[TOOL] Blooover - J2ME Phone Auditing Tool
From: SecuriTeam (support_at_securiteam.com)
Date: 03/07/05
To: list@securiteam.com
Date: 7 Mar 2005 19:11:23 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Blooover - J2ME Phone Auditing Tool
------------------------------------------------------------------------
SUMMARY
DETAILS
<http://www.thebunker.net/release-bluestumbler.htm> Adam Laurie's
BlueSnarf experiment and the subsequent
<http://trifinite.org/trifinite_stuff_bluebug.html> BlueBug experiment
proved that some Bluetooth-enabled phones have security issues. Until now,
attackers needed laptops to snarf other people's information. Unless
attackers perform a <http://trifinite.org/trifinite_stuff_lds.html>
long-distance snarf, people would notice somebody with a laptop trying to
do strange things. Blooover is a proof-of-concept tool intended to run on
J2ME-enabled cell phones, which are comparatively inconspicuous. It is
intended to serve as an audit tool that people can use to check whether
their phones and the phones of friends and employees are vulnerable.
Since the application runs on handheld devices and sucks information, it
has been called Blooover (derived from Bluetooth Hoover).
There were some objections to releasing a tool that actually performs a
BlueBug attack before potential victims were in a position to do
something against it. Now that Nokia has announced
<http://trifinite.org/blog/archives/2004/09/story_on_long_d.html> a
firmware upgrade for their vulnerable models, these objections are no
longer present.
Download Information:
The Blooover tool is available for download as a .jar file. It is
supposed to run on every phone that is equipped with a J2ME MIDP 2.0 VM
and an implemented JSR-82 API (important for Bluetooth access). Nokia
6600, Nokia 7610, Sony Ericsson P900, Siemens S65 (and probably all
subsequent phones of the mentioned manufacturers) fulfill these
requirements.
<http://trifinite.org/Downloads/Blooover.jar> Blooover - J2ME phone
auditing tool (runs on phones with MIDP 2.0 and JSR-82 (Bluetooth API))
Installation:
To install the application, you should be using a phone that has the Java
Bluetooth API implemented. Phones with this feature are listed here:
<http://www.j2mepolish.org/devices/devices-btapi.html>
Once you have downloaded the file, make sure that it is called
Blooover.jar (not Blooover.zip). After this you can transfer the
application to your phone via (1) the phone software on your PC, (2) Obex
Push over Bluetooth, or (3) OTA (over-the-air application provisioning),
which will use your phone's data services.
ADDITIONAL INFORMATION
To stay up to date with the tool, visit the project's homepage at:
<http://trifinite.org/trifinite_stuff_blooover.html>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.