So you just got this funky new cell phone. It’s thin, it’s got a camera, and you dig the way it makes you feel like Captain Kirk when you flip it open.
But it’s got this thing, “Bluetooth”. What’s up with that? Should you be afraid?
Bluetooth is a key component in the current generation of technology that’s all about mobilizing information, releasing it and making it accessible.
It’s a common form of wireless communication that lets all sorts of devices hash it out with each other. It’s pretty cool because it’s almost painless to set up and use. If you want to do stuff like sync the contacts from your computer to your cell phone, or use a wireless headset, Bluetooth’s da bomb. It makes it all effortless, which is both a good and bad thing.
I mean, if it’s so easy for you to set up, how easy might it be for someone else to hack?
Not too hard, it turns out.
Take “bluejacking”. This is apparently a popular way to flirt with local cell phone users by sending unsolicited messages. So you might be sitting there, minding your business in a busy café when suddenly your Bluetooth phone rings a text message. You check it out and it’s a romantic little note from someone nearby — but who?
One step up from bluejacking is hijacking, and this is how a nearby hacker might take advantage of your cell phone’s calling capabilities unbeknownst to you.
Again, you might be sitting down having a coffee with your cell in your pocket. Depending on its configuration, a hacker may be able to route his own communications through it for the duration of your stay. Later that month when your bill arrives you’ll be left wondering what those calls to Moscow and Belize were all about.
Notice that both of these scenarios take place in a public area. That’s because of the limited range of Bluetooth, normally no more than about 10 metres. So typically any risk to your cell phone’s security will be within your visual range.
Probably the most popular use for Bluetooth is between a cell phone and a wireless headset or car adapter. Once the two devices are paired, the headset can be used for making and receiving phone calls.
Enter the “Car Whisperer”. Sort of like a phone tap, but a bit easier, by accessing the Bluetooth connection between your cell phone and your headset hackers (or, alternatively, government agents) can eavesdrop on your conversations.
My favourite use for Bluetooth is to synchronize information between my Treo and my Mac. Most cell phones can handle at least synching up contacts, so you don’t have to manage your address book on two different devices. Many can synchronize much more than that, including calendar information, photos, videos, and even Microsoft Office documents.
And this is where probably the most nefarious and likely of the Bluetooth security risks comes in: “bluesnarfing”. In essence, it’s the theft of information right off of a device.
So, again, you’re sitting in a café, enjoying a killer Americano, chatting with a friend. Two tables over, Joe Hacker uses his PC to sniff out and breach the cell phone in your pocket. A few moments later he’s downloaded your contacts, address book and the photos you took of little Johnny’s birthday party — or whatever it was you took pictures of last night with your cell phone.
All this sounds pretty scary but, no worries, you can chill out. Many of Bluetooth’s security risks are in fact theoretical or have only been tested in a laboratory environment. Some, however, like bluesnarfing, are very real.
Fortunately, it’s not too hard to beef up your device’s defences. The basic principles for protecting your Bluetooth device sort of sound like rules for dating.
First: play hard to get.
Too many cell phones ship as “discoverable”. This is basically open door mode, making it easy for you to set up other devices, usually a headset, with your cell phone. Unfortunately, it also makes it trivial for hackers to walk in and do as they please. Close the door and lock it: disable your device’s “discoverable” setting.
Second rule: no public pairing.
If you’ve just picked up a new phone and headset and want to get them working together, don’t head down to the café to do it. Go somewhere private like your home.
The best way for a hacker to get into your device is to learn the PIN used during a pairing session. If you perform this act in a public place, he could snag your PIN out of thin air.
Final rule: use some common sense.
If you’re like me and just carry around pictures of your kids and phone numbers for your family, then there’s not a lot to fear from hackers.
On the other hand, if you’ve got sensitive or private information on a Bluetooth-enabled device, you may want to reconsider that location. Some large agencies such as governments and brokerage houses are actually playing it safe and banning Bluetooth-enabled devices from their offices all together.
If you do choose to carry around a copy of your company’s unreleased prospectus on your Treo and some hacker snags it and posts it on the web, remember this: no matter how much your phone looks like Captain Kirk’s communicator, nobody’s gonna beam you up out of the trouble you’ll be in.
First published in the Yukon News on Friday, May 19, 2006.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 Canada License.