

.: Security hole in Widcomm's Bluetooth stack

Author - Filip Norrgard
August 19, 2004 :: Bluetooth has been touted for its focus on security, and until recently it was quite secure. Now, a company called Pentest has released an advisory stating that the Widcomm Bluetooth stack has a vulnerability that can allow access to one's PC or Pocket PC. Taking into account that Widcomm has a large number of customers, including many Pocket PC manufacturers, this doesn't look good. The fact that Widcomm will not release a patch doesn't help either.

Holy Swiss cheese, Batman!

Widcomm produces Bluetooth software for a number of devices, including PDAs, PCs, cellphones and headsets, and also allows manufacturers to customize the software. As such, it will be hard to see which devices and software versions are affected.

The vulnerability doesn't require the attacker to be bonded or authenticated with the exposed device. The attack itself is performed by sending malformed service requests via Bluetooth to the device. The malformed request then causes a buffer overflow in the Bluetooth software, which allows the attacker to run simple commands and/or programs on that device.

Am I affected?

It is hard to say without more extensive testing. Pentest has determined that these versions are at risk:

  • On Windows desktop PCs: Widcomm Bluetooth Stack Server versions 1.3.2.7 and 1.4.2.10.
  • HP iPaq 5450 running Pocket PC 2002: Bluetooth software version 1.4.1.03

It is safe to assume that all prior versions are affected by this vulnerability and care should be exercised. Pentest has not yet tested this vulnerability on newer Pocket PC 2003, Pocket PC Phone Editions, Microsoft Smartphones or other devices. However, this problem might not affect the XDA II / MDA II / iMate Pocket PC Phone Editions since they use the Microsoft Bluetooth stack and not Widcomm's.

The threats are many

How is this threatening to you and your Pocket PC? Well, if you sometimes use Bluetooth on your Pocket PC and intentionally or unintentionally leave it on, an attacker could use it to gain access to your Pocket PC (or PC for that matter). Don't think that anyone will come within the 10 meter range of your Bluetooth device? Consider that within that 10 meter radius, you can have in a minute:

  • thousands of people passing you by in an airport
  • hundreds of people walking by you in a store
  • multiple people sitting beside you in a café

Considering that anyone can utilize any type of Bluetooth device to attack your Bluetooth devices, it will be hard to prevent such an attack. Until Widcomm or the OEMs release a patch for this problem, the ways to prevent or avoid this vulnerability are:

  • disable Bluetooth after each use
  • set the device to be non-discoverable or hidden

According to Pentest, Widcomm has said that it will not release a patch for older versions of its Bluetooth software, which doesn't sound comforting. Taking into account that Pentest has already managed to write a proof of concept exploit for Windows XP, I wonder how long it will be before the use of this exploit becomes mainstream. I can't say that I will stay awake at night, but I certainly will start to turn off the Bluetooth radio more often in public masses.

