News
Tuesday 20th June 2006
Bluetooth security research group Trifinite has released details of a flaw in the Toshiba stack used in the Bluetooth kit installed in laptops from Toshiba, Dell, Sony, Asus and others.
The flaw can potentially be exploited remotely to cause affected laptops running Windows XP to crash to the 'Blue Screen of Death'.
The Toshiba Bluetooth Host Stack, up to version 4.0.23, can be attacked by sending large payloads with L2CAP Echo requests causing data to be written to non-paged memory space.
This causes a critical system exception resulting in an immediate rebooting of the machine.
The main mitigating factor in this denial of service attack is that the attacker needs to be within physical range of the target device - typically around 10m.
However, security company Kaspersky recently reported detecting more than 2,000 unprotected visible Bluetooth devices during
The reason behind Trifinite's decision to go public with the vulnerability is Toshiba's recalcitrance. The group alerted Toshiba to the problem in February this year, but the company didn't fix the problem. Trifinite subsequently contacted Toshiba again in April as the flaw was still in evidence and decided to issue the public advisory today as no action has been taken.
This puts Trifinite in the tricky area of responsible disclosure. Security research companies are governed by an unwritten rule that newly discovered flaws be reported only to the company whose products are affected in order for them to issue a fix before information on the vulnerability falls into the public domain.
However, some companies can be slow to act, leaving their customers defenceless against attacks using such a vector.
eEye Digital Security runs a public timer on the flaws it finds and the time it is taking companies to fix them. Currently, network product maker D-Link is nearly two months past the industry-agreed 60-day period for such flaws to be fixed.
We contacted Toshiba for comment on the issue reported by Trifinite, but had not received a response by the time of publishing.
Trifinite says the advisory has been posted to the BugTraq, Full Disclosure and BlueTraq mailing lists. It suggests those affected should set their Bluetooth capabilities to invisible, as an attacker needs to know the Bluetooth device address of the host machine.
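For defenders reviewing Bluetooth captures, the following added example (not taken from Trifinite's advisory or from this article) flags L2CAP Echo requests whose declared payload is unusually large, the condition described above. It assumes the L2CAP frame bytes have already been extracted from a capture; the 48-byte threshold, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct

SIGNALING_CID = 0x0001   # L2CAP signalling channel on ACL links
ECHO_REQUEST = 0x08      # L2CAP signalling command code
MAX_ECHO_PAYLOAD = 48    # assumed alert threshold; the article gives no size


def oversized_echo_requests(frame, limit=MAX_ECHO_PAYLOAD):
    """Return (identifier, declared_len, captured_len) for each Echo Request
    in one L2CAP frame whose declared payload length exceeds `limit`."""
    if len(frame) < 4:
        return []
    _length, cid = struct.unpack_from("<HH", frame, 0)
    if cid != SIGNALING_CID:
        return []
    hits, off = [], 4
    # A signalling frame may carry several commands back to back.
    while off + 4 <= len(frame):
        code, ident, cmd_len = struct.unpack_from("<BBH", frame, off)
        # A capture may hold fewer bytes than the command header declares.
        captured = min(cmd_len, len(frame) - off - 4)
        if code == ECHO_REQUEST and cmd_len > limit:
            hits.append((ident, cmd_len, captured))
        off += 4 + cmd_len
    return hits


def build_frame(*commands):
    """Constructed sample input: wrap (code, ident, data) commands in a frame."""
    body = b"".join(struct.pack("<BBH", c, i, len(d)) + d for c, i, d in commands)
    return struct.pack("<HH", len(body), SIGNALING_CID) + body


# Constructed frames, not captured traffic.
NORMAL = build_frame((ECHO_REQUEST, 1, b"ping"))
LARGE = build_frame((ECHO_REQUEST, 2, b"\x00" * 600))
TRUNCATED = LARGE[:40]  # capture cut short; header still declares 600 bytes

if __name__ == "__main__":
    for name, frame in (("normal", NORMAL), ("large", LARGE), ("truncated", TRUNCATED)):
        print(name, oversized_echo_requests(frame))
```

The check keys on the length field in the command header, so a frame that was truncated in the capture is still reported.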

