Yes, Bluetooth Is Insecure, But Does It Matter?
Looks like the phone makers are finally taking a look at the Bluetooth security issue, which I mentioned in a recent posting.
ZDNet quotes a Nokia spokesperson as saying the company is aware of “security issues” relating to Bluetooth devices that “makes it possible to download and modify phone book, calendar and other information on the phone without the owner’s knowledge or consent, if Bluetooth is turned on.” But the spokesperson stresses “the attack was only possible if the phone was in ‘visible mode’ where it is set to actively search for other Bluetooth devices. The company admitted that a bluesnarf attack “may happen in public places, if a device is in the ‘visible’ mode, and the Bluetooth functionality is switched on.”
There are other possible attacks, the Nokia person conceded:
- Hijacking someone’s phone: An attacker could also use at least one model to “send SMS messages and browse the Web via it.” The company said it had not been able to recreate this “backdoor” attack on the 6310, but would not confirm if the other models were vulnerable.
- Crashing someone else’s phone: The 6310i handset is vulnerable to a Denial of Service attack — effectively crashing the phone — when it receives a “corrupted” Bluetooth message.
Nokia, surprisingly, said it would not be releasing fixes, ZDNet says, because it said the attacks are limited to “only a few models” and it does not expect them to “happen at large”. Instead it suggests users set their phones to ‘invisible’ — meaning no Bluetooth device can see it — or turn off the Bluetooth function entirely. Sony Ericsson, meanwhile, are “looking into” the matter. Why they are still doing that given the warning has been in the public domain since November beats me.
This is a much more serious case than the handphone manufacturers, or the Bluetooth community, have acknowledged. Folk assume that because an attack seems unlikely, the vulnerability that allows it to happen is somehow less important. That’s what people thought in the early days of viruses — why would someone create something to disrupt someone else’s computer, we would think? Or spam: Why would someone send an email with a fake email address? Now that kind of thinking looks a bit, well, duh.
Bluetooth is trying to become a pervasive technology. It wants to be in everything, and to make gadgets work with other gadgets seamlessly and ubiquitously. For that to happen security has to be paramount. Just because we can’t think of ways people could exploit these flaws doesn’t mean people won’t try. If I’m sitting in a business meeting and I can download everyone else’s phone book to my phone, or, read their messages, emails or whatever they have stored on their phone, that’s bad enough. But what about when every gadget is Bluetooth? Can I access someone else’s PDA remotely? Their laptop? Might I be able to send a message to make it look as if it’s coming from their phone?
We should be thanking the guys who discovered this vulnerability, and taking their reports seriously, not treating them like publicity hungry sleazeballs. That Nokia and the others have been so slow to take note is a serious black mark against them. If they show similar attitudes to Symbian we’re in trouble.