Nokia admits multiple Bluetooth security holes

Summary:Nokia has admitted that a number of its Bluetooth handsets are vulnerable to bluesnarfing - in which data can be stolen from a phone without the owner's knowledge

Nokia has admitted that some of its Bluetooth-enabled mobile phones are vulnerable to "bluesnarfing", which is where an attacker could read, modify and copy a phone's address book and calendar without leaving any trace of the intrusion.

Following networking and security firm AL Digital's revelation that at least ten handsets from Nokia, Sony Ericsson and Ericsson were vulnerable to a bluesnarfing attack, a Nokia spokesperson told ZDNet UK that the company is aware of "security issues" relating to Bluetooth devices that "makes it possible to download and modify phone book, calendar and other information on the phone without the owner's knowledge or consent, if Bluetooth is turned on."

However, the spokesperson said the attack was only possible if the phone was in 'visible mode' where it is set to actively search for other Bluetooth devices. The company admitted that a bluesnarf attack "may happen in public places, if a device is in the 'visible' mode, and the Bluetooth functionality is switched on. The phones vulnerable to 'snarf' attack include the Nokia 6310, 6310i, 8910 and 8910i phones as well as devices from another manufacturer."

According to Nokia, if an attacker had physical access to the 7650, the bluesnarf attack would not only be possible, but it would also allow the attacker's Bluetooth device to "read the data on the attacked device and also send SMS messages and browse the Web via it." The company said it had not been able to recreate this "backdoor" attack on the 6310, but would not confirm if the other models were vulnerable.

Nokia also admitted that its 6310i handset is vulnerable to a Denial of Service attack when it receives a "corrupted" Bluetooth message: "A DoS attack would happen if a malicious party sends a malformatted Bluetooth... message to re-boot a victim's Nokia 6310(i). We have repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310(i) phone," said the spokesperson, who sought to reassure customers by saying that following the crash, the phone will reset and function normally.

Nokia will not be releasing a fix for the devices in the near future because it said the attacks are limited to "only a few models" and it does not expect them to "happen at large".

The company advises customers in public places to set their phones to "invisible" or switch the Bluetooth functionality off: "In public places, where the above mentioned devices with Bluetooth technology might be targets of malicious attacks, at least in theory, the safest way to prevent hackers is to set the device in non-discoverable mode -- 'hidden' -- or switch off the Bluetooth functionality. This does not affect other functionalities of the phone," the spokesperson said.

A Sony Ericsson spokesperson told ZDNet UK the company is "looking into" the matter and expected to make a statement on Tuesday.

Topics: Networking

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.Munir was recognised as Austr... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.