Bluetooth-enabled cell phones subject to attack

Armin Hornung and Stefan Ekerfelt, researchers and students at the University of Washington, have recently disclosed findings of a new form of DoS (Denial of Service) attack that can potentially cripple some cellular phones.

“During a course project studying security and privacy related to Bluetooth, we discovered a simple but effective DoS attack using OBEX push,” Hornung said in an emailed release to the Full Disclosure security mailing list. OBEX, short for “Object Exchange,” is a communications protocol that facilitates the exchange of binary objects between devices.

Armin, in an interview with Monsters and Critics, said the potential for large-scale attacks was indeed there. “As it seems all devices keep asking the user to accept the file, there is no way to ‘always deny this address’ e.g. possibly, someone equipped with N Bluetooth dongle on any Linux system can DoS about 3*N devices in range.” The attack uses a third-party tool, ‘ussp-push,’ an OBEX pusher for Linux built on the BlueZ Bluetooth stack, to send files to the targeted device in rapid succession. For each incoming file, the device shows a prompt asking the user to either accept or deny it. These prompts arrive quickly and in huge numbers. The result is a device filled with prompt windows, which effectively locks up the phone and prevents the user from even disabling Bluetooth.
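The missing control Armin describes, sketched as an added example (not code from the researchers or from any phone vendor): a gate on the receiving side that decides whether a push request may raise a prompt at all. The class and function names are hypothetical, the addresses and trace are constructed, and the example goes beyond ‘always deny this address’ by also limiting prompts per sender and across all senders.

```python
from collections import defaultdict, deque

class PushPromptGate:
    """Decides whether an incoming OBEX push request may raise a user prompt."""
    def __init__(self, max_per_window=3, window_s=60.0, max_pending=2):
        self.max_per_window = max_per_window   # prompts allowed per sender per window
        self.window_s = window_s
        self.max_pending = max_pending         # prompts on screen at once, all senders
        self.denied = set()                    # "always deny this address" list
        self.pending = set()                   # senders with a prompt currently shown
        self.history = defaultdict(deque)      # sender -> timestamps of shown prompts

    def on_push_request(self, addr, now):
        """Return 'prompt' or a 'reject:<reason>' string; rejects show no UI."""
        if addr in self.denied:
            return "reject:denied"
        if addr in self.pending:
            return "reject:already-pending"
        if len(self.pending) >= self.max_pending:
            return "reject:too-many-prompts"
        seen = self.history[addr]
        while seen and now - seen[0] >= self.window_s:
            seen.popleft()                     # forget prompts outside the window
        if len(seen) >= self.max_per_window:
            return "reject:rate-limit"
        seen.append(now)
        self.pending.add(addr)
        return "prompt"

    def on_user_answer(self, addr, always_deny=False):
        # The user dismissed the prompt (accept or deny) and may block the sender.
        self.pending.discard(addr)
        if always_deny:
            self.denied.add(addr)

def replay(events, gate):
    """events: (time_s, kind, addr[, always_deny]); returns the push decisions."""
    out = []
    for ev in events:
        t, kind, addr = ev[:3]
        if kind == "push":
            out.append(gate.on_push_request(addr, t))
        else:
            gate.on_user_answer(addr, always_deny=len(ev) > 3 and ev[3])
    return out

# Constructed trace: one sender floods, a second sender pushes a single file.
FLOOD, FRIEND = "00:11:22:33:44:55", "66:77:88:99:AA:BB"  # constructed addresses
TRACE = [(0.0, "push", FLOOD), (0.1, "push", FLOOD), (0.2, "push", FRIEND),
         (1.0, "answer", FLOOD), (1.1, "push", FLOOD), (2.0, "answer", FLOOD, True),
         (2.1, "push", FLOOD), (90.0, "push", FLOOD)]
```

Because a sender's Bluetooth address can be changed, the cap on simultaneous prompts across all senders matters as much as the per-address deny list: it keeps the screen usable so the user can still reach the Bluetooth off switch.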

The phones tested, chosen not because they were targets but because they were the only phones available at the time, Armin said, were the Sony Ericsson K700i, the Nokia N70, the Motorola MOTORAZR V3, the Sony Ericsson W810i, and the LG Chocolate KG800. Those phones alone are enough to target a large number of users in any given location. However, Monsters and Critics did its own testing and completed a DoS attack on several other phones with Bluetooth enabled. In a test run in an office park with some willing test subjects, these phones were also subject to attack.

The test setup was a Linux laptop with ussp-push installed and a Bluetooth dongle. Each phone within range had Bluetooth enabled, and OBEX was confirmed working with a sample file before testing. The following phones locked up in a matter of minutes if they were within range of the dongle: the Samsung M610 and A900M, a Sanyo KATANA (model number unknown), the Nokia 6256, 8800, 6680, and N91, the Sony Ericsson P910i, W800i, and P800, the PalmOne Treo 650 and 700, and a Motorola V600. The test, while hardly scientific, did show that sending a stream of packets to a targeted phone, seemingly any phone with Bluetooth enabled, would trigger a DoS attack. Phones with Bluetooth disabled were not subject to the attack and were therefore immune.

In the past, there have been numerous proven exploits that can allow an attacker to gain remote access to several Bluetooth devices within range. While Bluetooth is useful, it can be disruptive if accessed maliciously. Armin said it was possible to trick a user into accepting a malicious file by using this exploit, and that is reason for caution.
If you have no need for Bluetooth, it is best to disable it on your phone.

Armin and Stefan came across this exploit during research almost completely by accident. While the intent was not to cause harm, they gave a proof of concept to the list where this was first published, so it is possible that the code is already in the hands of those who would do harm. While not malicious in nature, their research points out a fact most already know: Bluetooth is flawed, and if it is used incorrectly, e.g. left on when not needed, the phone and its owner are a willing target for several known exploits.
