Flame’s Bluetooth Functionality Could Help Spies Extract Data Locally, Researchers Say

The Bluetooth functionality of the Flame cyberespionage malware could potentially be used to pinpoint the physical location of infected devices and allow local attackers to extract data if they get in close proximity to the victims, according to security researchers from antivirus vendors Symantec and Kaspersky Lab.

Flame can leverage an infected computer’s Bluetooth capability, to scan for other nearby Bluetooth-enabled devices like mobile phones, Kaspersky Lab researchers said in their initial Flame report published on Monday.

This functionality is present in a Flame module called BeetleJuice, security researchers from Symantec said in a blog post on Thursday. “When a device is found, its status is queried and the details of the device recorded–including its ID–presumably to be uploaded to the attacker at some point.”

This information could be used to determine the social and professional circles of victims over time by looking at what Bluetooth devices their computers detect on a regular basis, the Symantec researchers said.

Flame-infected computers can also act as Bluetooth beacons, allowing other Bluetooth devices to discover them. When acting as beacons, the infected computers indicate that they have the Flame malware installed on them through a special description field.

This feature could potentially help local attackers physically locate Flame-infected computers inside a building in order to directly extract information from them if, for some reason, that information cannot be obtained over the network, Vitaly Kamluk, chief malware expert at Kaspersky Lab, said on Tuesday.

There might even be a Flame feature that allows such data extraction to occur over Bluetooth, but no technical evidence of this functionality has been found yet, Kamluk said. Such an attack would have the benefit of bypassing any network-level firewalls and security controls, the Symantec researchers said.

“It is possible that there is undiscovered code within W32.Flamer which already achieves some of these goals,” the Symantec researchers said. “For example, although we have not found network code near the ‘beacon’ code, one compromised computer may connect to another computer using Bluetooth.”

Most security researchers agree that Flame was likely created by a nation state for espionage purposes and that its primary targets were organizations and individuals from Iran and other countries in the Middle East.

If that theory is correct, it would be fairly reasonable to assume that such a nation state could also have intelligence assets or operatives in those regions, who could get physically close to the victims in order to interact with their Flame-infected laptops via Bluetooth.

There are precedents for nation states’ involvement in malware attacks on Middle East countries. A report in The New York Times Friday said that U.S. President Barack Obama ordered the Stuxnet cyberattacks on Iran in order to damage the country’s nuclear program.

Some Bluetooth attacks don’t even require close proximity to the target. Back in 2004, at the Defcon hacker conference, researchers showcased a sniper-rifle-like device that could connect to regular Bluetooth-enabled mobile phones from over one kilometer away.

Another use for the Bluetooth functionality in Flame could be to eavesdrop on private conversations, the Symantec researchers said. “Connect a compromised computer to a nearby device and enable handsfree communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in.”

All of these theories describe practical attacks that would be well within the capabilities of skilled attackers, like the ones who created Flame, the Symantec researchers said. “W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth.”