Flame Taps Bluetooth: Security Implications

Flame malware could use Bluetooth to exfiltrate data, record phone conversations, or learn the social network of a target.

Mathew J. Schwartz, Contributor

June 1, 2012

4 Min Read

The Flame malware, detailed publicly for the first time Monday, has been described by security researchers working overtime to unravel its inner workings as "the largest and most complex piece of malicious code they've ever seen."

Since malware writers tend to keep an eye on the competition, expect some of the capabilities built into Flame--a.k.a. Flamer, Skywiper--to become part of not just the next generation of espionage and intelligence-gathering malware, but potentially any updated crimeware or scareware toolkit, provided they can help turn a profit.

One of Flame's most interesting--and unusual--capabilities is its ability to scan for nearby Bluetooth devices, and that capability suggests that whoever built Flamer had deep pockets. "The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities," read a 63-page analysis of the malware, published Monday by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics.

[ It's more difficult--and more important--than ever to be proactive about security. For some best practices, read Security Practices From The Front Lines. ]

CrySyS also helped trace the origins of the Stuxnet and Duqu malware. Security experts believe that whoever commissioned that malware--revealed Friday to be the United States and Israel--also commissioned Flame, but said it appears to have been built by a different group of developers.

Researchers are now working to unravel the capabilities of the malicious Flame application, as well as the approximately 20 modules that give it additional capabilities. The malware's Bluetooth functionality is built into a module known as Beetleuice and is triggered based on rules created by the attacker, according to an analysis published by Symantec.

When triggered, the module first scans for all Bluetooth devices within range. "When a device is found, its status is queried and the details of the device recorded--including its ID--presumably to be uploaded to the attacker at some point," said Symantec's report.

Next, the malware configures itself to serve as a Bluetooth beacon. "This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area," said the Symantec report. "In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer and then stores these details in a special 'description' field."

In other words, the malware not only records the identities of nearby Bluetooth devices, but apparently also whether or not they've been compromised by Flame.

Symantec said that the malware's use of Bluetooth could help its operators learn a target's social network because it would record information about any devices the user encountered during the course of his day. Likewise, the locations of devices could be ascertained--for example, if compromised Bluetooth devices were placed in airports or shopping malls.

But Bluetooth would also allow the attacker behind Flame to target nearby devices and steal any address book entries, SMS messages, or images stored on the device, and then route the information to another nearby device. "An attacker within one mile of the target could use their own Bluetooth-enabled device for this," said Symantec. That means Flame could have been used together with actual physical surveillance of a target.

Furthermore, Flame could use Bluetooth to eavesdrop on infected devices via hands-free communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in by having a PC compromised by Flame connect to the device, according to Symantec.

While the above attack possibilities are only theories, it is possible that there is undiscovered code within W32.Flamer that already achieves some of these goals, according to Symantec. Furthermore, whoever coded Flame would have the required technical chops. "The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled, and such attacks are well within their capabilities," the report said.

Beyond technical teardowns, additional perspective on Flame has also been appearing. Numerous businesses, for example, have been asking whether they're at risk of being exploited. In response, Sean Sullivan, security advisor at F-Secure Labs, wrote in a blog post: "Let's see, are you a systems administrator for a Middle Eastern government? No? Then no ... you aren't at risk."

As Sullivan noted, Flame isn't a worm that propagates on its own, but a malicious application that's targeted only at designated PCs--and researchers think that only about 1,000 PCs have ever been infected by Flame. "There are more than one billion Windows computers in the world," Sullivan said.

So when it comes to risk of infection, "You do the math," Sullivan said. "You're just as likely to win the lottery."

When it comes to regulatory compliance, auditors consider more than how you protect your company's covered assets from external attackers. In the Compliance From The Inside Out report, we show you how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights