Bluetooth security vulnerabilities ignored
Former White House cybersecurity adviser Howard Schmidt has warned of the dangers of flaws in Bluetooth protocols, claiming these vulnerabilities are unrecognised.
Schmidt, who is a board member for protocol-testing company Codenomicon, told ZDNet.com.au's sister site, ZDNet.co.uk at the Infosecurity Europe 2008 conference on Tuesday that protocols used in Bluetooth communications are vulnerable to attack and that device manufacturers and security professionals do not give enough credence to the problem.
"Bluetooth has been compromised," said Schmidt. "Fifteen of the [27] different protocols have vulnerabilities. Anything with multiple ports out there is looming for someone to use it."
Schmidt said that individual protocols, as well as the way protocols interact with each other, introduce security holes.
"It's like the 'whack a mole' game," said Schmidt. "The [flaws] pop up, you hit them with a hammer, and they pop up somewhere else. It's a constantly moving target."
While these flaws are only accessible by technically proficient hackers, Schmidt said the vulnerabilities are widespread and difficult to address, as standards cannot be updated in the same way as other software. Many protocols are apparently affected, included 802.11n and ASN.1, a protocol used by the military and emergency services.
Flaws in communications protocols such as ASN.1 can be exploited to send malformed packets to crash systems and, depending on the implementation, can be subject to buffer overflow attacks which can lead to arbitrary code being executed, Schmidt warned.
Adam Laurie, an RFID and communications protocol security researcher and consultant, agreed that communications protocols implementations in the main do not have adequate security, because the protocols are being used outside of the specifications for which they were originally intended.
"A lot of what I look at is about unexpected interactions between different protocols," Laurie said. "There are a lot of Bluetooth hacks. Bluetooth is a good example. It started out as serial cable profile, then infrared, then became Bluetooth without anyone taking into account the change in the overall attack surface. Anyone within 100 metres can now connect to a Bluetooth device and device manufacturers haven't taken a step back and changed the protocols."
Laurie is notable for cracking RFID communications in UK passport chips, and also for managing to access a hotel Web server and back-end system through the infrared TV remote in his hotel room. At the conference Laurie also took the opportunity to call for the Oyster smartcards used in London's transport system to be replaced, in light of recent hacks to similar cards in the Netherlands that are based on the same Mifare technology from NXP.
"My understanding is there are now three [Mifare] cracks at least," Laurie said in his keynote speech on RFID flaws. Speaking to ZDNet.co.uk after his speech, Laurie said he thought Transport for London (TfL), the body that runs the Oyster card scheme, "ought to think about upgrading as soon as possible".
Laurie said the Dutch government had been right to announce it was replacing the Mifare-based cards. "I applaud the Dutch government for jumping straight on it," he said. "It would be better if TfL just got on with it. It's a bit of an arms race — once you know it can be done, that's enough of an impetus to say: 'We will get on and do it.'" He added that he thought it unlikely that this would happen until someone specifically demonstrated an Oyster card being cracked.
A spokesperson for TfL told ZDNet.co.uk on Wednesday that the Oyster system incorporates additional security systems in addition to what is already built into Mifare. "We wouldn't go into what security systems we've got, but we do have extra layers within the whole Oyster system," the spokesperson claimed. "We run daily tests for any cloned cards or rogue devices and none have been discovered. We are aware of the situation in Holland but, at this stage, there's no reason to migrate to a different system due to any security concerns."