Exploiting buffer overflows over Bluetooth: the BluePass tool

Mobile devices enable users to have ubiquitous access to resources and perform purchases, payments, authentication, storage. Furthermore, short range networks, as Bluetooth, are going to introduce new application paradigms, varying from identification based on mobile device to m-payments. The mobile device, becoming a personal trust device (PTD) can replace every ID card and credit cards, preserving the privacy and confidentiality requested by customers. For this reason is not acceptable any kind of unexpected or unsafe failure. Since many embedded systems don´t include a security framework and are vulnerable to buffer overflow attacks they can represent the weakest link in the business model security chain. Furthermore, embedded systems often use proprietary drivers, whose code is not inspectable: thus it´s important to perform tests generating all the inputs, looking for protocol-related or application failures. This paper, after presenting the threats to Bluetooth application in embedded systems, focusing on layer 2 and above DoS attacks, presents a easy-to-use testing application to preserve the safe failures before software application deployment.