In association with heise online

15 January 2007, 13:30

Marko Rogge

Bluetooth as Achilles' heel

How Bluetooth marketing desensitises users to mobile viruses

More and more businesses are experimenting with Bluetooth advertisements. In doing so they are doing consumers a disservice - because it is almost impossible to tell where a Bluetooth message comes from, they are smoothing the way for the distribution of mobile viruses.

In the age of fast mobile communication, marketing is also becoming ever more flexible, so it comes as no surprise that advertisers are attempting to make use of Bluetooth. After all, Bluetooth opens up new ways of sending advertising messages to mobile phones and PDAs. These adverts can include images, videos, Java games or applications, which can be transmitted to passers-by at trade shows, exhibitions, airports and stations or in the vicinity of restaurants or shopping centres.

Bluecell Networks GmbH from Gundelsheim in Germany has developed the Bluetooth hotspot technology beamzone, which recognises different mobile phone models in order to send suitably tailored applications. There are presently 115 operational Bluetooth hotspots throughout Germany, from which it is possible to receive files via beamzone. Alongside fast food chains, companies such as BMW, Ericsson, Nokia and Volvo are making use of Bluecell Networks' services in order to serve mobile phone users with advertisements.

Image 1: On mobile phones, the source of Bluetooth messages is uncertain.

The hotspots which have already been installed in Cinestar cinemas have a range of around 30 metres, enabling them to reach a substantial group of mobile phones. One of these hotspots is in a small town in Bavaria, and if you have Bluetooth activated on your mobile phone you can try out this new technology at a local fast food joint. Bluecell Networks works on the assumption that 5 to 7 percent of the people frequenting a location with a Bluetooth hotspot receive the advertisements. With an average of just over 1000 visitors per day, for example (source: McDonald's), this represents a potential 50 to 70 recipients. Because the service is free to the recipient, customers are keen to use it, and advertising data, videos, images, applications, games or Java applications find their way onto recipients' mobile phones.

The flip side

For a hacker, however, this is manna from heaven! A device claiming to be a Bluetooth hotspot can infect mobile phones with malware via short range radio. Users of smartphones running Symbian operating systems are at particular risk. In the second quarter of 2006, 12.3 million mobile phones with the Symbian OS were sold, spread across around 90 different mobile phone models. The operating system is thus of considerable interest to virus writers. F-Secure claims to have already seen 316 pieces of malware for this platform, which are able to disable a mobile phone or, for example, rack up huge costs for the user by sending MMS messages. In addition, many mobile phone viruses are able to spread autonomously via Bluetooth. Cabir and Commwarrior are currently the most widely distributed malware identified in this context.

Image 3: Once a handset is infected, it becomes extremely difficult to restore. The Skulls worm even destroys system files.

An infection can take place very quickly - anyone passing by an attacker's Bluetooth device will be offered an SIS file. The SIS extension indicates a Symbian installation file and contains executable programs and installation instructions for the mobile phone. Unfortunately mobile phone viruses also come in this sort of packaging. Whether an SIS file really installs what the name implies may be open to doubt.

Unfortunately it is not possible to check what sort of message it is until the file has been received. Symbian will attempt to install SIS files or Java applications (*.jar, *.jad) immediately. The warning message that the application does not have a valid digital certificate and that it could be malware often won't deter users from clicking on "OK" to continue the installation - if in doubt, curiosity will often get the better of caution. After successful transfer and installation, virus infection cannot be averted. At events, in cinemas or in fast food chains in particular, visitors' mobile phones may become infected with a worm more quickly than you might imagine.

Image 4: To an average user, the difference between beamzone and beamzone-0 might be hardly noticeable.

As well as not knowing what the content of a file is, the fact that the recipient does not know exactly who they have just received something from also plays into the hands of the attacker. For a normal user, it is not possible to determine whether an incoming message from beamzone is really from the beamzone Bluetooth hotspot. Normally anyone can reject incoming messages from beamzone and will then no longer be bothered by the genuine Bluecell hotspot. An attacker, however, will be a little pushier and will keep on sending the message until the user agrees or leaves the reception area.

It is relatively easy to imitate a Bluetooth hotspot. A mobile phone in which the Bluetooth name has been changed in the connection settings to beamzone or, where there is a conflict with the real hotspot, to beamzone-0, is sufficient. The suffix "-0" is unlikely to be noticed. The deception works even better with a laptop and a class 3 Bluetooth dongle, for an increased range. This combination should be as powerful as a real hotspot.
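Seen from the hotspot operator's side, the name imitation described above is something that can be watched for. The following is an added example, not part of the original article: it compares device names seen in a Bluetooth inquiry scan against the operator's own hotspot name and addresses. The scan results, the addresses and the distance threshold are constructed assumptions.

```python
import re
import unicodedata

# Assumed values for illustration: the operator's advertised name and the
# addresses of its own hotspots (constructed, not real devices).
TRUSTED_NAME = "beamzone"
TRUSTED_ADDRS = {"00:11:22:33:44:55"}

# Constructed inquiry-scan results: (device address, advertised name).
SCAN = [
    ("00:11:22:33:44:55", "beamzone"),
    ("AA:BB:CC:00:00:01", "beamzone-0"),
    ("AA:BB:CC:00:00:02", "Beamzone"),
    ("AA:BB:CC:00:00:03", "bearnzone"),
    ("AA:BB:CC:00:00:04", "Nokia 6600"),
]

def skeleton(name):
    """Reduce a name to lower-case letters, dropping suffixes such as '-0'."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    return re.sub(r"[^a-z]", "", folded)

def edit_distance(a, b):
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(addr, name):
    """Label one scanned device relative to the operator's own hotspot."""
    if addr.upper() in TRUSTED_ADDRS:
        return "known hotspot"
    target = skeleton(TRUSTED_NAME)
    sk = skeleton(name)
    if sk == target:
        return "impostor: same name after normalisation"
    if edit_distance(sk, target) <= 2:  # threshold is an assumption
        return "suspect: near-miss name"
    return "unrelated"

def audit(scan):
    """Map each scanned address to its classification."""
    return {addr: classify(addr, name) for addr, name in scan}
```

An address match is only a weak signal, since the address a Bluetooth adapter reports can be altered on some hardware; the name comparison is what catches the beamzone-0 case.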
