Bluetooth primer and phone information
03-06-2004, 06:47 AM
#401
Racer
Nokia 6820
I see that AT&T Wireless as of yesterday has the above phone for sale on its website for $229.99 with a plan. With Rogers AT&T in Canada we still only have the S/E T68i and T616 and the Nokia 3600.
03-06-2004, 11:08 AM
#402
Intermediate
Join Date: Feb 2004
Location: Flower Mound, TX
Posts: 29
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by pgriherd
Seabee:
Anyone had trouble with their phone jamming "IN USE" so that you can't use the stereo? My dealer called me last night -- cause she knew I had this happen -- to talk to another guy who did. We had to disconnect his battery............
Seabee:
Anyone had trouble with their phone jamming "IN USE" so that you can't use the stereo? My dealer called me last night -- cause she knew I had this happen -- to talk to another guy who did. We had to disconnect his battery............
I've had this happen once. Even with the car turned off, it still displayed "in use" and you could hear white noise from the speakers. I had to disconnect the battery as well (and then reset everything). Another time the computer froze up when I was trying to edit a number. Luckily turning the car off reset the computer.
I took it to the dealer and they were baffled by it. They called Acura to find out if there was a service bulletin on it and there wasn't. So they don't what to do other than replace the computer. Since it's working fine now, I told them to forget it and I'll wait to see if it happens again.
Let me know if you find out anything.
03-06-2004, 05:29 PM
#403
5th Gear
Join Date: Dec 2003
Location: Troy, NY
Posts: 5
Likes: 0
Received 0 Likes
on
0 Posts
Re: A new and happy user
Originally posted by Seabee
I picked-up my new TL w/NAVI last Wednesday and have had great luck so far. I programmed the phonebook with my common used # and have had no problems to date.
I am using a Siemens S56 with AT&T as my provider. The reception and quality has been excellent. The only “quirk”
I have noticed is when I answer the phone I have to pause a second before I say hello. I assume this is a small delay in the HFL and the phone connecting. As for getting VM I have programmed an entry called password into the phonebook and use that to receive my mail instead of using one long string to dial and enter the password.
I picked-up my new TL w/NAVI last Wednesday and have had great luck so far. I programmed the phonebook with my common used # and have had no problems to date.
I am using a Siemens S56 with AT&T as my provider. The reception and quality has been excellent. The only “quirk”
I have noticed is when I answer the phone I have to pause a second before I say hello. I assume this is a small delay in the HFL and the phone connecting. As for getting VM I have programmed an entry called password into the phonebook and use that to receive my mail instead of using one long string to dial and enter the password.
03-07-2004, 09:17 AM
#404
4th Gear
Join Date: Mar 2004
Location: florida
Posts: 4
Likes: 0
Received 0 Likes
on
0 Posts
i also use siemens s56 and it works great. i use cingular. only problem is the battery does not last long at all with the bluetooth on. i need to charge it every day. anyone know where to get a battery that lasts longer?
03-07-2004, 09:59 AM
#405
Burning Brakes
Join Date: Mar 2002
Location: Anaheim Hills, CA
Age: 59
Posts: 846
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by cestan
i also use siemens s56 and it works great. i use cingular. only problem is the battery does not last long at all with the bluetooth on. i need to charge it every day. anyone know where to get a battery that lasts longer?
i also use siemens s56 and it works great. i use cingular. only problem is the battery does not last long at all with the bluetooth on. i need to charge it every day. anyone know where to get a battery that lasts longer?
03-08-2004, 12:54 PM
#407
Originally posted by kleck
I've had this happen once. Even with the car turned off, it still displayed "in use" and you could hear white noise from the speakers. I had to disconnect the battery as well (and then reset everything). Another time the computer froze up when I was trying to edit a number. Luckily turning the car off reset the computer.
I took it to the dealer and they were baffled by it. They called Acura to find out if there was a service bulletin on it and there wasn't. So they don't what to do other than replace the computer. Since it's working fine now, I told them to forget it and I'll wait to see if it happens again.
Let me know if you find out anything.
I've had this happen once. Even with the car turned off, it still displayed "in use" and you could hear white noise from the speakers. I had to disconnect the battery as well (and then reset everything). Another time the computer froze up when I was trying to edit a number. Luckily turning the car off reset the computer.
I took it to the dealer and they were baffled by it. They called Acura to find out if there was a service bulletin on it and there wasn't. So they don't what to do other than replace the computer. Since it's working fine now, I told them to forget it and I'll wait to see if it happens again.
Let me know if you find out anything.
What I have done when the HFL is acting up is turn the car off and wait about a half hour. When I come back the Handsfreelink says BOOTING UP and it is OK. You do NOT lose your numbers.. you do NOT have to re-pair your phone, however you do need to put your phone in CONNECT mode or the equivalent so it will again connect to the car (do it once).
This was only a problem once.
Mike
03-09-2004, 12:09 AM
#408
Intermediate
Join Date: Nov 2003
Location: San Bruno, CA
Posts: 29
Likes: 0
Received 0 Likes
on
0 Posts
The "in use" being stuck happened to my TL today. It would not release from this state. Even with the key removed the HFL stay lid "in use". After 12 hours of this madness. I disconnect the battery and reconnect. Everything started working fine again.
So, we get the good news the memory seat has a fix.
But just when you think things are going right with the car.
It goes nut and something else goes wrong...
Thanks to my TL, it let me share stories on this forum.
Thanks www.acura-tl.com
So, we get the good news the memory seat has a fix.
But just when you think things are going right with the car.
It goes nut and something else goes wrong...
Thanks to my TL, it let me share stories on this forum.
Thanks www.acura-tl.com
03-09-2004, 09:38 AM
#409
Originally posted by chiy
The "in use" being stuck happened to my TL today. It would not release from this state. Even with the key removed the HFL stay lid "in use". After 12 hours of this madness. I disconnect the battery and reconnect. Everything started working fine again.
So, we get the good news the memory seat has a fix.
But just when you think things are going right with the car.
It goes nut and something else goes wrong...
Thanks to my TL, it let me share stories on this forum.
Thanks www.acura-tl.com
The "in use" being stuck happened to my TL today. It would not release from this state. Even with the key removed the HFL stay lid "in use". After 12 hours of this madness. I disconnect the battery and reconnect. Everything started working fine again.
So, we get the good news the memory seat has a fix.
But just when you think things are going right with the car.
It goes nut and something else goes wrong...
Thanks to my TL, it let me share stories on this forum.
Thanks www.acura-tl.com
03-09-2004, 01:47 PM
#410
Intermediate
Join Date: Nov 2003
Location: San Bruno, CA
Posts: 29
Likes: 0
Received 0 Likes
on
0 Posts
MikeRadio,
The system would not let me cancel out.
I've tried holding down the cancel button, enter diag mode, hang-up.
I hate sounding like this but, "NOTHING was working!!!"
The system would not let me cancel out.
I've tried holding down the cancel button, enter diag mode, hang-up.
I hate sounding like this but, "NOTHING was working!!!"
03-11-2004, 02:37 PM
#411
Intermediate
Join Date: Feb 2004
Location: Flower Mound, TX
Posts: 29
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by MikeRadio
I have had a similar issue. REMEMBER the HandsFreeLink stays in use AFTER the car is shut off for 10 mins or so.
What I have done when the HFL is acting up is turn the car off and wait about a half hour. When I come back the Handsfreelink says BOOTING UP and it is OK. You do NOT lose your numbers.. you do NOT have to re-pair your phone, however you do need to put your phone in CONNECT mode or the equivalent so it will again connect to the car (do it once).
This was only a problem once.
Mike
I have had a similar issue. REMEMBER the HandsFreeLink stays in use AFTER the car is shut off for 10 mins or so.
What I have done when the HFL is acting up is turn the car off and wait about a half hour. When I come back the Handsfreelink says BOOTING UP and it is OK. You do NOT lose your numbers.. you do NOT have to re-pair your phone, however you do need to put your phone in CONNECT mode or the equivalent so it will again connect to the car (do it once).
This was only a problem once.
Mike
03-11-2004, 08:11 PM
#412
Intermediate
Join Date: Dec 2003
Location: Los Angeles, CA
Age: 54
Posts: 37
Likes: 0
Received 0 Likes
on
0 Posts
RE: JAMMING IN USE MODE
This problem needs to be addressed with Acura. I took mine to the dealer, disconnected the battery...etc....I have contacted Acura and they are aware, but they put it on the dealer to fix it -- not Acura factory. Letter campaign? nothing big, just to make sure that this is a known problem.
This problem needs to be addressed with Acura. I took mine to the dealer, disconnected the battery...etc....I have contacted Acura and they are aware, but they put it on the dealer to fix it -- not Acura factory. Letter campaign? nothing big, just to make sure that this is a known problem.
03-11-2004, 11:23 PM
#415
Drifting
Join Date: Mar 2004
Location: Dallas, TX
Posts: 2,440
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by nitrotiger
I cant wait for the motorola v600
should be this month. i hope it works flawless with the tl
I cant wait for the motorola v600
should be this month. i hope it works flawless with the tl
The V400/V5xxx/V600 are very solid motorolas. I have never liked them but I think this is definitely a strong turning point!
03-12-2004, 04:44 PM
#417
Originally posted by snoopy20
If anyone with a Sony Ericsson phone is having problems pairing up with the HFL, contact me for a firmware upgrade.
If anyone with a Sony Ericsson phone is having problems pairing up with the HFL, contact me for a firmware upgrade.
03-12-2004, 04:56 PM
#418
Drifting
Join Date: Mar 2004
Location: Dallas, TX
Posts: 2,440
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by umbl0
Do you know if the firmware upgrade will fix the crackling poor sound quality that some of us are experiencing?
Do you know if the firmware upgrade will fix the crackling poor sound quality that some of us are experiencing?
* Lousy Reception (Firmware upgrade would definitely help, I have done 4 T610 and 1 T616)
* Bluetooth Crackling (this is hardware related)
* Hissing sound from phone's earpiece (hardware)
I imagine these problems have been addressed with the T616 as well since they are within the same series. Only difference is the T616 supports 850mhz frequency whereas the T610 is 900mhz and both have 1800/1900mhz.
03-13-2004, 11:21 AM
#420
TL-SHAWD 6MT Rocks!
For people who like to program at low level (pro's only).
I found on the web several Developer's kit for programming devices with Bluetooth Spec 1.2 (and 1.1) in different protocols,
including
Hands Free profile (HFP)
Headset profile (HSP)
Generic access profile (GAP)
Serial port profile (SPP)
Generic object exchange profile (GOEP)
Object push profile (OPP)
LAN access profile (LAP/PPP)
Fax profile (FAX)
Service discovery application profile (SDAP)
Intercom profile (ICP)
File transfer profile (FTP)
Dial-up networking profile (DUN)
RF Communications Protocol (RFCOMM)
Service Discovery Protocol (SDP)
Telephony Control Specification (TCS)
Logical Link Control and Adaptation Protocol (L2CAP)
Bluetooth Management Entity (BTM)
Cordless telephony profile (CTP)
phew! - got tired there... now you know why NOT ALL Bluetooth phones will work with the TL, they need to have the right profile! (HFP).
link: http://www.widcomm.com/Products/blue...ftware_bte.asp
the one I would be interested would be the:
BTE-Mobile DEVELOPMENT KIT
it's pretty interesting all you can do with the puny little phone.!
I found on the web several Developer's kit for programming devices with Bluetooth Spec 1.2 (and 1.1) in different protocols,
including
Hands Free profile (HFP)
Headset profile (HSP)
Generic access profile (GAP)
Serial port profile (SPP)
Generic object exchange profile (GOEP)
Object push profile (OPP)
LAN access profile (LAP/PPP)
Fax profile (FAX)
Service discovery application profile (SDAP)
Intercom profile (ICP)
File transfer profile (FTP)
Dial-up networking profile (DUN)
RF Communications Protocol (RFCOMM)
Service Discovery Protocol (SDP)
Telephony Control Specification (TCS)
Logical Link Control and Adaptation Protocol (L2CAP)
Bluetooth Management Entity (BTM)
Cordless telephony profile (CTP)
phew! - got tired there... now you know why NOT ALL Bluetooth phones will work with the TL, they need to have the right profile! (HFP).
link: http://www.widcomm.com/Products/blue...ftware_bte.asp
the one I would be interested would be the:
BTE-Mobile DEVELOPMENT KIT
it's pretty interesting all you can do with the puny little phone.!
03-13-2004, 02:31 PM
#421
Racer
NitroRoger
Someone in Ottawa already has the V600 (I think he ordered it from Europe). As I recall, he liked the phone but it did not show battery or signal strength on the MID.
I got my silver/ebony navi on Tuesday (2 weeks early because the car it was replacing needed an engine rebuild 2 weeks before the end of its lease).
I was told that no new bluetooth phones were going to be introduced by Rogers until May at the latest so I picked up two T616s for my wife and myself. They paired easily and I am not having problems with crackling or echos so far. My 85 year old dad can hear me just fine so the sound must be ok. I haven't yet determined if I am going to have reception problems.
So far I am loving the car. I suspect my gas mileage is poor but I haven't tried to convert the litres/100 km to mpg yet.
I got my silver/ebony navi on Tuesday (2 weeks early because the car it was replacing needed an engine rebuild 2 weeks before the end of its lease).
I was told that no new bluetooth phones were going to be introduced by Rogers until May at the latest so I picked up two T616s for my wife and myself. They paired easily and I am not having problems with crackling or echos so far. My 85 year old dad can hear me just fine so the sound must be ok. I haven't yet determined if I am going to have reception problems.
So far I am loving the car. I suspect my gas mileage is poor but I haven't tried to convert the litres/100 km to mpg yet.
Unfortunately mine is W04 of this year and it is crackling...
03-13-2004, 07:29 PM
#423
Drifting
Join Date: Mar 2004
Location: Dallas, TX
Posts: 2,440
Likes: 0
Received 0 Likes
on
0 Posts
Received another PM from stintel. From a technical point of view, the frequency output can be changed via flashing the ROM therefore reducing or increasing certain sounds. I will either be meeting up with stintel or having him send me his T616 and doing the upgrade and I'll be updating shortly on the progress.
03-14-2004, 08:37 PM
#425
4th Gear
Join Date: Mar 2004
Location: ocala, FL
Posts: 4
Likes: 0
Received 0 Likes
on
0 Posts
se t616
Got the SE T616 phone today and paired it with my 10 day old TL.
It works great. The phone is very small and fits nicely in the top of the center console. the hands free works fine and the voice recognition on the hands free is amazing. If you don't have a blue tooth phone, you are really missing out.
It works great. The phone is very small and fits nicely in the top of the center console. the hands free works fine and the voice recognition on the hands free is amazing. If you don't have a blue tooth phone, you are really missing out.
03-14-2004, 09:29 PM
#426
Intermediate
Join Date: Dec 2003
Location: Las Vegas, NV
Age: 52
Posts: 39
Likes: 0
Received 0 Likes
on
0 Posts
Bluetooth security issues
I saw this while looking for some information on Bluetooth that I thought you all would be interested in if you are planning on making that purchase. I know it has delayed me getting mine. Any feedback or clarifying information is appreciated. Thanks.
Summary
There are serious flaws in the authentication and/or data transfer mechanisms on some bluetooth enabled devices. Specifically, two vulnerabilities have been found:
Firstly, confidential data can be obtained, anonymously, and without the owner's knowledge or consent, from some bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar, and the phone's IMEI.
Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted ("paired") device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be "backed up" to an attacker's own system.
Finally, the current trend for "Bluejacking" is promoting an environment which puts consumer devices at greater risk from the above attacks.
Vulnerabilities
The SNARF attack:
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, realtime clock, business card, properties, change log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network, and is used in illegal phone 'cloning'). This is normally only possible if the device is in "discoverable" or "visible" mode, but there are tools available on the Internet that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.
The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the "pairing" mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner's knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.
Bluejacking:
Although known to the technical community and early adopters for some time, the process now known as "Bluejacking"[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The technique involves abusing the bluetooth "pairing"[2] protocol, the system by which bluetooth devices authenticate each other, to pass a message during the initial "handshake" phase. This is possible because the "name" of the initiating bluetooth device is displayed on the target device as part of the handshake exchange, and, as the protocal allows a large user defined name field - up to 248 characters - the field itself can be used to pass the message. This is all well and good, and, on the face of it, fairly harmless, but, unfortunately, there is a down side. There is a potential security problem with this, and the more the practice grows and is accepted by the user community, and leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the protocol being abused is designed for information exchange. The ability to interface with other devices and exchange, update and synchronise data, is the raison d'être of bluetooth. The bluejacking technique is using the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the "bluejacker" successfully pairs with the target device. If such an event occurs, then all data on the target device bacomes available to the initiator, including such things as phone books, calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices' capabilities, leading to far more serious potential compromise. Given the furore that errupted when a second-hand Blackberry PDA was sold without the previous owner's data having been wiped[3], it is alarming to think of the consequences of a single bluejacker gathering an entire corporate staff's contact details by simply attending a conference or camping outside their building or in their foyer with a bluetooth capable device and evil intent. Of course, corporates are not the only potential targets - a bluejacking expedition to, say, The House of Commons, or The US Senate, could provide some interesting, valuable and, who's to say, potentially damaging or compromising data.
The above may sound alarmist and far fetched, and the general reaction would probably be that most users would not be duped into allowing the connection to complete, so the risk is small. However, in today's society of instant messaging, the average consumer is under a constant barrage of unsolicted messages in one form or another, whether it be by SPAM email, or "You have won!" style SMS text messages, and do not tend to treat them with much suspicion (although they may well be sceptical about the veracity of the offers). Another message popping up on their 'phone saying something along the lines of "You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-SUCKER to collect your prize!" is unlikely to cause much alarm, and is more than likely to succeed in many cases.
Workarounds and fixes
We are not aware of any fixes for the SNARF attack at this time other than to switch off bluetooth.
To permanently remove a pairing, and protect against future BACKDOOR attacks, it seems you must perform a factory reset, but this will, of course, erase all your personal data.
To avoid Bluejacking, "just say no".
The above methods work to the best of our knowledge, but, as the devices affected are running closed-source proprietory software, it not possible to verify that without the collaboration of the manufacturers. We therefore make no claims as to the level of protection they provide, and you must continue to use bluetooth at your own risk.
Who's Vulnerable
To date the quantity of devices tested is not great. However, due to the fact that they are amongst the most popular brands, we still consider the affected group to be large. It is also assumed that there are shared implementations of the bluetooth stack, so what affects one model is likely to affect others.
The devices known to be vulnerable at this time are:
Vulnerability Matrix
Make Model BACKDOOR SNARF when Visible SNARF when NOT Visible
Ericsson T68 ? Yes No
Sony Ericsson R520m ? Yes No
Sony Ericsson T68i ? Yes ?
Sony Ericsson T610 ? Yes No
Sony Ericsson Z1010 ? Yes ?
Sony Ericsson Z600 ? Yes ?
Nokia 6310 ? Yes Yes
Nokia 6310i Yes Yes Yes
Nokia 7650 Yes Yes ?
Nokia 8910 ? Yes Yes
Nokia 8910i ? Yes Yes
Disclosure
What is the Philosophy of Full Disclosure, and why are we providing the tools and detailing the methods that allow this to be done? The reasoning is simple - by exposing the problem we are achieving two goals: firstly, to alert users that the dangers exist, in order that they can take their own precautions against compromise, and secondly, to put pressure on manufacturers to rectify the situation. Consumers have a right to expect that their confidential data is treated as such, and is not subject to simple compromise by poorly implemented protocols on consumer devices. Manufacturers have a duty of care to ensure that such protection is provided, but, in practice, commercial considerations will often take precedence, and, given the choice, they may choose to simply supress or hide the problem, or, even worse, push for laws that prevent the discovery and/or disclosure of such flaws[5]. In our humble opinion, laws provide scant consumer protection against the lawless.
However, having said that, in this particular case, we do not feel it is appropriate to follow the normal procedure of liaising with manufacturers and giving them an opportunity to rectify the problem before disclosing to the general public (this is not to say we haven't contacted them - we have), as there are simply too many of them, and the problem is too widespread to realistically believe that they could either adhere to the strict levels of confidentiality required until the problem has been rectified, or that there is even the possibilty that the problem can be rectified in a reasonable timescale. Also, the volume of data currently at risk is too great to allow the situation to continue unchecked.
Instead, we feel it is more important to achieve our primary goal, and alert the general public to the fact that the problem exists, and to give them the information required to adequetely defend themselves. Fortunately, the defence is relatively simple, and is detailed above. To date we do not have a large selection of phones or other devices to test, so the advice is somewhat generic, but we will publish more detailed information as and when it becomes available.
Tools
Proof of concept utilities have been developed, but are not yet available in the wild. They are:
bluestumbler - Monitor and log all visible bluetooth devices (name, MAC, signal strength, capabilities), and identify manufacturer from MAC address lookup.
bluebrowse - Display available services on a selected device (FAX, Voice, OBEX etc).
bluejack - Send anoymous message to a target device (and optionally broadcast to all visible devices).
bluesnarf - Copy data from target device (everything if pairing succeeds, or a subset in other cases, including phonebook and calendar. In the latter case, user will not be alerted by any bluejack message).
Tools will not be released at this time, so please do not ask. However, if you are a bona-fide manufacturer of bluetooth devices that we have been otherwise unable to contact, please feel free to get in touch for more details on how you can identify your device status.
Credits
The above vulnerabilities were discovered by Adam Laurie, during the course of his work with A.L. Digital, in November 2003, and this announcement was prepared thereafter by Adam and Ben Laurie for immediate release.
Adam Laurie is Managing Director and Chief Security Officer of A.L. Digital Ltd.
Ben Laurie is Technical Director of A.L. Digital, and author of Apache-SSL and contributor to many other open source projects, too numerous to expand on here.
A.L. Digital Ltd. are the owner operators of The Bunker, the world's most secure data centre(s).
e: adam@algroup.co.uk w: http://www.aldigital.co.uk w: http://www.thebunker.net
e: ben@algroup.co.uk w: http://www.apache-ssl.org/ben.html
Further information relating to this disclosure will be updated at http://www.bluestumbler.org
References:
[1]
http://www.bluejackq.com/
http://www.theregister.co.uk/content/6/33781.html
http://news.bbc.co.uk/1/hi/technology/3237755.stm
[2]
http://www.palowireless.com/infotooth/tutorial/lmp.asp
[3]
http://www.out-law.com/php/page.php?...sale1061969777
[4]
bluesniff
btscanner
redfang
[5]
http://www.eff.org/
[6]
http://www.babt.com/gsm-imei-number-allocation.asp
http://www.mobiledia.com/glossary/68.html
In the news
BBC News Technology Page
The Register
ZDNet UK (Original Coverage)
ZDNet UK (Nokia response)
ZDNet (Sony Ericsson response)
Slashdot
Other related links
The Bluetooth SIG: http://www.bluetooth.org/
Bruce Potter's Defcon-11 presentation: http://www.shmoo.com/~gdead/dc-11-brucepotter.ppt
@Stake's Bluetooth Discovery Paper: http://www.atstake.com/research/repo...r_nibbling.pdf
Marcel Holtmann's German papers: http://www.holtmann.org/papers/bluetooth/
Bluetooth Device Security Database: http://www.betaversion.net/btdsd/
Copyright (c) 2003,4; Adam Laurie, Ben Laurie, A.L. Digital Ltd., all rights reserved.
Last updated 13th Feb, 2004
Summary
There are serious flaws in the authentication and/or data transfer mechanisms on some bluetooth enabled devices. Specifically, two vulnerabilities have been found:
Firstly, confidential data can be obtained, anonymously, and without the owner's knowledge or consent, from some bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar, and the phone's IMEI.
Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted ("paired") device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be "backed up" to an attacker's own system.
Finally, the current trend for "Bluejacking" is promoting an environment which puts consumer devices at greater risk from the above attacks.
Vulnerabilities
The SNARF attack:
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, realtime clock, business card, properties, change log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network, and is used in illegal phone 'cloning'). This is normally only possible if the device is in "discoverable" or "visible" mode, but there are tools available on the Internet that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.
The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the "pairing" mechanism, but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner's knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.
Bluejacking:
Although known to the technical community and early adopters for some time, the process now known as "Bluejacking"[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The technique involves abusing the bluetooth "pairing"[2] protocol, the system by which bluetooth devices authenticate each other, to pass a message during the initial "handshake" phase. This is possible because the "name" of the initiating bluetooth device is displayed on the target device as part of the handshake exchange, and, as the protocal allows a large user defined name field - up to 248 characters - the field itself can be used to pass the message. This is all well and good, and, on the face of it, fairly harmless, but, unfortunately, there is a down side. There is a potential security problem with this, and the more the practice grows and is accepted by the user community, and leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the protocol being abused is designed for information exchange. The ability to interface with other devices and exchange, update and synchronise data, is the raison d'être of bluetooth. The bluejacking technique is using the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the "bluejacker" successfully pairs with the target device. If such an event occurs, then all data on the target device bacomes available to the initiator, including such things as phone books, calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices' capabilities, leading to far more serious potential compromise. Given the furore that errupted when a second-hand Blackberry PDA was sold without the previous owner's data having been wiped[3], it is alarming to think of the consequences of a single bluejacker gathering an entire corporate staff's contact details by simply attending a conference or camping outside their building or in their foyer with a bluetooth capable device and evil intent. Of course, corporates are not the only potential targets - a bluejacking expedition to, say, The House of Commons, or The US Senate, could provide some interesting, valuable and, who's to say, potentially damaging or compromising data.
The above may sound alarmist and far fetched, and the general reaction would probably be that most users would not be duped into allowing the connection to complete, so the risk is small. However, in today's society of instant messaging, the average consumer is under a constant barrage of unsolicted messages in one form or another, whether it be by SPAM email, or "You have won!" style SMS text messages, and do not tend to treat them with much suspicion (although they may well be sceptical about the veracity of the offers). Another message popping up on their 'phone saying something along the lines of "You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-SUCKER to collect your prize!" is unlikely to cause much alarm, and is more than likely to succeed in many cases.
Workarounds and fixes
We are not aware of any fixes for the SNARF attack at this time other than to switch off bluetooth.
To permanently remove a pairing, and protect against future BACKDOOR attacks, it seems you must perform a factory reset, but this will, of course, erase all your personal data.
To avoid Bluejacking, "just say no".
The above methods work to the best of our knowledge, but, as the devices affected are running closed-source proprietory software, it not possible to verify that without the collaboration of the manufacturers. We therefore make no claims as to the level of protection they provide, and you must continue to use bluetooth at your own risk.
Who's Vulnerable
To date the quantity of devices tested is not great. However, due to the fact that they are amongst the most popular brands, we still consider the affected group to be large. It is also assumed that there are shared implementations of the bluetooth stack, so what affects one model is likely to affect others.
The devices known to be vulnerable at this time are:
Vulnerability Matrix
Make Model BACKDOOR SNARF when Visible SNARF when NOT Visible
Ericsson T68 ? Yes No
Sony Ericsson R520m ? Yes No
Sony Ericsson T68i ? Yes ?
Sony Ericsson T610 ? Yes No
Sony Ericsson Z1010 ? Yes ?
Sony Ericsson Z600 ? Yes ?
Nokia 6310 ? Yes Yes
Nokia 6310i Yes Yes Yes
Nokia 7650 Yes Yes ?
Nokia 8910 ? Yes Yes
Nokia 8910i ? Yes Yes
Disclosure
What is the Philosophy of Full Disclosure, and why are we providing the tools and detailing the methods that allow this to be done? The reasoning is simple - by exposing the problem we are achieving two goals: firstly, to alert users that the dangers exist, in order that they can take their own precautions against compromise, and secondly, to put pressure on manufacturers to rectify the situation. Consumers have a right to expect that their confidential data is treated as such, and is not subject to simple compromise by poorly implemented protocols on consumer devices. Manufacturers have a duty of care to ensure that such protection is provided, but, in practice, commercial considerations will often take precedence, and, given the choice, they may choose to simply supress or hide the problem, or, even worse, push for laws that prevent the discovery and/or disclosure of such flaws[5]. In our humble opinion, laws provide scant consumer protection against the lawless.
However, having said that, in this particular case, we do not feel it is appropriate to follow the normal procedure of liaising with manufacturers and giving them an opportunity to rectify the problem before disclosing to the general public (this is not to say we haven't contacted them - we have), as there are simply too many of them, and the problem is too widespread to realistically believe that they could either adhere to the strict levels of confidentiality required until the problem has been rectified, or that there is even the possibilty that the problem can be rectified in a reasonable timescale. Also, the volume of data currently at risk is too great to allow the situation to continue unchecked.
Instead, we feel it is more important to achieve our primary goal, and alert the general public to the fact that the problem exists, and to give them the information required to adequetely defend themselves. Fortunately, the defence is relatively simple, and is detailed above. To date we do not have a large selection of phones or other devices to test, so the advice is somewhat generic, but we will publish more detailed information as and when it becomes available.
Tools
Proof of concept utilities have been developed, but are not yet available in the wild. They are:
bluestumbler - Monitor and log all visible bluetooth devices (name, MAC, signal strength, capabilities), and identify manufacturer from MAC address lookup.
bluebrowse - Display available services on a selected device (FAX, Voice, OBEX etc).
bluejack - Send anoymous message to a target device (and optionally broadcast to all visible devices).
bluesnarf - Copy data from target device (everything if pairing succeeds, or a subset in other cases, including phonebook and calendar. In the latter case, user will not be alerted by any bluejack message).
Tools will not be released at this time, so please do not ask. However, if you are a bona-fide manufacturer of bluetooth devices that we have been otherwise unable to contact, please feel free to get in touch for more details on how you can identify your device status.
Credits
The above vulnerabilities were discovered by Adam Laurie, during the course of his work with A.L. Digital, in November 2003, and this announcement was prepared thereafter by Adam and Ben Laurie for immediate release.
Adam Laurie is Managing Director and Chief Security Officer of A.L. Digital Ltd.
Ben Laurie is Technical Director of A.L. Digital, and author of Apache-SSL and contributor to many other open source projects, too numerous to expand on here.
A.L. Digital Ltd. are the owner operators of The Bunker, the world's most secure data centre(s).
e: adam@algroup.co.uk w: http://www.aldigital.co.uk w: http://www.thebunker.net
e: ben@algroup.co.uk w: http://www.apache-ssl.org/ben.html
Further information relating to this disclosure will be updated at http://www.bluestumbler.org
References:
[1]
http://www.bluejackq.com/
http://www.theregister.co.uk/content/6/33781.html
http://news.bbc.co.uk/1/hi/technology/3237755.stm
[2]
http://www.palowireless.com/infotooth/tutorial/lmp.asp
[3]
http://www.out-law.com/php/page.php?...sale1061969777
[4]
bluesniff
btscanner
redfang
[5]
http://www.eff.org/
[6]
http://www.babt.com/gsm-imei-number-allocation.asp
http://www.mobiledia.com/glossary/68.html
In the news
BBC News Technology Page
The Register
ZDNet UK (Original Coverage)
ZDNet UK (Nokia response)
ZDNet (Sony Ericsson response)
Slashdot
Other related links
The Bluetooth SIG: http://www.bluetooth.org/
Bruce Potter's Defcon-11 presentation: http://www.shmoo.com/~gdead/dc-11-brucepotter.ppt
@Stake's Bluetooth Discovery Paper: http://www.atstake.com/research/repo...r_nibbling.pdf
Marcel Holtmann's German papers: http://www.holtmann.org/papers/bluetooth/
Bluetooth Device Security Database: http://www.betaversion.net/btdsd/
Copyright (c) 2003,4; Adam Laurie, Ben Laurie, A.L. Digital Ltd., all rights reserved.
Last updated 13th Feb, 2004
03-15-2004, 11:51 AM
#427
CEO of IMHO
The more information is shared, the more opportunities there will be to steal and mislead via this process.
For every security measure there is a counter to it. It's a fact of life. Measure out the risks of some stranger getting access to your contact list and calendar vs. the risk of getting into a car accident due to non-bluetooth cell phone usage in a car.
...and make a decision based upon your priorities.
Jon
For every security measure there is a counter to it. It's a fact of life. Measure out the risks of some stranger getting access to your contact list and calendar vs. the risk of getting into a car accident due to non-bluetooth cell phone usage in a car.
...and make a decision based upon your priorities.
Jon
03-15-2004, 09:21 PM
#428
TL-SHAWD 6MT Rocks!
very good info, thanks...
for now, just turn off your phones when not in use.
it will help to prevent further problems if not always on.
And don't share important priviledge information on a cell phone, everything can be decrypted given enough time and effort.
for now, just turn off your phones when not in use.
it will help to prevent further problems if not always on.
And don't share important priviledge information on a cell phone, everything can be decrypted given enough time and effort.
03-20-2004, 06:05 PM
#430
3rd Gear
Join Date: Mar 2004
Location: Atlanta, GA
Age: 60
Posts: 3
Likes: 0
Received 0 Likes
on
0 Posts
I have tried using my t68i with my TL with no luck. I can get the units paired, but I get no cell phones found when I try to initiate a call from the phone. Any suggestions? I am pulling my hair out.
03-21-2004, 07:26 AM
#431
Racer
You should try sending an e mail to Mobilezen. He has posts all over the site (see page 17) indicating that he can upgrade your phone's firmware and this usually solves pairing problems. I know I have read posts from others on this site who have had no trouble getting their t68is to work with the TL.
03-21-2004, 11:44 AM
#432
Instructor
Join Date: Aug 2003
Location: Bay Area, CA
Posts: 213
Likes: 0
Received 0 Likes
on
0 Posts
Originally posted by nruscitti
Anyone have a V500 or V525? I'm thinking of buying one on E-Bay.
Anyone have a V500 or V525? I'm thinking of buying one on E-Bay.
Yes, I have a v525. It was easily paired with the car. When not in a call, I only see the antenna meter on the car display not the battery info. I wonder if I should upgrade the flash of the phone?
03-30-2004, 05:52 PM
#435
Community Architect
robb m.
robb m.
03-31-2004, 03:16 AM
#436
1st Gear
Join Date: Mar 2004
Location: Mill Valley, California
Age: 71
Posts: 1
Likes: 0
Received 0 Likes
on
0 Posts
In terms of Verizon, I have heard that there is a bluetooth card that will work with their Kyocera and Samsung smartphones and wonder if this would work with the new TL? Anybody have any experience or info on this?
04-16-2004, 06:26 PM
#437
2nd Gear
Join Date: Apr 2003
Location: Atlanta, GA
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
I haven't been able to find the T630 either -- my other choice is the z600. There were a couple of posts from others that already had the T630, but I'm guessing those are the super-expensive, non-subsidized, unlocked phones from the manufacturers.
Anyone know where I can get either of these phones?
Anyone know where I can get either of these phones?
04-17-2004, 03:15 PM
#439
3rd Gear
Join Date: Apr 2004
Location: Midlothian, Texas
Age: 63
Posts: 3
Likes: 0
Received 0 Likes
on
0 Posts
I have a P900 that does the exact same thing. I have been told that it does not have the Handsfree Profile that it needs. Still researching for a solution.
04-22-2004, 06:54 PM
#440
3rd Gear
Join Date: Apr 2004
Location: Kansas City, KS
Age: 54
Posts: 3
Likes: 0
Received 0 Likes
on
0 Posts
BlueTooth Sprint
At this time Sprint does not have a flip phone that is Bluetooth in the works. I am hoping that sometime later this year we will see one come out by Samsung or possibly Sanyo.
I am having an issue with my Sony Ericsson T608 and my TL. I can make a call but 50% of the time it immediately gives me the disconnect "beeps" over the stereo, however the call is still connected on the phone and I have to hurry and pick up my phone and start talking.. Anyone know why this is happening?
I am having an issue with my Sony Ericsson T608 and my TL. I can make a call but 50% of the time it immediately gives me the disconnect "beeps" over the stereo, however the call is still connected on the phone and I have to hurry and pick up my phone and start talking.. Anyone know why this is happening?