What is Bluetooth Technology
Bluetooth is a wireless radio technology. Each device carries a Bluetooth transmitter and radio receiver, which lets devices communicate over relatively short distances without wires or cords.
The Bluetooth technology was initiated in 1989 by Nils Rydbeck, CTO of Ericsson Mobile in Lund, Sweden. He tasked several Ericsson engineers with creating a technology for wireless headsets. Approached by IBM to integrate Ericsson phone technology into the IBM ThinkPad, the two instead decided to use the wireless technology they’d been discussing to allow an Ericsson phone and the ThinkPad to communicate. In 1998, five participants launched the Bluetooth SIG.
The name was taken from a 10th century Danish King, Harald Bluetooth, a nod to Bluetooth’s Nordic heritage. Harald Bluetooth united many of the warring Danish tribes into a single kingdom. The implication is that Bluetooth unites communications.
A Primer on How Bluetooth Works
Each device has a small radio transmitter/receiver component that allows a computing device like a laptop, tablet, or smartphone to transmit data to different peripheral devices like a Bluetooth speaker, Bluetooth headphones, or other wireless devices.
Bluetooth transmitters send and receive radio waves at frequencies between 2.402 and 2.4835 GHz, divided into 79 channels. These Bluetooth frequencies in the 2.4 GHz band are set apart from those used by mobile phones, radio, and television. Bluetooth transmitters use low power and are designed for short-range transmissions.
When Bluetooth is turned on, devices can be configured to detect and connect automatically. Up to 8 different devices can use Bluetooth connectivity to communicate at once – one being the master, while the rest are connected as slaves. Since each pair of devices uses one of the 79 available channels, they don’t interfere with each other’s wireless communications.
What’s a Skimmer Device?
Credit card skimmers steal people’s credit card numbers and details. They work by intercepting a person’s credit card number, PIN, and details so that the thief either clones the credit card and uses it or sells it on the Dark Web.
There are many different types of credit card skimmers. Chip-enabled credit cards were created to help eliminate skimming but they don’t prevent a technique cybercriminals use called shimming.
We’ll introduce the different types of credit card skimmers and provide a brief description of what they do.
Skimming – a thief places a skimming device on a card reader; it intercepts the magnetic stripe information when a customer slides their card through the skimmer.
Shims or shimming – this is when a device is attached directly to a card reader. It is connected to the part of the terminal where the card data has already been decrypted, defeating the protection provided by “chip and PIN” technology. So, in essence, it sits between the chip on the card and the chip reader. It is then able to read and copy the information from the credit card stripe when the card is swiped through the shim, just as with skimming. Sometimes these devices are paper-thin and simply inserted into the card slot.
Deep insert skimmer or shim – these devices are positioned deep inside the card reader. They can reside hidden for days or weeks, undiscovered, harvesting information from the magnetic stripe before being detected and removed.
Keyboard overlays – these are simply devices placed over the PIN pad that intercept the input as a person types in their PIN.
Video overlays – similar to the keyboard overlay, these are hidden cameras that record a person’s hand movements as they type a PIN on the entry pad. Sometimes they use audio to record the sounds as someone enters their PIN.
Network sniffers – these devices are on the same physical network as the target device. Instead of stealing data from the magnetic stripe, they’re designed to steal information as it’s transmitted across the network.
Card reader interceptor – these are devices that look like the front of a card reader but they’re not. Like a skimmer or shim device, they read the information off of the magnetic stripe. Unlike a shim, they’re not able to defeat chip and PIN technology.
Why Do Some Skimmers Use Bluetooth?
There are multiple ways for a shim or skimmer to store information. They can use on-chip storage retrieved via a serial communications port, a USB key drive, or a Bluetooth adapter.
The “old fashioned” way of retrieving card data from the skimmers might be to remove the device from a gas pump, ATM, or Point-of-Sale device and either connect to it through the serial port or remove the USB storage device. Physical retrieval isn’t difficult but impacts the ability of a criminal to safely scale a card harvesting operation.
If a device requires a criminal to physically uninstall it in order to gather their stolen credit card data, it means that they could get caught in the act. Physical retrieval is clearly possible but introduces the risk of detection if they’re operating large numbers of skimmers.
Thieves operating these devices are looking for ways to make their operations more efficient, scalable, and safer. This brings us to Bluetooth radio chipsets. Using Bluetooth saves a criminal time and that adds up when they’ve got multiple card skimmers in operation.
Considering that some thieves likely pull the data from their card skimmers daily, it’s easy to see how using Bluetooth would save them time and help them avoid getting caught. If they use the Bluetooth technology, they can sit in a car and remotely pull card data off the skimmer.
Bluetooth chips are cheap to obtain because they’re mass-produced in large quantities. Amazon sells them for less than $10. Manufacturing a custom PCB or board design is inexpensive. Therefore, adding a Bluetooth radio to a card skimmer device is cheap and relatively easy. Our research indicates that most US credit card skimmers are using Bluetooth Classic and not the newer Bluetooth Low Energy standard. That may be different in Europe.
How Do You Detect Bluetooth Skimmers?
Before we discuss Bluetooth enabled credit card skimmer detection, we have to state what we think is obvious: if the credit card skimmer doesn’t use Bluetooth to communicate, you won’t be able to detect it with Signils, your smart device, or any other card skimmer detector.
That being said, we’ve read complaints on Nextdoor and Facebook about mysterious credit card transactions after people visited specific gas stations in our area. There are also reports of credit card skimmers being found on gas station pumps, ATMs, and Point-of-Sale devices. Brian Krebs, an investigative reporter, has also written about Bluetooth enabled card skimmers.
The processes we’re using to detect Bluetooth enabled credit card skimmers are largely based on two detailed and highly technical research papers with our own take on the process:
- “Kiss from a Rogue: Evaluating Detectability of Pay-at-the-Pump Card Skimmers”. Researched and written by Nolen Scaife, Jasmine Bowers, Christian Peeters, Grant Hernandez, Imani N. Sherman, Patrick Traynor, and Lisa Anthony from the University of Florida.
- “Please Pay Inside: Evaluating Bluetooth-based Detection of Gas Pump Skimmers”. Researchers: Nishant Bhaskar, Maxwell Bland, Kirill Levchenko, and Aaron Schulman from the University of California, San Diego.
Detecting Bluetooth enabled credit card skimmers includes techniques to profile the “signature” of the devices. A signature is a set of information used to identify other skimmers that share that same signature or characteristics. This is the same approach used by Antivirus software and Vulnerability Management software.
There are three major pieces of information that can be used to detect Bluetooth enabled credit card skimmers: Class-of-Device, Device Name, and MAC Address.
According to Bluetooth.com, “the Major Device Class segment is the highest level of granularity for defining a Bluetooth device. A device’s main function determines its Major Class assignment. There are 32 major classes”.
Class-of-Device is what the Bluetooth protocol uses to identify whether it’s communicating with a Bluetooth speaker, Bluetooth headset, a car infotainment system, a network, or a peripheral device. Class-of-Device tells the Bluetooth transmitter what profile it needs to load in order to successfully communicate with a device. Profiles are analogous to a device category.
Many Bluetooth enabled credit card skimmers use an uncategorized Class-of-Device, meaning that the Bluetooth protocol doesn’t load a particular profile to enable communications.
Mobile device operating systems and most apps are designed not to attempt to pair to a device when the Class-of-Device is ‘uncategorized’. This means that devices with an ‘uncategorized’ Class-of-Device won’t even show up in your “available devices” list.
In some cases, Bluetooth skimmers use radios that default to the Device Name “HC-05”, “HC-06”, “HC-08”, or “FREE2MOVE”. The problem is that there are many other devices that use the same Bluetooth modules and they aren’t card skimming devices.
There are also skimmers that have a custom name that would look normal at first glance. So, we can’t rely on Device Name alone to identify card skimmers. A crafty criminal can rename the device to broadcast what would otherwise be a commonly found name, like Sync or Beats. Using only the Device Name could result in false positives that would likely cause people to misidentify skimmers.
Lastly, because criminals are using commercial-off-the-shelf Bluetooth chips, law enforcement and researchers have narrowed down the list of chips to a specific set of manufacturers.
As previously discussed, these chipsets are widely available, meaning that a scan of a gas station is just as likely to detect a legitimate device as it is a credit card skimmer. That being said, some of the skimming devices recovered by law enforcement use a fictitious MAC address that looks like a date. For example, 20:18:11.
How We Detect Nefarious Devices
Signils uses a combination of these three characteristics to profile devices. We use our technique to compare devices we find broadcasting Bluetooth wireless signals to known Bluetooth Card Skimmers using each piece of information we’ve discussed: Class-of-Device, Device Name, and MAC Address. We use these pieces of information to create, store, and use a signature to identify other devices.
Signils is used to manage known “good” devices. During our scanning process, we compare characteristics of devices we find to both known good, and known bad. Any unidentified device is suspect – it could either be a good device or a skimmer. As people add more devices to Signils, we profile them and improve our database of known good and therefore our ability to potentially detect Bluetooth enabled card skimmers.
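To make the three-indicator signature approach concrete, here is an added illustration (not Signils’ code) that scores scanned Bluetooth Classic records against the indicators described above: an uncategorized Major Device Class (value 31 in bits 8–12 of the Class-of-Device field), a default module name such as HC-05, and a date-like MAC prefix in the style of the 20:18:11 example. The scan records, the allowlist, and the exact date heuristic are constructed assumptions for this example.

```python
from dataclasses import dataclass

UNCATEGORIZED_MAJOR = 0x1F                     # Major Device Class 31 = "Uncategorized"
DEFAULT_MODULE_NAMES = {"HC-05", "HC-06", "HC-08", "FREE2MOVE"}


@dataclass(frozen=True)
class Device:
    mac: str    # Bluetooth device address as seen in an inquiry scan
    name: str   # advertised Device Name ("" if the device reports none)
    cod: int    # 24-bit Class-of-Device value


def major_device_class(cod: int) -> int:
    """Major Device Class occupies bits 8..12 of the 24-bit CoD field."""
    return (cod >> 8) & 0x1F


def mac_looks_like_date(mac: str) -> bool:
    """Assumed heuristic modelled on the post's 20:18:11 example: the first
    octet is '20', the second a two-digit year, the third a month 01-12.
    Octets containing hex letters cannot be decimal digits, so they fail."""
    octets = mac.upper().split(":")
    if len(octets) != 6 or octets[0] != "20":
        return False
    try:
        year, month = int(octets[1]), int(octets[2])
    except ValueError:
        return False
    return 0 <= year <= 99 and 1 <= month <= 12


def indicators(dev: Device, known_good: set[str]) -> list[str]:
    """Return the indicators that fire for one scan record. Devices on the
    known-good allowlist (by MAC) return no indicators, mirroring the
    known-good / known-bad comparison described in the post."""
    if dev.mac.upper() in known_good:
        return []
    hits = []
    if major_device_class(dev.cod) == UNCATEGORIZED_MAJOR:
        hits.append("uncategorized-cod")
    if dev.name.upper() in DEFAULT_MODULE_NAMES:
        hits.append("default-module-name")
    if mac_looks_like_date(dev.mac):
        hits.append("date-like-mac")
    return hits


# Constructed scan records: a suspicious module, a renamed one, and a real headset.
SAMPLE_SCAN = [
    Device("20:18:11:AA:BB:CC", "HC-05", 0x001F00),      # all three indicators
    Device("20:19:03:DE:AD:BE", "Sync", 0x001F00),       # name looks normal, still flagged
    Device("A4:C1:38:12:34:56", "Beats Solo", 0x240404),  # Audio/Video major class, clean
]
```

A record that fires several indicators is only a suspect, not a confirmed skimmer; the post's point is that no single field (especially Device Name) is reliable on its own.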
You should try to be careful about where you buy your gas, where you shop, and where you bank.
Here in the United States, each state has a Department of Measures responsible for the accuracy of gas pumps. Most of those are also responsible for the identification and removal of credit card skimmers. While that improves the security at certain gas pumps, it doesn’t mean that all gas pumps are safe. Depending on the gas station in question, thieves could have access to the insides of the pumps using easily attainable skeleton keys.
There are videos available on YouTube where thieves install skimmers on retail Point-of-Sale systems in a matter of seconds. There are other YouTube videos of thieves installing video skimmers in less than 15 seconds.
We’re certainly not the only people trying to solve this problem and help consumers. Try to reduce your usage of ATMs and if possible, watch social media and news reports for your gas station. It may be difficult to detect card skimmers but you should learn what they look like and how they operate in the event you come across one. Stay safe!