Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bluesnarfing At CeBIT 2004

Posted by timothy on from the not-dirty-toothing dept.

La^2 writes "The Austrian research company Salzburg Research did a field trial at the CeBIT 2004 that confirms the seriousness of the recently discovered bluetooth security loophole in the firmware of popular mobile phones. In this trial, 1269 unique bluetooth-enabled devices were discovered, and their vulnerability to the so-called SNARF attack checked. The report on this bluesnarfing at large scale has interesting statistics, which may not please some of the vendors." (And the CeBIT version of Knoppix was apparently being used to slurp up and display Bluetooth phone information, too.)

16 of 104 comments (clear)

  1. Just the good bits from .pdf by Anonymous Coward · · Score: 5, Interesting

    Very detailed .pdf file with charts & stuff. Here's just the conclusions (no troll text, I promise!):

    3 Final Remarks

    3.1 Proclaimer

    The information gathered in this field trial will not be disclosed to anybody. Personal information that has been retrieved from vulnerable phones has been deleted. This study has been made for scientific demonstration purposes, only.

    3.2 What has been done

    The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is why only the first 10 entries of each phone book were read out. About 50 numbers from each snarfed phone have been retrieved.

    3.3 What could have been done

    As mentioned in the introduction there could have been done a variety of different things with an unauthorized bluetooth connection to the phone. The following paragraphs give some ideas on the things this security flaw would also allow the attacker to do.

    3.3.1 Sending a SMS

    The only good way to get to know the number of the snarfed phone is to send an SMS from the attacked phone to another device. Depending on the manufacturer of the phone, SMS messages can either be provided in 7bit encoded ASCII-text and/or have to be provided as a SMS-PDU which is rather tricky to generate. For the creation of SMS-PDUs there is a tool called PDUSpy in the download section of http://www.nobby.com/.

    Nokia phones allow to issue text-mode and PDU-mode messages to the device, while SonyEricsson phones (and also Siemens phones) only accept PDU-encoded SMS messages. The sending of an SMS is not visible to the user. Usually, the issued SMS is not stored in the sent-box of the snarfed phone. In rare cases, the SMS settings of the snarfed phone are set to require a report that is generated at the receiving phone. In this case the sender that was not aware of having sent a message would receive a reception-report from the attacker?s phone (which includes a phone number). By sending PDU encoded messages, it can be controlled by setting a flag whether a reception report is generated or not.

    This method to get the victim?s phone number is causing costs to the holder of the phone. That is why it has not been done in the CeBIT field-trial. But it works for sure (at least on Nokia devices). It would also be possible to get the device?s phone number by initiating a phone call to the number of a phone that is able to display the caller?s number. However, this method would disclose the number of the dialed phone to the owner of the attacked phone, because every call initiation is writing an entry into the dialed contacts list (DC phone book).

    3.3.2 Initiating a Phone Call

    It is possible to initiate phone calls to virtually any other number. It would be very lucrative to initiate calls to a premium service number that is ran by the attacker. As mentioned before, dialed numbers are usually stored in the phone?s calling lists and are also stored at the provider-site for billing purposes. Therefore, this kind of abuse is rather unlikely. It would also be very very easy to find out and sue the person being responsible for this premium service.

    3.3.3 Writing a Phone Book Entry

    As mentioned before, every phone call is writing an entry into the ?dialed contacts? or DC phone book of the respective device. By writing a phone book entry into the DC phone book, the traces on the device that evidence that a call has been made can be replaced by any number. Since the operator also stores dialed numbers for billing purposes, this kind of obfuscation would only delay the process of finding the responsible person.

    Of course it is also possible to do some nasty phone book entries. Just imagine an entry that has ?Darling? as a name and the number of a person you dislike. This owner of the phone could then get into some trouble with his/her spouse ;) In the CeBIT-trial no phone book entries have been done. Such entries would most likely overwrite existing ones.

    3.4 Vendor Reac

  2. I found a solution to Snarf by mrbob01 · · Score: 5, Funny

    Raise your mobile phone to your eyes and scream "Thunder, thunder, thunder cats hooooooooooooooo".

  3. Retail applications by Animats · · Score: 5, Insightful
    If someone used this hole to collect information about customers entering a store, there are people who would defend that as legitimate.

    Just post a little disclaimer in tiny print at the entrance.

  4. this is as opposed to "bluesmurfing" by zephc · · Score: 5, Funny

    which involves two or more Smurfs, a pound of coke, and a strong rope tied into a noose

    --
    "I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
  5. Bluesnarfing by spellraiser · · Score: 4, Informative

    I had to google for this one ...

    Basically, Bluesnarfing is an exploit of a Bluetooth vulnerability to access data stored on the mobile device.

    A more detailed explanation can be found here

    --
    I hear there's rumors on the Slashdots
  6. Spammers by DeionXxX · · Score: 5, Interesting

    Correct me if I'm wrong, but from the PDF text, it says that you can send out SMS messages from people's cell phones. Couldn't this used by spammers to send spam SMS messages through random people's accounts. I can imagine some guy walking around a mall or various Starbucks and spamming away using people's cell phones.

    Just a thought...

    --D3X

    1. Re:Spammers by markov_chain · · Score: 4, Interesting

      Or even worse, install a bunch of disguised spam "access points" at busy places and let passersby do the spamming for you :)

      --
      Tsunami -- You can't bring a good wave down!
  7. What about Palm devices? by doublem · · Score: 4, Interesting

    Does any of this relate to Palm devices that are Bluetooth enabled or have the Bluetooth card?

    And what about the USB Bluetooth devices for adding it to a PC? Are they vulnerable as well?

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  8. Today's security hacking lesson by AndroidCat · · Score: 5, Insightful

    Methods:
    Publish vulnerablities with code examples proving it. WRONG!
    Loudly hack everyone's security at a big trade show. CORRECT!

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Today's security hacking lesson by Strange+Ranger · · Score: 5, Insightful

      This is not a Troll you jackass mods. I just came from the YRO: Hacker Indicted In France... and was thinking the exact same thing.

      It's +4 Insightful.

      +5 would be:
      Act as a lone citizen and Publish vulnerablities with code examples proving it. WRONG!
      Make sure you're part of company with a team of lawyers and Loudly hack everyone's security at a big trade show. CORRECT!

      --

      Operator, give me the number for 911!
    2. Re:Today's security hacking lesson by Elwood+P+Dowd · · Score: 4, Interesting

      Well, these vulnerabilities have been detected long ago. They told vendors. The vendors *did* respond, by saying that they don't care at all about these vulnerabilities.

      Loudly hacking the security at a trade show honestly seems like the only way to deal with this issue.

      --

      There are no trails. There are no trees out here.
  9. definition of snarf by sysopd · · Score: 5, Funny
    I hope I'm not the only one here who has gone through life with the definition of a snarf (as explained to me by my father) as:
    "one who goes around sniffing girls bicycle seats after they've ridden them on a hot day"
    Similarly, he had variations such as snarfcicle (on a cold day), snarfbucket (saves the sweat from the seats in buckets), etc... not to mention my personal favorite word he defined, a queebie:
    "one who farts in the bathtub and bites the bubbles"
    I was young when he told me these definitions so it was awkward when I used them in colloquial intercourse and had to define them every time.
    1. Re:definition of snarf by drinkypoo · · Score: 5, Funny

      A "snarf" is when you blow something out your nose that wasn't intended to go that way. Beverages are the most common thing to snarf, but I once snarfed yogurt. This is highly inadvisable and I did not do it on purpose.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:definition of snarf by sammaffei · · Score: 5, Funny

      If this isn't a glowing endorsement for a revamped orphange system, I don't know that is.

      --

      Political correctness is the newest form of slavery.

    3. Re:definition of snarf by That's+Unpossible! · · Score: 4, Funny

      Can you guys get a room or something.

      Bring your dads along while you're at it.

      --
      Ironically, the word ironically is often used incorrectly.
  10. foo! by Anonymous Coward · · Score: 4, Interesting

    one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone - but if the log of missed/incoming/outgoing calls is available on another snarfed device, why not route the call there and just skim the incoming number from that phone? I guess you'd need to know the number of at least one device to start but with a little social engineering that wouldn't be terribly difficult.