Tag Archives: Snarfing

Infrared Snarfing?

Is the Infrared port on your computer a security hazard?

LA-based Ligatt Corp, a computer security company, reckon so. In a press release issued yesterday, the company says it was able “to gain entry into two out of ten computers and started copying files” belonging to customers at a local Borders bookstore using a Windows CE-powered PDA. This was done by simply pointing the PDA at the target laptop and using a custom built program to grab, or snarf, files on those computers that had the infrared port switched on.

Ligatt’s conclusion: “The good news is that Microsoft has been careful in deploying appropriate defaults so that it would not be easy for someone to maliciously send you a virus or worm. Amazingly enough, little attention is paid to the infrared port that comes standard with most laptops on the market.”

Ligatt, in fact, is not alone in recognising the vulnerabilities of the infrared port, although it does not appear to be a point often made. I found references to it on websites like LabMice.Net, a laptop security site, and Nottingham University’s inform online, both of which advised users to disable the port, as does Ligatt.

So how big a deal is this? The knee-jerk answer is: Not much. Infrared works over pretty short distances (my tests indicated four feet); you need to have the infrared ports on each device pointed directly at each other; in Windows a notification window pops up should any infrared connection be established; and finally, connection speeds are pretty slow, so snarfing files of any size is probably going to take too long to be that stealthy.

That said, I think Ligatt probably have a point. Infrared is on by default, both with Windows and PDAs (I think). I imagine it’s relatively easy to write software that could bypass the notification window in Windows, and distance (and angle) are not going to deter the committed industrial spy. Infrared may not be the best way in to a computer or PDA, but it is a way, and it’s probably best to turn it off on your machine until you use it.

Welcome To Long Distance Bluesnarfing

(Please note: I’m not in possession of any bluesnarfing software and I’m not going to link to any. So please don’t bother leaving comments requesting it.)

Long distance Bluesnarfing is here.

Austrian researcher and Bluetooth expert Martin Herfurt tells me that he and some friends — Mike Outmesguine, John Hering, James Burgess and Kevin Mahaffey — were able to Bluesnarf a cellphone more than 1 mile away in Santa Monica Bay early on Wednesday. This follows a similar experiment late last month in which some of the same guys successfully connected to a Bluetooth phone 1 km away.

(Bluesnarfing is the practice of using a vulnerability in cellphones’ implementation of Bluetooth to steal data or to hijack a cellphone to make calls or send text messages without the user’s permission or knowledge.)

Martin says the distance was exactly 1.08 miles, or 1.78 km, which is in itself something of a feat, given they were using pretty basic stuff — a 19 dB antenna with a modified class 1 dongle on one side and on the other the victim’s unmodified phone. But it wasn’t just that: He says they were able to not only snarf the entire address book but also send an SMS from the victim’s phone.

Here’s Martin, the victim, in the foreground, with the pier in the background near where the attacker was located:

I hope this kind of experiment lays to rest those folk who don’t see how this kind of thing would be a problem. Most of the naysayers claim that Bluesnarfing only works close by, but this shows that’s not true. What’s more, it shows how Bluesnarfing can be a sniper or a vacuum cleaner: Martin says they spotted dozens of Bluetooth phones in their experiment but just focused on the target phone. But if they’d wanted they could have sucked up the address books and data in most of those phones — information that might have proved very valuable.

The Bluesnarfing Skeptics

Is Bluesnarfing the big problem it’s made out to be?

“Traditionally,” wrote Guy Kewney of eWeek earlier this month, “security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.” He then takes a look at bluesnarfing, which regular readers of this blog and the column will already be familiar with. His conclusion: Such concerns are “a load of hooey”. Here’s why:

  • Range: “You have to get to within a few paces of the phone you want to raid because the effective range of Bluetooth is said to be about 30 feet… in clear air, not in a crowded room”;
  • Phone ID: “You have to identify the phone correctly. You won’t see “I’m Tony Blair’s phone full of secrets!” in nice helpful letters; you’ll see the make of the phone”;
  • Affected brands: “The phone also needs to be vulnerable to attack…affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets”;
  • Tools: “you have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants”;
  • Results: “what do you get? A list of phone numbers?”

Guy sees such ‘news scares’ as intended to “convince a large group of people that the guy who discovered the ‘security loophole’ is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.”

OK, let’s take a look at Guy’s points. The first one, range, is pretty simple. Bluetooth doesn’t have a range of 30 feet (10 meters); it has a range of up to 100 meters, depending on which class of Bluetooth gadget you’re talking about. But the problem is not the range of the targeted gadget, but of the attacker’s. Adam Laurie, the guy who first publicised this, has used off-the-shelf components plugged into a laptop to get a range of 80 meters and reckons with antennae it could go much further.
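The physics behind that point, as an added worked example that is not part of the original post: Bluetooth’s nominal 10 m / 100 m figures come from the transmit power class of a single radio, but a link closes when the power arriving at a receiver clears its sensitivity floor, and that depends on both ends’ transmit power, antenna gain and receiver quality. Assumed constants in the code: a 2441 MHz centre frequency for the 2.4 GHz band, the class 1/2/3 transmit powers (20/4/0 dBm), and the Bluetooth specification’s -70 dBm minimum receiver sensitivity. The 19 dB antenna quoted on this page is read as 19 dBi of gain (an assumption), and the -85 dBm receiver is an assumed figure for a better-than-minimum front end. Free-space loss is an upper bound; indoors the real figures are lower.

```python
import math

# Assumed centre of the 2.4 GHz band Bluetooth hops across.
BT_FREQ_MHZ = 2441.0

# Nominal transmit power per Bluetooth power class (Bluetooth Core spec values).
CLASS_TX_DBM = {1: 20.0, 2: 4.0, 3: 0.0}

# Minimum receiver sensitivity the spec requires; real chipsets are often better.
SPEC_MIN_SENSITIVITY_DBM = -70.0


def fspl_db(distance_km, freq_mhz=BT_FREQ_MHZ):
    """Free-space path loss (Friis), in dB, for a distance in km and frequency in MHz."""
    return 32.44 + 20 * math.log10(freq_mhz) + 20 * math.log10(distance_km)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, freq_mhz=BT_FREQ_MHZ):
    """Largest distance (metres) at which Ptx + Gtx + Grx - FSPL still reaches the sensitivity.

    Inverts fspl_db(): the whole budget above the sensitivity floor can be spent on path loss.
    """
    allowed_loss_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm
    exponent = (allowed_loss_db - 32.44 - 20 * math.log10(freq_mhz)) / 20
    return 10 ** exponent * 1000.0


def endpoint(power_class, gain_dbi=0.0, sens_dbm=SPEC_MIN_SENSITIVITY_DBM):
    """Describe one radio: its class transmit power, antenna gain and receiver sensitivity."""
    return {"tx_dbm": CLASS_TX_DBM[power_class], "gain_dbi": gain_dbi, "sens_dbm": sens_dbm}


def link_range_m(a, b, freq_mhz=BT_FREQ_MHZ):
    """Usable range of a two-way link: Bluetooth needs both directions to close,
    so the weaker direction (normally the low-power handset talking back) sets the range."""
    a_to_b = max_range_m(a["tx_dbm"], a["gain_dbi"], b["gain_dbi"], b["sens_dbm"], freq_mhz)
    b_to_a = max_range_m(b["tx_dbm"], b["gain_dbi"], a["gain_dbi"], a["sens_dbm"], freq_mhz)
    return min(a_to_b, b_to_a)


if __name__ == "__main__":
    handset = endpoint(2)                          # unmodified class 2 phone, built-in antenna
    other_handset = endpoint(2)
    dongle = endpoint(1, gain_dbi=19.0)            # class 1 dongle behind a 19 dBi antenna (page's figure)
    better_rx = endpoint(1, gain_dbi=19.0, sens_dbm=-85.0)  # assumed better receiver front end

    print(f"class 2 handset to class 2 handset: {link_range_m(handset, other_handset):.0f} m")
    print(f"same handset vs. class 1 dongle + 19 dBi antenna: {link_range_m(handset, dongle):.0f} m")
    print(f"... with a -85 dBm receiver on the dongle side: {link_range_m(handset, better_rx):.0f} m")
```

Run as is, the handset-to-handset case lands around 49 m in free space, while the same unmodified handset facing a class 1 dongle with a 19 dBi antenna closes at several hundred metres with a spec-minimum receiver and beyond two kilometres with an assumed -85 dBm one. The handset’s own class never enters the answer as a limit; only the better-equipped end’s antenna and receiver do, which is why a policy built on “Bluetooth only reaches 10 metres” offers no protection.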

The second issue, Phone ID, is somewhat misleading. While it’s true Tony Blair is unlikely to have had the time or interest to alter his phone’s default name (usually the model name) to one more personal, the attacker is unlikely to be snarfing around for an exact model name. He is going to gobble up all the vulnerable Bluetooth device data he can find and then later, if he needs to, try to match data to individuals via, for example, the SMS sender field in any outgoing SMS/text messages. This field would reveal the telephone number of the target (thanks Martin Herfurt for clarifying this.)

Affected brands: While it’s true that not all phones are affected, Nokia remains the single largest player in the UK (where eWeek is writing from) with nearly 30% market share in the first quarter of this year. Sony Ericsson has nearly 6%. And while not all models from those manufacturers are vulnerable, that’s still a lot of handsets.

Tools: Yes, it’s unlikely you’d be able to mount a successful attack without a laptop, a Bluetooth dongle, and some technical idea of what you’re doing. But it’s naive to suggest that it’s only going to be security consultants doing this kind of thing. The Bluesnarfing problem is one of data theft, which means its most likely users are folk in the data theft business, either for commercial purposes or criminal ones. Sure, you’re going to get a few techheads doing it for the hell of it, but the most likely threat is commercial espionage, and those guys are pros. Just because you can’t imagine someone doing it doesn’t mean a criminal can’t.

Results: This again reflects the limited imagination of the writer. Basically any information can be stolen from a cellphone via snarfing. This not only includes contacts — in themselves potentially valuable — but also any notes stored there, such as safe combinations, passwords, PIN numbers. In any case, Bluesnarfing is not just about data. It can also involve hijacking the user’s phone to make a call without their knowledge. The ability of someone to remotely use your phone to dial a number and talk — which then appears to the recipient to be coming from your phone — raises all sorts of problem scenarios, but I’ll leave those to your imagination.

It’s not a new mantra, but it’s worth repeating: Just because we can’t think of how someone might benefit from these kinds of security holes doesn’t mean someone else can’t. Sure, there are plenty of pseudo-security problems out there, and it’s good to be skeptical, but as long as the manufacturers don’t address it, Bluesnarfing is a real one, seriously compromising the security of your cellphone. As cellphones, PDAs and cameras merge into smartphones this problem can only become more acute.

Bluetooth Security – The World Wakes Up?

The corporate world, it seems, is waking up to Bluetooth security issues. At the same time there is a growing slew of products to make them sleep safer.

InfoSync World writes of new security software from Bluefire Security which “disables Bluetooth and Infrared communication to minimize the risk of information theft.” Bluefire Mobile Firewall Plus 3.0 allows system administrators to disable Infrared and Bluetooth communication capabilities on any company PDAs or other gadgets before they’re handed over to workers.

GeekZone also reports that AirDefense has launched what the company is calling “the industry’s first Bluetooth monitoring solution”. BlueWatch monitors an organisation’s ‘airspace’ and can identify different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones, report their signal strength and illustrate the connectivity among various devices.
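How a monitoring tool tells a laptop from a keyboard from a phone, as an added example that is not BlueWatch’s code or anything from the original post: every discoverable Bluetooth device answers an inquiry with a 24-bit Class of Device (CoD) whose bit fields name its major and minor device class and the services it advertises, so an inventory is a matter of decoding that field for each address seen. The code below decodes CoD values using the published Bluetooth Assigned Numbers layout and runs over a constructed block of text in the format `hcitool inq` prints (addresses and clock offsets are made up; the CoD values are typical ones for a cellular phone, a laptop, a keyboard and a smartphone, not taken from any particular model).

```python
import re
from collections import Counter

# Major device classes, CoD bits 12..8 (Bluetooth Assigned Numbers).
MAJOR_CLASSES = {
    0: "miscellaneous", 1: "computer", 2: "phone", 3: "LAN/network access point",
    4: "audio/video", 5: "peripheral", 6: "imaging", 7: "wearable", 8: "toy",
    9: "health", 31: "uncategorized",
}

# Minor device classes, CoD bits 7..2, for the majors an office sweep mostly turns up.
COMPUTER_MINOR = {0: "uncategorized", 1: "desktop", 2: "server", 3: "laptop",
                  4: "handheld PC/PDA", 5: "palm-sized PC/PDA", 6: "wearable computer"}
PHONE_MINOR = {0: "uncategorized", 1: "cellular", 2: "cordless", 3: "smartphone",
               4: "wired modem or voice gateway", 5: "common ISDN access"}
# For peripherals the top two minor bits (CoD bits 7..6) say keyboard / pointing device.
PERIPHERAL_KIND = {1: "keyboard", 2: "pointing device", 3: "keyboard+pointing combo"}

# Major service class flags, CoD bits 23..13.
SERVICE_BITS = {
    13: "limited discoverable", 16: "positioning", 17: "networking", 18: "rendering",
    19: "capturing", 20: "object transfer", 21: "audio", 22: "telephony", 23: "information",
}


def parse_cod(cod):
    """Split a 24-bit Class of Device into major class, minor class and service flags."""
    if cod & 0x3:
        raise ValueError("unknown CoD format type (bits 1..0 must be 00)")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    return {"major": MAJOR_CLASSES.get(major, f"reserved({major})"),
            "minor": minor, "services": services}


def device_type(cod):
    """Human-readable device type, the label a monitoring console would show."""
    info = parse_cod(cod)
    major, minor = info["major"], info["minor"]
    if major == "computer":
        return f"computer ({COMPUTER_MINOR.get(minor, 'unknown minor')})"
    if major == "phone":
        return f"phone ({PHONE_MINOR.get(minor, 'unknown minor')})"
    if major == "peripheral":
        return f"peripheral ({PERIPHERAL_KIND.get(minor >> 4, 'other')})"
    return major


# One inquiry result per line: "<bdaddr>  clock offset: 0x....  class: 0x......"
INQ_LINE = re.compile(
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+clock offset:\s*0x[0-9A-Fa-f]+\s+class:\s*0x([0-9A-Fa-f]{6})"
)


def parse_inquiry(text):
    """Return (address, cod) pairs from hcitool-inq-style output, ignoring other lines."""
    return [(m.group(1).upper(), int(m.group(2), 16)) for m in INQ_LINE.finditer(text)]


def inventory(text):
    """Count devices seen by type, the per-category view a monitoring console keeps."""
    return Counter(device_type(cod) for _, cod in parse_inquiry(text))


# Constructed sample in hcitool inq format; addresses and clock offsets are made up.
SAMPLE_INQUIRY = """\
Inquiring ...
\t00:11:22:33:44:55\tclock offset: 0x6a3e\tclass: 0x520204
\t00:11:22:33:44:66\tclock offset: 0x1f02\tclass: 0x10010c
\t00:11:22:33:44:77\tclock offset: 0x0b17\tclass: 0x000540
\t00:11:22:33:44:88\tclock offset: 0x4c21\tclass: 0x5a020c
"""

if __name__ == "__main__":
    for addr, cod in parse_inquiry(SAMPLE_INQUIRY):
        info = parse_cod(cod)
        print(f"{addr}  {device_type(cod):<28} services: {', '.join(info['services']) or '-'}")
    print(dict(inventory(SAMPLE_INQUIRY)))
```

The service flags are the part worth watching in an inventory: a phone that advertises “object transfer” and “telephony” is announcing exactly the data and call features the snarfing stories above are about, so a sweep that groups devices by type and lists their advertised services gives an administrator the same picture an attacker doing an inquiry scan gets, and lets the company act on it first.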

Here’s a piece from ComputerWorld on what IT managers are doing. Of course, there’s a danger of an over-reaction here. Some folk don’t see Bluesnarfing, Bluejacking et al. to be a problem. But this is usually because they are only considering it from their own point of view (‘I’ve only got my mum’s and girlfriend’s telephone numbers in there, who would want that? They’re welcome to it’). But for companies this is a serious issue. If a rival could sit outside their office and download all the marketing department’s contacts from their cellphones, PDAs or (theoretically) their laptops, then that might be something to worry about.

This week’s column – Mailbag

This week’s Loose Wire column answers readers’ questions on Bluesnarfing, the unpleasant term for the unpleasant process of remotely stealing the data from Bluetooth-equipped cellphones, the wonders of PowerDesk and ExplorerPlus, and browser wars.

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

This week’s column – Snarf

This week’s Loose Wire column is about Bluetooth security:

Next time you’re carrying your whiz-bang Bluetooth phone watch out: Serious flaws mean your contact numbers and other info stored in the phone could be stolen without you even knowing it. This latest threat is called Bluesnarfing.

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

For readers looking for more resources on snarfing, check out the snarf page on Loose Wire Cache.

The Dangers Of Snarf

Is Bluesnarfing something to worry about? Yes, according to an Austrian study.

In the middle of last month a researcher at Salzburg Research Forschungsgesellschaft mbH, Martin Herfurt, set up a laptop and Bluetooth dongle near the public restrooms in Hall 11 at CeBIT, Europe’s biggest IT exposition, in Hannover. He then started to sniff for Bluetooth cellphones. In four days he found 1,269 different devices.

Bluesnarfing, or SNARFing, involves connecting to a device without permission (what’s called pairing) and then accessing data on the device or using its features. Martin didn’t do anything to the devices he did find, but he makes clear he could have:

  • sent SMS (text) messages from the victim’s phone without her knowledge;
  • made phone calls from the victim’s phone; and
  • altered the phone book and the record of dialled numbers on the victim’s phone.

Worst off: The Nokia 6310 and the more enhanced Nokia 6310i, which he says, “are very vulnerable to the SNARF attack. About 33 percent of all discovered devices of this type were disclosing personal phone book entries without requiring user-interaction.” And Martin thinks it could have been a lot worse: By basing himself near the restrooms, a lot of his victims were passing by, moving away before he could complete a full ‘attack’. (He stresses he has not kept any of the information he obtained this way.)

I’ve said in the past that this sort of thing sounds obscure, and therefore not something we think we should worry about. But just because we can’t think of how these vulnerabilities might be exploited doesn’t mean they won’t be, or that this is not a serious breach of our security.

These tricks may not in themselves be dangerous, but they highlight the fact that most of us walk around with a lot of personal data inside our phone/PDA — our address book, who we called, a record of messages sent and received, our name, our exact position, passwords and bank account numbers, email messages — which could be obtainable by someone with the interest and a modicum of equipment.

I don’t think the problem here is hijacking a phone to make a call, or SMS spam, or whatever. It’s that as cellphones and PDAs merge, these devices will inevitably become attractive targets of ID thieves, commercial spies and anyone else with an interest in finding out more about us. Unless we’re careful, Bluetooth will become just one more open door through which they can do it.

Bluetooth And The Art Of Sex

Is Bluetooth helping Brits meet each other and have sex?

Apparently, according to WIRED, which reports on a new craze called ‘toothing’ (couldn’t they have come up with something sexier?). Toothing involves using the Bluetooth feature in a cellphone — used to transfer data between one Bluetooth device and another, without wires — to send messages to another cellphone within range (across a room, say).

What the toothers do, apparently, is to spot someone else messing with their cellphone on a train, in a mall or, somewhat unromantically, in a carpark, and then send them a message using this feature (via a trick called Bluejacking, or its more criminal cousin, Bluesnarfing). They then converse via SMS, or text, hook up and have sex. It sounds a bit like the letters pages in Penthouse.

There’s even a website dedicated to toothing (intriguingly, the Google context-aware ads that appear at the top of the site seem as confused as I: They are all about teeth whitening).

Now I have to express a bit of scepticism about this, it being so close to April 1 and all that. The story says that “when a Bluetooth phone locates another, it can see the name that the device’s owner has given it. And most, though not all, toothers use names that in one way or another betray their gender.” Is that true? In my experiments with Bluejacking, if you try to ‘discover’ other devices, the only results you will get are likely to be the name of the device (Nokia 7650, or whatever). But maybe that’s not the case everywhere.

Still, there’s no denying that Bluetooth has brought a bit of romance into people’s lives. A service called Serendipity will sniff out other phones and, if their owners are using the service, look to see whether the two people are compatible based on its database, according to the Daily Telegraph.