Questions we asked the survey takers on video:
1. What do you think about cellphone security?
2. Do you know what bluetooth is?
3. Are you able to distinguish whether your device is accessible to others via bluetooth?
4. Did you know that bluetooth can be a security risk?
****SHOW THEM THE DEVICES****
5. What are your thoughts on bluetooth security?
I don't plan on this being a run-of-the-mill gadget blog with just postings of the latest and greatest gadgets. Sure there will be plenty of cool shiny tech toys and insights on them, but I also want to highlight some of the implications they may have on the ever-changing consumer electronics market, as well as examining some of the real game-changing products from recent history, and the effects the industry has had on us, our lives, and the environment.
Thursday, October 14, 2010
Bluetooth Study Raw Data
“Partner Project- Bluetooth Vulnerability” Final Draft
Mobile phones and laptops are more a part of our world today than ever. A survey by CTIA of wireless carriers revealed that over 285 million Americans are mobile subscribers, about 91 percent of the total population. We want to take a look at how secure mobile phones really are. If so many citizens use mobile phones, what could happen if cell phones’ data wasn’t as secure as we once thought? Our research shows that bluetooth technology is the most used means of attempting mobile phone security breaches. Bluetooth is an open wireless technology standard for exchanging data over short distances (using short wavelength radio transmissions) from fixed and mobile devices. One of the essential elements in ensuring widespread use was having low expectations of users’ technical ability and minimal levels of user setup and configuration. Each bluetooth device creates a personal area network (PAN) with high levels of security.
Despite this security, the wireless nature of bluetooth means that the signals being sent through the air can be intercepted by others. During the communication the address itself isn’t encrypted, although the message may be encrypted. When that signal is caught out of the air it can be analysed and decoded. A would-be attacker could also connect a bluetooth monitor and mouse to your PC to take control and steal your data, or someone could hack into the connection between your mobile phone and bluetooth headset to listen in on your conversation. In addition, a hacker could use a brute-force address discovery process to record the MAC address and hack the device with software called RedFang. This software is widely available for download (http://www.net-security.org/software.php?id=519).
There are also ways that attackers can spoof the identity of a particular device, to take its place in a bluetooth connection. To combat these risks, bluetooth was designed with several security measures in place. Generally when you connect two devices, you need to input a PIN on both. This sets up a secured connection between the two. One other hacking technique that gets around this is called “bluesnarfing”, which can apparently allow hackers to silently access a mobile phone’s contacts, calendars, and pictures. There is at least one worm that attempts to spread itself via bluetooth, and DoS (Denial of Service) attacks are also possible. So in short, there are a lot of vulnerabilities in the bluetooth architecture. (Source: http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group15/index.html)
To start our study we went to three locations and attempted to see which of these bluetooth PAN networks were accessible. In each location there were at least 20 or so students (most with phones and laptops) with visible and accessible PANs. We then wanted to conduct a survey to poll people’s knowledge of bluetooth technology and mobile phone security. In our survey we found that most subjects barely even knew what bluetooth technology was. Most had seen the bluetooth symbol on their wireless devices but didn’t know much about how to turn it off or what implications it had. After we informed the subjects that bluetooth technology could possibly lead to a security breach, most felt they would be more careful in the future.
The faculty of engineering at the University of Ulster did a case study very similar to ours but on a much larger scale. They first researched bluetooth vulnerabilities and learned about the different means of hacking bluetooth-enabled devices. Like us, they did this to gauge the overall lack of awareness in the area and to identify the percentage of popular devices susceptible to security breaches. They found that over 340 devices were detected during the five-day period of their study. They were able to see that over 50 of the 340 devices could be at risk for attack. Companies such as Nokia and Sony Ericsson have since acknowledged the existence of bluetooth vulnerabilities and recommend users “to set their bluetooth devices to undiscoverable”, and said that they wouldn’t be releasing a fix for these vulnerabilities because the potential for attacks is limited. http://www.scribd.com/doc/2682865/Case-Study-on-the-Bluetooth-Vulnerabilities-in-Mobile-Devices
In addition to Nokia’s tip to make your device “undiscoverable”, here are a few additional steps that will help ensure that your mobile phone isn’t breached. Firstly, don’t accept any request to pair your device if you’re not facilitating this. Secondly, use atypical patterns as PIN keys when you are attempting to pair your device. Thirdly, delete devices that you aren’t using but are still paired with. Lastly, enable encryption when establishing connections and make sure to get the latest security updates installed. These tips should help prevent unauthorized connections to your device.
http://www.brighthub.com/computing/smb-security/articles/30045.aspx
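The tips above can be checked mechanically on a laptop. The following is an added example, not part of the original post: it assumes a Linux machine where BlueZ's `bluetoothctl show` and `bluetoothctl info <address>` output has been captured as text, and it flags a discoverable adapter, paired devices you no longer use, and a predictable pairing PIN. The sample output, the `in_use` allowlist and the PIN heuristic are constructed for illustration.

```python
import re

# Constructed sample of `bluetoothctl show` output (addresses are made up).
SAMPLE_SHOW = """\
Controller 00:11:22:33:44:55 (public)
\tName: lab-laptop
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
"""

# Constructed sample of `bluetoothctl info <address>` output, one block per device.
SAMPLE_INFO = """\
Device AA:BB:CC:00:00:01 (public)
\tName: Headset
\tPaired: yes
\tConnected: yes
Device AA:BB:CC:00:00:02 (public)
\tName: Old Phone
\tPaired: yes
\tConnected: no
"""

def parse_blocks(text, kind):
    """Split bluetoothctl output into one dict per 'Controller' or 'Device' block."""
    blocks = []
    for line in text.splitlines():
        head = re.match(rf"{kind} ([0-9A-F:]{{17}})", line)
        if head:
            blocks.append({"Address": head.group(1)})
        elif blocks and ":" in line:
            key, _, value = line.strip().partition(":")
            blocks[-1][key] = value.strip()
    return blocks

def weak_pin(pin):
    """Heuristic (an assumption of this example): short, repeated or sequential PINs."""
    if len(pin) < 4 or len(set(pin)) <= 1:
        return True
    if pin.isdigit():
        steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
        return steps in ({1}, {9})  # 1234-style or 4321-style runs
    return False

def audit(show_text, info_text, in_use, pin=None):
    """Return findings; in_use is the set of addresses you still actively use."""
    findings = []
    for ctl in parse_blocks(show_text, "Controller"):
        if ctl.get("Discoverable") == "yes":
            # BlueZ prints the timeout in hex; 0 means discoverable indefinitely.
            timeout = int(ctl.get("DiscoverableTimeout", "0x0").split()[0], 16)
            note = "with no timeout" if timeout == 0 else f"for {timeout}s"
            findings.append(f"{ctl['Address']}: discoverable {note}")
    for dev in parse_blocks(info_text, "Device"):
        if dev.get("Paired") == "yes" and dev["Address"] not in in_use:
            name = dev.get("Name", "?")
            findings.append(f"{dev['Address']}: paired but unused ({name}), remove it")
    if pin is not None and weak_pin(pin):
        findings.append("pairing PIN is predictable")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW, SAMPLE_INFO, {"AA:BB:CC:00:00:01"}, pin="1234"):
        print(finding)
```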
Tuesday, October 12, 2010
“Partner Project- Bluetooth Vulnerability”
Mobile phones and laptops are more a part of our world today than ever. A survey by CTIA of wireless carriers revealed that over 285 million Americans are mobile subscribers, about 91 percent of the total population. We want to take a look at how secure mobile phones really are. If so many citizens use mobile phones, what could happen if cell phones’ data wasn’t as secure as we once thought? Our research shows that bluetooth technology is the most used means of attempting security breaches. Bluetooth is an open wireless technology standard for exchanging data over short distances (using short wavelength radio transmissions) from fixed and mobile devices, creating personal area networks (PANs) with high levels of security.
Despite this security, the wireless nature of bluetooth means that the signals being sent through the air can be intercepted by others. A would-be attacker could connect a bluetooth monitor and mouse to your PC to take control and steal your data, or someone could hack into the connection between your mobile phone and bluetooth headset to listen in on your conversation. There are also ways that attackers can spoof the identity of a particular device, to take its place in a bluetooth connection. To combat these risks, bluetooth was designed with several security measures in place. Generally when you connect two devices, you need to input a PIN on both. This sets up a secured connection between the two. One other hacking technique that gets around this is called “bluesnarfing”, which can apparently allow hackers to silently access a mobile phone’s contacts, calendars, and pictures. There is at least one worm that attempts to spread itself via bluetooth, and DoS (Denial of Service) attacks are also possible. So in short, there are a lot of vulnerabilities in the bluetooth architecture. (Source: http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group15/index.html)
To start our study we went to three locations and attempted to see which of these PAN networks were accessible to use given that we knew their password. In each location, with at least 20 or so students (most with phones and laptops), we could see that their PAN network was visible and accessible. We then wanted to conduct a survey to poll people’s knowledge of bluetooth technology and mobile phone security. In our survey we found that most subjects barely even knew what bluetooth technology was. Most had seen the bluetooth symbol on their wireless devices but didn’t know much about how to turn it off or what implications it had. After we informed the subjects that bluetooth technology could possibly lead to a security break, most felt they would be more careful in the future.
Monday, October 4, 2010
Privacy and Consumer Electronics
Consumer electronics can do all sorts of wonderful things for us. My android phone for example lets me check email, manage my calendar, search the internet, and has a gps receiver so I can get directions for wherever I need to go. All of these great things require some pretty significant back end work on Google's part. They have to host servers to store and deliver my gmail and google calendar to me, they have to provide me with google maps over my phone's data connection on the fly for my gps navigation, and deliver me search results whenever I ask for them. Besides the initial cost of the phone, this is all free (I still have to pay my wireless provider for service of course). Exactly what does Google stand to gain from all of this work they are doing? One word- information.
Google has made its money from web advertising, and specifically, targeted ads based on what users search for, or in the case of gmail, what is written in their email messages. They are pushing really hard into the cell phone market with android phones because they realize the potential to make even more money from more users and more advertising. This isn't necessarily an evil thing, and we have all been using Google for searching for years, but there are some serious potential privacy issues possible here. Before continuing, I want to state that I am personally a HUGE Google fan and absolutely LOVE my android phone (and have no idea how I would get through my daily life without it). So when I am saying that I have privacy concerns about the android operating system, it is not just a thinly veiled attack on Google.
My concern with android is just how much information they have about me. It is one thing for google to keep track of your searches on a computer. Oh sure, they may find out over time that you really have a thing for woodcarving and classic American muscle cars, and deliver you appropriate ads. But let's consider for a moment the sort of data that is used as part of a smart phone. First of all, there are your searches, just like on a computer. Same for email, which if you use gmail, they also have access to. Oh and your calendar and contacts, aka, where you will be at various times of the day and the people you will see. But now you are going to get directions from the phone to get somewhere. That search for the location you want, stored on google's servers. The route they send back to you, ditto. And finally, your exact location, courtesy of the gps receiver, is constantly sent to google throughout the experience, so they can update the maps they are sending back to you. If you want to use google's "voice" service, they will store your voicemails for you.
Those things I just described are just what google for sure is legally collecting now. In reality, if they wanted, they could also see your call and text message history, and listen in on google voice conversations or play back your voicemails. So in all, google (or someone else who could somehow get their hands on this information) could know who you've talked to, what you have said, where you are going to be at a particular time, and track you as you travel there. Here is google's android privacy policy, which sort of says that these things won't happen, but still, it is uncomfortable, at least to me, that so much of my information is sent to one place.
I described here just one example of privacy concerns about one particular gadget, but these questions are important to consider regardless of what product it is. Any time you have a device that is sending your data off across the internet, someone else out there has it, and while they may say that they will protect it appropriately, who is to say that this will actually happen? I will continue to use my android phone for the time being, because it really is a very convenient device, but I am always going to be wary about my digital privacy.
