-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Pentest Limited Security Advisory
Multiple vulnerabilities in Nokia phones.
Advisory Details - ----------------
Title: Multiple vulnerabilities in Nokia phones. Announcement date: 9th February 2004 Advisory Reference: ptl-2004-01 Product: Nokia 6310i Mobile phone. Vulnerability Type : Buffer Overflow Vendor-URL: http://www.nokia.com/nokia/0,,133,00.html Vendor-Status: Vendor notified Remotely Exploitable: Yes Locally Exploitable: N/A Advisory URL: http://www.pentest.co.uk/
Vulnerability Description - -------------------------
The 6310i is a typical Nokia phone supporting both Bluetooth and Infrared connectivity. Both of these connectivity methods support the OBject EXchange (OBEX) protocol to transfer data to and from the phone. By issuing various invalid OBEX message to the phone's protocol handler it is possible to trigger one of several Denial of Service vulnerabilities. This attack results in the phone resetting, terminating any current operations. No device pairing is required therefore anyone in range of the phone could initiate an attack.
Vulnerable Devices - ------------------
The vulnerabilities were tested and confirmed on a Nokia 6310i. Due to the nature of the vulnerability it is suspected that similar Nokia devices are also susceptible to malformed OBEX packets.
We have tested certain other devices and found them to be vulnerable. Currently we are waiting for a fix from their manufacturers, at which point we will release further information.
Any manufacturers of OBEX enabled devices are welcome to contact us and we will provide them with the relevant test cases for them to reproduce the vulnerabilities in thier devices.
Vendor Status - -------------
- - Pentest Notification: 26-11-2003 - - Formally acknowledged by Nokia: 05-01-2004
Vendor Response - ---------------
"Pentest Ltd. has sent new vulnerability research notes about discovering that certain Bluetooth messages will crash the Nokia 6310(i) phone. Attacker will be able to re-boot a victim's phone by sending a malformatted Bluetooth OBEX-message. This can be considered as a Denial-of-Service attack as it can stop phone calling etc. We have recently repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310(i) phone. After the crash, the phone restarts and returns to normal operation.
In public places, where devices with Bluetooth technology might be targets of malicious attacks at least in theory, the way to prevent hackers is to set the device in non-discoverable mode - "hidden" - or switch off the Bluetooth functionality. This does not affect other functionalities of the phone."
Fix / Workarounds - -----------------
No fix is currently available. However, exposure can be limited only enabling Bluetooth when required. When Bluetooth is enabled, the device should be in non-discoverable mode.
Credit - ------
These vulnerabilities were discovered by Tim Hurman from Pentest Limited.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAJs6H4bMUolR4sycRAgXdAJ4meu9WbyepofpNQ0y4J5wXqQ2jFACdFB26 UcoS99/fURzRpgUK8c+G5Mw= =YqoF -----END PGP SIGNATURE-----
