NEWS FROM THE LAB - Monday, December 19, 2005

Vulnerability in Widcomm Bluetooth stack allows remote audio listening

Posted by Jarno @ 13:43 GMT

In August 2004 we warned people about a serious vulnerability in the Widcomm Bluetooth stack used by many PC Bluetooth dongles. The Widcomm stack contains a vulnerability that allows remote code execution over Bluetooth, so an attacker or a worm can take over a PC just by being inside Bluetooth communication range.

Last week people at Digital Munition found another vulnerability that allows unauthorized remote access to the PC Bluetooth audio profile. Basically this means that anyone with the proper software can eavesdrop on a PC that has Widcomm Bluetooth software and a microphone, or play audio on the target PC.

While this vulnerability is not nearly as dangerous as the remotely exploitable buffer overflow, it is a good reminder that nobody should be using the old and vulnerable Widcomm software anymore.

However, as Widcomm was bought by another company (Broadcom), no security fixes have been made for devices that don't use a Broadcom chipset. Fixing this problem is not easy.

The best advice we can give to people is to look for some other Bluetooth stack. For example, many Bluetooth devices work with Windows XP Service Pack 2 without any extra drivers.

If there is no compatible Bluetooth stack available, we recommend setting authentication for the Headset Audio Gateway profile, as described in the advisory, and setting PC Bluetooth to non-discoverable mode.

Setting your PC Bluetooth to non-discoverable will not remove the problem completely, as your PC can still be found by brute-force scanning, but it will significantly limit the exposure.