How Many Vulnerable Bluetooth Devices Can Be Found at E3?

Equipment:
Hardware:
Dell Inspiron Laptop
USB Class 1 Bluetooth Adapter
 
Software:
Slackware Linux 9.1 (kernel 2.4.26)
BlueZ Linux Bluetooth protocol stack (bluez-libs-2.7, bluez-utils-2.7)
Custom Bluetooth Address analysis tool written by Kevin Mahaffey

 
Procedure:
For approximately 90 minutes, all Bluetooth devices broadcasting their address within range (up to 100 m) were recorded by our software as we walked throughout all three halls and the main concourse of the last Electronic Entertainment Expo. This is not a complete count of all Bluetooth devices in E3, but an analysis of the number of vulnerable devices a malicious individual could encounter in a densely populated environment. 

 
Device Identification:
In order to identify specific phones based on their Bluetooth addresses, the initial three octets are referenced against a manufacturer database. Next, the remaining three octets are matched against production data provided by each manufacturer.

 
Example Data:
 
00:0A:D9:ED:7A:01
|______|
00:0A:D9                 Sony Ericsson Mobile Communications AB
                         Nya Vattentornet
                         Lund SE 221 88
                         SWEDEN
 
Source: http://standards.ieee.org/regauth/oui/oui.txt
 
 
The rest identifies the specific device and, if needed, a specific model number. It is not generally a good practice to identify devices based on their broadcast name, because an end user can easily change the device name to one of his or her choosing (e.g. "BluePhone").
 
When the entire dataset is run through our analysis tool, we can determine the relative distributions of Bluetooth devices. Non-mobile-phone devices such as PDAs and Bluetooth-enabled laptop computers are not counted in the final dataset.
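The following Python script is an added example, not the write-up's own analysis tool (which is not published here). It performs the first identification step described above: it parses a registry excerpt in the layout of the IEEE oui.txt file, normalises sighted addresses, maps each to its manufacturer by the first three octets, and tallies the per-vendor distribution after collapsing duplicate sightings and dropping non-phone vendors. The registry text and the sighting list are constructed; apart from the Sony Ericsson entry quoted above, the prefixes and vendor names are placeholders, not real registry data. Matching the last three octets to a model needs the manufacturer production data that this example does not include.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the IEEE oui.txt registry.
# The Sony Ericsson entry is the one quoted in the write-up; the other
# two entries are invented placeholders, not real registry data.
SAMPLE_OUI_TXT = """\
00-0A-D9   (hex)\t\tSony Ericsson Mobile Communications AB
000AD9     (base 16)\t\tSony Ericsson Mobile Communications AB
\t\t\t\tNya Vattentornet
\t\t\t\tLund  SE 221 88
\t\t\t\tSWEDEN

00-11-22   (hex)\t\tExample Handset Maker A (placeholder)
001122     (base 16)\t\tExample Handset Maker A (placeholder)
\t\t\t\tNowhere Street 1
\t\t\t\tEXAMPLELAND

AA-BB-CC   (hex)\t\tExample Laptop Maker (placeholder)
AABBCC     (base 16)\t\tExample Laptop Maker (placeholder)
"""

# Only the "(hex)" lines carry the prefix -> vendor mapping.
_OUI_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui(text):
    """Return {'00:0A:D9': 'Sony Ericsson ...'} from oui.txt-style text.
    Address lines ("base 16") and postal-address lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _OUI_LINE.match(line)
        if m:
            prefix = ":".join(m.group(i) for i in (1, 2, 3))
            table[prefix] = m.group(4)
    return table


def normalize_bdaddr(addr):
    """Canonicalise a Bluetooth device address to 'XX:XX:XX:XX:XX:XX'.
    Accepts ':' or '-' separators and either case; rejects anything
    that is not exactly six hex octets."""
    octets = re.split(r"[:-]", addr.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError("malformed Bluetooth address: %r" % addr)
    return ":".join(o.upper() for o in octets)


def vendor_for(addr, table):
    """Look up the manufacturer of the first three octets (the OUI).
    The last three octets are left alone: mapping them to a model needs
    per-manufacturer production data that this example does not have."""
    prefix = normalize_bdaddr(addr)[:8]
    return table.get(prefix, "UNKNOWN OUI")


def vendor_distribution(addrs, table, exclude=()):
    """Count sighted addresses per vendor. Repeated sightings of the same
    address are collapsed first, and vendors named in `exclude` (e.g. a
    laptop maker, since the write-up drops non-phone devices) are removed."""
    unique = {normalize_bdaddr(a) for a in addrs}
    counts = Counter(vendor_for(a, table) for a in unique)
    for name in exclude:
        counts.pop(name, None)
    return counts


# Constructed sightings, as a walk-through survey log might record them.
SAMPLE_SIGHTINGS = [
    "00:0A:D9:ED:7A:01",   # the address quoted in the write-up
    "00:0a:d9:ed:7a:01",   # same device seen again, lower case
    "00-0A-D9-12-34-56",   # a second Sony Ericsson device
    "00:11:22:00:00:01",
    "00:11:22:00:00:02",
    "AA:BB:CC:01:02:03",   # placeholder laptop maker, filtered out below
    "DE:AD:BE:EF:00:01",   # prefix not in the sample table
]

if __name__ == "__main__":
    table = parse_oui(SAMPLE_OUI_TXT)
    dist = vendor_distribution(SAMPLE_SIGHTINGS, table,
                               exclude=("Example Laptop Maker (placeholder)",))
    for vendor, n in dist.most_common():
        print("%4d  %s" % (n, vendor))
```

Addresses are canonicalised before counting so that the same phone logged twice with different separators or case is counted once; prefixes absent from the registry are reported as a distinct "UNKNOWN OUI" bucket rather than silently dropped, which keeps the vendor distribution honest when the registry excerpt is stale.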
 

Collected Data:
Over 700 Bluetooth-enabled phones were detected in only 90 minutes, with nearly 20 percent vulnerable to some form of exploit. The majority of the phones were Nokia, Sony Ericsson, and Siemens, and surprisingly most were in discoverable mode. This may have been due to the nature of the industry professionals present and the contact-sharing features used while at E3.
 

Possible Attacks:
Once a phone is positively identified by its Bluetooth address, there are several vulnerability databases available on the Internet which may be used to determine exactly what attack a given phone is susceptible to. From here, a malicious user may decide to exploit the OBEX stack in the target phone with a SNARF attack or gain direct serial access to the device via a BLUEBUG attack. With the latter, virtually anything can be done to the target device remotely that could be done by the owner of the device. With a backdoor attack, a malicious user can gain access to the phone's network resources such as internet access, etc.
 
Technical Ramifications:
* Full AT access to phone
* Full file system access to phone
* Full access to phone's TCP/IP network
 

Social Ramifications:
* Make toll calls
* Change any/all phonebook entries to a record-and-forward number to monitor conversations
* Hack/Send spam e-mail from a target's phone
* Having someone's phonebook would allow an attacker to name-drop and socially engineer the target into disclosing sensitive information.
* Turn phone into a surveillance device by dialing a phone number of the attacker's choice without intervention on the target's part
* Listen to the target's voicemail
* Read or send text messages to or from the target, respectively
* All of the above can be automated and done in as little as a few seconds by an attacker simply walking by.
 

Suspicious Behavior:
Currently, exploits only work on laptops running special software; however, it would be trivial for an expert to port these tools to a PDA or even a malicious cell phone.
 
Possible Risk Situations:
* Someone on a laptop within close proximity running a Linux shell
* Someone within close proximity using a laptop with a USB Bluetooth dongle sticking out
* Someone up to 1000 ft away with a large antenna
* Someone on a PDA within close proximity
* In a crowd, especially one with a recognizable technology connection (conventions such as E3, Comdex, DefCon, CeBIT, etc.)
* On a subway with many people using mobile devices
 
In our research, we found that charter buses tend to carry a large number of Bluetooth mobile devices, a situation that suits an attacker seeking to maintain close proximity to a target without arousing suspicion.

 
Solutions:
All of the major cell phone vendors have been contacted regarding this problem. Please contact them with questions and concerns regarding updates to your mobile phone.
 
Right now, the best solution is to turn Bluetooth OFF when it is not necessary.
When it is necessary, switching the phone into non-discoverable mode makes it much more difficult to find.