++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! INSECURE WIRELESS COMMUNICATION PROTOCOL WITH HP CALCULATOR! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ The researchers from GOBBLES Labs are pleased to bring the security community with the first research paper concerning the security of handheld calculators. This research has been inspired by the hours of research of PDA security contributed to the security community from @stake (www.atstake.com) who are also the Hackers Formerly Known as The L0pht (tHFKaTL). GOBBLES members are entering a Brave New World of security research and development and hacking now that we are extending our hacking from just operating systems and networking to now new realms of computer science and security where few researchers have yet dared to go. GOBBLES understand that there are some confusion concerning the operation of his group website www.bugtraq.org and now to make the record clear he would like to say that first www.bugtraq.org is a dot organisation which mean that it is not a for-profit group of any sort. We may not all be good for speaking English but we are good for contributing new security information to the security community free of charge. GOBBLES get upset when he get email from people like Mr. Merit James who brag he have a CISSP and other worthless certifications and who can only mock GOBBLES English when he himself do not do anything but leech off the independant nonprofit researchers such as GOBBLES and his team who submit their hard work and research for nothing. Like that little rabbit Humper in the deer cartoon movie say, "If you don't got anything nice to say, don't say nothing at all!" GOBBLES do not like making personal references to individuals in our advisories such as we did with Mr. James but it is felt that he a good example for this problem. He probably is not such a bad guy once you get to know him in person but he can be a real asshole online! After searching for his name for a while on securityfocus.com and reading his posts all we can find submitted from him is him regurgitating the words and ideas of others and showing off in his email signature that he has a CISSP degree but offers no useful or unique ideas of he own! OK, now it is on to the advisory time hehehehe. PRODUCT ******* Hewlett Packard 48 Series Calculators webpages at http://www.hp.com SECURITY HISTORY **************** To the best of the www.google.com (hehehe we like google.com because it is a lot like GOBBLES in spelling hehehehe ) research that GOBBLES members have done they can not find any other security problems being reported with these devices yet. GOBBLES know that a lot of people do security research on things and that sometimes different organisations will do the same research at different points in time independantly of eachother and get the same findings and publish them not knowing that the other group have done the same thing. This happened with the Netscape Mail bug that GOBBLES did find and publish when we were informed that another security researcher had found the same bug earlier and already submitted a report on it. It is a sad state of affairs when a bug is reported years in past and the developers do not a thing to fix the problem and it is reuncovered by other security researchers in the future. Maybe at some point software developers are to become more concerned with fixing the bugs in their softwares rather than to only introduce more new ones! This seems to be a idiot practice to GOBBLES who think that not fixing bugs and putting new ones in a program is not a smart thing for software developers to do! If once again GOBBLES background research into the security history of our subject have failed and you have already made this research known to the world we are very sorry. GOBBLES take good pride in being able to find their own bugs and we are not avid readers of certain mailinglists where many advisories are published only because said lists have sometimes become over commercialized and GOBBLES has some opposition to big capitialist machines which is not to say it is wrong to make money off doing what we all love to do but it sometimes is wrong to do it off the labor of hobbyist researchers which can often be the cases. GOBBLES submit that this is the first research known on the security of advanced calculators. ;) BACKGROUND ********** A while ago when GOBBLES himself was a student of Advanced Mathematics at he University he was taking Extreme Mathematics course which required the purchase of a sophisticated adding machine. While all GOBBLES peers were purchasing the standard TI (Texas Instruments) Advanced Calculator Models (mostly TI-85 at the time but some have bought TI-92 which look a lot like the new Nintendo Gameyboy Advance, GOBBLES suspect that Nintendo ripped off the design from Texas Instruments hehehe), GOBBLES decided to buy a Hewlett Packard Calculator. He bought a 48G which is a really nice machine. Amongst many of the advance features of this device is that it have a built in infrared communications port by which it can communicate data between itself and other calculators with the same feature and also between other devices such as laptops and desktop computers that also can support infrared communications. It is here that the problem that GOBBLES discover is. . . DESCRIPTION OF PROBLEM ********************** The calculator can communicate with either plain ASCII communications over infrared streams or with tunnelled KERMIT protocol over the same infrared streams. The trouble are that these are submitted through the atmosphere with out any means of encryption leaving the data to be easily intercepted by anyone who is trying to. Since many architects and physicists use these models of calculators, this could be very bad since sensitive information can be intercepted by evil parties who are using sophisticated electronic listening devices to listen in on the communications. Sensitive data like equations and graph data can be easily intercepted this way. This is a serious problem given the nature of the type of work that these devices are commonly used by (GOBBLES math professors have confirmed that many nuclear researchers use these devices because they like the stack-orientated operations the processors use in the calculators which makes them a better machine to use in advanced and complicated research fields of science). Organisations such like cia.gov, nsa.gov, kgb.gov.ru, echelon.gov, are known to have the sort of devices necessary to intercept these messages. GOBBLES understand that the level of complexity of intercepting infrared communications is rather difficult but it does not make this vulnerabilty any less severe. Imagine the following scenario. Professor GOBBLES is teaching he math class at Secure University and all students here use the HP48 series of calculators because it is one GOBBLES requirements for the course is to have one of them (hehehe GOBBLES really do like this product good work HP ;). Now one day GOBBLES is sitting at a desk doing math problem on his calculator writing the test questions for the exam. When GOBBLES all finished with his calculator work he point the calculator at his iMAC (real math people use MAC's for their desktops since they are many fast and Maple run so excellently on it) to upload all the exam equations for printing. Meanwhile unknown to GOBBLES are his students activities. Secure University gets goverment fundings to research electronic surveillence techniques and they have an arsenal of experimental prototype surveillence devices. GOBBLES students know of this (because Chris is in GOBBLES class and also in a research group for developing these devices). So then the students penetrate into this facility to "borrow" a device for a little while. They take the device and climb a tree out side of GOBBLES office and point it at his calculator while he doing his equations... Now back in the office GOBBLES hit "send" and is uploading to his computer. But what GOBBLES do not know is that his students are hiding up in the tree with the stolen goverment spy device! So now the students up in the tree have captured all the test questions and answers and are prepared to score perfectly on their tests! Now they break back into the stronghold and return the stolen espionage machine (but not the data it find) and no one knows any better! Now this is just a hypothetical scenario demonstrating how this vulnerability might be exploited by non-goverment spies in the academic world. GOBBLES is not really a Professor GOBBLES but maybe someday he would like to be, but until then he is just the leader of a security research group. In the academic world students are sometimes privy to such devices since universities such as Secure University (hehehe it is just an example do not be upset that it is not a real place hehehe) and it is well known fact that universities get lots of financing from goverments to do research and also it is well known that universities are often very lax in physical security so such devices could easily be stolen or "borrowed" for this sort of incident. So the problem is that these calculators use a faulty insecure communication method that is almost as poorly designed as 802.11b. By know GOBBLES hope you get the idea about this. =) FIXES ***** As of now there is no fix. The fix for this bug will probably be HP releasing a new model of calculators that utilize some sort of new protocol similar to IPSEC for their new calculators to use to prevent sniffing attacks. Until then GOBBLES proposes that you purchase a serial communication cable for your calculators to communicate across so that there is no wireless transmissions taking place that can be intercepted. VENDOR NOTIFICATION ******************* GOBBLES team has alerted used a web submission form on www.hp.com/go/hpux to alert Hewlett Packard about the bugs. At this time GOBBLES have received no answer from them and have decided it is the right time to fully disclose this information. GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, goverment boy, ralph lauren, kevin mitnick, david koresh, the violent femmes (especially gordan gano), Legions of Doom, all our new friends from security.nnov.ru, and all our friends and family. GOBBLES Security Systems GOBBLES@hushmail.com http://www.bugtraq.org oh yeah and GOBBLES have learned that Lady Caroline from the Cult of the Dead Cows is not the same person as Carolyn Meinal and that it was completely wrong, many apologies to Ms. Meinal for the confusion. The mistake was that Carolyn and Caroline look many similar to an untrained eye. Sorry! http://www.bugtraq.org/funny/ntdll.jpg (heh heh heh!)