Wireless updates from Black Hat and DefCon

Bruce Potter

In late July, hackers and security professionals from around the world flocked to Las Vegas for the Black Hat and DefCon security conferences. As has been the case for the last several years, there were a number of interesting wireless security developments.
Bluetooth developments

Adam Laurie and Martin Herfurt presented their latest Bluetooth security research. In November 2003, Laurie announced a series of vulnerabilities in a variety of cell phones. The vulnerabilities were the result of poor Bluetooth implementations on the phones. They allowed attackers access to personal information and core functions of the phones.

In their Black Hat presentation, Laurie and Herfurt expanded on their original findings. They announced that Nokia had fixed some of the vulnerabilities discovered in their phones, and other vendors were beginning to follow suit. They also demonstrated the BLUEBUG exploit; this allows an attacker to issue AT commands directly to a vulnerable phone without authentication. In the demonstration, Herfurt caused a volunteer’s cell phone to dial Laurie’s phone without any user interaction. This effectively “bugged” the volunteer and allowed Laurie to listen clandestinely to his conversation.

Also at Black Hat, Brian Wotring and I demonstrated a way to track users at the conference through the Bluetooth radios in their phones. Inspired by Steinhauser’s Bluetooth Location Tracker (BLT) demonstrated at CCC 2003, we created a tool called braces [1,2]. Unlike BLT, braces does not use GPS to determine location. GPS reception is nearly impossible in a hotel, so we chose to develop a system where the Bluetooth sensors would know their position in advance.

Over the course of the conference, we discovered over 60 devices and tracked them. Attendees of the conference could go to the braces website to find the location of any discovered Bluetooth device. The code used for tracking and the data itself are available on the braces website.
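The sensor-side bookkeeping that a fixed-position tracker like braces needs, as an added example that is not braces' own code: each sensor's location is configured in advance, inquiry-scan sightings (sensor, device address, time) are folded into a per-device movement history, and a staleness window decides whether a device is still "at" the sensor that last saw it. The sensor names, the sample sightings and the 10-minute staleness window are constructed for the illustration.

```python
"""Bluetooth presence tracking with fixed-position sensors (added example).

Modelled on the idea behind braces: sensors do not need GPS because their
positions are configured in advance, so a device's location is the
location of the sensor that most recently saw it.  Sensor names, the
sample sightings and the staleness window are constructed for this
illustration; this is not braces' data or code.
"""
from dataclasses import dataclass
from collections import defaultdict

# Fixed sensor positions, known in advance (constructed names).
SENSORS = {
    "sensor-a": "Registration desk",
    "sensor-b": "Track 1 ballroom",
    "sensor-c": "Vendor area",
}

# A device with no sighting for this long is reported as "not seen".
STALE_AFTER = 600  # seconds


@dataclass
class Sighting:
    t: int        # seconds since the start of the day
    sensor: str   # which sensor ran the inquiry scan
    bdaddr: str   # Bluetooth device address as reported by the scan


# Constructed inquiry-scan results from three sensors (not real captures).
SIGHTINGS = [
    Sighting(36000, "sensor-a", "00:0A:D9:11:22:33"),
    Sighting(36090, "sensor-a", "00:0a:d9:11:22:33"),   # same device, lower case
    Sighting(36120, "sensor-b", "00:0E:07:AA:BB:CC"),
    Sighting(36300, "sensor-b", "00:0A:D9:11:22:33"),
    Sighting(36330, "sensor-b", "00:0A:D9:11:22:33"),
    Sighting(36900, "sensor-c", "00:0A:D9:11:22:33"),
    Sighting(36960, "sensor-z", "00:0A:D9:11:22:33"),   # unconfigured sensor: dropped
]


def normalize_bdaddr(addr):
    """Canonical upper-case form so 00:0a:d9... and 00:0A:D9... are one device."""
    parts = addr.strip().upper().split(":")
    ok = len(parts) == 6 and all(
        len(p) == 2 and all(c in "0123456789ABCDEF" for c in p) for p in parts)
    if not ok:
        raise ValueError("malformed Bluetooth address: %r" % addr)
    return ":".join(parts)


def build_tracks(sightings):
    """Fold raw sightings into {bdaddr: [(sensor, first_seen, last_seen), ...]}.

    Consecutive sightings at the same sensor merge into one dwell interval.
    A sighting from a sensor whose position is unknown is dropped rather
    than guessed at, since the whole scheme rests on known positions.
    """
    tracks = defaultdict(list)
    for s in sorted(sightings, key=lambda x: x.t):
        if s.sensor not in SENSORS:
            continue
        hist = tracks[normalize_bdaddr(s.bdaddr)]
        if hist and hist[-1][0] == s.sensor:
            sensor, first, _ = hist[-1]
            hist[-1] = (sensor, first, s.t)
        else:
            hist.append((s.sensor, s.t, s.t))
    return dict(tracks)


def locate(tracks, bdaddr, now):
    """Where is this device now?  None if never seen or the sighting is stale."""
    hist = tracks.get(normalize_bdaddr(bdaddr))
    if not hist:
        return None
    sensor, _, last_seen = hist[-1]
    if now - last_seen > STALE_AFTER:
        return None
    return SENSORS[sensor]


def path(tracks, bdaddr):
    """Ordered list of (location, seconds dwelt) for a device."""
    hist = tracks.get(normalize_bdaddr(bdaddr), [])
    return [(SENSORS[sensor], last - first) for sensor, first, last in hist]


if __name__ == "__main__":
    tracks = build_tracks(SIGHTINGS)
    for addr in tracks:
        print(addr, "->", locate(tracks, addr, now=37000), path(tracks, addr))
```

The dwell intervals are what make the data interesting after the fact: a device that sat at one sensor for an hour and then moved to another tells you far more than a list of raw sightings, which is the same privacy point the conference demonstration was making.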

802.11

There were also a number of 802.11 developments. Paul Wouters demonstrated WaveSEC, a mechanism for securing wireless networks [3]. WaveSEC’s core assumption is that wireless Ethernet will always have security vulnerabilities. Rather than attempt to solve the security issues of the wireless network itself, WaveSEC sidesteps the problem by forcing all wireless traffic through IPsec.

While this is not a new idea, WaveSEC uses a novel approach. Generally, IPsec requires a user to have some pre-existing relationship with the wireless network in order to share keys or obtain a certificate. WaveSEC solves this problem by driving IPsec tunnel creation from data produced by the DHCP process. When a wireless client requests a DHCP lease, the dynamic DNS records created for it contain the gateway IP address and public key. The WaveSEC client automatically pulls this information from DNS and uses it to configure the IPsec tunnel.
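The DHCP-to-DNS-to-IPsec handoff described above, as an added example that is not WaveSEC's code: the server side turns a fresh lease into a DNS record under the client's reverse name carrying the gateway address and public key, and the client side fetches that record and validates it before deriving its tunnel settings. The record layout is modelled on the FreeS/WAN opportunistic-encryption TXT record (`X-IPsec-Server(<precedence>)=<gateway> <key>`) and the output keys on ipsec.conf names such as `rightrsasigkey`; whether WaveSEC used exactly that layout is an assumption, as are the addresses and key bytes, and the DNS lookup is replaced by an in-memory zone so the code runs offline.

```python
"""DHCP lease -> dynamic DNS record -> IPsec tunnel parameters (added example).

Illustrates the WaveSEC idea of bootstrapping an IPsec tunnel from DNS
records created at DHCP lease time.  The record layout follows the
FreeS/WAN opportunistic-encryption TXT record as an assumption; the
addresses, the key bytes and the in-memory "zone" are constructed for
this illustration.  This is not WaveSEC's own code.
"""
import base64
import ipaddress
import re

# Constructed gateway identity that the DHCP/DNS side publishes.
GATEWAY_IP = "192.0.2.1"
GATEWAY_PUBKEY = base64.b64encode(b"\x01\x03" + bytes(range(64))).decode()

# One well-formed record and nothing else; the client is about to route
# all of its traffic to whatever gateway this names.
_RECORD = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+) (\S+)$")


def reverse_name(ip):
    """192.0.2.55 -> '55.2.0.192.in-addr.arpa.' (the name the lease owns)."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def publish_lease(zone, client_ip, gateway_ip=GATEWAY_IP,
                  pubkey=GATEWAY_PUBKEY, precedence=10):
    """Server side: on a new DHCP lease, add the TXT record for the client.

    Anyone who looks up the client's reverse name learns which gateway to
    tunnel to and which public key that gateway must prove it holds.
    """
    txt = "X-IPsec-Server(%d)=%s %s" % (precedence, gateway_ip, pubkey)
    zone[reverse_name(client_ip)] = txt
    return txt


def parse_ipsec_record(txt):
    """Client side: validate a TXT record before trusting it.

    Returns (precedence, gateway_ip, pubkey_b64) or raises ValueError on
    anything malformed: bad syntax, junk address, junk base64, or a key
    too short to be an RSA key.
    """
    m = _RECORD.match(txt.strip())
    if not m:
        raise ValueError("not an IPsec server record: %r" % txt)
    precedence, gateway, key = m.groups()
    gateway_ip = str(ipaddress.IPv4Address(gateway))   # AddressValueError is a ValueError
    raw = base64.b64decode(key, validate=True)         # binascii.Error is a ValueError
    if len(raw) < 64:
        raise ValueError("public key too short to be an RSA key")
    return int(precedence), gateway_ip, key


def tunnel_params(zone, client_ip):
    """Client side: look up own reverse name and derive the tunnel settings.

    Refuses to fall back to cleartext if no record exists.
    """
    txt = zone.get(reverse_name(client_ip))
    if txt is None:
        raise LookupError("no IPsec record for %s; refusing to send cleartext" % client_ip)
    _, gateway_ip, pubkey = parse_ipsec_record(txt)
    return {
        "left": client_ip,              # this host
        "leftsubnet": client_ip + "/32",
        "right": gateway_ip,            # the gateway the record points at
        "rightrsasigkey": pubkey,       # key the gateway must prove it holds
        "rightsubnet": "0.0.0.0/0",     # everything leaves through the tunnel
    }


if __name__ == "__main__":
    zone = {}
    publish_lease(zone, "192.0.2.55")
    print(tunnel_params(zone, "192.0.2.55"))
```

The validation step matters because the client trusts whatever DNS server its DHCP lease pointed it at. That is enough to stop other clients on the same wireless segment from sniffing the traffic, which is the threat WaveSEC targets; a rogue access point that hands out its own DHCP, DNS and gateway key is a different threat and is not addressed by this mechanism.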

The WaveSEC client works on Linux, OS X, FreeBSD, and now Windows. Wouters demonstrated the new Windows client at the conference, in conjunction with the rest of the WaveSEC infrastructure. Wouters also described how to install the WaveSEC server on a Linksys WRT54G, a USD80 wireless access point. Using an existing Linux installation for the Linksys device, WaveSEC was ported to the Linksys architecture. Wouters achieved 1Mbyte/s throughput on the WRT54G using AES encryption for the wireless traffic.

The ability to run Linux on an inexpensive consumer wireless access point is an important development in WiFi security. Users can now have all the security and functionality of Linux on their access point without devoting a relatively expensive and bulky desktop machine to handling the wireless traffic. Be it 802.1X authentication, a captive Web portal, or advanced auditing and IDS capability, these low-cost products are becoming the Swiss army knife of secure wireless networks. WaveSEC is now another option for those choosing to ‘roll their own’ access point on Linksys’s popular hardware.

The Shmoo Group announced a variety of wireless tools at DefCon [4]. Of particular interest was 802.11 Bounce, a mechanism for defeating wireless intrusion detection systems that rely on client location to determine malicious activity. The system is meant to be concealed in or near a building with wireless IDS. An attacker outside the secure perimeter can relay packets through the 802.11 Bounce device, tricking the IDS into allowing the wireless traffic into the network.



Smartphones represent a small proportion of the worldwide mobile phone market, but the number is significant because of who uses them. Market researcher IDC’s Worldwide Mobile Phone report predicts more than 20 million converged mobile units (Smartphones) out of over 595 million mobile devices will be shipped in 2004. This is an increase of 85.8% in year-on-year sales. In contrast, PDA sales are in decline.

The Symbian operating system dominates the world Smartphone market with a 65% share. Microsoft and Palm each have 14%. The results are skewed by Symbian’s dominance in the European, Middle East and African markets (94% market share), says the Canalys EMEA report. The Symbian OS is used in devices from many handset manufacturers, including Nokia (78% market share), Sony-Ericsson (8%) and Motorola (6%).

The hardware in current devices running Symbian and Microsoft operating systems is very similar. Both designs have separate PDA and radio components. The PDA usually runs on an ARM or StrongARM processor, with the radio component (usually GSM) handling all communication over a serial line. Information on the radio components is scarce; access to their functions is largely abstracted by programming interfaces.

Symbian

The Symbian OS, formerly known as EPOC, was written for the Psion Series 5 PDA. In 1996 Psion split into Psion Software and later merged with many mobile phone manufacturers to form Symbian.

The latest Symbian OS releases are designed for ARM and StrongARM processors, with vendors opting for ARM9 processors running at over 100MHz. Program storage is provided by flash memory and the operating system is stored in flash ROM (read only memory).

802.11 Bounce consists of a Sharp Zaurus PDA, configured as a WiFi client, with a 100mW amplifier to boost the signal into the internal network. To avoid detection of the attacker’s signal, 802.11 Bounce uses a 900MHz radio to relay packets to and from the attacker. Not only does 900MHz make the attacker impossible to detect with a WiFi-based IDS, it allows for very long range communications (in excess of 20 miles/32 km). The entire system can run for hours on the built-in battery and can be hidden in a tissue box.

Wall of shame

Also at DefCon, the wireless ‘wall of shame’ automatically displayed usernames and passwords (slightly obscured) on a wall in the common area. The usernames and passwords had been sniffed in cleartext from the conference’s wireless network.

While it may seem obvious that users of a wireless network at a hacker convention such as DefCon should exercise extreme caution and excessive encryption, there were many individuals who used cleartext authentication. The wall of shame motivated many simply to turn off their wireless interface rather than secure their outbound connections.
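What the wall of shame had to do with each captured session, as an added example that is not the Shmoo Group's code: pull the username and password out of cleartext protocol traffic and display them with the password partly masked. The payload lines below are constructed rather than captured, the flow identifiers are invented, and the set of protocols handled (POP3 and FTP USER/PASS, IMAP LOGIN, HTTP Basic) is the usual cleartext suspects, not a list taken from the article.

```python
"""Cleartext credential spotting over captured payloads (added example).

Mirrors what the DefCon 'wall of shame' did: pull usernames and passwords
out of unencrypted protocol traffic and display them partly masked.  The
payload lines below are constructed, not captured traffic, and the set of
protocols handled is an assumption.  This is not the Shmoo Group's code.
"""
import base64
import re

# Constructed client->server payload lines, tagged with a flow identifier.
CAPTURE = [
    ("10.0.0.5:1034->198.51.100.10:110", "USER alice"),
    ("10.0.0.5:1034->198.51.100.10:110", "PASS hunter2"),
    ("10.0.0.9:2210->198.51.100.20:80",  "GET /mail/ HTTP/1.1"),
    ("10.0.0.9:2210->198.51.100.20:80",  "Authorization: Basic Ym9iOnMzY3JldCE="),
    ("10.0.0.7:1100->198.51.100.30:143", 'a001 LOGIN carol "p@ss word"'),
    ("10.0.0.8:1201->198.51.100.40:21",  "USER dave"),
    ("10.0.0.8:1201->198.51.100.40:21",  "SYST"),             # USER without PASS: not reported
    ("10.0.0.9:2211->198.51.100.20:80",  "Authorization: Basic %%%notbase64"),
]

# IMAP LOGIN: tag, then user, then a quoted or bare password.
_IMAP_LOGIN = re.compile(r'^\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))', re.I)


def mask(secret, keep=1):
    """'hunter2' -> 'h******': enough to embarrass, not enough to reuse."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def extract_credentials(capture):
    """Return [(flow, protocol, username, password)] for completed logins.

    USER/PASS pairs are matched per flow so two interleaved sessions do not
    get each other's passwords; a USER with no PASS is never reported, and
    a Basic header that does not decode is skipped rather than guessed at.
    """
    pending_user = {}   # flow -> username awaiting its PASS
    found = []
    for flow, line in capture:
        line = line.rstrip("\r\n")
        upper = line.upper()
        if upper.startswith("USER "):
            pending_user[flow] = line[5:].strip()
        elif upper.startswith("PASS ") and flow in pending_user:
            port = flow.rsplit(":", 1)[1]
            proto = {"110": "POP3", "21": "FTP"}.get(port, "USER/PASS")
            found.append((flow, proto, pending_user.pop(flow), line[5:].strip()))
        elif upper.startswith("AUTHORIZATION: BASIC "):
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            try:
                decoded = base64.b64decode(parts[2], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if ":" in decoded:
                user, pw = decoded.split(":", 1)
                found.append((flow, "HTTP Basic", user, pw))
        else:
            m = _IMAP_LOGIN.match(line)
            if m:
                pw = m.group(2) if m.group(2) is not None else m.group(3)
                found.append((flow, "IMAP", m.group(1), pw))
    return found


def wall_of_shame(capture):
    """Lines suitable for projecting: username in clear, password masked."""
    return ["%-10s %s / %s" % (proto, user, mask(pw))
            for _, proto, user, pw in extract_credentials(capture)]


if __name__ == "__main__":
    print("\n".join(wall_of_shame(CAPTURE)))
```

Masking only the password is a deliberate choice: the point of the display was to make people notice, and a recognisable username does that without handing the room a working credential.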

Parting shots

Wireless security is finally maturing out of the hype from the past two years. It is no longer an esoteric discipline that only a few experts understand. Knowledge of wireless security is now a core competency of many security and networking professionals. Black Hat and DefCon have been important conferences with respect to wireless security over the last few years. This year, no single vulnerability stood out, unlike years past. However, the attacks and defenses presented were more advanced than before. Also, greater interaction with vendors and standards bodies by the security and hacker community was evident. While wireless networks may still have security risks, at least the industry has reached a point where the fear, uncertainty and doubt is diminishing and there is a broad understanding of the topic.

References

[1] BLT – http://www.betaversion.net/blt/
[2] braces – http://braces.shmoo.com/
[3] WaveSEC – http://www.wavesec.org/
[4] The Shmoo Group – http://www.shmoo.com/


Malicious threats to Smartphones

Gareth James, senior security consultant, NGS Software Ltd

The integration of the Personal Digital Assistant (PDA) and the cellular phone into the Smartphone presents a considerable security risk. Many Smartphones are sold to corporate users who use them for business and personal tasks. The threat is serious that malicious code could destroy the device, gain access to sensitive information or access corporate networks illegally.

In addition, packetized services, such as GPRS (General Packet Radio Service), and the move to 3G systems open up more vulnerabilities to hackers. With more open systems with rich content and applications accessible over the air, better security is needed to protect handsets. This article explores malicious code threats on the Symbian and Microsoft Smartphone platforms.