Bluetooth Phone Security threat


daing

Guest
From today's TIMES


April 14, 2004

Bluesnarfing puts mobile security at risk
By Steve Boggan






MILLIONS of mobile phones have a serious security flaw that can allow a stranger to download contacts, diary details and stored pictures without the owner’s knowledge.
The Times has been given demonstrations of a technique for stealing the information, known as Bluesnarfing, which experts predict could have a devastating effect on Nokia and Sony Ericsson, the two companies whose phones appear vulnerable.



They say the hacking procedure could be used for industrial espionage, stalking celebrities or even by paedophiles. Phones most at risk include Nokia’s best-selling 6310 model and Sony Ericsson’s T610.

“The implications for users of susceptible handsets are enormous,” said Adam Laurie, the chairman of A. L. Digital, the computer software security firm that discovered the flaw. “You could sit outside your business rivals’ annual sales conference and download all the customer information, contacts and diary appointments stored in the phones of the sales force.

“You could use the information for criminal or terrorist purposes to see who a target has been talking to and is due to meet, and you could download the details of that target.

“If you were a paedophile, you could download the contents of a child’s phone, giving you access to potential targets for grooming. This is a serious flaw, but the phone companies aren’t taking it seriously.”

The Times accompanied Mr Laurie on two demonstrations during which his laptop, using his own software, scanned for Bluetooth-compatible phones. Those with the facility switched on up to 90 metres away were vulnerable.

Before a Bluetooth connection can be made, the person contacted must agree to accept the link, but Mr Laurie has found a way to bypass this. In two cases, The Times witnessed him downloading the phones’ entire phone book, calendar and diary contents and, in one case, a stored picture.

Hundreds of vulnerable phones an hour came into range of an attack. During one test in the West End of London, Mr Laurie’s system identified vulnerable handsets at the rate of one a minute.

So far, Mr Laurie is thought to be the only person to have written the software that allows him to exploit the flaws in the technology. Last November, he reported it to manufacturers. They accept the security flaws exist, but Mr Laurie argues that they have not done enough to correct the problem.

“They don’t have long to fix this,” he said. “I believe other people are right behind me in finding the flaws. They may not be as responsible with the information as I have been.”

Ian Angell, Professor of Information Systems at the London School of Economics, described the discovery of the flaw as a devastating blow for the phone companies. “This could really disrupt the whole industry,” he said. “The idea that a perfect stranger could spy on you — that represents a technology too far.”
 