February 10th, 2004, 09:19 AM
Bluesnarfing: Is your phone's data at risk?
Nokia has admitted that some of its Bluetooth-enabled mobile phones are vulnerable to "bluesnarfing" - where an attacker could read, modify and copy a phone's address book and calendar without leaving any trace of the intrusion.
Following networking and security firm AL Digital's revelation that at least ten handsets from Nokia, Sony Ericsson and Ericsson were vulnerable to a bluesnarfing attack, a Nokia spokesperson said that the company is aware of "security issues" relating to Bluetooth devices that "makes it possible to download and modify phone book, calendar and other information on the phone without the owner's knowledge or consent, if Bluetooth is turned on."
However, the spokesperson said the attack was only possible if the phone was in 'visible mode' where it is set to actively search for other Bluetooth devices. The company admitted that a bluesnarf attack "may happen in public places, if a device is in the 'visible' mode, and the Bluetooth functionality is switched on. The phones vulnerable to 'snarf' attack include the Nokia 6310, 6310i, 8910 and 8910i phones as well as devices from another manufacturer."
According to Nokia, if an attacker had physical access to the 7650, the bluesnarf attack would not only be possible, but it would also allow the attacker's Bluetooth device to "read the data on the attacked device and also send SMS messages and browse the web via it." The company said it had not been able to recreate this "backdoor" attack on the 6310, but would not confirm if the other models were vulnerable.
Nokia also admitted that its 6310i handset is vulnerable to a Denial of Service attack when it receives a "corrupted" Bluetooth message: "A DoS attack would happen if a malicious party sends a malformatted Bluetooth... message to re-boot a victim's Nokia 6310(i). We have repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310(i) phone," said the spokesperson, who sought to reassure customers by saying that following the crash, the phone will reset and function normally.
Nokia will not be releasing a fix for the devices in the near future because it said the attacks are limited to "only a few models" and it does not expect them to "happen at large".
The company advises customers in public places to set their phones to "invisible" or switch the Bluetooth functionality off: "In public places, where the above mentioned devices with Bluetooth technology might be targets of malicious attacks, at least in theory, the safest way to prevent hackers is to set the device in non-discoverable mode - 'hidden' - or switch off the Bluetooth functionality. This does not affect other functionalities of the phone," the spokesperson said.
A Sony Ericsson spokesperson said the company is "looking into" the matter and expected to make a statement on Tuesday.
February 12th, 2004, 03:42 AM
Why should we have to turn off functionality that we pay good money for! I mean, Bluetooth is used for headsets and other communications; are we supposed to not use headsets?? I think they should release a fix, even though it's only on a few models - I'm sure there are millions of each model sold throughout the world!!
Oh well, hackers limit our lives again.
--- 0wN3D by 3gG ---
June 20th, 2004, 12:37 PM
The chances of being bluesnarfed are very small: you need someone running a laptop with the right programme and a BT card, and you need to stand within 10 meters of them for long enough (several minutes). More chance of Latvia winning Euro 2004!