Hackers can attack Bluetooth devices
Adam Laurie, who is chief security officer and director of AL Digital and the Bunker, and Martin Herfurt - researcher for Salzburg Research demonstrated how software tools they created give them virtually total control over Bluetooth phones from a wide range of cellular phone manufacturers, including Nokia and Sony-Ericsson. The experts showed several different ways of attacking a phone.
One of them is called SNARF attack: obtaining all data stored on the phone without the owners knowledge. Lately many devices like PDAs and smart phones are used by individuals to not only store phone numbers and their calendar information but also passwords PIN numbers and other security information which could be an easy target if your handset is hacked.
Another one is the BACKDOOR attack this is when a hacker establishes trusted relationship with a handset, but then ensuring that it no longer appears in the target's registry of paired devices. This connection is granting him access not only to the data on your phone but also allowing him to use modems and WAP/GPRS services.
The third is called BLUEBUG attack. The reason for your phone to be attacked is for the hacker to use it to make a call, send or read SMS, connect to data services or even to monitor conversations in the surrounding area of the phone. The way the eavesdropping works is when the attacker directs your phone to call his device and when he picks up he will be able to listen to the chatter near by your phone.
Adam Laurie preformed several real life tests one of which was in the London underground station. He spend 2 hours there during rush-hour and was able to detect 336 Bluetooth enabled phones 77 of which was vulnerable to at least one attack. During another test in the Britain's House of Parliament he discovered 46 Bluetooth phones 8 of which were in danger of the attacks.
Another proof of Laurie's theory is a device referred to as BlueSniper Riffle. It is developed by John Hering and his colleagues from Flexilis. The gadget is composed from riffle looking stock, antenna, scope and cables running to either PDA or laptop. During a test from 11th floor of a hotel John Hering aimed the mechanism toward a busy taxi stand and was able to detect and collect data from over 300 Bluetooth enabled phones.
Several work-arounds are available to the consumers. The first option is to turn Bluetooth off. This will prevent SNARF and BLUEBUG. To protect against BACKDOOR attacks, you have to permanently remove a pairing, and this could be done by performing a factory reset, which will also erase all your personal data.
Here is a chart of vulnerable phones:
Vulnerability Matrix | ||||||
Make | Model | Firmware Rev | BACKDOOR | SNARF when Visible | SNARF when NOT Visible | BUG |
Ericsson | T68 | 20R1B | ? | Yes | No | No |
Sony Ericsson | R520m | 20R2G | ? | Yes | No | ? |
Sony Ericsson | T68i | 20R1B | ? | Yes | ? | ? |
Sony Ericsson | T610 | 20R1A081 | ? | Yes | No | ? |
Sony Ericsson | T610 | 20R1A081 | ? | ? | ? | Yes |
Sony Ericsson | Z1010 | ? | ? | Yes | ? | ? |
Sony Ericsson | Z600 | 20R2C007 | ? | Yes | ? | ? |
Nokia | 6310 | 04.10 | ? | Yes | Yes | ? |
Nokia | 6310i | 4.06 | No | Yes | Yes | Yes |
Nokia | 7650 | ? | Yes | No | ? | No |
Nokia | 8910 | ? | ? | Yes | Yes | ? |
Nokia | 8910i | ? | ? | Yes | Yes | ? |
* Siemens | S55 | ? | No | No | No | No |
* Siemens | SX1 | ? | No | No | No | No |
Motorola | V600 | ? | No | No | No | Yes |
- Watch a short movie showing the BlueSniper Rifle and now it works.
- Official A.L. Digital Press release
- Wired.com Article
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: