Bluetooth - forget about snarfing, concentrate on interference

by Guy Kewney | posted on 15 November 2004

It is six months, at least, since this column poured scorn on the House of Commons security meister for banning mobile phones because of the "risk of bluesnarfing" - and today, Scientific American has "exposed the risk of bluesnarfing."


At that time, I called it a load of hooey. The purpose of bluesnarfing is not, as journalists seem to have been persuaded, to steal your phone numbers from your phone. If you want to steal someone's phone number, you borrow their phone while they are in the loo, and write the number down.

The purpose of bluesnarfing (not to be confused with airsnarfing) is to get Adam Laurie a job consulting for the Bluetooth SIG. In this, it has succeeded, and Laurie is now collecting a fee - and a well deserved one - from their experts, in order to help expose any other weaknesses in future Bluetooth security.

Bluesnarfing: it's the exploit which was exposed in February 2004 in Comms Design. It exploits a coding flaw in one particular implementation of the Bluetooth stack. It isn't a flaw in Bluetooth - it was a bug in one particular programmer's code, which appeared on a half dozen phones (listed; all now obsolete). The flaw has already been rectified on new phones.

It's one of several quite trivial exploits, which were discussed in November 2003 in The Bunker, in ponderously apocalyptic tones. One even "exposed" the fact that a trusted device could access the phone (well, duh) even after it had been deleted from the list of trusted devices.

Here's what you need to steal a phone number out of my Bluetooth phone:

1) a laptop computer. The special-purpose Bluetooth code that Laurie uses is not available on any mobile phone in the world.

2) close access to the victim. Bluetooth is being extended to 100m range, but that's the next generation, not the obsolete models that Laurie is demonstrating on; current phones get confused if asked to communicate with the next room. Yes, if you have a huge, high-gain directional antenna in your pocket, and your target is out of doors, you could extend that to several hundred metres.

3) No people in between you and the target phone. Bluetooth uses the same frequency that microwave ovens use. The 2.4 GHz band was selected because of the opacity of water to that frequency; all the energy is absorbed by the liquid. Humans are 95% liquid - water, specifically. They block Bluetooth like a fleece blocks the cold.

4) Some way of knowing what brand of phone your target is using. In a room with a half dozen people in it, you will probably find six phones, maybe more. Which one is George Bush's phone? Unless he shows it to you, you can waste a long time guessing. (And if it's not one of the old, obsolete, snarfable phones, you will waste your time anyway, because it won't be vulnerable.)

5) Expertise. You can't just buy one of these programs on the Internet, run it, and find snarfable phones. You have to be a friend of Laurie, and get instruction from him in running the software. And he's a responsible consultant; if you think you just have to wait till he releases a virus, you'll have to think again.

6) A perverse and obstinate mentality. You want my phone? A kid in North London managed that. He just took it out of my hand while I was talking on it, and ran away. You want George Bush's phone directory? Trickier, yes. Well, he'll probably leave the phone lying in a taxi one day. The statistics for lost and stolen mobile phones are huge.

Here's what you do: find out what sort of phone your target uses, and buy a duplicate. Find a way of getting close to his office (you'll have to get closer to him than that anyway, to snarf) and wait till he puts his phone down. Swap them.

Sounds tediously complex? Believe me, it's simplicity itself compared with snarfing.

Sci-Am says: "This flaw exists in many manufacturers' Bluetooth devices, and it represents an increasing danger as mobile phones become all-purpose communicators that can handle payments and banking transactions."

Well, no, it doesn't. It represents a spectacularly successful publicity stunt by a clever consultant.

Is your mobile phone vulnerable? Yes, of course it is. Increasingly, mobile phones are data-enabled, and the data they send and receive goes over the Internet. The Internet is a dangerous, insecure place, and it's going to get worse. Worry about that. Forget about Bluetooth flaws. There's only one Bluesnarfer on the planet, and he's a respectable businessman. You're a thousand times more likely to be eaten by a crocodile than to be snarfed.

And banning mobile phones with Bluetooth and leaving internet connections open is like trying to keep your cabin dry on the Titanic by throwing thimblefuls of water through the open porthole.

Of course, discovering vulnerabilities in wireless is important! Nobody is saying it isn't. What is a bit unnecessary is selling these vulnerabilities as the end of civilization and the collapse of e-commerce.

If there's a moral, it's probably this: No matter how careful you think you've been in setting up a security model, you can be pretty sure that someone will find a way through it. Discovering those gaps in the fortress is worth the effort; but it doesn't mean that the person who found the gaps is therefore much cleverer than the people who built the fort.
