An MP has called for mobile phone manufacturers to make a greater effort and fix the Bluetooth security problems in their handsets after a researcher revealed that software tools enabling a bluesnarf attack are widely available on the Internet.
Bluesnarfing is a method of hacking into a Bluetooth-enabled mobile phone and copying its entire contact book, calendar or anything else stored in the phone's memory. Nokia and Sony Ericsson have admitted some of their handsets are vulnerable and although Sony Ericsson has made an effort to fix the problem, Nokia said the problem is not serious enough to warrant repairing.
Mark Rowe, consultant at security company Pentest, told ZDNet UK that the number of people that know how to perform the attack is quickly increasing and tools that enable the attack are widely available online. "We have been contacted by a number of security researchers that have worked out how to do it themselves without any help from us," Rowe said. "We were concerned when the information was previously published and we were told you need special tools. But in reality, anybody who looked into it in any depth would quickly work out how the attack is possible."
Rowe urged the media not to publicise which tools are used in attacks because this "would make it really easy for somebody to work out what to do". A Web search revealed hundreds of sites distributing the tools.
According to Rowe, the problem lies in how manufacturers implemented the object exchange (OBEX) protocol, which is a common method used by mobile devices to exchange information. "It was a deliberate design decision not to include authentication -- that allows people to [easily] send business cards to each other," he said. But the companies had overlooked that this implementation would also mean files could be transferred back and forth without permission, he said.
Tom Watson, Labour MP for West Bromwich East and a Bluetooth-phone user, told ZDNet UK he is concerned about the privacy of consumers and hopes that mobile phone manufacturers will do more to help fix the problem. "Once again consumers have to bear the brunt of technological failure," he said. "This offers profound threats to people's privacy. The least the sector can do is put matters right," he said.
Rowe advises anyone with a Bluetooth handset to keep it in hidden mode or even better, switch Bluetooth off: "If devices are hidden they are very difficult to find. There are techniques to find hidden devices, but it is a brute-force method that would take a lot of time. If they are not in hidden mode, you can find their address by simply asking," he said.
Talkback
i'd rather not have a phonebook on my phone than go without bluetooth.
www.blueserker.com
Where are all these tools you're talking about? The most I can find is that AL Digital has resisted releasing the tool.
Surely it's only Managing Directors (who don't know how to use them) and "luddites" who wander around with Bluetooth enabled and full discoverable to other devices, or am I being a tad cynical here ?
I believe that there is a good protective measure on the market. When you want to ensure maximum protection, use an E2X bag. They are at www.e2xgear and originate from technology used to counter electronic espionage efforts directed against the US intelligence community.
Since the manufacturers of wireless technologies seem uninterested in correcting product design vulnerabilities, it may be necessary for consumers to step in and take measures to ensure their privacy is protected. One thing is for certain, this is only the beginning of privacy issues for consumers who find wireless electronics becoming an integral part of daily life.
Suppose i have an attack, what immediate measures should be taken in order to secure my device of further suspected attacks?