Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Bluetooth: BlueSnarf and BlueBug Full Disclusore

from [Adam Laurie] Network Security [Permanent Link]
Subject: Bluetooth: BlueSnarf and BlueBug Full Disclusore
Date: Fri, 31 Dec 2004 09:53:09 +0000 
BlueSnarf, BlueBug & HeloMoto Full Disclosure, December 2004
------------------------------------------------------------

In November 2003, various vulnerabilities on Bluetooth enabled mobile phones emerged, as published here:

  http://www.thebunker.net/security/bluetooth.htm

Details of the attacks were disclosed at the Chaos Computer Club's annual congress in Berlin - 21C3:

  http://www.ccc.de/congress/2004/fahrplan/event/66.en.html

Slides from the talk can be found here:

  http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf

Video of the talk will be on the CCC site in due course.

It was felt, as the industry had been given a full 13 months to react to the original threat discovery, and responsible manufacturers had engineered and released firmware upgrades, that the time had come for full disclosure. This became increasingly urgent as it was clear that the techniques used were becoming realtively widely known within the security community, and it could therefore be assumed that the same was true for criminal and/or malicious users.

Vendor Responses
----------------

Nokia's response page is here:

  http://www.nokia.com/nokia/0,,56221,0.html

It emerged at the conference that Nokia have created a special warranty code for the Bluetooth security issues, and any affected phone, regardless of age or origin, can be upgraded under that code free of charge. This was stated by a member of the audience during the presentation, and has not yet been verified.

Known affected devices: 6310, 6310i, 8910, 8910i

Sony Ericsson have not responded directly to the author, but have stated publicly that the problem has been fixed in all affected phones. This has not been verified, and availability of firmware upgrades is unknown.

Known affected devices: T68, T68i, R520m, T610, Z1010, Z600

Motorola stated that they are committed to fixing the problem, but further details are unknown.

Known affected devices: V80, V5xx, V6xx and E398.

I hope this is useful, and I wish you all a safe, happy and secure New Year!

cheers,
Adam
--
Adam Laurie                         Tel: +44 (20) 7605 7000
The Bunker Secure Hosting Ltd.      Fax: +44 (20) 7605 7099
Shepherds Building                  http://www.thebunker.net
Rockley Road
London W14 0DA                      mailto:adam@thebunker.net
UNITED KINGDOM                      PGP key on keyservers

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Bluetooth: BlueSnarf and BlueBug Full Disclusore, Adam Laurie <=
Previous by Date:  ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks, steven
Next by Date:  Re: [EXPL] (MS04-031) NetDDE buffer overflow vulnerability PoC, Alberto Garcia Hierro
Previous by Thread:  ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks, steven
Next by Thread:  Cross Site Scripting DOS (Zyxel B-420 Ethernet Bridge), beniwiedmer
Indexes:  [Date] [Thread] [Top] [All Lists]