Pentest Security Advisory : PTL-2004-01
Multiple vulnerabilities in Nokia phones
|Title:||Multiple vulnerabilities in Nokia phones.|
|Announcement date:||9th February 2004|
|Product:||Nokia 6310i Mobile phone.|
|Vulnerability Type:||Buffer Overflow|
The 6310i is a typical Nokia phone supporting both Bluetooth and Infrared connectivity. Both of these connectivity methods support the OBject EXchange (OBEX) protocol to transfer data to and from the phone. By issuing various invalid OBEX messages to the phone's protocol handler it is possible to trigger one of several Denial of Service vulnerabilities. This attack results in the phone resetting, terminating any current operations. No device pairing is required therefore anyone in range of the phone could initiate an attack.
The vulnerabilities were tested and confirmed on a Nokia 6310i. Due to the nature of the vulnerability it is suspected that similar Nokia devices are also susceptible to malformed OBEX packets.
We have tested certain other devices and found them to be vulnerable. Currently we are waiting for a fix from their manufacturers, at which point we will release further information.
Any manufacturers of OBEX enabled devices are welcome to contact us and we will provide them with the relevant test cases for them to reproduce the vulnerabilities in their devices.
|Formally acknowledged by Nokia:||05-01-2004|
"Pentest Ltd. has sent new vulnerability research notes about discovering that certain Bluetooth messages will crash the Nokia 6310(i) phone. Attacker will be able to re-boot a victim's phone by sending a malformatted Bluetooth OBEX-message. This can be considered as a Denial-of-Service attack as it can stop phone calling etc. We have recently repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310(i) phone. After the crash, the phone restarts and returns to normal operation.
In public places, where devices with Bluetooth technology might be targets of malicious attacks at least in theory, the way to prevent hackers is to set the device in non-discoverable mode - "hidden" - or switch off the Bluetooth functionality. This does not affect other functionalities of the phone."
Fix / Workarounds
No fix is currently available. However, exposure can be limited by only enabling Bluetooth when required. When Bluetooth is enabled, the device should be in non-discoverable mode.
These vulnerabilities were discovered by Tim Hurman from Pentest Limited.
Penetration Testing as a service has grown into a business in its own right, providing numerous corporations with a valuable weapon in their growing arsenal of security counter measures. Pentest Limited was set up in June 2001 to provide specialist security services to businesses across the UK, North America and Europe.
Pentest Limited offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these databases.