Bluetooth Denial of Service vulnerability in:

- Nokia 7650 (Symbian 6.0)
- Nokia 6600 (Symbian 7.0)
- Siemens V55
- Motorola S55
- Conceptronic (CBTU) Bluetooth dongle on Windows 2003 (the vulnerable component is the Windows BT stack implementation...)

INTRODUCTION

I'm too lazy to explain what Bluetooth is... have a look at:

Summary: Bluetooth is a "low" range but low power consuming wireless communication protocol. You can find Bluetooth on many devices: mobile phones, laptops, PDAs, printers,... You can also find that Bluetooth is used in cars, headset devices, etc. Due to its low cost, in a few years we will see BT enabled on almost any electronic device, no matter if they will use it or not.

A flaw -or at least, what seems to be a flaw- in the BT protocol may lead to a Denial of Service on many, many devices... The problem is that this seems to be a design error of BT, and every hardware/software vendor has its own Bluetooth stack implementation, so I can't guess the behaviour of every device in the world. I have tested the D.o.S. on a few devices, just for fun, but you should test your device yourself.

STATUS

Nokia first contact was on September 09, 2004.
Bluetooth SIG first contact was on October 21, 2004.

Nokia response and feedback was excellent!

The Bluetooth SIG representatives had a spoken conversation with me, where they recognized the flaw. We talked about the chance of testing some devices, mainly phone devices. They seemed to be interested in knowing what my intentions were... if I was going to make it public or not. I was not in a hurry, and I'm not in a hurry at the moment, but I think that six months from our first contact in October 2004 is time enough to have some feedback from them.

14 June 2005 - IT SEEMS OTHER PEOPLE NOTICED A SIMILAR ISSUE A LONG TIME AGO.

This is the case of TRANSIENT (http://www.transient-iss.com). On this site you will find some Bluetooth related security tools like T-BEAR, a "Bluetooth Environment Auditor" in the author's own words.
I have tried it and it works fine as a monitoring tool for Bluetooth. The suite of tools includes a tool called "tanya" which is supposed to break the BT functionality in BT enabled devices in a similar way to what an l2ping flood does, although at the moment of writing this advisory I was unable to make this tool work against my Nokia 7650. It seems the tool needs some tweaks for every device. There are also other very nice tools... I suggest you check his site.

Other people are claiming that during the 21st Chaos Computer Congress there was an l2ping flood demo... (by www.trifinite.org). Please, if you have any video, paper or anything talking about exactly this D.o.S. (ping flood), I will be pleased to credit them here.

Anyway, if you are interested in Bluetooth insecurity ;-) you should check the amazing work of these people: http://trifinite.org/trifinite_stuff.html

Other vendors were not contacted... I think this must be done by Bluetooth SIG people.

DESCRIPTION

The vulnerability is a simple Denial of Service that can be reproduced with the Linux tool "l2ping". Due to the nature of "ping" in the Bluetooth protocol, where a connection must be established, and the limited number of connections that (standard) Bluetooth stacks can manage, a simple ping flood with l2ping can inhibit Bluetooth on many devices: the device cannot do a device discovery, and other devices cannot connect to it. In most cases the Denial of Service can't be avoided by rebooting the device, as some people may think.

What happens if you test it with l2ping is that l2ping was not written to be a D.o.S. tool, and does not expect to lose the connection... l2ping can be modified to make the D.o.S. more effective.

On the other hand, devices behave differently in the discovery process. Some devices can be reached when they are in "non discoverable mode" or "hidden mode". That is, some devices can be connected to even if they are in hidden mode (this is the case for Nokia 7650 and 6600,...
so Symbian 6 and Symbian 7), so they can be ping-flooded at any time. We only need to know the device address... If we know the vendor of the device, it is easy to write a simple tool to scan the range of possible addresses. Today's BT dongles have reached 100m of signal range, so imagine what can be done with a simple laptop and 2 or 3 dongles in an airport, big building, etc... printers, headsets, and speaking in general, the incoming piconets that stop working... even before they can be deployed :-) It does not seem a nice scenario...

Below you have some of the e-mails I wrote/got to/from Nokia and the Bluetooth SIG. Some data has been hidden to protect the identity of the people talking to me, mainly from spammers.

TIMELINE

------------------------------------------------------------------------------
Subject: Vulnerabilities on Nokia 7650
From: Hugo Vázquez Caramés (Infohacking)
To: security-alert@nokia.com
Date: 06-09-04 15:28

Hi, my name is Hugo Vazquez Carames, and I'm writing from Spain, Barcelona.

I've found two security flaws on the Nokia 7650.

At: http://www.nokia.com/nokia/0,,56221,00.html

You say:

"Denial-of-Service Attempts
Nokia is aware of Denial-of-Service (DoS) laboratory tests against Bluetooth enabled devices and is carefully analyzing these incidents. There is no security threat as a result of DoS attacks. To date, DoS attacks have only been conducted in laboratory tests. They also require a laptop, Bluetooth connectivity and specific software. Even if a DoS attack is successful, there is no harm to the device. The affected device simply reboots itself, and is fully functional again. The DoS attempt does not damage the phone or view or extract any data from the device. In general, the risk of a DoS attempt is minimal."

The next D.o.S. can be reproduced "at home", with a simple laptop. A Bluetooth enabled PDA can reach the same results.

1) D.o.S. to the Bluetooth device

The 7650 Bluetooth communications can be totally inhibited simply by sending a ping-flood to the device from a Linux laptop with Bluetooth connectivity.

To reproduce:

# l2ping -f

While flooding, the 7650 will be unable to work with Bluetooth. The victim's device will prompt a message, which says (in Spanish):

"Imposible conectar. Nº máximo de conexiones Bluetooth en uso"

Which means something like:

"Can't connect. Maximum number of Bluetooth connections being used"

This vulnerability is trivial for devices not in "hidden" mode, so with a 100m range Bluetooth dongle, an attacker can D.o.S. a lot of devices...

You say also:

"Tips to Enhance Bluetooth Security
To date, Nokia is not aware of any Bluetooth security attacks except for those made in the laboratory or for demonstration purposes. We believe the real security threat is minimal. However, consumers may take the following measures to address the Bluetooth security issues reported during past months.
* Set the device to "hidden" mode as instructed in the User's Guide. [Menu>Connectivity (8910i only)>Bluetooth>Bluetooth Setting>Hidden]. Personal devices like headsets can still connect to the phone, but intrusion is much more difficult since the hacker will have to know the Bluetooth address before establishing a connection."

2) "Hidden" devices are not really "hidden"

Knowing the Bluetooth address is not a pain...

1st method: if the device is not in "hidden" mode, the attacker can save the Bluetooth device address in order to have the victim device always reachable in the future, even if the device is in hidden mode.

2nd method (the really dangerous one): the 7650 in "hidden" mode responds to pings, that is, it allows connections. It does not seem difficult to make a Bluetooth address scanner that looks for specific ranges:

-Nokia 00:60:57 ... 00:02:EE ... 00:02:57 ...

So the address space range to scan is only 256*256*256. A multithreaded scanner can do it in a few hours.

(...)
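The DESCRIPTION section above explains the mechanism in two sentences: an L2CAP "ping" (echo request) can only travel over an established link, and a stack has a bounded link table, so a flood holds the table full and the phone reports "maximum number of Bluetooth connections in use". The following Python is an added example, not code from the advisory, from Nokia or from any Bluetooth stack. It models that mechanism from the defender's side: a parser for L2CAP signalling frames (basic header length/CID, then code/identifier/length commands, echo request code 0x08), a per-address sliding-window detector that flags an echo-request flood in captured traffic, and a toy link table showing why a legitimate device is refused during the flood and accepted again once the flood stops, which matches what Nokia reported in the thread below (no reboot needed). The link-table size, the addresses and the frames are constructed values for the demonstration.

```python
"""Added example: L2CAP echo-request flood, modelled and detected (not from the advisory)."""
from collections import defaultdict, deque
import struct

L2CAP_SIGNALLING_CID = 0x0001   # signalling channel carries echo request/response
L2CAP_ECHO_REQUEST = 0x08       # command code for Echo Request
L2CAP_ECHO_RESPONSE = 0x09      # command code for Echo Response


def parse_l2cap_signalling(frame):
    """Return [(code, identifier, payload), ...] for commands in one L2CAP frame
    on the signalling channel; [] for other channels or a malformed frame."""
    if len(frame) < 4:
        return []
    length, cid = struct.unpack_from("<HH", frame, 0)   # basic header: length, CID
    if cid != L2CAP_SIGNALLING_CID or len(frame) < 4 + length:
        return []
    body = frame[4:4 + length]
    commands, pos = [], 0
    while pos + 4 <= len(body):
        code, ident, clen = struct.unpack_from("<BBH", body, pos)
        pos += 4
        if pos + clen > len(body):
            break                       # truncated command: stop, do not misparse
        commands.append((code, ident, body[pos:pos + clen]))
        pos += clen
    return commands


def build_echo_request(ident, payload=b""):
    """Build a signalling frame carrying one echo request (constructed test data)."""
    cmd = struct.pack("<BBH", L2CAP_ECHO_REQUEST, ident, len(payload)) + payload
    return struct.pack("<HH", len(cmd), L2CAP_SIGNALLING_CID) + cmd


class LinkTable:
    """Toy model of a stack's link table with a fixed number of slots (assumption)."""
    def __init__(self, max_links):
        self.max_links = max_links
        self.links = set()

    def connect(self, bdaddr):
        if bdaddr in self.links:
            return True
        if len(self.links) >= self.max_links:
            return False                # "maximum number of Bluetooth connections in use"
        self.links.add(bdaddr)
        return True

    def disconnect(self, bdaddr):
        self.links.discard(bdaddr)


class EchoFloodDetector:
    """Flag a remote address sending more than `threshold` echo requests
    within `window_s` seconds (sliding window kept per address)."""
    def __init__(self, threshold=20, window_s=5.0):
        self.threshold, self.window_s = threshold, window_s
        self.history = defaultdict(deque)

    def observe(self, ts, bdaddr, frame):
        """Feed one captured frame; True if this address is now over threshold."""
        n = sum(1 for code, _, _ in parse_l2cap_signalling(frame)
                if code == L2CAP_ECHO_REQUEST)
        if n == 0:
            return False
        q = self.history[bdaddr]
        q.extend([ts] * n)
        while q and ts - q[0] > self.window_s:
            q.popleft()                 # drop requests that left the window
        return len(q) > self.threshold


def run_demo():
    """Constructed scenario: flooder fills the table, headset is refused until the
    flood stops; a capture of the flooder's traffic trips the detector."""
    table = LinkTable(max_links=7)                              # assumption: 7 slots
    flooder = [f"00:11:22:33:44:{i:02X}" for i in range(7)]     # constructed addresses
    headset = "00:AA:BB:CC:DD:EE"                               # constructed address
    for addr in flooder:
        table.connect(addr)
    refused_during_flood = not table.connect(headset)
    for addr in flooder:
        table.disconnect(addr)
    accepted_after_flood = table.connect(headset)

    det = EchoFloodDetector(threshold=20, window_s=5.0)
    flagged = False
    for i in range(40):                                         # 40 requests in 2 s
        flagged = det.observe(0.05 * i, flooder[0], build_echo_request(i % 255 + 1))
    benign = det.observe(10.0, headset, build_echo_request(1))  # one ping, later
    return {"refused_during_flood": refused_during_flood,
            "accepted_after_flood": accepted_after_flood,
            "flood_flagged": flagged, "benign_flagged": benign}


if __name__ == "__main__":
    print(run_demo())
```

The threshold and window are tuning knobs: a paired headset or a link-quality probe sends a handful of echo requests, while a flood produces dozens per second from one address, so the two separate cleanly even with a generous threshold. The same per-address counter can be fed from an HCI capture on a host, which is the only vantage point the advisory leaves a defender, since the stacks it lists expose no rate limit of their own.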
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: Vulnerabilities on Nokia 7650
From: XXXXXXXXXXX@nokia.com
To: hugo@infohacking.com
Date: 08-09-04 07:47

Dear Hugo,

We have received your e-mail and will start to analyse the situation. We will get back to you after reproducing the problem.

My PGP key is below. Please use it when sending e-mail directly to me.

Best Regards,
XXXXXXXXXX
----------------------------------------------------------
XXXXXXXXXX
Senior Technology Manager, Security Technology and Quality, Multimedia BG
----------------------------------------------------------

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From:
To:
Date: 13-09-04 08:29

Encrypted message
Message was signed by XXXXXXXXXXXX (Key ID: 0xXXXXXXXXX). The signature is valid, but the key's validity is unknown.

Hello Hugo,

We have now made some tests with 7650 and also with other Series 60 devices. The only side effect we have noticed is that the 7650 cannot make device discovery while being flooded. After the flooding, the device works fine - e.g. no rebooting is required. Is this in line with your findings?

Best Regards,
XXXXXXXXX
----------------------------------------------------------
XXXXXXXXXXXXXXXXX
Senior Technology Manager, Security Technology and Quality, Multimedia BG
tel. +XXXXXXXXXXXX
----------------------------------------------------------

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From:
To:
Date: 13-09-04 11:40

Encrypted message
Message was signed by XXXXXXXXXXXX (Key ID: 0xXXXXXXXXXX). The signature is valid, but the key's validity is unknown.

Hi Hugo,

About hidden / non-discoverable mode: the Bluetooth specification states that a non-discoverable device can be connectable. To my understanding most of the devices behave this way.
Personally I would not consider this as a vulnerability because the device does not crash - like with some other DoS vulnerabilities reported by other companies - and the Bluetooth is working as specified.

Please let me know if you disagree or if you have any further comments etc.

Best Regards,
XXXXXXXXXX

> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:XXXXXXXXXXXXXXXXXX]
> Sent: 13 September, 2004 11:19
> To: XXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames
> *** Signed: 13.09.2004 11:19:28 AM
> *** Verified: 13.09.2004 11:55:21 AM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> Hi XXXXXXXXX,
>
> your tests are OK, and what you noticed is exactly what I noticed...
>
> What about the fact that a "hidden" device can be found (with an address
> scanner) and directly reached via Bluetooth address? Is there any way to
> really "hide" the device without having to turn off the Bluetooth port?
>
> Regards,
>
> Hugo

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From:
To:
Date: 11-10-04 08:31

Encrypted message
Message was signed by XXXXXXXXXXX (Key ID: 0xXXXXXXXXXXX). The signature is valid, but the key's validity is unknown.

Hello Hugo,

Sorry for my late response. I've been out of the office for some time.

This DoS seems to be a specification issue which should be handled by Bluetooth SIG. I have forwarded the details to our SIG representatives.
Thank you,
XXXXXXXXXXXXXXX

> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:hugo@infohacking.com]
> Sent: 05 October, 2004 08:30
> To: XXXXXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames
> *** Signed: 05.10.2004 8:29:56 AM
> *** Verified: 06.10.2004 8:53:08 AM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> Hi XXXXXXX,
>
> Subsequent tests with Symbian 7 (on Nokia 6600) reveal that
> it's vulnerable to the same D.o.S. as Symbian 6...
>
> I'm about to notify this to Securityfocus... Is there anything I should know
> before I make this information public?
>
> Kind regards,
>
> Hugo
>
> *** END PGP DECRYPTED/VERIFIED MESSAGE ***

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From:
To:
Date: 11-10-04 14:54

Encrypted message
Message was signed by XXXXXXXXXXX (Key ID: 0xXXXXXXXXXXX). The signature is valid, but the key's validity is unknown.

Hi Hugo,

> I'll mention this on my advisory and

Ok, but if you want to quote me or get an official company statement, it would require more time due to legal and communications review.

Thank you,
XXXXXXXXXXXX

> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:hugo@infohacking.com]
> Sent: 11 October, 2004 14:54
> To: XXXXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames
> *** Signed: 11.10.2004 2:54:17 PM
> *** Verified: 11.10.2004 3:32:48 PM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> Hi XXXXXXXXXXXXX,
>
> thanks for your response.
>
> > This DoS seems to be a specification issue which should be handled by
> > Bluetooth SIG. I have forwarded the details to our SIG
> > representatives.
>
> I'll mention this on my advisory and I will also mention the nice way you
> have attended my doubts. Thanks again for your support, and good job!
>
> sincerely,
>
> Hugo

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From:
To:
Date: 13-10-04 10:59

Encrypted message
Message was signed by XXXXXXXXXXXXXX (Key ID: 0xXXXXXXXXXXXX). The signature is valid, but the key's validity is unknown.

Hello Hugo,

Many thanks for your patience. I have initiated the process. You will receive an official statement from Nokia or Bluetooth SIG. I expect this to happen within a week or so. I'll keep you posted.

Best Regards,
XXXXXXXXXXXXX

> -----Original Message-----
> From: ext Hugo Vázquez Caramés [mailto:hugo@infohacking.com]
> Sent: 11 October, 2004 16:48
> To: XXXXXXXXXXXX (Nokia-M/Tampere)
> Subject: Re: FW: Vulnerabilities on Nokia 7650
>
> *** PGP Signature Status: good
> *** Signer: Hugo Vazquez Carames
> *** Signed: 11.10.2004 4:48:02 PM
> *** Verified: 12.10.2004 8:19:53 AM
> *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
>
> > Ok, but if you want to quote me or get an official company statement,
> > it would require more time due to legal and communications review.
>
> Ok. It would be interesting to have such an official company statement. I'm not
> in a hurry, but I would not like to be waiting for three months from now...
> How much time do you estimate to have those legal and communications reviews?
>
> Thanks,
>
> Hugo

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RE: FW: Vulnerabilities on Nokia 7650
From:
To:
Date: 21-10-04 11:31

Encrypted message
Message was signed by XXXXXXXXXXXXXXX (Key ID: 0xXXXXXXXXXX). The signature is valid, but the key's validity is unknown.

Hello Hugo,

Bluetooth SIG comms people will try to contact you. You should receive the statement from SIG directly.
If you have a phone number I could pass to SIG comms, please let me know.

Thank you,
XXXXXXXXXXXXX

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
THEN BLUETOOTH SIG PEOPLE CONTACTED ME...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Subject: DoS
From: "XXXXXXXXXXXXX"
To:
Date: 21-10-04 18:20

Hi Hugo,

Regarding the ping flood denial of service. I would like to set up a call with you and XXXXXXXXXXXXXXXXX, marketing manager for the Bluetooth SIG, who would like your views on this. Could we give you a call? Eventually: we are both in Madrid on Sunday evening and Monday, maybe we can even meet?

Kind regards!
XXXXXXX

XXXXXXXXXXXXXXXXX | Account Director | Porter Novelli | o: +32 (0)2 XXX XX XX | m: +32 (0)XXX XX XX XX | XXXXXXXXXXXXXXXX@porternovelli.be | www.porternovelli.be | Bd. Louis Mettewielaan 272, bus 5 B-1080 Brussels | Insights. Ideas. Impact.
Porter Novelli International today is one of the top five global brands in public relations, and forms part of the Omnicom group of companies.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Fwd: DoS on bluetooth devices
From: Hugo Vázquez Caramés (Infohacking)
To: XXXXXXXXXXXXXXXXX@porternovelli.be
Date: 28-02-05 09:49

Message was signed by XXXXXXXXXXXXXXX (Key ID: 0xXXXXXXXXX). The signature is valid and the key is ultimately trusted.

Hi XXXXXXXXXXX,

First of all, thanks for the invitation to "LinkedIn". By the way, I sent this mail to you 2 months ago with no response... What about it?

Regards,

Hugo

---------- Forwarded Message ----------
Subject: DoS on bluetooth devices
Date: Wednesday 22 December 2004 17:24
From: Hugo Vázquez Caramés
To: XXXXXXXXXXXXXXXX@porternovelli.be

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi XXXXXXXXXXX,

I'm Hugo Vazquez, from Infohacking (Barcelona).
We had a spoken conversation some weeks ago (while you were in Madrid) about a denial of service that I have discovered which seems to affect Bluetooth enabled devices. I have tested the DoS on some other devices and all of them seem to be affected. At the time of this writing, tested devices are:

-Nokia 7650 (Symbian 6.0)
-Nokia 6600 (Symbian 7.0)
-Siemens V55
-Motorola S55
-Conceptronic (CBTU) Bluetooth dongle on Windows 2003 (the vulnerable component is the Windows BT stack implementation...)
-Others...

1) ALL the devices tested are affected by DoS (connection flood).
2) "Hide-mode protection" behaviour is different in each device/customer. Some devices can not be connected while in "hide-mode" while on others you can do it.

- Most affected customer seems to be NOKIA, which is vulnerable to both flaws (1 & 2).

Nokia (XXXXXXXXXXXX@nokia.com) seems to agree with me in the fact that the DoS exists (they have reproduced it), but they claim that they are following Bluetooth specifications, so maybe this is a Bluetooth design error...

Since this affects a wide spread of devices around the world, I would like to know what your official statement about those issues is, before I write the advisory and make it public.

Kind regards,

Hugo Vázquez Caramés
Infohacking

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
FROM THIS,.... NO MORE NEWS FROM BLUETOOTH SIG...