Remote control of laptops via Bluetooth hole
Following in the footsteps of this summer's DoS vulnerability, a security hole has now surfaced in laptops from Toshiba, Dell, Sony and Asus, at least when the pre-installed version of Windows XP is being run. Service provider SecureWorks has reported that it is possible to exploit a hole in the implementation of Toshiba's Bluetooth driver to plant and launch arbitrary software on computers. However, under some circumstances Windows does no more than crash.
Toshiba's Bluetooth stack comes pre-installed on the aforementioned machines. The attacker must be in the vicinity of the victim for an attack to succeed, potentially as little as ten meters away, but given the layout of airports and train stations this represents no real hurdle. Versions 3.x and 4 through 4.00.35 of the Toshiba Bluetooth Stack, as well as all OEM versions, are affected. The 64-bit version of the driver is not vulnerable. Toshiba has released an update.
The error report details vulnerable Dell models separately. Owners of Dell Latitude models 820/D620/D420/D520 should get in contact with the manufacturer if their software version is not 4.00.22(D) SP2 or higher. For Dell Latitude models D810/D610/D410/D510/X1, the software should be at least 4.00.20(D) SP2. The installed versions can be queried in the device manager under Properties/Drivers. As a workaround, users can deactivate Bluetooth or at least switch to invisible mode to conceal themselves from attackers.
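For administrators with more than a handful of these laptops, the per-model minimum versions above can be checked against an inventory export. The following Python sketch is an added example, not part of the SecureWorks advisory or the vendors' tooling; the version-string format, the ordering rule (numeric fields first, then service pack number) and the sample inventory are assumptions.

```python
import re

# Minimum versions per Dell Latitude model, exactly as listed in the article.
DELL_MINIMUM = {
    **dict.fromkeys(("820", "D620", "D420", "D520"), "4.00.22(D) SP2"),
    **dict.fromkeys(("D810", "D610", "D410", "D510", "X1"), "4.00.20(D) SP2"),
}

# Assumed format: major.minor.build, optional OEM tag like (D), optional "SPn".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:\(\w+\))?\s*(?:SP\s*(\d+))?\s*$", re.I
)


def parse_version(text):
    """Return (major, minor, build, service_pack); a missing SP counts as 0."""
    match = VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, sp = match.groups()
    return int(major), int(minor), int(build), int(sp or 0)


def check_host(model, installed):
    """Classify one machine: 'ok', 'update', 'unknown-model' or 'unparsable'."""
    minimum = DELL_MINIMUM.get(model.strip().upper())
    if minimum is None:
        return "unknown-model"
    try:
        current = parse_version(installed)
    except ValueError:
        return "unparsable"  # needs a manual look in the device manager
    return "ok" if current >= parse_version(minimum) else "update"


def audit(inventory):
    """Map host name -> status for every (host, model, version) row."""
    return {host: check_host(model, ver) for host, model, ver in inventory}


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("lt-001", "D620", "4.00.22(D) SP2"),
    ("lt-002", "D620", "4.00.20(D) SP2"),
    ("lt-003", "D610", "4.00.20(D) SP2"),
    ("lt-004", "X1", "4.00.11(D)"),
    ("lt-005", "D420", "unknown"),
    ("lt-006", "OTHER", "4.00.22(D) SP2"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Machines reported as `unparsable` or `unknown-model` are deliberately not treated as safe; they need a manual check.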
The hole was discovered by David Maynor and Jon Ellch of SecureWorks. The pair was at the centre of significant controversy a few weeks ago related to security holes in Apple's WLAN drivers. Apple maintained that it never received information from the pair verifying the problem. Communication appears to have worked this time, at least with Toshiba and Dell. SecureWorks explicitly thanked the Dell Security Response Team and Toshiba's Bluetooth Support Team for their cooperation.
The advisory also uses the Common Vulnerability Scoring System (CVSS), which is still quite uncommon. It involves a risk assessment for security holes to help users more effectively decide how critical a problem really is and which patches should be applied:
Access Vector: Remote
Access Complexity: High
Authentication: Not Required
Impact Bias: Normal
- Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability, Advisory from SecureWorks