Mac OS Bluetooth exploit – Inqtana.d

October 25, 2006

Inqtana.d is a proof-of-concept exploit, not yet seen in the wild, that is installed on a Mac OS X computer via Bluetooth from a computer or PDA running a Linux system.

This can affect Macs running Mac OS X 10.3 and 10.4 that have not been updated with all available security updates or system updates. Bluetooth must be active, but Bluetooth file transfer does not need to be turned on. The attacking computer must be within Bluetooth range, which by default is 10 m or 30 ft but can be extended with repeaters and/or antennas.

This exploit is installed from a Linux system and exploits an RFCOMM security hole in the Bluetooth software. Unlike previous versions of the Inqtana malware, no user interaction is required. It installs a user account (named “bluetooth”) with no password, which grants root access to malicious users logging into this account. This account is available immediately, and computers running Mac OS X 10.4 do not need to be restarted (Macs running OS X 10.3 do need to be restarted).

The exploit installs a number of files on computers it attacks, and the user account it installs contains a backdoor that allows malicious users to log into that account by any network means (Ethernet or AirPort). Once the exploit has been installed, Bluetooth is no longer needed to take advantage of it. Users with updated Mac OS X systems will already have installed a security update that protects against this vulnerability.

Apple’s security update 2005-005 protects against this vulnerability in Mac OS X 10.3; Apple’s Mac OS X 10.4.7 update protects against this vulnerability in computers running Mac OS X 10.4. If users have not installed these updates, they should do so, along with all subsequent security updates.
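
A defender's triage of the two conditions described above (patch level and the presence of the "bluetooth" account), as an added example that is not part of the original article. The `name:uid:passwd` input format, the function names and the sample accounts are assumptions constructed for illustration.

```shell
# Added example (not from the original article): offline triage logic.
# Account input format "name:uid:passwd" is an assumed, constructed export;
# an empty third field stands for "no password".

# exposure VERSION: patch status per the article's fix levels
# (10.3 -> Security Update 2005-005, 10.4 -> 10.4.7 update).
exposure() {
    major=$(echo "$1" | cut -d. -f1)
    minor=$(echo "$1" | cut -d. -f2)
    patch=$(echo "$1" | cut -d. -f3)
    case "$patch" in ''|*[!0-9]*) patch=0 ;; esac   # "10.4" means 10.4.0
    if [ "$major" != "10" ]; then echo "out-of-scope"; return 0; fi
    case "$minor" in
        3) echo "check-security-update-2005-005" ;;  # version alone cannot tell
        4) if [ "$patch" -ge 7 ]; then echo "patched"; else echo "needs-10.4.7"; fi ;;
        *) echo "out-of-scope" ;;
    esac
}

# find_backdoor_account: reads account lines on stdin, reports any account
# named "bluetooth" (the account name the article gives).
find_backdoor_account() {
    while IFS=: read -r name uid passwd; do
        [ "$name" = "bluetooth" ] || continue
        state=password-set; [ -n "$passwd" ] || state=empty-password
        echo "FOUND bluetooth uid=$uid $state"
    done
}

# triage VERSION < accounts: the account check wins over patch level, because
# the backdoor is reachable over the network without Bluetooth once installed.
triage() {
    acct=$(find_backdoor_account)
    exp=$(exposure "$1")
    if [ -n "$acct" ]; then
        echo "COMPROMISE-INDICATOR: $acct ($exp)"
    elif [ "$exp" = "patched" ] || [ "$exp" = "out-of-scope" ]; then
        echo "OK: $exp"
    else
        echo "EXPOSED: $exp"
    fi
}

# Constructed sample data (names, uids and fields are illustrative).
SAMPLE_ACCOUNTS='root:0:*
alice:501:********
bluetooth:502:'
printf '%s\n' "$SAMPLE_ACCOUNTS" | triage 10.4.7
```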
