
January 4, 2005

Disclosure of Bluetooth exploits

Adam Shostack writes:
Adam Laurie and company continue to not release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without POC code, we're safe? Bluetooth is different from internet vulns, in that you need to be nearby to exploit them. That may well tip the balance against disclosure, but as someone who travels to lots of security conferences attended by hackers and elite attackers, I wish my phone was secure.

I haven't paid much attention to these attacks because el Treo 600 isn't Bluetooth capable (and come to think of it, neither is my computer), but that's not going to stop me from weighing in.

If you're going to engage in this sort of partial disclosure, the general idea is to:

  1. Explain to people whether they're likely to be vulnerable.
  2. Tell them how to protect themselves.

The trick, of course, is to accomplish these goals without giving attackers too much leverage to reproduce the attack. Did Laurie succeed? I guess that depends on whether independent code to exploit the flaws appears before they're generally fixed. Of course, the fact that no POC code is available gives the manufacturers less incentive to roll out fixes...

Posted by ekr at January 4, 2005 10:37 AM

Comments

This is a great example of why non-disclosure of bugs puts everyone (except the hackers) at a disadvantage.

Posted by: Steve Purpura at January 5, 2005 7:54 PM

Well, the SNARF attack is easy: download obexftp and use it. Basically a flaw at the protocol design layer rather than the implementation. Someone at work used this to copy the address books out of several phones at an airport last month.

Posted by: Jack Lloyd at January 6, 2005 9:17 PM