[Full-Disclosure] Re: Serious flaws in bluetooth security lead to disclosure of personal data

From: Pentest Security Advisories (alerts_at_pentest.co.uk)
Date: 11/13/03

    To: bugtraq@securityfocus.com
    Date: Thu, 13 Nov 2003 22:11:54 +0000
    
    

    Summary.
    ========

    A recent posting from A.L. Digital suggests that security flaws exist in
    Bluetooth, while not describing the vulnerabilities in any technical
    detail. This email concerns itself specifically with the vulnerabilities
    related to retrieval of personal information from devices.

    Some of the attacks described have been known about for some time and
    discussed (or hinted at) in public before, at BlackHat/Defcon (Las Vegas)
    by FX of Phenoelit (More Embedded Systems), at Defcon by Bruce Potter of
    Shmoo and most recently by Alexander Grimm, Marcel Holtmann and Andreas
    Vedral at the Wireless Technologies Congress.

    Detail.
    =======

    It is incorrect to assume that these vulnerabilities exist because of a
    lack of security in Bluetooth itself. These vulnerabilities are purely the
    result of design errors in the host devices, and Bluetooth is simply the
    transport mechanism over which the attacks can be carried out. The
    vulnerabilities occur in some of the OBEX profiles used by manufacturers
    to transfer arbitrary information via Bluetooth.

    In particular, the OBEX Push profile is often unprotected, whereas the OBEX
    FTP profile is not. The name of the profile is also misleading: it suggests
    that OBEX Push would only allow files to be uploaded, but the profile also
    allows information retrieval.

    The OBEX vulnerabilities can be divided into two categories, PUT and GET.
    As the names imply, they refer to information being sent to or returned by
    the host device. Both PUT and GET actions can be restricted by the need to
    pair; however, some manufacturers have chosen to remove this restriction to
    add extra features, such as vCard exchanging.

    It should be noted here that OBEX is independent of the underlying
    transport, and it is possible to exploit the vulnerabilities via IrDA and
    even via a serial connection. It should also be noted that OBEX does have
    the ability to manage authentication. However, this is not used by any of
    the devices we have tested over the past three months.

    The rest of the information contained here will be based on un-paired and
    un-trusted devices attacking a target device.

    Much more information can be obtained from many devices by physical
    contact or social engineering; however, this is not a deficiency in
    Bluetooth or the host device. Due to the prompt given by some devices, it
    is possible to trick the user into pairing, but this too is a form of
    social engineering.

    These vulnerabilities exist whether the Bluetooth device is in
    discoverable mode or not.

    Vulnerabilities.
    =================

    OBEX PUT vulnerabilities.
    -------------------------

    This series of attacks relates to the movement of information towards the
    target device. These attacks are based upon information extracted from the
    IrMC specification, which describes several interesting files.

    The IrMC specification can be found at:
    http://www.irda.org/standards/pubs/IrMC_v1p1Specs_Errata001024.zip

    These files are often accessible via unprotected Bluetooth profiles. While
    they can be viewed on protected profiles, some manufacturers choose to
    also enable this via un-protected profiles such as "OBEX Push". OBEX also
    has a DELETE action, which is a PUT with an empty body; by pushing to each
    of the phone book entries it would be possible to overwrite or delete all
    of them. A solution for manufacturers would be to separate the PUT
    functions into specific profiles and not allow the same actions via all
    profiles.

    OBEX GET vulnerabilities.
    -------------------------

    While similar to the PUT vulnerabilities, these present a much more
    serious threat, including invasion of privacy. All vulnerable files are
    mentioned in the IrMC specification.

    Once again these files are usually only accessible via protected Bluetooth
    profiles, however, it appears that some manufacturers have used the same
    code to implement the un-protected services and thus the files are
    visible.
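    As an added illustration (not from the advisory, and not Pentest's code), the following Python decoder classifies a captured OBEX request packet as an upload (PUT), a deletion (a PUT carrying no body) or a retrieval (GET), the distinction the PUT and GET sections above rely on; it is the kind of check a tester would run over OBEX traffic captured from a device under review. The sample packets and the object name "a.vcf" are constructed for the example and do not represent any real IrMC path.

```python
import struct

# OBEX request opcodes (bit 7 = "final" packet) and header ids, per the IrOBEX spec.
OPCODES = {0x80: "CONNECT", 0x81: "DISCONNECT", 0x02: "PUT", 0x82: "PUT",
           0x03: "GET", 0x83: "GET"}
HDR_NAME, HDR_BODY, HDR_END_OF_BODY = 0x01, 0x48, 0x49

def parse_headers(data):
    """Decode an OBEX header sequence; the top two bits of each id give its encoding."""
    headers, i = {}, 0
    while i < len(data):
        hid, kind = data[i], data[i] & 0xC0
        if kind == 0x00:    # null-terminated UTF-16BE text, 2-byte length covers the header
            ln = struct.unpack(">H", data[i + 1:i + 3])[0]
            headers[hid] = data[i + 3:i + ln].decode("utf-16-be").rstrip("\x00")
        elif kind == 0x40:  # byte sequence, 2-byte length covers the header
            ln = struct.unpack(">H", data[i + 1:i + 3])[0]
            headers[hid] = data[i + 3:i + ln]
        elif kind == 0x80:  # one-byte value
            ln, headers[hid] = 2, data[i + 1]
        else:               # four-byte value
            ln, headers[hid] = 5, struct.unpack(">I", data[i + 1:i + 5])[0]
        i += ln
    return headers

def classify_request(pkt):
    """Return (operation, object name) for one OBEX request packet."""
    opcode, length = pkt[0], struct.unpack(">H", pkt[1:3])[0]
    if length != len(pkt):
        raise ValueError("OBEX packet length field does not match packet size")
    start = 7 if opcode == 0x80 else 3  # CONNECT carries version, flags, max packet length
    headers = parse_headers(pkt[start:length])
    op = OPCODES.get(opcode, "UNKNOWN(0x%02x)" % opcode)
    # A PUT with no Body/End-of-Body header is a DELETE under the OBEX spec:
    # this is the "PUT with an empty body" the advisory describes.
    if op == "PUT" and HDR_BODY not in headers and HDR_END_OF_BODY not in headers:
        op = "DELETE"
    return op, headers.get(HDR_NAME)

# Constructed sample packets (the object name "a.vcf" is made up for this example).
# Name header: id 0x01, total length 0x000F, "a.vcf" as UTF-16BE plus a two-byte null.
NAME_A = bytes.fromhex("01000F" "0061002E007600630066" "0000")
SAMPLE_DELETE = bytes.fromhex("820012") + NAME_A                              # final PUT, no body
SAMPLE_GET = bytes.fromhex("830012") + NAME_A                                 # final GET
SAMPLE_PUT = bytes.fromhex("820016") + NAME_A + bytes.fromhex("49000478")     # End-of-Body "x"

if __name__ == "__main__":
    for pkt in (SAMPLE_PUT, SAMPLE_DELETE, SAMPLE_GET):
        print(classify_request(pkt))
```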

    Fixes.
    ======

    1) Only enable Bluetooth when absolutely necessary.

    2) Place the device in non-discoverable mode. While this does not correct
        the fault, it makes the target device harder to find. There can be
        problems with this: some Nokia devices will fail to connect properly
        when hidden.

    3) Refuse any pair attempt or content transfer unless it is from a known
        and trusted device/source.

    The ultimate fix is for manufacturers to provide a greater separation of
    services, an attitude that seems to have been taken with the Ericsson T610.

    Current state of alerts.
    ========================

    The information relating to these vulnerabilities has been in the public
    domain for some time. However, until the recent bugtraq and full
    disclosure posts, the consequences of these issues were not widely
    advertised. A number of affected vendors have already been contacted, with
    varying degrees of response.

    Researchers.
    ============

    Mark Rowe, Pentest Limited.
    Tim Hurman, Pentest Limited.
    Contact: bluetooth at pentest.co.uk

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

