It’s a beautiful afternoon in Shepherd’s Bush, a bustling neighborhood on the outskirts of London, and Adam Laurie is feeling peckish. Heading out of the office, he’s about to pick up more than a sandwich. As he walks, he’ll be probing every cell phone that comes within range of a hidden antenna he has connected to the laptop in his bag. We stroll past a park near the Tube station, then wander into a supermarket. Laurie contemplates which sort of crisps to buy while his laptop quietly scans the 2.4-GHz frequency range used by Bluetooth devices, probing the cell phones nestled in other shoppers’ pockets and purses.
Laurie, 42, the CSO of boutique security firm the Bunker, isn’t going to mess with anyone’s phone, although he could: With just a few tweaks to the scanning program his computer is running, Laurie could be crashing cell phones all around him, cutting a little swath of telecommunications destruction down the deli aisle. But today Laurie is just gathering data. We are counting how many phones he can hack using Bluetooth, a wireless protocol for syncing cell phones with headsets, computers, and other devices.
We review the results of the expedition in a nearby pub. In the 17 minutes we wandered around, Laurie’s computer picked up signals from 39 phones. He peers at his monitor for a while. “It takes only 15 seconds to suck down somebody’s address book, so we could have had a lot of those,” he says at last. “And at least five of these phones were vulnerable to an attack.”
The “attack” Laurie mentions so casually could mean almost anything – a person using another person’s cell to make long distance calls or changing every phone number in his address book or even bugging his conversations. There are, he says, “a whole range of new powers” available to the intrepid phone marauder, including nasty viral attacks. A benign Bluetooth worm has already been discovered circulating in Singapore, and Laurie thinks future variants could be something really scary. Especially vulnerable are Europeans who use their mobile phone to make micropayments – small purchases that show up as charges on cell phone bills. A malicious virus maker bent on a get-rich-quick scheme could take advantage of this feature by issuing “reverse SMS” orders.
Bluetooth security has become a pressing issue in Europe, where the technology is ubiquitous. The problem will migrate to American shores as the protocol catches on here, too. But in the long run, Bluetooth vulnerabilities are manageable: Handset manufacturers can rewrite faulty implementations, and cell phone users will learn to be more careful. A far bigger security nightmare for the US is Internet telephony, which is fast being adopted for large corporations and is available to consumers through many broadband providers. Voice over IP is, by design, hacker-friendly. No enterprising criminals have dreamed up a million-dollar scam exploiting VoIP technology yet. But when they do, it likely won’t be something a simple patch can fix.
Bluetooth hacking is technically very different from VoIP hacking, but they’re both surging for the same basic reason. Increasingly, telephones have become indistinguishable from computers, which makes them more useful, but also more vulnerable. VoIP, which routes calls over the Internet, gives users the power to port their phone number anywhere, package voice messages into MP3s and receive them as emails, and make cheap international calls. Yet VoIP, like Bluetooth, exposes your telephone to the same ills that regularly befall a desktop box – worms, spam, crashes.
“It’s not like we’ve fixed the vulnerabilities on computers,” says security expert Bruce Schneier, author of Secrets and Lies: Digital Security in a Networked World. “The phone network used to get its security from being closed, but VoIP phones will be just as bad as computers.”
Many of today’s hacks work because the traditional phone system was built on the premise that only large, monopolistic phone companies would be using it, and they would all play by the same rules. But the network isn’t the telcos’ private sandbox anymore; it can be manipulated and controlled by anybody who understands basic computer networking. The people who know this best are a new generation of phone hackers – aka phreakers – who aren’t interested in following the rules. They’re busy ripping apart the latest phones to discover what can make them turn against their owners. As the phone companies and handset makers lumber along, we can only hope that the phreaks in white hats figure out some fixes before the blackhats move in for the kill.
Laurie, whose laptop is now packed with information from vulnerable cell phones in Shepherd’s Bush, has become infamous in Britain for conducting a similar experiment in the House of Parliament, where he had the opportunity (which he didn’t take) to copy the address books and calendars of several prominent politicians. That excursion resulted in a mandate that all Bluetooth devices be turned off in the House of Parliament.
As the inventor of “bluesnarfing,” a hack that uses Bluetooth to peek at data stored on cell phones, Laurie is dedicated to publicizing the danger of a wide-open Bluetooth connection. A bluesnarf attack can identify an unprotected phone and copy its entire address book, calendar, photos, and any other information that happens to be inside. Using a bluesnarf program, a phreak can also crash any phone within range by using Bluetooth to broadcast what Laurie calls “a corrupted message.”
Bluesnarf was born after Laurie scrutinized the code running some Bluetooth headsets his staff was using. He wasn’t happy with what he found. “Gaping security holes,” he says with a frown. Rebuffed by the cell phone companies to which he reported the problems, he conceived of bluesnarf as a publicity stunt, a tool that would dramatize the danger of owning these phones.
Compounding Bluetooth’s technical vulnerabilities are problems with the way people use it. Most folks leave Bluetooth on all the time, often because they don’t bother to learn how to turn it off. Even tech-savvy types tend to keep their connections open. “People have heard about ‘toothing,’ where strangers send each other flirtatious messages via Bluetooth,” he says. Hoping to get toothed, they risk an entirely different kind of penetration.
The risk doesn’t end with snarfing. Another way to use Bluetooth to hijack a phone completely is bluebugging, and Laurie gives me a quick demo. He runs the bluebug software on his laptop, and it quickly locates an Ericsson t610 phone he’s set on the table between us (not all phones can be bluebugged, but this model can). His computer connects to the phone and takes it over, remotely. Tapping the keyboard, Laurie sends the t610 a command to ring up the phone on his belt. It bleeps. He answers. We’ve got a bluebug.
Invented by Austrian researcher Martin Herfurt earlier this year, bluebugging is the perfect weapon for corporate spies. Let’s say you and I are competing for a big contract with an oil company. I want to hear everything that happens in your meeting with the VP of Massive Oil Inc., so I hire a blackhat phreak to take over your cell phone. Once he’s bluebugged it, I tell him to have your mobile call mine. The phone that’s sitting in your jacket pocket is now picking up everything you and the VP say during your conversation, and I can hear the prices you’re quoting as clear as a bell on my own phone. “A cell phone is the ultimate well-engineered bugging device,” Laurie says.
Unlike bluesnarfers, who need only some gear and know-how, the bluebugger first has to get your cell phone to pair with his computer, establishing a “trusted” data link. Laurie explains one crafty way to make this happen. “You just say, ‘Gee, that’s a cool phone, can I see it?’ Punch a few buttons to establish the pairing, and hand it back.” As soon as the pairing is complete, the bluebugger can commandeer every aspect of the phone. He can initiate calls, send SMS messages, even overwrite the address book and contacts list.
Laurie’s revelation is disturbing, but the fact that phreakers need to approach and interact with their intended targets significantly cuts down on the number of victims. Yet British security consultant Ollie Whitehouse, whose Bluetooth-hunting program Redfang has made him a celebrity among phreakers, describes another way to bluebug – a method that doesn’t demand the eavesdropper come into physical contact with the target’s phone. In this case, the trick is to sniff the data traffic traveling to and from a Bluetooth phone when it’s pairing with another device, like a headset. Armed with this information, an attacker can bluebug the phone by pretending to be the trusted device with which it regularly networks.
Cell phone companies argue that bluesnarfing and bluebugging are minor threats because Bluetooth is designed to work only over short distances, 20 feet or less, requiring attackers to be close to their targets.
Enter the Bluetooth sniper rifle. Made from $200 worth of off-the-shelf parts, the sniper is a Bluetooth antenna optimized for long-distance use. It can send and receive faint signals at more than a thousand yards. With the sniper – or a wireless weapon like it – bluesnarfers and bluebuggers no longer have to be in the same room as their targets. “By smashing any notion that distance is an issue,” says 24-year-old inventor Jon Hering, a student at the University of Southern California, “we showed that bluebugging is a real-world threat.”
Surely the phone companies must be doing something to protect us from all this. Keith Nowak, a spokesperson at Nokia, suggests “just turning off Bluetooth – or switching into hidden mode.”
Whitehouse laughs at that advice. Redfang, his signature phreak tool, is specifically designed to find Bluetooth devices in hidden mode. And given that so few people actually do turn off Bluetooth, their phones are susceptible to countless hacks – ones that Hering’s sniper rifle could launch from half a mile away.
The Default Radio boys, rock stars in the phreak underground, are onstage at DefCon, the venerable hacker conference that’s sort of a cross between the Ozzfest mosh pit and an after-hours party for NSA agents. Wearing baseball caps, T-shirts, and baggy jeans, the boys are doing a live version of their phreak-friendly streaming-audio talk show. The long table in front of them is covered with telephone equipment and computers.
A Defaulter using the nom de phreak Lucky225 steps up to the mike. With a phone tucked between his ear and shoulder and the keyboard under his fingers, he looks like a cross between a DJ and a telephone line repairman.
Lucky regales the audience with a tale about his favorite VoIP hack: He can make a VoIP phone display whatever caller ID number he chooses. To prove his point, he tells us he can impersonate “Jenny,” the girl from the pop song by Tommy Tutone.
Earsplitting static issues from the speakers, and suddenly we hear a thunderous dial tone. Lucky has routed his VoIP phone through the sound system. He dials MCI’s caller ID readback line, a service that identifies whatever number you’re calling from. A robotic voice slowly intones Lucky’s number: “eight-six-seven-five” – the crowd erupts, screams of laughter mingling with groans – “three-zero-nine.”
Having demonstrated his power over caller ID, Lucky proceeds to tell the phreak-packed auditorium how he spoofed the number. Turns out the whole thing is a social hack. A few days before, he called his service provider, Vonage, and told them he wanted to port all his cell phone calls to the Internet phone connected to his computer. His cell number is 867 5309, he lied, and Vonage believed him. Now it’s rerouting all calls made to Jenny on the Vonage network to Lucky.
Naturally, Vonage also set the caller ID on Lucky’s VoIP phone to Jenny’s number – so any time he dials out, it looks like he’s calling from 867 5309. A lot of systems depend on receiving accurate caller ID – credit card-activation lines, voicemail systems, even 911. So being able to control what a called party sees after you dial can be a potent weapon. Armed with your caller ID, an identity thief could order a new ATM card, activate it over the phone, and use it to empty your bank account. And, given that many voicemail boxes will play their contents to any phone with the right caller ID, you could be opening up your private life to anyone with a Vonage phone.
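The danger described above is that a system treats the presented caller ID as proof of identity. The following is an added example, not code from the article or from any provider it names: a toy voicemail front end with the weak policy (caller ID alone unlocks the mailbox) beside a hardened one (caller ID is only a convenience hint; a PIN, checked in constant time and rate-limited, is the actual credential). Mailbox numbers, PINs and the call records are constructed for illustration.

```python
"""Caller-ID trust in a voicemail front end: weak policy beside a hardened one.

Added example (not from the article). Mailbox numbers, PINs and the calls
below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one mailbox keyed by its phone number.
MAILBOXES = {
    "5551234567": {
        "pin_hash": hashlib.sha256(b"4821").hexdigest(),
        "messages": ["msg-1", "msg-2"],
    },
}


@dataclass
class Call:
    caller_id: str                    # number presented by the network (spoofable, per the article)
    dialed_mailbox: str               # mailbox the caller is trying to open
    pin_entered: Optional[str] = None # digits keyed in after the greeting, if any


def weak_access(call: Call) -> Optional[List[str]]:
    """Vulnerable policy: a caller presenting the owner's number gets the
    messages without any secret. Spoof the caller ID and the box is open."""
    box = MAILBOXES.get(call.dialed_mailbox)
    if box is None:
        return None
    if call.caller_id == call.dialed_mailbox:
        return box["messages"]
    return None


@dataclass
class PinAuth:
    """PIN check with a failure counter and lockout per mailbox."""
    max_attempts: int = 3
    lockout_seconds: int = 900
    # mailbox -> (failed attempts in the current window, time of first failure)
    attempts: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def check(self, mailbox: str, pin: Optional[str], now: float) -> bool:
        count, first = self.attempts.get(mailbox, (0, now))
        if count >= self.max_attempts and now - first < self.lockout_seconds:
            return False                      # locked out, even if the PIN is right
        if count >= self.max_attempts:
            count, first = 0, now             # lockout window has expired
        expected = MAILBOXES[mailbox]["pin_hash"]
        presented = hashlib.sha256((pin or "").encode()).hexdigest()
        ok = pin is not None and hmac.compare_digest(presented, expected)
        if ok:
            self.attempts.pop(mailbox, None)  # success clears the counter
        else:
            self.attempts[mailbox] = (count + 1, first)
        return ok


def hardened_access(call: Call, auth: PinAuth, now: float) -> Optional[List[str]]:
    """Hardened policy: caller ID never authenticates. It may be used to skip
    the 'enter your mailbox number' prompt, but the PIN is the credential."""
    box = MAILBOXES.get(call.dialed_mailbox)
    if box is None:
        return None
    if not auth.check(call.dialed_mailbox, call.pin_entered, now):
        return None
    return box["messages"]


if __name__ == "__main__":
    spoofed = Call(caller_id="5551234567", dialed_mailbox="5551234567")
    print("weak policy, spoofed caller ID:", weak_access(spoofed))
    print("hardened policy, spoofed caller ID, no PIN:",
          hardened_access(spoofed, PinAuth(), now=0.0))
```

A mismatch between the presented caller ID and the mailbox being opened is also worth logging in the hardened path: on its own it proves nothing, but a burst of such calls against many mailboxes is exactly the pattern a spoofing campaign produces.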
After the show, I ask Lucky why he got into the phreak scene. “Well,” Lucky deadpans, sketching out plans for a network of cans and rubber bands, “I wanted to start this elastic-based phone system.” He’s a prankster, but with a purpose – to make clear to the public that VoIP is a privacy nightmare. “Yup,” he concludes, still pondering voice over elastic, “I think this tin can shit is really going to take off.”
Steve Wozniak, the Apple computer pioneer whose phreak days began in the 1970s, says pranks are what it’s all about. “Those of us who have the phreaker mentality see playing with the world as fun, but in these times it’s hard for people to see us as harmless.”
Maybe so, but Vonage doesn’t seem too concerned. When I contact the company later to find out whether they know about Lucky’s caller ID trick and what they are doing to stop it, executive VP Louis Holder admits they’re not doing anything. “We allow people to do what he did,” Holder says. “We give people a temporary phone number before we verify it with the phone company, and verification takes a couple of weeks. Somebody could pick the White House number and pretend to be the president.”
Today’s phreaks have the power to crash the phone system – but they also have the power to rebuild it. Lucky’s joke about creating his own network out of tin cans and rubber bands isn’t that far from the truth. Slestak, Da Beave, and GiD are the crew behind Florida-based Telephreak.org, a free VoIP service that they’ve built to run on a roll-your-own, open source private branch exchange (PBX) system called Asterisk.
Typically used by businesses, a PBX consists of computers that route calls between what amounts to a phone intranet and the public telephone system. A company using a PBX might pay for 100 lines that service 500 employees, linking callers to the outside world, voicemail, or conferences by dynamically connecting phone calls using whichever landlines are open. In the past, all these connections would be managed by the phone company or a proprietary, closed black box in the server room. But with Asterisk, there’s no need for the phone company to manage your lines anymore. You can do it yourself.
The Telephreak crew has created its own private phone company for themselves and their friends – one that never sends a bill. Dial an access line to check voicemail, create conference calls, forward calls to other phones, even get a new number. And never pay a cent.
Currently, there are several hundred voicemail accounts, and the system can handle a hundred simultaneous calls. Although the Telephreak crew has to pay for connectivity to Ma Bell, the amount is so negligible that they’re willing to eat the money. It’s a small price to pay for freedom.
I’m talking to them on a Telephreak conference call, and the sound is a little fuzzy. Beave, identifiable by his slight southern twang, tells me he’s working on ironing out the bugs. It’s a little strange to know someone is manipulating your phone connection while talking to you. Suddenly, the sound is perfect. We’ve been rerouted. Slestak’s voice comes in loud and clear: “My connection to you guys right now is going across a cordless phone with a box to the server, then to Telephreak. My dial tone is coming from the West Coast.”
One of the best things about building your own PBX is that you can do what Slestak calls “chemistry experiments” with the phone system. Some PBX phreakers, like Telediablo, even provide a caller ID spoofing service: With it, there’s no need to lie to Vonage – you simply call up Telediablo’s PBX, plug in the number you want to use as your caller ID, then dial the party you want to trick. When I try out his little hack, I pick the number 666 6666. Next, I key in a nearby friend’s number. It rings. My friend shows me his caller ID window: Now I feel like a phreak. Instead of displaying my number, his phone is displaying the devil’s digits.
There are other PBX tricks – like caller ID unmasking, which can sometimes reveal the actual phone number of a caller, regardless of whether they’ve paid to have their number blocked. So if you think you’re anonymous on the telephone system, think again.
Probably the most unsettling discovery made by whitehat phreakers is that VoIP providers and wireless companies are willing to peddle phones and services that they know perfectly well are vulnerable to all kinds of attacks. After several months of bad publicity in the UK, where Laurie and Whitehouse are based, the cell phone companies are responding. Nokia and Sony Ericsson have issued patches, and Motorola says that its security flaws have been fixed in the newer models. And upstart VoIP provider Skype is marketing built-in encryption. Meanwhile, the Bluetooth Consortium – a group of industry leaders, including Nokia and Sony Ericsson, whose products incorporate Bluetooth – focused explicitly on security at its UnPlugFest in Germany last month. At the meeting, security experts (including Laurie) rated each company’s phones in terms of their resistance to common attacks. Still, nobody is tracking bluesnarf or bluebug attacks to measure the extent of the problem – nobody but the whitehat phreaks themselves.
Whitehouse has written a program he calls Sweet Tooth that can detect the signature radio signals sent by bluesnarfers. Modeled on honeypot programs that law enforcement and security analysts use to detect hackers on the Internet, Sweet Tooth could provide accurate statistics on how prevalent bluesnarf attacks really are. The program is ready for action, says Whitehouse; the question now is whether law enforcement and the phone companies will actually deploy it. Ignoring the problem is not going to make it better – especially because phone hacking is only going to get easier.
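To make the honeypot idea concrete, here is an added example of the analysis side of such a tool. It is not Sweet Tooth and not code from the article: it assumes a honeypot phone that logs every inbound Bluetooth connection attempt as one line (timestamp, remote address, service requested, whether the peer was paired, result), and it flags the behaviour the article attributes to bluesnarfing, namely pulling address-book and calendar services without a pairing, plus rapid probing of several services. The log format, service names and addresses are constructed for illustration.

```python
"""Honeypot-style detection of bluesnarf-like activity from a Bluetooth event log.

Added example, not Whitehouse's Sweet Tooth and not code from the article. The
log format, service names and addresses are constructed; a real honeypot would
log whatever its Bluetooth stack exposes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per inbound connection attempt to the honeypot phone.
SAMPLE_LOG = """\
2004-09-12T14:03:11 src=00:11:22:AA:BB:01 svc=obex-push paired=no result=accept
2004-09-12T14:03:14 src=00:11:22:AA:BB:01 svc=obex-ftp paired=no result=accept
2004-09-12T14:03:20 src=00:11:22:AA:BB:01 svc=sync paired=no result=accept
2004-09-12T14:05:02 src=00:11:22:AA:BB:02 svc=headset paired=yes result=accept
2004-09-12T14:07:45 src=00:11:22:AA:BB:03 svc=obex-push paired=no result=accept
2004-09-12T14:40:10 src=00:11:22:AA:BB:04 svc=obex-ftp paired=no result=accept
2004-09-12T14:40:11 src=00:11:22:AA:BB:04 svc=sync paired=no result=accept
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[0-9A-F:]{17}) svc=(?P<svc>[\w-]+) "
    r"paired=(?P<paired>yes|no) result=(?P<result>\w+)$"
)

# Services that expose the owner's data (address book, calendar). Reading these
# from an unpaired peer is the behaviour the article calls bluesnarfing. An
# unpaired obex-push (a business card or a "toothing" message) is normal traffic.
DATA_SERVICES = {"obex-ftp", "sync"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["paired"] = d["paired"] == "yes"
        events.append(d)
    return events


def analyze(events, window_seconds=60, scan_threshold=3):
    """Return {remote address: finding} for peers whose behaviour matches the signature."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        unpaired_data = sorted({e["svc"] for e in evs
                                if not e["paired"] and e["svc"] in DATA_SERVICES})
        if unpaired_data:
            reasons.append("unpaired access to data services: " + ", ".join(unpaired_data))
        # Sliding window: many distinct services touched quickly looks like a scanner.
        for i, e in enumerate(evs):
            svcs = {x["svc"] for x in evs[i:]
                    if (x["ts"] - e["ts"]).total_seconds() <= window_seconds}
            if len(svcs) >= scan_threshold:
                reasons.append(f"{len(svcs)} distinct services probed within {window_seconds}s")
                break
        if reasons:
            findings[src] = {"first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
                             "attempts": len(evs), "reasons": reasons}
    return findings


def summarize(findings):
    """Aggregate counts of the kind a deployed honeypot network could report."""
    return {"suspect_sources": len(findings),
            "suspect_attempts": sum(f["attempts"] for f in findings.values())}


if __name__ == "__main__":
    found = analyze(parse_log(SAMPLE_LOG))
    for src, info in found.items():
        print(src, info["attempts"], "attempts;", "; ".join(info["reasons"]))
    print(summarize(found))
```

The value of a honeypot here is the denominator: because the phone exists only to be probed, every unpaired data-service request it sees is unsolicited, so the counts it produces are a direct measure of how often snarfing is attempted in a given place and time.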
Bluetooth phreaking is just the beginning. The holes will get patched, but the problem won’t go away, because all the tools that hackers have spent decades developing will now be repurposed to hijack your phone. Next-generation handsets will have three entry points for the blackhats: If a snarfer can’t suck down your data with Bluetooth, he’ll try your Wi-Fi port, and if that doesn’t work, infrared.
“I guess that’s the price you pay for convergence,” Whitehouse says.
The Great Cell Phone Robbery
How security flaws in today’s mobile phones could add up to tomorrow’s perfect crime
Step 1: Approach
A virus-spreader enters Heathrow Airport toting a briefcase with a laptop and an external antenna. The rig can sniff Bluetooth signals from up to 20 feet away – and with just a bit of hacking, it can be modified to send and receive signals over much greater distances.
Step 2: Discover
Step 3: Take over
The laptop sends a program to all the vulnerable phones. Disguised as a game or a marketing promotion, the program is really a Trojan horse hiding a nasty virus. Once the user launches it, the virus hijacks the phone’s operating system, taking over basic functions like dialing and messaging.
Step 4: Propagate
Step 5: Steal
Commandeering the phones’ SMS system, the virus uses a popular European micropayment system called reverse SMS to transfer 10 euros from each phone to a temporary account in Estonia. The virus requests the transfer and stays in control until it can confirm the order. The account is closed long before any user sees the charge reflected on the monthly bill.