In a recent security experiment, a computer with a Bluetooth sniffing program [5] was hidden in a suitcase that was wheeled around public places. The objective was to ascertain the number of Bluetooth-enabled mobile devices that could be infected with viruses wirelessly. In less than 23 hours, more than 1,400 vulnerable devices were detected, most of which were mobile phones.
Although most mobile phones can only communicate by Bluetooth within a range of 10 meters, the attacking distance can be extended greatly with an inexpensive antenna. In another high-profile experiment [7], researchers were able to attack targets in a taxi stand from the 11th floor of a hotel in Las Vegas, and they successfully retrieved 300 address books from Bluetooth-enabled devices.
These numbers of vulnerable phones reflect the low level of public awareness about the potential security threats of smart phones and Bluetooth. Phone users also underestimate the possible damage if their mobile phones are compromised. These kinds of security breaches also have serious consequences for corporations and telephone companies. However, most security teams in corporations believe that mobile phones are for individual use only, and that it is not their duty to protect these applications. Hence, mobile phones will be the next easy targets for professional hackers.
Manufacturers incorporate PDA features into mobile phones to make them "smart". As smart phones can perform the tasks of a computer, they are vulnerable to the same kind of hacking attacks. However, most smart phone owners tend to believe that:
All of the hacking problems that are related to computers are valid for smart phones. Furthermore, there are unique problems, as phones have more functions. Examples of these problems include the following.
These attacks seem to be harmless, so most users do not recognize their serious consequences. Some possible consequences will now be discussed.
Leaking calendars and address books.
Hackers could sell pieces of information from these sources to a user's competitors as the competitors could find the names of the user's clients (or potential clients). Hackers could also alter the details of a user's calendar. As a result, the user could miss important appointments with his/her clients, while competitors approach the clients with another proposal. Hackers could also add entries to a user's phonebook and pretend to be his/her clients/bank representatives.
Hackers could instruct the user's phone to make a phone call without the user's consent. They could then eavesdrop on (or even record) the user's conversation and the phone would then have become a horrible bugging device. Prudent hackers can even use pre-paid phone cards, so that it is impossible to trace their identities afterwards.
Sending SMS messages.
Terrorists could send false bomb threats to airlines using the phones of legitimate users. This would consume government resources as the government would investigate false leads while the terrorists carried out real attacks. There would be no way to trace the terrorists, and the phone owners could be in serious trouble.
Causing financial losses.
Hackers could send a large number of MMS messages with a user's phone. MMS services are still quite expensive for large files. Downloading large files would have the same effect. Many service providers will add charges to the phone bills of users if their phones dial a specific number or send an SMS message to the providers.
As mobile phone users almost always carry their phones with them, these devices are convenient places to store account numbers and passwords. Examples include corporate accounts, Internet banking accounts, ATM PINs, and the codes to deactivate the alarm systems of the companies or homes of users. The disclosure of these pieces of information would not only endanger the phone users themselves, but also jeopardize the computer systems of their employers.
There are black markets in which hackers can buy and sell personal information.
Attacks on telephone networks.
If a virus infected a large number of phones, it could instruct all of them to make phone calls (or send SMS or MMS messages) simultaneously at a certain time. This tactic could paralyze a city's telephone networks and create chaos.
Leaking corporate data.
Employees can download files from the company's computer onto their phones so that they can continue to work at home. It would be a disaster if the phones were hacked.
For example, one important Bluetooth security feature is the user's ability to switch between the "discoverable" and "hidden" modes. Every Bluetooth device should have a unique address. To connect to a Bluetooth device, this address would have to be known. Switching the device to the "hidden" mode would provide much better protection.
However, the default setting of some mobile phones is the "discoverable" mode. Because most users do not understand Bluetooth technology, they do not switch their phones to the "hidden" mode. Furthermore, it is difficult in some phones to find the right menu to change the "discoverable" mode to the "hidden" mode because of poor human-computer interface (HCI) design.
Another weakness is the pairing process that two Bluetooth devices need to go through before data exchange. Both devices need an identical secret PIN. A key is then generated and stored in both devices for later communications. However, the first step [6] of this pairing process is done in plain text and is not encrypted. Hackers could intercept the communication messages, which would help speed up the hacking process.
Shaked and Wool [6] have designed three methods to force devices to repeat the pairing process. Intercepting the messages during the process, they were able to determine a four-digit PIN within 0.07 second on a Pentium computer.
Improper implementation also includes the use of very short PINs instead of longer and more secure PINs. Poor HCI design also deters users from changing the default PINs in certain devices.
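The following added example (not part of the original article) audits a device inventory for default and short PINs, scaling the 0.07-second figure quoted above to other PIN shapes. The inventory, the list of default PINs, the one-year threshold and the assumption that search time grows linearly with the number of candidates are all constructed for illustration; faster hardware only shortens these estimates.

```python
# Benchmark quoted in the article: a four-digit PIN (10**4 candidates) in 0.07 s.
RATE = 10 ** 4 / 0.07           # candidates per second, assumed constant
MAX_PIN_LEN = 16                # legacy Bluetooth pairing accepts PINs of 1 to 16 bytes
DEFAULT_PINS = {"0000", "1111", "1234"}   # assumption: typical factory defaults
ONE_YEAR = 365 * 86400          # hypothetical policy threshold, in seconds


def keyspace(pin: str) -> int:
    """Candidates an offline search must cover for a PIN of this shape."""
    alphabet = 10 if pin.isdigit() else 95   # digits only vs printable ASCII (assumed)
    return alphabet ** len(pin)


def worst_case_seconds(pin: str) -> float:
    """Time to exhaust the keyspace at the benchmark rate."""
    return keyspace(pin) / RATE


def min_digits_for(target_seconds: float):
    """Shortest all-digit PIN that resists search for target_seconds, or None."""
    for n in range(1, MAX_PIN_LEN + 1):
        if 10 ** n / RATE >= target_seconds:
            return n
    return None


def audit(inventory: dict) -> dict:
    """Map each device to the list of PIN policy issues found."""
    findings = {}
    for device, pin in inventory.items():
        issues = []
        if pin in DEFAULT_PINS:
            issues.append("default PIN")
        if len(pin) > MAX_PIN_LEN:
            issues.append("longer than 16 bytes")
        if worst_case_seconds(pin) < ONE_YEAR:
            issues.append("exhaustible in under a year")
        findings[device] = issues
    return findings


# Constructed sample inventory (device name -> configured pairing PIN).
SAMPLE = {"headset": "0000", "car-kit": "48213907", "laptop": "t7#Kq9!mZw2$Lx4b"}

if __name__ == "__main__":
    for device, issues in audit(SAMPLE).items():
        print(device, "->", issues or "ok")
    print("digits needed for 10 years:", min_digits_for(10 * ONE_YEAR))
```

At the benchmark rate an eight-digit PIN still falls in about 700 seconds, which is why the audit flags it even though it is not a default.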
A new specification [3], Bluetooth version 2.1, has been proposed to address the above weaknesses. However, it will be a long time before devices supporting the new Bluetooth specification reach the market. Until then, all devices are vulnerable to the existing attacks. Furthermore, hackers will always find new ways to attack. Measures that should be adopted to make devices safer include:
Corporations should take a proactive approach. Examples of the counter-measures they could take include the following.
It is the duty of phone users to protect themselves and the data of their employers. In addition to adhering to these guidelines, it would be useful for users to do the following.
Every technology has its weaknesses. The risks of using Bluetooth and smart phones are relatively low compared with those of other technologies, provided that they are used properly. Most of the existing threats come from the ignorance of users, improper security implementation by some manufacturers, and the inactive attitude of many corporations.
There is no silver bullet or panacea in the fight against hacking. However, it is interesting to note the sad but true "tiger" theory: "To survive in the jungle, one does not need to run faster than the tiger. All one needs to do is to run faster than the other people. The tiger is not interested in chasing the fastest runner." If an organization has a reasonable level of security measures, rational hackers will attack other, weaker organizations, where their hacking will be more cost effective. It always pays to be the leader in the implementation of proper security measures.
©2009 ACM 0001-0782/09/0300 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.