Pentest Security Advisory : PTL-2004-01
Multiple vulnerabilities in Nokia phones

Advisory Details

Title: Multiple vulnerabilities in Nokia phones.
CVE Name: CAN-2004-0143
Announcement date: 9th February 2004
Advisory Reference: PTL-2004-01
Product: Nokia 6310i Mobile phone.
Vulnerability Type: Buffer Overflow
Vendor-URL: http://www.nokia.com/nokia/0,,133,00.html
Vendor-Status: Vendor notified
Remotely Exploitable: Yes
Locally Exploitable: N/A
Advisory URL: http://www.pentest.co.uk/

Vulnerability Description

The 6310i is a typical Nokia phone supporting both Bluetooth and Infrared connectivity. Both of these connectivity methods support the OBject EXchange (OBEX) protocol to transfer data to and from the phone. By issuing various invalid OBEX messages to the phone's protocol handler it is possible to trigger one of several Denial of Service vulnerabilities. This attack results in the phone resetting, terminating any current operations. No device pairing is required therefore anyone in range of the phone could initiate an attack.

Vulnerable Devices

The vulnerabilities were tested and confirmed on a Nokia 6310i. Due to the nature of the vulnerability it is suspected that similar Nokia devices are also susceptible to malformed OBEX packets.

We have tested certain other devices and found them to be vulnerable. Currently we are waiting for a fix from their manufacturers, at which point we will release further information.

Any manufacturers of OBEX enabled devices are welcome to contact us and we will provide them with the relevant test cases for them to reproduce the vulnerabilities in their devices.

Vendor Status

Pentest Notification: 26-11-2003
Formally acknowledged by Nokia: 05-01-2004

Vendor Response

"Pentest Ltd. has sent new vulnerability research notes about discovering that certain Bluetooth messages will crash the Nokia 6310(i) phone. Attacker will be able to re-boot a victim's phone by sending a malformatted Bluetooth OBEX-message. This can be considered as a Denial-of-Service attack as it can stop phone calling etc. We have recently repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310(i) phone. After the crash, the phone restarts and returns to normal operation.

In public places, where devices with Bluetooth technology might be targets of malicious attacks at least in theory, the way to prevent hackers is to set the device in non-discoverable mode - "hidden" - or switch off the Bluetooth functionality. This does not affect other functionalities of the phone."

Fix / Workarounds

No fix is currently available. However, exposure can be limited by only enabling Bluetooth when required. When Bluetooth is enabled, the device should be in non-discoverable mode.

Credit

These vulnerabilities were discovered by Tim Hurman from Pentest Limited.

arrow morePTL-2004-02

PTL-2003-02arrow more

Security Services

Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.

read more arrow more

Database Services

Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.

read more arrow more

© Copyright Pentest Limited 2001 - 2014 All Rights Reserved. Privacy statement Design: Jalee Design