February 9, 2004 12:02 PM PST

Nokia: Bluetooth flaw gnaws at phone security

Nokia has confirmed that some of its Bluetooth-enabled cell phones are vulnerable to "bluesnarfing," in which an attacker exploits a flaw to read, modify and copy a phone's address book and calendar without leaving any trace of the intrusion.

Networking and security company AL Digital said on Monday that it had discovered a security flaw in Bluetooth, a wireless data standard, that could allow such an attack. The flaw affects a number of Sony Ericsson, Ericsson and Nokia handsets, but some models--including a handful of Nokia phones--are at greater risk because they invite attack even when in "invisible mode," according to AL Digital.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


A Nokia representative told ZDNet UK that the Finnish device maker is aware of "security issues" relating to devices with Bluetooth that "(make) it possible to download and modify phone book, calendar and other information on the phone without the owner's knowledge or consent, if Bluetooth is turned on."

However, the representative said the attack was possible only if the phone was in "visible" mode, or when it is set to actively search for other Bluetooth devices. Nokia said that a bluesnarf attack "may happen in public places, if a device is in the visible mode and the Bluetooth functionality is switched on. The phones vulnerable to 'snarf' attack include the Nokia 6310, 6310i, 8910 and 8910i phones as well as devices from another manufacturer."

According to Nokia, if an attacker had physical access to a 7650 model, a bluesnarf attack would not only be possible, but it would also allow the attacker's Bluetooth device to "read the data on the attacked device and also send SMS messages and browse the Web via it."

The company said it had not been able to recreate this backdoor attack on the 6310 handset, and would not confirm if other models were vulnerable to it.

Nokia also said that its 6310i handset is vulnerable to a denial-of-service attack when it receives a "corrupted" Bluetooth message: "A DoS attack would happen if a malicious party sends a malformated Bluetooth...message to reboot a victim's Nokia 6310i. We have repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310i phone," said the representative, who sought to reassure customers by saying that following the crash, the phone will reset and function normally.

A Sony Ericsson representative told ZDNet UK the company is "looking into" the matter and expected to make a statement on Tuesday.

Handsets at risk
England-based AL Digital said that the risk of a bluesnarf attack was highest for the four phone models listed by Nokia. Some models were described as more vulnerable than others in invisible mode, in which the handset is not supposed to broadcast its identity and should refuse connections from other Bluetooth devices.

"On some models of phone, you are only vulnerable to attack if you are on visible mode; however, there are other models of phones where you are vulnerable even in nonvisible mode," said Adam Laurie, chief security officer at AL Digital.

AL Digital has developed several proof-of-concept utilities, but has not released them, Laurie said. The utilities include Bluestumbler, designed to monitor and log all visible Bluetooth devices (name, MAC address, signal strength, capabilities), and identify the manufacturer from MAC address lookup; and Bluesnarf, which can copy data from a target device.

According to AL Digital's Bluestumbler Web site, vulnerable phones include: Ericsson T68; Sony Ericsson R520m, T68i, T610 and Z1010; and Nokia 6310, 6310i, 7650, 8910 and 8910i.

Laurie said he discovered the problem when he was asked to test how safe Bluetooth devices actually were. "Before we deploy any new technology for clients or our own staff, one of my duties is to investigate that technology and ensure it is secure--actually rolling your sleeves up and looking at it, not just taking the manufacturers' claims at face value. When I did that, I found that it is not secure," he said.

According to Laurie, he can initiate a bluesnarfing attack from his laptop after making a modification to its Bluetooth settings. "It is a standard Bluetooth-enabled laptop, and the only special bit is the software I am using in the Bluetooth stack. I have a modified the Bluetooth stack, and that enables me to perform this attack," he said.

Bluesnarfing has huge potential for abuse because it leaves no trace and victims will be unaware that their details have been stolen, Laurie said. "If your phone is in your pocket, you will be completely unaware."

Although the problem may affect other Bluetooth devices, such as laptops, Laurie said they are more difficult to target because the systems are more complex. "(Mobile phones) are liable to be more vulnerable simply because the resources for menus and configuration are limited. Manufacturers try and make Bluetooth simple to use on phones, so you don't have much granularity in setting options. On a lot of phones, Bluetooth is either on or off," he said.

Laurie said that for now, there is no fix available. He said that the only way to be completely safe is to switch off the Bluetooth functionality.

Nokia will not be releasing a fix for its devices in the near future because the attacks are limited to "only a few models" and it does not expect them to "happen at large," the Nokia representative said. The company is advising customers in public places to set their phones to invisible or switch the Bluetooth functionality off.

"In public places, where the above-mentioned devices with Bluetooth technology might be targets of malicious attacks--at least in theory--the safest way to prevent hackers is to set the device in nondiscoverable mode--'hidden'--or switch off the Bluetooth functionality. This does not affect other functionalities of the phone," the Nokia representative said.

Munir Kodatia of ZDNet UK reported from London.

2 comments

Join the conversation!
Add your comment
Bluetooth snarfing
It be better for mobile phone manufacturers to indicate on their mobile phones that bluetooth traffic is being sent by a phone. This would cover future threats, at least the phone owner would know that their phone has been "hacked" and then they have the option of taking precautions etc. etc.
Indication could be in the form of a message on the phone coupled with a short burst of vibration or other. Additionally they could keep a log of bluetooth activity e.g. session start and end etc. Even if a hacker gets past the security layer, there will be activity in the form of messages goin to and fro form the phone.
Other security would be voice activation of the bluetooth channel. Either way it looks as though restricting security to high level requets for service is just not good enough.
Posted by (1 comment )
Reply Link Flag
Wireless Device Vulnerabilities - an effective countermeasure
Concerned about people exploiting vulnerabilities being discovered in your wireless devices? I believe that there is a good protective measure on the market when it comes to ensuring privacy protection. When you want to ensure maximum protection, use an E2X bag. They are at www.e2xgear.com and originate from technology used to counter electronic espionage efforts directed against the US intelligence community. They can even shield your phone, pda, or any other wireless device to prevent it from transmitting or receiving when you dont want it to. Furthermore, GPS tracking is blocked. When you need it, simply remove it from the bag. You dont even have to turn your device off anymore (or remember to turn it back on.)
Since the manufacturers of wireless technologies seem uninterested in correcting product design vulnerabilities, it may be necessary for consumers to step in and take measures to ensure their privacy is protected. One thing is for certain, this is only the beginning of privacy issues for consumers who find wireless electronics becoming an integral part of daily life.
Comments may be directed to jschweitzer@e2xgear.com
Posted by (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.