52 Chapter 3 Bluetooth Attacks

"Madame Whipsalot fun time party line" that he or she will just pay the charge to make the issue go away.

Tip: Some phones have open RFCOMM ports but are not advertised via SDP. These ports are leftovers from diagnostics used by the manufacturer and can be accessed by connecting to the channel directly. Depending on the phone, there are 60 channels available for simultaneous use. An attacker can just step through all ports to see if any respond. This is a time-consuming process, and it is more likely that he or she already knows which phones have these back channels open. If you are working to assess a Bluetooth device, it is worth stepping through all RFCOMM channels, just to be sure.

It is worth noting that a direct RFCOMM connection is not required to extract or abuse a target device. Other Bluetooth profiles can be abused to read information from devices. Profiles like OBEX push, typically used to push contacts from one device to another, can be exploited since the connection is actually two-way. Instead of pushing a contact, an OBEX GET request is made for a known filename. Files such as telecom/pb.vcf, which is the device's phone book, would be most useful to extract. This type of connection often does not require authentication. Some devices can also be caused to crash by pushing a vCard (a contact) with a very long file name, causing a buffer overflow and, possibly, crashing the phone.

At this point, it must be pointed out that many of these attacks have been mitigated through firmware upgrades and improved UI design. From about 2003 to 2007, these attacks were widespread as the technologies were new, and the user base was unaware of the risks. Many phones now are not discoverable, and most manufacturers have improved their implementations so as to not expose users to such risks. That being said, there are always new devices coming on the market with Bluetooth capability. There may be an occasion where a manufacturer slips up and exposes a vulnerability. From the perspective of an IT or security manager, it would be a good idea to evaluate all Bluetooth devices and their peripherals for obvious vulnerabilities before allowing them in production environments. From an auditing standpoint, tools like Bluetooth Stack Smasher (www.secuobs.com/news/05022006-bluetooth10.shtml) are invaluable as they have fuzzing capabilities to allow for discovery of previously unknown issues of security and stability.

Wholesale Sniffing

In 2007, n.runs released Btcrack, a Windows program to crack Bluetooth link keys (www.nruns.com/_en/security_tools_btcrack.php). While this would seem to be a death sentence for Bluetooth, there is a problem. Sniffing the packets necessary to enable the crack to occur is a lot harder to catch than you would think.
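The long-file-name crash described in the OBEX push section is a length-validation failure in the receiver: the device trusts the sender's Name header length and copies it into a fixed buffer. As an added example (not code from the book or from any phone firmware), the parser below shows the receiving side done defensively; the OBEX header layout is real, while the function name, the NAME_UNITS limit and the sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* OBEX layout: packet = opcode(1) + length(2, big-endian) + headers.
 * A text/byte header = HI(1) + HL(2, big-endian, counting HI and HL) + data.
 * HI 0x01 is Name, carried as NUL-terminated UTF-16BE.
 * NAME_UNITS and the function name are assumptions for this example. */
#define NAME_UNITS 64
#define OBEX_HDR_NAME 0x01

/* Returns the Name length in UTF-16 code units (without the terminator),
 * or -1 when the packet is malformed or the name would not fit in out[]. */
int obex_extract_name(const uint8_t *pkt, size_t pkt_len,
                      uint16_t *out, size_t out_units)
{
    if (pkt_len < 3) return -1;
    size_t declared = ((size_t)pkt[1] << 8) | pkt[2];
    if (declared < 3 || declared > pkt_len) return -1;   /* trust only what arrived */
    for (size_t pos = 3; pos < declared; ) {
        uint8_t hi = pkt[pos];
        size_t hl;
        if ((hi & 0xC0) == 0x80) hl = 2;                 /* 1-byte quantity header */
        else if ((hi & 0xC0) == 0xC0) hl = 5;            /* 4-byte quantity header */
        else {                                           /* unicode text / byte sequence */
            if (pos + 3 > declared) return -1;
            hl = ((size_t)pkt[pos + 1] << 8) | pkt[pos + 2];
            if (hl < 3) return -1;
        }
        if (hl > declared - pos) return -1;              /* header overruns the packet */
        if (hi == OBEX_HDR_NAME) {
            size_t bytes = hl - 3, units = bytes / 2;
            /* the "very long file name" case: reject instead of overflowing out[] */
            if (bytes % 2 || units == 0 || units > out_units) return -1;
            for (size_t i = 0; i < units; i++)
                out[i] = (uint16_t)((pkt[pos + 3 + 2 * i] << 8) | pkt[pos + 4 + 2 * i]);
            return out[units - 1] == 0 ? (int)(units - 1) : -1; /* must be NUL-terminated */
        }
        pos += hl;
    }
    return -1;                                           /* no Name header present */
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t pkt_ok[] = {
    0x82, 0x00, 0x12,                   /* PUT (final), total length 18 */
    0x01, 0x00, 0x0F,                   /* Name header, HL 15 */
    0, 'a', 0, '.', 0, 'v', 0, 'c', 0, 'f', 0, 0 };
static const uint8_t pkt_lie[] = {
    0x82, 0x00, 0x09,                   /* total length 9 ... */
    0x01, 0x02, 0x00,                   /* ... but Name header claims HL 512 */
    0, 'x', 0, 0 };

int main(void)
{
    uint16_t name[NAME_UNITS];
    printf("ok  -> %d units\n", obex_extract_name(pkt_ok, sizeof pkt_ok, name, NAME_UNITS));
    printf("lie -> %d\n", obex_extract_name(pkt_lie, sizeof pkt_lie, name, NAME_UNITS));
    return 0;
}
```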