Is Bluesnarfing something to worry about? Yes, according to an Austrian study.
In the middle of last month a researcher at Salzburg’s Research Forschungsgesellschaft mbH, Martin Herfurt, set up a laptop and Bluetooth dongle near the public restrooms in Hall 11 at CeBIT, Europe’s biggest IT-exposition in Hannover. He then started to sniff for Bluetooth cellphones. In four days he found 1,269 different devices.
Bluesnarfing, or SNARFing, involves connecting to a device without permission (what’s called pairing) and then accessing data on the device or using its features. Martin didn’t do anything to the devices he did find, but he makes clear he could have:
sent SMS (text) messages from the victim’s phone without her knowledge;
made phone calls from the victim’s phone and
altered the phone book and the record of dialled numbers on the victim’s phone.
Worst off: The Nokia 6310 and the more enhanced Nokia 6310i, which he says, “are very vulnerable to the SNARF attack. About 33 percent of all discovered devices of this type were disclosing personal phone book entries without requiring user-interaction.” And Martin thinks it could have been a lot worse: By basing himself near the restrooms, a lot of his victims were passing by, moving away before he could complete a full ‘attack’. (He stresses he has not kept any of the information he obtained this way.)
I’ve said in the past that this sort of thing sounds obscure, and therefore not something we think we should worry about. But just because we can’t think of how these vulnerabilities might be exploited doesn’t mean they won’t be, and that this is not a serious breach of our security.
These tricks in themselves may not in themselves be dangerous, but highlight the fact that most of us walk around with a lot of personal data inside our phone/PDA — our address book, who we called, a record of messages sent and received, our name, our exact position, passwords and bank account numbers, email messages — which could be obtainable by someone with the interest and a modicum of equipment.
I don’t think the problem here is hijacking a phone to make a call, or SMS spam, or whatever. It’s that as cellphones and PDAs merge, these devices will inevitably become attractive targets of ID thieves, commercial spies and anyone else with an interest in finding out more about us. Unless we’re careful, Bluetooth will become just one more open door through which they can do it.