Disclosure of Bluetooth exploits

| Comments (2) | TrackBacks (2) |
Adam Shostack writes:
Adam Laurie and company continue to not release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without POC code, we're safe? Bluetooth is different from internet vulns, in that you need to be nearby to exploit them. That may well tip the balance against disclosure, but as someone who travels to lots of security conferences attended by hackers and elite attackers, I wish my phone was secure.

I haven't paid much attention to these attacks because el Treo 600 isn't Bluetooth capable (and come to think of it, neither is my computer), but that's not going to stop me from weighing in.

If you're going to engage in this sort of partial disclosure, the general idea is to:

  1. To explain to people whether they're likely to be vulnerable.
  2. To tell them how to protect themselves.

The trick, of course, is to accomplish these goals without giving attackers too much leverage to reproduce the attack. Did Laurie succeed? I guess that depends on whether independent code to exploit the flaws appears before they're generally fixed. Of course, the fact that no POC code is available provides the manufacturers with less incentive to roll-out fixes...

2 TrackBacks

Listed below are links to blogs that reference this entry: Disclosure of Bluetooth exploits.

TrackBack URL for this entry: http://www.educatedguesswork.org/cgi-bin/mt/mt-tb.cgi/71

poker All these are firmly bound by Love, which rules both earth and sea, and has its empire in the heavens too. If Love should slacken its hold, Read More

Free x comic pic Germany erotic movie Fucking indian story Free full movie download nude Read More

2 Comments

This is a great example of why non-disclosure of bugs puts everyone (except the hackers) at a disadvantage.

Well the SNARF attack is easy: download obexftp and use it. Basically a flaw at the protocol design layer rather than the implementation. Someone at work used this to copy the addressbooks out of several phones at an airport last month.

Leave a comment