More than six months after
acknowledging a Bluetooth security flaw in a number of its mobile
phones, Nokia said it has released a software upgrade that fixes the
vulnerabilities in some of its products.
In February, Nokia and Sony Ericsson
admitted that some of their Bluetooth-enabled phones were vulnerable to
"bluesnarfing," which means that an attacker could read, modify and
copy the phone's address book and calendar without leaving any trace of

Some handsets contain an even more serious vulnerability that allows
the phone to be "taken over" by the attacker, who could then use it to
make phone calls, send text messages and modify the handset's settings.
Once the problems were discovered, Sony Ericsson offered to update
any affected handsets, but Nokia said it did not think the
vulnerabilities were serious enough to warrant an upgrade.
However, following pressure from customers, Nokia announced in May
that it would provide a software upgrade in "the summer" but did not
set a firm date for its release.
On Thursday, Nokia confirmed that it had released updates for five
of its handsets and reiterated that it will issue fixes for all
remaining vulnerable devices by the end of the summer. Fixes are now
available for the Nokia 6230, 6650, 6810, 6820 and 7200, the company
said in a statement.
The handset maker did not say exactly where customers might get the
patches or whether they will be able to apply the fixes themselves.
Security experts have said it is important that users upgrade their
phones, because more hacking Web sites have started publishing software
tools designed to help nontechnical users launch bluesnarfing attacks.
Tim Ecott, manager of the S3 ethical hacking team at security company Integralis, added that bluesnarfing "cookbooks" are starting to appear.
"Rest assured, they do exist," he said. "They are certainly not
widespread at this stage, but there are a number of locations where
this code is exchanged and explored by various people. Our company is
aware of some of these locations and has used some of the information
to develop code to test the vulnerability in the first place."
Mark Rowe, an IT security consultant at Pentest,
which was one of the companies that discovered the problem, said more
people are learning how to carry out bluesnarfing and similar attacks.
Furthermore, he said, because the upgrade hasn't been made available,
the only way users can guarantee their safety is by turning Bluetooth

Still, Integralis' Ecott said Nokia was probably not treating the
matter with great urgency, because overall, the risk is relatively low.
He said conditions would have to be just right for an attack to occur:
The potential victim would need to have a vulnerable phone with
Bluetooth switched to visible; the victim would have to be in close
proximity to the attacker; and the bluesnarfer would need some reason
to attack that particular phone.
"If you are at an airport with a bit of time to kill, you could sit
at a hot spot and try and get on the Web via someone else's phone,"
Ecott said. "There are examples where all the required conditions may
well come together, but not in sufficient numbers to cause Nokia to
lose any sleep."
Munir Kotadia of ZDNet UK reported from London.