WAPjacking And The End Of Innocence

Here’s a new kind of cellphone scam (via Mike Masnick of Techdirt, writing in TheFeature): WAPjacking (well that’s what he calls it, and I like it):

Taking a page from the still popular redialer scam on PCs – where a secretive trojan tries to disconnect your modem (assuming you’re using dialup) and reconnect you secretly to a premium rate phone number in some distant country – the WAPjacking scam basically does the same thing. It involves an SMS message that overwrites the WAP settings on your phone, replaces the standard WAP home page with something else – and then switches the call to a premium rate number.

The original article on NewMediaAge in the UK says “the issue is considered so severe that operators have raised the prospect of banning all third party binary, or data, SMS messages, which would kill the content industry”. The article points to these dialers making calls to 0700 numbers, which in the UK are about 40p ($1 or thereabouts) a minute. But I imagine the real threat would only occur if the numbers being dialled were offshore, otherwise these kinds of locally-based scams could be shut down quite quickly.

In his article Mike compares the scam to Bluejacking and Bluesnarfing, which, he says “both seemed to be hyped well beyond any real threat”. While I’d agree there’s been some overkill in the British press, I don’t agree that neither represents “any real threat”. The point is always about stealing data and compromising communications, something the two processes do quite well. It’s not up to us to decide whether this represents a threat: If someone stands to lose valuable, sensitive or private data this way, it’s a threat for them.

Similarly, I wouldn’t put WAPjacking in the same category, at least for now. Diverting someone’s phone so the user loses money is not the same thing as losing the combination to your office safe, or a competitor grabbing all your contacts. But I think what all these cases have in common is that we’re just beginning to understand the vulnerability of holding in our hand an object that contains so much information, an object that can be hijacked to connect with anyone or anything without our knowledge. As Mike puts it: “It’s safe to assume that the wireless data industry has lost its innocence.”

Bluetooth Security – The World Wakes Up?

The corporate world, it seems, is waking up to Bluetooth security issues. At the same time there is a growing slew of products to make them sleep safer.

InfoSync World writes of new security software from Bluefire Security which “disables Bluetooth and Infrared communication to minimize the risk of information theft.” Bluefire Mobile Firewall Plus 3.0 allows system administrators to disable Infrared and Bluetooth communication capabilities on any company PDAs or other gadgets before they’re handed over to workers.

GeekZone also reports that AirDefense has launched what the company is calling “the industry’s first Bluetooth monitoring solution”. BlueWatch monitors an organisation’s ‘airspace’ and can identify different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones, report their signal strength and illustrate the connectivity among various devices.

Here’s a piece from ComputerWorld on what IT managers are doing. Of course, there’s a danger of an over-reaction here. Some folk don’t see Bluesnarfing, Bluejacking et al as a problem. But this is usually because they are only considering it from their own point of view (‘I’ve only got my mum’s and girlfriend’s telephone number in there, who would want that? They’re welcome to it’). But for companies this is a serious issue. If a rival could sit outside their office and download all the marketing department’s contacts from their cellphones, PDAs or (theoretically) their laptops, then that might be something to worry about.

Bluetooth, Women And Guerrilla Research

An interesting survey of Bluetooth, both in its results and methods, found by Gizmodo.

The survey (PDF) was conducted by, as far as I can work out, something called Guerrilla Research using technology provided by Zero Sum (I can’t find out much more about these folk, and the PDF file doesn’t deliver up any clues). They seem to have set up a Bluetooth sniffer in London’s business district this month, and recorded the device name and type of anything giving off a Bluetooth signal. The survey is aimed at gauging the commercial potential of Bluetooth, and is based on the premise that, unlike SMS and WAP, Bluetooth is a marketing opportunity not to be missed. Out of approximately 1,500 folk buzzed, there were 177 devices found.

The results of the survey are revealing. First off, PDAs and laptops are negligible in Bluetooth terms. Secondly, more than 60% of devices found still had their default names — their models, such as Nokia 6310i, or whatever. Those that did assign names mostly assigned male ones, which the report offered possible explanations for: men are more into Bluetooth than women; women may not feel the overwhelming urge to ‘personalise’ their device; women may alter the default settings to make their device invisible (for a more ‘natural’ approach to these possible explanations, see Gizmodo’s posting).  

My conclusion: Until we know more background information about these folk the survey will remain highly suspect. But it is revealing, firstly, that so many people keep their Bluetooth devices on their default setting, that is ‘discoverable’, and don’t bother to change the default name. That would suggest that a lot of folk simply don’t know their device has Bluetooth, or don’t know about the dangers of Bluesnarfing or Bluejacking.

Secondly, either women give male names to their devices or there’s an interesting gender difference in using cellphones. Although I’d guess that women and men use their cellphones to an almost equal extent, clearly Bluetooth remains something of a nerdy feature. I’d guess that women are just as likely to alter the customisable features on their cellphone — ringtone, background image — that do not include Bluetooth. That has interesting implications for the raft of new Bluetooth social networking tools we’re seeing. It must also mean there are some seriously frustrated ‘toothing’ guys out there.

Blind Dating By Bluetooth Goes Live

Further to my column on bluesnarfing, a Marseilles company called Kangourouge has launched a service which, as far as I can work out, uses the same sort of Bluetooth vulnerability catalogued by AL Digital and others, namely Bluejacking.

It’s called ProxiDating (interestingly, Google doesn’t like the word and suggests ‘peroxidation’ instead, which is presumably the excuse one offers if the first date doesn’t work out, as in ‘Sorry I can’t go out with you tonight I’m in a Domestic Hair Peroxidation Situation’.) Anyway, the blurb says:

Using bluetooth technology, ProxiDating allows you to meet people with common interests in pubs, restaurants, shops, clubs, discos, sports arenas, in fact, almost anywhere !

ProxiDating is a totally new way for single people to meet up instantly. All you need to do is install ProxiDating on your mobile phone, create your profile, enable bluetooth and wait for your dream date to appear. Whenever you come within about 15m of a person with a matching profile your phone will alert you !

Only people with matching profiles will be linked via their phones. ProxiDating automatically sends the text and image that you have defined to your potential date. In the same way, you will receive text and image from the matched partners phone… then its up to you…

Imagine, you are crossing the street when the girl/boy of your dreams passes before you, your phone buzzes and their face appears on your phone’s screen…

The website doesn’t offer much, so far, and most of the few pages there are, are empty.

Now I know people have been talking about this kind of service for a while, but I believe this might be the first to go live. Something called Serendipity was mentioned a few weeks back as an MIT Media Lab project but I haven’t seen anything hit the streets yet. (I’m ready to stand corrected on this, although I gave the MIT website a look.)

As pointed out elsewhere, this kind of system is not going to be popular with the service providers, not because it’s insecure, but because it’s not likely to make them any money. The software is network independent, since the interaction requires only the users to input their data and ‘find’ each other using Bluetooth. No network, no pinging back to the network to update or match profiles, no large amounts of money.

Which explains why the software costs $5. It’s a commercial version of the Brits’ own toothing fad, I guess.

The Dangers Of Snarf

Is Bluesnarfing something to worry about? Yes, according to an Austrian study.

In the middle of last month a researcher at Salzburg’s Research Forschungsgesellschaft mbH, Martin Herfurt, set up a laptop and Bluetooth dongle near the public restrooms in Hall 11 at CeBIT, Europe’s biggest IT-exposition in Hannover. He then started to sniff for Bluetooth cellphones. In four days he found 1,269 different devices.

Bluesnarfing, or SNARFing, involves connecting to a device without permission (what’s called pairing) and then accessing data on the device or using its features. Martin didn’t do anything to the devices he did find, but he makes clear he could have:

  • sent SMS (text) messages from the victim’s phone without her knowledge;
  • made phone calls from the victim’s phone; and
  • altered the phone book and the record of dialled numbers on the victim’s phone.

Worst off: The Nokia 6310 and the more enhanced Nokia 6310i, which he says, “are very vulnerable to the SNARF attack. About 33 percent of all discovered devices of this type were disclosing personal phone book entries without requiring user-interaction.” And Martin thinks it could have been a lot worse: By basing himself near the restrooms, a lot of his victims were passing by, moving away before he could complete a full ‘attack’. (He stresses he has not kept any of the information he obtained this way.)

I’ve said in the past that this sort of thing sounds obscure, and therefore not something we think we should worry about. But just because we can’t think of how these vulnerabilities might be exploited doesn’t mean they won’t be, and that this is not a serious breach of our security. 

These tricks may not in themselves be dangerous, but highlight the fact that most of us walk around with a lot of personal data inside our phone/PDA — our address book, who we called, a record of messages sent and received, our name, our exact position, passwords and bank account numbers, email messages — which could be obtainable by someone with the interest and a modicum of equipment.

I don’t think the problem here is hijacking a phone to make a call, or SMS spam, or whatever. It’s that as cellphones and PDAs merge, these devices will inevitably become attractive targets of ID thieves, commercial spies and anyone else with an interest in finding out more about us. Unless we’re careful, Bluetooth will become just one more open door through which they can do it.

Bluetooth And The Art Of Sex

Is Bluetooth helping Brits meet each other and have sex?

Apparently, according to WIRED, which reports on a new craze called ‘toothing’ (couldn’t they have come up with something sexier?). Toothing involves using the Bluetooth feature in a cellphone — used to transfer data between one Bluetooth device and another, without wires — to send messages to another cellphone within range (across a room, say.)

What the toothers do, apparently, is to spot someone else messing with their cellphone on a train, a mall or, somewhat unromantically, in a carpark, and then send them a message using this feature (via a trick called Bluejacking, or its more criminal cousin, Bluesnarfing). They then converse via SMS, or text, hook up and have sex. It sounds a bit like the letters pages in Penthouse.

There’s even a website dedicated to toothing (intriguingly, the Google context-aware ads that appear at the top of the site seem as confused as I: They are all about teeth whitening).

Now I have to express a bit of scepticism about this, it being so close to April 1 and all that. The story says that “when a Bluetooth phone locates another, it can see the name that the device’s owner has given it. And most, though not all, toothers use names that in one way or another betray their gender.” Is that true? In my experiments with Bluejacking, if you try to ‘discover’ other devices, the only results you will get are likely to be the name of the device (Nokia 7650, or whatever). But maybe that’s not the case everywhere.

Still, there’s no denying that Bluetooth has brought a bit of romance into people’s lives. A service called Serendipity will sniff out other phones and, if their owners are using the service, look to see whether the two people are compatible based on its database, according to the Daily Telegraph.

How Secure Is Bluetooth?

Could people use Bluetooth to access your phone and steal confidential data? Apparently, yes.

A company specialising in security and encryption, London-based A.L. Digital Ltd, says it has discovered “serious flaws” in the way that some Bluetooth gadgets authenticate, connect to other Bluetooth gadgets and share information. In two separate flaws, the company says:

  • The SNARF attack: confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some Bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar;
  • The BACKDOOR attack: the complete memory contents of some mobile phones can be accessed by a previously trusted (“paired”) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be “backed up” to an attacker’s own system.

There’s more detail here. Of course, just because someone’s found out this is possible, doesn’t mean it’s happening. But with Bluejacking becoming popular, the pairing of Bluetooth devices becomes commonplace. The other point is that it’s hard to see what benefit could be extracted from this sort of thing, except to grab some phone numbers.

But that doesn’t mean it’s not a threat. In my part of the world, police have managed to roll up terrorist networks (Jemaah Islamiyah is the prime example) by looking through their handphone address book. If that kind of information could be gained remotely, imagine the benefits for law enforcement, or crime, or extortionists, or politicians, or whatever. That we can’t see a use for it just means our imaginations aren’t working properly.

What’s also worrying, according to CommDesign, a technical website, is that the company appeared to get short shrift from the manufacturers when it tried to show them what it had found, particularly Nokia. Given this issue first came to light late last November, it would be good to know where the manufacturers are on this: I will follow this up with Nokia and post their response.

Update: More On Bluejacking

Interesting discussion about Bluejacking — the new craze whereby folk send messages to unsuspecting cellphone/PDA users across the room — on Slashdot. The impression I get is that parts of Europe have already been using the Bluetooth function on phones to spam other people for some time. One contributor says that in Copenhagen
…every other time I get in a taxi I get a Bluetooth transmitted business card from the company or sometimes specifically the driver of the taxi. The first time this happened it was a slightly novel new thing I didn’t mind much – but now I find myself cursing the people who implemented this standard for not doing it like on Palm where you have to ‘accept’ the infrared beamed cards. On the Nokia cellphones it’s just stored without question so if this practice gets more widespread, soon your address book will be seriously burdened with unwanted business cards. Just finding them will be a big hassle. That’s when you switch off Bluetooth I guess.