Bluetooth SIG Denial of Service vulnerability
The next D.o.S. can be reproduced "at home", with a simple laptop. A bluettoth
enabled PDA can reach same results.
1) D.o.S. to the bluetooth device
Many bluetooth device communications can be totally inhibited simply by sending
a ping-flood to the device from a linux laptop with bluetooth connectivity.
To reproduce:
# l2ping -f <bluetooth_address>
At the time of this writing, tested devices are:
- -Nokia 7650 (Symbian 6.0)
- -Nokia 6600 (Symbian 7.0)
- -Siemens V55
- -Motorola S55
- -Conceptronic (CBTU) Bluetooth dongle on Windows 2003 (vulnerable is
windows BT stack implemetation...)
- -Others...
1) ALL the devices tested are affected by DoS. (connection flood)
2) "Hide-mode protection" behaviour is different in any device/customer. Some
devices can not be connected while in "hide-mode" while on others you can do it.
- - Most affected customer seems to be NOKIA witch is vulnerable to denial od
seervice, even in hidden mode...
Nokia seems to agree with me in the fact that DoS
exists (they have reproduced it), but they claim that they are following
Bluetooth specifications, so maybe this is a Bluetooth design error...
Quoting a Nokia guy from security-alert__at__nokia.com:
"This DoS seems to be a specification issue which should be handled by
Bluetooth SIG."
For the complete time-line of ontacts with Nokia and Bluetooth people, check
this URL:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/bt/index.html
Hugo Vázquez Caramés
Infohacking
Barcelona
Spain