Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Bluesnarfing At CeBIT 2004

Posted by timothy on Wed Mar 31, 2004 02:10 PM
from the not-dirty-toothing dept.
Security Bug Wireless Networking Hardware
La^2 writes "The Austrian research company Salzburg Research did a field trial at the CeBIT 2004 that confirms the seriousness of the recently discovered bluetooth security loophole in the firmware of popular mobile phones. In this trial, 1269 unique bluetooth-enabled devices were discovered, and their vulnerability to the so-called SNARF attack checked. The report on this bluesnarfing at large scale has interesting statistics, which may not please some of the vendors." (And the CeBIT version of Knoppix was apparently being used to slurp up and display Bluetooth phone information, too.)
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Bluesnarfing At CeBIT 2004 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Just the good bits from .pdf (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 31 2004, @02:13PM (#8727127)
    Very detailed .pdf file with charts & stuff. Here's just the conclusions (no troll text, I promise!):

    3 Final Remarks

    3.1 Proclaimer

    The information gathered in this field trial will not be disclosed to anybody. Personal information that has been retrieved from vulnerable phones has been deleted. This study has been made for scientific demonstration purposes, only.

    3.2 What has been done

    The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is why only the first 10 entries of each phone book were read out. About 50 numbers from each snarfed phone have been retrieved.

    3.3 What could have been done

    As mentioned in the introduction there could have been done a variety of different things with an unauthorized bluetooth connection to the phone. The following paragraphs give some ideas on the things this security flaw would also allow the attacker to do.

    3.3.1 Sending a SMS

    The only good way to get to know the number of the snarfed phone is to send an SMS from the attacked phone to another device. Depending on the manufacturer of the phone, SMS messages can either be provided in 7bit encoded ASCII-text and/or have to be provided as a SMS-PDU which is rather tricky to generate. For the creation of SMS-PDUs there is a tool called PDUSpy in the download section of http://www.nobby.com/.

    Nokia phones allow to issue text-mode and PDU-mode messages to the device, while SonyEricsson phones (and also Siemens phones) only accept PDU-encoded SMS messages. The sending of an SMS is not visible to the user. Usually, the issued SMS is not stored in the sent-box of the snarfed phone. In rare cases, the SMS settings of the snarfed phone are set to require a report that is generated at the receiving phone. In this case the sender that was not aware of having sent a message would receive a reception-report from the attacker?s phone (which includes a phone number). By sending PDU encoded messages, it can be controlled by setting a flag whether a reception report is generated or not.

    This method to get the victim?s phone number is causing costs to the holder of the phone. That is why it has not been done in the CeBIT field-trial. But it works for sure (at least on Nokia devices). It would also be possible to get the device?s phone number by initiating a phone call to the number of a phone that is able to display the caller?s number. However, this method would disclose the number of the dialed phone to the owner of the attacked phone, because every call initiation is writing an entry into the dialed contacts list (DC phone book).

    3.3.2 Initiating a Phone Call

    It is possible to initiate phone calls to virtually any other number. It would be very lucrative to initiate calls to a premium service number that is ran by the attacker. As mentioned before, dialed numbers are usually stored in the phone?s calling lists and are also stored at the provider-site for billing purposes. Therefore, this kind of abuse is rather unlikely. It would also be very very easy to find out and sue the person being responsible for this premium service.

    3.3.3 Writing a Phone Book Entry

    As mentioned before, every phone call is writing an entry into the ?dialed contacts? or DC phone book of the respective device. By writing a phone book entry into the DC phone book, the traces on the device that evidence that a call has been made can be replaced by any number. Since the operator also stores dialed numbers for billing purposes, this kind of obfuscation would only delay the process of finding the responsible person.

    Of course it is also possible to do some nasty phone book entries. Just imagine an entry that has ?Darling? as a name and the number of a person you dislike. This owner of the phone could then get into some trouble with his/her spouse ;) In the CeBIT-trial no phone book entries have been done. Such entries would most likely overwrite existing ones.

    3.4 Vendor Reac

  • I found a solution to Snarf (Score:5, Funny)

    by mrbob01 (712724) on Wednesday March 31 2004, @02:15PM (#8727150)
    Raise your mobile phone to your eyes and scream "Thunder, thunder, thunder cats hooooooooooooooo".

  • Retail applications (Score:5, Insightful)

    by Animats (122034) on Wednesday March 31 2004, @02:17PM (#8727172) Homepage
    If someone used this hole to collect information about customers entering a store, there are people who would defend that as legitimate.

    Just post a little disclaimer in tiny print at the entrance.

    • I hear the RFID demons attacking again.

      They're everywhere.....
    • I couldn't disagree more...

      Entering a phone bluetooth enabled phone without permission, regardless of intent, is mostly "wrong".

      Granted, one shouldn't leave a bluetooth wide open ... but If they did, that doesn't mean they are asking to have their privacy invaded for commercial purposes.

      *shrug* hopefully this experiment helps prove enough of a point to manufacturers to shore that up a bit, eh?

      e.

  • this is as opposed to "bluesmurfing" (Score:5, Funny)

    by zephc (225327) on Wednesday March 31 2004, @02:17PM (#8727176)
    which involves two or more Smurfs, a pound of coke, and a strong rope tied into a noose

  • Yeah, but are they "toothing"? (Score:3, Interesting)

    by scorp1us (235526) on Wednesday March 31 2004, @02:19PM (#8727186) Journal
    http://www.wired.com/news/culture/0,1284,62687,00. html

    A rather interesting phenomenon.
    Too bad I can't get into it :-/

  • Bluesnarfing (Score:4, Informative)

    by spellraiser (764337) on Wednesday March 31 2004, @02:20PM (#8727209) Journal

    I had to google for this one ...

    Basically, Bluesnarfing is an exploit of a Bluetooth vulnerability to access data stored on the mobile device.

    A more detailed explanation can be found here [geek.com]

  • Spammers (Score:5, Interesting)

    by DeionXxX (261398) on Wednesday March 31 2004, @02:24PM (#8727250)
    Correct me if I'm wrong, but from the PDF text, it says that you can send out SMS messages from people's cell phones. Couldn't this used by spammers to send spam SMS messages through random people's accounts. I can imagine some guy walking around a mall or various Starbucks and spamming away using people's cell phones.

    Just a thought...

    --D3X

    • Re:Spammers (Score:4, Interesting)

      by markov_chain (202465) on Wednesday March 31 2004, @02:28PM (#8727295) Homepage
      Or even worse, install a bunch of disguised spam "access points" at busy places and let passersby do the spamming for you :)

    • Don't a lot of companies charge something like 10 cents per SMS? This sort of thing could get expensive.

      Is it possible to lock down Nokia and that one other company's Bluetooth phones to behave like the Siemens - ask permission?

      Or better yet, ask for permission when a new device is detected, and subsequent connections from that same device are automatic?

      (Disclaimer - I have never used a Bluetooth phone so I may be completely talking out of my ass.)
      • I think the whole issue is that this is a security flaw - I don't think that random bluetooth devices are supposed to be able to connect to the phone in the first place.

        • Re:Spammers (Score:3, Informative)

          by EricWright (16803)
          I have the SE t68i. You are only supposed to be able to connect to it via bluetooth when the phone is in discoverable mode. The window for discoverable mode is 3 minutes on my phone, and when any device tries to pair with it, I put in a password (ie, it's not a stored password) and the other device has to enter the same password.

          I think the point of bluesnarfing is exploiting a bug in the bluetooth stack that bypasses the discoverable mode requirement and the one time password pairing step.
        • "Random bluetooth devices", of course. But if I own a BT phone, I want it to see my laptop, and ask to connect to it.

          The thing is when a phone I own sees someone else's laptop - I want the phone to make sure it has my permission.

    • Re:Spammers (Score:3, Insightful)

      by Lumpy (12016)
      Better yet, have everyone at a starbucks dial a phone number of a place you are trying to annoy or DDOS their phones.

      The evil cracker use of this is insane.. hell having hundreds of cellphones calling a dial in back door of a place you are trying to crack will hide your attacks quite well. and I am sure you can initiate a data call via bluetooth, so let's start cracking attempts or wardialing from unknowing bystanders.

      All I know is that I am making damn sure my next phone does NOT have bluetooth. I can

    • Re:Spammers (Score:2, Informative)

      by 1337Martin (727300)
      Confirm. SMS-spamming from other people's phones is possible!

  • What about Palm devices? (Score:5, Interesting)

    by doublem (118724) on Wednesday March 31 2004, @02:24PM (#8727253) Homepage Journal
    Does any of this relate to Palm devices that are Bluetooth enabled or have the Bluetooth card?

    And what about the USB Bluetooth devices for adding it to a PC? Are they vulnerable as well?

  • Today's security hacking lesson (Score:5, Insightful)

    by AndroidCat (229562) on Wednesday March 31 2004, @02:29PM (#8727310) Homepage
    Methods:
    Publish vulnerablities with code examples proving it. WRONG!
    Loudly hack everyone's security at a big trade show. CORRECT!

    • Re:Today's security hacking lesson (Score:5, Insightful)

      by Strange Ranger (454494) on Wednesday March 31 2004, @02:38PM (#8727380)
      This is not a Troll you jackass mods. I just came from the YRO: Hacker Indicted In France... and was thinking the exact same thing.

      It's +4 Insightful.

      +5 would be:
      Act as a lone citizen and Publish vulnerablities with code examples proving it. WRONG!
      Make sure you're part of company with a team of lawyers and Loudly hack everyone's security at a big trade show. CORRECT!

      • Re:Today's security hacking lesson (Score:2, Interesting)

        by Anonymous Coward
        What might have been move interesting would have been to quietly hack everyone's phone list and calendar info at CeBIT, then built a social network / FOAF web from the data. Let's see who's sleeping with whom, and how many degrees of seperation you are from sleeping with Steve Ballmer. (Not possible? That's not what I heard! Ha ha ha!)

    • Re:Today's security hacking lesson (Score:5, Interesting)

      by Elwood P Dowd (16933) <judgmentalist@gmail.com> on Wednesday March 31 2004, @02:51PM (#8727495) Journal
      Well, these vulnerabilities have been detected long ago. They told vendors. The vendors *did* respond, by saying that they don't care at all about these vulnerabilities.

      Loudly hacking the security at a trade show honestly seems like the only way to deal with this issue.

  • definition of snarf (Score:5, Funny)

    by sysopd (617656) on Wednesday March 31 2004, @02:39PM (#8727390)
    I hope I'm not the only one here who has gone through life with the definition of a snarf (as explained to me by my father) as:
    "one who goes around sniffing girls bicycle seats after they've ridden them on a hot day"
    Similarly, he had variations such as snarfcicle (on a cold day), snarfbucket (saves the sweat from the seats in buckets), etc... not to mention my personal favorite word he defined, a queebie:
    "one who farts in the bathtub and bites the bubbles"
    I was young when he told me these definitions so it was awkward when I used them in colloquial intercourse and had to define them every time.
    • Wow, really funny you mention this. I always had trouble between snarf and snurf. Snurf was my dads term for what to call a queebie, but actually the action of biting the bubbles, ie to snurf. Snarf, as I know it, is also a verb (He snarfed yesterday and will likely today, that pervert).

      If you hadn't put that in, I would have thought you were my brother posting!

    • Re:definition of snarf (Score:5, Funny)

      by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday March 31 2004, @02:48PM (#8727458) Homepage Journal
      A "snarf" is when you blow something out your nose that wasn't intended to go that way. Beverages are the most common thing to snarf, but I once snarfed yogurt. This is highly inadvisable and I did not do it on purpose.

    • Re:definition of snarf (Score:5, Funny)

      by sammaffei (565627) on Wednesday March 31 2004, @02:49PM (#8727476)
      If this isn't a glowing endorsement for a revamped orphange system, I don't know that is.
    • I've always heard snarf used as a verb to describe the phenomenon, "when someone has just put solid or liquid food into their mouth and then laughs, causing said food to spew out of their mouth and/or nose at high velocity."

      This has been the definition of snarf in the circles I've seen, spanning at least 3 states (SC, MI, and OH) and it never had anything to do with bicycles or the bathtub; unless, of course, those happened to be the topics which caused the snarf.

      Interesting alternate definition though...

    • Er, I don't actually belong in this thread. It just seemed to be where the party was...
    • I was young when he told me these definitions so it was awkward when I used them in colloquial intercourse and had to define them every time.

      I bet this is why you are constantly being told you talk too much while having sex.
    • Funny, my grandfather used the word "whifflesnoofer" for bicycle seat sniffers.

      I've never actually seen anyone do it. Is this what deviants did for fun before hidden webcams were readily available?
        • I was focused more on the webcam-voyeurs that are preferential to hidden cams, rather than those that just like to go to your average girl-cam site and check out the action.

          There's something really creepy about a person getting off watching you use the bathroom from cameras hidden in strange places.

  • well, you see... (Score:3, Funny)

    by abscondment (672321) on Wednesday March 31 2004, @02:45PM (#8727440) Homepage
    if people would brush their blueteeth more, they'd get less cavities.

    obviously bluetooth devices aren't packaged with enough care instructions.

  • foo! (Score:4, Interesting)

    by Anonymous Coward on Wednesday March 31 2004, @02:48PM (#8727459)
    one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone - but if the log of missed/incoming/outgoing calls is available on another snarfed device, why not route the call there and just skim the incoming number from that phone? I guess you'd need to know the number of at least one device to start but with a little social engineering that wouldn't be terribly difficult.

    • Re:foo! (Score:4, Interesting)

      by gnu-generation-one (717590) on Wednesday March 31 2004, @04:12PM (#8728583) Homepage
      "one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone"

      So why not do it when they're in a meeting, and just start listening? Voila, one infinity bug in a mobile phone.

      Make their phone dial a call-box if you like.
  • I don't understand why it's ok to post the vulnerabilities of say, bluetooth, but someone can't post "hacks" or they can get in major trouble, i.e. the France story [slashdot.org]. Why are some exploits OK and others not OK? Where is the line? Is it just like censorship, where on a case-by-case basis the rules are changed? That's dumb.
    In other news, check out my artist interview at Fulcrum gallery [fulcrumgallery.com].

  • What shall we do tomorrow, Brain? (Score:2, Funny)

    by Anonymous Coward
    What are we going to to tomorrow, Brain?

    The same thing we do every night, Pinky, Try to take over the WORLD! [maniacal laughter]

    Snarf!

  • snarfing -- who cares (Score:3, Interesting)

    by blueserker (753173) on Wednesday March 31 2004, @03:28PM (#8727970) Homepage
    bluesnarfing is already dying a slow death as mentioned in the report -- newer phones and old phones with firmware updates aren't susceptible -- i have a feeling this report had more to do with drawing people to his site to sell bluetooth books!

    http://www.blueserker.com [blueserker.com]

  • I was there with my Nokia 6600 (Score:3, Interesting)

    by motown (178312) on Wednesday March 31 2004, @03:53PM (#8728290)
    But I had Bluetooth switched off.

    It consumes too much power to keep it on anyway. Although it would be cool if CeBIT provided wireless internet access through Bluetooth througout the terrain. I know they did have an 802.11b network running last year, which was freely accessible to visitors.

    One cool thing this year was the availibility of the CeBIT Mobile Fair Planner for Symbian-based phones. It was available for download on the CeBIT site [cebit.de] (altough access to it required free registration). No more thick guide to plough through in order to find the exhibitors you're looking for. An exhibitor list (including search functionality), interior maps of the buildings hosting the fair, everything in my phone!

    It was the first time I actually felt myself living in the twentyfirst century. :)

    Now I hope that Nokia will soon release a Bluesnarfing-proof firmware update for my phone.
  • Does anyone know if these attacks can be made on bluetooth keyboards?

    I was considering getting a bluetooth keyboard since bluetooth is encyrpted unlike RF keyboards, but I'm a bit paranoid given all this bluesnarfing stuff.
  • As the author of the bluesnarf report and an important member of the team that did the experiment, I can tell you that Slackware Linux 9.0 [slackware.com] distribution was used as a basis. In addition to this, Bluez [bluez.org] and a recent linux kernel [kernel.org] (linux-2.6.2) has been installed on this system. I like Knoppix very much, though. It gives Microsoft users a fair chance to seriously think about getting rid of their expensive bugware. Linux forever ;)

  • In perspective (Score:3, Informative)

    by SiliconEntity (448450) on Wednesday March 31 2004, @10:48PM (#8733027)
    To put it into perspective, out of 1269 Bluetooth enabled phones detected, only 46 were vulnerable to the attack. And the manufacturers are upgrading the firmware so that newer models are immune.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.