Companies using Bluetooth-enabled mobile phones need to audit them for security, or risk leaving valuable data open to eavesdroppers. That's the warning from a London-based security expert who has discovered a way to wirelessly hack into popular business handsets without the phone users being aware.
Adam Laurie of AL Digital, who did the research into what he calls Bluesnarfing, says that the problem definitely affects popular handsets such as the Nokia 6310i and SonyEricsson T68i.
The attack uses a modified Bluetooth software stack, running on a PC, to bypass the pairing mechanism on the handset. It allows Laurie to extract the address book, calendar, IMEI number and other data, but not information held on the SIM card. "We've not got SMS yet, but it's a possibility," he says.
So far, he has only tested a limited range of handsets that were immediately available to him. Some, such as the 6310i, are vulnerable even in non-discoverable mode, in which case a technique such as Red Fang could be used to locate the victim prior to Bluesnarfing.
Laurie claims that with a powerful Class 1 Bluetooth adapter in his PC, he could snarf the contents of some phones in the time it takes the owner to walk past his front door.
"Eighty percent of the devices we've tested are vulnerable, including most of the phones my staff use and I don't like that. I want them fixed," he says. "We are working on an auditing tool that can be used by bona fide interested parties to audit devices but further research needs to be paid for."
He adds that he has tried attacking some PDAs too, so far without success: "It took work to tune the attacks for different phones though, so maybe PDAs could be vulnerable too once we set to it."
Nick Hunn, the managing director of TDK Systems Europe, thinks this is unlikely. He says the problem appears to be an exception-handling fault in a specific Bluetooth stack, or family of stacks, where the phone is fooled by the PC sending it a response that it did not expect.
"I still think the spec is solid," he says. "We've been through all the other stacks we have, seeing if there's any way we can hack in and we can't. It only appears to affect a limited number of handsets - the problem is that they are the best-selling models."
Amazingly, Nokia admits that the 6310, 6310i, 8910 and 8910i are all vulnerable but has refused to fix the problem, even though AL Digital's research shows that the handsets remain vulnerable when set to non-discoverable mode. The only suggestion Nokia offers is turning Bluetooth off altogether, which is not exactly useful advice given the new laws on mobile phones in cars.
SonyEricsson says it has fixed the hole in the phones now shipping, while older phones can be upgraded with new firmware. However, it has not issued a public statement advising users to obtain the upgrade, so there will be plenty of vulnerable SonyEricsson handsets around for the foreseeable future.
"You need to look at how serious this is," counters a SonyEricsson spokesman. "Even if you hack in, you have to make sense of the information."
That might not be difficult, however, as Laurie demonstrated to Techworld. Confronted with a SonyEricsson T610, which he had never seen before, Laurie successfully downloaded the entire phonebook and calendar. Photos attached to phone numbers were transferred too and displayed on the screen of his laptop.
There were no PIN requests or 'synchronising' messages on the phone's screen - the only sign of the hack underway was a tiny symbol indicating an active Bluetooth connection.
A spokeswoman for the Information Commissioner confirmed that data on a business mobile phone is covered by the Data Protection Act, if it could be used to identify an individual. She said that, so far, protecting your phone against physical theft has constituted adequate security under the law.
However, with smartphones allowing you to carry your PC diary and address book round with you, and Bluesnarfing opening new routes for industrial espionage, that attitude will have to change.
Efforts to protect data on mobile devices have begun with the more familiar PCs and moved on to PDAs. It looks as if smartphones equipped with Bluetooth are still a wild and somewhat dangerous frontier.