Tag Archives: Martin Herfurt

Bluetooth Jackets For The Hip – And The Hip-Replaced

Thanks to Martin Herfurt for this: A jacket that, via Bluetooth, doubles as an entertainment centre, complete with (1) hands-free set with microphone in the collar and voice recognition, (2) integrated headphone connection, (3) flexible keyboard embodied into the material and (4) docking station for an MP3 player with a Bluetooth headset:

The HUB-Jacket comes with 128 Megabyte memory offers enough storage capacity for two hours of music. The MP3 files are loaded into the module from a PC via a USB cable. The fabric keyboard woven into the jacket’s left-hand sleeve “can be comfortably operated even when wearing gloves”. All the electronic connections “are sewn directly into the textile material. They are thus out of sight, robust and enable total freedom of movement”. If this is not enough for you, a “helmet with integrated headphones is also available as an option”. The Bluetooth module in the player allows the user to operate a mobile phone. And, in case you’re wondering, the electronic hardware “is tough enough to withstand repeated falls and washing sessions”. The HUB is part of O’Neill’s Winter Collection and costs 500 euros.

Actually, the HUB-Jacket ain’t alone. There’s the Memswear prototype from my Singaporean neighbours up the road which senses when the owner — presumably an elderly person — has taken a fall and puts in an emergency phone call via Bluetooth. (Here’s the original CNN story). And Nike has developed a Comm-Jacket which, according to DPA, “fitted with an integrated microphone and earplugs and a plug for a walkie-talkie”.

Welcome To Long Distance Bluesnarfing

(Please note: I’m not in possession of any bluesnarfing software and I’m not going to link to any. So please don’t bother leaving comments requesting it.)

Long distance Bluesnarfing is here.

Austrian researcher and Bluetooth expert Martin Herfurt tells me that he and some friends — Mike Outmesguine, John Hering, James Burgess and Kevin Mahaffey — were able to Bluesnarf a cellphone more than 1 mile away in Santa Monica Bay early on Wednesday. This follows a similar experiment late last month in which some of the same guys successfully connected to a Bluetooth phone 1 km away.

(Bluesnarfing is the practice of using a vulnerability in cellphones’ implementation of Bluetooth to steal data or to hijack a cellphone to make calls or send text messages without the user’s permission or knowledge.)

Martin says the distance was exactly 1.08 miles, or 1.78 km, which is in itself something of a feat, given they were using pretty basic stuff — a 19db antenna with a modified class 1 dongle on one side and on the other the victim’s unmodified phone. But it wasn’t just that: He says they were able to not only snarf the entire address book but also send an SMS from the victim’s phone.

Here’s Martin the victim in the foreground, the pier in the background near where the attacker is located:

I hope this kind of experiment lays to rest those folk who don’t see how this kind of thing would be a problem. Most of the naysayers claim that Bluesnarfing only works close by, but this shows that’s not true. What’s more, it shows how Bluesnarfing can be a sniper or a vacuum cleaner: Martin says they spotted dozens of Bluetooth phones in their experiment but just focused on the target phone. But if they’d wanted they could have sucked up the address books and data in most of those phones — information that might have proved very valuable.

The Bluesnarfing Skeptics

Is Bluesnarfing the big problem it’s made out to be?

“Traditionally,” wrote Guy Kewney of eWeek earlier this month, “security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.” He then takes a look at bluesnarfing, which regular readers of this blog and the column will already be familiar with. His conclusion: Such concerns are “a load of hooey”. Here’s why:

  • Range: “You have to get to within a few paces of the phone you want to raid because the effective range of Bluetooth is said to be about 30 feet..in clear air, not in a crowded room”;
  • Phone ID: “You have to identify the phone correctly. You won’t see “I’m Tony Blair’s phone full of secrets!” in nice helpful letters; you’ll see the make of the phone”;
  • Affected brands: “The phone also needs to be vulnerable to attack…affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets”;
  • Tools: “you have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants”;
  • Results: “what do you get? A list of phone numbers?”

Guy sees such ‘news scares’ as intended to “convince a large group of people that the guy who discovered the ‘security loophole’ is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.”

OK, let’s take a look at Guy’s points. The first one, range, is pretty simple. Bluetooth doesn’t have a range of 30 feet (10 meters); it has a range of up to 100 meters, depending on which class of Bluetooth gadget you’re talking about. But the problem is not the range of the targetted gadget, but of the attacker’s. Adam Laurie, the guy who first publicised this, has used off the shelf components plugged into a laptop to get a range of 80 meters and reckons with antennae it could go much further.

The second issue, Phone ID, is somewhat misleading. While it’s true Tony Blair is unlikely to have had the time or interest to alter his phone’s default name (usually the model name) to one more personal, the attacker is unlikely to be snarfing around for an exact model name. He is going to gobble up all the vulnerable Bluetooth device data he can find and then later, if he needs to, try to match data to individuals via, for example, the SMS sender field in any outgoing SMS/text messages. This field would reveal the telephone number of the target (thanks Martin Herfurt for clarifying this.)

Affected brands: While it’s true that not all phones are affected, Nokia remains the single largest player in the UK (where eWeek is writing from) with nearly 30% market share in the first quarter of this year. SonyEricsson has nearly 6%. And while not all models from those manufacturers are vulnerable, that’s still a lot of handsets.

Tools: Yes, it’s unlikely you’d be able to mount a successful attack without a laptop, a Bluetooth dongle, and some technical idea of what you’re doing. But it’s naive to suggest that it’s only going to be security consultants doing this kind of thing. The Bluesnarfing problem is one of data theft, which means its most likely users are folk in the data theft business, either for commercial purposes or criminal ones. Sure you’re going to get a few techheads doing it for the hell of it, but the most likely threat is commercial espionage, and those guys are pros. Just because you can’t imagine someone doing it, doesn’t mean a criminal can’t.

Results: This again reflects the limited imagination of the writer. Basically any information can be stolen from a cellphone via snarfing. This not only includes contacts — in themselves potentially valuable — but also any notes stored there, such as safe combinations, passwords, PIN numbers. In any case, Bluesnarfing is not just about data. It can also involve hijacking the user’s phone to make a call without their knowledge. The ability of someone remotely to use your phone to dial a number and talk — which then appears to the recipient to be coming from your phone — raises all sorts of problem scenarios, but I’ll leave those to your imagination.

It’s not a new mantra, but it’s worth repeating: Just because we can’t think of how someone might benefit from these kind of security holes doesn’t mean someone else can’t. Sure, there are plenty of pseudo-security problems out there, and it’s good to be skeptical, but as long as the manufacturers don’t address it, Bluesnarfing is a real one, seriously compromising the security of your cellphone. As cellphones, PDAs and cameras merge into smartphones this problem can only become more acute.

The Dangers Of Snarf

Is Bluesnarfing something to worry about? Yes, according to an Austrian study.

In the middle of last month a researcher at Salzburg’s Research Forschungsgesellschaft mbH, Martin Herfurt, set up a laptop and Bluetooth dongle near the public restrooms in Hall 11 at CeBIT, Europe’s biggest IT-exposition in Hannover. He then started to sniff for Bluetooth cellphones. In four days he found 1,269 different devices.

Bluesnarfing, or SNARFing, involves connecting to a device without permission (what’s called pairing) and then accessing data on the device or using its features. Martin didn’t do anything to the devices he did find, but he makes clear he could have:

  • sent SMS (text) messages from the victim’s phone without her knowledge;
  • made phone calls from the victim’s phone and
  • altered the phone book and the record of dialled numbers on the victim’s phone.

Worst off: The Nokia 6310 and the more enhanced Nokia 6310i, which he says, “are very vulnerable to the SNARF attack. About 33 percent of all discovered devices of this type were disclosing personal phone book entries without requiring user-interaction.” And Martin thinks it could have been a lot worse: By basing himself near the restrooms, a lot of his victims were passing by, moving away before he could complete a full ‘attack’. (He stresses he has not kept any of the information he obtained this way.)

I’ve said in the past that this sort of thing sounds obscure, and therefore not something we think we should worry about. But just because we can’t think of how these vulnerabilities might be exploited doesn’t mean they won’t be, and that this is not a serious breach of our security. 

These tricks in themselves may not in themselves be dangerous, but highlight the fact that most of us walk around with a lot of personal data inside our phone/PDA — our address book, who we called, a record of messages sent and received, our name, our exact position, passwords and bank account numbers, email messages — which could be obtainable by someone with the interest and a modicum of equipment.

I don’t think the problem here is hijacking a phone to make a call, or SMS spam, or whatever. It’s that as cellphones and PDAs merge, these devices will inevitably become attractive targets of ID thieves, commercial spies and anyone else with an interest in finding out more about us. Unless we’re careful, Bluetooth will become just one more open door through which they can do it.