Hacking Bluetooth
By Carlos A. Soto
GCN Staff
Fact: Having your name and number in Paris Hilton's cell phone directory is like
openly publishing them on the Web.
Fiction: The miscreants who posted the heiress's contacts online last winter got them
by hacking into her smart phone through a Bluetooth radio.
Is Bluetooth technology, the underutilized short-range wireless communications you might
currently have in your cell phone, PDA or notebook PC, vulnerable to attack? In short,
yes, but then again, everything is vulnerable to attack. Despite erroneous reports
that Paris's smart phone was leaking info like a sieve (turns out it didn't even
have a Bluetooth radio), the good news is that current Bluetooth wireless products
are, for the most part, safe and secure under most conditions. After weeks of
trying to break into Bluetooth devices, the GCN Lab knows. Here's what we found out.
True blue
Bluetooth, like its equally scrutinized wireless cousin WiFi, uses radio frequencies to
move data. But that's where the similarities end. WiFi joins a client to a network: the
client gets an IP address, stays attached to an access point, and is reachable by anything
else on that network for as long as the session lasts. Bluetooth was developed to create a
simpler, smaller link between two peripherals. A Bluetooth connection is set up for one
service (a headset, a file push, a modem session), carries no IP address of its own and
goes away when the task ends. That does not make Bluetooth secure by itself, but it does
shrink the exposure: there is no network-wide reachability to worry about, the nominal
range of the Class 2 radios in most handhelds is about 10 meters, and the radio hops among
79 channels 1,600 times a second, so passively capturing a link takes purpose-built
hardware rather than a notebook with a commodity wireless card.
Bluetooth is closer to a sonar ping between two peripherals: short bursts of data that
hop to and from the devices and stop when the exchange is done. WiFi, on the other hand,
represents a constant stream of data between an access point and a wireless client, and
anyone in range with a card in monitor mode can collect that stream. The practical
consequence is that Bluetooth's weak points lie mostly at the ends of the link, in
pairing and in which services a device offers without authentication, rather than in
the air between them.
Bluetooth exploits are well known [see sidebar], but as with other networking
communications, as long as Bluetooth users keep their devices up-to-date with the latest
technologies, including patches and fixes, and follow up with a good dose of common sense,
they can be kept fairly secure.
Admittedly, it hasn't always been that way. Early versions of Bluetooth, like early
versions of WiFi, had significant vulnerabilities. But that's changing. Prior to our
Bluetooth hacking binge, we sat down with an expert to understand the current state of
Bluetooth and the nature of attacks.
Spencer Parker, European technical director for AirDefense Inc. of Alpharetta, Ga., said
threats to Bluetooth devices have decreased over the last two years thanks to firmware
redesigns and upgrades. That's no small admission from an expert whose company
benefits from more Bluetooth security vulnerabilities, not fewer.
Other reasons for the drop in Bluetooth attacks are that the software needed to mount an
attack is often difficult to obtain, the hardware and programs designed to attack devices
are expensive, and sophisticated Bluetooth hacks normally require advanced knowledge of
Linux and command prompt code, Parker said. And when vast quantities of personal data seem
increasingly vulnerable through other means (ChoicePoint, Bank of America, etc.), why
would a hacker bother breaking into a PDA that might or might not yield useful
information?
Of course, no one should take a laissez-faire stance on Bluetooth. Many experts still warn
the technology is insecure, and the Bluetooth Special Interest Group (www.bluetooth.com),
the standard's leading trade association, continues to refine its security models to
stay ahead of the bad guys. At last summer's most prominent hacker conference, DefCon
in Las Vegas, security experts demonstrated how they could take over Bluetooth-enabled
devices, sending vendors scrambling to update their products.
Last month, two Israeli experts explained how Bluetooth is vulnerable to eavesdropping. No
one has yet exploited the vulnerability, and to do so, they said, would require $2,000
worth of equipment.
Parker said the greatest danger to Bluetooth users today lies in out-of-date software. In
addition, agencies often don't know what Bluetooth-enabled devices they have. The
list could include not only PDAs and cell phones, but also notebooks, desktops and
peripherals that the IT staff either doesn't know have Bluetooth radios or
doesn't know are broadcasting a signal.
AirDefense makes software called BlueWatch ($320 for government buyers) that scans
offices for rogue Bluetooth signals and reports information back to the network
administrator. BlueWatch can also identify what services, such as network access, are
available on Bluetooth devices so agencies can identify devices that pose a security
risk and shut them down.
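A practitioner doing the inventory Parker describes would start from a discoverable-device scan and the service (SDP) listing of each device found. The following is an added example, not AirDefense's BlueWatch and not anything the GCN Lab ran: a small Python script that parses output in the format of the BlueZ command-line tools `hcitool scan` and `sdptool browse`, and flags devices advertising services that hand out data or network access (Dial-up Networking, OBEX File Transfer, Serial Port, Network Access Point), the kind of service BlueWatch is meant to surface. The two devices, their addresses and their service records are constructed sample data embedded in the script so it runs offline; to inventory real devices you would feed it the tools' actual output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output imitating BlueZ `hcitool scan` and
# `sdptool browse <bdaddr>`. Addresses, names and records are made up for
# this example; nothing here was captured from a real device.
HCITOOL_SCAN = (
    "Scanning ...\n"
    "\t00:0A:D9:11:22:33\tLab Nokia 3650\n"
    "\t00:0E:07:44:55:66\tLab P910a\n"
)
SDPTOOL_BROWSE = {
    "00:0A:D9:11:22:33": (
        "Browsing 00:0A:D9:11:22:33 ...\n"
        "Service Name: OBEX Object Push\n"
        "Service Class ID List:\n"
        '  "OBEX Object Push" (0x1105)\n'
        "Protocol Descriptor List:\n"
        '  "RFCOMM" (0x0003)\n'
        "    Channel: 9\n"
        '  "OBEX" (0x0008)\n'
        "\n"
        "Service Name: Headset Audio Gateway\n"
        "Service Class ID List:\n"
        '  "Headset Audio Gateway" (0x1112)\n'
        "Protocol Descriptor List:\n"
        '  "RFCOMM" (0x0003)\n'
        "    Channel: 3\n"
    ),
    "00:0E:07:44:55:66": (
        "Browsing 00:0E:07:44:55:66 ...\n"
        "Service Name: Dial-up Networking\n"
        "Service Class ID List:\n"
        '  "Dialup Networking" (0x1103)\n'
        "Protocol Descriptor List:\n"
        '  "RFCOMM" (0x0003)\n'
        "    Channel: 1\n"
        "\n"
        "Service Name: OBEX File Transfer\n"
        "Service Class ID List:\n"
        '  "OBEX File Transfer" (0x1106)\n'
        "Protocol Descriptor List:\n"
        '  "RFCOMM" (0x0003)\n'
        "    Channel: 6\n"
        '  "OBEX" (0x0008)\n'
    ),
}

# Bluetooth SIG assigned 16-bit service-class UUIDs (real values) for services
# that give data or network access; the HIGH/MEDIUM tiers are this example's own.
RISK = {
    0x1101: ("HIGH", "Serial Port: raw RFCOMM channel, often AT-command access (bluebug vector)"),
    0x1103: ("HIGH", "Dial-up Networking: modem and network access through the phone"),
    0x1106: ("HIGH", "OBEX File Transfer: browse and fetch files (bluesnarf vector)"),
    0x1116: ("HIGH", "Network Access Point: IP network access over Bluetooth"),
    0x1105: ("MEDIUM", "OBEX Object Push: accepts inbound pushes (bluejacking vector)"),
}


@dataclass
class ServiceRecord:
    name: str
    class_uuids: List[int]
    rfcomm_channel: Optional[int]


ADDR_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.+?)\s*$", re.M)


def parse_scan(text: str) -> dict:
    """Map BD_ADDR -> friendly name from `hcitool scan`-style output."""
    return {addr.upper(): name for addr, name in ADDR_RE.findall(text)}


def parse_browse(text: str) -> List[ServiceRecord]:
    """Split `sdptool browse`-style output into one ServiceRecord per record."""
    records = []
    for block in re.split(r"\n(?=Service Name:)", text):
        name = re.search(r"^Service Name:\s*(.+?)\s*$", block, re.M)
        if not name:
            continue  # the "Browsing ..." preamble carries no record
        # Only the indented lines under "Service Class ID List:" identify the
        # service; UUIDs in the protocol list (RFCOMM, OBEX, ...) are skipped.
        cls = re.search(r"Service Class ID List:\n((?:  .*\n?)*)", block)
        uuids = [int(u, 16) for u in re.findall(r"\(0x([0-9A-Fa-f]{4})\)", cls.group(1))] if cls else []
        chan = re.search(r"Channel:\s*(\d+)", block)
        records.append(ServiceRecord(name.group(1), uuids, int(chan.group(1)) if chan else None))
    return records


def assess(scan_text: str, browse_outputs: dict) -> dict:
    """Return {addr: {"name": ..., "findings": [(tier, description), ...]}}."""
    report = {}
    for addr, name in parse_scan(scan_text).items():
        findings = []
        for rec in parse_browse(browse_outputs.get(addr, "")):
            for uuid in rec.class_uuids:
                if uuid in RISK:
                    tier, desc = RISK[uuid]
                    findings.append((tier, f"{desc} [RFCOMM channel {rec.rfcomm_channel}]"))
        report[addr] = {"name": name, "findings": findings}
    return report


if __name__ == "__main__":
    for addr, info in assess(HCITOOL_SCAN, SDPTOOL_BROWSE).items():
        print(f"{addr}  {info['name']}")
        for tier, desc in info["findings"] or [("OK", "no data or network services advertised")]:
            print(f"    [{tier}] {desc}")
```

Run on the constructed data, the script reports the Nokia as MEDIUM (it only advertises OBEX Object Push, the bluejacking channel) and the P910a as HIGH twice, for Dial-up Networking and OBEX File Transfer. A service appearing in the listing does not by itself mean it is reachable without a PIN, but, as the lab's P910a test later in this article shows, that is exactly the next question to ask about each HIGH entry.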
Parker and others offer a list of recommendations for securing Bluetooth connections [see
sidebar], chief among which is to make sure your mobile device is running the
vendor's latest firmware. Even more basic advice: Know if the mobile device you plan
to use has a Bluetooth radio and then immediately learn how to deactivate it. If you must
turn it on, pair up only with other trusted devices.
The National Institute of Standards and Technology also issued Bluetooth guidance
(Special Publication 800-48, "Wireless Network Security: 802.11, Bluetooth and Handheld
Devices"). To read it, go to www.gcn.com and enter 457 in the Quickfind box.
Breaking in
In the early 1990s, network security expert Dan Farmer and a colleague wrote an important
paper that essentially laid out how hackers could break into networks. Shortly after, they
created the Security Administrator's Tool for Analyzing Networks (SATAN). The underlying
premise was that you couldn't protect your networks unless you thought like a hacker.
In that spirit, the GCN Lab set about hacking Bluetooth devices. We pulled together a
variety of systems, including a Hewlett-Packard iPaq, an MPC TransPort X3100 notebook, an
old Nokia 3650 cell phone and a much newer Sony Ericsson P910a smart phone. As Parker and
others suggested, we found that hacking a Bluetooth device grows harder the newer the
product we tried to crack, although launching denial-of-service attacks was fairly easy. A
Bluetooth DoS attack here means simply sending connection or message requests to another
Bluetooth device (provided you can locate it) until the device, or its user, wears down;
it doesn't involve stealing information.
We also found that you don't need to hack a device to gain access to its contents. By
merely requesting a hook-up from our iPaq to the Nokia 3650 (and simulating the 3650 user
accepting the link) we were able to access all the contents of the Nokia device. Newer
handhelds offer security measures to restrict access.
We ended up using the iPaq and the TransPort to launch most of our attacks. Both come with
Bluetooth locators for finding nearby devices. The iPaq uses AirDefenses BlueWatch;
the TransPort comes with BlueSoleil from IVT Corp. We also downloaded a pair of Bluetooth
hacking tools, namely BlueSniffer and RedFang.
We first trained our sights on the Nokia 3650. Legitimately pairing with the phone was
easy, but we wanted to launch a bluesnarf (in which we access contents) or bluebug (in
which we gain control) attack. No luck. None of the software we tried got us access to the
device, which isn't to say there isn't software out there that could.
Even when we established a legitimate connection to the 3650, we couldn't manipulate
its controls.
Bluejacking kills batteries
So we turned to bluejacking (basically sending unwanted data to a target device). It took
us seconds to bluejack the 3650. Once we sent the unwanted message, the hypothetical
recipient could accept or deny it. When we simulated a rational person denying the
bluejack message, we then easily launched a DoS attack by repeatedly sending the same
message. We were able to run down the 3650's battery in just 15 minutes.
Overall, it was much harder to attack the Sony Ericsson P910a. The BlueSoleil program on
the TransPort notebook was unable to determine the maker of the P910a, and the BlueWatch
software on the iPaq successfully ID'd the smart phone but could not turn up the list
of services running on it. Still, we encountered one interesting vulnerability.
It turned out the P910a did not require personal identification number (PIN) pairing to
set up certain services, such as dial-up networking and file transfer. PIN pairing is a
fairly basic security precaution in Bluetooth devices, designed to ensure connections
only between trusted devices: the PIN entered on both sides seeds the link key, and a
service offered without it is relying on nothing but the on-screen prompt to keep
strangers out.
Using the TransPort notebook, we were able simply to request file transfer services from
the P910a. The hypothetical P910a user still had to tap "accept" on the smart
phone screen, but did not have to use a PIN. If the user didn't know what he was
doing or accidentally tapped the accept button, a crude bluesnarf attack could ensue.
We were unable to bluebug the P910a. However, as with the 3650, we could bluejack it and
launch a DoS attack that ran down its battery and emptied its memory in 25 minutes. Keep
in mind, though, that bluejacking requires the attacker to be within radio range:
nominally 10 meters for the Class 2 radios in most handhelds, although a directional
antenna on the attacker's end can stretch that considerably.
If you ever think you're being bluejacked, the best security measure is to walk away.
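The battery-drain attack described above works because every declined push still costs the phone a radio exchange and a user prompt. As an added example, not code from this article or from any handset vendor's Bluetooth stack, here is the shape of a per-peer rate limiter that a phone's OBEX push handler could apply: after a peer has been declined a few times within a short window, further pushes from that address are dropped silently for a cooldown period instead of prompting the user again. The two addresses, the stream of 40 attacker pushes interleaved with two from a co-worker, and the policy thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

ATTACKER = "00:11:22:AA:BB:CC"   # constructed address of the bluejacking device
COWORKER = "00:11:22:DD:EE:FF"   # constructed address of a known, friendly device


class PushRateLimiter:
    """Per-peer sliding-window limiter for inbound OBEX Object Push requests.

    Hypothetical policy (this example's assumption, not any vendor's stack):
    once `max_rejects` pushes from one BD_ADDR have been declined within
    `window` seconds, further pushes from that address are dropped silently
    for `cooldown` seconds instead of waking the user with another prompt.
    """

    def __init__(self, max_rejects=3, window=60.0, cooldown=600.0):
        self.max_rejects = max_rejects
        self.window = window
        self.cooldown = cooldown
        self._rejects = defaultdict(deque)  # addr -> timestamps of declined pushes
        self._blocked_until = {}            # addr -> time at which the mute expires

    def handle(self, ts, addr, user_accepts):
        """Return 'accept', 'reject' or 'drop' for a push from addr at time ts.

        user_accepts stands in for the handset's accept/deny prompt and is
        only called when the limiter lets the prompt through.
        """
        if self._blocked_until.get(addr, 0.0) > ts:
            return "drop"                   # muted peer: refuse without prompting
        if user_accepts(addr):
            return "accept"
        stamps = self._rejects[addr]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:
            stamps.popleft()                # forget declines older than the window
        if len(stamps) >= self.max_rejects:
            self._blocked_until[addr] = ts + self.cooldown
            stamps.clear()
        return "reject"


def constructed_events():
    """40 attacker pushes one second apart, with two co-worker pushes mixed in."""
    events = [(float(t), ATTACKER) for t in range(40)]
    events += [(5.5, COWORKER), (25.5, COWORKER)]
    return sorted(events)


def replay(events, limiter, trusted):
    """Run the stream through the limiter; return (user prompts, decisions per peer)."""
    prompts = 0
    decisions = defaultdict(lambda: defaultdict(int))

    def user(addr):
        nonlocal prompts
        prompts += 1
        return addr in trusted              # the article's rational user: accept only known peers

    for ts, addr in events:
        decisions[addr][limiter.handle(ts, addr, user)] += 1
    return prompts, {a: dict(d) for a, d in decisions.items()}


if __name__ == "__main__":
    for label, lim in (("no limiter", PushRateLimiter(max_rejects=10**9)),
                       ("limiter", PushRateLimiter())):
        prompts, decisions = replay(constructed_events(), lim, {COWORKER})
        print(f"{label}: {prompts} prompts, {decisions}")
```

Replayed against the constructed stream, the limiter cuts the user prompts from 42 to 5 and turns 37 of the attacker's 40 pushes into silent drops while the co-worker's two pushes still get through; `cooldown` decides how long the peer stays muted once the window has closed. A limiter of this kind does not stop the radio traffic itself, so it removes the prompt-driven drain and annoyance rather than the attack; the advice above to turn the radio off or walk away still applies.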
Yes, Bluetooth is imperfect. Yes, it can be attacked. But in our experience, hacking
Bluetooth is more trouble than it's worth. If you keep your devices updated and take
fairly simple precautions, you're unlikely to become a target.