Bluetooth Spam

Advertisers are beaming unwanted content to Bluetooth phones at a distance of 100 meters.

Sure, it's annoying, but worse, there are serious security risks. Don't believe this:

Furthermore, there is no risk of downloading viruses or other malware to the phone, says O'Regan: "We don't send applications or executable code." The system uses the phone's native download interface so they should be able to see the kind of file they are downloading before accepting it, he adds.

This company might not send executable code, but someone else certainly could. And what percentage of people who use Bluetooth phones can recognize "the kind of file they are downloading"?

We've already seen two ways to steal data from Bluetooth devices. And we know that more and more sensitive data is being stored on these small devices, increasing the risk. This is almost certainly another avenue for attack.

Posted on August 23, 2005 at 12:24 PM • 38 Comments

Comments

Davi OttenheimerAugust 23, 2005 12:32 PM

I was actually at a dinner reception in Europe recently where some people thought it funny to beam offensive (e.g. pornographic) pics and video to everyone else's bluetooth phone. Noone knew what the file was until they opened it...

LeeAugust 23, 2005 1:46 PM

Maybe someone will catch a bluetooth spammer in the act and give him a severe beating on behalf of the entire web community.

ArikAugust 23, 2005 1:57 PM

There are two mitigating factors to this spam problem:

1. Bluetooth can be disabled, and one can disable discovery on my phone (in fact both my Nokia 6310i and BlackBerry 6210 came with Bluetooth disabled by default). This does not hinder normal phone operations, so if someone wants they CAN avoid the spam, while still enjoying their bluetooth headset.

2. Trojans infecting someone's phone will cost the person a lot of money when they dial out or send SMS or data that infects other phones. It is not like when your PC is just a bit slow when you have a spyware infestation, it will relly hurt. People will tend to be careful once a few incidents have happened IMHO.

Davi OttenheimerAugust 23, 2005 2:59 PM

"Does that mean Bluetooth can be used to share movies?"

Most definitely.

Good point about the RIAA. Even though cell-phones have the ability download and broadcast movies with a one-to-many signal, they are about as small as movies on the Internet in 1994. Thus, historically speaking, it could take four or five years for the movies to become a legit concern to the RIAA and another five for them to start clamping down on the "feature"...or maybe they will move faster due to the larger install-base of cell-phones.

Some expect cell-flicks to become as common as ringtones:

http://www.businessweek.com/technology/content/...

"Eventually, people might even watch new Hollywood releases on their cell phones, says Julie Coppernoll, director of marketing for chipmaker Intel's wireless broadband division."

Davi OttenheimerAugust 23, 2005 3:02 PM

"Maybe someone will catch a bluetooth spammer in the act"

If I remember correctly the "whisperer" is mounted and left behind to broadcast a signal. You could therefore only really destroy/disable the device that was spamming you...much harder to trace the device to the actual spammer(s).

Bill McGonigleAugust 23, 2005 3:14 PM

Can somebody please find a way to measure the bluetooth signal strength and use the phone as a Bluetooth signal finder? IIRC, the source signal should contain a unique ID. If one can pinpoint the source of transmission using a compass-like interface, one has choices about what to do with the transmitter.

Michael MacleanAugust 23, 2005 3:40 PM

I can see another potential problem - if people get used to advertisers sending rubbish at them, some people will get used to accepting it by default. Then, if someone else decides to send something malicious they could end up accepting that as well. I might be underestimating people, but I doubt it!

the other gregAugust 23, 2005 4:38 PM

@Bruce S.

>At least spammers 100 yards away can't be in Nigeria. (At least, not unless I'm also in Nigeria.)

The Bluetooth device could be connected to the Internet at large by any conceivable means. That is, the emitter could be a BAP (Bluetooth Access Point) being controlled from anywhere on the internet.

In fact, I would EXPECT these emitters to be connected to the Internet at large. Something like a TINI server wired up to a Bluetooth module, with the TINI's "server" facing the internet.

[http://www.maxim-ic.com/TINIplatform.cfm]

-- GG

Chung LeongAugust 23, 2005 6:23 PM

Very interesting idea. At this stage I wouldn't call it spam. It's targeted advertising, the type that consumers appreciate. If I'm staring at a movie poster then there's a good chance that I would want to see its trailer, especially if I have nothing else to do (say waiting for a train). The problem with this scheme is that it can be done very cheaply: all you need is a bluetooth phone. Soon enough every merchant will be doing this. Walk past Joe Blow's pizzeria and Mr. Blow will try to beam a picture of his pie into your phone. In no time consumers will get sick of this and start to turn off Bluetooth en masse.

Big Wicked GrinAugust 23, 2005 6:26 PM

Now let me get this right. The guys doing this reckon it's ok to throw unsolicited garbage at your mobile. I guess that must mean that they must be only too happy to receive unsolicited garbage on their own mobiles? How thoughtful of them then to publish their mobile numbers on their corporate website at www.bluecasting.com/en/contact.html - I'm sure they'd like an SMS or two telling them what people think of their service?

WoodyAugust 23, 2005 7:08 PM

@Davi

The higher-speed wireless networks are actually capable of streaming digital-tv quality signals in real-time. Not widely available (if at all) here in the US, but is available in Korea (where you can travel at ~300mph between cities on a bullet train while watching TV on your cellphone).

TV is actually rather low resolution. DVDs are quite a bit higher. HiDef is a completely different ballpark.

RogerAugust 23, 2005 7:45 PM

I see this as a good thing, not a bad one. Consider:

1. The only good thing about Bluetooth--and a point so often raised in its "defense"--is that it can be disabled, however unfortunately the average user can't be trusted to disable it as soon as he receives his new phone;

2. Here is an application that will become so annoying, it will motivate Joe User to disable Bluetooth.

Perhaps this model can be extended to other areas, such as getting users to inspect X 509 certs by sending them lots of annoying spam emails that appear to be from their bank.

Mr SarcasticAugust 23, 2005 9:18 PM

All these posts and no mention of the fact 'terrorists' could potentially use this as a method for setting off bombs....

Hasn't George W taught you anything ?

gregAugust 23, 2005 10:16 PM

@Mr Sarcastic

They could also use cell phones. Or a 20cent timer from the local hobby shop. Or just a simple wind up clock. Or.....

The list is endless.

We don't just ban it cus it can be used in a bad way. Thats silly.......

Hope you are really being sarcastic.

Greg

Thomas SprinkmeierAugust 23, 2005 10:30 PM

"At this stage I wouldn't call it spam. It's targeted advertising"

It just happens to be targeted at anyone within range(*) who has a bluetooth-capable device.

Sort of like email SPAM is targeted at anyone with an email address.

(*) how large an area could an over-powered transmitter cover?

jammitAugust 23, 2005 11:14 PM

@ Davi Ottenheimer: What about finding the whisperer and reprogramming it? If the spammer is supplying the hardware, might as well use it for phun purposes. Perhaps even find two units close enough to each other. Reprogram them both to answer "yes" to each others blue tooth spam (blam?) advertisements. It kind of reminds me of a sheet of paper that has printed on both sides "To find out how to keep an idiot busy for hours, please turn over".

Chung LeongAugust 24, 2005 12:22 AM

"All these posts and no mention of the fact 'terrorists' could potentially use this as a method for setting off bombs."

Well, when you have a inexpensive, robust, secured radio transmission system with highly miniturized antennae, I think it's pretty much a given that some point in the future someone is going to use it in a remote-controlled bomb. You can't stop progress though.

Gopi FlahertyAugust 24, 2005 5:48 AM

"2. Trojans infecting someone's phone will cost the person a lot of money when they dial out or send SMS or data that infects other phones."

There have been Windows trojans for a number of years that switch your dial-up networking to a 900 number, or local equivalent, or even worse to an international 900 number.

With the right enticement, you can get significant numbers of people to do just about anything, sadly.

In the UK, what's even worse is that the companies often get away with it. The small print in the EULA explains that you're paying for access to their top quality pornography. Given how much people do seem to be willing to pay for such services, it is genuinely difficult to come up with an objective standard.

There have actually been legal cases between British Telecom and these companies, when BT has tried to shut them down, and they've sued back.

Gopi FlahertyAugust 24, 2005 6:03 AM

@Roger:
'1. The only good thing about Bluetooth--and a point so often raised in its "defense"--is that it can be disabled, however unfortunately the average user can't be trusted to disable it as soon as he receives his new phone;'

I disagree. I find bluetooth very useful, and use it multiple times a day. It's convenient to not have cables getting in the way. Every single portable device seems to use a unique, proprietary serial connector - so being able to connect my PDA, cellphone, laptop and GPS would require three different cables at a minimum - then I want to plug my PDA in to my laptop and I'm having to add a few adaptors to the mix as well.

I used to use IrDA, but the alignment issues are quite annoying for anything other than very short transmissions - it's good to send a picture or business card, not to dial in to the 'net.

Bluetooth can be reasonably secure:
1. Most of the previous exploits have been implementation flaws, such as buffer overflows, or even having services running secretly on un-announced ports. Those can be fixed.

2. You can leave Bluetooth on, but turn off "discoverable" mode. This means that previously "paired" devices - pairing involves sharing some key information, and entering the same arbitrary number into both devices - can communicate, but you won't be able to actually find a device you haven't already established communications with.

Leaving off discoverable will let you use a BT headset, and any other BT accessories you yourself own and have set up, but will prevent this system from sending you messages.

3. The 100m range is an exaggeration. BT is a bi-directional protocol. There are three power levels for BT transceivers. The lowest, which I have never seen used, gets you a few feet. The middle range is about 10m, line of sight - bodies reduce it enough that a BT phone on your right hip might be at the range limit hitting your left ear.

Very few, if any, phones support the highest level, giving you 100m of range. Laptops often will, because they don't care about power, but even then they often don't. Because BT is a bi-directional protocol, the transmit power of the phone must be strong enough to reach back to the spammer.

Of course they could include better antennas, better RF front ends, etc. but even then it would be quite difficult to extend the range very much. I don't think this device, for the vast majority of phone users, will have a range beyond 5m to maybe 10m.

Ed T.August 24, 2005 6:47 AM

Let's see,...

Bluetooth Spam == BAM!

Sort of like the sound you hear when the Wooden Mallet of Kl00fullness squishes some deserving spammers' 'nads against the anvil.

I wonder if Emeril has trademarked that word yet?

Ed T.August 24, 2005 6:51 AM

@chung,

Until they utilize a directional antenna, and employ mind-reading techniques to discern my intentions in advance, calling it "targeted" advertising is like calling a Nigeria 419 a "legitimate investment opportunity".

Just because I am within 100ft of someone's place of business doesn't mean I have any interest in their wares. What if I was walking through the local red-light district (as happened to me as a kid, when my family got lost while walking in Amsterdam.) Bet that "targeted advertising" would be interesting!

RogerAugust 24, 2005 7:51 AM

@Gopi Flaherty:
"I disagree. I find bluetooth very useful, and use it multiple times a day."

I was exaggerating somewhat to make my point (you may have noticed my whole post was tongue in cheek). However, having said that...

"It's convenient to not have cables getting in the way."

This is the mot common argument offered for its application, and IMHO it's rubbish. I currently have on my desk 8 devices with a total of approx. 24 cables interconnecting them (some of them stiff RG-59), and frankly it's no big deal. It's a very slight inconvenience when I want to get behind the desk to add a whole new device, but that occurs maybe once a month, and by "slight inconvenience" I mean "takes about 90 seconds".

At least around here, the reality is that the number one reason for people getting Bluetooth devices at the moment is because cordless earpieces are currently a yuppie status symbol.

"Every single portable device seems to use a unique, proprietary serial connector - so being able to connect my PDA, cellphone, laptop and GPS would require three different cables at a minimum"

Yep. Three cables, no big deal.

" - then I want to plug my PDA in to my laptop and I'm having to add a few adaptors to the mix as well."

Huh? All my devices with funny serial (or USB) connectors at one end have standard ones at the other end. In any case what you're talking about here is just a bad connector design, it's not really an argument for a whole new technology.

"I used to use IrDA, but the alignment issues are quite annoying for anything other than very short transmissions"

You see that as a bug. I call it a feature! It's MEANT to be short range, that's why it's relatively safe. The fact that you can squeeze out a few more metres through careful alignment is an unavoidable defect; but at least it doesn't go through walls.

" - it's good to send a picture or business card, not to dial in to the 'net."

I connect to the net through some copper wires that transfer my data considerably faster than the upstream link can handle.

"Bluetooth can be reasonably secure:"

This is where we disagree. The idea of replacing a 3 or 4 m copper cable with a wireless protocol is fundamentally crazy. Most people just don't realise how extremely problematic security is as soon as it goes wireless.

"1. Most of the previous exploits have been implementation flaws, such as buffer overflows, or even having services running secretly on un-announced ports. Those can be fixed."

No, they can't be fixed; there will always be more implementation flaws to find -- especially in a protocol that is advertised principally for its convenience.

"2. You can leave Bluetooth on, but turn off "discoverable" mode. This means that previously "paired" devices - pairing involves sharing some key information, and entering the same arbitrary number into both devices - can communicate, but you won't be able to actually find a device you haven't already established communications with."

This is only true of current hacks, which are still manipulating the protocol at a relatively high level. When they start playing with the low level spec, any device that communicates will be "discoverable". To actually connect will require reconstruction of the encryption key, but due to the badly flawed user interface of the security specs, this is usually trivial. (Many of the most popular devices have a fixed factory default PIN, and others have a maximum of 4 decimal digits. Even on those cell phones which can have eight digit alphanumeric keys in principle, in practice entering such a key is extremely clumsy so few users do.)

"Leaving off discoverable will let you use a BT headset, and any other BT accessories you yourself own and have set up, but will prevent this system from sending you messages."

Regrettably this may be true; thereby avoiding the opportunity of getting people to disable it altogether.

"3. The 100m range is an exaggeration. BT is a bi-directional protocol. There are three power levels for BT transceivers. The lowest, which I have never seen used, gets you a few feet. The middle range is about 10m, line of sight - bodies reduce it enough that a BT phone on your right hip might be at the range limit hitting your left ear."

100 metres is just absurd for a so-called "piconet", but even 10 metres is far too much. If Bluetooth is meant to replace serial protocols than a suitable range would be if anyone connecting to it had to be close enough that I could see they were doing something fishy to my stuff. If you ever go in a building with wooden floors, that works out to about 2 ~ 3 metres. 10 metres radius (20 metres diameter) is _far_ too long, that encompasses something like 7 storeys.

"Very few, if any, phones support the highest level, giving you 100m of range. Laptops often will, because they don't care about power, but even then they often don't. Because BT is a bi-directional protocol, the transmit power of the phone must be strong enough to reach back to the spammer."

Signal gain from a directional antenna is bidirectional already.

"Of course they could include better antennas, better RF front ends, etc. but even then it would be quite difficult to extend the range very much. I don't think this device, for the vast majority of phone users, will have a range beyond 5m to maybe 10m."

Nope, sorry, it has already been demonstrated, in front of an audience, that by simply fitting a directional antenna to the snooper's device, a Bluetooth phone can be connected to and Bluesnarfed at a distance of more than a mile:
http://trifinite.org/trifinite_stuff_lds.html
Cost of this project was probably absolute peanuts; antennae of this type are often constructed by radio amateurs from scrap metal.

Ben SmythAugust 24, 2005 8:15 AM

@Roger

>>It's convenient to not have cables getting in the way.
>
>This is the mot common argument offered for its application, and IMHO
>it's rubbish. I currently have on my desk 8 devices with a total of approx.
>24 cables interconnecting them (some of them stiff RG-59), and frankly it's
>no big deal. It's a very slight inconvenience when I want to get
>behind the desk to add a whole new device, but that occurs maybe once a
>month, and by "slight inconvenience" I mean "takes about 90 seconds".

So what about when you are mobile?

Or when you are sharing a bluetooth device between x users?

Or...

Personally I don't like the handsfree headsets... they need batteries.

DarkFireAugust 24, 2005 8:38 AM

@Davi:

{SNIP}
much harder to trace the device to the actual spammer(s).
{SNIP}

Not at all... Good old fashioned forensics. Of course this would only apply is something happened that constituted a criminal offence.

Chung LeongAugust 24, 2005 8:53 AM

'Just because I am within 100ft of someone's place of business doesn't mean I have any interest in their wares."

What it does mean though is that you're within walking distance.

"What if I was walking through the local red-light district (as happened to me as a kid, when my family got lost while walking in Amsterdam.) Bet that "targeted advertising" would be interesting!'"

That is going to happen, you know.

Davi OttenheimerAugust 24, 2005 12:51 PM

"yuppie status symbol"

More like a pro-geek status symbol, which somehow seems mutually exclusive...

"Not at all... Good old fashioned forensics."

I have no idea what "old-fashioned" forensics means with regard to tracing ownership of bluetooth emitters, but I suspect that even modern forensics will have a hard time finding the owner of a simple broadcast device left on a bridge to broadcast advertisements to passers-by (on trains, in cars, etc.). Maybe you meant good old-fashioned surveillance?

darkFireAugust 24, 2005 1:10 PM

Not necessarily. A squirell brush & some powdered aluminium will quickly reveal any tapable fingerprints. A swab will give you any usable DNA for later analysis.

Good old fashioned surveillance would also of course be useful in this case ;-)

Gopi FlahertyAugust 25, 2005 11:42 AM

@Roger:

I'm referring to portable devices, not desktop devices. Carrying three cables in my pocket all the time gets annoying quickly. As to why the serial ports aren't compatible - there are no standard connectors for RS-232 that are suitable. Should there be? Perhaps, but then nobody will put enough serial ports on handhelds anyway.

As to the directional BT antennas...
Great proof of concept, great for targeting once person, but the BT sniper antenna is _way_ too directional to be useful for something like this spam setup.

I'm sure that a better antenna could improve your spamming results somewhat, but 100m is really pushing it. It takes many seconds for a complete BT object push transaction, so you need to have a wide enough angle antenna to deal with people walking past.

"This is only true of current hacks, which are still manipulating the protocol at a relatively high level."

I've been told that SDP buffer overflows are a current point of attack. That's reasonably low level.

As to my complaints about IrDA, you've misunderstood. IrDA is irritating to use for more than short _durations of time_, because even at quite short distances you need a lot of alignment. I used to use it for connecting to the 'net from my PDA to my cellphone. Keeping them pointed unless I was sitting at a table was frustrating. Checking my e-mail while standing on the bus was exceedingly tedious.

You mention that there will always be flaws. Perhaps, you're probably right. If disabling any remote access is how you deal with flaws, I hope that none of your computers are connected to networks right now. You think that 10m or so wireless links open you up to security holes - just imagine if somebody on the other side of the planet could anonymously exploit flaws.

Personally, I think that short range wireless is less concerning to me than anonymous IPs from around the world.

CedricSeptember 6, 2005 2:10 PM

How about simply turning off your bluetooth if you do not want to be spammed? Has anyone thought of that yet.... ? Unlike other messaging, Bluetooth (and infrared) can be turned off, you know....

Cell Phones SuckSeptember 21, 2005 8:29 PM

On the positive side, maybe this will discourage cell phone usage somewhat. One thing that could be done is to place transmitters along the highway that beam a bluetooth message of "hang up and pay attention to traffic" to those annoying ignoramuses that insist on having animated cell phone conversations while driving down the highway.

Blues ClueNovember 19, 2006 6:01 PM

NO it is not possible to get their phone number directly. But you can track the MAC address and know where a phone goes. (ie you know where the owner goes about and build up a profile of how you live.)

It is actually worse than SPAM. For spam it collected up in your email.. and you can highlight a bunch of messages and delete them all at once in your own time. actually with MSN messenger now deliving a pop up message informing me I recieved an email such as "SPECIAL offers" it is annoying. I'm working in word or worse still I am playing a game and I get switched out to recieve a message on a similar terms of "do you want to read a message"

dave January 27, 2009 12:20 AM

well you all say that you can turn off your bluetooth but you are still at risk
as we can brut force your port open with out the owner of the phone knowing that it has bin it is very easy to do and dose not that much work at all this is one big hole in the bluetooth program and it would be hard to fix as old phones would have to reprogramed and some say you can trace them back to the sorce but i have tride that with some of my programs and it is a lot of work how many phones are in you city or town and our system is not able to do that for one or two spam

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..