Full Disclosure mailing list archives
Re: Bluetooth related security problem with Motorola E398 GSM phone
From: Adam Laurie <adam.laurie () thebunker net>
Date: Thu, 12 May 2005 11:23:02 +0100
Tonu Samuel wrote:
I got a Motorola E398 phone and was trying all known Bluetooth exploits on it. None of them worked (which is good of course). But meanwhile I got some ideas and after some modifications to existing exploits I found a way to fool my phone. This is not a very brilliant exploit, so I can post full disclosure here, but it would be nice if someone can forward it to the right people in Motorola.
I will do.
I was using source code which is available under the name btxml.c (easy to find with Google). This code does three steps to exploit the older Nokia 6310:
[ snip ]
After the user presses "DENY", the question appears again until the user gets bored and presses "GRANT". After that the Bluetooth devices are paired, the "friendly" attacker is stored in the Motorola device list, and never-ever any questions appear again when AT commands are used over Bluetooth to fetch data. btxml is not optimized for Motorola, so the output is a bit poor, but this can be fixed. The main idea is to show that mobile phones still have problems:
This is not really the phone having a problem as such - it's social engineering. You have tricked the user into allowing the pairing, and once paired, you can do anything you like with the phone.
As it happens, there is an attack that does work on some earlier models of Motorola and doesn't require interaction from the phone's user, whereby just getting yourself onto the device history without pairing is enough to allow connections to the headset profile, and, therefore, the AT command set. We call this attack 'HeloMoto':
http://trifinite.org/trifinite_stuff_helomoto.html

cheers,
Adam
--
Adam Laurie                         Tel: +44 (20) 7605 7000
The Bunker Secure Hosting Ltd.      Fax: +44 (20) 7605 7099
Shepherds Building                  http://www.thebunker.net
Rockley Road
London W14 0DA                      mailto:adam () thebunker net
UNITED KINGDOM                      PGP key on keyservers
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Bluetooth related security problem with Motorola E398 GSM phone Tonu Samuel (May 07)
- Re: Bluetooth related security problem with Motorola E398 GSM phone Thierry Zoller (May 07)
- Re: Bluetooth related security problem with Motorola E398 GSM phone Adam Laurie (May 12)