We pinged Flexilis's John Hering [second from the left], part of the team behind the world record-setting Bluetooth connection (and exploit) and creators of the BlueSnipe rifle. John talked about the still-lingering weaknesses in most current Bluetooth-enabled phones, plans Flexilis has in the future to help cell phone manufacturers lock down their security, and how many video game industry executives' phones you can scan at E3 in just 90 minutes.
One thing John asked me to make clear, though, and I thought I'd do it up front. None of these tests have involved hacking into any phones that weren't authorized by the participants. The record-setting Bluesnarf attack was done with one of their own phones, for instance. But just because they didn't doesn't mean they couldn't. Lucky for us they're trying to play by the rules and help the Bluetooth community batten down its hatches.
It runs a little long, but I added magical color codes to make it easier on the eyes. Read on inside.
Gizmodo: so what are you guys doing at flexilis, exactly, that makes building hacking rifles part of your business?
John Hering: we are a wireless research and development firm working primarily with bluetooth and wifi
John Hering: the bluesniper was a good way to really get people's attention, the equipment that was the functional part of the rifle was what was the key
Gizmodo: did anyone freak out when they saw you sniping?
John Hering: we weren't using the bluesniper
John Hering: we actually did the link from the santa monica pier
John Hering: to a hill 1.08 miles away
Gizmodo: oh, well, wait, do-over
John Hering: there is a police substation right there
John Hering: so.
Gizmodo: i still have bluesniper on my mind
John Hering: the bluesniper was used at defcon
John Hering: [for the record breaking shot] we used a 19 dBi panel antenna
Gizmodo: b/c i just watched that tom's video [This Video - ed]
John Hering: and mind you, we were able to connect to a Class 3 device from 1.08 miles
John Hering: a standard nokia 6310i
Gizmodo: so when wired says 1.1 miles they mean 1.08?
John Hering: yes
John Hering: i hate it when people get the facts wrong
John Hering: that's why i emailed you.
Gizmodo: i bet wired is getting paid links from the 1.1mi consortium
John Hering: lol
John Hering: typically manufacturers discounted the bluetooth attacks
John Hering: snarfing, jacking, bugging
John Hering: because they said that the ranges were short
Gizmodo: and you're proving that it's not
John Hering: we have completely destroyed that notion
John Hering: not only were we able to establish a link from 1.08 miles
John Hering: we were able to attack the phone too
John Hering: ripped the entire contact list, and sent sms messages
John Hering: full snarf attack
Gizmodo: i presume the phone wasn't pre-softened for the test, either
John Hering: not at all
John Hering: on the first world record attempt
John Hering: if you heard about it
John Hering: last week before defcon
John Hering: we pre-softened it
John Hering: and hit .5 miles
John Hering: this attempt was MUCH more significant
Gizmodo: have you heard anything from the phone companies, officially or otherwise?
John Hering: since this test no, but we have contacted most major manufacturers
John Hering: i know martin has contacted them as well
John Hering: martin herfurt, who discovered bluebugging, was in from germany
John Hering: we had a pretty tight crew
John Hering: there is a select group of people working to fix the inherent vulnerabilities of bluetooth
Gizmodo: i know that nokia and sony ericsson and everybody has basically said their new firmware fixes most of the exploits
Gizmodo: have you guys found that to be the case?
John Hering: i know that isn't so
John Hering: nokia did release an announcement of a fix BUT
John Hering: you must take your phone into a store and get the firmware flashed to get it fixed
John Hering: most consumers are clueless
John Hering: and Sony Ericsson
John Hering: i believe that their phones are still vulnerable as well
Gizmodo: well yeah, but are the flashed phones safe from the current exploits?
John Hering: the snarf attack yes
John Hering: tests have shown that the bluebug attack may still work though
John Hering: we are working on a full release as well as a white paper
John Hering: hopefully the manufacturers will pay close attention
John Hering: i know martin is also working on a java api
John Hering: for symbian phones
John Hering: you can now snarf from a phone to a phone!
John Hering: don't need a linux box anymore
Gizmodo: that's brilliant
Gizmodo: if, you know, awful
John Hering: we are doing this for the good of the industry
Gizmodo: you're certainly being up front about it
Gizmodo: building a rifle and all
John Hering: we in no way want this information to fall into the wrong hands
Gizmodo: yeah, have you released the exploits or your code?
John Hering: of course not
John Hering: we are releasing a security vulnerability assessment tool
John Hering: which identifies vulnerable phones
John Hering: we showed it off in the toms video
John Hering: if you saw
Gizmodo: yeah, you're going to release that?
John Hering: yes
Gizmodo: throw in an OSX version so I don't have to use this stupid dongle
John Hering: i'll definitely keep you posted, we have some amazing software
John Hering: we are working on integrating location tracking too
John Hering: and other bluetooth tools
Gizmodo: yeah, definitely v. v. interested
Gizmodo: but first
Gizmodo: you have to let me ask about the rifle
John Hering: of course
Gizmodo: you can't build something like that without expecting a little attention
Gizmodo: is the antenna you used for your distance record a yagi, too?
John Hering: i think that was the point, people discounted bluetooth exploits, we found a way that not only displayed using the technology in a way it had never been pushed, but also we were able to attract attention to the manufacturers as our goal is to fix the inherent vulnerabilities within the bluetooth stack
John Hering: the yagi is what we used for the first distance record
John Hering: the 0.5 miles
John Hering: we used a few different types
John Hering: we used a different 19 dBi panel antenna for the 1.08 miles though
Gizmodo: were you shooting over the ocean?
John Hering: no
John Hering: beach
Gizmodo: or from the pier to somewhere on land?
John Hering: yes
John Hering: we were a bit worried about the moisture in the air
John Hering: LOL
John Hering: you wouldn't believe how far away it was
John Hering: we couldn't even see martin and mike on the hill
Gizmodo: i bet it was over a mile!
Gizmodo: so are you going to make an attempt?
Gizmodo: to beat the record?
Gizmodo: or have you proven your point?
John Hering: we still have a few cards up our sleeves
John Hering: bluetooth is an amazing technology
John Hering: we are going to push it in new directions
Gizmodo: are you guys incorporated yet?
John Hering: in the process
Gizmodo: get a lawyer
John Hering: definitely
Gizmodo: so like i was asking before, but at the wrong time
Gizmodo: did anybody see you sniping them when you were doing that tom's video (or whenever)?
John Hering: well, we were misquoted in the wired article
John Hering: we simply scanned
John Hering: never actually snarfed
John Hering: at defcon
John Hering: that would be illegal
John Hering: when we attack its on our own phones
John Hering: in a closed testing environment
Gizmodo: well, i just mean people freaking out that there was some kid with a weird gun
John Hering: but, no, people had no clue we were scanning their phones for vulnerabilities
John Hering: people at defcon thought it was cool
John Hering: but defcon isn't your average place
Gizmodo: thank god
John Hering: most definitely
John Hering: we had it in a case too
John Hering: i think the bluesniper was proof of concept more than anything
John Hering: if someone were to build a similar device into a briefcase
John Hering: it could be taken anywhere
Gizmodo: sure, it's mostly just a useful form factor
John Hering: definitely
Gizmodo: well let us know when you release the software
Gizmodo: i'm sure lots of script kiddies such as myself would get a kick out of scanning
Gizmodo: "look who i could own if i actually knew how to write code!"
John Hering: haha definitely
John Hering: i bet you would be interested in this
John Hering: we did a proof of concept at e3
John Hering: 700 vulnerable phones
John Hering: and that's where the industry's top people are
Gizmodo: over how many hours?
John Hering: 90 minutes
Gizmodo: you could have assembled the best video game industry address book ever
John Hering: i know.
John Hering: we walked up to the nokia booth
John Hering: and showed them all the execs phones
Gizmodo: we could have prank called john carmack!
John Hering: they went bonkers
Gizmodo: i bet
John Hering: they know there is a problem
BlueSniper Rifle and More Fun Bluetooth Exploits [Gizmodo]