<<< Date Index >>>     <<< Thread Index >>>

Bluetooth SIG Denial of Service vulnerability



The next D.o.S. can be reproduced "at home", with a simple laptop. A bluettoth 
enabled PDA can reach same results.

1) D.o.S. to the bluetooth device

Many bluetooth device communications can be totally inhibited simply by sending 
a ping-flood to the device from a linux laptop with bluetooth connectivity.

To reproduce:

# l2ping -f <bluetooth_address>


At the time of this writing, tested devices are:

- -Nokia 7650 (Symbian 6.0)
- -Nokia 6600        (Symbian 7.0)
- -Siemens  V55
- -Motorola  S55
- -Conceptronic (CBTU) Bluetooth dongle on Windows 2003 (vulnerable is
 windows BT stack implemetation...)
- -Others...

1) ALL the devices tested are affected by DoS. (connection flood)
2) "Hide-mode protection" behaviour is different in any device/customer. Some
devices can not be connected while in "hide-mode" while on others you can do it.

- - Most affected customer seems to be NOKIA witch is vulnerable to denial od 
seervice, even in hidden mode...

Nokia seems to agree with me in the fact that DoS
exists (they have reproduced it), but they claim that they are following
Bluetooth specifications, so maybe this is a Bluetooth design error...

Quoting a Nokia guy from security-alert__at__nokia.com:

"This DoS seems to be a specification issue which should be handled by 
Bluetooth SIG."

For the complete time-line of ontacts with Nokia and Bluetooth people, check 
this URL:

http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/bt/index.html

Hugo Vázquez Caramés
Infohacking
Barcelona
Spain