[ISN] Hackers "shoot" the security pros at the RSA Convention

InfoSec News isn at c4i.org
Fri Feb 18 04:29:26 EST 2005


By Humphrey Cheung 
February 17, 2005

San Francisco (CA) - From the second floor of the Moscone Convention
Center, a trio of hackers points their Bluetooth Sniper Rifle at the
show attendees below. Bluetooth devices have become commonplace,
especially with the technical crowd at the RSA Convention. Maybe
thousands of Bluetooth devices were worn by attendees. The guys at
Flexilis may have scanned them all.

James Burgess, from Flexilis, a wireless think tank, says that the
BlueSniper gun is a very simple concept. "It's basically a gun stock,
with an antenna on it. The thing that makes it cool is the gumstick PC
built into the magazine. It is completely self-contained."

Flexilis demonstrated a similar gun at the 2004 Defcon Convention in
Las Vegas. That gun was hastily put together, basically with rubber
bands and tie straps. This updated version was better looking and much
bigger. So big the Flexilis guys had to mount it on a tripod.

Constructing the gun was easy. A tube-shaped antenna, tuned for
Bluetooth frequencies, was attached to an aftermarket gun stock.
LMR-400 cable connects the antenna to a miniature computer, located in
the magazine of the gun. The total cost of the parts was less than

While the gun looks impressive, John Hering says, "The real magic
happens inside the computer." The magazine containing a small computer
is loaded into the gun. A bright blue LED glows on the outside of the
gun after the magazine is inserted and turned on. The computer is
powered by a 400 MHz XScale processor and has serial output. It accepts
the Bluetooth signals from the antenna and has an MMC slot, on which
everything captured from the Bluetooth antenna can be stored.

Kevin Mahaffey, the main programmer at Flexilis, explains their
homegrown software can find vulnerable phones, list their services and
perform exploits. During our demonstration, he only showed off the
vulnerability and service scans, but he says that it would have been
trivial to crash or even rip contact lists from vulnerable phones.

In a few minutes of scanning, the group picked up more than one
hundred phones. The phones were listed by MAC address, the unique
hardware address burned into every phone. All of this information can
be stored on an MMC card inside the gumstick computer - making the
BlueSniper gun self-contained. So for the security professionals at
the RSA Security Conference, don't forget to look up, as you are being
watched.
