
IRACST - International Journal of Computer Science and Information Technology & Security (IJCSITS), ISSN: 2249-9555,

Vol. 2, No. 1, 2012

Bluetooth Intrusion Techniques


Jesús Antonio Alvarez-Cedillo, Patricia Perez-Romero, Miguel Hernandez-Bolaños
Parallel Computing Laboratory
CIDETEC IPN, México

Abstract— Bluetooth technology has grown through the years, but with that growth security has become an issue. All over the world, people interact with and use this technology when transferring data between devices or when using computers or personal devices, and the lack of confidentiality and authenticity guarantees is a factor in whether they remain secure. Because this technology is so common, malicious exploits are constantly searching for a way in. In this paper we show different exploits and vulnerabilities that are either already present in the design or have been maliciously exploited. Some of these exploits are Bluesnarfing, Bluejacking, Bluebugging, etc. By understanding these exploits, one can gain a general idea of how vulnerable Bluetooth could be.

Keywords – Bluetooth – Bluesnarfing – Bluejacking – Bluebugging – SAFER+ – MAC address – DOS attack – Intrusion Techniques.

I. INTRODUCTION

Wireless technology has evolved through the years to give the public ease, convenience and efficiency in accessing data. Due to this growing demand, Bluetooth has advanced into a ubiquitous technology found in many everyday appliances.

Wireless technology allows computing resources to be used and shared without physical connections between the client device and the server of those resources. This technology has been very important for companies, primarily for communication, but its scope is much greater. The client devices are desktop computers, palmtops and cell phones, automobiles, refrigerators and printers; the days of having a cluster of wires to interface different devices are now in the past.

With the growing popularity of this technology, malicious exploits have grown accordingly. One can easily locate an exploit through the Internet, and most of them are trivial to understand and use. There are many exploits to choose from to do one's bidding. Some of them can eavesdrop on information being transferred between two parties. Others can spam a nearby mobile phone. Other software can virtually control all the processes of a mobile phone, from editing contacts to making a call through the phone. The possibilities are astounding. Instead of searching individually for each exploit that exists, we have decided to conveniently bundle them into a pack: a one-stop shop for popular Bluetooth exploits.

II. BLUETOOTH

Bluetooth technology is designed and optimized for use in mobile devices, such as mobile computers, cellular handsets, network access points, printers [1,3], PDAs, desktops, keyboards, joysticks and virtually any other device. The technology is relatively robust and inexpensive. It operates in the short-range 2.4 GHz Industrial-Scientific-Medical (ISM) band and can reach distances of 10 to 100 meters. It uses Frequency Hop (FH) spread spectrum, which divides the frequency band into a number of hop channels. A Time-Division Duplex scheme is used for full duplex transmission. There are tiny radio-frequency transmitters, no larger than 1.0 by 0.5 inches, that can run off a watch battery for months. Power considerations are always important for battery-powered mobile devices, and Bluetooth's low power modes meet those requirements with less than 0.1 W active power. Bluetooth is intended to be a standard that works at two levels:

It provides agreement at the physical level (radio-frequency standard).

It also provides agreement at the next level up, where products have to agree on when bits are sent, how many will be sent at a time and how the parties in a conversation can be sure that the message received is the same as the message sent.

The Bluetooth protocol uses a combination of circuit and packet switching to send and receive data [2, 4]. A frequency-hopping spread spectrum technique is used to make it difficult to track or intercept transmissions. Each Bluetooth device has a unique 48-bit hard-wired device address for identity, which allows for 2^48 devices. Bluetooth devices form piconets to communicate. Each piconet [5] comprises up to eight active devices, where one is the 'master' and the rest are 'slaves'. The master searches for Bluetooth devices and then sends invitations to join the piconet addressed to specific devices. The 'master' then assigns a member address to each slave and controls their transmissions. Devices can belong to several piconets. Bluetooth also provides for easy integration of TCP/IP for networking.

A. Bluetooth Protocol Architecture

Bluetooth is designed for communications applications [6]. It is designed to support high quality simultaneous voice and data transfers, with rates reaching up to 721 Kbps. It supports both synchronous and asynchronous services and easy integration of TCP/IP for networking purposes. The Bluetooth specification divides the Bluetooth protocol stack into three logical groups: the Transport Protocol group, the Middleware Protocol group and the Application group, as shown in Figure 1.

The Transport group protocols allow Bluetooth devices to locate each other, and to manage physical and logical links with higher layer protocols and applications. It is important to note that the Transport protocol group does not coincide with the Transport layer of the Open Systems Interconnection (OSI) model. Rather, these protocols correspond to the Data-Link and Physical layers of the OSI model. The Radio, Baseband, Link Manager and Logical Link Control and Adaptation (L2CAP) layers and the Host Controller Interface (HCI) are included in the Transport Protocol group. These protocols support both asynchronous and synchronous transmission. All the protocols in this group are required to support communications between Bluetooth devices. A brief discussion of the layers in the Transport group follows.

Figure 1 : Bluetooth Protocol Architecture

• Radio Layer
The specification of the Radio layer is primarily concerned with the design of the Bluetooth transceivers.

• Baseband Layer
This layer defines how Bluetooth devices search for and connect to other devices. The master and slave roles that a device may assume are defined here, as are the frequency-hopping sequences used by devices. The devices use a time division duplexing (TDD), packet-based polling scheme to share the air interface. The master and slave each communicate only in their pre-assigned time slots. Also defined here are the types of packets, packet processing procedures and the strategies for error detection and correction, signal scrambling (whitening), encryption, packet transmission and retransmissions. The Baseband layer supports two types of links: Synchronous Connection-Oriented (SCO) and Asynchronous Connection-Less (ACL). SCO links are characterized by a periodic, single-slot packet assignment, and are primarily used for voice transmissions that require fast, consistent data transfer. A device that has established an SCO link has, in essence, reserved certain time slots for its use. Its data packets are treated as priority packets, and will be serviced before any ACL packets. A device with an ACL link can send variable length packets of 1, 3 or 5 time-slot lengths, but it has no time slots reserved for it.

• Link Manager Layer
This layer implements the Link Manager Protocol (LMP), which manages the properties of the air interface link between devices. LMP manages bandwidth allocation for general data, bandwidth reservation for audio traffic, authentication using challenge-response methods, trust relationships between devices, encryption of data and control of power usage. Power usage control includes the negotiation of low power activity modes and the determination of transmission power levels.

• L2CAP Layer
The Logical Link Control and Adaptation Protocol (L2CAP) layer provides the interface between the higher-layer protocols and the lower-layer transport protocols. L2CAP supports multiplexing of several higher layer protocols, such as RFCOMM and SDP. This allows multiple protocols and applications to share the air interface. L2CAP is also responsible for packet segmentation and reassembly, and for maintaining the negotiated service level between devices.

• HCI Layer
The Host Controller Interface (HCI) layer defines a standard interface for upper level applications to access the lower layers of the stack. This layer is not a required part of the specification. Its purpose is to enable interoperability among devices and the use of existing higher-level protocols and applications.

The Middleware Protocol group includes third-party and industry-standard protocols, as well as Bluetooth SIG-developed protocols. These protocols allow existing and new applications to operate over Bluetooth links. Industry standard protocols include the Point-to-Point Protocol (PPP), Internet Protocol (IP), Transmission Control Protocol (TCP), wireless application protocols (WAP), and the object exchange (OBEX) protocols adopted from the Infrared Data Association (IrDA).

Bluetooth SIG-developed protocols include:

1) A serial port emulator (RFCOMM) that enables legacy applications to operate seamlessly over Bluetooth transport protocols.

2) A packet based telephony control signaling protocol (TCS) for managing telephony operations.
3) A service discovery protocol (SDP) that allows devices to obtain information about each other's available services.

Reuse of existing protocols and seamless interfacing to existing applications was a high priority in the development of the Bluetooth specifications, as shown in Figure 2.

The Application group consists of actual applications that use Bluetooth links. They can include legacy applications as well as Bluetooth-aware applications.

Figure 2: Interoperability with Existing Protocols and Applications

B. Hacking

Currently there are a few methods known for bypassing Bluetooth's security measures.

One method of hacking Bluetooth has been named "Bluesnarfing", and as with most Bluetooth hacks, the reason for its existence is a fault in the way Bluetooth is implemented on certain mobile phones. In this case, it is the way in which the object exchange (OBEX) protocol [4] has been implemented. The attack silently accesses the contacts, calendar and pictures of these mobile phones without the owner's knowledge, a clear violation of the owner's security expectations. Nokia is one of a few mobile phone companies who have acknowledged that some of their devices have this fault, and have addressed it with updated firmware for their faulty products.

Another method is that of "back-door" hacking. This is where a device which is no longer trusted can still gain access to the mobile phone and gain access to data as with Bluesnarfing, or also use services like WAP, etc.

A third flaw in some mobile phones allows a hacker to use a method called "Bluebugging" in order to hack into the owner's phone. It is possibly the most dangerous of the attacks, and allows hackers to send and read SMS, call numbers, monitor phone calls and also do everything that back-door and Bluesnarfing allow. This is a separate vulnerability from Bluesnarfing and does not affect all of the same phones as Bluesnarfing.

The seemingly harmless "Bluejacking" is a different style of attack. It works on the fact that during the initialization process, when a device wishes to be paired with you, a message containing the device's name and asking whether you want to pair with this device is displayed. To many people this is just an innocent joke to get a reaction out of someone by renaming their phone, sending them a clever anonymous message and watching their reaction. However, if a malicious individual names their phone something like "Click accept to win!!" then they can gain access to someone's Bluetooth device if the owner falls for the trick.

As with computers, there is also the risk of worms and viruses. One such worm is the Cabir worm, which tries to pair the Bluetooth device with any other Bluetooth device in the vicinity, and if successful it will install itself on the paired device. Once it is there, it will attempt to repeat this process, and also, when the device is switched on, the worm will drain the battery by scanning for enabled Bluetooth devices.

There is also the possibility of Denial of Service (DOS) attacks on Bluetooth devices. This works exactly the same way that traditional DOS attacks work, with a hacker sending invalid Bluetooth requests and occupying a device's Bluetooth channel so it cannot communicate with any other Bluetooth devices.

The first three of these issues are purely faults of the manufacturers of particular mobile phones, and firmware has been released since their discovery to correct any faulty models. These problems illustrate the dangers of using Bluetooth devices if they are not implemented properly. Indeed, they can all be solved, for most phones, by switching the phone into "invisible" mode so that it will not be recognized by other Bluetooth devices. Switching off the Bluetooth capability when you are not using it is another, more extreme option. The Bluejacking and Cabir worm issues can only compromise someone's phone if they agree to be paired with the device and, in the case of the Cabir worm, once they agree it also tries to install software. There are also security updates and anti-virus software readily available for users. These user security measures show that, as with any technology, there is responsibility on the user to take care of their devices.

III. EXPLOITS

There are many exploits that can be easily accessed through the Internet. Some of these exploits are trivial and just spam other mobile phones nearby, while other exploits are advanced enough to edit mobile phone contacts or make a call through the phone. The following sections individually provide general information on existing exploits.

The main reason why most of these exploits can occur is that a Bluetooth device is left in discoverable mode, which allows it to be discovered by another Bluetooth device. Once

discovered, the exploit software will have retrieved the device's MAC address [7,8], which it can use to issue an attack. If the device was never in discoverable mode, this would never have happened. Newer technologies now allow devices to remain in discoverable mode only for a limited time. For example, if a person wants his device to be discoverable, he has to switch the mode on, and after a certain time has passed it will automatically switch off. This is a good safety mechanism to make sure the device is never left in discoverable mode. In addition, discoverable mode is legitimately used for pairing two Bluetooth devices. This process is not time consuming at all [9]. So, having an automatic shutdown of discoverable mode after an arbitrary time will still leave ample time for the pairing process to complete.

A. Bluesnarfing

Bluesnarfing [10] is unauthorized access to information. The unauthorized access allows the attacker to obtain and edit information in calendar entries, contact lists and emails.

Bluesnarf was first identified by Marcel Holtmann in September 2003. Independently, Adam Laurie also discovered the same vulnerability in November 2003. To be able to perform a Bluesnarf attack, the attacker's device needs to connect to the Object Exchange Protocol (OBEX) Push Profile (OPP). This protocol is primarily responsible for exchanging information between two devices, including business cards and other objects, and is very similar to the well-known FTP protocol. OBEX does not usually require authentication, and if it does require authentication, it will not be a problem as long as everything is implemented correctly. So to execute an attack, the attacker connects to an OBEX Push target and performs an OBEX Get request for files such as "telecom/cal.vcs" for the device's calendar or "telecom/pb.vcf" for the device's phone book. The OBEX process that is running does not provide file browsing, but the names of the previously mentioned files can easily be learned from the Infrared Mobile Communications specifications, which include the specifications of many file names. So, due to a device firmware problem, an attacker can easily access those files. Since this problem relates to a firmware problem, only certain mobile phones are susceptible to this attack. Currently Sony Ericsson and Nokia have a few models that are affected by Bluesnarf [Table 3].

B. Bluebug

Bluebug [12] is the name of a Bluetooth security loophole that was identified by Adam Laurie from A.L. Digital Ltd. on some Bluetooth-enabled cell phones. Exploiting this loophole allows the unauthorized downloading of phone books and call lists, the sending and reading of SMS messages, connection to the Internet, changing a service provider, initiating a call through the phone, and many more. Under ideal conditions, it is possible for a Bluebug attack to take only a few seconds. Due to the limited transmit power of class 2 Bluetooth radios, the distance from the victim's device to the attacker's device during the attack should not exceed 10-15 meters. A directional antenna can be attached to the radio in order to increase the range.

Since the Bluebug security loophole allows AT (modem) commands to be issued via a covert channel to the vulnerable phones without prompting the owner of the phone, this security flaw allows a vast number of things to be done when the phone is attacked via Bluetooth. Some examples follow.

Initiating Phone Calls

The Bluebug security loophole allows the attacker to initiate phone calls from the victim's device. Things that can be done by initiating phone calls include:

1) Eavesdropping: When the victim passes, a phone that is owned by the attacker (e.g. an anonymously used prepaid-card phone) is called. From this moment on, the attacker is able to listen to all the conversations that the victim has until the victim hangs up the phone.
2) Causing financial damage: Since phone calls to any number can be established, it is also possible to call premium service numbers from the victim's device. If the victim does not realize that a phone call is connected to a premium service number, this would cause significant financial damage to the victim.

Sending SMS from the victim's device for:

1) Finding out the victim's phone number: The phone number of the respective device is not stored at a predefined location. The device's number can be obtained by sending an SMS from the victim's device to a phone that is owned by the attacker.
2) Causing financial damage: There are quite a lot of SMS-based services that cost the client about 5 dollars per SMS. Usually, these services are used to sell ring tones and logos. There are also news subscriptions that can be ordered by SMS that continuously cause costs to the victim.
3) Tracking the victim: As a location-based service, some providers allow other users to locate their customers by the GSM global cell id to which their phone is connected. Depending on how the respective GSM cells are configured, this information can be very detailed. In order to do this, the provider must get permission from the customer. This permission is usually given via SMS (which is sent by the attacker).
4) Revealing secrets: Often SMS messages are used to silently communicate secret information with other people. Reading the SMS of the attacked device often touches the victim's privacy. Paparazzi could use this attack in order to find out more about certain celebrities.
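The Bluesnarfing section above, and the OBEX-based Bluejacking described in section II.B, both come down to what an Object Push service does with a peer it has never authenticated. The following Python sketch is an illustration added to this page, not code from the paper or from any real Bluetooth stack: it puts the flawed handling the paper attributes to the faulty firmware beside a hardened version. The request shape, the object store, the bonding table, the size limit and the peer addresses are all constructed for the example.

```python
"""Toy OBEX Object Push (OPP) request handling.

Example code added to this page; not from the paper or any real Bluetooth
stack.  The request format, object store, bonding table, size limit and
addresses are constructed for the example.
"""
from dataclasses import dataclass, field

# The two object names the paper cites as Bluesnarfing targets, with
# constructed contents standing in for the owner's phone book and calendar.
PHONE_OBJECTS = {
    "telecom/pb.vcf": "BEGIN:VCARD\nFN:Owner Contact\nEND:VCARD",
    "telecom/cal.vcs": "BEGIN:VCALENDAR\nEND:VCALENDAR",
}
MAX_PUSH_BYTES = 64 * 1024  # constructed limit for a pushed object


@dataclass
class ObexRequest:
    opcode: str        # "GET" or "PUT"
    peer: str          # BD_ADDR of the requesting device
    name: str = ""     # OBEX Name header
    mime: str = ""     # OBEX Type header
    body: bytes = b""  # object body carried by a PUT


@dataclass
class Phone:
    bonded: set = field(default_factory=set)   # peers that completed pairing
    inbox: list = field(default_factory=list)  # pushed objects awaiting user review


def opp_handle_flawed(phone: Phone, req: ObexRequest):
    """The behaviour the paper attributes to the faulty firmware: OPP accepts
    a connection without authentication and serves a GET for any object name
    it knows, so anyone in range can pull the phone book or calendar."""
    if req.opcode == "GET":
        if req.name in PHONE_OBJECTS:
            return "OK", PHONE_OBJECTS[req.name]
        return "NOT FOUND", None
    if req.opcode == "PUT":
        phone.inbox.append((req.peer, req.name, req.body))
        return "OK", None
    return "BAD REQUEST", None


def opp_handle_hardened(phone: Phone, req: ObexRequest):
    """Hardened handling.  Object Push exists to receive objects: a GET of
    stored data is only honoured for a peer that completed pairing, and a
    PUT is limited to a small vCard that is queued for the user with the
    sender's address recorded, so a 'clever' device name is shown as an
    unsolicited push from that address rather than as a pairing prompt."""
    if req.opcode == "GET":
        if req.peer not in phone.bonded:
            return "UNAUTHORIZED", None            # unauthenticated pull refused
        if req.name not in PHONE_OBJECTS:
            return "NOT FOUND", None
        return "OK", PHONE_OBJECTS[req.name]
    if req.opcode == "PUT":
        if req.mime != "text/x-vCard":
            return "UNSUPPORTED MEDIA TYPE", None
        if len(req.body) > MAX_PUSH_BYTES:
            return "REQUEST ENTITY TOO LARGE", None
        phone.inbox.append({"from": req.peer, "name": req.name,
                            "body": req.body, "accepted_by_user": False})
        return "ACCEPTED", None                    # stored pending user review
    return "BAD REQUEST", None
```

The two handlers differ only in the checks the paper says were missing: the hardened one ties the right to read "telecom/pb.vcf" to a completed pairing, and treats an incoming push as untrusted data from a known address instead of acting on it.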

Reading and writing phone book entries for:

1) Finding out callers and called persons: In GSM handsets, phone books are also used for managing call lists. So the attacker may find out who the victim called last, who was trying to reach the victim's device and who reached the victim's device.
2) Modifying entries: A nasty phone book entry could be the name "Darling" and the international emergency number 112 :)
3) Obfuscating the abuse: After initiating phone calls, the list of dialed numbers could be overwritten.

Call Forwards

Setting call forwards on the victim's phone could cause a lot of confusion. So instead of calling the victim, the caller reaches the device connected to a random number that has been set.

Internet Abuse

The attacker can use the Bluebug loophole to establish an Internet connection that could, for example, be used for the illegal injection of mail worms like Sasser, Phatbot or NetSky.

Network Provider Pre-selection

In locations like airports, where many users arrive with their cell phones, service providers could use the Bluebug loophole in order to register these phones with their networks.

C. Bluejack

Bluejacking [12] is a trivial exploit that utilizes a design flaw in the OBEX layer. Any random person can easily spam another person's mobile phone by sending a text message. The original design intention was for a person to easily send another person their business card via their mobile phone. However, that technology has now been exploited by people sending random messages to another person when the device is close enough to detect the other Bluetooth device.

D. Bluesmack

Bluesmack is a DOS (Denial of Service) attack [13]. This attack exploits the L2CAP layer, which is responsible for echo requests similar to ICMP (Internet Control Message Protocol) ping. Bluesmack sends an enormous amount of ping requests to another device, which makes the victim's device unresponsive to any services. This attack is similar to the "Ping of Death" and "Smurf Attack". Since a standard Bluetooth device cannot handle large amounts of ping requests, this will result in a buffer overflow and cause the device to be unavailable. This method can be tweaked to create a buffer overflow by injecting malicious code into the device.

E. Cracking Bluetooth PIN

Apart from all the other Bluetooth exploits mentioned in this section, cracking the Bluetooth PIN is not software that can be downloaded. Instead, it is a theoretical process of how one might be able to crack a Bluetooth PIN. It is still considered an exploit of course, and a very interesting one indeed, so that is why it is being included in this section.

One reason why cracking the PIN is possible is that the PIN number is usually much too short to provide a secure access code. Most people do not want the hassle of having to remember a long number. Another reason is that Bluetooth has incorporated new cryptographic primitives, which possibly have not been tested thoroughly and may contain hidden flaws. Finally, Bluetooth was originally restricted to a range of only 10 m. This was a main factor in security, since most attackers cannot commit to an attack unless they are within range of the victim. However, as wireless technology has advanced through the years, range extenders are now possible and can be built very inexpensively.

When two Bluetooth devices establish a channel for communication, the process by which the channel is established is called the pairing or bonding process. This process requires the use of a PIN, so it is during the pairing process of two Bluetooth devices that a PIN could be cracked. However, before the pairing process begins, a PIN code should have been entered into both Bluetooth devices.

There are some devices that have a fixed PIN which cannot be changed (e.g. wireless headphones). In this situation, the fixed PIN is entered into the peer device. This will be a problem if both devices have a fixed PIN, in which case those two devices cannot pair with one another.

The Bluetooth pairing process consists of three steps.

1. Creation of an initialization key (Kinit)
2. Creation of a link key (Kab)
3. Authentication

After the above steps are completed, the devices have an additional option to derive an encryption key to hide all future communications.

The creation of an initialization key (Kinit) step requires three parameters: a MAC address (BD_ADDR), the PIN code and its length, and a 128-bit random number (IN_RAND). This step

generates the Kinit, which is a 128-bit word, using the E22 algorithm (Figure 3).

Figure 3 : Generating Kinit using the E22 Algorithm

The BD_ADDR used in the E22 algorithm [14] will be that of the device that does not have a fixed PIN. If neither device has a fixed PIN, then the BD_ADDR used will be that of the slave device that receives the IN_RAND. The initialization key is only used during the pairing process and is discarded upon creation of the link key.

The creation of the link key (Kab) requires the use of the Kinit to exchange two new random 128-bit words, known as LK_RANDA and LK_RANDB. The two new random words are used in the E21 algorithm [14] (Figure 4) to generate the Kab.

Figure 4: Generating the Kab using the E21 Algorithm

Once the link key has been generated, mutual authentication can be performed, which relies on a challenge-response scheme. The two devices have separate roles, where one is labeled the verifier and the other is the claimant. The verifier's role is to send a random 128-bit word called the AU_RANDA to the claimant, which the claimant will use to generate a 32-bit word called the SRES using the algorithm E1 (Algorithm 16). The claimant will then send the SRES to the verifier, who verifies the response word by performing the same calculation. If the response word is successful, the verifier and claimant will exchange roles, and the process is repeated. During the mutual authentication process, a 96-bit word called the ACO will be generated as a side effect. This word can optionally be used to create an encryption key.

Now that we understand how the pairing process works, we can go over the basics of actually cracking the PIN. Assume that an attacker has eavesdropped on an entire pairing and authentication process, and has saved all the messages (Table 1). With the above information obtained, the attacker can use a brute force algorithm to find the PIN used. By iterating through all possible values of the PIN, the attacker can form a hypothesis for Kinit, since IN_RAND and BD_ADDR are known and are applied to the E22 algorithm. The initialization key hypothesis is then used to decode messages 2 and 3 from Table 1. Messages 2 and 3 contain enough information to form a hypothesis for Kab. With the hypothesis for Kab the attacker can test it against the last four messages in Table 1. This whole process is described in a flow layout in Figure 5.

TABLE I. LIST OF MESSAGES SENT DURING THE PAIRING AND AUTHENTICATION PROCESS OF BLUETOOTH DEVICES A AND B

#  Src  Dst  Data      Length   Notes
1  A    B    IN_RAND   128 bit  plaintext
2  A    B    LK_RANDA  128 bit  XOR with Kinit
3  B    A    LK_RANDB  128 bit  XOR with Kinit
4  A    B    AU_RANDA  128 bit  plaintext
5  B    A    SRES      32 bit   plaintext
6  B    A    AU_RANDB  128 bit  plaintext
7  A    B    SRES      32 bit   plaintext
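Table I lists exactly what a passive listener sees. As an added illustration, not code from the paper, the following Python plays both sides of that exchange and then checks, from the seven captured messages alone, whether a PIN guess is consistent with them. This is the test at the heart of the brute force described above, and it shows why the work of a passive observer is bounded by nothing but the PIN length. The functions toy_e22, toy_e21 and toy_e1 are hashlib stand-ins for the SAFER+-based E22, E21 and E1 (they keep only the inputs and output widths the paper describes), and the addresses, PIN and random source are constructed.

```python
"""Both sides of the Bluetooth pairing and mutual authentication of Table I.

Example code added to this page; not from the paper.  toy_e22/toy_e21/toy_e1
are hashlib stand-ins for the SAFER+-based E22, E21 and E1, keeping only the
inputs and output widths the paper describes; addresses, PIN and the random
source are constructed.
"""
import hashlib
import random


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Stand-in for E22: (PIN, its length, BD_ADDR, IN_RAND) -> 128-bit Kinit."""
    return hashlib.sha256(b"E22" + bytes([len(pin)]) + pin + bd_addr + in_rand).digest()[:16]


def toy_e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in for E21: (LK_RAND, BD_ADDR) -> 128-bit contribution to Kab."""
    return hashlib.sha256(b"E21" + lk_rand + bd_addr).digest()[:16]


def toy_e1(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> tuple:
    """Stand-in for E1: returns the 32-bit SRES and the 96-bit ACO."""
    d = hashlib.sha256(b"E1" + link_key + au_rand + claimant_addr).digest()
    return d[:4], d[4:16]


def run_pairing(pin: bytes, addr_a: bytes, addr_b: bytes, rng) -> tuple:
    """A is the master, B the slave that receives IN_RAND (so E22 uses B's
    address).  Returns the seven over-the-air messages of Table I and Kab."""
    in_rand = rng(16)                                  # msg 1, plaintext
    k_init = toy_e22(pin, addr_b, in_rand)             # both sides derive this
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    msg2 = xor(lk_rand_a, k_init)                      # msg 2: LK_RANDA XOR Kinit
    msg3 = xor(lk_rand_b, k_init)                      # msg 3: LK_RANDB XOR Kinit
    # Each side removes the XOR with its Kinit and derives the same Kab
    kab_a = xor(toy_e21(lk_rand_a, addr_a), toy_e21(xor(msg3, k_init), addr_b))
    kab_b = xor(toy_e21(xor(msg2, k_init), addr_a), toy_e21(lk_rand_b, addr_b))
    # Mutual authentication: A verifies B, then the roles swap
    au_rand_a = rng(16)                                # msg 4, plaintext
    sres_b, _aco = toy_e1(kab_b, au_rand_a, addr_b)    # msg 5: B is claimant
    if toy_e1(kab_a, au_rand_a, addr_b)[0] != sres_b:
        raise ValueError("B failed authentication")
    au_rand_b = rng(16)                                # msg 6, plaintext
    sres_a, _aco = toy_e1(kab_a, au_rand_b, addr_a)    # msg 7: A is claimant
    if toy_e1(kab_b, au_rand_b, addr_a)[0] != sres_a:
        raise ValueError("A failed authentication")
    transcript = [
        ("A", "B", "IN_RAND", in_rand), ("A", "B", "LK_RANDA", msg2),
        ("B", "A", "LK_RANDB", msg3), ("A", "B", "AU_RANDA", au_rand_a),
        ("B", "A", "SRES", sres_b), ("B", "A", "AU_RANDB", au_rand_b),
        ("A", "B", "SRES", sres_a),
    ]
    return transcript, kab_a


def transcript_consistent_with_pin(transcript, addr_a, addr_b, pin_guess) -> bool:
    """What a passive observer can do with Table I alone: everything except
    the PIN was sent on the air, so one guess is confirmed or rejected
    offline.  This is the test inside the loop of the paper's Algorithm 1."""
    in_rand, c2, c3, au_a, sres_b, au_b, sres_a = [m[3] for m in transcript]
    k_init = toy_e22(pin_guess, addr_b, in_rand)
    kab = xor(toy_e21(xor(c2, k_init), addr_a), toy_e21(xor(c3, k_init), addr_b))
    return (toy_e1(kab, au_a, addr_b)[0] == sres_b
            and toy_e1(kab, au_b, addr_a)[0] == sres_a)


def numeric_pin_space(pin_length: int) -> int:
    """Candidates an observer must check at most for an all-digit PIN of the
    given length: the only quantity that bounds the work."""
    return 10 ** pin_length


if __name__ == "__main__":
    r = random.Random(2012)                            # constructed, repeatable randomness
    rng = lambda n: r.getrandbits(8 * n).to_bytes(n, "big")
    A, B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    transcript, kab = run_pairing(b"1234", A, B, rng)
    for src, dst, name, data in transcript:
        print(f"{src}->{dst} {name:9s} {len(data) * 8:3d} bit {data.hex()}")
    print("guess 1234 consistent:", transcript_consistent_with_pin(transcript, A, B, b"1234"))
    print("guess 0000 consistent:", transcript_consistent_with_pin(transcript, A, B, b"0000"))
```

Two things the toy makes visible: nothing in messages 1 to 7 is secret except through the PIN, and the two SRES values give the observer a 32-bit check for each guess, so with the stand-in primitives a wrong PIN is rejected and only the right one reproduces the whole transcript. A real device that pairs in public with a 4-digit PIN is therefore protected by a search space of 10^4, which is what Table 2 measures.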

This Bluetooth PIN crack method does not take advantage of any weakness in the design of the Bluetooth pairing process. Instead, as long as an attacker can eavesdrop and save all the messages of the pairing process, and is able to apply guessed PINs to the E22, E21 and E1 algorithms, this brute force attack is definitely feasible. There are of course computational enhancements that can be made to this basic method to speed up the PIN cracking, which are described further in "Cracking the Bluetooth Pin" [6]. Table 2 gives an idea of the performance of this procedure for different PIN lengths with an advanced method mentioned in the above paper.

IV. BLUETOOTH EXPLOITS TEST

To give a better understanding of how the Bluetooth exploits work, a practical example always works best. This section gives a description of the process that was developed to test out different Bluetooth exploits, which are mainly found in the "Exploits" section of this paper. Unfortunately there are certain Bluetooth exploits that only work against certain vulnerable devices, which can be referenced in Table 3.

Figure 5: Flow of messages sent during the pairing and authentication process of Bluetooth devices A and B

Algorithm 1: Brute force attack

Input: Pin[0]
Output: HackValue.

1: Set PIN=0
2: Calculate a hypothesis for Kinit
3: Decode LKRANDA and LKRANDB
4: Calculate a hypothesis for Kab
5: SET SRES=AUNRANDA
6: IF SRES=SRES' THEN
7: SET SRES'=AUNRANDB
8: ELSE TRY ANOTHER PIN
9: IF SRESB = SRES' THEN
10: HACKVALUE=PIN
11: ELSE TRY ANOTHER PIN

Algorithm 1: Brute force attack on Bluetooth PIN algorithm

Figure 2 : Authentication using the E1 Algorithm

V. FUTURE WORK

It would be ideal if the exploits worked for any current mobile phone. The Bluesnarf and Bluebug attacks are among the most interesting. However, as stated in the paper, only certain mobile phones are vulnerable to them, and that is a result of the old OBEX design in those mobile phones. A possible future work would be to obtain a better understanding of the OBEX layer and see if there is any vulnerability that might have propagated through from its previous versions.

The part on cracking the Bluetooth PIN is another very interesting topic which would be educational to understand further and possibly implement. Some problems that hindered this project from doing such an exploit are the necessary appliances and software needed to do the exploit. The exploit requires an eavesdropping device, which was not available. Nonetheless, this exploit could be applicable for future work.
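Returning to the Bluesmack attack of section III.D, the defender's side of it is detection: an L2CAP echo flood looks nothing like normal traffic, and an oversized echo body is a second, independent signal. The following Python is an illustration added to this page, not code from the paper or from any Bluetooth stack. It runs a per-source sliding-window rate check and a body-size check over constructed log lines; the line format and the addresses are invented for the example, the thresholds are constructed, and 672 bytes is the default L2CAP MTU.

```python
"""Detecting an L2CAP echo flood (Bluesmack) in controller logs.

Example code added to this page; not from the paper or any Bluetooth stack.
The log line format, the addresses and the thresholds are constructed for
the example; 672 bytes is the default L2CAP MTU.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

L2CAP_DEFAULT_MTU = 672   # default L2CAP MTU; an echo body beyond it is suspect
FLOOD_THRESHOLD = 50      # echo requests from one source within WINDOW_SECONDS
WINDOW_SECONDS = 1.0

# Constructed line shape: "<iso-timestamp> src=<BD_ADDR> l2cap echo_req len=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) "
    r"l2cap echo_req len=(?P<len>\d+)$"
)


def parse_line(line: str):
    """Return (timestamp_seconds, src_addr, body_length), or None for any
    line that is not an echo request."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]).timestamp(), m["src"], int(m["len"])


def detect_bluesmack(lines):
    """Per-source sliding-window counter plus an oversized-body check.
    Returns at most one alert per condition per source."""
    alerts = []
    recent = defaultdict(deque)     # src -> timestamps inside the window
    flooding, oversized = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unrelated log line
        ts, src, length = rec
        if length > L2CAP_DEFAULT_MTU and src not in oversized:
            oversized.add(src)
            alerts.append({"type": "oversized_echo", "src": src, "len": length})
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()             # drop requests that fell out of the window
        if len(q) >= FLOOD_THRESHOLD and src not in flooding:
            flooding.add(src)
            alerts.append({"type": "echo_flood", "src": src, "count": len(q)})
    return alerts


def constructed_log():
    """A benign peer that pings occasionally, then a flooding peer.  All of
    it is constructed sample input for the example."""
    t0 = datetime(2012, 3, 1, 10, 0, 0)
    lines = ["2012-03-01T09:59:50 hci0 link up"]   # unrelated line, ignored by the parser
    for i in range(3):                              # benign: 3 pings over 3 seconds
        ts = (t0 - timedelta(seconds=3 - i)).isoformat()
        lines.append(f"{ts} src=AA:BB:CC:DD:EE:01 l2cap echo_req len=44")
    for i in range(80):                             # flood: 80 pings in 0.4 s, half oversized
        ts = (t0 + timedelta(milliseconds=5 * i)).isoformat()
        lines.append(f"{ts} src=AA:BB:CC:DD:EE:02 l2cap echo_req len={600 if i % 2 else 700}")
    return lines


if __name__ == "__main__":
    for alert in detect_bluesmack(constructed_log()):
        print(alert)
```

The rate check is what catches the flood the paper describes; the size check is there because the paper's variant of the attack relies on bodies a device cannot buffer, and a single oversized request is worth an alert before any flood develops.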

TABLE 1 : RESULTS RUNNING AN ENHANCED VERSION ON A PENTIUM CELERON, CORE DUO USING UBUNTU 10.04

TABLE 2 : LIST OF MOBILE PHONES THAT MIGHT BE VULNERABLE TO BLUESNARF AND BLUEBUG ATTACKS

REFERENCES

[1] Bluetooth SIG. Specification of the Bluetooth System. Version 1.1, Feb. 2001.
[2] Bluetooth SIG. Bluetooth Network Encapsulation Protocol (BNEP) Specification. Technical report, Revision 0.95a, June 2001.
[3] Bluetooth Special Interest Group, "Specification of the Bluetooth System 1.0b, Volume 1: Core," http://www.bluetooth.com, Dec. 1999.
[4] J. Haartsen, "The Bluetooth Radio System," IEEE Personal Communications, Vol. 7, No. 1, pp. 28-36, Feb. 2000.
[5] Vojislav B. Mišić, Eric W. S. Ko, Jelena Mišić, "Load and QoS-Adaptive Scheduling in Bluetooth Piconets," Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04), Track 9, vol. 9, p. 90294c, 2004.
[6] Rudi Latuske, ARS Software GmbH, OBEX performance evaluation and parameter optimization for high speed IrDA, 2004.
[7] A. Das, A. Ghose, A. Razdan, H. Saran, and R. Shorey. Enhancing performance of asynchronous data traffic over the Bluetooth wireless ad-hoc network. In Proceedings of the Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE INFOCOM 2001), volume 1, pages 591–600, Anchorage, AK, Apr. 2001.
[8] M. Kalia, D. Bansal, and R. Shorey. Data scheduling and SAR for Bluetooth MAC. In Proceedings of VTC2000-Spring, IEEE 51st Vehicular Technology Conference, volume 2, pages 716–720, Tokyo, Japan, May 2000.
[9] B. A. Miller and C. Bisdikian. Bluetooth Revealed: The Insider's Guide to an Open Specification for Global Wireless Communications. Prentice-Hall, Upper Saddle River, NJ, 2000.
[10] Martin Herfurt, Bluesnarfing @ CeBIT 2004 – Detecting and Attacking Bluetooth-enabled Cellphones at the Hannover Fairground.
[11] Adam Laurie, Marcel Holtmann, Martin Herfurt, Hacking Bluetooth enabled mobile phones and beyond, 21st Chaos Communication Congress, December 27th to 29th, 2004, Berliner Congress Center, Berlin, Germany.
[12] L. Owens, First Bluejacking, Now Bluesnarfing, 2004.
[13] Timothy K. Buennemeyer, Battery Polling and Trace Determination for Bluetooth Attack Detection in Mobile Devices, Proceedings of the 2007 IEEE.
[14] Yanik Shaked, Avishai, Battery Polling and Trace Determination for Bluetooth Attack Detection in Mobile Devices, Proceedings of the 2007 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, 20-22 June 2007.
