Loo, 2009 - Aaron French
Contents
1. bluetooth htm McMillan R BlueBag PC Sni IDG News Services 2006 ffs Out Bluetooth Flaws ing the Bluetooth PIN Proceedings of 3rd USENIX ACM Conference on Mobile Systems Applications and Services 2005 39 50 Zetter Kim Security cavities ail Bluetooth Wired News 2004 http www wired com news privacy 1 64463 0 html Alfred Loo alfred ln edu hk is an associate professor in the Lingnan University Hong Kong 2009 ACM 0001 0782 09 0300 5 00 152 COMMUNICATIONS OF THE ACM MARCH 2009 VOL 52 NO 3 Copyright of Communications of the ACM is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder s express written permission However users may print download or email articles for individual use2. short seminar could be offered to em ployees and up to date guidelines could be issued The content of these guide lines could change over time Examples of the guidelines include the following e Switch the Bluetooth security set ting to the hidden mode e Activate Bluetooth only when it is needed Do not accept any unsolicited pair ing requests e Minimize pairing operations in public areas e Monitor the numbers and names of the paired devices on the phone to discover any suspicious connections Update the phone s firmware when a new version becomes available Pay attention to whether the phone is consuming power at a rate that is faster than usual and to any other anomalies Use long PINs whenever possible at least 64 bits User Responsibilities It is the duty of phone users to pro tect themselves and the data of their L 52 NO 3 COMMUNICATIONS OF THE ACM 151 technical opinion employers In addition to adhering to these guidelines it would be useful for users to do the following gt Be vigilant and treat a smart phone as a computer Almost all of the precau tionary measures for computers can be applied to phones Bluetooth is not the only threat gt Investin the time to update knowledge for example by attending seminars gt Be aware of social engineering tech niques Conclusion Every technology has its weaknesses The risks of using Bluetooth and smart phones are relativ
3. could find the names of the user s clients or potential clients Hackers could also alter the de tails of a user s calendar As a result the user could miss important appointments with his her clients while competitors approach the clients with another pro posal Hackers could also add entries to a user s phonebook and pretend to be his her clients bank representatives gt Bugging devices Hackers couldinstructthe user s phone to make a phone call without the user s consent They could then eavesdrop on or even record the user s conversa tion and the phone would then have become a horrible bugging device Prudent hackers can even use pre paid phone cards so that it is impossible to trace their identities afterwards gt Sending SMS messages Terrorists could send false bomb threats to airlines using the phones of legitimate users This would consume government resources as the govern ment would investigate false leads while the terrorists carried out real at tacks There would be no way to trace the terrorists and the phone owners could be in serious trouble gt Causing financial losses Hackers could send a large number of MMS messages with a user s phone MMS services are still quite expensive for large files Downloading large files would have the same effect Many ser vice providers will add charges to the phone bills of users if their phones dial a specific number or send an SMS mes sage to
4. the providers gt Revealing passwords As mobile phone users almost always carry their phones with them these devices are convenient places to store account numbers and passwords Ex amples include corporate accounts In ternet banking accounts ATM PINs and the codes to deactivate the alarm systems of the companies or homes of users The disclosure of these pieces of information would not only endanger the phone us ers themselves but also jeopardize the computer systems of their employers gt Identity theft There are black markets in which hackers can buy and sell personal information gt Attacks on telephone networks If a virus infected a large number of phones it could instruct all of them to make phone calls or send SMS or MMS messages simultaneously at a certain time This tactic could paralyze a city s telephone networks and create chaos gt Leaking Corporation Data Employees can download files from the company s computer onto their phones so that they can continue to work at home It would be a disaster if the phones were hacked Improper Implementation There are weaknesses in the current Bluetooth standards Most threats though come from improper imple mentation by manufacturers For example one important Blue tooth security feature is the user s abil ity to switch between the discoverable and hidden modes Every Bluetooth device should have a unique address To co
5. e phones will be the next easy targets for professional hackers Manufacturers incorporate PDA fea tures into mobile phones to make them smart As smart phones can perform the tasks of a computer they are vul nerable to the same kind of hacking attacks However most smart phone owners tend to believe that gt There are enough security features in the phones gt Hackers phones gt There is no such thing as a phone vi rus and gt They have little to lose even if their phones are hacked are not interested in Possible Attacks All of the hacking problems that are re lated to computers are valid for smart phones Furthermore there are unique problems as phones have more func tions Examples of these problems in clude the following gt Hackers can retrieve address books calendars photos or other files from a phone gt SMS or MMS messages can be sent from compromised phones to other phones without any user interaction gt Compromised phones can infect oth er phones that use Bluetooth or MMS gt Hackers can remotely control a phone to make phone calls or connect to the Internet Consequences These attacks seem to be harmless so most users do not recognize their seri ous consequences Some possible con sequences will now be discussed gt Leaking calendars and address books Hackers could sell pieces of information from these sources to a user s competi tors as the competitors
6. ely low compared with those of other technologies pro vided that they are used properly Most of the existing threats come from the ignorance of users improper security implementation by some manufactur ers and the inactive attitude of many corporations There is no silver bullet or panacea in the fight against hacking However it is interesting to note the sad but true tiger theory To survive in the jungle one does not need to run faster than the tiger All one needs to do is to run faster than the other people The tiger is not in terested in chasing the fastest runner If an organization has a reasonable level of security measures rational hackers will attack other weaker organizations where their hacking will be more cost effective It always pays to be the leader in the implementation of proper secu rity measures References 1 Berghel H Phishing Mongers and Posers Commun of the ACM 49 4 2006 Bialoalowv M Bluetooth Security Review Security N w Sa a ep N Shaked Y and Wool A Crac Focus 2005 www security Bluetooth SIG Bluetooth S Experience March 2007 ht ocus com infocus 1830 G Improves User p www bluetooth com Bluetooth Press SIG BLUETOOTH_SIG_IMPROVES_ USER_EXPERIENCE htm Laurie B and Laurie A Serious flaws in bluetooth security lead to disclosure o personal data L A Digital Ltd 2004 http www thebunker net security
7. nnect to a Bluetooth device this ad dress would have to be known Switch ing the device to the hidden mode would provide much better protection However the default setting of some mobile phones is the discover able mode Because most users do not understand Bluetooth technology they do not switch their phones to the hid den mode Furthermore it is difficult in some phones to find the right menu to change the discoverable mode to the hidden mode because of poor hu man computer interface HCI design Another weakness is the pairing pro cess that two Bluetooth devices need to go through before data exchange Both devices need an identical secret PIN A key is then generated and stored in both devices for later communications However the first step of this pairing process is done in plain text and is not encrypted Hackers could intercept the communication messages which would help speed up the hacking process Shaked and Wool have designed three methods to force devices to repeat the pairing process Intercepting the messages during the process they were able to determine a four digit PIN with in 0 07 second on a Pentium computer Improper implementation also in cludes the use of very short PINs instead of longer and more secure PINs Poor HCI design also deters users from chang ing the default PINs in certain devices Manufacturer Responsibilities A new specification Bluetooth
8. technical opinion DOI 10 1145 1467247 1467282 BY ALFRED LOO Security Threats of Smart Phones and Bluetooth IN A RECENT SECURITY EXPERIMENT A COMPUTER WITH a Bluetooth sniffing program was hidden in a suitcase that was wheeled around public places The objective was to ascertain the number of Bluetooth enabled mobile devices that could be infected with viruses wirelessly In less than 23 hours more than 1 400 vulnerable devices were detected most of which were mobile phones Although most mobile phones can only communicate by Bluetooth within a range of 10 meters the attacking distance can be extended greatly with an inexpensive antenna In another high profile experiment researchers were able to attack targets in a taxi stand from the 11 floor ofa hotel in Las Vegas and they successfully retrieved 300 address books from Bluetooth enabled devices These numbers of vulnerable phones reflect the low level of public awareness about the potential security threats of smart phones and Bluetooth Phone users also underestimate the possible damage if their mobile phones are compromised These kinds of security breaches also have serious consequences for corporations and telephone companies However most security teams in corporations believe that mobile phones are for 150 COMMUNICATIONS OF THE ACM MARCH 2009 VOL 52 NO 3 individual use only and that it is not their duty to protect these applications Hence mobil
9. version 2 1 has been proposed to address the above weaknesses However it would be pretty long until devices supporting the new Bluetooth specification are out to the market Till then all devices are vul nerable to the existing attacks Further more hackers will always find new ways to attack Measures should be adopted MARCH 2009 VO technical opinion to make devices safer which include gt Logs of pairing activities should be maintained so that users can detect any intrusion attempts as soon as possible gt The default security setting should be set at the maximum level gt Manufacturers should pay attention to HCI design so that users can fine tune the security settings easily gt Security issues should be discussed in the user s manual gt Devices with fixed PINs should be long enough at least 64 bits Corporate Responsibilities Corporations should take a proactive approach Examples of the counter measures they could take include the following gt Devise a policy for the use of mobile devices by their employees gt Learn and monitor the latest devel opments in phones and other related technologies gt Provide a list of phones with good se curity features and HCI design to their employees If large numbers of corpo rations offer such advice manufactur ers will be forced to develop proper se curity features gt Educate employees to select and use their phones properly For example a
Download Pdf Manuals
Related Search