information on T610. In fact, this attack can also obtain images and other data files, as long as you know the location and name of the file storage.

Like BlueSnarf, problematic mobile phones may be manipulated by attackers through AT commands. In addition to downloading information on mobile phones, attackers can also, it can also manipulate mobile phones for dialing, text message sending, Internet access, and other activities. Such attacks are called BlueBug attacks.

Attackers can also use some social engineering techniques to leave backdoors in certain types of mobile phones, provided that the attacker establishes a legitimate connection with the target. Attackers can then tell the target mobile phone that the connection has been closed but can still access the target mobile phone through this link without the knowledge of the target mobile phone user. This attack is usually classified as a BACKDOOR attack.

There are also some low-security-risk harassment attacks, such as the Bluejacking attack that sends messages anonymously between bluetooth devices. Now we have formed some community dedicated research and summary techniques for Bluejacking attacks. It is worth mentioning that the Nokia 7610 may be vulnerable to DoS attacks, because files with special characters such as colons may fail to be sent to some 7610 mobile phones through the OBEX Object Exchange Protocol, the Bluetooth function can be restored after the phone is restarted.

On the left side is a vulnerability lookup table for Bluetooth mobile phones sold in China. You can use this table to check whether your Bluetooth mobile phone has security vulnerabilities.

Bluetooth Security suggestion 4: keep track of Security Updates

Security Vulnerabilities are one of the major causes of Bluetooth mobile phone security problems. Fortunately, most mobile phones with security vulnerabilities can be solved through updates provided by manufacturers. Therefore, Bluetooth mobile phone users should know whether their devices have security vulnerabilities and obtain updates from the manufacturer in a timely manner. In addition, you can learn more about Bluetooth Security and apply some free Bluetooth security tools to effectively reduce the possibility of attacks.

Found the target named T610-Phone

Target MESSIAH in invisible Mode

Redwolf fingerprint matches Nokia 7610

Execute BlueSnarf attack on T610-Phone

Note: The option marked with "*" means that the mobile phone will be attacked even if its Bluetooth settings are invisible.