Networking and security company AL Digital said on Monday that it had discovered a security flaw in Bluetooth, a wireless data standard, that could allow such an attack. The flaw affects a number of Sony Ericsson, Ericsson and Nokia handsets, but some models--including a handful of Nokia phones--are at greater risk because they invite attack even when in "invisible mode," according to AL Digital.
A Nokia representative told ZDNet UK that the Finnish device maker is aware of "security issues" relating to devices with Bluetooth that "(make) it possible to download and modify phone book, calendar and other information on the phone without the owner's knowledge or consent, if Bluetooth is turned on."
However, the representative said the attack was possible only if the phone was in "visible" mode, or when it is set to actively search for other Bluetooth devices. Nokia said that a bluesnarf attack "may happen in public places, if a device is in the visible mode and the Bluetooth functionality is switched on. The phones vulnerable to 'snarf' attack include the Nokia 6310, 6310i, 8910 and 8910i phones as well as devices from another manufacturer."
According to Nokia, if an attacker had physical access to a 7650 model, a bluesnarf attack would not only be possible, but it would also allow the attacker's Bluetooth device to "read the data on the attacked device and also send SMS messages and browse the Web via it."
The company said it had not been able to recreate this backdoor attack on the 6310 handset, and would not confirm if other models were vulnerable to it.
Nokia also said that its 6310i handset is vulnerable to a denial-of-service attack when it receives a "corrupted" Bluetooth message: "A DoS attack would happen if a malicious party sends a malformated Bluetooth...message to reboot a victim's Nokia 6310i. We have repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310i phone," said the representative, who sought to reassure customers by saying that following the crash, the phone will reset and function normally.
A Sony Ericsson representative told ZDNet UK the company is "looking into" the matter and expected to make a statement on Tuesday.
Handsets at risk
England-based AL Digital said that the risk of a bluesnarf attack was highest for the four phone models listed by Nokia. Some models were described as more vulnerable than others in invisible mode, in which the handset is not supposed to broadcast its identity and should refuse connections from other Bluetooth devices.
"On some models of phone, you are only vulnerable to attack if you are on visible mode; however, there are other models of phones where you are vulnerable even in nonvisible mode," said Adam Laurie, chief security officer at AL Digital.
AL Digital has developed several proof-of-concept utilities, but has not released them, Laurie said. The utilities include Bluestumbler, designed to monitor and log all visible Bluetooth devices (name, MAC address, signal strength, capabilities), and identify the manufacturer from MAC address lookup; and Bluesnarf, which can copy data from a target device.
According to AL Digital's Bluestumbler Web site, vulnerable phones include: Ericsson T68; Sony Ericsson R520m, T68i, T610 and Z1010; and Nokia 6310, 6310i, 7650, 8910 and 8910i.
Laurie said he discovered the problem when he was asked to test how safe Bluetooth devices actually were. "Before we deploy any new technology for clients or our own staff, one of my duties is to investigate that technology and ensure it is secure--actually rolling your sleeves up and looking at it, not just taking the manufacturers' claims at face value. When I did that, I found that it is not secure," he said.
According to Laurie, he can initiate a bluesnarfing attack from his laptop after making a modification to its Bluetooth settings. "It is a standard Bluetooth-enabled laptop, and the only special bit is the software I am using in the Bluetooth stack. I have a modified the Bluetooth stack, and that enables me to perform this attack," he said.
Bluesnarfing has huge potential for abuse because it leaves no trace and victims will be unaware that their details have been stolen, Laurie said. "If your phone is in your pocket, you will be completely unaware."
Although the problem may affect other Bluetooth devices, such as laptops, Laurie said they are more difficult to target because the systems are more complex. "(Mobile phones) are liable to be more vulnerable simply because the resources for menus and configuration are limited. Manufacturers try and make Bluetooth simple to use on phones, so you don't have much granularity in setting options. On a lot of phones, Bluetooth is either on or off," he said.
Laurie said that for now, there is no fix available. He said that the only way to be completely safe is to switch off the Bluetooth functionality.
Nokia will not be releasing a fix for its devices in the near future because the attacks are limited to "only a few models" and it does not expect them to "happen at large," the Nokia representative said. The company is advising customers in public places to set their phones to invisible or switch the Bluetooth functionality off.
"In public places, where the above-mentioned devices with Bluetooth technology might be targets of malicious attacks--at least in theory--the safest way to prevent hackers is to set the device in nondiscoverable mode--'hidden'--or switch off the Bluetooth functionality. This does not affect other functionalities of the phone," the Nokia representative said.