Year-old Bluetooth vulnerability invites mobile worm

Mobile phone manufacturers are addressing a security vulnerability that could allow an MSBlast-type worm to spread between Bluetooth devices
Written by Munir Kotadia, Contributor

For the past year, mobile phone vendors have been trying to fix several Bluetooth security vulnerabilities that could allow hackers to create an MSBlast-type worm that spreads from handset to handset without any user intervention.

Bluetooth has suffered a number of security alerts over the past year ranging from the relatively harmless to the incredibly serious. The first known Bluetooth vulnerability was the Cabir worm, which was discovered a month ago. The security problems do not seem to stem from the Bluetooth standard itself, but rather the way in which handset manufacturers have implemented the technology.

Mikko Hyppönen, director of antivirus research at Finnish firm F-Secure, said an MSBlast or Sasser-style worm spreading between Bluetooth devices becomes possible if handsets can be made to accept and execute a file without first asking the user for permission.

"If you can get Bluetooth file transfers to be accepted automatically, that would end up with an automatic Bluetooth worm. They could combine the bluesnarfing technique to automatically accept a Bluetooth file offering," said Hyppönen.

Just making a handset accept a file does not guarantee it will be executed, said Mark Rowe, an IT security consultant at Pentest, which was one of the first companies to discover the bluesnarfing vulnerability. However, Rowe said that Pentest is working with an unnamed Bluetooth product vendor to help it resolve vulnerabilities in a Bluetooth implementation that make it possible for just such a worm to thrive.

"We are aware of a number of vulnerabilities that are not public domain yet that would allow a worm to be uploaded and executed without any user intervention," said Rowe.

To make matters worse for users, Rowe said another myth about Bluetooth attacks is that devices are only vulnerable if they are within 10 metres of the attacker. This may be true for standard Bluetooth devices, but if an attacker wanted to, they could use antenna attachments and other methods to make it possible to attack a device that is "hundreds of metres" away.

"We have been testing with various antennas and we get ranges well into the hundreds of metres. If a Bluetooth worm did come out and if someone was malicious enough, they could infect a lot of people fairly easily," said Rowe.

According to Rowe, handset manufacturers have been very slow to react to the security issues because, unlike computer software developers, they are relatively innocent about security vulnerabilities and don't have the people or processes in place to tackle them.

"The problem is that a lot of the Bluetooth vendors -- like the phone manufacturers -- are used to dealing with a small and specific bit of software, like the Bluetooth stack. They are not like Microsoft or IBM that have got used to people reporting security vulnerabilities and have teams of people specifically to deal with them," said Rowe.

Richard Starnes, president of security industry group ISSA UK, agreed with Rowe. He said that mobile phone operators have been slow to react because they are in a different "threat environment".

"They are operating in a more insular environment with a lower threat profile than a business operating on the Internet. As a result, mobile phone operators have relatively little experience in dealing with these types of issues. Over the past few years, several of the larger operators have been slowly ramping up their staff and skills in these areas," said Starnes.

Another reason that the mobile phone industry has been slow to react to Bluetooth security issues is that it expected the initial threats to come from a combination of SMS and WAP, said F-Secure's Hyppönen.

"When we were thinking about mobile viruses, we never thought Bluetooth would be the method used. We were looking at SMS messages containing links or buffer overflows," said Hyppönen.

Neither Nokia nor Sony Ericsson were available for comment.
