Cracks appear in Bluetooth security

IDG News Service |  Mobile & Wireless

Be careful the next time you turn on your Bluetooth-enabled phone: You could unknowingly be opening the door to a nasty intruder who could steal confidential information such as your address book or even use your phone to make expensive calls.

Security experts in the U.K. have discovered serious flaws in some Bluetooth-enabled phones, prompting one supplier of the vulnerable phones, Nokia Corp., to recommend precautionary measures.

"We have developed a tool that allows us to connect to a number of Bluetooth-enabled phones and download all sorts of confidential information, such as address books, calendars and other attachments without going through the normal pairing, or handshaking, process between devices," said Adam Laurie, technical director and co-founder of A.L. Digital Ltd. in London. "In fact, we have been able to obtain this confidential data without giving users any indication whatsoever that an intrusion is taking place."

A.L. Digital has discovered security flaws in four Nokia phone models: 6310, 6310(i), 8910 and 8910(i).

Janne Ahlberg, manager of technology platforms at Nokia, confirmed on Wednesday that these models are susceptible to potential attacks. Users of these phones in public places, he recommended, should either switch their phone to the "non-discoverable" or hidden mode, making them invisible to others, or turn off the Bluetooth functionality completely. Users should also check that their Bluetooth "pairings," or approved connections with trusted partners, are correct.

The U.K. security company detected similar flaws in phones manufactured by Sony Ericsson Mobile Communications AB. The Sony Ericsson models include the R520, T68i, T610 and Z1010.

Sony was unavailable for immediate comment.

Bluetooth technology allows users to swap data between mobile phones, PDAs (personal digital assistants), notebook computers and a string of other devices within a few meters of each other. It is becoming a standard feature of many high-end devices.

Until now, the only known Bluetooth security shortcoming has been "bluejacking," an increasingly popular means of exchanging short three- or four-word messages in the display area designated for the name of the initiating device, according to Laurie. The process, essentially, allows communication to take place without pairing, which requires partners to exchange a PIN (personal identification number) to establish a connection.

But Laurie said he and his colleagues at A.L. Digital have uncovered not one but two new security flaws. He referred to the one as "bluesnarf" and the other as a "backdoor" attack.

"Bluesnarf is a tool I've written that allows you to bypass the pairing process to connect to a Bluetooth-enabled phone and, essentially, break into the device to steal or manipulate data," he said.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.

     

    Learn more

Mobile & WirelessWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness