Press Releases

Codenomicon warns about poor quality of Bluetooth equipment

Bluetooth vulnerabilities are becoming easier to find and exploit

OULU, FINLAND - September 20rd, 2011 - Codenomicon, the leading vendor of proactive security solutions, warns consumers about the poor quality and security of Bluetooth equipment. Based on Codenomicon's robustness test results using smart model based fuzzing tools, 80% of all the tests against various Bluetooth devices find critical issues. Every device failed with at least one test suite against a critical communication profile.

"Together with our partners, we have tested over ten different Bluetooth-enabled carkits this year," says Ari Takanen, CTO of Codenomicon. "We found critical issues in all of them."

Bluetooth is particularly vulnerable against malformed input. Malformed input may cause Bluetooth device operation to slow down, or device may show unusual behavior or crash completely. In a worst case scenario, malformed input can be used by an outside attacker to gain unauthorized access to the Bluetooth device. When vulnerabilities are in low-level communication profiles such as L2CAP, they are not protected by the pairing process. These critical flaws can be exploited without the user accepting or even noticing the connection.

So far, Bluetooth quality and security has not been perceived as a problem. The pairing process and conformance testing is thought to provide enough protection. Bluetooth applications have not offered access to confidential information so there has been little motivation to attack the Bluetooth interface. However, Bluetooth is becoming more and more critical. Modern carkits and healthcare equipment for example use Bluetooth technology. When the number of critical applications increases, the importance of equipment robustness and reliability grows.

"Bluetooth is mostly used in consumer products and consumers tend to buy the cheaper rather than the best quality product. Unless customers require testing there is no requirement for the manufacturers to build secure code," concludes Takanen. "Hopefully test reports such as ours will help change the market behavior and will eventually result as Bluetooth equipment we can trust."

Whitepaper on Bluetooth Security:
http://www.codenomicon.com/resources/whitepapers/2011-bluetooth-fuzzing.shtml

More information about Defensics for Bluetooth: http://www.codenomicon.com/defensics/bluetooth/

For more information, contact:

  • Ari Takanen, CTO, Codenomicon
  • Tel: +358-40-5067678 (EMEA and APAC)
  • Mary Ann Charters, Codenomicon
  • Tel: (408) 252-4000 (USA/Canada)
  • Email: info@codenomicon.com



About Codenomicon Ltd.

Codenomicon develops security and quality testing software, which allows users to quickly find and identify both known and previously unknown flaws before business-critical products or services are deployed. Their unique, targeted approach to the fuzz testing of networked and mobile applications exposes more flaws and weaknesses than any other testing platform or methodology. Companies rely on Codenomicon's solutions to mitigate threats, like Denial of Service (DoS) situations and Zero-Day Attacks, which could increase liability, damage business reputation and cripple sales. Codenomicon is a member of the SDL Pro Network. For more information, www.codenomicon.com.