Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Vulnerabilities in certain mobile phone Bluetooth implementations
Posted on 17-Nov-2003 23:49 | Filed under: News


Vulnerabilities in certain mobile phone Bluetooth implementations
ALD, a company specialising in consultancy and security, identified a couple of vulnerabilities in the way Bluetooth is implemented in some popular mobile phone models.

The company put togheter a page with an explanation in general lines of two possible different attacks to certain Bluetooth enabled mobile phone models. The authors are Adam Laurie (Managing Director and Chief Security Officer of A.L. Digital Ltd.) and Ben Laurie (Technical Director of A.L. Digital, author of Apache-SSL).

SNARF attack:

Also called Bluesnarf. "It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, realtime clock, business card, properties, change log etc. This is normally only possible if the device is in "discoverable" or "visible" mode, but there are tools available on the Internet that allow even this safety net to be bypassed [the article refers to bluesniff, btscanner and redfang]."

BACKDOOR attack:

"The backdoor attack involves establishing a trust relationship through the "pairing" mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner's knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also."

With the latest craze about Bluejacking, the company expects that unaware users could allow attackers to establish a partnership without realising the implications of this, and be susceptible to these attacks.

The company did not disclose the proof-of-concept tools developed to demonstrated these flaws, but accepts contacts from handset manufacturers to transfer these programs.


More information: http://www.bluestumbler.org/...







Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Trending now »

Hot discussions in our forums right now:

Help, someone else was driving my car and had an accident, am I liable?
Created by MzAliceD, last reply by driller2000 on 17-Oct-2019 22:01 (49 replies)
Pages... 2 3 4


SKY announce Rugby rights to 2025
Created by JPNZ, last reply by rugrat on 17-Oct-2019 01:12 (82 replies)
Pages... 4 5 6


NZ Cricket to Spark Sport
Created by JPNZ, last reply by tdgeek on 17-Oct-2019 13:21 (136 replies)
Pages... 8 9 10


PBTech and Education computers
Created by kiwifidget, last reply by gzt on 15-Oct-2019 21:46 (14 replies)

Jesse Mulligan says Three 'could close down entire station'
Created by JaseNZ, last reply by tdgeek on 18-Oct-2019 07:51 (27 replies)
Pages... 2


ASB Bank Cheque clearance times !!
Created by maxeon, last reply by Handle9 on 16-Oct-2019 01:25 (41 replies)
Pages... 2 3


Google Pixel 4 announcement and owners thread
Created by ShinyChrome, last reply by lNomNoml on 17-Oct-2019 22:30 (24 replies)
Pages... 2


Mercury Energy - 2 year fixed price
Created by Dulouz, last reply by driller2000 on 17-Oct-2019 21:56 (25 replies)
Pages... 2