Full Disclosure mailing list archives

RE: Re: Serious flaws in bluetooth security lead to disclosure of personal data


From: Scott Taylor <security () 303underground com>
Date: Fri, 14 Nov 2003 12:52:25 -0700

On Fri, 2003-11-14 at 11:38, Schmehl, Paul L wrote:
Bluetooth is *supposed* to be very short range - 10 meters is supposed
to be the maximum range.  It is *not* 802.11b.  It's 802.15.1.  See
bluetooth.org for the details.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

With that short range comes the belief that any lack of security through
the air is made up for by physical security (someone would have to be in
your house to get data off your bluetooth system). To some degree that
holds true.

802.11b is generally thought of as limited to somewhere between a few
hundred and about a thousand feet.  However, with a decent sector
antenna attached to my access point, the card in my laptop is able to
associate at 1 mile away with a very good signal still, and even with no
additional antenna in my laptop, I've been able to associate (full 2-way
communication, not just being aware of the signal in the distance) from
as far as 3 miles away on a clear day. Adding an antenna to the client
device as well I can associate from over 15 miles away (more noticeable
delay and retries required but still quite usable). An 802.11b sniffer
has grabbed packets from 20 miles away or more.

As bluetooth is not as widely used as 802.11b has become, the
benefits from having sniffer tools and such for it are still somewhat
limited at the moment.  But if someone decided to become a bluetooth
wardriver and set up a device plus antenna plus amplifier in their car,
I bet it would be quickly discovered that any bluetooth systems that do
exist out there are not very well monitored and no access controls are
in place on them. It is pretty easy right now to find 802.11b access
points that have not been changed from the default plug-n-play
configuration they are shipped with which basically allows anyone with a
client device to connect and be granted just as complete access as
anything plugged directly into their LAN.  Wireless access that is
limited to say, a wireless mouse - well, that is merely an
inconvenience if there was outside interference, and eavesdropping on it
is rather silly.  Wireless access to network resources or filesystems
brings about a potential for abuse that can be done by your neighbors or
someone just driving by. As such, it should not be deployed before it is
fully understood what kind of access it is capable of providing.

--
Scott Taylor - <security () 303underground com> 

Novinson's Revolutionary Discovery:
        When comes the revolution, things will be different --
        not better, just different.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

