BSAM: Open-source methodology for Bluetooth security assessment
Many wireless headsets using Bluetooth technology have vulnerabilities that may allow malicious individuals to covertly listen in on private conversations, Tarlogic Security researchers have demonstrated last week at RootedCON in Madrid.
“Many of the examples presented during the conference were real tests on devices that attendees – most of them cybersecurity experts – were carrying with them,” they told Help Net Security. The idea was to show just how widespread the problem – and danger – is.
Insecure wireless headsets as a conduit for espionage
While it certainly does seem that many people in public spaces are not thinking about keeping their phone conversations private, I doubt many would be happy to have active eavesdroppers on their line, or listening in on conversations going on around them.
“More and more people, especially professionals and business managers, are wearing their [headsets] all day long, even when they are not using them. Most headsets remain active all day long, often without the wearer being aware of it,” the company pointed out.
“The ability of malicious actors to access private conversations is a critical threat to businesses because it allows remote entry, turning corporate wireless headsets into microphones for industrial espionage activities.”
In the conference presentation, the researchers stealthily connected to visitors’ wireless headsets via Bluetooth, activated the microphone and listened to the audio – without any user interaction.
They also connected to various other Bluetooth-enabled gadgets – smart bracelets, smart TVs, phones, etc. – after discovering the required pairing codes and associated MAC addresses of the devices.
Facilitating security assessment of Bluetooth-enabled devices
“The problem with the technology lies in the lack of documentation, which does not give visibility to these vulnerabilities around us,” the researchers told Help Net Security.
To help manufacturers, researchers, developers, and cybersecurity professionals, the company has developed the Bluetooth Security Assessment Methodology (BSAM), which can be used to develop tools to audit the security of all types of devices that use Bluetooth and Bluetooth LE technology.
“With this methodology, we have developed common criteria that allow us to compare results and report vulnerabilities previously marked as irrelevant,” they noted.
While the company engages in coordinated vulnerability disclosure, they do not have the capacity to validate all Bluetooth-enabled devices on the market. That’s partly why they decided to create and open-source BSAM, which they hope will become a widely used reference/guide that the cybersecurity community will help complete by proposing new controls, improving existing documentation, and more.
The methodology contains documentation on the Bluetooth standard; 36 controls that must be executed to evaluate the security of Bluetooth communications; and resources to facilitate the execution and evaluation of the controls. The proofs of concept and scripts they have developed will be published steadily on GitHub.
“We do not rule out developing a pentest solution that follows BSAM controls. Still, the most important thing is that, being an open-source methodology, anyone can develop their own auditing tools,” the company said. “We are trying to lower the barrier of entry so that companies become aware and can create more secure devices.”