Tag Archives: Bluesnarfing

Bluetooth as a Beacon for the Missing?

Thinking about the poor Londoners unable to call their loved ones because of the overloaded cellphone networks on Thursday morning, I wondered whether Bluetooth might help in such incidents in future.

Most cellphones now come with Bluetooth (the number of devices containing Bluetooth doubled last year to 250 million, and the figure is expected to double again this year). Is there no way a connection could be created so cellphone users can transmit urgent messages via Bluetooth to a landline system, through Bluetooth receivers placed at strategic spots in places that are not easily accessible, or easy to escape from, such as a tunnel or a tall building? Then, even if the cellphone network is congested, those messages could get through, perhaps via a central switching station that could monitor them as a way of building a list of the missing, the victims and the found. Such a message could be built into the fabric of the phone as a sort of panic button: it would try to relay a standard message about the user and her emergency contact numbers, first via SMS and then, if no network signal is available, by Bluetooth to the nearest emergency receiver. This sort of thing isn’t going to work in big open spaces, but it might suit urban spaces and places like subways.

This Bluetooth network could also be used to locate the missing, buried under rubble or otherwise not readily reachable. With the cellular network down, emergency services could not use mobile phone signals to locate the missing (indeed, many Underground lines in London have no mobile signal at all, unlike Hong Kong or Singapore, although this may change), but Bluetooth would not be hampered in this way: it doesn’t need a network to operate, since the connection is made directly from one device to another as an ‘ad-hoc network’. Rescue teams armed with powerful Bluetooth transmitters could seek out Bluetooth phones or other devices, the strength of the signal giving some clue about location.

Of course this would require some rethinking of how Bluetooth devices are configured: the devices would have to be given names that identify the user, and they would have to be switched on (and possibly set to ‘discoverable’, although I guess there’s a way around this hiding aspect of Bluetooth that emergency services could use). Neither identifiable device names nor discoverability is recommended in this age of Bluesnarfing, but if the Bluetooth SIG could think differently about what Bluetooth is and what it could do, i.e. not just a pairing technology but a limited-range location ‘beacon’ technology, maybe these problems could be overcome.

Of course, Bluetooth as a beacon could be used in other ways: to find ATMs, or your car in a large parking lot, or your children in a crowd. Perhaps this is already being done. And while there’s a good argument that Wi-Fi could do all this better, over greater distances, the great thing about Bluetooth is that it’s already in the one device most people carry around with them: their cellphone.

Welcome To Long Distance Bluesnarfing

(Please note: I’m not in possession of any bluesnarfing software and I’m not going to link to any. So please don’t bother leaving comments requesting it.)

Long distance Bluesnarfing is here.

Austrian researcher and Bluetooth expert Martin Herfurt tells me that he and some friends — Mike Outmesguine, John Hering, James Burgess and Kevin Mahaffey — were able to Bluesnarf a cellphone more than 1 mile away in Santa Monica Bay early on Wednesday. This follows a similar experiment late last month in which some of the same guys successfully connected to a Bluetooth phone 1 km away.

(Bluesnarfing is the practice of using a vulnerability in cellphones’ implementation of Bluetooth to steal data or to hijack a cellphone to make calls or send text messages without the user’s permission or knowledge.)

Martin says the distance was exactly 1.08 miles, or 1.78 km, which is in itself something of a feat, given they were using pretty basic stuff: a 19 dB antenna with a modified Class 1 dongle on one side and, on the other, the victim’s unmodified phone. But it wasn’t just that: he says they were able not only to snarf the entire address book but also to send an SMS from the victim’s phone.

Here’s Martin, the victim, in the foreground, with the pier near where the attacker was located in the background:

I hope this kind of experiment lays to rest the doubts of those who don’t see how this kind of thing could be a problem. Most of the naysayers claim that Bluesnarfing only works close by, but this shows that’s not true. What’s more, it shows how Bluesnarfing can be either a sniper or a vacuum cleaner: Martin says they spotted dozens of Bluetooth phones in their experiment but focused on just the target phone. Had they wanted to, they could have sucked up the address books and data from most of those phones, information that might have proved very valuable.

Bluesnarfing From Across Town?

Some guys in California, Mike Outmesguine, John Hering and James Burgess, have managed to connect to an ordinary Bluetooth cellphone from 1 kilometer away, using off-the-shelf stuff, including a high-gain antenna connected to a Class 1 Bluetooth adapter kit. Their conclusion: “A typical unmodified cell phone can be reached at a distance of one kilometer by using slightly modified equipment on only one side of the link. Imagine the possibilities with modifications on both ends of the link!”

Some folk on Slashdot agree. Someone called Carbolic (who may or may not be related to the actual testers) points out the implication: “now it’s easy to Bluesnarf without even being near the target phone”. (Bluesnarfing is the trick whereby someone can grab the contents of someone else’s phone, and even make calls with it, using Bluetooth. Some more posts on that here.) I’m no techie, but it does seem to undermine the argument we keep hearing that Bluetooth will never be a security issue because it only works within a few metres.

WAPjacking And The End Of Innocence

Here’s a new kind of cellphone scam (via Mike Masnick of Techdirt, writing in TheFeature): WAPjacking (well that’s what he calls it, and I like it):

Taking a page from the still-popular dialer scam on PCs, where a trojan quietly disconnects your modem (assuming you’re on dialup) and reconnects you to a premium-rate number in some distant country, the WAPjacking scam does much the same thing. It involves an SMS message that overwrites the WAP settings on your phone, replaces the standard WAP home page with something else, and then switches the data call to a premium-rate number.

The original article in NewMediaAge in the UK says “the issue is considered so severe that operators have raised the prospect of banning all third party binary, or data, SMS messages, which would kill the content industry”. The article points to these dialers making calls to 0700 numbers, which in the UK cost about 40p ($1 or thereabouts) a minute. But I imagine the real threat would only arise if the numbers being dialled were offshore; otherwise these locally based scams could be shut down quite quickly.

In his article Mike compares the scam to Bluejacking and Bluesnarfing, which, he says, “both seemed to be hyped well beyond any real threat”. While I’d agree there’s been some overkill in the British press, I don’t agree that neither represents “any real threat”. The point is always about stealing data and compromising communications, which both of them do quite well. It’s not up to us to decide whether this represents a threat: if someone stands to lose valuable, sensitive or private data this way, it’s a threat for them.

That said, I wouldn’t put WAPjacking in the same category, at least for now. Diverting someone’s phone so the user loses money is not the same thing as losing the combination to your office safe, or a competitor grabbing all your contacts. But what all these cases have in common is that we’re just beginning to understand the vulnerability of holding in our hand an object that contains so much information, an object that can be hijacked to connect with anyone or anything without our knowledge. As Mike puts it: “It’s safe to assume that the wireless data industry has lost its innocence.”

The Bluesnarfing Skeptics

Is Bluesnarfing the big problem it’s made out to be?

“Traditionally,” wrote Guy Kewney of eWeek earlier this month, “security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.” He then takes a look at bluesnarfing, which regular readers of this blog and the column will already be familiar with. His conclusion: Such concerns are “a load of hooey”. Here’s why:

  • Range: “You have to get to within a few paces of the phone you want to raid because the effective range of Bluetooth is said to be about 30 feet … in clear air, not in a crowded room”;
  • Phone ID: “You have to identify the phone correctly. You won’t see “I’m Tony Blair’s phone full of secrets!” in nice helpful letters; you’ll see the make of the phone”;
  • Affected brands: “The phone also needs to be vulnerable to attack … affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets”;
  • Tools: “you have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants”;
  • Results: “what do you get? A list of phone numbers?”

Guy sees such ‘news scares’ as intended to “convince a large group of people that the guy who discovered the ‘security loophole’ is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.”

OK, let’s take a look at Guy’s points. The first one, range, is pretty simple. Bluetooth doesn’t have a single range of 30 feet (10 meters); the nominal figure depends on the power class of the gadget, from about 10 meters for the Class 2 radios in most phones to up to 100 meters for Class 1. More importantly, what matters is not the range of the targeted gadget but that of the attacker’s equipment. Adam Laurie, the guy who first publicised this, has used off-the-shelf components plugged into a laptop to get a range of 80 meters and reckons that with antennae it could go much further.
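To put numbers on the range argument (Laurie’s 80 metres, the 19 dB antenna and Class 1 dongle of the Santa Monica experiment, and Outmesguine’s “imagine the possibilities with modifications on both ends”), here is an added example of a free-space link budget. It is not code from this blog, from Adam Laurie or from Martin Herfurt’s group. Everything in it is an assumption stated in the comments: a 2.44 GHz carrier, the nominal transmit powers of the Bluetooth power classes, a receiver sensitivity of -85 dBm (typical of chipsets of the period; the spec only demands -70 dBm) and a 0 dBi antenna in the phone. It goes slightly beyond the experiment in that it also works the case where both ends have a high-gain antenna.

```python
"""Added example (not from the original post, nor from Laurie's or
Herfurt's tools): a free-space link budget for a Bluetooth link.

Assumptions, all mine and not taken from the post:
  * 2.44 GHz carrier (middle of the ISM band Bluetooth hops across);
  * nominal power classes from the Bluetooth spec (Class 1 = 20 dBm,
    Class 2 = 4 dBm, Class 3 = 0 dBm);
  * receiver sensitivity of -85 dBm, typical of a 2004-era chipset
    (the spec's minimum is only -70 dBm);
  * the phone's built-in antenna taken as 0 dBi.
Free space is a best case; walls, bodies and multipath cut real range,
so the figures are upper bounds, not predictions.
"""
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0
BT_CARRIER_HZ = 2.44e9
CLASS_TX_DBM = {1: 20.0, 2: 4.0, 3: 0.0}
ASSUMED_RX_SENSITIVITY_DBM = -85.0


def _fspl_constant_db(freq_hz: float) -> float:
    """Distance-independent part of free-space path loss: 20*log10(4*pi*f/c)."""
    return 20 * math.log10(4 * math.pi * freq_hz / SPEED_OF_LIGHT_M_S)


def free_space_path_loss_db(distance_m: float, freq_hz: float = BT_CARRIER_HZ) -> float:
    """Friis free-space loss between isotropic antennas, in dB."""
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 20 * math.log10(distance_m) + _fspl_constant_db(freq_hz)


def one_way_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                    rx_sens_dbm: float = ASSUMED_RX_SENSITIVITY_DBM,
                    freq_hz: float = BT_CARRIER_HZ) -> float:
    """Distance at which the received signal just meets the receiver's sensitivity."""
    allowed_loss_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm
    return 10 ** ((allowed_loss_db - _fspl_constant_db(freq_hz)) / 20)


def bluetooth_link_range_m(attacker_class: int, attacker_gain_dbi: float,
                           phone_class: int = 2, phone_gain_dbi: float = 0.0,
                           rx_sens_dbm: float = ASSUMED_RX_SENSITIVITY_DBM) -> dict:
    """Two-way range.  A snarf needs the phone's replies to reach the attacker,
    so the usable distance is the weaker of the two directions; antenna gain
    is reciprocal, so the attacker's dish helps both legs."""
    forward = one_way_range_m(CLASS_TX_DBM[attacker_class], attacker_gain_dbi,
                              phone_gain_dbi, rx_sens_dbm)
    reverse = one_way_range_m(CLASS_TX_DBM[phone_class], phone_gain_dbi,
                              attacker_gain_dbi, rx_sens_dbm)
    return {"forward_m": forward, "reverse_m": reverse, "usable_m": min(forward, reverse)}


def range_multiplier(extra_gain_db: float) -> float:
    """In free space every 6 dB of extra link gain roughly doubles the range."""
    return 10 ** (extra_gain_db / 20)


if __name__ == "__main__":
    cases = [(0.0, 0.0, "stock Class 1 dongle"),
             (19.0, 0.0, "19 dBi antenna at attacker"),
             (19.0, 19.0, "19 dBi antenna at both ends")]
    for attacker_gain, phone_gain, label in cases:
        r = bluetooth_link_range_m(1, attacker_gain, phone_gain_dbi=phone_gain)
        print(f"{label:30s} usable ~{r['usable_m'] / 1000:.1f} km "
              f"(phone-to-attacker leg {r['reverse_m'] / 1000:.1f} km)")
```

Under these assumptions a stock Class 1 dongle talking to a Class 2 phone is limited to a few hundred metres by the phone’s weak 4 dBm transmitter, a single 19 dBi antenna at the attacker’s end stretches that to roughly 2.5 km in free space (the same order as the 1.78 km achieved in the real, cluttered world), and a 19 dBi antenna at both ends multiplies it by another factor of nearly nine. The lesson for the skeptics is that the victim’s radio class sets nothing; the attacker chooses the link budget.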

The second issue, phone ID, is somewhat misleading. While it’s true that Tony Blair is unlikely to have had the time or interest to change his phone’s default name (usually the model name) to something more personal, the attacker is unlikely to be snarfing around for an exact model name. He is going to gobble up all the data from every vulnerable Bluetooth device he can find and then, later, if he needs to, try to match the data to individuals via, for example, the sender field of any outgoing SMS/text messages, which would reveal the telephone number of the target (thanks to Martin Herfurt for clarifying this).

Affected brands: while it’s true that not all phones are affected, Nokia remains the single largest player in the UK (where eWeek is writing from), with nearly 30% market share in the first quarter of this year, and Sony Ericsson has nearly 6%. Even though not all models from those manufacturers are vulnerable, that’s still a lot of handsets.

Tools: yes, it’s unlikely you could mount a successful attack without a laptop, a Bluetooth dongle and some technical idea of what you’re doing. But it’s naive to suggest that only security consultants will do this kind of thing. Bluesnarfing is a data-theft problem, which means its most likely users are people in the data-theft business, whether for commercial purposes or criminal ones. Sure, a few techheads will do it for the hell of it, but the most likely threat is commercial espionage, and those guys are pros. Just because you can’t imagine someone doing it doesn’t mean a criminal can’t.

Results: this again reflects the limited imagination of the writer. Basically any information can be stolen from a cellphone via snarfing. That includes not only contacts, which are potentially valuable in themselves, but also any notes stored there, such as safe combinations, passwords and PINs. In any case, Bluesnarfing is not just about data. It can also involve hijacking the user’s phone to make a call without their knowledge. The ability of someone to remotely use your phone to dial a number and talk, in a call that appears to the recipient to be coming from your phone, raises all sorts of problem scenarios, but I’ll leave those to your imagination.

It’s not a new mantra, but it’s worth repeating: just because we can’t think of how someone might benefit from these kinds of security holes doesn’t mean someone else can’t. Sure, there are plenty of pseudo-security problems out there, and it’s good to be skeptical, but as long as the manufacturers don’t address it, Bluesnarfing is a real one, seriously compromising the security of your cellphone. As cellphones, PDAs and cameras merge into smartphones this problem can only become more acute.

Bluetooth Security – The World Wakes Up?

The corporate world, it seems, is waking up to Bluetooth security issues. At the same time there is a growing slew of products to help it sleep more safely.

InfoSync World writes of new security software from Bluefire Security which “disables Bluetooth and Infrared communication to minimize the risk of information theft.” Bluefire Mobile Firewall Plus 3.0 allows system administrators to disable Infrared and Bluetooth communication capabilities on any company PDAs or other gadgets before they’re handed over to workers.

GeekZone also reports that AirDefense has launched what the company calls “the industry’s first Bluetooth monitoring solution”. BlueWatch monitors an organisation’s ‘airspace’, identifies different types of Bluetooth devices (laptops, PDAs, keyboards and cellphones) along with their signal strength, and illustrates the connectivity among them.

Here’s a piece from ComputerWorld on what IT managers are doing. Of course, there’s a danger of over-reaction here. Some folk don’t see Bluesnarfing, Bluejacking et al. as a problem, but this is usually because they are only considering it from their own point of view (‘I’ve only got my mum’s and girlfriend’s telephone numbers in there, who would want those? They’re welcome to them’). For companies this is a serious issue. If a rival could sit outside their office and download all the marketing department’s contacts from their cellphones, PDAs or (theoretically) their laptops, that would be something to worry about.

This week’s column – Mailbag

This week’s Loose Wire column answers readers’ questions on Bluesnarfing (the unpleasant term for the unpleasant process of remotely stealing the data from a Bluetooth-equipped cellphone), the wonders of PowerDesk and ExplorerPlus, and browser wars.

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

Bluetooth, Women And Guerrilla Research

An interesting survey of Bluetooth, both in its results and methods, found by Gizmodo.

The survey (PDF) was conducted by, as far as I can work out, something called Guerrilla Research, using technology provided by Zero Sum (I can’t find out much more about these folk, and the PDF doesn’t deliver up any clues). They seem to have set up a Bluetooth sniffer in London’s business district this month and recorded the device name and type of anything giving off a Bluetooth signal. The survey is aimed at gauging the commercial potential of Bluetooth and is based on the premise that, unlike SMS and WAP, Bluetooth is a marketing opportunity not to be missed. Out of approximately 1,500 people buzzed, 177 devices were found.

The results of the survey are revealing. First, PDAs and laptops are negligible in Bluetooth terms. Second, more than 60% of the devices found still had their default names, i.e. their model names, such as Nokia 6310i. Those that did assign names mostly assigned male ones, for which the report offered possible explanations: men are more into Bluetooth than women; women may not feel the overwhelming urge to ‘personalise’ their device; women may alter the default settings to make their device invisible (for a more ‘natural’ approach to these possible explanations, see Gizmodo’s posting).

My conclusion: until we know more about the background of these folk the survey will remain highly suspect. But it is revealing, first, that so many people leave their Bluetooth devices on the default setting, that is ‘discoverable’, and don’t bother to change the default name. That suggests a lot of people simply don’t know their device has Bluetooth, or don’t know about the dangers of Bluesnarfing or Bluejacking.
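Both the BlueWatch product described earlier and this survey boil down to the same exercise: run a Bluetooth inquiry, work out what each responding device is from its Class of Device, and note who never changed the default name. Here is an added example of that triage, written for this page and not taken from AirDefense, Guerrilla Research or Zero Sum. The Class of Device bit layout and the major/minor class tables are from the Bluetooth Assigned Numbers; everything else is an assumption: the scan lines are constructed (loosely in the shape of `hcitool inq` output with a name lookup added, with made-up addresses and names), and the default-name regexes are a heuristic of mine, not a vendor list.

```python
"""Added example, not from the original post, from AirDefense or from the
Guerrilla Research survey: triage of a Bluetooth inquiry scan.

Anything that answers an inquiry is, by definition, in discoverable
mode, so the questions a sysadmin (or a marketer) wants answered are:
what kinds of devices are these, and how many owners never changed the
default name?

The Class of Device tables are from the Bluetooth Assigned Numbers.
SAMPLE_SCAN is constructed, loosely shaped like `hcitool inq` plus a
name lookup; addresses and names are made up.  DEFAULT_NAME_PATTERNS is
a heuristic of mine, not a vendor list.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Major device class lives in bits 8-12 of the 24-bit Class of Device.
MAJOR_CLASS = {
    0x00: "misc", 0x01: "computer", 0x02: "phone", 0x03: "lan_access_point",
    0x04: "audio_video", 0x05: "peripheral", 0x06: "imaging", 0x07: "wearable",
    0x08: "toy", 0x09: "health", 0x1F: "uncategorized",
}
# Minor device class is bits 2-7; its meaning depends on the major class.
PHONE_MINOR = {0x01: "cellular", 0x02: "cordless", 0x03: "smartphone",
               0x04: "wired_modem", 0x05: "isdn"}
COMPUTER_MINOR = {0x01: "desktop", 0x02: "server", 0x03: "laptop",
                  0x04: "handheld_pda", 0x05: "palm_pda"}
# For peripherals, bits 6-7 of the CoD say keyboard / pointing / combo.
PERIPHERAL_KIND = {1: "keyboard", 2: "pointing", 3: "keyboard_pointing"}

# Heuristic (assumption): vendors ship the model number as the friendly
# name, e.g. "Nokia 6310i" or "T610", which is what the survey saw.
DEFAULT_NAME_PATTERNS = [
    re.compile(r"^Nokia \d{4}\w?$", re.I),
    re.compile(r"^[TKZPS]\d{3}[a-z]?$", re.I),  # Sony Ericsson style
    re.compile(r"^(Sony ?Ericsson|Siemens|Motorola|Samsung|Palm|HP|Compaq)\b", re.I),
]

SCAN_LINE = re.compile(
    r"^(?P<addr>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+class:\s*0x(?P<cod>[0-9A-F]{6})"
    r"\s+name:\s*(?P<name>.+?)\s*$", re.I)


@dataclass
class Device:
    bdaddr: str
    cod: int
    name: str
    major: str
    minor: str
    default_name: bool


def decode_cod(cod: int) -> tuple[str, str]:
    """Split a Class of Device value into (major, minor) labels."""
    major_bits = (cod >> 8) & 0x1F
    minor_bits = (cod >> 2) & 0x3F
    major = MAJOR_CLASS.get(major_bits, f"reserved_{major_bits:#04x}")
    if major_bits == 0x02:
        minor = PHONE_MINOR.get(minor_bits, "other")
    elif major_bits == 0x01:
        minor = COMPUTER_MINOR.get(minor_bits, "other")
    elif major_bits == 0x05:
        minor = PERIPHERAL_KIND.get((minor_bits >> 4) & 0x3, "other")
    else:
        minor = "n/a"
    return major, minor


def is_default_name(name: str) -> bool:
    return any(p.match(name) for p in DEFAULT_NAME_PATTERNS)


def parse_scan(text: str) -> tuple[list[Device], list[str]]:
    """Parse scan lines; malformed ones are returned, not silently dropped."""
    devices, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCAN_LINE.match(line)
        if m is None:
            rejected.append(line)
            continue
        cod = int(m["cod"], 16)
        major, minor = decode_cod(cod)
        name = m["name"]
        devices.append(Device(m["addr"].upper(), cod, name, major, minor,
                              is_default_name(name)))
    return devices, rejected


def summarise(devices: list[Device]) -> dict:
    """The numbers the survey reported: device-type mix and default-name share."""
    n = len(devices)
    defaults = sum(d.default_name for d in devices)
    return {
        "total": n,
        "by_major": dict(Counter(d.major for d in devices)),
        "default_name": defaults,
        "default_name_pct": round(100.0 * defaults / n, 1) if n else 0.0,
    }


# Constructed sample, not a real capture.
SAMPLE_SCAN = """\
00:0E:ED:11:22:33  class: 0x520204  name: Nokia 6310i
00:0A:D9:44:55:66  class: 0x500204  name: T610
00:0E:ED:77:88:99  class: 0x52020C  name: Dave's phone
00:02:EE:AA:BB:CC  name: line with no class field
00:03:7A:12:34:56  class: 0x3E010C  name: ACME-LAPTOP-07
00:07:61:00:11:22  class: 0x100114  name: Palm Tungsten T3
00:0C:6E:99:88:77  class: 0x002540  name: Bluetooth Keyboard
"""

if __name__ == "__main__":
    found, bad = parse_scan(SAMPLE_SCAN)
    for d in found:
        flag = "DEFAULT" if d.default_name else "       "
        print(f"{d.bdaddr}  {d.major:10s} {d.minor:12s} {flag}  {d.name}")
    print(summarise(found), f"{len(bad)} unparseable line(s)")
```

Two things worth noting. The keyboard and PDA show up as distinct classes even though all of them were discovered the same way, which is exactly the per-type picture BlueWatch sells; and the default-name share is computed over parsed devices only, with the unparseable line reported separately rather than silently skewing the percentage.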

Second, either women give male names to their devices or there’s an interesting gender difference in cellphone use. Although I’d guess that women and men use their cellphones to an almost equal extent, Bluetooth clearly remains something of a nerdy feature. I’d guess that women are just as likely to alter the customisable features of their cellphone, ringtone and background image, say, but that this doesn’t extend to Bluetooth. That has interesting implications for the raft of new Bluetooth social-networking tools we’re seeing. It must also mean there are some seriously frustrated ‘toothing’ guys out there.

This week’s column – Snarf

This week’s Loose Wire column is about Bluetooth security:

 Next time you’re carrying your whiz-bang Bluetooth phone watch out: Serious flaws mean your contact numbers and other info stored in the phone could be stolen without you even knowing it. This latest threat is called Bluesnarfing.  

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

For readers looking for more resources on snarfing, check out the snarf page on Loose Wire Cache.

Blind Dating By Bluetooth Goes Live

Further to my column on bluesnarfing, a Marseilles company called Kangourouge has launched a service which, as far as I can work out, uses the same sort of Bluetooth vulnerability catalogued by AL Digital and others, namely Bluejacking.

It’s called ProxiDating (interestingly, Google doesn’t like the word and suggests ‘peroxidation’ instead, which is presumably the excuse one offers if the first date doesn’t work out, as in ‘Sorry I can’t go out with you tonight I’m in a Domestic Hair Peroxidation Situation’.) Anyway, the blurb says:

Using bluetooth technology, ProxiDating allows you to meet people with common interests in pubs, restaurants, shops, clubs, discos, sports arenas, in fact, almost anywhere!

ProxiDating is a totally new way for single people to meet up instantly. All you need to do is install ProxiDating on your mobile phone, create your profile, enable bluetooth and wait for your dream date to appear. Whenever you come within about 15m of a person with a matching profile your phone will alert you!

Only people with matching profiles will be linked via their phones. ProxiDating automatically sends the text and image that you have defined to your potential date. In the same way, you will receive text and image from the matched partner’s phone… then it’s up to you…

Imagine, you are crossing the street when the girl/boy of your dreams passes before you, your phone buzzes and their face appears on your phone’s screen…

The website doesn’t offer much, so far, and most of the few pages there are, are empty.

Now I know people have been talking about this kind of service for a while, but I believe this might be the first to go live. Something called Serendipity was mentioned a few weeks back as a MIT Media Lab project but I haven’t seen anything hit the streets yet. (I’m ready to stand corrected on this, although I gave the MIT website a look.)

As pointed out elsewhere, this kind of system is not going to be popular with the service providers, not because it’s insecure but because it’s not likely to make them any money. The software is network-independent, since the interaction requires only that users input their data and ‘find’ each other using Bluetooth. No network, no pinging back to the network to update or match profiles, no large amounts of money.

Which explains why the software costs $5. It’s a commercial version of the Brits’ own toothing fad, I guess.