Blooover

Since Adam Laurie’s BlueSnarf experiment and the subsequent BlueBug experiment, it has been proven that some Bluetooth-enabled phones have security issues. Until now, attackers have needed laptops to snarf other people’s information. Unless attackers do a long-distance snarf, people would see that there is somebody with a laptop trying to do strange things. Blooover is a proof-of-concept tool intended to run on J2ME-enabled cell phones, which appear comparatively inconspicuous. Blooover is also intended to serve as an audit tool that people can use to check whether their phones and the phones of friends and employees are vulnerable.

Since the application runs on handheld devices and sucks up information, it has been called Blooover (derived from Bluetooth Hoover).

We had some objections to releasing a tool that actually performs a BlueBug attack before potential victims were in a position to do something about it. Now that Nokia has announced a firmware upgrade for its vulnerable models, these objections are no longer present.

Downloads

Here you can find the Blooover tool as a .jar file for download. It is supposed to run on every phone that is equipped with a J2ME MIDP 2.0 VM and an implemented JSR-82 API (important for Bluetooth access). As far as I know, the Nokia 6600, Nokia 7610, Sony Ericsson P900, Siemens S65 (and probably all subsequent phones of the mentioned manufacturers) fulfill these requirements.

By now, Blooover has been downloaded times (figure is updated hourly).

Installation

If you intend to install the application, you should use a phone that has the Java Bluetooth API implemented. Phones with this feature are listed on this very useful page.

Once you have downloaded the file, make sure that it is called Bloover.jar (not Blooover.zip). After this, you can transfer the application to your phone via (1) the phone software on your PC, (2) OBEX Push over Bluetooth, or (3) OTA (over-the-air application provisioning), which will use your phone’s data services.

Please use this Proof-of-Concept application responsibly!

Blooover - J2ME phone auditing tool
(runs on phones with MIDP 2.0 and JSR-82 (Bluetooth API))
by Martin Herfurt
more information on the Blooover project page

Blooover Theme - a theme for Series60 phones
by Martin Herfurt
Download sis file
created in March 2005

Desktop Background - Blooover iSee
Right on time for x-mas and for the upcoming release of the Blooover tool at the 21C3 congress at the end of December 2004.
Resolution 800x600
Resolution 1024x768
Resolution 1400x1050
Resolution 1600x1200
created in December 2004

Disclaimer

The Blooover application is a Proof-of-Concept auditing tool that is not intended to exploit potential victims financially. Therefore, it is not possible to send SMS messages, and it is only possible to initiate calls and set up call forwards to numbers that are free of charge to the calling device.

People Involved

For questions about the Blooover application, feel free to ask Martin Herfurt.
