When I give presentations on security, especially mobile security, I stress that it’s important for mobile professionals to turn their Bluetooth devices OFF. The reason for this is that hackers can access your mobile devices through their Bluetooth connectivity. Think I’m joking? Symantec writes about it here.
(I know many of you think “Bluetooth” is a headset for your cell phone. NO. Bluetooth is a wireless technology that many mobile devices – like wireless headsets – use to connect to other devices.)
W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth. It is yet another indicator that W32.Flamer is not only exceptional, but that it is a comprehensive information gathering and espionage tool. The CrySyS laboratory has previously documented the technical details of Bluetooth in W32.Flamer. But, what does this actually mean for potential victims targeted by Flamer? What can an attacker accomplish using Bluetooth?
The Bluetooth functionality in Flamer is encoded in a module called “BeetleJuice”. This module is triggered according to configuration values set by the attacker. When triggered it performs two primary actions:
- The first is to scan for all Bluetooth devices in range. When a device is found, its status is queried and the details of the device recorded—including its ID—presumably to be uploaded to the attacker at some point.
- The second action is to configure itself as a Bluetooth beacon. This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area. And there is more. In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer (see Figure 1) and then stores these details in a special ‘description’ field.
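
The beacon behaviour described above is something a defender can look for: a workstation that shows up in a Bluetooth sweep of the office when policy says it should not be discoverable. The following is an added example, not code from Symantec or from this post; the sweep log format, the device names and addresses, and the approved list are all constructed assumptions. It reads the major device class from the standard 24-bit Bluetooth Class of Device value.

```python
import csv
from collections import Counter

# Major device class is held in bits 8-12 of the 24-bit Class of Device value.
MAJOR_CLASS = {1: "computer", 2: "phone", 4: "audio/video", 5: "peripheral"}

# Constructed sweep log (hypothetical format): time, address, CoD, name.
SWEEP_LOG = """\
2012-06-04T09:00,00:00:5E:00:53:01,0x3E010C,FINANCE-LT-07
2012-06-04T09:00,00:00:5E:00:53:02,0x240404,Headset
2012-06-04T09:00,00:00:5E:00:53:03,0x5A020C,Phone
2012-06-04T09:00,00:00:5E:00:53:04,0x3E0104,CONF-ROOM-PC
2012-06-04T13:00,00:00:5E:00:53:01,0x3E010C,FINANCE-LT-07
2012-06-04T13:00,00:00:5E:00:53:04,0x3E0104,CONF-ROOM-PC
"""

# Assumption: the only computer allowed to be discoverable under local policy.
APPROVED_DISCOVERABLE = {"00:00:5E:00:53:04"}


def major_class(cod):
    """Return the major device class name for a Class of Device integer."""
    return MAJOR_CLASS.get((cod >> 8) & 0x1F, "other")


def parse_sweep(text):
    """Yield one record per non-empty log line."""
    for row in csv.reader(text.splitlines()):
        if row:
            when, addr, cod, name = row
            yield {"when": when, "addr": addr.upper(),
                   "class": major_class(int(cod, 16)), "name": name}


def unexpected_computers(text, approved):
    """Map address -> (name, sweeps seen) for unapproved discoverable computers."""
    sightings, names = Counter(), {}
    for rec in parse_sweep(text):
        if rec["class"] == "computer" and rec["addr"] not in approved:
            sightings[rec["addr"]] += 1
            names[rec["addr"]] = rec["name"]
    return {addr: (names[addr], n) for addr, n in sightings.items()}


if __name__ == "__main__":
    hits = unexpected_computers(SWEEP_LOG, APPROVED_DISCOVERABLE)
    for addr, (name, n) in hits.items():
        print(f"{addr} {name}: discoverable in {n} sweep(s), not approved")
```

A computer that stays discoverable across several sweeps without being on the approved list is worth a closer look on the host itself; the sweep only shows that the radio is advertising, not why.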