[ISN] Red-M's Bluetooth Server Vulnerable

From: InfoSec News (isnat_private)
Date: Thu Jun 06 2002 - 02:28:53 PDT


    June 5, 2002 
    By Dennis Fisher 
    Security researchers have identified numerous flaws in the Bluetooth
    short-range wireless access points sold by Red-M Communications Ltd.,
    the most serious of which could compromise the administration
    @stake Inc., a security research and consultant firm in Cambridge,
    Mass., discovered the six vulnerabilities in Red-M's 1050AP, which is
    the only server on the market that supports access by multiple
    Bluetooth clients.
    Although Bluetooth has been in existence for several years, vendors
    have been slow to produce devices that support it. The protocol is
    designed mainly for linking desktop and notebook computers to
    peripherals such as cell phones and headsets, and some advocates have
    touted it as a more secure alternative to 802.11b.
    But, security experts say, Bluetooth gear is not immune from many of
    the same design flaws that have resulted in security problems for
    wired and other wireless networks.
    "The design and implementation issues haven't been resolved because
    [Bluetooth networks] rely on corporate networks to be secure," said
    Ollie Whitehouse, director of security architecture and team leader of
    @stake's Wireless Security Center of Excellence, which discovered the
    flaws. "We suffer from the same problems in the wireless world as in
    the wired world. They're common programming issues as opposed to
    Bluetooth issues."
    The company's advisory is due to be published Wednesday.
    Red-M, based in Bucks, England, responded to @stake's discoveries by
    saying that the attacks and vulnerabilities the researchers identified
    would result from the access point being installed on a poorly secured
    wired network. However, Red-M has fixed the denial-of-service flaws in
    a recent firmware upgrade and plans to address the others in its next
    update, due in August.
    Whitehouse said that none of the vulnerabilities or attacks his team
    identified was very difficult to find or execute.
    "It's not going to take someone with a high level of intellect to
    exploit these," he said. "We spent a total of two weeks on this."
    Potentially the most damaging vulnerability is a flaw in the TFTP
    server that ships with the 1050AP. The server, which is used for
    configuration backups and firmware updates, cannot be disabled and an
    attacker could use it to launch a UDP-based attack to crack the
    administrative password, according to Whitehouse. Combined with the
    fact that the device's password is case insensitive and can be no
    longer than 16 characters, this vulnerability gives an attacker an
    effective way of cracking the administrative password.
    The 1050AP also has a vulnerability in its management session state
    storage capability that is susceptible to several different attacks.  
    When a user logs into the Web interface with the administrative
    password, the device does not send a cookie, session ID or any
    authentication data to the client, nor does the client send any to the
    server. Instead, the server remembers until the session times out or
    the user logs out that that particular IP address has been
    As a result, a second user coming via the same proxy server can
    connect to the administrative interface without having to authenticate
    himself. Or, if the first user connects to the 1050AP through a
    firewall that does network address translation, any other user behind
    the same IP address can access the administrative interface as well.
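The session-handling weakness described above, and the password-change point in the next paragraph, are easy to see in a small model. The following Python is an added illustration, not Red-M's firmware or @stake's advisory code: `IpSessionStore` models the article's description (the server only remembers the client IP after login), and `TokenSessionStore` is a hardened counterpart that issues a random per-session token and requires the current password before changing it. The password value, IP address and class names are constructed for the example.

```python
import secrets

# Constructed sample credential for the demo; not a real device password.
ADMIN_PASSWORD = "correct horse"


class IpSessionStore:
    """Models the behaviour the article describes: after a successful login
    the server records only the client's source IP address. No cookie or
    session ID is exchanged, so identity is the address alone."""

    def __init__(self):
        self.authenticated_ips = set()

    def login(self, client_ip, password):
        if password == ADMIN_PASSWORD:
            self.authenticated_ips.add(client_ip)
            return True
        return False

    def is_admin(self, client_ip, cookie=None):
        # The cookie argument is ignored: anyone sharing this source address
        # (same proxy, same NAT gateway) is treated as the logged-in admin.
        return client_ip in self.authenticated_ips


class TokenSessionStore:
    """Hardened model: login returns a random token that must accompany every
    request; the source IP is never used as an identity."""

    def __init__(self):
        self.sessions = {}  # token -> username
        self.password = ADMIN_PASSWORD

    def login(self, client_ip, password):
        if password != self.password:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self.sessions[token] = "admin"
        return token

    def is_admin(self, client_ip, cookie=None):
        return cookie is not None and cookie in self.sessions

    def change_password(self, cookie, current, new):
        # Re-authentication: a valid session alone is not enough, the caller
        # must also prove knowledge of the current password. That prevents a
        # hijacked session from locking the real administrator out.
        if not self.is_admin(None, cookie) or current != self.password:
            return False
        self.password = new
        self.sessions.clear()  # every existing session is invalidated
        return True


def demo():
    """Two users behind one NAT address: the IP-keyed store lets the second
    user in without a credential, the token-keyed store does not."""
    nat_ip = "203.0.113.7"  # constructed: shared proxy/NAT address

    weak = IpSessionStore()
    assert weak.login(nat_ip, ADMIN_PASSWORD)
    second_user_gets_admin = weak.is_admin(nat_ip)  # no password needed

    strong = TokenSessionStore()
    strong.login(nat_ip, ADMIN_PASSWORD)  # first user keeps their token
    second_user_blocked = not strong.is_admin(nat_ip, cookie=None)

    return second_user_gets_admin, second_user_blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Keying admin state on the source address is the root cause of both the proxy/NAT sharing problem and the lockout: once the address is "logged in", there is nothing distinguishing the original administrator from anyone else who arrives from it, which is why the token-based store also demands the current password before accepting a new one.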
    Also, because the device does not ask for the current password when a
    user tries to change the administrator's password, once he's logged
    on, an attacker could lock the administrator out of the device, @stake
    The Red-M device also broadcasts its name via UDP to a specific
    broadcast IP address about once a minute, Whitehouse said. Anyone
    looking to find an access point on a given network would need simply
    to listen on port 8887, and could easily determine the 1050AP's name,
    IP address, netmask, serial number and aerial address.
    @stake also identified two separate denial-of-service vulnerabilities
    in the access point. The flaw in the management Web server simply
    requires an attacker to enter a long string of characters in the
    administrative password field, which will generate a connection error
    and cause the server to die until it is manually restarted. The second
    such flaw results from an attacker entering an overly long string in
    the PPP (point to point protocol) username field.
    Red-M officials said they don't see these issues as problems with the
    "The current design philosophy for the 1050AP is that it would be used
    on a corporate network already secured by implementation of a
    corporate security policy," the company wrote in an e-mail response to
    @stake's advisory. "This should mitigate the risk of attacks from the
    wired network. We believe that [@stake's advisory] does not
    demonstrate a practical vulnerability over the wireless interface, as
    the 1050AP's wireless security mechanisms have not been shown to be
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 05:19:45 PDT