Last Updated: Wednesday, 21 April, 2004, 11:03 GMT 12:03 UK
Taking a peek inside your mobile
BBC ClickOnline's Spencer Kelly investigates just how safe your Bluetooth mobile phone is from attack.

My PDA and my phone can talk to each other through a Bluetooth connection using short-range radio waves.

To stop me accessing someone else's phone without their permission, I have to enter the same code numbers on both devices.

This proves that they are both in my possession. But experts have shown how they can hack into certain models of phones without an access code.

Using a Bluetooth enabled laptop and specially written software, security expert Adam Laurie can take your data at the push of a button in an attack he has dubbed bluesnarfing.

"Currently we can steal the whole of your phone book, that's your whole contact list, your calendar, any multimedia objects that you've associated with any of those," said Mr Laurie, Managing Director of A. L. Digital Ltd.

"So if you've taken a picture of your girlfriend and associated that with her entry in your phone book, I'll get that picture as well, and some technical details about your phone, including its serial number, which is used in phone cloning."

Commercial edge

If you are the victim of a bluesnarf attack, the only clue that a phone is being accessed is a change in the Bluetooth icon on screen, which is easily missed.

A bluesnarf attack is not instantaneous. The more data you snarf, the longer it takes.

Mr Laurie showed how it could be done by taking information from my mobile.

NOKIA RECOMMENDATIONS
Check Bluetooth pairings of the device are correct
Remove any unwanted Bluetooth pairings
In public places, set the device in non-discoverable mode
Switch off Bluetooth

Although stealing phone numbers from random passers-by is not generally going to benefit you, Mr Laurie foresees real commercial advantages for potential bluesnarfers.

"I think the worst case scenario commercially, you can see an instance where a competitor came along, snarfed all of your contact list, all of your calendar, got all your appointments and pipped you to the post on selling that double glazing or whatever," he said.

Not all phones are vulnerable, but so far the problem has been shown to exist on some of the most popular models.

In order for an attack to work, you would need to maintain a Bluetooth connection with the target phone throughout, which means you would have to stay within a few metres for several minutes.

But if you can do it, the data comes across without any argument.

As well as taking data, a different activity allows you to send messages to any nearby Bluetooth phone, unsolicited, and without knowing the target phone number.

This is called bluejacking, and you do not need any security training or special software to do it.

"Some people laugh, mainly they're laughing, some people are freaked out, and some people ask people around them if it was them," said a 13-year-old schoolgirl who goes by the name Jelly Ellie and is behind the bluejacking site, bluejackq.com.

Nuisance calls

Bluetooth allows you to send electronic business cards between phones without permission, and Ellie's website explains how to exploit this facility to send unsolicited messages to nearby phones.

If there are lots of Bluetooth phones within range, sending the right message to the right victim is a case of trial and error.

"You'd normally send an opening message like 'hello', then you listen for whose phone beeps, see who pulls it out, and then send a message specific to what they're wearing," said Jelly Ellie.

Although it can be a nuisance, bluejacking does not involve any theft of data, so it is not illegal. However, if you bluesnarf, you are breaking the law. Both Sony Ericsson and Nokia have acknowledged there is an issue with bluesnarfing.

"Since we found out about the bluesnarfing problem we have fixed it in our new and future handsets," said Richard Dorman of Sony Ericsson.

"However if there are concerned consumers out there then there are two routes they can take. Firstly, they can switch off Bluetooth in areas they regard as unsafe and only use it in areas they regard as safe.

"Secondly, later on this year we will be bringing out a patch for existing handsets which will be available from our service centres and mobile phone retailers."

For its part, Nokia referred ClickOnline to a prepared statement.

"Nokia is aware of the claims that there would be security issues relating to certain devices with Bluetooth technology," said the company.

"Based on the information available to date, it is highly unlikely that devices with Bluetooth technology would become broadly exposed to security attacks. Still, we feel that it is important to raise consumers' awareness and concern, especially of the concept of Bluejacking."

The Finnish handset manufacturer said it was working on the security features of Bluetooth phones with the "objective to be more than one step ahead of those groups that design and promote criminal security attacks - hacking - against mobile devices".

Rich pickings

But how widespread is this problem? ClickOnline sent Adam Laurie out and about on the streets of London, with his snarfing laptop up-and-running in his bag.

Although he did not actually steal anyone's data, he did test how many phones would be vulnerable to the snarf attack.

In 30 minutes, he made contact with 192 Bluetooth phones, of which 54 would have given up their data without question, and without their owners' knowledge.

Most people are quite happy to leave their phone's Bluetooth facility on, ready for use.

But the simplest protection from a bluesnarf attack is to go into the menu and turn Bluetooth off, or at least set it to undiscoverable.

This renders it invisible to anyone or anything that might be looking for it. And it might be best to keep it that way, until all security holes have been closed.

