Yes, Bluetooth Is Insecure, But Does It Matter?

Looks like the phone makers are finally taking a look at the Bluetooth security issue, which I mentioned in a recent posting.

ZDNet quotes a Nokia spokesperson as saying the company is aware of “security issues” relating to Bluetooth devices that “makes it possible to download and modify phone book, calendar and other information on the phone without the owner’s knowledge or consent, if Bluetooth is turned on.” But the spokesperson stresses “the attack was only possible if the phone was in ‘visible mode’ where it is set to actively search for other Bluetooth devices.” The company admitted that a bluesnarf attack “may happen in public places, if a device is in the ‘visible’ mode, and the Bluetooth functionality is switched on.”

There are other possible attacks, the Nokia person conceded:

  • Hijacking someone’s phone: An attacker could also use at least one model to “send SMS messages and browse the Web via it.” The company said it had not been able to recreate this “backdoor” attack on the 6310, but would not confirm if the other models were vulnerable.
  • Crashing someone else’s phone: The 6310i handset is vulnerable to a Denial of Service attack — effectively crashing the phone — when it receives a “corrupted” Bluetooth message.

Nokia, surprisingly, said it would not be releasing fixes, ZDNet says, because it said the attacks are limited to “only a few models” and it does not expect them to “happen at large”. Instead it suggests users set their phones to ‘invisible’ — meaning no Bluetooth device can see it — or turn off the Bluetooth function entirely. Sony Ericsson, meanwhile, are “looking into” the matter. Why they are still doing that given the warning has been in the public domain since November beats me.

This is a much more serious case than the handphone manufacturers, or the Bluetooth community, have acknowledged. Folk assume that because an attack seems unlikely, the vulnerability that allows it to happen is somehow less important. That’s what people thought in the early days of viruses — why would someone create something to disrupt someone else’s computer, we would think? Or spam: Why would someone send an email with a fake email address? Now that kind of thinking looks a bit, well, duh.

Bluetooth is trying to become a pervasive technology. It wants to be in everything, and to make gadgets work with other gadgets seamlessly and ubiquitously. For that to happen, security has to be paramount. Just because we can’t think of ways people could exploit these flaws doesn’t mean people won’t try. If I’m sitting in a business meeting and I can download everyone else’s phone book to my phone, or read their messages, emails or whatever they have stored on their phone, that’s bad enough. But what about when every gadget is Bluetooth? Can I access someone else’s PDA remotely? Their laptop? Might I be able to send a message to make it look as if it’s coming from their phone?

We should be thanking the guys who discovered this vulnerability, and taking their reports seriously, not treating them like publicity-hungry sleazeballs. That Nokia and the others have been so slow to take note is a serious black mark against them. If they show similar attitudes to Symbian we’re in trouble.

News: Psst! Wanna Buy Some Fake Bluetooth Gear?

Apparently one of the reasons your Bluetooth gadgets won’t work well with each other is that they might be fake. Bizarre? Yes! True. Possibly. NewsWireless reports that, according to a survey, over 50% of Bluetooth equipment on sale in the UK is counterfeit. And that figure is set to rise. The group that sets Bluetooth standards says that by year end, as little as 15% of the “Bluetooth” equipment on sale in retail outlets may be genuine.

So who would fake Bluetooth? Counterfeiters, apparently, who are trying to flood the market with fakes for the end-of-year boom in hands-free Bluetooth gear, which is expected as the result of impending legislation in several countries about driving with cellphones. Of course, part of this is not so much that the gadgets are fake as that they don’t adhere to the Bluetooth Special Interest Group’s standards. So, while they shouldn’t use the name Bluetooth, they may possibly work. Given my miserable experience with Bluetooth gadgets until now, I can’t really see the difference.

News: Something For The Folk With Too Many Email Accounts

If you’ve got a lot of email accounts, and access them from different kinds of gadgets, Danamail may interest you. It’s a new service that “lets you read and reply to all your email, from all your addresses, on any Internet-ready device, wherever you are.”

Danamail consolidates all your email messages and attachments from multiple accounts into a secure, easy-to-use, single user interface. Danamail works on different platforms (Palm, PocketPC, WAP phones, Blackberry, even TVs). Might be worth a try. The basic plan costs $70 a year. Or you could just divert all your email to one account.