Category Archives: hacking

iPhone’s Bluetooth Bug and the Metasploit Framework

As balle already pointed out, there is a major Bluetooth bug in iPhones. The SDP service can be exploited to execute arbitrary code. The funny thing with iPhones is that even when Inquiry Scan is disabled (“hidden Bluetooth device”), it is easy to find out the Bluetooth address of an iPhone: the WiFi address is the Bluetooth address incremented by one. When you know the WiFi MAC address of the iPhone, you also know its Bluetooth address.

Another interesting thing: the Metasploit Framework is about to be ported to the iPhone. All applications seem to run as UID 0 on the iPhone – this is going to be fun!

Source: Computerworld

Camp 2007 Review

Camp is over. Unfortunately I did not have enough spare time to write an in-depth review, but I can say it was a lot of fun and very interesting. I didn’t enjoy the lectures very much, because the acoustics were lousy and the content of the lectures was not as good as I expected. But the concept of villages for people with the same interests was very good; that way it was very easy to meet like-minded people. One very interesting lecture was about the A5 Cracking Project. The project’s goal is to implement a practical attack on the A5 cipher used in GSM networks. The cipher was already broken in 1998, after the specs leaked to the public because someone forgot to sign an NDA. But until now there has been no public implementation of the attacks. There is a Wiki where the project is coordinated, check it out. That stuff is at the very top of my agenda. Hmm, maybe not at the very top, but at the top ;-).

Anyway, due to the great atmosphere at the camp (especially during the night), I enjoyed it very much. Check out the flickr slideshow. I also made some photos, mostly night shots:

Write your own CSR Firmware!

Darkircop has released their tools for reverse engineering CSR firmware. The tools include a disassembler, dis.c, for disassembling official firmware. An assembler, as.cc, for writing your own firmware is also included. With these tools you are now able to write your own firmware for your CSR-based Bluetooth dongle, which might even include raw access for Bluetooth sniffing. The source code for sniffing Bluetooth under Linux is included, too.

It might even be possible to port the techniques for finding hidden Bluetooth devices described in this paper onto a CSR dongle. In the paper, GNU Radio with a USRP was used. The source code used for this attack can be downloaded, too.

Chaos Communication Camp 2007


This summer I am going to visit the Chaos Communication Camp in Finowfurt near Berlin, Germany (Old Europe). Two years ago I visited a similar camp: What The Hack. I hope the Camp this year will be as much fun as WTH, or even more (actually, I am pretty sure it will). 😉

Besides the many interesting people you can meet there, there are some pretty interesting lectures, too. Just have a look at the Fahrplan.
There will be some WEP hacking by Eric, some fun with NFC mobile phones and some other RFID stuff 1, 2, some oLd 5cHO0l h@cK1n9 and many other interesting things…

I would love to meet some of the visitors and commenters of this blog. As usual there will be a huge phone network on the campsite, so feel free to contact me via eventphone’s DECT network: 4674

Happy hacking out there, see you soon!