My mobile phone, lying on the table in front of me, flashes "Connecting" a couple of times and then falls back to blank normality. Adam Laurie looks up from his laptop and says, "Do you have a phone book entry 'marca03'?"
Yes, I do.
Laurie, a security expert, co-organizer of the annual hacker conference Defcon and head of the London-based data security company AL Digital, has just Bluesnarfed my phone. That is, he's hacked my phone's Bluetooth connection to demonstrate that he can access my information without my knowledge or consent. This flaw exists in many manufacturers' Bluetooth devices, and it represents an increasing danger as mobile phones become all-purpose communicators that can handle payments and banking transactions.
As a personal networking standard, Bluetooth allows devices to connect to one another over short distances. Bluetooth replaces cables and infrared connections, enabling computers, cell phones, PDAs, keyboards, printers and other devices to communicate with one another. (It is not to be confused with 802.11, otherwise known as Wi-Fi, which permits wireless Internet and local-area networking.)
The creators of Bluetooth were conscientious about security. Data in transit are encrypted. Depending on the built-in features, a Bluetooth connection can often be configured so that the device talks only to specified other devices and is not discoverable except by them. The problem is, this setting is not always available or easy to use. Just like Wi-Fi networks in residential neighborhoods, many Bluetooth connections are left open and vulnerable.
In his attack, Laurie convinced my phone that it was paired with his laptop, even though his laptop does not appear on my list of authenticated devices. He has made use of the fact that Bluetooth devices have a common standard. Bluetooth serves as the conduit for familiar services--such as voice, file transfer, printing and faxing--and relies on customized sets of protocols referred to as profiles. Laurie will not say exactly how he exploits the profiles, but he does explain that he is using Bluetooth to access flaws in the manufacturers' implementation of those services. He adds that most of the necessary software for his eavesdropping is readily available on the Internet and otherwise has legitimate purposes, such as utilities for data backup and short message service (SMS) text.
To most people, the data at risk don't sound like much at first. "People think it doesn't matter," Laurie says, "but usually they find a few entries in their phones they don't want the world to see." This will be even truer as functions and storage space continue to grow to include e-mail, recordings, photographs and other forms of data.
While attempting to duplicate Laurie's work, Martin Herfurt, a researcher at Salzburg Research in Austria, stumbled onto something even worse: Bluebugging. It relies on the same pairing double cross as Bluesnarfing, but it then connects to that device's Bluetooth profile for a serial port--the traditional spot for modem connections. You can then send the "AT" commands familiar from the old dial-up days to take control of the device. Standard utilities enable you to use the phone to call premium rate numbers, send SMS text (which also may be charged at premium rates) and connect to the Internet. You can even get the hijacked phone to call you without the owner's knowledge and thereby listen in on nearby conversations.
Some of the affected manufacturers have fixed their phone software. Meanwhile Laurie is working with the Bluetooth creators to help improve security on the next generation of standards. But the incident is a good reminder of a basic problem: going from cable to wireless adds a whole new layer of invisible risk.