Bluesnarfing At CeBIT 2004
La^2 writes "The Austrian research company Salzburg Research did a field trial at the CeBIT 2004 that confirms the seriousness of the recently discovered bluetooth security loophole in the firmware of popular mobile phones. In this trial, 1269 unique bluetooth-enabled devices were discovered, and their vulnerability to the so-called SNARF attack checked. The report on this bluesnarfing at large scale has interesting statistics, which may not please some of the vendors." (And the CeBIT version of Knoppix was apparently being used to slurp up and display Bluetooth phone information, too.)
Very detailed .pdf file with charts & stuff. Here's just the conclusions (no troll text, I promise!) ;)
In the CeBIT trial no phone book entries have been made. Such entries would most likely overwrite existing ones.
3 Final Remarks
3.1 Proclaimer
The information gathered in this field trial will not be disclosed to anybody. Personal information that has been retrieved from vulnerable phones has been deleted. This study has been made for scientific demonstration purposes only.
3.2 What has been done
The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is why only the first 10 entries of each phone book were read out. About 50 numbers from each snarfed phone have been retrieved.
3.3 What could have been done
As mentioned in the introduction, a variety of different things could have been done with an unauthorized bluetooth connection to the phone. The following paragraphs give some ideas on the things this security flaw would also allow the attacker to do.
3.3.1 Sending an SMS
The only good way to get to know the number of the snarfed phone is to send an SMS from the attacked phone to another device. Depending on the manufacturer of the phone, SMS messages can either be provided as 7-bit encoded ASCII text and/or have to be provided as an SMS-PDU, which is rather tricky to generate. For the creation of SMS-PDUs there is a tool called PDUSpy in the download section of http://www.nobby.com/.
Nokia phones allow issuing text-mode and PDU-mode messages to the device, while SonyEricsson phones (and also Siemens phones) only accept PDU-encoded SMS messages. The sending of an SMS is not visible to the user. Usually, the issued SMS is not stored in the sent-box of the snarfed phone. In rare cases, the SMS settings of the snarfed phone are set to require a report that is generated at the receiving phone. In this case the sender, who was not aware of having sent a message, would receive a reception report from the attacker's phone (which includes a phone number). By sending PDU-encoded messages, it can be controlled by setting a flag whether a reception report is generated or not.
This method to get the victim's phone number causes costs to the holder of the phone. That is why it has not been done in the CeBIT field trial. But it works for sure (at least on Nokia devices). It would also be possible to get the device's phone number by initiating a phone call to the number of a phone that is able to display the caller's number. However, this method would disclose the number of the dialed phone to the owner of the attacked phone, because every call initiation writes an entry into the dialed contacts list (DC phone book).
3.3.2 Initiating a Phone Call
It is possible to initiate phone calls to virtually any other number. It would be very lucrative to initiate calls to a premium service number that is run by the attacker. As mentioned before, dialed numbers are usually stored in the phone's calling lists and are also stored at the provider site for billing purposes. Therefore, this kind of abuse is rather unlikely. It would also be very easy to find out and sue the person responsible for this premium service.
3.3.3 Writing a Phone Book Entry
As mentioned before, every phone call writes an entry into the 'dialed contacts' or DC phone book of the respective device. By writing a phone book entry into the DC phone book, the traces on the device that evidence that a call has been made can be replaced by any number. Since the operator also stores dialed numbers for billing purposes, this kind of obfuscation would only delay the process of finding the responsible person.
Of course it is also possible to do some nasty phone book entries. Just imagine an entry that has 'Darling' as a name and the number of a person you dislike. The owner of the phone could then get into some trouble with his/her spouse.
3.4 Vendor Reac
Raise your mobile phone to your eyes and scream "Thunder, thunder, thunder cats hooooooooooooooo".
Just post a little disclaimer in tiny print at the entrance.
which involves two or more Smurfs, a pound of coke, and a strong rope tied into a noose
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
http://www.wired.com/news/culture/0,1284,62687,00.html
:-/
A rather interesting phenomenon.
Too bad I can't get into it
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I had to google for this one ...
Basically, Bluesnarfing is an exploit of a Bluetooth vulnerability to access data stored on the mobile device.
A more detailed explanation can be found here
I hear there's rumors on the Slashdots
Correct me if I'm wrong, but from the PDF text, it says that you can send out SMS messages from people's cell phones. Couldn't this be used by spammers to send spam SMS messages through random people's accounts? I can imagine some guy walking around a mall or various Starbucks and spamming away using people's cell phones.
Just a thought...
--D3X
Does any of this relate to Palm devices that are Bluetooth enabled or have the Bluetooth card?
And what about the USB Bluetooth devices for adding it to a PC? Are they vulnerable as well?
"Live Free or Die." Don't like it? Then keep out of the USA
Methods:
Publish vulnerablities with code examples proving it. WRONG!
Loudly hack everyone's security at a big trade show. CORRECT!
One line blog. I hear that they're called Twitters now.
Similar to driving next to someone transmitting on the same frequency on their iPod iTrip FM Transmitter. Which especially sucks driving out of Chicago during rush hour.
if people would brush their blueteeth more, they'd get less cavities.
obviously bluetooth devices aren't packaged with enough care instructions.
one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone - but if the log of missed/incoming/outgoing calls is available on another snarfed device, why not route the call there and just skim the incoming number from that phone? I guess you'd need to know the number of at least one device to start but with a little social engineering that wouldn't be terribly difficult.
I hear the RFID demons attacking again.
They're everywhere.....
I've got more mod points and GMail invi
I don't understand why it's ok to post the vulnerabilities of say, bluetooth, but someone can't post "hacks" or they can get in major trouble, i.e. the France story. Why are some exploits OK and others not OK? Where is the line? Is it just like censorship, where on a case-by-case basis the rules are changed? That's dumb.
In other news, check out my artist interview at Fulcrum gallery.
or you could just RTFA! Or even just RTF story submission!
It's been around a while.
What are we going to to tomorrow, Brain?
The same thing we do every night, Pinky, Try to take over the WORLD! [maniacal laughter]
Snarf!
*grumble* fucking furries.
bluesnarfing is already dying a slow death as mentioned in the report -- newer phones and old phones with firmware updates aren't susceptible -- I have a feeling this report had more to do with drawing people to his site to sell bluetooth books!
http://www.blueserker.com
http://www.blueserker.com
But I had Bluetooth switched off.
:)
It consumes too much power to keep it on anyway. Although it would be cool if CeBIT provided wireless internet access through Bluetooth throughout the terrain. I know they did have an 802.11b network running last year, which was freely accessible to visitors.
One cool thing this year was the availability of the CeBIT Mobile Fair Planner for Symbian-based phones. It was available for download on the CeBIT site (although access to it required free registration). No more thick guide to plough through in order to find the exhibitors you're looking for. An exhibitor list (including search functionality), interior maps of the buildings hosting the fair, everything in my phone!
It was the first time I actually felt myself living in the twenty-first century.
Now I hope that Nokia will soon release a Bluesnarfing-proof firmware update for my phone.
"Oooh, does that mean we get to kick some puffy white mad zionist butt?"
Knoppix 3.4 is out, (but not yet on mirrors).
Anyone have a torrent
The author of that article is involved in www.moveon.org. In case you didn't already know about it: maybe you're interested in signing up or volunteering?
Does anyone know if these attacks can be made on bluetooth keyboards?
I was considering getting a bluetooth keyboard since bluetooth is encrypted unlike RF keyboards, but I'm a bit paranoid given all this bluesnarfing stuff.
anybody got their hands it, or have a torrent?
the weeks-old c't knoppix didn't work for me and I'd really like to run knoppix with a 2.6 kernel.
or, anyone have a working torrent for the BitDefender remaster?
The torrent on this page seems to not work:
http://www.bitdefender.com/bd/site/presscenter.php?menu_id=25&n_id=84
mod parent up, where can this be found
As the author of the bluesnarf report and an important member of the team that did the experiment, I can tell you that the Slackware Linux 9.0 distribution was used as a basis. In addition to this, Bluez and a recent linux kernel (linux-2.6.2) have been installed on this system. I like Knoppix very much, though. It gives Microsoft users a fair chance to seriously think about getting rid of their expensive bugware. Linux forever ;)
Somebody mentioned using this in somewhere where a number of phones are gathered, like a cafe or railway station to send SMS spam.
Even better idea. If you can get a connection to a couple of phones in the area, make the guy at table A's phone SMS the guy at table B's phone. Wait for the guy at table B to call A; depending on the message, the results could be hilarious.
The article talked about sending a possibly traceable SMS to a device you own to discover the number of the snarfed phone. An untraceable way to discover the number would be to use a Bluetooth headset to make a call to one of those phone numbers that read back your phone number.
What fun you could have with a Linux PDA with Bluetooth combined with a Bluetooth headset. A nice and portable way to make unlimited free calls via any vulnerable phone that is close enough to you.
When will vendors learn that vulnerabilities need to be fixed right away, even if they can't think of anything nasty that can be done with them?
To put it into perspective, out of 1269 Bluetooth enabled phones detected, only 46 were vulnerable to the attack. And the manufacturers are upgrading the firmware so that newer models are immune.
get rid of their expensive bugware. Linux forever ;)
s/\./,/
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
The CeBIT test doc is a fancy bunch of nothingness. You may want to read this instead...
http://www.theregister.co.uk/content/69/34139.html