Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bluesnarfing At CeBIT 2004

Posted by timothy on from the not-dirty-toothing dept.

La^2 writes "The Austrian research company Salzburg Research did a field trial at the CeBIT 2004 that confirms the seriousness of the recently discovered bluetooth security loophole in the firmware of popular mobile phones. In this trial, 1269 unique bluetooth-enabled devices were discovered, and their vulnerability to the so-called SNARF attack checked. The report on this bluesnarfing at large scale has interesting statistics, which may not please some of the vendors." (And the CeBIT version of Knoppix was apparently being used to slurp up and display Bluetooth phone information, too.)

11 of 104 comments (clear)

  1. Just the good bits from .pdf by Anonymous Coward · · Score: 5, Interesting

    Very detailed .pdf file with charts & stuff. Here's just the conclusions (no troll text, I promise!):

    3 Final Remarks

    3.1 Proclaimer

    The information gathered in this field trial will not be disclosed to anybody. Personal information that has been retrieved from vulnerable phones has been deleted. This study has been made for scientific demonstration purposes, only.

    3.2 What has been done

    The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is why only the first 10 entries of each phone book were read out. About 50 numbers from each snarfed phone have been retrieved.

    3.3 What could have been done

    As mentioned in the introduction there could have been done a variety of different things with an unauthorized bluetooth connection to the phone. The following paragraphs give some ideas on the things this security flaw would also allow the attacker to do.

    3.3.1 Sending a SMS

    The only good way to get to know the number of the snarfed phone is to send an SMS from the attacked phone to another device. Depending on the manufacturer of the phone, SMS messages can either be provided in 7bit encoded ASCII-text and/or have to be provided as a SMS-PDU which is rather tricky to generate. For the creation of SMS-PDUs there is a tool called PDUSpy in the download section of http://www.nobby.com/.

    Nokia phones allow to issue text-mode and PDU-mode messages to the device, while SonyEricsson phones (and also Siemens phones) only accept PDU-encoded SMS messages. The sending of an SMS is not visible to the user. Usually, the issued SMS is not stored in the sent-box of the snarfed phone. In rare cases, the SMS settings of the snarfed phone are set to require a report that is generated at the receiving phone. In this case the sender that was not aware of having sent a message would receive a reception-report from the attacker?s phone (which includes a phone number). By sending PDU encoded messages, it can be controlled by setting a flag whether a reception report is generated or not.

    This method to get the victim?s phone number is causing costs to the holder of the phone. That is why it has not been done in the CeBIT field-trial. But it works for sure (at least on Nokia devices). It would also be possible to get the device?s phone number by initiating a phone call to the number of a phone that is able to display the caller?s number. However, this method would disclose the number of the dialed phone to the owner of the attacked phone, because every call initiation is writing an entry into the dialed contacts list (DC phone book).

    3.3.2 Initiating a Phone Call

    It is possible to initiate phone calls to virtually any other number. It would be very lucrative to initiate calls to a premium service number that is ran by the attacker. As mentioned before, dialed numbers are usually stored in the phone?s calling lists and are also stored at the provider-site for billing purposes. Therefore, this kind of abuse is rather unlikely. It would also be very very easy to find out and sue the person being responsible for this premium service.

    3.3.3 Writing a Phone Book Entry

    As mentioned before, every phone call is writing an entry into the ?dialed contacts? or DC phone book of the respective device. By writing a phone book entry into the DC phone book, the traces on the device that evidence that a call has been made can be replaced by any number. Since the operator also stores dialed numbers for billing purposes, this kind of obfuscation would only delay the process of finding the responsible person.

    Of course it is also possible to do some nasty phone book entries. Just imagine an entry that has ?Darling? as a name and the number of a person you dislike. This owner of the phone could then get into some trouble with his/her spouse ;) In the CeBIT-trial no phone book entries have been done. Such entries would most likely overwrite existing ones.

    3.4 Vendor Reac

  2. Yeah, but are they "toothing"? by scorp1us · · Score: 2, Interesting

    http://www.wired.com/news/culture/0,1284,62687,00. html

    A rather interesting phenomenon.
    Too bad I can't get into it :-/

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  3. Spammers by DeionXxX · · Score: 5, Interesting

    Correct me if I'm wrong, but from the PDF text, it says that you can send out SMS messages from people's cell phones. Couldn't this used by spammers to send spam SMS messages through random people's accounts. I can imagine some guy walking around a mall or various Starbucks and spamming away using people's cell phones.

    Just a thought...

    --D3X

    1. Re:Spammers by markov_chain · · Score: 4, Interesting

      Or even worse, install a bunch of disguised spam "access points" at busy places and let passersby do the spamming for you :)

      --
      Tsunami -- You can't bring a good wave down!
  4. What about Palm devices? by doublem · · Score: 4, Interesting

    Does any of this relate to Palm devices that are Bluetooth enabled or have the Bluetooth card?

    And what about the USB Bluetooth devices for adding it to a PC? Are they vulnerable as well?

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  5. foo! by Anonymous Coward · · Score: 4, Interesting

    one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone - but if the log of missed/incoming/outgoing calls is available on another snarfed device, why not route the call there and just skim the incoming number from that phone? I guess you'd need to know the number of at least one device to start but with a little social engineering that wouldn't be terribly difficult.

    1. Re:foo! by gnu-generation-one · · Score: 3, Interesting

      "one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone"

      So why not do it when they're in a meeting, and just start listening? Voila, one infinity bug in a mobile phone.

      Make their phone dial a call-box if you like.

  6. Re:Today's security hacking lesson by Anonymous Coward · · Score: 2, Interesting

    What might have been move interesting would have been to quietly hack everyone's phone list and calendar info at CeBIT, then built a social network / FOAF web from the data. Let's see who's sleeping with whom, and how many degrees of seperation you are from sleeping with Steve Ballmer. (Not possible? That's not what I heard! Ha ha ha!)

  7. Re:Today's security hacking lesson by Elwood+P+Dowd · · Score: 4, Interesting

    Well, these vulnerabilities have been detected long ago. They told vendors. The vendors *did* respond, by saying that they don't care at all about these vulnerabilities.

    Loudly hacking the security at a trade show honestly seems like the only way to deal with this issue.

    --

    There are no trails. There are no trees out here.
  8. snarfing -- who cares by blueserker · · Score: 3, Interesting

    bluesnarfing is already dying a slow death as mentioned in the report -- newer phones and old phones with firmware updates aren't susceptible -- i have a feeling this report had more to do with drawing people to his site to sell bluetooth books!

    http://www.blueserker.com

    --
    http://www.blueserker.com
  9. I was there with my Nokia 6600 by motown · · Score: 2, Interesting

    But I had Bluetooth switched off.

    It consumes too much power to keep it on anyway. Although it would be cool if CeBIT provided wireless internet access through Bluetooth througout the terrain. I know they did have an 802.11b network running last year, which was freely accessible to visitors.

    One cool thing this year was the availibility of the CeBIT Mobile Fair Planner for Symbian-based phones. It was available for download on the CeBIT site (altough access to it required free registration). No more thick guide to plough through in order to find the exhibitors you're looking for. An exhibitor list (including search functionality), interior maps of the buildings hosting the fair, everything in my phone!

    It was the first time I actually felt myself living in the twentyfirst century. :)

    Now I hope that Nokia will soon release a Bluesnarfing-proof firmware update for my phone.

    --
    "Oooh, does that mean we get to kick some puffy white mad zionist butt?"