Friday, December 09, 2011

Bluetooth for Bad Guys

Criminals have been skimming debit and credit card information by tampering with point of sale terminals, PIN pads, gasoline pumps, and ATMs for quite a while now. The first time I heard of Bluetooth being used in such cases was from this SparkFun Electronics news blurb a couple of years ago. Malicious hardware installed in a Canadian retailer's PIN pad intercepted customer data and transmitted it via Bluetooth to the attacker's device, perhaps a laptop in a nearby parking lot. At the time it seemed like a clever use of the technology by a Canadian ne'er-do-well but probably not the start of a trend. I was wrong.

As Joshua Wright recently pointed out, Visa is informing merchants about similar crimes that took place around the same time in Utah. Skimmers have also been found in Florida and elsewhere. Just this week, customers of Lucky Supermarkets in California found out that a similar attack was the reason their bank accounts were recently drained. This isn't just one clever crook; this is a criminal industry at work.

The technical reasons that Bluetooth is an attractive technology for this application are nicely outlined in Joshua's article, but we wouldn't see so many actual attacks were it not for the commercial availability of Bluetooth skimmers sold on the criminal underground. There is an industry producing hardware for crime just as there is an industry producing software for crime.

How can you protect yourself as a customer? The best advice I can think of is to consider the liability of payment methods. There is a reason I like to carry some cash. There is also a reason I strongly prefer to use a credit card over a bank debit card. With a credit card (in the US, at least), the financial institutions and merchants bear most of the burden of liability. As long as I check for unauthorized transactions before paying my bill every month, I don't have much to worry about. Once, many years ago, someone emptied my checking account. I figured out what had happened and managed to convince my bank that the bank's own misguided security practice had allowed it to happen, but guess who bore the burden of a zero balance until that was resolved?

How can you protect yourself if you are a retailer or financial institution? This is a much more difficult problem. For starters, you should read Joshua Wright's article and the Visa bulletin. Josh has some nice things to say about my Project Ubertooth, but he also has some criticisms, mostly pointing out features yet to be developed. The first item on his wish list is frequency hopping (following a connection across the 79 channels that Classic Bluetooth hops among, rather than watching a single channel at a time), something I am working on now. He also points out the need to improve Bluetooth device fingerprinting, an area of research that has been advanced in recent years primarily by JP Dunning.

When I read about real life attacks on retailers and customers, sometimes I imagine how I could use technology to catch the crooks. Frankly, it would be hard, and it would be especially hard to deploy tools that would allow more investigators to do the same. Bad guys are using Bluetooth (and potentially other wireless technologies). We need Bluetooth tools for the good guys too.

I guess, if there is a lesson to be learned from all this, it is that hardware security matters. If an attacker can get in between a user and a system, the security of the system will fail in almost any case. Advocates of the Bring Your Pwn Device (BYOD) trend might want to pay attention. (That was an honest typo, but I decided to keep it!)

30 comments:

bluetooth said...

Yes, even better for the bad guys is good for us.

0845 numbers said...

Bluetooth was invented for the convenience of many, not for the sake of few. Let's just be vigilant with our accounts.

Poker Online said...

This is nice and informative, containing all the information, and it also has a great impact on the new technology. Thanks for sharing it.

Poker Online Terpercaya said...

Please visit, guys. Thank you, guys.

Agen Poker said...

Nice post, guys.

Judi Poker said...

Have a nice day, guys.

Poker Online Indonesia said...

Happy Monday, guys.

Agen Bola Terpercaya said...

Nice posting.

Agen Bola said...

Nice article, thank you.


Anonymous said...

If someone desires to be updated with the latest technologies, then he must pay
a quick visit to this website and be up to date all the time.


Anonymous said...

Greetings! I've been reading your blog for a
long time now and finally got the bravery to go ahead and give you a shout out from
Lubbock, Texas! Just wanted to tell you, keep up the great work!

Anonymous said...

You really make it seem really easy with your presentation, but I find
this topic to be really one thing which I think I would
by no means understand. It kind of feels too complicated and extremely wide
for me. I'm looking forward to your next put
up; I will try to get the hang of it!

Anonymous said...

Appreciate it! This is definitely an awesome internet site.


Anonymous said...

Thankfulness to my father, who informed me on the topic of this
web site; this webpage is truly awesome.

Anonymous said...

Just desire to say your article is amazing. The clearness in your post is simply
excellent, and I can assume you are an expert on this
subject. Fine with your permission, allow me
to grab your feed to keep updated with forthcoming posts.
Thanks a million, and please carry on the enjoyable work.

Anonymous said...

Hello there! Do you know if they make any plugins to assist with SEO?
I'm trying to get my blog to rank for some targeted keywords,
but I'm not seeing very good results. If you know of any,
please share. Cheers!

Anonymous said...

Asking questions is a truly good thing if you are not understanding something entirely;
however, this piece of writing presents nice understanding yet.
