Demonstration of the Evolving Bluetooth Threat
Recently the issue of Bluetooth security raised its head once again. For such a young protocol, Bluetooth has had one rough ride. This time, however, it was for two very separate reasons. The first was a protocol fuzzer (an automated test harness) for the L2CAP protocol that was released by Pierre Betouin (I later helped out with the project, adding certain functionality). The author of the tool used it to discover multiple unauthenticated denial of service conditions in common top-tier cellular handsets. (It has always amused me that we have to classify remote device crashes as denial of service only, as we simply don't have the visibility into a lot of these proprietary devices to gain a full understanding of the degree of exploitability.)
The second reason was the OSX.Inqtana.A worm. What I found interesting about this was that it was the first worm, to my knowledge, that actually exploited a Bluetooth vulnerability to aid in its propagation. Previously, we had only seen worms utilize Bluetooth as a mechanism by which to spread. However, those typically still required user interaction to allow them to do so. In this instance, the worm actually exploited a vulnerability detailed by Kevin Finisterre in order to gain a foothold on the vulnerable Mac OS X host.
On the subject of Bluetooth vulnerability exploitation, at EUSecWest there was an excellent demo by Tim Hurman during his "ARMed Combat" presentation. He exploits a buffer overflow vulnerability in the WidComm Bluetooth stack on a Microsoft Windows Mobile 2003 SE device in order to execute arbitrary code. I believe this is where a rash of new vulnerabilities will emerge in the future. As desktops become harder to exploit (due to improved network and host security), the increasing number of mobile wireless devices centered on Symbian, Windows Mobile, and Linux is going to create an ever more tantalizing target for malicious software authors and attackers alike.