Bluesnarfing tools 'spreading quickly'

Bluesnarfing tools 'spreading quickly'

Summary: The software tools required to steal information from Bluetooth-enabled mobile phones are widely available on the Web, and knowledge of how to use them is growing, according to a researcher

TOPICS: Networking

An MP has called for mobile phone manufacturers to make a greater effort and fix the Bluetooth security problems in their handsets after a researcher revealed that software tools enabling a bluesnarf attack are widely available on the Internet.

Bluesnarfing is a method of hacking into a Bluetooth-enabled mobile phone and copying its entire contact book, calendar or anything else stored in the phone's memory. Nokia and Sony Ericsson have admitted some of their handsets are vulnerable and although Sony Ericsson has made an effort to fix the problem, Nokia said the problem is not serious enough to warrant repairing.

Mark Rowe, consultant at security company Pentest, told ZDNet UK that the number of people that know how to perform the attack is quickly increasing and tools that enable the attack are widely available online. "We have been contacted by a number of security researchers that have worked out how to do it themselves without any help from us," Rowe said. "We were concerned when the information was previously published and we were told you need special tools. But in reality, anybody who looked into it in any depth would quickly work out how the attack is possible."

Rowe urged the media not to publicise which tools are used in attacks because this "would make it really easy for somebody to work out what to do". A Web search revealed hundreds of sites distributing the tools.

According to Rowe, the problem lies in how manufacturers implemented the object exchange (OBEX) protocol, which is a common method used by mobile devices to exchange information. "It was a deliberate design decision not to include authentication -- that allows people to [easily] send business cards to each other," he said. But the companies had overlooked that this implementation would also mean files could be transferred back and forth without permission, he said.

Tom Watson, Labour MP for West Bromwich East and a Bluetooth-phone user, told ZDNet UK he is concerned about the privacy of consumers and hopes that mobile phone manufacturers will do more to help fix the problem. "Once again consumers have to bear the brunt of technological failure," he said. "This offers profound threats to people's privacy. The least the sector can do is put matters right," he said.

Rowe advises anyone with a Bluetooth handset to keep it in hidden mode or even better, switch Bluetooth off: "If devices are hidden they are very difficult to find. There are techniques to find hidden devices, but it is a brute-force method that would take a lot of time. If they are not in hidden mode, you can find their address by simply asking," he said.

Topic: Networking

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • i'd rather not have a phonebook on my phone than go without bluetooth.
  • Where are all these tools you're talking about? The most I can find is that AL Digital has resisted releasing the tool.
  • Surely it's only Managing Directors (who don't know how to use them) and "luddites" who wander around with Bluetooth enabled and full discoverable to other devices, or am I being a tad cynical here ?
  • I believe that there is a good protective measure on the market. When you want to ensure maximum protection, use an E2X bag. They are at www.e2xgear and originate from technology used to counter electronic espionage efforts directed against the US intelligence community.

    Since the manufacturers of wireless technologies seem uninterested in correcting product design vulnerabilities, it may be necessary for consumers to step in and take measures to ensure their privacy is protected. One thing is for certain, this is only the beginning of privacy issues for consumers who find wireless electronics becoming an integral part of daily life.
  • Suppose i have an attack, what immediate measures should be taken in order to secure my device of further suspected attacks?