Red-Ms Bluetooth Server Vulnerable

@stake identifies numerous flaws in the Bluetooth short-range wireless access points sold by Red-M, the most serious of which could compromise the administration password.

Security researchers have identified numerous flaws in the Bluetooth short-range wireless access points sold by Red-M Communications Ltd., the most serious of which could compromise the administration password.

@stake Inc., a security research and consultant firm in Cambridge, Mass., discovered the six vulnerabilities in Red-Ms 1050AP, which is the only server on the market that supports access by multiple Bluetooth clients.

Although Bluetooth has been in existence for several years, vendors have been slow to produce devices that support it. Designed mainly for linking desktop and notebook computers to peripherals such as cell phones and headsets, some advocates have touted the protocol as a more secure alternative to 802.11b.

But, security experts say, Bluetooth gear is not immune from many of the same design flaws that have resulted in security problems for wired and other wireless networks.

"The design and implementation issues havent been resolved because [Bluetooth networks] rely on corporate networks to be secure," said Ollie Whitehouse, director of security architecture and team leader of @stakes Wireless Security Center of Excellence, which discovered the flaws. "We suffer from the same problems in the wireless world as in the wired world. Theyre common programming issues as opposed to Bluetooth issues."

The companys advisory is due to be published Wednesday.

Red-M, based in Bucks, England, responded to @stakes discoveries by saying that the attacks and vulnerabilities the researchers identified would result from the access point being installed on a poorly secured wired network. However, Red-M has fixed the denial-of-service flaws in a recent firmware upgrade and plans to address the others in its next update, due in August.

Whitehouse said that none of the vulnerabilities or attacks his team identified was very difficult to find or execute.

"Its not going to take someone with a high level of intellect to exploit these," he said. "We spent a total of two weeks on this."

Potentially the most damaging vulnerability is a flaw in the TFTP server that ships with the 1050AP. The server, which is used for configuration backups and firmware updates, cannot be disabled and an attacker could use it to launch a UDP-based attack to crack the administrative password, according to Whitehouse. Combined with the fact that the devices password is case insensitive and can be no longer than 16 characters, this vulnerability gives an attacker an effective way of cracking the administrative password.

The 1050AP also has a vulnerability in its management session state storage capability that is susceptible to several different attacks. When a user logs into the Web interface with the administrative password, the device does not send a cookie, session ID or any authentication data to the client, nor does the client send any to the server. Instead, the server remembers until the session times out or the user logs out that that particular IP address has been authenticated.

As a result, a second user coming via the same proxy server can connect to the administrative interface without having to authenticate himself. Or, if the first user connects to the 1050AP through a firewall that does network address translation, any other user behind the same IP address can access the administrative interface as well.

Also, because the device does not ask for the current password when a user tries to change the administrators password, once hes logged on, an attacker could lock the administrator out of the device, @stake says.

The Red-M device also broadcasts its name via UDP to a specific broadcast IP address about once a minute, Whitehouse said. Anyone looking to find an access point on a given network would need simply to listen on port 8887, and could easily determine the 1050 APs name, IP address, netmask, serial number and aerial address.

@stake also identified two separate denial-of-service vulnerabilities in the access point. The flaw in the management Web server simply requires an attacker to enter a long string of characters in the administrative password field, which will generate a connection error and cause the server to die until it is manually restarted. The second such flaw results from an attacker entering an overly long string in the PPP (point to point protocol) username field.

Red-M officials said they dont see these issues as problems with the 1050AP.

"The current design philosophy for the 1050AP is that it would be used on a corporate network already secured by implementation of a corporate security policy," the company wrote in an e-mail response to @stakes advisory. "This should mitigate the risk of attacks from the wired network. We believe that [@stakes advisory] does not demonstrate a practical vulnerability over the wireless interface, as the 1050APs wireless security mechanisms has not been shown to be vulnerable."

Related stories:

  • Review: 802.11a 5 Times Faster Than 11b
  • Review: Sizing Up Early Bluetooth Devices