Date: Thu Feb  9 12:56:10 2006
From: adam.laurie at thebunker.net (Adam Laurie)
Subject: Bluetooth Activesync - requesting test

Greg wrote:
> OK this sounds screwy but if someone has the equipment, can you test and let
> us all know please?
> 
> A PDA I was working on that had to be Activesync'd to one computer had the
> PDA name "John" rather than the standard name that comes with the PDA.
> Another PDA was already working Activesync. Both were over bluetooth
> encrypted. The other one was named "Cheryl" just for info's sake. 
> 
> Anyway, "John" was a new PDA of exactly the same make and model as "Cheryl"
> (Mortein syndrome) but what I didn't know and didn't look for, initially,
> was that the computer had been set up by someone else to ONLY allow
> connections from "Cheryl" and no other device and it was set in "non
> discovery" mode, that is, no other bluetooth device is supposed to be able to
> find it. When I set John up, it autosync'd for 24 hours and stopped syncing
> again. I went back and did a thorough look and found that "Cheryl" was the
> only one allowed to connect bluetooth to the computer but "John" had,
> anyway.
> 
> So this makes me wonder - and this is what I am asking help with - is it
> possible that bluetooth pairing, connection in total and autosync are all at
> risk if the same model PDA is used even though they are set up with
> different PDA names and even if settings are correct and are NOT supposed to
> allow connection from anything else? If it is, this is a worry.

I'm not clear on what you mean when you say "When I set John up", but 
Bluetooth encrypted sessions are based on keys exchanged during pairing, 
and since you've stated that both "John" and "Cheryl" were "over 
Bluetooth encrypted", that means they must have both exchanged keys with 
the PC to be able to establish an encrypted session.

It's certainly possible that both the PDA and the PC have apps on them 
that perform pairing without user interaction (i.e. by having a default 
PIN known to both sides), but *extremely* unlikely as this goes against 
all standard industry practices, and it's not something I've ever seen 
in that class of device.

> 
> Of course, the alternative is that I stuffed something up, I know but for
> the life of me, I can't see what it is. If data is encrypted and only paired
> devices that are NAMED are allowed to connect, I would have thought that
> meant I shouldn't have been able to set the other PDA up but I did. 

OK, so what steps did you go through to "set up the other PDA"?

cheers,
Adam
-- 
Adam Laurie                         Tel: +44 (0) 20 7605 7000
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 20 7605 7099
Shepherds Building                  http://www.thebunker.net
Rockley Road
London W14 0DA                      mailto:adam@...bunker.net
UNITED KINGDOM                      PGP key on keyservers
