Bluetooth phones at risk from 'snarfing'

A security flaw has been discovered in Bluetooth that lets an attacker download all contact details along with other information from a vulnerable phone, while leaving no trace of the attack.

Unlike bluejacking, which is where users can send a message to Bluetooth phones without authorisation, this latest discovery for the wireless-data standard allows data, such as telephone numbers and diary entries, stored in a vulnerable device to be stolen by the attacker. The new exploit is called bluesnarfing.

Bluesnarfing is said to affect a number of Sony Ericsson, Ericsson and Nokia handsets, but some models are at greater risk because they invite attack even when in 'invisible mode' -- in which the handset is not supposed to broadcast its identity and should refuse connections from other Bluetooth devices.

Adam Laurie, chief security officer at UK networking and security firm AL Digital, told ZDNet UK that the Nokia 6310, 6310i, 8910 and 8910i models were at greatest risk. "On some models of phone, you are only vulnerable to attack if you are on visible mode; however, there are other models of phones where you are vulnerable even in non-visible mode," he said.

Laurie said he discovered the problem when he was asked to test how safe Bluetooth devices actually were. "Before we deploy any new technology for clients or our own staff, one of my duties is to investigate that technology and ensure it is secure. Actually rolling your sleeves up and looking at it, not just taking the manufacturers' claims at face value. When I did that, I found that it is not secure," he said.

According to Laurie, he can initiate a bluesnarfing attack from his laptop after making a modification to its Bluetooth settings: "It is a standard Bluetooth-enabled laptop and the only special bit is the software I am using in the Bluetooth stack. I have a modified the Bluetooth stack and that enables me to perform this attack," he said.

Bluesnarfing has huge potential for abuse because it leave no trace and victims will be unaware that their details have been stolen: "If your phone is in your pocket, you will be completely unaware," he said.

Laurie said he has had trouble getting the major handset manufacturers to admit the problem exists: "I have had experts telling me that it can't possibly exist because they have been trying to do this and failing."

Although the problem may affect other Bluetooth devices, such as laptops, Laurie said they are more difficult to target because the systems are more complex: "Mobiles are liable to be more vulnerable simply because the resources for menus and configuration are limited. Manufacturers try and make Bluetooth simple to use on phones, so you don't have much granularity in setting options. On a lot of phones, Bluetooth is either on or off," he said.

Laurie said that for now, there is no fix available. He said that the only way to be completely safe is to switch off the Bluetooth functionality.

AL Digital has developed several proof-of-concept utilities, but has not released them into the wild, said Laurie. They include: Bluestumbler, to monitor and log all visible Bluetooth devices (name, MAC address, signal strength, capabilities), and identify the manufacturer from MAC address lookup; and Bluesnarf, which can copy data from a target device.

According to the AL Digital's bluestumbler Web site, vulnerable phones include: Ericsson T68; Sony Ericsson R520m, T68i, T610 and Z1010; and Nokia 6310, 6310i, 7650, 8910 and 8910i.

Nokia and Sony Ericsson were not immediately available for comment.