In the last week, Network Chemistry and Airmagnet both released free Windows utilities that scan for Bluetooth devices. Several years ago, NetStumbler, a free 802.11 wireless scanning utility, ushered in the "wardriving" era. With the release of these easy-to-use utilities, are we now on the verge of a "BlueDriving" age? I interviewed Andrew Lockhart, BlueScanner's author and lead security analyst for Network Chemistry, to find out how he made the program and if we should worry about Bluetooth vulnerabilities.
Lockhart was hired three months ago by Network Chemistry as their lead security analyst. In addition to writing BlueScanner, he has written a white paper on Bluetooth vulnerabilities and was the author of the O'Reilly book "Network Security Hacks". He told us that BlueScanner wasn't that hard to write, with the program coded from scratch in C++ and most of the Bluetooth scanning handled by Microsoft's Bluetooth API and drivers. He told us that Bluetooth functionality is already there in Windows, adding, "We just provide the interface to make it more friendly."
Bluetooth scanning is nothing new, as Linux scanners have been available for a few years. Earlier in the year, TomsNetworking brought you a two-part series on how to build a "BlueSniper" long-range Bluetooth gun. But this is the first time that someone has written a "NetStumbler-like" program for finding Bluetooth devices with Windows-based systems.
BlueScanner easily finds Bluetooth devices that have been placed in "discoverable" mode and displays the device name, physical address, device type (such as cellphone or computer) and available services. Unlike NetStumbler, BlueScanner does not have GPS tracking, but you can type in the location that you are scanning from. For example, if you were using BlueScanner to search for devices in a multiple-story building, you would start at the first floor and type in a location of "First Floor".
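The "device type" a scanner displays is decoded from the 24-bit Bluetooth Class of Device (CoD) value a discoverable device advertises. As an added example (not BlueScanner's code), the script below decodes the CoD major class and service flags, groups a scan into the per-location inventory described above, and flags devices still carrying a factory default name; the scan records, addresses and default-name list are constructed.

```python
# Added example, not part of BlueScanner: decode the Class of Device (CoD)
# value that a scanner shows as "device type" and build a per-location
# inventory from scan records, flagging discoverable devices that still use a
# factory default name. All records and default names below are constructed.
from collections import defaultdict

MAJOR_DEVICE_CLASS = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network AP", 0x04: "Audio/Video", 0x05: "Peripheral",
    0x06: "Imaging", 0x07: "Wearable", 0x08: "Toy", 0x09: "Health",
    0x1F: "Uncategorized",
}
SERVICE_CLASS_BITS = {
    13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}
# Constructed list of names devices ship with; a match suggests the owner
# never changed defaults, so the device deserves a closer look.
DEFAULT_NAMES = {"T610", "HANDSFREE", "Nokia 6310i"}

def decode_cod(cod: int):
    """Split a 24-bit CoD into its major device class and service class flags."""
    major = (cod >> 8) & 0x1F                 # major device class: bits 8..12
    services = [n for bit, n in SERVICE_CLASS_BITS.items() if cod & (1 << bit)]
    return MAJOR_DEVICE_CLASS.get(major, f"Unknown(0x{major:02x})"), services

def build_inventory(records):
    """records: iterable of (location, address, name, cod); returns {location: [entries]}."""
    inventory = defaultdict(list)
    for location, address, name, cod in records:
        kind, services = decode_cod(cod)
        inventory[location].append({
            "address": address, "name": name, "type": kind,
            "services": services, "default_name": name in DEFAULT_NAMES,
        })
    return dict(inventory)

# Constructed scan export in the style of a BlueScanner session.
SAMPLE_SCAN = [
    ("First Floor", "00:11:22:33:44:55", "T610", 0x5A020C),
    ("First Floor", "00:11:22:33:44:66", "Dave's Laptop", 0x10010C),
    ("Parking Lot", "00:11:22:33:44:77", "HANDSFREE", 0x200404),
]

if __name__ == "__main__":
    for location, entries in build_inventory(SAMPLE_SCAN).items():
        for e in entries:
            flag = "  <- default name, review" if e["default_name"] else ""
            print(f"{location}: {e['address']} {e['name']!r} {e['type']} "
                  f"{e['services']}{flag}")
```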
In initial testing of BlueScanner, Lockhart found Bluetooth devices in places that he expected and some that he didn't, saying, "I initially didn't expect to find many devices. Sure there were many in the airports, where you have a lot of business people, but I didn't expect them to be in restaurants. I also found large amounts in just random places." Lockhart even used BlueScanner at the Defcon computer security convention in Las Vegas and found quite a few devices. While you could assume that Defcon attendees would not have vulnerable Bluetooth devices, Lockhart says, "I found quite a few phones that would appear to be vulnerable and some people didn't bother to rename the model number."
I played with BlueScanner in the TG Publishing office and also in the press room of Blizzcon, Blizzard's recent gaming convention focusing on World of Warcraft. In our office, BlueScanner immediately found several devices, including my Blackberry and another editor's T610 phone. Surprisingly, it also picked up a hands-free Bluetooth headset in a BMW car parked about 75 feet away. I didn't expect a Bluetooth signal to go that far and penetrate several walls. At Blizzcon, BlueScanner found six devices in thirty seconds.
So why release such a program to the public? Back in the NetStumbler days there were some people who believed the Wi-Fi-scanning program could help hackers break into their computers. Lockhart isn't concerned about ill-intentioned people using BlueScanner, saying, "We are only here to increase awareness and the nefarious people already knew about this stuff way way long ago." He also told us that he wants people to realize just how many devices are in the environment.
Lockhart also said that he has found many Bluetooth devices in conference rooms and around the office. He has even sent messages to people's phones telling them that their Bluetooth is on. Some people were shocked and Lockhart adds, "They didn't know where this message was coming from. The phone beeps and they pull it out and see something on the screen."
What's next for Lockhart? He is pretty tight-lipped about future improvements to BlueScanner, but he has been playing around with a $17,000 Bluetooth sniffer that can pull raw Bluetooth data from the air. While the price tag may seem high, Lockhart told us that he has seen the sniffers sell for as low as $1600 on eBay. With the sniffer, he has discovered that a popular brand of phone/PDA syncs via Bluetooth in clear text. Lockhart told us the model, but said, "Please don't tell anyone because I want to call the company first."
So is it time to start worrying about Bluetooth? "The normal person doesn't have to worry much, but it could be a concern for high-profile people," says Lockhart. He explained that it might be possible to monitor a person by tracking their phone, but the average person is probably OK if they keep the phone in non-discoverable mode. Lockhart summed it up simply by saying, "If you carry sensitive data, you may want to check if you have Bluetooth in discoverable mode and if you don't need Bluetooth, just turn it off. Just use common sense."