Flame Taps Bluetooth: Security Implications - InformationWeek




Flame malware could use Bluetooth to exfiltrate data, record phone conversations, or learn the social network of a target.

The Flame malware, detailed publicly for the first time Monday, has been described by security researchers working overtime to unravel its inner workings as "the largest and most complex piece of malicious code they've ever seen."

Since malware writers tend to keep an eye on the competition, expect some of the capabilities built into Flame--a.k.a. Flamer, Skywiper--to become part of not just the next generation of espionage and intelligence-gathering malware, but potentially any updated crimeware or scareware toolkit, provided they can help turn a profit.

One of Flame's most interesting--and unusual--capabilities is its ability to scan for nearby Bluetooth devices, and that capability suggests that whoever built Flamer had deep pockets. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," read a 63-page analysis of the malware, published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics.


CrySyS also helped trace the origins of the Stuxnet and Duqu malware. Security experts believe that whoever commissioned that malware--revealed Friday to be the United States and Israel--also commissioned Flame, but said it appears to have been built by a different group of developers.

Researchers are now working to unravel the capabilities of the malicious Flame application, as well as the approximately 20 modules that give it additional capabilities. The malware's Bluetooth functionality is built into a module known as BeetleJuice and is triggered based on rules created by the attacker, according to an analysis published by Symantec.

When triggered, the module first scans for all Bluetooth devices within range. "When a device is found, its status is queried and the details of the device recorded--including its ID--presumably to be uploaded to the attacker at some point," said Symantec's report.

Next, the malware configures itself to serve as a Bluetooth beacon. "This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area," said the Symantec report. "In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer and then stores these details in a special 'description' field."

In other words, the malware not only records the identities of nearby Bluetooth devices, but apparently also whether or not they've been compromised by Flame.
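The two-step behaviour Symantec describes (repeated inquiry scans of nearby devices, then switching the host into discoverable mode with an encoded string in its description field) is something a host-side Bluetooth audit log can be checked for. The following is an added detection example, not code from Symantec, CrySyS, or the Flame sample itself; the event log format, the `SET_DESCRIPTION` and `INQUIRY_START` event names, and the sample records are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed host-side Bluetooth audit events: "<timestamp> <event> key=value ...".
# The pattern mirrors the BeetleJuice behaviour described in the article.
SAMPLE_EVENTS = """\
2012-05-28T09:00:01 INQUIRY_START adapter=hci0
2012-05-28T09:00:09 DEVICE_FOUND addr=AA:BB:CC:00:00:01 class=0x5a020c
2012-05-28T09:00:11 DEVICE_FOUND addr=AA:BB:CC:00:00:02 class=0x40020c
2012-05-28T09:00:14 SET_DISCOVERABLE adapter=hci0 value=1
2012-05-28T09:00:15 SET_DESCRIPTION adapter=hci0 value="Y2FsbDo0MjQ5O2hvc3Q9QUFBQQ=="
2012-05-28T09:30:01 INQUIRY_START adapter=hci0
""".splitlines()

# Constructed benign baseline: one pairing scan, a human-readable name, not discoverable.
BENIGN_EVENTS = """\
2012-05-28T09:00:01 INQUIRY_START adapter=hci0
2012-05-28T09:00:09 DEVICE_FOUND addr=AA:BB:CC:00:00:03 class=0x240404
2012-05-28T09:00:14 SET_DISCOVERABLE adapter=hci0 value=0
2012-05-28T09:00:15 SET_DESCRIPTION adapter=hci0 value="Dell Laptop"
""".splitlines()

KV_RE = re.compile(r'\w+=(?:"[^"]*"|\S+)')      # key=value or key="quoted value"
BASE64ISH = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')  # shape of an encoded blob

def parse_events(lines):
    """Split each line into (timestamp, event, {key: value}); quotes are stripped."""
    parsed = []
    for line in lines:
        ts, event, rest = line.split(" ", 2)
        fields = {k: v.strip('"') for k, v in
                  (kv.split("=", 1) for kv in KV_RE.findall(rest))}
        parsed.append((ts, event, fields))
    return parsed

def shannon_entropy(s):
    """Bits per character; encoded data scores higher than a product name."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def assess_bluetooth_events(lines, min_scans=2, entropy_threshold=3.5):
    """Hypothetical detector: flag repeated scans + beacon mode + encoded description."""
    scans, discoverable, odd_descriptions = 0, False, []
    for _ts, event, f in parse_events(lines):
        if event == "INQUIRY_START":
            scans += 1
        elif event == "SET_DISCOVERABLE" and f.get("value") == "1":
            discoverable = True
        elif event == "SET_DESCRIPTION":
            desc = f.get("value", "")
            if BASE64ISH.fullmatch(desc) or shannon_entropy(desc) > entropy_threshold:
                odd_descriptions.append(desc)
    return {"repeated_scans": scans >= min_scans, "beacon_enabled": discoverable,
            "encoded_description": odd_descriptions,
            "matches_pattern": scans >= min_scans and discoverable and bool(odd_descriptions)}
```

On a real fleet the same three signals would come from the Bluetooth stack's own logging or an EDR sensor; the thresholds here are starting points to tune against a baseline, not Flame-specific indicators.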

Symantec said that the malware's use of Bluetooth could help its operators learn a target's social network because it would record information about any devices the user encountered during the course of his day. Likewise, the locations of devices could be ascertained--for example, if compromised Bluetooth devices were placed in airports or shopping malls.

But Bluetooth would also allow the attacker behind Flame to target nearby devices and steal any address book entries, SMS messages, or images stored on the device, and then route the information to another nearby device. "An attacker within one mile of the target could use their own Bluetooth-enabled device for this," said Symantec. That means Flame could have been used together with actual physical surveillance of a target.

Furthermore, Flame could use Bluetooth to eavesdrop on infected devices via hands-free communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in by having a PC compromised by Flame connect to the device, according to Symantec.

While the above attack possibilities are only theories, it is possible that there is undiscovered code within W32.Flamer that already achieves some of these goals, according to Symantec. Furthermore, whoever coded Flame would have the required technical chops. "The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled, and such attacks are well within their capabilities," the report said.

Beyond technical teardowns, additional perspective on Flame has also been appearing. Numerous businesses, for example, have been asking whether they're at risk of being exploited. In response, Sean Sullivan, security advisor at F-Secure Labs, wrote in a blog post: "Let's see, are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."

As Sullivan noted, Flame isn't a worm that propagates on its own, but a malicious application that's targeted only at designated PCs--and researchers think that only about 1,000 PCs have ever been infected by Flame. "There are more than one billion Windows computers in the world," Sullivan said.

So when it comes to risk of infection, "You do the math," Sullivan said. "You're just as likely to win the lottery."

