
MP calls for manufacturers to fix the problem
Published: 17 February 2004 09:25 GMT
An MP has called for mobile phone manufacturers to make a greater effort and fix the Bluetooth security problems in their handsets after a researcher revealed that software tools enabling a 'bluesnarf' attack are widely available on the internet.
Bluesnarfing is a method of hacking into a Bluetooth-enabled mobile phone and copying its entire contact book, calendar or anything else stored in the phone's memory. Nokia and Sony Ericsson have admitted some of their handsets are vulnerable, and although Sony Ericsson has made an effort to fix the problem, Nokia said the problem is not serious enough to warrant repairing.
Mark Rowe, consultant at security company Pentest, told silicon.com's sister site ZDNet UK that the number of people that know how to perform the attack is quickly increasing and tools that enable the attack are widely available online. "We have been contacted by a number of security researchers that have worked out how to do it themselves without any help from us," Rowe said. "We were concerned when the information was previously published and we were told you need special tools. But in reality, anybody who looked into it in any depth would quickly work out how the attack is possible."
Rowe urged the media not to publicise which tools are used in attacks because this "would make it really easy for somebody to work out what to do". A web search revealed hundreds of sites distributing the tools.
According to Rowe, the problem lies in how manufacturers implemented the object exchange (OBEX) protocol, which is a common method used by mobile devices to exchange information. "It was a deliberate design decision not to include authentication - that allows people to [easily] send business cards to each other," he said. But the companies had overlooked that this implementation would also mean files could be transferred back and forth without permission, he said.
Tom Watson, Labour MP for West Bromwich East and a Bluetooth-phone user, told ZDNet UK he is concerned about the privacy of consumers and hopes that mobile phone manufacturers will do more to help fix the problem. "Once again consumers have to bear the brunt of technological failure," he said. "This offers profound threats to people's privacy. The least the sector can do is put matters right," he said.
Rowe advises anyone with a Bluetooth handset to keep it in hidden mode or, even better, switch Bluetooth off. "If devices are hidden they are very difficult to find," he said. "There are techniques to find hidden devices, but it is a brute-force method that would take a lot of time. If they are not in hidden mode, you can find their address by simply asking."
Munir Kotadia writes for ZDNet UK
Copyright © 2008 CBS Interactive Limited. All rights reserved.