More than six months after admitting there was a Bluetooth security flaw in a number of its mobile phone handsets, Nokia said it has released a software upgrade that fixes the vulnerabilities.
In February, Nokia and Sony Ericsson admitted that some of their Bluetooth-enabled mobile phones were vulnerable to "bluesnarfing", in which an attacker can read, modify and copy a phone's address book and calendar without leaving any trace of the intrusion.
Some handsets contained an even more serious vulnerability that allowed the phone to be "taken over" by the attacker, who could then use it to make phone calls, send text messages or even modify the handset's settings.
Once the problems were discovered, Sony Ericsson offered to update any affected handsets but Nokia said it did not think the vulnerabilities were serious enough to warrant an upgrade.
However, following pressure from customers, Nokia announced in May that it would provide a software upgrade in "the summer" but did not set a firm date for its release.
On Thursday, Nokia confirmed that it had released updates for five of its handsets and reiterated that it will issue fixes for all remaining vulnerable devices by the end of the summer.
"Nokia will introduce a software update in summer 2004 to address Bluetooth security in certain Nokia mobile device models. For many of them (Nokia 6230, Nokia 6650, Nokia 6810, Nokia 6820, Nokia 7200) the upgrade is already available," Nokia said in a statement.
However, Nokia could not clarify exactly where customers might get hold of the patches or even whether they will be able to apply it themselves.
Further details are expected in the near future.
Security experts have said it is important that users do upgrade their phones because more cracking and hacking Web sites have started publishing software tools designed to help nontechnical users launch a bluesnarfing attack.
Tim Ecott, manager of the S3 (ethical hacking) team at security firm Integralis, said bluesnarf "cook books" are starting to appear.
"Rest assured they do exist. They are certainly not widespread at this stage but there are a number of locations where this code is exchanged and explored by various people. Our company is aware of some of these locations and has used some of the information to develop code to test the vulnerability in the first place," Ecott said.
Mark Rowe, an IT security consultant at Pentest, which was one of the companies that first discovered the problem, said more people are learning how to carry out bluesnarfing and similar attacks; and because the upgrade hasn't been made available, the only way users can guarantee their safety is by turning Bluetooth off.
But Integralis's Ecott said Nokia was probably not treating the matter with great urgency because overall the risk is relatively low. He said a potential victim would need to have a vulnerable phone with Bluetooth switched to visible; then they would have to be in close proximity to the attacker; and finally, the bluesnarfer would need some reason to attack their particular phone.
"If you are at an airport with a bit of time to kill, you could sit at a hot spot and try and get on the Web via someone else's phone. There are examples where all the required conditions may well come together, but not in sufficient numbers to cause Nokia to lose any sleep," Ecott said.
Talkback
well thats not the way to get market share and confidence is it!
The virus seemed to only be a Proof of Concept bug. However, just knowing that the problem can be solved is a step in the right direction. It's great how companies such as Nokia see the importance of this. Agree?
I contacted Nokia about this patch for my 6820 phone and this is the response I got. Needless to say I am very unhappy with Nokia's response
Dear Brian,
Thank you for e-mailing Nokia's Contact Center.
We understand your concern about the recently announced security issue with Bluetooth enabled devices. We understand your concern about the recently announced security issue with Nokia devices that use Bluetooth technology.
Nokia takes all security issues seriously and we constantly develop and integrate advanced security features in all of our products.
Nokia is aware of claims that there are security issues relating to malicious attempts by hackers to access another user's mobile device that uses Bluetooth technology. To date, Nokia is not aware of any confirmed attacks against Bluetooth enabled phones, however, Nokia manufacturers several phone models that use Bluetooth technology and Nokia is addressing Bluetooth security concerns for them. We believe the real security threat is minimal. To date, the incidents have been limited to laboratory tests and publicity stunts.
We invite you to visit Nokia’s web site where you may read the latest information about Nokia’s security solutions for Nokia phone models that feature Bluetooth technology. Please visit <http://www.nokia.com/nokia/0,,56221,00.html>. This web page is updated on a regular basis.
If you have any additional questions, please contact us. To ensure proper handling, please continue to use the current subject line.
Thank you for choosing Nokia for your mobile needs.