Bluejacking ain't hijacking

And snarfing is purely theoretical

Letter: Last week we reported on preliminary research from security firm A.L. Digital which suggested a number of security problems with Bluetooth-enabled mobile phones from Nokia and Ericsson. The paper argued that digital pickpockets could swipe address books and data from mobile phones because of security shortcomings in the implementation of Bluetooth by the manufacturers.

Not so, says Nick Hunn, who in addition to his day job at TDK Systems is a long-standing proponent of and expert on Bluetooth. Nick reckons A.L. Digital's research gives little cause for concern. The easiest way to get data off a mobile phone is to steal it, according to Nick:

Having just read the article on The Reg, I'd like to explain a bit more about the issues raised. The Laurie père et fils article jumps between some observations about technology and scaremongering without paying too much attention to actual implementation and user models.

The recent Bluejacking stories describe a way that Bluetooth users can push messages onto other users' handsets. This uses the same basic OBEX (Object Exchange) stack that was developed for Infrared and used to acclaim in the Palm for "beaming" business cards and applications. When used on Bluetooth phones it behaves in the same way - a user is alerted to a message which they can then read.

Bluejacking isn't hijacking

Despite the name it doesn't hijack the phone or suck off the information - it simply presents a message. The recipient can ignore it, read it, respond or delete it. After beaming became such a success on the Palm it seems a little unfair to castigate it on mobile phones just because it is becoming a youth culture rather than an implied serious business use.

Snarfing is more interesting. If it were possible it would be damaging, but we've yet to find out how to do it. We've been playing with Bluetooth devices at all levels of the protocol stack for six years and have yet to find a commercial device we can hack into.

That's not for want of trying.

Pairing up

To get access you need to pair with a device. Whenever another device requests a pairing, the user of the targeted handset is presented with a message along the lines of "Device xyz is attempting to pair. Enter your password." The password must be the same as the one on the device attempting to pair - in other words you don't know it unless the person trying to hack into your phone comes over and tells you. If they're going to do that it's probably much easier for them to grab your phone and leg it.

A.L. Digital talk about the risk of removing a pairing from a previously paired device. They don't mention how that device was paired in the first place, but imply this is a major threat. Given that you have to know and have made a conscious effort to pair in the first place I don't see how it is. It is like giving somebody you meet in the street your house key, not changing the locks and then being surprised when the family silver goes missing.

Show us the vulnerabilities

It's possible to think up all sorts of scenarios of how it could go wrong, but the industry's been pretty busy doing that itself and ensuring that these access methods are blocked and the user alerted. One of the complaints levelled at Bluetooth is that it should be easier to use. The reason there are restrictions is because of the security and warnings that have been built into real devices.

Looking specifically at the tools, there is little new:

bluestumbler - Monitor and log all visible Bluetooth devices (name, MAC, signal strength, capabilities), and identify manufacturer from MAC address lookup. This is nothing new - we've had a freeware utility called Blue Alert available for around 24 months that does exactly that. You can do the same with mobile phone IMEIs, Ethernet cards, Wi-Fi access points, Web IP addresses - essentially anything that has an IP or Ethernet type address. Knowing the name doesn't give you any deeper access.

bluebrowse - Display available services on a selected device (FAX, Voice, OBEX etc). This is part of Bluetooth. If a device is discoverable you can ask it what it does. If you couldn't do that it all gets a bit pointless, as you'd have no idea of whether you were trying to print to a headset or a printer. Not a lot of use, Mr Bond.

bluejack - Send anonymous message to a target device (and optionally broadcast to all visible devices). It's a posh name for Object Push, as described above and comes built into almost every Bluetooth device you buy. It just sounds sexier to give it a name with undertones of hacking. So the major theft is from any user who pays a shareware fee for duplicating what came free with their Bluetooth device. Once again, not world shattering.

bluesnarf - Copy data from target device (everything if pairing succeeds, or a subset in other cases, including phonebook and calendar. In the latter case, user will not be alerted by any bluejack message). This is the most interesting claim, but in my experience it remains unsubstantiated. We have failed at all attempts to get data off an unpaired device. If the device is paired then yes, you can do it, but to say it's a security flaw to give away data to someone who comes up to you and asks "Can I steal your data", to which you reply "Yes - help yourself" is not a great claim.

As a Bluetooth manufacturer we've not been approached by A.L. Digital. I've asked them for details of this and look forward to receiving them and putting them to the test. If there is an issue then the Bluetooth industry needs to address it. The people I talk to in the SIG understand the need to get security right and be honest about it - they all saw what the consequence is if you don't - look at the IEEE and 802.11. I suspect that what A.L. Digital have seen is a facet of having previously paired devices and then correlating the subsequent behaviour to that of a pristine, unpaired device. It would not be the first time that mistake has been made.

At the end of the day all security has to come down to the question of what is adequate for the application. In the case of Bluetooth on a mobile phone my interpretation is that the easiest way to get data off the phone is still to nick it. You can't blame Bluetooth for that.

Nick Hunn
Managing Director
TDK Systems Europe Ltd
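
An object pushed over OBEX, as the letter describes, arrives as a PUT request whose headers name the object, give its type and length, and carry its body. The Python parser below is an added illustration, not code from the letter or from A.L. Digital; the header IDs and encodings are those of the OBEX specification, and the sample packet, file name and vCard are constructed.

```python
import struct

# Header IDs from the OBEX specification (the subset Object Push uses).
HEADER_NAMES = {0x01: "Name", 0x42: "Type", 0xC3: "Length",
                0x48: "Body", 0x49: "End-of-Body"}

def parse_obex_put(packet: bytes) -> dict:
    """Decode a single OBEX PUT request into {header name: value}."""
    if len(packet) < 3:
        raise ValueError("truncated packet")
    opcode, total = struct.unpack(">BH", packet[:3])
    if opcode & 0x7F != 0x02:            # 0x02 = PUT, 0x80 = Final bit
        raise ValueError("not a PUT request")
    if total != len(packet):
        raise ValueError("length field does not match packet size")
    headers, pos = {}, 3
    while pos < total:
        hid, kind = packet[pos], packet[pos] & 0xC0  # top 2 bits = encoding
        if kind in (0x00, 0x40):         # length-prefixed text or bytes
            if pos + 3 > total:
                raise ValueError("truncated header")
            size, skip = struct.unpack(">H", packet[pos + 1:pos + 3])[0], 3
        else:                            # fixed 1-byte or 4-byte value
            size, skip = (2 if kind == 0x80 else 5), 1
        if size < skip or pos + size > total:
            raise ValueError("header overruns packet")
        raw = packet[pos + skip:pos + size]
        if kind == 0x00:                 # UTF-16BE text, NUL-terminated
            value = raw.decode("utf-16-be").rstrip("\x00")
        elif kind == 0x40:               # opaque byte sequence
            value = raw
        else:
            value = int.from_bytes(raw, "big")
        headers[HEADER_NAMES.get(hid, hex(hid))] = value
        pos += size
    return headers

def _hdr(hid: int, payload: bytes) -> bytes:  # helper for the sample only
    return bytes([hid]) + struct.pack(">H", len(payload) + 3) + payload

# Constructed sample: a small vCard in one PUT packet (not captured traffic).
VCARD = b"BEGIN:VCARD\r\nVERSION:2.1\r\nN:Contact;Example\r\nEND:VCARD\r\n"
_BODY = (_hdr(0x01, "hello.vcf\x00".encode("utf-16-be")) +
         _hdr(0x42, b"text/x-vcard\x00") +
         b"\xC3" + struct.pack(">I", len(VCARD)) + _hdr(0x49, VCARD))
SAMPLE = b"\x82" + struct.pack(">H", len(_BODY) + 3) + _BODY

if __name__ == "__main__":
    for name, value in parse_obex_put(SAMPLE).items():
        print(f"{name}: {value!r}")
```

The decoded request contains only the pushed object and its metadata; the parser rejects packets whose declared lengths do not match the bytes received.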

External Links

Serious flaws in bluetooth security lead to disclosure of personal data, paper by A.L. Digital
