Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Bug Wireless Networking Hardware

Bluesnarfing At CeBIT 2004 104

La^2 writes "The Austrian research company Salzburg Research did a field trial at the CeBIT 2004 that confirms the seriousness of the recently discovered bluetooth security loophole in the firmware of popular mobile phones. In this trial, 1269 unique bluetooth-enabled devices were discovered, and their vulnerability to the so-called SNARF attack checked. The report on this bluesnarfing at large scale has interesting statistics, which may not please some of the vendors." (And the CeBIT version of Knoppix was apparently being used to slurp up and display Bluetooth phone information, too.)
This discussion has been archived. No new comments can be posted.

Bluesnarfing At CeBIT 2004

Comments Filter:
  • by Anonymous Coward on Wednesday March 31, 2004 @01:13PM (#8727127)
    Very detailed .pdf file with charts & stuff. Here's just the conclusions (no troll text, I promise!):

    3 Final Remarks

    3.1 Proclaimer

    The information gathered in this field trial will not be disclosed to anybody. Personal information that has been retrieved from vulnerable phones has been deleted. This study has been made for scientific demonstration purposes, only.

    3.2 What has been done

    The SNARF attack used at the CeBIT was intended to finish as fast as possible. That is why only the first 10 entries of each phone book were read out. About 50 numbers from each snarfed phone have been retrieved.

    3.3 What could have been done

    As mentioned in the introduction there could have been done a variety of different things with an unauthorized bluetooth connection to the phone. The following paragraphs give some ideas on the things this security flaw would also allow the attacker to do.

    3.3.1 Sending a SMS

    The only good way to get to know the number of the snarfed phone is to send an SMS from the attacked phone to another device. Depending on the manufacturer of the phone, SMS messages can either be provided in 7bit encoded ASCII-text and/or have to be provided as a SMS-PDU which is rather tricky to generate. For the creation of SMS-PDUs there is a tool called PDUSpy in the download section of http://www.nobby.com/.

    Nokia phones allow to issue text-mode and PDU-mode messages to the device, while SonyEricsson phones (and also Siemens phones) only accept PDU-encoded SMS messages. The sending of an SMS is not visible to the user. Usually, the issued SMS is not stored in the sent-box of the snarfed phone. In rare cases, the SMS settings of the snarfed phone are set to require a report that is generated at the receiving phone. In this case the sender that was not aware of having sent a message would receive a reception-report from the attacker?s phone (which includes a phone number). By sending PDU encoded messages, it can be controlled by setting a flag whether a reception report is generated or not.

    This method to get the victim?s phone number is causing costs to the holder of the phone. That is why it has not been done in the CeBIT field-trial. But it works for sure (at least on Nokia devices). It would also be possible to get the device?s phone number by initiating a phone call to the number of a phone that is able to display the caller?s number. However, this method would disclose the number of the dialed phone to the owner of the attacked phone, because every call initiation is writing an entry into the dialed contacts list (DC phone book).

    3.3.2 Initiating a Phone Call

    It is possible to initiate phone calls to virtually any other number. It would be very lucrative to initiate calls to a premium service number that is ran by the attacker. As mentioned before, dialed numbers are usually stored in the phone?s calling lists and are also stored at the provider-site for billing purposes. Therefore, this kind of abuse is rather unlikely. It would also be very very easy to find out and sue the person being responsible for this premium service.

    3.3.3 Writing a Phone Book Entry

    As mentioned before, every phone call is writing an entry into the ?dialed contacts? or DC phone book of the respective device. By writing a phone book entry into the DC phone book, the traces on the device that evidence that a call has been made can be replaced by any number. Since the operator also stores dialed numbers for billing purposes, this kind of obfuscation would only delay the process of finding the responsible person.

    Of course it is also possible to do some nasty phone book entries. Just imagine an entry that has ?Darling? as a name and the number of a person you dislike. This owner of the phone could then get into some trouble with his/her spouse ;) In the CeBIT-trial no phone book entries have been done. Such entries would most likely overwrite existing ones.

    3.4 Vendor Reac
  • by mrbob01 ( 712724 ) on Wednesday March 31, 2004 @01:15PM (#8727150)
    Raise your mobile phone to your eyes and scream "Thunder, thunder, thunder cats hooooooooooooooo".
  • by Animats ( 122034 ) on Wednesday March 31, 2004 @01:17PM (#8727172) Homepage
    If someone used this hole to collect information about customers entering a store, there are people who would defend that as legitimate.

    Just post a little disclaimer in tiny print at the entrance.

    • I hear the RFID demons attacking again.

      They're everywhere.....
    • I couldn't disagree more...

      Entering a phone bluetooth enabled phone without permission, regardless of intent, is mostly "wrong".

      Granted, one shouldn't leave a bluetooth wide open ... but If they did, that doesn't mean they are asking to have their privacy invaded for commercial purposes.

      *shrug* hopefully this experiment helps prove enough of a point to manufacturers to shore that up a bit, eh?

      e.
  • by zephc ( 225327 ) on Wednesday March 31, 2004 @01:17PM (#8727176)
    which involves two or more Smurfs, a pound of coke, and a strong rope tied into a noose
  • by scorp1us ( 235526 ) on Wednesday March 31, 2004 @01:19PM (#8727186) Journal
    http://www.wired.com/news/culture/0,1284,62687,00. html

    A rather interesting phenomenon.
    Too bad I can't get into it :-/
  • Bluesnarfing (Score:4, Informative)

    by spellraiser ( 764337 ) on Wednesday March 31, 2004 @01:20PM (#8727209) Journal

    I had to google for this one ...

    Basically, Bluesnarfing is an exploit of a Bluetooth vulnerability to access data stored on the mobile device.

    A more detailed explanation can be found here [geek.com]

    • Similar to driving next to someone transmitting on same freqency on their iPod iTrip FM Transmitter. Which especially sucks driving out of Chicago during rush hour.
  • Spammers (Score:5, Interesting)

    by DeionXxX ( 261398 ) on Wednesday March 31, 2004 @01:24PM (#8727250)
    Correct me if I'm wrong, but from the PDF text, it says that you can send out SMS messages from people's cell phones. Couldn't this used by spammers to send spam SMS messages through random people's accounts. I can imagine some guy walking around a mall or various Starbucks and spamming away using people's cell phones.

    Just a thought...

    --D3X
    • Re:Spammers (Score:4, Interesting)

      by markov_chain ( 202465 ) on Wednesday March 31, 2004 @01:28PM (#8727295)
      Or even worse, install a bunch of disguised spam "access points" at busy places and let passersby do the spamming for you :)

    • Don't a lot of companies charge something like 10 cents per SMS? This sort of thing could get expensive.

      Is it possible to lock down Nokia and that one other company's Bluetooth phones to behave like the Siemens - ask permission?

      Or better yet, ask for permission when a new device is detected, and subsequent connections from that same device are automatic?

      (Disclaimer - I have never used a Bluetooth phone so I may be completely talking out of my ass.)
      • I think the whole issue is that this is a security flaw - I don't think that random bluetooth devices are supposed to be able to connect to the phone in the first place.
        • Re:Spammers (Score:3, Informative)

          by EricWright ( 16803 )
          I have the SE t68i. You are only supposed to be able to connect to it via bluetooth when the phone is in discoverable mode. The window for discoverable mode is 3 minutes on my phone, and when any device tries to pair with it, I put in a password (ie, it's not a stored password) and the other device has to enter the same password.

          I think the point of bluesnarfing is exploiting a bug in the bluetooth stack that bypasses the discoverable mode requirement and the one time password pairing step.
        • "Random bluetooth devices", of course. But if I own a BT phone, I want it to see my laptop, and ask to connect to it.

          The thing is when a phone I own sees someone else's laptop - I want the phone to make sure it has my permission.
    • Re:Spammers (Score:3, Insightful)

      by Lumpy ( 12016 )
      Better yet, have everyone at a starbucks dial a phone number of a place you are trying to annoy or DDOS their phones.

      The evil cracker use of this is insane.. hell having hundreds of cellphones calling a dial in back door of a place you are trying to crack will hide your attacks quite well. and I am sure you can initiate a data call via bluetooth, so let's start cracking attempts or wardialing from unknowing bystanders.

      All I know is that I am making damn sure my next phone does NOT have bluetooth. I can
    • Re:Spammers (Score:2, Informative)

      by 1337Martin ( 727300 )
      Confirm. SMS-spamming from other people's phones is possible!
  • by doublem ( 118724 ) on Wednesday March 31, 2004 @01:24PM (#8727253) Homepage Journal
    Does any of this relate to Palm devices that are Bluetooth enabled or have the Bluetooth card?

    And what about the USB Bluetooth devices for adding it to a PC? Are they vulnerable as well?
  • by AndroidCat ( 229562 ) on Wednesday March 31, 2004 @01:29PM (#8727310) Homepage
    Methods:
    Publish vulnerablities with code examples proving it. WRONG!
    Loudly hack everyone's security at a big trade show. CORRECT!
    • by Strange Ranger ( 454494 ) on Wednesday March 31, 2004 @01:38PM (#8727380)
      This is not a Troll you jackass mods. I just came from the YRO: Hacker Indicted In France... and was thinking the exact same thing.

      It's +4 Insightful.

      +5 would be:
      Act as a lone citizen and Publish vulnerablities with code examples proving it. WRONG!
      Make sure you're part of company with a team of lawyers and Loudly hack everyone's security at a big trade show. CORRECT!
      • by Anonymous Coward
        What might have been move interesting would have been to quietly hack everyone's phone list and calendar info at CeBIT, then built a social network / FOAF web from the data. Let's see who's sleeping with whom, and how many degrees of seperation you are from sleeping with Steve Ballmer. (Not possible? That's not what I heard! Ha ha ha!)
      • Agreed.

        The author of that article is involved in www.moveon.org. In case you didn't already know about it: maybe you're interested in signing up or volunteering?

    • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday March 31, 2004 @01:51PM (#8727495) Journal
      Well, these vulnerabilities have been detected long ago. They told vendors. The vendors *did* respond, by saying that they don't care at all about these vulnerabilities.

      Loudly hacking the security at a trade show honestly seems like the only way to deal with this issue.
  • by sysopd ( 617656 ) on Wednesday March 31, 2004 @01:39PM (#8727390)
    I hope I'm not the only one here who has gone through life with the definition of a snarf (as explained to me by my father) as:
    "one who goes around sniffing girls bicycle seats after they've ridden them on a hot day"
    Similarly, he had variations such as snarfcicle (on a cold day), snarfbucket (saves the sweat from the seats in buckets), etc... not to mention my personal favorite word he defined, a queebie:
    "one who farts in the bathtub and bites the bubbles"
    I was young when he told me these definitions so it was awkward when I used them in colloquial intercourse and had to define them every time.
  • by abscondment ( 672321 ) on Wednesday March 31, 2004 @01:45PM (#8727440) Homepage
    if people would brush their blueteeth more, they'd get less cavities.

    obviously bluetooth devices aren't packaged with enough care instructions.
  • foo! (Score:4, Interesting)

    by Anonymous Coward on Wednesday March 31, 2004 @01:48PM (#8727459)
    one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone - but if the log of missed/incoming/outgoing calls is available on another snarfed device, why not route the call there and just skim the incoming number from that phone? I guess you'd need to know the number of at least one device to start but with a little social engineering that wouldn't be terribly difficult.
    • Re:foo! (Score:4, Interesting)

      by gnu-generation-one ( 717590 ) on Wednesday March 31, 2004 @03:12PM (#8728583) Homepage
      "one of the tricks mentioned to find the phone number of a snarfed device is to initiate a call to your own phone"

      So why not do it when they're in a meeting, and just start listening? Voila, one infinity bug in a mobile phone.

      Make their phone dial a call-box if you like.
  • I don't understand why it's ok to post the vulnerabilities of say, bluetooth, but someone can't post "hacks" or they can get in major trouble, i.e. the France story [slashdot.org]. Why are some exploits OK and others not OK? Where is the line? Is it just like censorship, where on a case-by-case basis the rules are changed? That's dumb.
    In other news, check out my artist interview at Fulcrum gallery [fulcrumgallery.com].
  • by Anonymous Coward
    What are we going to to tomorrow, Brain?

    The same thing we do every night, Pinky, Try to take over the WORLD! [maniacal laughter]

    Snarf!

  • by blueserker ( 753173 ) on Wednesday March 31, 2004 @02:28PM (#8727970) Homepage
    bluesnarfing is already dying a slow death as mentioned in the report -- newer phones and old phones with firmware updates aren't susceptible -- i have a feeling this report had more to do with drawing people to his site to sell bluetooth books!

    http://www.blueserker.com [blueserker.com]
  • by motown ( 178312 ) on Wednesday March 31, 2004 @02:53PM (#8728290)
    But I had Bluetooth switched off.

    It consumes too much power to keep it on anyway. Although it would be cool if CeBIT provided wireless internet access through Bluetooth througout the terrain. I know they did have an 802.11b network running last year, which was freely accessible to visitors.

    One cool thing this year was the availibility of the CeBIT Mobile Fair Planner for Symbian-based phones. It was available for download on the CeBIT site [cebit.de] (altough access to it required free registration). No more thick guide to plough through in order to find the exhibitors you're looking for. An exhibitor list (including search functionality), interior maps of the buildings hosting the fair, everything in my phone!

    It was the first time I actually felt myself living in the twentyfirst century. :)

    Now I hope that Nokia will soon release a Bluesnarfing-proof firmware update for my phone.
  • by Anonymous Coward
    Knoppix 3.4 is out, (but not yet on mirrors).

    Anyone have a torrent
    • As a member of the team that was doing the measurements at the CeBIT and author of the Bluesnarfing paper I know, that Slackware 9.0 [slackware.com] has been used as a basis system. The Bluez [sourceforge.net] bluetooth implementation and a recent linux-kernel [kernel.org] (linux-2.6.2) have been installed on the system separately. I am not saying that KOPPIX is a bad thing (I saw Klaus Knopper here in Salzburg, recently)! Knoppix absolutely rules!
  • Does anyone know if these attacks can be made on bluetooth keyboards?

    I was considering getting a bluetooth keyboard since bluetooth is encyrpted unlike RF keyboards, but I'm a bit paranoid given all this bluesnarfing stuff.
  • As the author of the bluesnarf report and an important member of the team that did the experiment, I can tell you that Slackware Linux 9.0 [slackware.com] distribution was used as a basis. In addition to this, Bluez [bluez.org] and a recent linux kernel [kernel.org] (linux-2.6.2) has been installed on this system. I like Knoppix very much, though. It gives Microsoft users a fair chance to seriously think about getting rid of their expensive bugware. Linux forever ;)
  • Somebody mentioned using this in somewhere where a number of phones are gathered, like a cafe or railway station to send SMS spam.

    Even better idea. If you can get a connection to a couple of phones in the area, make the guy at table A's phone SMS the guy at table B's phone. Wait for the guy at table B to call A depending on the message, the results could be hilarious.
  • The article talked about sending a possibly traceable SMS to a device you own to discover the number of the snarfed phone. An untraceable way to discover the number would be to use a Bluetooth headset to make a call to one of those phone numbers that read back your phone number.

    What fun you could have with a Linux PDA with Bluetooth combined with a Bluetooth headset. A nice and portable way to make unlimited free calls via any vulnerable phone that is close enough to you.

    When will vendors learn that vul

  • In perspective (Score:3, Informative)

    by SiliconEntity ( 448450 ) on Wednesday March 31, 2004 @09:48PM (#8733027)
    To put it into perspective, out of 1269 Bluetooth enabled phones detected, only 46 were vulnerable to the attack. And the manufacturers are upgrading the firmware so that newer models are immune.
    • To put it into the right perspective, 33% of all discovered phones that belong to a certain model were vulnerable to the SNARF attack.
      It is also stated that if these phones would have been longer within bt-coverage, the success-rate would have higher than 33%.
      And you are right: Hopefully, the manufacturers are upgrading to a newer firmware version that is not vulnerable.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...