September 21, 2007 6:56 AM PDT
Symantec warns users over Bluetooth security
- Related Stories
Analyst: Virtualization set to boost mobile securitySeptember 21, 2007
Gartner: Businesses should be wary of iPhoneJune 28, 2007
Symantec pumps up Windows Mobile protectionMarch 27, 2007
Securing consumer-friendly smart phonesOctober 17, 2006
Stolen smart phones scream to be foundAugust 29, 2006
Security firms squabble over mobile threatsJuly 24, 2006
2006: Year of the mobile malwareDecember 19, 2005
Expert: Cell phone virus threat is overblownMay 5, 2005
- Related Blogs
Mobile carriers' message: In SMS spam, users pay
July 24, 2007
Mobile security saves you from yourself
July 17, 2007
A study by research firm InsightExpress revealed that 73 percent of mobile device users are not acquainted with security issues that could put at risk mobile devices such as cell phones and Bluetooth-equipped notebooks. To these users, terms such as "bluejacking," "bluesnarfing" or even "bluebugging" would probably be unfamiliar.
"There are many other methods that (launch) a variety of denial-of-service attacks, and even some that could allow an attack to eavesdrop on private conversations," Ooi Szu-Khiam, senior security consultant at Symantec Singapore, said in an e-mail interview. Ooi noted that "numerous instances of mobile viruses, worms and Trojan horses" have emerged in the past year.
Bluejacking, also known as "bluespamming," is a technique used to send anonymous text messages to mobile users via Bluetooth, Ooi explained. "Phones that are Bluetooth-enabled can be tweaked to search for other handsets that will accept messages sent via Bluetooth."
"Despite the name, it doesn't hijack the phone or suck off the information. It simply presents a message, similar to e-mail spam. The recipient can ignore the unsolicited message, read it, respond or delete it," Ooi said. "While bluejacking can be an extremely annoying onslaught of unsolicited messages, it is generally a minimal security risk."
Bluesnarfing, however, is a more dangerous technique that can allow a hacker to access information stored on a mobile device without its user's knowledge, said Ooi.
"This technique takes advantage of a security flaw, (inherent) in some older versions of Bluetooth-enabled handsets, that could allow an attacker to access and copy data stored on the device without the user's knowledge," Ooi said. The Symantec executive noted that it is still possible to connect to such devices even if the users have configured their devices to be in "nondiscovery" mode, where the device remains hidden when someone searches the vicinity for Bluetooth devices.
"Any potentially valuable information stored on a phone, such as address books, calendars, e-mail and text messages, are at risk in a bluesnarfing attack," Ooi said.
A third threat, and possibly the most serious of the three risks, is bluebugging. This technique allows attackers to access mobile-phone commands using Bluetooth technology, without notifying or alerting the device owner, Ooi noted.
"This vulnerability allows the hacker to initiate phone calls, send and receive text messages, read and write phonebook contacts, eavesdrop on phone conversations and connect to the Internet," Ooi explained. "As with all the attacks, the hacker must be within a 10-meter range of the (targeted) phone."
Unlike bluesnarfing, which simply provides attackers access to personal information on the phone, bluebugging allows the attacker to take control of the device, he said.
To ensure their wireless devices are well-protected, Ooi noted, users can equip their gadgets with mobile-security products, which include antivirus, firewall, anti-SMS spam and data-encryption technologies, that are easy to deploy, manage and maintain.
"This kind of layered security can not only mitigate the unique security risks of mobile devices, but can also enable companies to more easily and cost-effectively comply with internal security policies and external regulations," Ooi said.
Ooi highlighted four tips on how mobile users can protect their Bluetooth-enabled devices:
Turn off features that you are not using. If you have a Bluetooth-equipped device and do not need the function, then don't turn it on.
If you are using the Bluetooth function and don't require your device ID to be visible to others, make sure the device's visibility setting is set to "hidden," so hackers will not be able to scan and search for it.
Verify incoming transmissions
Do not accept and run attachments from unknown sources unless you are expecting them. For example, if you receive a message to install an application and you don't know its origin, don't run it.
Ideally, use passwords with a large number of digits. A four-digit PIN or password can be broken in less than a second, and a six-digit PIN in about 10 seconds, while a 10-digit PIN is likely to take weeks to crack.
Lynn Tan of ZDNet Asia reported from Singapore.
1 commentJoin the conversation! Add your comment