Could people use Bluetooth to access your phone and steal confidential data? Apparently, yes.
A company specialising in security and encryption, London-based A.L. Digital Ltd, says it has discovered “serious flaws” in the way that some Bluetooth gadgets authenticate and connect to other Bluetooth gadgets and share information. It describes two separate flaws:
- The SNARF attack: confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some Bluetooth-enabled mobile phones. This data includes, at least, the entire phonebook and calendar;
- The BACKDOOR attack: the complete memory contents of some mobile phones can be accessed by a previously trusted (“paired”) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be “backed up” to an attacker’s own system.
There’s more detail here. Of course, just because someone has found out this is possible doesn’t mean it’s happening. But with Bluejacking becoming popular, the pairing of Bluetooth devices is becoming commonplace. The other point is that it’s hard to see what benefit could be extracted from this sort of thing, except to grab some phone numbers.
But that doesn’t mean it’s not a threat. In my part of the world, police have managed to roll up terrorist networks (Jemaah Islamiyah is the prime example) by looking through their handphone address books. If that kind of information could be gained remotely, imagine the benefits for law enforcement, or criminals, or extortionists, or politicians, or whoever. Just because we can’t see a use for it doesn’t mean there isn’t one; it means our imaginations aren’t working properly.
What’s also worrying, according to CommDesign, a technical website, is that the company appeared to get short shrift from the manufacturers, particularly Nokia, when it tried to show them what it had found. Given that this issue first came to light late last November, it would be good to know where the manufacturers are on this: I will follow this up with Nokia and post their response.