Full Disclosure mailing list archives
RE: Re: Serious flaws in bluetooth security lead to disclosure of personal data
From: Scott Taylor <security () 303underground com>
Date: Fri, 14 Nov 2003 12:52:25 -0700
On Fri, 2003-11-14 at 11:38, Schmehl, Paul L wrote:
> Bluetooth is *supposed* to be very short range - 10 meters is supposed to be the maximum range. It is *not* 802.11b. It's 802.15.1. See bluetooth.org for the details.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
With that short range comes the belief that any lack of security through the air is made up for by physical security (someone would have to be in your house to get data off your bluetooth system). To some degree that holds true.

802.11b is generally thought of as limited to somewhere between a few hundred and about a thousand feet. However, with a decent sector antenna attached to my access point, the card in my laptop is able to associate at 1 mile away with a very good signal still, and even with no additional antenna in my laptop, I've been able to associate (full 2-way communication, not just being aware of the signal in the distance) from as far as 3 miles away on a clear day. Adding an antenna to the client device as well I can associate from over 15 miles away (more noticeable delay and retries required but still quite usable). An 802.11b sniffer has grabbed packets from 20 miles away or more.

As bluetooth is not as widely used as 802.11b has become, the benefits from having sniffer tools and such for it are still somewhat limited at the moment. But if someone decided to become a bluetooth wardriver and set up a device plus antenna plus amplifier in their car, I bet it would be quickly discovered that any bluetooth systems that do exist out there are not very well monitored and no access controls are in place on them. It is pretty easy right now to find 802.11b access points that have not been changed from the default plug-n-play configuration they are shipped with, which basically allows anyone with a client device to connect and be granted just as complete access as anything plugged directly into their LAN.

Wireless access that is limited to, say, a wireless mouse - well, that is merely an inconvenience if there was outside interference, and eavesdropping on it is rather silly. Wireless access to network resources or filesystems brings about a potential for abuse that can be done by your neighbors or someone just driving by. As such, it should not be deployed before it is fully understood what kind of access it is capable of providing.

--
Scott Taylor - <security () 303underground com>

Novinson's Revolutionary Discovery:
When comes the revolution, things will be different --
not better, just different.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html