Nokia releases Bluetooth security fix

Company releases upgrades to protect five of its phones from Bluetooth-hacking technique.
Written by Munir Kotadia, Contributor
More than six months after acknowledging a Bluetooth security flaw in a number of its mobile phones, Nokia said it has released a software upgrade that fixes the vulnerabilities in some of its products.

In February, Nokia and Sony Ericsson admitted that some of their Bluetooth-enabled phones were vulnerable to "bluesnarfing," which means that an attacker could read, modify and copy the phone's address book and calendar without leaving any trace of the intrusion.

Some handsets contain an even more serious vulnerability that allows the phone to be "taken over" by the attacker, who could then use it to make phone calls, send text messages and modify the handset's settings.

Once the problems were discovered, Sony Ericsson offered to update any affected handsets, but Nokia said it did not think the vulnerabilities were serious enough to warrant an upgrade.

However, following pressure from customers, Nokia announced in May that it would provide a software upgrade in "the summer" but did not set a firm date for its release.

On Thursday, Nokia confirmed that it had released updates for five of its handsets and reiterated that it will issue fixes for all remaining vulnerable devices by the end of the summer. Fixes are now available for the Nokia 6230, 6650, 6810, 6820 and 7200, the company said in a statement.

The handset maker did not say exactly where customers might get the patches or whether they will be able to apply the fixes themselves.

Security experts have said it is important that users upgrade their phones, because more hacking Web sites have started publishing software tools designed to help nontechnical users launch bluesnarfing attacks.

Tim Ecott, manager of the S3 ethical hacking team at security company Integralis, added that bluesnarfing "cookbooks" are starting to appear.

"Rest assured, they do exist," he said. "They are certainly not widespread at this stage, but there are a number of locations where this code is exchanged and explored by various people. Our company is aware of some of these locations and has used some of the information to develop code to test the vulnerability in the first place."

Mark Rowe, an IT security consultant at Pentest, which was one of the companies that discovered the problem, said more people are learning how to carry out bluesnarfing and similar attacks. Furthermore, he said, because the upgrade hasn't been made available, the only way users can guarantee their safety is by turning Bluetooth off.

Still, Integralis' Ecott said Nokia was probably not treating the matter with great urgency, because overall, the risk is relatively low. He said conditions would have to be just right for an attack to occur: The potential victim would need to have a vulnerable phone with Bluetooth switched to visible; the victim would have to be in close proximity to the attacker; and the bluesnarfer would need some reason to attack that particular phone.

"If you are at an airport with a bit of time to kill, you could sit at a hot spot and try and get on the Web via someone else's phone," Ecott said. "There are examples where all the required conditions may well come together, but not in sufficient numbers to cause Nokia to lose any sleep."

Munir Kotadia of ZDNet UK reported from London.

Editorial standards