++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
ALERT! INSECURE WIRELESS COMMUNICATION PROTOCOL WITH HP CALCULATOR! ALERT!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The researchers from GOBBLES Labs are pleased to bring the security
community with the first research paper concerning the security of
handheld calculators.  This research has been inspired by the hours of
research of PDA security contributed to the security community from @stake
(www.atstake.com) who are also the Hackers Formerly Known as The L0pht
(tHFKaTL).  GOBBLES members are entering a Brave New World of security
research and development and hacking now that we are extending our hacking
from just operating systems and networking to now new realms of computer
science and security where few researchers have yet dared to go.

GOBBLES understand that there are some confusion concerning the operation
of his group website www.bugtraq.org and now to make the record clear he
would like to say that first www.bugtraq.org is a dot organisation which
mean that it is not a for-profit group of any sort.  We may not all be
good for speaking English but we are good for contributing new security
information to the security community free of charge.  

/* GOBBLES have resubmitted this to the mailing lists.  Here is reason
   that GOBBLES advisory was not published earlier.

>>>>> -------------------- >>>>>
I don't allow messages with personal attacks.  You'll notice that none
of the ones about you were allowed to the list.  Plus, I don't
consider pointing out that something unencrypted is subject to
interception to be much of an advisory.

                                        BB

<<<<< -------------------- <<<<<

   This were in one of GOBBLES email boxes today concerning this advisory.
   What had happened is that a certain someone from this list had sent
   some mean email to GOBBLES about his poor English because when GOBBLES
   published he group advisory on the /bin/gzip bug it was accidently 
   called multiple vulnerability in /bin/gzip when only we gave the detail
   on one of the different bugs that were found.  There were many other
   but GOBBLES did not find it necessary to write them all up because just
   the one showed was good enough for the advisory.  Yes GOBBLES did find
   multiple vulnerabilities and anyone with half a brain and a few moment
   of time and a copy of the /bin/gzip advisory in hand should have been
   able to figure them out for theirselves and not need GOBBLES to detail
   each one to them.  Anyhow yes GOBBLES suppose that he wrong on the name
   of advisory but that is not a god reason for people to make such a 
   personal attack on he concerning poor English.  GOBBLES took the attack
   to heart and when finishing up this advisory (well the first advisory
   on the subject this version is editted) GOBBLES was still many upset
   and he better judgement aside put in some unkind observations about the
   fellow securityfocus.com pentester who had made such rude comments to
   GOBBLES.  In hindsight GOBBLES is appreciative to the Blue Boar for not
   publishing the advisory in that form for that it reflect poorly on
   GOBBLES character as a human beings and even poorer reflect the other
   researchers from GOBBLES Security.  The Blue Boar were right and was 
   kind enough to not publish the unkind words spoken out against GOBBLES 
   that were so inappropriate and immature.  For this version of the
   advisory those have been removed and replaced with GOBBLES heartfelt
   apologies for GOBBLES never should have gone down to the level of that
   penetrator who spoke unkindly towards GOBBLES.  GOBBLES are man enough 
   to admit he make a mistake when insulting others and will do best to
   grow up and stop making such kiddish mistakes.  Sorry to all who were
   affected by this.  GOBBLES mostly sorry to the rest of the security
   community that did not get this information on time because of the
   moderation of it due to the off topic insults that were added in it
   regarding the character and worth of fellow reader.  GOBBLES work hard
   so it should not happen again.  Again GOBBLES sorry.

   LOVE,
   GOBBLES
   GOBBLES@hushmail.com
   http://www.bugtraq.org
*/

PRODUCT
*******

Hewlett Packard 48 Series Calculators
webpages at http://www.hp.com

SECURITY HISTORY
****************

To the best of the www.google.com (hehehe we like google.com
because it is a lot like GOBBLES in spelling hehehehe ) research that
GOBBLES members have done they can not find any other security problems
being reported with these devices yet.  GOBBLES know that a lot of people
do security research on things and that sometimes different organisations 
will do the same research at different points in time independantly of
eachother and get the same findings and publish them not knowing that the 
other group have done the same thing.  This happened with the Netscape Mail 
bug that GOBBLES did find and publish when we were informed that another
security researcher had found the same bug earlier and already submitted a 
report on it.  It is a sad state of affairs when a bug is reported years in 
past and the developers do not a thing to fix the problem and it is
reuncovered by other security researchers in the future.  Maybe at some point 
software developers are to become more concerned with fixing the bugs in 
their softwares rather than to only introduce more new ones!  This seems to 
be a idiot practice to GOBBLES who think that not fixing bugs and putting
new ones in a program is not a smart thing for software developers to do!

If once again GOBBLES background research into the security history of our
subject have failed and you have already made this research known to the
world we are very sorry.  GOBBLES take good pride in being able to find
their own bugs and we are not avid readers of certain mailinglists where
many advisories are published only because said lists have sometimes
become over commercialized and GOBBLES has some opposition to big
capitialist machines which is not to say it is wrong to make money off
doing what we all love to do but it sometimes is wrong to do it off the
labor of hobbyist researchers which can often be the cases.

GOBBLES submit that this is the first research known on the security of
advanced calculators. ;)

BACKGROUND
**********

A while ago when GOBBLES himself was a student of Advanced Mathematics at
he University he was taking Extreme Mathematics course which required the
purchase of a sophisticated adding machine.  While all GOBBLES peers were
purchasing the standard TI (Texas Instruments) Advanced Calculator Models
(mostly TI-85 at the time but some have bought TI-92 which look a lot like
the new Nintendo Gameyboy Advance, GOBBLES suspect that Nintendo ripped
off the design from Texas Instruments hehehe), GOBBLES decided to buy a
Hewlett Packard Calculator.  He bought a 48G which is a really nice
machine.  

Amongst many of the advance features of this device is that it have a
built in infrared communications port by which it can communicate data
between itself and other calculators with the same feature and also
between other devices such as laptops and desktop computers that also can
support infrared communications.  It is here that the problem that GOBBLES
discover is. . .


DESCRIPTION OF PROBLEM
**********************

The calculator can communicate with either plain ASCII communications over
infrared streams or with tunnelled KERMIT protocol over the same infrared
streams.  The trouble are that these are submitted through the atmosphere
with out any means of encryption leaving the data to be easily intercepted
by anyone who is trying to.  Since many architects and physicists use
these models of calculators, this could be very bad since sensitive
information can be intercepted by evil parties who are using sophisticated
electronic listening devices to listen in on the
communications.  Sensitive data like equations and graph data can be
easily intercepted this way.  This is a serious problem given the nature
of the type of work that these devices are commonly used by (GOBBLES math
professors have confirmed that many nuclear researchers use these devices
because they like the stack-orientated operations the processors use in
the calculators which makes them a better machine to use in advanced and
complicated research fields of science).  Organisations such like cia.gov,
nsa.gov, kgb.gov.ru, echelon.gov, are known to have the sort of devices 
necessary to intercept these messages.  

GOBBLES understand that the level of complexity of intercepting infrared
communications is rather difficult but it does not make this vulnerabilty
any less severe.  Imagine the following scenario.

Professor GOBBLES is teaching he math class at Secure University and all
students here use the HP48 series of calculators because it is one GOBBLES
requirements for the course is to have one of them (hehehe GOBBLES really
do like this product good work HP ;).  Now one day GOBBLES is sitting at a
desk doing math problem on his calculator writing the test questions for
the exam.  When GOBBLES all finished with his calculator work he point the
calculator at his iMAC (real math people use MAC's for their desktops
since they are many fast and Maple run so excellently on it) to upload all
the exam equations for printing.

Meanwhile unknown to GOBBLES are his students activities.  Secure
University gets goverment fundings to research electronic surveillence
techniques and they have an arsenal of experimental prototype surveillence
devices.  GOBBLES students know of this (because Chris is in GOBBLES class
and also in a research group for developing these devices).  So then the
students penetrate into this facility to "borrow" a device for a little
while.  They take the device and climb a tree out side of GOBBLES office
and point it at his calculator while he doing his equations... 

Now back in the office GOBBLES hit "send" and is uploading to his
computer.  But what GOBBLES do not know is that his students are hiding up
in the tree with the stolen goverment spy device!  So now the students up
in the tree have captured all the test questions and answers and are
prepared to score perfectly on their tests!  Now they break back into the
stronghold and return the stolen espionage machine (but not the data it
find) and no one knows any better!

Now this is just a hypothetical scenario demonstrating how this
vulnerability might be exploited by non-goverment spies in the academic
world.  GOBBLES is not really a Professor GOBBLES but maybe someday he
would like to be, but until then he is just the leader of a security
research group.  In the academic world students are sometimes privy to
such devices since universities such as Secure University (hehehe it is
just an example do not be upset that it is not a real place hehehe) and it
is well known fact that universities get lots of financing from goverments
to do research and also it is well known that universities are often very
lax in physical security so such devices could easily be stolen or
"borrowed" for this sort of incident.

So the problem is that these calculators use a faulty insecure
communication method that is almost as poorly designed as 802.11b.  By
know GOBBLES hope you get the idea about this. =)

FIXES
*****

As of now there is no fix.  The fix for this bug will probably be HP
releasing a new model of calculators that utilize some sort of new
protocol similar to IPSEC for their new calculators to use to prevent
sniffing attacks.  Until then GOBBLES proposes that you purchase a serial
communication cable for your calculators to communicate across so that
there is no wireless transmissions taking place that can be intercepted.

VENDOR NOTIFICATION
*******************

GOBBLES team has alerted used a web submission form on www.hp.com/go/hpux
to alert Hewlett Packard about the bugs.  At this time GOBBLES have
received no answer from them and have decided it is the right time to
fully disclose this information.

GREETS
******

dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble,
knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org,
blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet,
bugtraq (thanks aleph1 and david ahmad for devoting your time to a great
list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin
bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley,
manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens,
radiohead, george michael, larry wall, beethoven, francis bacon, bruce 
willis, bruce schneier, alan turing, john von neumann, donald knuth, michael 
abrash, robert sedgewick, richard simmons, goverment boy, ralph lauren,
kevin mitnick, david koresh, the violent femmes (especially gordan gano),
Legions of Doom, all our new friends from security.nnov.ru, and all our
friends and family.


GOBBLES Security Systems
GOBBLES@hushmail.com
http://www.bugtraq.org


oh yeah and GOBBLES have learned that Lady Caroline from the Cult of the
Dead Cows is not the same person as Carolyn Meinal and that it was
completely wrong, many apologies to Ms. Meinal for the confusion.  The
mistake was that Carolyn and Caroline look many similar to an untrained
eye.  Sorry!

http://www.bugtraq.org/funny/ntdll.jpg (heh heh heh!)