++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
ALERT! INSECURE WIRELESS COMMUNICATION PROTOCOL WITH HP CALCULATOR! ALERT!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The researchers from GOBBLES Labs are pleased to bring the security community with the first research paper concerning the security of handheld calculators. This research has been inspired by the hours of research of PDA security contributed to the security community from @stake (www.atstake.com) who are also the Hackers Formerly Known as The L0pht (tHFKaTL). GOBBLES members are entering a Brave New World of security research and development and hacking now that we are extending our hacking from just operating systems and networking to now new realms of computer science and security where few researchers have yet dared to go.

GOBBLES understand that there are some confusion concerning the operation of his group website www.bugtraq.org and now to make the record clear he would like to say that first www.bugtraq.org is a dot organisation which mean that it is not a for-profit group of any sort. We may not all be good for speaking English but we are good for contributing new security information to the security community free of charge.

/*
GOBBLES have resubmitted this to the mailing lists. Here is reason that GOBBLES advisory was not published earlier.

>>>>> -------------------- >>>>>
I don't allow messages with personal attacks. You'll notice that none of the ones about you were allowed to the list. Plus, I don't consider pointing out that something unencrypted is subject to interception to be much of an advisory.

BB
<<<<< -------------------- <<<<<

This were in one of GOBBLES email boxes today concerning this advisory.

What had happened is that a certain someone from this list had sent some mean email to GOBBLES about his poor English because when GOBBLES published he group advisory on the /bin/gzip bug it was accidentally called multiple vulnerability in /bin/gzip when only we gave the detail on one of the different bugs that were found. There were many other but GOBBLES did not find it necessary to write them all up because just the one showed was good enough for the advisory. Yes GOBBLES did find multiple vulnerabilities and anyone with half a brain and a few moment of time and a copy of the /bin/gzip advisory in hand should have been able to figure them out for theirselves and not need GOBBLES to detail each one to them.

Anyhow yes GOBBLES suppose that he wrong on the name of advisory but that is not a good reason for people to make such a personal attack on he concerning poor English. GOBBLES took the attack to heart and when finishing up this advisory (well the first advisory on the subject this version is edited) GOBBLES was still many upset and he better judgement aside put in some unkind observations about the fellow securityfocus.com pentester who had made such rude comments to GOBBLES. In hindsight GOBBLES is appreciative to the Blue Boar for not publishing the advisory in that form for that it reflect poorly on GOBBLES character as a human beings and even poorer reflect the other researchers from GOBBLES Security.

The Blue Boar were right and was kind enough to not publish the unkind words spoken out against GOBBLES that were so inappropriate and immature. For this version of the advisory those have been removed and replaced with GOBBLES heartfelt apologies for GOBBLES never should have gone down to the level of that penetrator who spoke unkindly towards GOBBLES. GOBBLES are man enough to admit he make a mistake when insulting others and will do best to grow up and stop making such kiddish mistakes. Sorry to all who were affected by this.

GOBBLES mostly sorry to the rest of the security community that did not get this information on time because of the moderation of it due to the off topic insults that were added in it regarding the character and worth of fellow reader. GOBBLES work hard so it should not happen again. Again GOBBLES sorry.

LOVE,
GOBBLES
GOBBLES@hushmail.com
http://www.bugtraq.org
*/

PRODUCT
*******

Hewlett Packard 48 Series Calculators
webpages at http://www.hp.com

SECURITY HISTORY
****************

To the best of the www.google.com (hehehe we like google.com because it is a lot like GOBBLES in spelling hehehehe ) research that GOBBLES members have done they can not find any other security problems being reported with these devices yet. GOBBLES know that a lot of people do security research on things and that sometimes different organisations will do the same research at different points in time independently of each other and get the same findings and publish them not knowing that the other group have done the same thing. This happened with the Netscape Mail bug that GOBBLES did find and publish when we were informed that another security researcher had found the same bug earlier and already submitted a report on it.

It is a sad state of affairs when a bug is reported years in past and the developers do not a thing to fix the problem and it is reuncovered by other security researchers in the future. Maybe at some point software developers are to become more concerned with fixing the bugs in their softwares rather than to only introduce more new ones! This seems to be a idiot practice to GOBBLES who think that not fixing bugs and putting new ones in a program is not a smart thing for software developers to do!

If once again GOBBLES background research into the security history of our subject have failed and you have already made this research known to the world we are very sorry.

GOBBLES take good pride in being able to find their own bugs and we are not avid readers of certain mailinglists where many advisories are published only because said lists have sometimes become over commercialized and GOBBLES has some opposition to big capitalist machines which is not to say it is wrong to make money off doing what we all love to do but it sometimes is wrong to do it off the labor of hobbyist researchers which can often be the cases.

GOBBLES submit that this is the first research known on the security of advanced calculators. ;)

BACKGROUND
**********

A while ago when GOBBLES himself was a student of Advanced Mathematics at he University he was taking Extreme Mathematics course which required the purchase of a sophisticated adding machine. While all GOBBLES peers were purchasing the standard TI (Texas Instruments) Advanced Calculator Models (mostly TI-85 at the time but some have bought TI-92 which look a lot like the new Nintendo Gameyboy Advance, GOBBLES suspect that Nintendo ripped off the design from Texas Instruments hehehe), GOBBLES decided to buy a Hewlett Packard Calculator. He bought a 48G which is a really nice machine.

Amongst many of the advance features of this device is that it have a built in infrared communications port by which it can communicate data between itself and other calculators with the same feature and also between other devices such as laptops and desktop computers that also can support infrared communications. It is here that the problem that GOBBLES discover is. . .

DESCRIPTION OF PROBLEM
**********************

The calculator can communicate with either plain ASCII communications over infrared streams or with tunnelled KERMIT protocol over the same infrared streams. The trouble are that these are submitted through the atmosphere with out any means of encryption leaving the data to be easily intercepted by anyone who is trying to.

Since many architects and physicists use these models of calculators, this could be very bad since sensitive information can be intercepted by evil parties who are using sophisticated electronic listening devices to listen in on the communications. Sensitive data like equations and graph data can be easily intercepted this way. This is a serious problem given the nature of the type of work that these devices are commonly used by (GOBBLES math professors have confirmed that many nuclear researchers use these devices because they like the stack-orientated operations the processors use in the calculators which makes them a better machine to use in advanced and complicated research fields of science). Organisations such like cia.gov, nsa.gov, kgb.gov.ru, echelon.gov, are known to have the sort of devices necessary to intercept these messages. GOBBLES understand that the level of complexity of intercepting infrared communications is rather difficult but it does not make this vulnerability any less severe.

Imagine the following scenario. Professor GOBBLES is teaching he math class at Secure University and all students here use the HP48 series of calculators because it is one GOBBLES requirements for the course is to have one of them (hehehe GOBBLES really do like this product good work HP ;). Now one day GOBBLES is sitting at a desk doing math problem on his calculator writing the test questions for the exam. When GOBBLES all finished with his calculator work he point the calculator at his iMAC (real math people use MAC's for their desktops since they are many fast and Maple run so excellently on it) to upload all the exam equations for printing.

Meanwhile unknown to GOBBLES are his students activities. Secure University gets government fundings to research electronic surveillance techniques and they have an arsenal of experimental prototype surveillance devices.
GOBBLES students know of this (because Chris is in GOBBLES class and also in a research group for developing these devices). So then the students penetrate into this facility to "borrow" a device for a little while. They take the device and climb a tree out side of GOBBLES office and point it at his calculator while he doing his equations...

Now back in the office GOBBLES hit "send" and is uploading to his computer. But what GOBBLES do not know is that his students are hiding up in the tree with the stolen government spy device! So now the students up in the tree have captured all the test questions and answers and are prepared to score perfectly on their tests! Now they break back into the stronghold and return the stolen espionage machine (but not the data it find) and no one knows any better!

Now this is just a hypothetical scenario demonstrating how this vulnerability might be exploited by non-government spies in the academic world. GOBBLES is not really a Professor GOBBLES but maybe someday he would like to be, but until then he is just the leader of a security research group. In the academic world students are sometimes privy to such devices since universities such as Secure University (hehehe it is just an example do not be upset that it is not a real place hehehe) and it is well known fact that universities get lots of financing from governments to do research and also it is well known that universities are often very lax in physical security so such devices could easily be stolen or "borrowed" for this sort of incident.

So the problem is that these calculators use a faulty insecure communication method that is almost as poorly designed as 802.11b.

By now GOBBLES hope you get the idea about this. =)

FIXES
*****

As of now there is no fix. The fix for this bug will probably be HP releasing a new model of calculators that utilize some sort of new protocol similar to IPSEC for their new calculators to use to prevent sniffing attacks.
Until then GOBBLES proposes that you purchase a serial communication cable for your calculators to communicate across so that there is no wireless transmissions taking place that can be intercepted.

VENDOR NOTIFICATION
*******************

GOBBLES team has alerted used a web submission form on www.hp.com/go/hpux to alert Hewlett Packard about the bugs. At this time GOBBLES have received no answer from them and have decided it is the right time to fully disclose this information.

GREETS
******

dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, goverment boy, ralph lauren, kevin mitnick, david koresh, the violent femmes (especially gordan gano), Legions of Doom, all our new friends from security.nnov.ru, and all our friends and family.

GOBBLES Security Systems
GOBBLES@hushmail.com
http://www.bugtraq.org

oh yeah and GOBBLES have learned that Lady Caroline from the Cult of the Dead Cows is not the same person as Carolyn Meinel and that it was completely wrong, many apologies to Ms. Meinel for the confusion. The mistake was that Carolyn and Caroline look many similar to an untrained eye. Sorry!

http://www.bugtraq.org/funny/ntdll.jpg (heh heh heh!)
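
An added example, not part of the original advisory and not HP's code: a minimal Kermit packet builder and parser showing that the framing the advisory describes carries its payload as readable text, with a block check that detects line noise but gives no confidentiality. It assumes the basic Kermit packet layout with the type-1 block check and 7-bit data (no 8-bit or repeat-count prefixing); the sample payload is constructed.

```python
"""Decode a Kermit packet the way any receiver can (constructed sample data)."""
SOH, QCTL = 0x01, ord("#")   # packet start mark, control-quote prefix

def tochar(n): return n + 32          # Kermit's printable encoding of small ints
def unchar(c): return c - 32

def check1(body: bytes) -> int:
    """Type-1 block check over LEN..last data byte: a 6-bit arithmetic sum."""
    s = sum(body)
    return tochar((s + ((s & 192) >> 6)) & 63)

def quote(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        if b < 32 or b == 127:        # control char -> '#' + printable form
            out += bytes([QCTL, b ^ 64])
        elif b == QCTL:               # a literal '#' is doubled
            out += bytes([QCTL, QCTL])
        else:
            out.append(b)
    return bytes(out)

def unquote(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == QCTL:
            if i + 1 >= len(data):
                raise ValueError("dangling quote prefix")
            i += 1
            b = data[i] if data[i] == QCTL else data[i] ^ 64
        out.append(b)
        i += 1
    return bytes(out)

def build_packet(seq: int, ptype: str, data: bytes) -> bytes:
    payload = quote(data)             # LEN counts SEQ + TYPE + DATA + CHECK
    body = bytes([tochar(len(payload) + 3), tochar(seq % 64), ord(ptype)]) + payload
    return bytes([SOH]) + body + bytes([check1(body)])

def parse_packet(raw: bytes):
    """Return (seq, type, data, checksum_ok); no key or secret is involved."""
    if len(raw) < 5 or raw[0] != SOH:
        raise ValueError("not a Kermit packet")
    length = unchar(raw[1])
    if length < 3 or len(raw) < length + 2:
        raise ValueError("truncated packet")
    body, check = raw[1:1 + length], raw[1 + length]
    return unchar(body[1]), chr(body[2]), unquote(body[3:]), check == check1(body)

# Constructed sample: one data ('D') packet carrying an equation as text.
SAMPLE = build_packet(2, "D", b"X^2+3*X-7\r\n")
```

The equation appears verbatim inside `SAMPLE`, so protecting it needs encryption above the transfer protocol or a wired link, as the FIXES section suggests.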