Tuesday, February 6, 2007

Marko Rogge

Bluetooth as Achilles' heel

How Bluetooth marketing desensitises users to mobile viruses

More and more businesses are experimenting with Bluetooth advertisements. In doing so they are doing consumers a disservice - because it is almost impossible to tell where a Bluetooth message comes from, they are smoothing the way for the distribution of mobile viruses.

In the age of fast mobile communication, marketing is also becoming ever more flexible, so it comes as no surprise that advertisers are attempting to make use of Bluetooth. After all, Bluetooth opens up new ways of sending advertising messages to mobile phones and PDAs. These adverts can include images, videos, Java games or applications, which can be transmitted to passers-by at trade shows, exhibitions, airports and stations or in the vicinity of restaurants or shopping centres.

Bluecell Networks GmbH from Gundelsheim in Germany has developed the Bluetooth hotspot technology beamzone, which recognises different mobile phone models in order to send suitably tailored applications. There are presently 115 operational Bluetooth hotspots throughout Germany, from which it is possible to receive files via beamzone. Alongside fast food chains, companies such as BMW, Ericsson, Nokia and Volvo are making use of Bluecell Networks' services in order to serve mobile phone users with advertisements.


On mobile phones, the source of Bluetooth messages is uncertain.

The hotspots which have already been installed in Cinestar cinemas have a range of around 30 metres, enabling them to reach a substantial group of mobile phones. One of these hotspots is in a small town in Bavaria, and if you have Bluetooth activated on your mobile phone you can try out this new technology at a local fast food joint. Bluecell Networks works on the assumption that 5 to 7 percent of the people frequenting a location with a Bluetooth hotspot receive the advertisements. With an average of just over 1000 visitors per day, for example (source: McDonald's), this represents a potential 50 to 70 recipients. Because the service is free to the recipient, customers are keen to use it, and advertising data, videos, images, applications, games or Java applications find their way onto recipients' mobile phones.

The flip side

For a hacker, however, this is manna from heaven! A device claiming to be a Bluetooth hotspot can infect mobile phones with malware via short range radio. Users of smartphones running Symbian operating systems are at particular risk. In the second quarter of 2006, 12.3 million mobile phones with the Symbian OS were sold, with around 90 different mobile phone models. The operating system is thus of considerable interest to virus writers. F-Secure claims to have already seen 316 pieces of malware for this platform, which are able to disable a mobile phone or, for example, rack up huge costs for the user by sending MMS messages. In addition, many mobile phone viruses are able to spread autonomously via Bluetooth. Cabir and Commwarrior are currently the most widely distributed malware identified in this context.


Once a handset is infected, it becomes extremely difficult to restore. The Skulls worm even destroys system files.

An infection can take place very quickly - anyone passing by an attacker's Bluetooth device will be offered an SIS file. The SIS extension indicates a Symbian installation file and contains executable programs and installation instructions for the mobile phone. Unfortunately mobile phone viruses also come in this sort of packaging. Whether an SIS file really installs what the name implies may be open to doubt.

Unfortunately, it is not possible to check what sort of message it is until the file has been received. Symbian will attempt to install SIS files or Java applications (*.jar, *.jad) immediately. The warning message that the application does not have a valid digital certificate and that it could be malware often won't deter users from clicking on "OK" to continue the installation - if in doubt, curiosity will often get the better of caution. After successful transfer and installation, virus infection cannot be averted. At events, in cinemas or in fast food chains in particular, visitors' mobile phones may become infected with a worm more quickly than you might imagine.


To an average user, the difference between beamzone and beamzone-0 might be hardly noticeable.

Besides not knowing what a file contains, the recipient does not know exactly who sent it, which also plays into the hands of the attacker. A normal user cannot determine whether an incoming message from beamzone really comes from the beamzone Bluetooth hotspot. Normally anyone can reject incoming messages from beamzone and will then no longer be bothered by the genuine Bluecell hotspot. An attacker, however, will be a little pushier and will keep on sending the message until the user agrees or leaves the reception area.

It is relatively easy to imitate a Bluetooth hotspot. A mobile phone, in which the Bluetooth name has been changed in the connection settings to beamzone or, where there is a conflict with the real hotspot, to beamzone-0 is sufficient. The suffix "-0" is unlikely to be noticed. The deception works even better with a laptop and a class 3 Bluetooth dongle, for an increased range. This combination should be as powerful as a real hotspot.
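For a venue that operates such a hotspot, the name collision described above can be watched for from the defender's side. The following sketch is an added example, not part of the original article or of any Bluecell product: it takes the results of a periodic Bluetooth scan as (address, name) pairs and flags advertised names that collapse to the operator's own name. The inventory, addresses and scan rows are constructed placeholders.

```python
import re
import unicodedata

# Constructed inventory: the name the operator deployed and the device
# addresses (placeholders) it is expected to be advertised from.
KNOWN_HOTSPOTS = {"beamzone": {"00:11:22:33:44:55"}}

def canonical(name: str) -> str:
    """Fold case and compatibility forms, drop a trailing counter and separators."""
    folded = unicodedata.normalize("NFKC", name).casefold().strip()
    folded = re.sub(r"[\s_\-.]*\(?\d+\)?$", "", folded)  # "beamzone-0", "beamzone (2)"
    return re.sub(r"[\s_\-.]+", "", folded)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address: str, name: str, known=KNOWN_HOTSPOTS) -> str:
    """Return 'known', 'impersonation', 'lookalike' or 'unrelated' for one scan row."""
    addr, canon = address.upper(), canonical(name)
    for real_name, addresses in known.items():
        real = canonical(real_name)
        if addr in addresses and name == real_name:
            return "known"
        if canon == real:
            return "impersonation"  # same visible name apart from a suffix
        if edit_distance(canon, real) <= 1:
            return "lookalike"      # one-character variation of the name
    return "unrelated"

def audit(scan):
    """Return the (address, name, verdict) rows that need investigation."""
    rows = [(a, n, classify(a, n)) for a, n in scan]
    return [r for r in rows if r[2] in ("impersonation", "lookalike")]

# Constructed scan results from a sweep near the hotspot.
SCAN = [
    ("00:11:22:33:44:55", "beamzone"),
    ("AA:BB:CC:00:00:01", "beamzone-0"),
    ("AA:BB:CC:00:00:02", "Beamz0ne"),
    ("AA:BB:CC:00:00:03", "Nokia 6600"),
]
```

The address comparison is an inventory check only: a device address is not authenticated, so a "known" verdict says the row matches the deployment record, not that the sender is genuine.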

Putting it to the test

An in situ test clearly showed that most recipients do not really understand what they are being offered. Young people especially hang out in fast food restaurants for lunch and are happy to utilise this free service. The potential clientele is even larger at cinemas or events. Positioned about 10 metres away with Bluetooth activated on our laptop, we provided passers-by with a second file-sending Bluetooth hotspot. All that can be seen on the phone screen is that a message has been received. It is not clear whether it's an image, a video, an executable file or even a virus.


If the application appears interesting, users will often accept installation after repeated invitations to do so.

In our test, 4 of 10 recipients were prepared to install the software we had sent them, without knowing what it was. None of the mobile phone users who had accepted the file had a problem with the fact that the software did not have a valid certificate. In our test no information on the Bluetooth hotspots was displayed and staff at the location were also unable to give us any information. Naturally the test file we used in the test was not a virus, just a calculator application which had been renamed. However, it permitted us to test whether users were informed about mobile phone viruses and whether the name at least would put users off.

Bluecell Networks state that it is easy for the user to determine who they are receiving stuff from. There is, the company says, clear information on the presence of a beamzone, which has a range of only a few centimetres. A user would therefore have to consciously move into the zone and consent to receive messages. The name of the zone would also be clear and the sent applications would always have a digital certificate from Verisign. Bluecell Networks' general manager Rainer Rother admits, however, that as with all security measures it is up to the user to decide whether all necessary conditions are met.

Outlook

In the future, people should pay more attention to security of mobile phones or other Bluetooth devices, because technologies such as beamzone are likely to become established as marketing instruments. Nowadays everyone knows that executable files sent as e-mail attachments on their PC shouldn't be trusted. The same problem applies with mobile phones; however, the level of awareness is, at least at present, much lower. Without a mobile phone virus scanner, currently the only effective means of protecting yourself from Bluetooth attacks is to deactivate the interface. Bluetooth should only be activated when it's needed. Users should also only accept files from senders who are right in front of them. Users should not even open messages which drift in via Bluetooth and whose origins are unclear. The manufacturers of mobile devices such as mobile phones and PDAs should pay more attention to wireless communications security and create technical opportunities for normal users to be able to recognise potential threats.

 
