Bluetooth Denial of Service vulnerability
INTRODUCTION
I'm too lazy to explain what bluetooth is... have a look at:
Summary: Bluetooth is a short-range but low-power wireless communication protocol.
You can find Bluetooth on many devices: mobile phones, laptops, PDAs, printers,...
It is also used in cars, headsets, etc. Due to its low cost, in a few years we will
see BT enabled on almost any electronic device, whether or not it is actually used.
A flaw -or at least, what seems to be a flaw- in the BT protocol may lead to a Denial of Service
on many, many devices... The problem is that this seems to be a design error of BT, and every
hardware/software vendor has its own Bluetooth stack implementation, so I can't predict the
behaviour of every device in the world. I have tested the D.o.S. on a few, just for fun, but you
should test your device yourself.
STATUS
First contact with Nokia was on September 09, 2004. First contact with the Bluetooth SIG was on
October 21, 2004.
Nokia's response and feedback were excellent!
Bluetooth SIG representatives had a spoken conversation with me, in which they acknowledged the flaw.
We talked about the chance of testing some devices, mainly phones.
They seemed interested in knowing what my intentions were... whether I was going to
make it public or not. I was not in a hurry, and I'm not in a hurry at the moment, but I think that
six months from our first contact in October 2004 is time enough to have some feedback from them.
14 June 2005 - IT SEEMS OTHER PEOPLE NOTICED A SIMILAR ISSUE A LONG TIME AGO. This is the case of:
TRANSIENT (http://www.transient-iss.com).
On this site you will find some Bluetooth-related security tools like T-BEAR, a "Bluetooth Environment
Auditor" in the author's own words. I have tried it and it works fine as a monitoring tool for Bluetooth.
The suite includes a tool called "tanya", which is supposed to break the BT functionality in BT-enabled
devices in a similar way to an l2ping flood, although at the moment of writing this advisory I was
unable to make this tool work against my Nokia 7650. It seems the tool needs some tweaks for every device.
There are also other very nice tools... I suggest you check his site.
Other people claim that during the 21st Chaos Computer Congress there was an l2ping flood demo
(by www.trifinite.org). If you have any video, paper or anything else covering exactly this D.o.S.
(ping flood), I will be pleased to credit them here. Anyway, if you are interested in Bluetooth
insecurity ;-) you should check the amazing work of those people: http://trifinite.org/trifinite_stuff.html
Other vendors have not been contacted... I think this must be done by the Bluetooth SIG people.
DESCRIPTION
The vulnerability is a simple Denial of Service that can be reproduced with the Linux tool "l2ping".
Due to the nature of "ping" in the Bluetooth protocol, where a connection must be established,
and the limited number of connections that (standard) Bluetooth stacks can manage, a simple ping
flood with l2ping can inhibit Bluetooth on many devices: the device cannot perform device discovery,
and other devices cannot connect to it. In most cases the Denial of Service can't be avoided
by rebooting the device, as some people may think. If you test it with l2ping, you will find that
l2ping was not written to be a D.o.S. tool and does not expect to lose the connection... L2ping can be
modified to make the D.o.S. more effective.
On the other hand, devices behave differently with respect to the discovery process. Some devices can be
reached when they are in "non discoverable mode" or "hidden mode". That is, some devices accept connections
even if they are in hidden mode (this is the case for the Nokia 7650 and 6600,... so Symbian 6 and Symbian 7),
so they can be ping-flooded at any time. We only need to know the device address... If we know the vendor of
the device, it is easy to write a simple tool to scan the range of possible devices. Today's BT dongles
have reached 100m of signal range, so imagine what can be done with a simple laptop and 2 or 3 dongles in
an airport, big building, etc... printers, headsets and, generally speaking, the upcoming piconets that stop
working... even before they can be deployed :-)
It does not seem a nice scenario...
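Seen from the receiving side, the flood described above appears as one peer address sending L2CAP
echo requests far faster than any normal link check. The Python below is an added example, not part
of the original advisory: it flags such peers in a log whose line format, event labels, addresses
and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption, NOT real btmon/hcidump output):
#   <seconds> <peer BD_ADDR> <event label>
LINE_RE = re.compile(
    r"^(\d+(?:\.\d+)?)\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\w+)$"
)

def parse_events(lines):
    """Yield (timestamp, peer, event) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group(1)), m.group(2).upper(), m.group(3)

def detect_echo_floods(lines, window_s=1.0, threshold=20):
    """Return {peer: peak} for every peer that sent at least `threshold`
    L2CAP echo requests inside some `window_s`-second sliding window.
    Lines are expected in timestamp order."""
    recent = defaultdict(deque)  # peer -> timestamps still inside the window
    peaks = {}
    for ts, peer, event in parse_events(lines):
        if event != "L2CAP_ECHO_REQ":
            continue
        q = recent[peer]
        q.append(ts)
        while ts - q[0] > window_s:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[peer] = max(peaks.get(peer, 0), len(q))
    return peaks

def build_sample_log():
    """Constructed sample: a flooding peer, a normal peer, a malformed line."""
    flood = [f"{10 + i * 0.01:.2f} 00:11:22:33:44:55 L2CAP_ECHO_REQ"
             for i in range(50)]
    normal = [f"{10 + i:.2f} aa:bb:cc:dd:ee:ff L2CAP_ECHO_REQ" for i in range(5)]
    connect = ["10.20 aa:bb:cc:dd:ee:ff L2CAP_CONN_REQ"]
    ordered = sorted(flood + normal + connect, key=lambda l: float(l.split()[0]))
    return ordered + ["not a log line"]

if __name__ == "__main__":
    for peer, peak in detect_echo_floods(build_sample_log()).items():
        print(f"possible l2ping flood from {peer}: {peak} echo requests in 1 s")
```

The same per-peer counter can drive a stack-side rate limit, so that one flooding address cannot
occupy every connection slot.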
Below are some of the e-mails I exchanged with Nokia and the Bluetooth SIG. Some data has been
hidden to protect the identity of the people talking to me, mainly from spammers.
TIMELINE
------------------------------------------------------------------------------
Subject: Vulnerabilities on Nokia 7650
From: Hugo Vázquez Caramés <hugo@infohacking.com> (Infohacking)
To: security-alert@nokia.com
Date: 06-09-04 15:28
Hi,
my name is Hugo Vazquez Carames, and I'm writing from Spain, Barcelona.
I've found two security flaws on the nokia 7650.
At: http://www.nokia.com/nokia/0,,56221,00.html
You say:
"Denial-of-Service Attempts
Nokia is aware of Denial-of-Service (DoS) laboratory tests against Bluetooth
enabled devices and is carefully analyzing these incidents.
There is no security threat as a result of DoS attacks. To date, DoS attacks
have only been conducted in laboratory tests. They also require a laptop,
Bluetooth connectivity and specific software. Even if a DoS attack is
successful, there is no harm to the device. The affected device simply
reboots itself, and is fully functional again. The DoS attempt does not
damage the phone or view or extract any data from the device. In general, the
risk of a DoS attempt is minimal. "
The next D.o.S. can be reproduced "at home", with a simple laptop. A bluetooth
enabled PDA can reach same results.
1) D.o.S. to the bluetooth device
The 7650 bluetooth communications can be totally inhibited simply by sending
a ping-flood to the device from a linux laptop with bluetooth connectivity.
To reproduce:
# l2ping -f <bluetooth_address>
While flooding, the 7650 will be unable to work with bluetooth. The victim's
device will prompt a message, which says (in Spanish):
"Imposible conectar. Nº máximo de conexiones Bluetooth en uso"
Which means something like: "Can't connect. Maximum number of Bluetooth
connections being used"
This vulnerability is trivial for devices not in "hidden" mode, so with a
100m range bluetooth dongle, an attacker can D.o.S. a lot of devices...
You say also:
"Tips to Enhance Bluetooth Security
To date, Nokia is not aware of any Bluetooth security attacks except for
those made in the laboratory or for demonstration purposes. We believe the
real security threat is minimal. However, consumers may take the following
measures to address the Bluetooth security issues reported during past
months.
* Set the device to "hidden" mode as instructed in the User's Guide.
[Menu>Connectivity (8910i only)>Bluetooth>Bluetooth Setting>Hidden]. Personal
devices like headsets can still connect to the phone, but intrusion is much
more difficult since the hacker will have to know the Bluetooth address
before establishing a connection."
2) "Hidden" devices are not really "hidden"
Knowing the bluetooth address is not a pain...
1st method: if the device is not in "hidden" mode, the attacker can save
the bluetooth device address in order to have the victim device always
reachable in the future, even if the device is in hidden mode.
2nd method (the really dangerous). The 7650 in "hidden" mode responds to pings,
that is, it allows connections. It does not seem difficult to make a
bluetooth address scanner that looks for specific ranges:
- Nokia
00:60:57 ...
00:02:EE ...
00:02:57 ...
So the space address range to scan is only 256*256*256. A multithreaded
scanner can do it in a few hours.
(...)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: Vulnerabilities on Nokia 7650
From: XXXXXXXXXXX@nokia.com
To: hugo@infohacking.com
Date: 08-09-04 07:47
Dear Hugo,
We have received your e-mail and will start to analyse the situation.
We will get back to you after reproducing the problem. My PGP key is
below. Please use it when sending e-mail directly to me.
Best Regards,
XXXXXXXXXX
----------------------------------------------------------
XXXXXXXXXX
Senior Technology Manager, Security
Technology and Quality, Multimedia BG
----------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From: <XXXXXXXXXXXX@nokia.com>
To: <hugo@infohacking.com>
Date: 13-09-04 08:29
Encrypted message
Message was signed by XXXXXXXXXXXX <XXXXXXXXXXXXX@nokia.com>
(Key ID: 0xXXXXXXXXX).
The signature is valid, but the key's validity is unknown.
Hello Hugo,
We have now made some tests with 7650 and also with other Series 60
devices. The only side effect we have noticed is that the 7650 cannot
make device discovery while being flooded. After the flooding, the
device works fine - e.g. no rebooting is required. Is this in line
with your findings?
Best Regards,
XXXXXXXXX
----------------------------------------------------------
XXXXXXXXXXXXXXXXX
Senior Technology Manager, Security
Technology and Quality, Multimedia BG
tel. +XXXXXXXXXXXX
----------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From: <XXXXXXXXXXX@nokia.com>
To: <hugo@infohacking.com>
Date: 13-09-04 11:40
Encrypted message
Message was signed by XXXXXXXXXXXX <XXXXXXXXXXXX@nokia.com> (Key
ID: 0xXXXXXXXXXX).
The signature is valid, but the key's validity is unknown.
Hi Hugo,
About hidden / non-discoverable mode: Bluetooth specification states
that non-discoverable device can be connectable. To my understanding
most of the devices behave this way.
Personally I would not consider this as a vulnerability because the
device does not crash - like with some other DoS vulnerabilities
reported by other companies - and the Bluetooth is working as
specified.
Please let me know if you disagree or if you have any further
comments etc.
Best Regards,
XXXXXXXXXX
> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:XXXXXXXXXXXXXXXXXX]
> Sent: 13 September, 2004 11:19
> To: XXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
>
>
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames <XXXXXXXXXXXXXXXXXXX>
> *** Signed: 13.09.2004 11:19:28 AM
> *** Verified: 13.09.2004 11:55:21 AM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> Hi XXXXXXXXX,
>
> your tests are OK, and what you noticed is exactly what I
> noticed...
>
> What about the fact that a "hidden" device can be found
> (with an address scanner) and directly reached via bluetooth address? Is there
> any way to really "hide" the device without having to turn off the
> bluetooth port?
>
> Regards,
>
> Hugo
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From: <XXXXXXXXXXXXXXXXX@nokia.com>
To: <hugo@infohacking.com>
Date: 11-10-04 08:31
Encrypted message
Message was signed by XXXXXXXXXXe <XXXXXXXXXXXXX@nokia.com> (Key
ID: 0xXXXXXXXXXXX).
The signature is valid, but the key's validity is unknown.
Hello Hugo,
Sorry for my late response. I've been out of the office for some time.
This DoS seems to be a specification issue which should be handled by
Bluetooth SIG. I have forwarded the details to our SIG representatives.
Thank you,
XXXXXXXXXXXXXXX
> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:hugo@infohacking.com]
> Sent: 05 October, 2004 08:30
> To: XXXXXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
>
>
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames <XXXXXXXXXXXXXXXXXXXXx>
> *** Signed: 05.10.2004 8:29:56 AM
> *** Verified: 06.10.2004 8:53:08 AM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> Hi XXXXXXX,
>
> Subsequent tests with a Symbian 7 (on Nokia 6600) reveal that
> it's vulnerable to the same D.o.S. as Symbian 6...
>
> I'm about to notify this to Securityfocus... Is there
> anything I should know before I make this information public?
>
> Kind regards,
>
> Hugo
>
>
> *** END PGP DECRYPTED/VERIFIED MESSAGE ***
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From: <XXXXXXXXXXXXXX@nokia.com>
To: <hugo@infohacking.com>
Date: 11-10-04 14:54
Encrypted message
Message was signed by XXXXXXXXXXx <XXXXXXXXXXXXXx@nokia.com>
(Key ID: 0xXXXXXXXXXXX).
The signature is valid, but the key's validity is unknown.
Hi Hugo,
> I'll mention this on my advisory and
Ok, but if you want to quote me or get an official company statement,
it would require more time due to legal and communications review.
Thank you,
XXXXXXXXXXXX
> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:hugo@infohacking.com]
> Sent: 11 October, 2004 14:54
> To: XXXXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
>
>
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames <XXXXXXXXXXXXXXXx>
> *** Signed: 11.10.2004 2:54:17 PM
> *** Verified: 11.10.2004 3:32:48 PM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> Hi XXXXXXXXXXXXx,
>
> thanks for your response.
>
> > This DoS seems to be a specification issue which should be handled by
> > Bluetooth SIG. I have forwarded the details to our SIG
> > representatives.
>
> I'll mention this on my advisory and I will also mention the
> nice way you have attended my doubts. Thanks again for your support, and
> good job!
>
> sincerely,
>
> Hugo
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From: <XXXXXXXXXXXX@nokia.com>
To: <hugo@infohacking.com>
Date: 13-10-04 10:59
Encrypted message
Message was signed by XXXXXXXXXXXXXX <XXXXXXXXXXXXXXX@nokia.com>
(Key ID: 0xXXXXXXXXXXXx).
The signature is valid, but the key's validity is unknown.
Hello Hugo,
Many thanks for your patience. I have initiated the process. You will
receive an official statement from Nokia or Bluetooth SIG. I expect
this to happen within a week or so. I'll keep you posted.
Best Regards,
XXXXXXXXXXXXx
> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:hugo@infohacking.com]
> Sent: 11 October, 2004 16:48
> To: XXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
>
>
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames <XXXXXXXXXXXXXXXx>
> *** Signed: 11.10.2004 4:48:02 PM
> *** Verified: 12.10.2004 8:19:53 AM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> > Ok, but if you want to quote me or get an official company statement,
> > it would require more time due to legal and communications
> > review.
> Ok. It would be interesting to have such official company
> statement. I'm not in a hurry, but I would not like to be waiting for three
> months from now...
> How much time do you estimate to have those legal and
> communications review?
>
> Thanks,
>
> Hugo
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From: <XXXXXXXXXXXXXXXX@nokia.com>
To: <hugo@infohacking.com>
Date: 21-10-04 11:31
Encrypted message
Message was signed by XXXXXXXXXXXXXXx <XXXXXXXXXXXXXXXX@nokia.com>
(Key ID: 0xXXXXXXXXXX).
The signature is valid, but the key's validity is unknown.
Hello Hugo,
Bluetooth SIG comms people will try to contact you. You should
receive the statement from SIG directly. If you have a phone number I
could pass to SIG comms, please let me know.
Thank you,
XXXXXXXXXXXXx
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
THEN BLUETOOTH SIG PEOPLE CONTACTED ME...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Subject: DoS
From: "XXXXXXXXXXXXX" <XXXXXXXXXXXXXXXX@porternovelli.be>
To: <hugo@infohacking.com>
Date: 21-10-04 18:20
Hi Hugo,
Regarding the ping flood denial of service.
I would like to set up a call with you and XXXXXXXXXXXXXXXXX, marketing manager
for the Bluetooth SIG, who would like your views on this.
Could we give you a call?
Eventually: we are both in Madrid on Sunday evening and Monday, maybe we can
even meet?
Kind regards!
XXXXXXX
XXXXXXXXXXXXXXXXX
| Account Director | Porter Novelli | o: +32 (0)2 XXX XX XX | m: +32 (0)XXX XX XX XX |
XXXXXXXXXXXXXXXX@porternovelli.be | www.porternovelli.be |
Bd. Louis Mettewielaan 272, bus 5 B-1080 Brussels |
Insights. Ideas. Impact.
Porter Novelli International today is one of the top five global brands in
public relations, and forms part of the Omnicom group of companies.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Fwd: DoS on bluetooth devices
From: Hugo Vázquez Caramés <hugo@infohacking.com> (Infohacking)
To: XXXXXXXXXXXXXXXXX@porternovelli.be
Date: 28-02-05 09:49
Message was signed by XXXXXXXXXXXXXXX <XXXXXXXXXXXXXX> (Key ID:
0xXXXXXXXXXx).
The signature is valid and the key is ultimately trusted.
Hi XXXXXXXXXXx,
First of all, thanks for the invitation to "LinkedIn".
By the way, I sent this mail to you 2 months ago with no response...
What about it?
Regards,
Hugo
---------- Forwarded Message ----------
Subject: DoS on bluetooth devices
Date: Wednesday 22 December 2004 17:24
From: Hugo Vázquez Caramés <hugo@infohacking.com>
To: XXXXXXXXXXXXXXXX@porternovelli.be
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi XXXXXXXXXXX,
I'm Hugo Vazquez, from Infohacking (Barcelona).
We had a spoken conversation some weeks ago (while you were in Madrid) about
a denial of service that I have discovered which seems to affect bluetooth
enabled devices. I have tested the DoS on some other devices and all of them
seem to be affected. At the time of this writing, tested devices are:
- Nokia 7650 (Symbian 6.0)
- Nokia 6600 (Symbian 7.0)
- Siemens V55
- Motorola S55
- Conceptronic (CBTU) Bluetooth dongle on Windows 2003 (vulnerable is
  windows BT stack implementation...)
- Others...
1) ALL the devices tested are affected by DoS. (connection flood)
2) "Hide-mode protection" behaviour is different in any device/customer. Some
devices can not be connected while in "hide-mode" while on others you can do
it.
- Most affected customer seems to be NOKIA which is vulnerable to both
  flaws (1 & 2)
Nokia (XXXXXXXXXXXX@nokia.com) seems to agree with me in the fact that DoS
exists (they have reproduced it), but they claim that they are following
Bluetooth specifications, so maybe this is a Bluetooth design error... Since
this affects a wide spread of devices around the world, I would like to know
what is your official statement about those issues, before I write the
advisory, and make it public.
Kind regards,
Hugo Vázquez Caramés
Infohacking
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SINCE THEN... NO MORE NEWS FROM BLUETOOTH SIG...