Bluetooth, schmootooth

Bluetooth, schmootooth

I once had a Bluetooth phone — a Sony-Ericsson T68i which I got because my geek friends told me it was the only one that worked with Mac OSX.

Well, it kind-of worked, but was fantastically erratic and unreliable. T-mobile replaced the phone twice, but it got to the point where I couldn’t ever depend on it. And if your mobile is your main phone (as mine is) then that’s just not on. So one day last January I dumped it and went out and bought a cheapo, no-frills Nokia which has worked faultlessly ever since.

My main complaint was with the manufacturer, not the technology. Bluetooth seemed to me to be a good idea in principle. It meant, for example, that I could use the phone (when it worked) to drive presentations on my laptop. And I hate wires, so anything that reduced wiring seemed, a priori, to be A Good Thing.

That was before Adam Laurie went to work on it. He’s the Chief Security Officer at a British company, AL Digital. “Before we deploy any new technology for clients or our own staff”, he told C-Net, “one of my duties is to investigate that technology and ensure it is secure–actually rolling your sleeves up and looking at it, not just taking the manufacturers’ claims at face value. When I did that, I found that it is not secure,” he said.

Laurie found that phones are vulnerable to “bluesnarfing,” in which an attacker exploits a flaw to read, modify and copy a phone’s address book and calendar without leaving any trace of the intrusion. The flaw affects a number of Sony Ericsson, Ericsson and Nokia handsets (including my benighted T68i), but some models–including a handful of Nokia phones–are at greater risk because they invite attack even when in “invisible mode” — i.e. when they are supposed not to be broadcasting their presence. For the grisly details, see the web page he has prepared.

On Wednesday last (April 14) the London Times carried an interesting article by Steve Boggan, who went out on the streets with Adam Laurie and found that Bluesnarfing was indeed as easy as Laurie had claimed. It was also intriguing to see the differences between the two main companies affected. Sony-Ericsson put up a feeble spokesbot who first tried to downplay the problem. Nokia, in contrast, were more forthcoming. When quizzed by C-Net, they acknowledged that some of their phones were vulnerable, but claimed that an attack was only possible if the Bluetooth was in ‘visible’ mode. (Wrong, according to Laurie, for some models.) The Nokia spokesman also volunteered some extraordinary news:

If an attacker had physical access to a 7650 model, a bluesnarf attack would not only be possible, but it would also allow the attacker’s Bluetooth device to “read the data on the attacked device and also send SMS messages and browse the Web via it.”

What does all this mean? Well, it’s worrying, simply because mobile phones are becoming the repository for increasing amounts of personal data. If they are not secure, then there is massive scope for mischief. And the riposte that “one can always switch Bluetooth off” is not as reassuring today as it was a few months ago. The UK law which makes it a criminal offence to use a handheld mobile while driving has led to a massive increase in the use of Bluetooth headsets — which of course require that Bluetooth be switched on!