Flame's Bluetooth functionality could help spies extract data locally, researchers say

Attackers could pinpoint the physical location of infected computers using Flame's Bluetooth functionality

The Bluetooth functionality of the Flame cyberespionage malware could potentially be used to pinpoint the physical location of infected devices and allow local attackers to extract data if they get in close proximity to the victims, according to security researchers from antivirus vendors Symantec and Kaspersky Lab.

Flame can leverage an infected computer's Bluetooth capability to scan for other nearby Bluetooth-enabled devices like mobile phones, Kaspersky Lab researchers said in their initial Flame report published on Monday.

This functionality is present in a Flame module called BeetleJuice, security researchers from Symantec said in a blog post on Thursday. "When a device is found, its status is queried and the details of the device recorded--including its ID--presumably to be uploaded to the attacker at some point."

This information could be used to determine the social and professional circles of victims over time by looking at what Bluetooth devices their computers detect on a regular basis, the Symantec researchers said.

Flame-infected computers can also act as Bluetooth beacons, allowing other Bluetooth devices to discover them. When acting as beacons, the infected computers indicate that they have the Flame malware installed on them through a special description field.

This feature could potentially help local attackers physically locate Flame-infected computers inside a building in order to directly extract information from them if, for some reason, that information cannot be obtained over the network, Vitaly Kamluk, chief malware expert at Kaspersky Lab, said on Tuesday.

There might even be a Flame feature that allows such data extraction to occur over Bluetooth, but no technical evidence of this functionality has been found yet, Kamluk said. Such an attack would have the benefit of bypassing any network-level firewalls and security controls, the Symantec researchers said.

"It is possible that there is undiscovered code within W32.Flamer which already achieves some of these goals," the Symantec researchers said. "For example, although we have not found network code near the 'beacon' code, one compromised computer may connect to another computer using Bluetooth."

Most security researchers agree that Flame was likely created by a nation state for espionage purposes and that its primary targets were organizations and individuals from Iran and other countries in the Middle East.

If that theory is correct, it would be fairly reasonable to assume that such a nation state could also have intelligence assets or operatives in those regions, who could get physically close to the victims in order to interact with their Flame-infected laptops via Bluetooth.

There are precedents for nation states' involvement in malware attacks on Middle East countries. A report in The New York Times Friday said that U.S. President Barack Obama ordered the Stuxnet cyberattacks on Iran in order to damage the country's nuclear program.

Some Bluetooth attacks don't even require close proximity to the target. Back in 2004, at the Defcon hacker conference, researchers showcased a sniper-rifle-like device that could connect to regular Bluetooth-enabled mobile phones from over one kilometer away.

Another use for the Bluetooth functionality in Flame could be to eavesdrop on private conversations, the Symantec researchers said. "Connect a compromised computer to a nearby device and enable handsfree communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in."

All of these theories describe practical attacks that would be well within the capabilities of skilled attackers, like the ones who created Flame, the Symantec researchers said. "W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth."

Lucian Constantin

IDG News Service