Security: Plug Those Bluetooth Inspired Vulnerabilities
By Laura Taylor

Designed to link up devices that are in close proximity to their hosting system, Bluetooth today is used in many leading cell phones and smartphones, including those built on the Windows Mobile, Palm, Symbian and RIM BlackBerry platforms. However, most Bluetooth users don’t even realize they are using the technology when connecting a wireless headset to their mobile handset, transferring files and music, or playing video games with opponents sans wires. Despite (and because of) its usefulness, the technology has the potential to be a huge security risk.
Origins

Bluetooth uses radio frequencies in the range of 2.45 GHz. There are three different classes of Bluetooth devices depending on their power capabilities.

The most recent copy of the Bluetooth specification was published in March of 2005. In order to qualify as Bluetooth, products must comply with SIG’s Bluetooth Program Reference Document. Vendors must apply for this qualification.

Vulnerabilities
Bluejacking

Essentially, Bluejacking is Bluetooth spam. With a Bluetooth device, other Bluetooth enabled devices that are in the range of your device show up on your screen. Once your Bluetooth device is visible to other Bluetooth devices, they can send messages to you whether you want them to or not.

Bluetooth was designed so that you could trade contact information with another Bluetooth user. Bluejackers send the unsolicited message from their contacts list, but instead of putting in a contact name, they type in the message.
Bluesnarfing

Chances are the exploited device has a backup of the contact list on a PC somewhere, but it might not. Because of Bluesnarfing, you might not have the right phone numbers in a time sensitive situation. Private identity information is not the only item at risk from your contacts list, as many people store other kinds of information as well. If credit card numbers are stored in your contacts database, for example, they can be pilfered by other Bluetooth users without you knowing it. Any information in your contacts list is vulnerable.

More Holes
Imagine the crimes against children that could be committed if a pedophile starts Bluejacking a teenager’s cell phone with inappropriate messages, and then destroys the pre-programmed phone numbers, preventing the child from calling his parents for help. While most kids know their home phone number, it’s often the case that they don’t know their parents’ work phone numbers from memory.

Bluetooth devices are also vulnerable to viruses and worms. The Cabir mobile worm infects Bluetooth devices by passing a file from one Bluetooth device to another through the Bluetooth connection. Though your phone has to be in visible (or discoverable) mode to be affected by this virus, many users leave their Bluetooth device in visible mode unknowingly. When this worm infects your phone, it drains the battery by incessantly trying to infect other Bluetooth devices through the Bluetooth port.

Plug Bluetooth Holes

If you configure your Bluetooth device to remain in invisible mode (with discoverable mode turned off) and leave it in this mode until you actually need to use Bluetooth for something, you will reduce your risks considerably. However, even when your Bluetooth device is operating in invisible mode, certain brute force attacks that make use of the device’s MAC address are still possible. Therefore, if you are not using your Bluetooth device, you should keep it turned off.

Bluetooth operates in three different security modes:
Even with this exploit window, you are still better off using Bluetooth in Mode 3 than either of the other two modes.

Bluetooth devices allow you to establish a PIN for key exchanges. You should always select a PIN that does not spell a word and that consists of both letters and numbers. In the event that a Bluetooth sniffer obtains your key length, such a PIN makes it more cumbersome for the intruder to perform a brute force dictionary attack. Sometimes increasing the time it takes to exploit a vulnerability creates enough trouble for a hacker that it dissuades an attack altogether.

Some Bluetooth devices are more vulnerable than others. Before purchasing a Bluetooth enabled phone, do some research and find out what Bluetooth vulnerabilities have been reported for the particular model you are considering.
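
The PIN advice above (letters and numbers, no dictionary words) can be turned into a simple check. The following is an added example, not code from the original article: the wordlist is a constructed sample, the 16-octet limit for legacy pairing PINs is a fact not stated on this page, and the function names are hypothetical.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a full dictionary.
SAMPLE_WORDS = {"blue", "tooth", "phone", "hello", "secret", "pass"}
MAX_PIN_OCTETS = 16  # legacy pairing PIN limit; not stated on the page


def alphabet_size(pin):
    """Size of the smallest character pool covering every character used."""
    pools = [(string.digits, 10), (string.ascii_lowercase, 26),
             (string.ascii_uppercase, 26)]
    size = sum(n for chars, n in pools if any(c in chars for c in pin))
    if any(c not in string.ascii_letters + string.digits for c in pin):
        size += 32  # assumption: the rest is printable ASCII punctuation
    return size


def search_space_bits(pin):
    """Upper bound on brute-force work, assuming characters chosen at random."""
    if not pin:
        return 0.0
    return len(pin) * math.log2(alphabet_size(pin))


def audit_pin(pin, words=SAMPLE_WORDS):
    """Return the list of ways a PIN falls short of the article's advice."""
    findings = []
    if not 1 <= len(pin.encode("utf-8")) <= MAX_PIN_OCTETS:
        findings.append("length outside 1-16 octets")
    if not any(c.isalpha() for c in pin):
        findings.append("no letters")
    if not any(c.isdigit() for c in pin):
        findings.append("no digits")
    # Ignore digits when matching: "hello123" is still a word plus a suffix.
    letters_only = "".join(c for c in pin.lower() if c.isalpha())
    if letters_only in words:
        findings.append("spells a dictionary word")
    return findings


if __name__ == "__main__":
    for candidate in ["1234", "hello", "hello123", "k7q2x9mt4b"]:
        print(candidate, round(search_space_bits(candidate), 1),
              audit_pin(candidate) or "ok")
```
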
Third Parties
Table 1: Tools to Reduce Bluetooth Threats
Additional Resources

Useful information on Bluetooth can be found at the following URLs:

Bluetooth Program Reference document
Special Publication 800-48, National Institute of Standards and Technology
Hacking Bluetooth Enabled Phones and Beyond
Bluetooth and Linux