I almost forgot about this...

HID Attack is about attacking the Bluetooth Human Interface Device application. The software that runs on the desktop PC that communicates with a Bluetooth keyboard, mouse and joystick. The described attack hijacks the bluetooth keyboard driver on the dektop computer to inject arbitrary keypress sequences.

Full details here: HID Attack Website

Download the Proof-of-Concept here: HID Attack

Today, a good friend sent me this picture of the backside of a british parking ticket. I share this picture with you for two reasons: Entertainment and education.

Yet another non-Bluetooth topic...

Here are the slides from my defcon-14 talk about MMS-based (Multimedia Messaging Service) attacks against PocketPC phones.

The slides are available here and the WiFi proof-of-concept DoS tool can be downloaded here.

I have just been informed by Toshiba that there is a new security update (PC Bluetooth Stack Service Pack 2) that also installs on non-Toshiba PCs.
It is available for download at http://aps.toshiba-tro.de/bluetooth/.

I have just been informed that TOSHIBA published a stable version of the stack. You find it here for download:
aps.toshiba-tro.de/bluetooth
Go for the latest Version (4.00.36) and your problems should be solved.
Special Thanks to Toshiba for letting me know about this.

Earlier this year, members of the trifinite.group discovered an issue with the Toshiba Windows Bluetooth Stack. Strangers can remotely cause a system exception on Windows hosts when they know the address of the internal Bluetooth device of this machine by sending large l2cap echo requests to it (see BlueSmack attack).
Toshiba has been informed about this issue in the middle of February 2006 already but didn't manage to fix the problem. Since Toshiba has been informed once more in April 2006 and the issue still is within the product, we finally decided to publish an advisory addressing the problem so that users of the product are warned and can take countermeasures.

During the last month there have been quite a few events. In the beginning of March, there was the BlackHat Europe in Amsterdam. The list of speakers was quite prominent. Before BlackHat started, I also met Dragos who was on holiday together with the organizing team of the EUSecWest that just took place a week before in London.

A week later, I was invited to speak at a very small, but very nice event in Coimbra, Portugal. This event was called 'Wireless Meeting 2006 (WiMe2006)' and already took place once before in 2005. I was very pleased by the student organizers who also got me a translator so that I could understand the other talks that were mainly held in portuguese. At this event, I also had the pleasure to meet the people of a very ambitious project with the goal to globally share broadband Internet access within a community. Even Google was investing quite
a bit of money in this project. Go to their homepage at www.fon.com and start sharing your Internet connection today. I did it already.

The week after Portugal, I have been invited to participate a meeting of Anti-Virus software manufacturers in Germany where I had the chance to talk to a bunch of interesting people and hear their opinion on Bluetooth.

Finally, Adam, Marcel and I spoke at WebSec 2006 in London.
When coming back from London, I visited Hangar-7 where the Red-Bull Owner Dieter Mateschitz keeps his private aviation and Formula 1 collection. This place is definitely worth seeing. If you ever happen to come to Salzburg, this is a must-see (and is is even for free). Co-incidentally, I met an old friend who happens to work at Hangar-7 as a mechanic. He even gave me the full tour including the garage that the average visitor does not happen to see. It is unbelievable how many expensive toys you find in this place (there are pictures (soon)).

Originally, there was the plan to also speak at MEITSEC in Dubai. This would have been right in between the Portugal and the Germany events and I am honestly glad that this got postponed to December.

The slides of the talks will sooner or later appear in the trifinite.download section and pictures of (most of) the places can be found on the trifinite.album page can be found.

At the very moment, I am on my way to Vancouver where CanSecWest will take place. After a week of partying with the CanSec crowd, I am very happy to kick back and relax in the beautiful city of Vancouver until the beginning of may.

Everyone who is interested in participating a Bluetooth Security workshop could still sign up for the upcoming Bluetooth Technology Security Dojo at CanSecWest in the beginning of April.
We would be happy to meet you there :)

Trifinite.group member Kevin has published a paper detailing the techniques he used in the development of the InqTana Bluetooth worm that targets vulnerable Mac OS X systems. There has been significant confusion surrounding this worm, so here are some salient points:

• The concurrent release of the OS X Leap.A and InqTana.A worms is coincidental
• There is no conspiracy, AV vendors and Apple were notified about Kevin's progress in developing this worm in advance of making details publicly available
• Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 and APPLE-SA-2005-06-08
• InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the worm could easily spread silently

Kevin's paper is available at http://www.digitalmunition.com/InqTanaThroughTheEyes.txt. Comments can be directed to the BlueTraq mailing list. Our sympathies to those organizations who were affected by the false-positive signatures published by overzealous AV companies.

Last week, Joshua Wright joined the trifinite.group. Josh brings in a lot of experience with Wi-Fi technology and showed to have the right thinking-patterns for being part of the group :)
Check out Joshua's page for details.