Date: Thu May 12 12:18:37 2005
From: adam.laurie at thebunker.net (Adam Laurie)
Subject: Bluetooth related security problem with Motorola E398 GSM phone

Tonu Samuel wrote:
> 
> I got a Motorola E398 phone and was trying all known Bluetooth exploits on it. 
> None of them worked (which is good, of course). But meanwhile I got some ideas, 
> and after some modifications to existing exploits I found a way to fool my 
> phone. This is not a very brilliant exploit, so I can post full disclosure 
> here, but it would be nice if someone could forward it to the right people at Motorola.

I will do.

> 
> I was using source code which is available under the name btxml.c (easy to find 
> with Google). This code does three steps to exploit the older Nokia 6310:

[ snip ]

> After the user presses "DENY", the question appears again until the user gets bored and 
> presses "GRANT". After that the phone is paired with the Bluetooth device, the "friendly" 
> attacker is stored in the Motorola device list, and never again do any questions appear 
> when AT commands are used over Bluetooth to fetch data.
> 
> btxml is not optimized for Motorola, so the output is a bit poor, but this can be 
> fixed. The main idea is to show that mobile phones still have problems:

This is not really the phone having a problem as such - it's social 
engineering. You have tricked the user into allowing the pairing, and 
once paired, you can do anything you like with the phone.

As it happens, there is an attack that does work on some earlier models 
of Motorola and doesn't require interaction from the phone's user, 
whereby just getting yourself onto the device history without pairing is 
enough to allow connections to the headset profile, and, therefore, the 
AT command set. We call this attack 'HeloMoto':

   http://trifinite.org/trifinite_stuff_helomoto.html

cheers,
Adam
-- 
Adam Laurie                         Tel: +44 (20) 7605 7000
The Bunker Secure Hosting Ltd.      Fax: +44 (20) 7605 7099
Shepherds Building                  http://www.thebunker.net
Rockley Road
London W14 0DA                      mailto:adam@...bunker.net
UNITED KINGDOM                      PGP key on keyservers
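The weakness Tonu describes is that the phone re-asks the pairing question every time the remote device asks again, so the only thing standing between the attacker and a pairing is the user's patience. The defensive counterpart is a prompt policy that remembers a DENY: once the user has refused a peer, further requests from that address are silently dropped for a cooldown that grows with each refusal, and a peer that is refused repeatedly is no longer prompted for at all. The following Python simulation of such a policy is an added example, not code from this thread, from Motorola or from the btxml tool; the `PairingPromptGuard` class, its cooldown numbers and the Bluetooth addresses in the trace are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical prompt-throttling policy for incoming pairing requests.
# States per remote address: how many times the user has said DENY, and
# until when further prompts from that address are suppressed.


@dataclass
class PeerState:
    denials: int = 0               # number of times the user pressed DENY
    suppressed_until: float = 0.0  # no prompt for this peer before this time


class PairingPromptGuard:
    """Decide whether a pairing request may be shown to the user.

    After a DENY the peer is suppressed for base_cooldown seconds, doubling
    with every further DENY; after max_denials refusals the peer is blocked
    outright, so a remote device cannot keep re-prompting until the user
    gives in.
    """

    def __init__(self, base_cooldown: float = 60.0, max_denials: int = 3):
        self.base_cooldown = base_cooldown
        self.max_denials = max_denials
        self.peers: Dict[str, PeerState] = {}
        self.blocked: Set[str] = set()

    def on_request(self, addr: str, now: float) -> str:
        """Return PROMPT, SUPPRESS or BLOCK for a pairing request from addr."""
        if addr in self.blocked:
            return "BLOCK"
        state = self.peers.setdefault(addr, PeerState())
        if now < state.suppressed_until:
            return "SUPPRESS"      # user already said no recently: do not re-ask
        return "PROMPT"

    def on_decision(self, addr: str, granted: bool, now: float) -> None:
        """Record the user's answer to a prompt that was actually shown."""
        state = self.peers.setdefault(addr, PeerState())
        if granted:
            self.peers.pop(addr, None)  # paired by the user's own choice
            return
        state.denials += 1
        if state.denials >= self.max_denials:
            self.blocked.add(addr)      # stop asking about this peer entirely
            return
        # exponential cooldown: 60 s after the first DENY, 120 s after the second, ...
        state.suppressed_until = now + self.base_cooldown * (2 ** (state.denials - 1))


def run_trace(events: List[Tuple[float, str, str]],
              base_cooldown: float = 60.0,
              max_denials: int = 3) -> List[Tuple[float, str]]:
    """Replay (time, address, action) events; return (time, decision) per request."""
    guard = PairingPromptGuard(base_cooldown, max_denials)
    outcomes: List[Tuple[float, str]] = []
    for t, addr, action in events:
        if action == "request":
            outcomes.append((t, guard.on_request(addr, t)))
        elif action == "deny":
            guard.on_decision(addr, False, t)
        elif action == "grant":
            guard.on_decision(addr, True, t)
    return outcomes


# Constructed trace: one peer hammers the phone with pairing requests and is
# refused each time the user is asked; an unrelated peer asks once in between.
ATTACKER = "00:11:22:33:44:55"   # constructed address, not a real device
FRIEND = "66:77:88:99:AA:BB"     # constructed address, not a real device
CONSTRUCTED_TRACE = [
    (0.0, ATTACKER, "request"),   # first request: user is asked
    (2.0, ATTACKER, "deny"),      # user presses DENY -> 60 s cooldown
    (3.0, ATTACKER, "request"),   # immediate retry: suppressed, user not bothered
    (5.0, FRIEND, "request"),     # another peer is unaffected
    (10.0, ATTACKER, "request"),  # still inside cooldown
    (70.0, ATTACKER, "request"),  # cooldown over: user asked again
    (71.0, ATTACKER, "deny"),     # second DENY -> 120 s cooldown
    (100.0, ATTACKER, "request"),
    (200.0, ATTACKER, "request"), # cooldown over: user asked a third time
    (201.0, ATTACKER, "deny"),    # third DENY -> peer blocked
    (202.0, ATTACKER, "request"), # never prompted again
]


if __name__ == "__main__":
    for t, decision in run_trace(CONSTRUCTED_TRACE):
        print(f"t={t:6.1f}s  {decision}")
```

In this trace the user is asked three times in total instead of eleven, and the flood after the third refusal produces no prompt at all. The same bookkeeping would sit in the phone's Bluetooth stack where the pairing dialog is raised; the numbers are policy choices, the point is that a DENY must have a memory.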
