The US National Institute of Standards and Technology releases guidelines on Bluetooth security…as an 11-year-old boy demonstrates how to hack into the internet of things

May 17, 2017

The National Institute of Standards and Technology (NIST) has issued an excellent guide to Bluetooth security. It should be mandatory reading for anybody interested in cyber security.

Bluetooth is a ubiquitous wireless technology for linking devices. It is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs). It allows users to form ad hoc networks between devices to transfer voice and data. It is now integrated into business and consumer devices, including cellphones, laptops, automobiles, medical devices, printers, keyboards, mice and headsets, and more recently into personal devices such as smart watches, home appliances, fitness monitors and trackers. Those devices hold and transfer large amounts of personal information, so security is critical.

Bluetooth devices are susceptible to the general wireless networking threats, such as denial of service attacks, eavesdropping, MITM attacks, message modification, and resource misappropriation. But there are also threats specific to Bluetooth devices, which NIST describes as:

  • Bluesnarfing. Bluesnarfing enables attackers to gain access to a Bluetooth-enabled device by exploiting a firmware flaw in older (circa 2003) devices. This attack forces a connection to a Bluetooth device, allowing access to data stored on the device including the device’s international mobile equipment identity (IMEI). The IMEI is a unique identifier for each device that an attacker could potentially use to route all incoming calls from the user’s device to the attacker’s device.
  • Bluejacking. Bluejacking is an attack conducted on Bluetooth-enabled mobile devices, such as cell phones. An attacker initiates bluejacking by sending unsolicited messages to the user of a Bluetooth-enabled device. The actual messages do not cause harm to the user’s device, but they may entice the user to respond in some fashion or add the new contact to the device’s address book. This message-sending attack resembles spam and phishing attacks conducted against email users. Bluejacking can cause harm when a user initiates a response to a bluejacking message sent with a harmful intent.
  • Bluebugging. Bluebugging exploits a security flaw in the firmware of some older (circa 2004) Bluetooth devices to gain access to the device and its commands. This attack uses the commands of the device without informing the user, allowing the attacker to access data, place phone calls, eavesdrop on phone calls, send messages, and exploit other services or features offered by the device.
  • Car Whisperer. Car Whisperer is a software tool developed by European security researchers that exploits the use of a standard (non-random) passkey in hands-free Bluetooth car kits installed in automobiles. The Car Whisperer software allows an attacker to send to or receive audio from the car kit. An attacker could transmit audio to the car’s speakers or receive audio (eavesdrop) from the microphone in the car.
  • Denial of Service. Like other wireless technologies, Bluetooth is susceptible to DoS attacks. Impacts include making a device’s Bluetooth interface unusable and draining the device’s battery. These types of attacks are not significant and, because of the proximity required for Bluetooth use, can usually be easily averted by simply moving out of range.
  • Fuzzing Attacks. Bluetooth fuzzing attacks consist of sending malformed or otherwise non-standard data to a device’s Bluetooth radio and observing how the device reacts. If a device’s operation is slowed or stopped by these attacks, a serious vulnerability potentially exists in the protocol stack.
  • Pairing Eavesdropping. PIN/Legacy Pairing (Bluetooth 2.0 and earlier) and low energy Legacy Pairing are susceptible to eavesdropping attacks. The successful eavesdropper who collects all pairing frames can determine the secret key(s) given sufficient time, which allows trusted device impersonation and active/passive data decryption.
  • Secure Simple Pairing Attacks. A number of techniques can force a remote device to use Just Works SSP and then exploit its lack of MITM protection (e.g., the attack device claims that it has no input/output capabilities). Further, fixed passkeys could allow an attacker to perform MITM attacks as well.
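The last item above turns on a detail of how Secure Simple Pairing picks its association model: the model is chosen from the input/output capabilities both sides advertise, and a peer that claims NoInputNoOutput (or that does not request MITM protection) pulls the pairing down to Just Works, which has no man-in-the-middle protection. As an added example that is not from the NIST guideline or this article, the Python below encodes the BR/EDR IO-capability mapping from the Bluetooth Core Specification and wraps it in a hypothetical pairing-policy check that refuses any pairing which would fall back to Just Works when policy requires MITM protection. The `pairing_allowed` and `review_pairing_requests` functions, the device names and the sample pairing requests are all constructed for this example.

```python
"""Pairing-policy check for Bluetooth Secure Simple Pairing (SSP).

Added example, not part of the NIST guideline or this article.  The table
below is the IO-capability to association-model mapping for BR/EDR SSP
from the Bluetooth Core Specification; the policy layer around it is a
constructed illustration of the "use the strongest available security
mode" recommendation.
"""
from enum import Enum


class IoCap(Enum):
    """IO capabilities a device advertises during SSP."""
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"


# Association model selected for (initiator capability, responder capability)
# when BOTH sides request MITM protection.  Every combination not listed
# here, including any pairing that involves NoInputNoOutput, is Just Works.
_MITM_MODELS = {
    (IoCap.DISPLAY_ONLY, IoCap.KEYBOARD_ONLY): "Passkey Entry",
    (IoCap.DISPLAY_YES_NO, IoCap.DISPLAY_YES_NO): "Numeric Comparison",
    (IoCap.DISPLAY_YES_NO, IoCap.KEYBOARD_ONLY): "Passkey Entry",
    (IoCap.KEYBOARD_ONLY, IoCap.DISPLAY_ONLY): "Passkey Entry",
    (IoCap.KEYBOARD_ONLY, IoCap.DISPLAY_YES_NO): "Passkey Entry",
    (IoCap.KEYBOARD_ONLY, IoCap.KEYBOARD_ONLY): "Passkey Entry",
}


def association_model(init_cap, resp_cap, init_mitm=True, resp_mitm=True):
    """Return (model name, mitm_protected) for an SSP pairing attempt.

    If either side does not request MITM protection the controller uses
    Just Works regardless of IO capabilities; otherwise the capability
    table decides, and only the listed models give MITM protection.
    """
    if not (init_mitm and resp_mitm):
        return "Just Works", False
    model = _MITM_MODELS.get((init_cap, resp_cap))
    if model is None:
        return "Just Works", False
    return model, True


def pairing_allowed(init_cap, resp_cap, init_mitm=True, resp_mitm=True,
                    require_mitm=True):
    """Hypothetical policy hook: return (allowed, model).

    When policy requires MITM protection, any pairing that would fall back
    to Just Works is refused instead of silently accepted.
    """
    model, protected = association_model(init_cap, resp_cap, init_mitm, resp_mitm)
    return (protected or not require_mitm), model


def review_pairing_requests(local_cap, requests, require_mitm=True):
    """Evaluate (peer name, peer IO capability, peer requests MITM) tuples
    against policy and return a list of (peer, model, allowed)."""
    results = []
    for peer, peer_cap, peer_mitm in requests:
        allowed, model = pairing_allowed(local_cap, peer_cap, True, peer_mitm, require_mitm)
        results.append((peer, model, allowed))
    return results


# Constructed sample: a laptop (DisplayYesNo) receiving three pairing requests.
SAMPLE_REQUESTS = [
    ("office-phone", IoCap.DISPLAY_YES_NO, True),        # Numeric Comparison
    ("unknown-dongle", IoCap.NO_INPUT_NO_OUTPUT, True),  # forced to Just Works
    ("visitor-tablet", IoCap.DISPLAY_YES_NO, False),     # no MITM requested
]

if __name__ == "__main__":
    for peer, model, ok in review_pairing_requests(IoCap.DISPLAY_YES_NO, SAMPLE_REQUESTS):
        print(f"{peer:15s} {model:20s} {'allowed' if ok else 'REFUSED'}")
```

Run stand-alone, the script shows the office phone pairing with Numeric Comparison while both the dongle that advertises no IO capability and the tablet that declines MITM protection are refused. The point for a defender is that the weak model is reached by the peer's claims alone, so a host that accepts whatever model the controller negotiates has no MITM protection against a peer that chooses to advertise nothing; the policy check makes that outcome explicit and rejectable.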

The guidelines are very detailed but fall under the broad general recommendations:

  • Organizations should use the strongest Bluetooth security mode that is available for their Bluetooth devices.
  • Organizations should address Bluetooth wireless technology in their security policies and change default settings of Bluetooth devices to reflect the policies.
  • Organizations should ensure that their Bluetooth users are made aware of their security-related responsibilities regarding Bluetooth use.

In “Boy, 11, hacks cyber-security audience to give lesson on ‘weaponisation’ of toys”, the Guardian highlights how connected many toys and household items are and how hackable they can be. The story is dramatic because the hacker was an 11-year-old and he hacked a toy, a robotic teddy bear. But that is nothing all that new. The internet of things means that most devices involving even basic electronic components are likely to have either Wi-Fi or Bluetooth capability and some form of computer enclosed. In 2015 Wired did a now classic piece on how hackers remotely took over a Jeep. And earlier this month Wired reported on how hackers sabotaged an industrial robot arm. Poor app security, easy-to-crack factory settings and a general lack of understanding of what threats are present are typical of the devices being sold. I have written about this before, regarding baby cams that can be hijacked. Part of the problem is poor regulation.
The Guardian article provides:

An 11-year-old “cyber ninja” has stunned an audience of security experts by hacking into their Bluetooth devices to manipulate a robotic teddy bear, showing in the process how interconnected smart toys “can be weaponised”.

Reuben Paul, who is in sixth grade at school in Austin, Texas, and his teddy bear Bob wowed hundreds at a cyber-security conference in the Netherlands.

“From airplanes to automobiles, from smartphones to smart homes, anything or any toy can be part of the Internet of Things (IOT),” said the small figure pacing the huge stage at the World Forum in The Hague.

“From terminators to teddy bears, anything or any toy can be weaponised.”

To demonstrate he deployed his cuddly bear, which connects to the cloud via wifi and Bluetooth to receive and transmit messages.

Plugging into his laptop a device known as a “Raspberry Pi” – a small credit-card size computer – Reuben scanned the hall for available Bluetooth devices, and to everyone’s amazement including his own, suddenly downloaded dozens of numbers, including some of top officials.

Then using a computer language called Python he hacked into his bear via one of the numbers to turn on one of its lights and record a message from the audience.

“Most internet-connected things have a Bluetooth functionality … I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light,” he told AFP later.

“IOT home appliances, things that can be used in our everyday lives, our cars, lights, refrigerators, everything like this that is connected can be used and weaponised to spy on us or harm us.”

They could be used to steal private information such as passwords, as remote surveillance to spy on kids, or employ GPS to find out where a person is, he said. More chillingly, a toy could say “meet me at this location and I will pick you up”, Reuben said.

His father, information technology expert Mano Paul, told how aged about six Reuben had revealed early IT skills.

Using a simple explanation from dad on how one smartphone game worked, Reuben then figured out it was the same kind of algorithm behind the popular video game Angry Birds.

“He has always surprised us. Every moment when we teach him something he’s usually the one who ends up teaching us,” Mano Paul told AFP.

But Paul said he had been “shocked” by the vulnerabilities discovered in kids’ toys, after Reuben first hacked a toy car, before moving on to more complicated things.

“It means that my kids are playing with timebombs, that over time somebody who is bad or malicious can exploit.”

Now the family has helped Reuben, who is also the youngest American to have become a Shaolin Kung Fu black belt, to set up his CyberShaolin non-profit organisation.

Its aim is “to inform kids and adults about the dangers of cyber-insecurity”, Reuben said, adding he also wants to press home the message that manufacturers, security researchers and the government have to work together.

Reuben also has ambitious plans for the future, aiming to study cyber-security at either CalTech or MIT universities and then use his skills for good.
