In this section we look at the most common types of attacks.

Blue Snarfing

The first type of attack we will discuss is SNARF. This kind of attack consists of an OBEX PULL request; the request in question will not be visible to the receiver, and the attacker can therefore steal information from a “limited” data area, which unfortunately includes the phonebook, videos, photos, SMS, call log, calendar, IMEI code, and much more. The attack is feasible both for visible Bluetooth devices and for “hidden” ones, and many Nokia, Ericsson, and other models are vulnerable. Not all smartphone models can fall victim to a snarfing attack, because the vulnerability depends mainly on how each manufacturer implemented the OBEX inquiry type in its protocol stack. This bodes well for overcoming the problem in the fairly near future: manufacturers are, after all, associated in the body that studies improvements to Bluetooth technology (S.I.G.), which should facilitate the exchange of information about the security protocols of devices. Currently, however, the situation is critical, so much so that a simple search via a search engine was enough for me to find software specifically designed to launch bluesnarfing attacks on Bluetooth devices: a highly effective tool, built for exactly this purpose, that tries to extract as much information as possible from a victim Bluetooth device.

Phone Backdoor

This attack aims to obtain a “trusted” connection to the victim’s phone using the “pairing” mechanism. A pairing occurs when two Bluetooth devices agree to communicate together and thus enter a Trusted Pair Connection; what happens is divided into five steps:

1. Device A searches for other “discoverable” devices in the area
2. A finds device B and initiates the connection
3. A asks to enter a PIN (anything goes)
4. A sends the PIN to B
5. B sends the PIN to A

If these five steps succeed, a trusted pair connection will be established, and no further authentication will be needed; the only precautions the attacker would take are to remain invisible in the victim device’s “trusted” list and to ensure that, at the moment of connection, the victim does not have the phone in sight. If the attack succeeds, the attacker has complete access to the phone’s resources, including services such as WAP and GPRS.

Bluebug Attack

A Bluebug attack is carried out by exploiting a well-known bug in the service in question, so as to obtain a Serial Port Profile connection that gives complete access to AT commands. Once inside, the attacker can perform several actions, among them: making calls, sending or reading SMS, using the GPRS connection, viewing videos, photos and the phonebook, and much more, all with read and write permissions…

Advanced Bluejacking

This type of attack is not, as many documents claim, the “least dangerous” attack. It is true that it can be practiced easily and is widely used to exchange anonymous messages and play pranks, but behind it lies a mechanism that would easily allow abusing the service and obtaining a pairing with the attacked device. Bluejacking is in fact practiced by requesting a pairing connection; the recipient sees the NAME field during the connection handshake and responds by accepting or refusing. The NAME field can be up to 248 characters long, so it is possible to display to the victim a real message of up to 248 characters instead of the device name, trying to persuade them to accept the connection. What would you do if, during a subway trip, you were contacted by the Bluetooth device of the so-called “Selen : want to do Toothing with me?” Probably you would accept, trusting that it really is an attractive young lady requesting a trusted connection with your smartphone. Well, so far nothing alarming, but think about it: if the handshake succeeded, the attacker would obtain a paired connection and would have access to many resources offered by the victim.

PIN Cracking

This is the last attack technique analyzed; Bluetooth device crackers consider it the most interesting from the point of view of the personal “challenge” against smartphone security measures. It involves cracking the PIN, not with the usual brute-force attack (there is a not-too-short time interval between one PIN request and the next), but by trying to crack the PIN with a single request. The key is to “sniff” (steal) the data passed from one device to the other during the authentication process and then try thousands of combinations based on the obtained data. Once the data is obtained, the attacker feeds it to a program (also incredibly easy to find on the Web), and depending on the PIN length, the cracking process returns the cracked phone PIN in a time varying from a few seconds to dozens and dozens of years.
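Returning to the bluejacking lure described under Advanced Bluejacking: the defence on the receiving side is to stop treating the NAME field as trustworthy text. The following is an added example, not code from the original article, of how a pairing prompt could screen a received NAME before showing it to the user. The 248-byte limit is the Bluetooth friendly-name maximum; the heuristics, thresholds and sample names are assumptions chosen for this illustration.

```python
"""Screen the remote NAME field of a pairing request for bluejacking lures.
Constructed example; the heuristics and thresholds below are assumptions."""
import re

MAX_NAME_BYTES = 248   # Bluetooth user-friendly device name limit
DISPLAY_LIMIT = 32     # assumed: characters a pairing prompt shows unabridged
URL_LIKE = re.compile(r"(https?://|www\.|\.[a-z]{2,4}(/|$))", re.IGNORECASE)


def screen_pairing_name(raw: bytes) -> dict:
    """Return a verdict on a received NAME field plus a safe display string."""
    reasons = []
    if len(raw) > MAX_NAME_BYTES:
        # A peer exceeding the spec limit is malformed; never trust the field.
        reasons.append("name exceeds 248-byte protocol limit")
        raw = raw[:MAX_NAME_BYTES]
    # Invalid UTF-8 must not crash the prompt; undecodable bytes are replaced.
    name = raw.decode("utf-8", errors="replace")
    # Control characters could hide or reorder text in the prompt; drop them.
    name = "".join(ch for ch in name if ch.isprintable())
    words = name.split()
    if len(words) >= 4:
        reasons.append("reads like a sentence, not a device name")
    if any(ch in name for ch in "?!"):
        reasons.append("contains a question or exclamation")
    if URL_LIKE.search(name):
        reasons.append("contains a URL-like token")
    if len(name) > DISPLAY_LIMIT:
        reasons.append("longer than the prompt can show without truncation")
    # Always truncate what is shown, so a 248-character message cannot
    # masquerade as the whole prompt.
    shown = name if len(name) <= DISPLAY_LIMIT else name[:DISPLAY_LIMIT - 1] + "\u2026"
    return {"lure": bool(reasons), "reasons": reasons, "display": shown}


if __name__ == "__main__":
    # Constructed sample names: the article's lure and an ordinary handset name.
    for sample in (b"Selen : want to do Toothing with me?", b"Nokia 6310i"):
        print(sample.decode(), "->", screen_pairing_name(sample))
```

A prompt that flags the lure and shows only a truncated name removes most of the persuasive power of the 248-character message, which is the part of the attack the user is expected to defeat.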
Published in Digital Tools