Many of the most popular models of Bluetooth-enabled cell phones can be hacked easily, enabling a malicious hacker to steal phone books, images, calendar information, or virtually anything else stored on the phone, say a pair of security experts.
Adam Laurie, chief security officer and director of AL Digital and the Bunker, a secure web hosting facility in Europe, and Martin Herfurt, a researcher at Salzburg Research, described the danger at a session Friday at the Defcon 12 conference in Las Vegas.
The pair demonstrated how software tools they created give them virtually total control over Bluetooth phones from a wide range of handset manufacturers, including Nokia, Sony-Ericsson and TDK.
Herfurt demonstrated three different ways to attack a phone. He could send unsolicited text messages to the phone's screen, download all the data stored on a phone (or manipulate the data on the phone itself), and turn the phone into a roaming bug by forcing a targeted phone to call another phone.
This last attack, which the pair call "BlueBugging," is potentially the most damaging because once the attacker initiates a call on the victim's phone, there's no need to stay within Bluetooth range, typically about 30 feet. The target need only be in a phone service area to be exploited.
This kind of attack could also be used to commit fraud, according to Laurie. For example, an attacker could force victims' phones to dial a phone service that bills the victim per call or per minute.
Increasingly, "phones are being used as portable data stores" for information such as passwords, PIN numbers, and other sensitive data, Laurie added – another danger if a phone can be hacked.
"Fifty to seventy percent of the phones we see are vulnerable" to at least one of the three types of hacking attacks, Laurie said. He added that security researchers from computer security consulting firm @stake have further uncovered flaws in Bluetooth encryption, which could make the danger worse.
Bluetooth adoption is growing, especially in Europe.
"If we can implement [@stake researcher] Ollie Whitehouse's cracks, any Bluetooth phone would be vulnerable," Laurie said.
Many users set their phones on what hackers call discoverable mode in order to use Bluetooth accessories, such as headsets, but carelessly leave them in that mode, he noted. Also, many manufacturers set discoverable mode as the default, to help customers quickly and easily connect accessories or devices.
Data theft using Bluetooth is especially hazardous because "you don't have to be visible to the person you're targeting," Laurie said. He found that he could connect to many Bluetooth devices well beyond the usual range of the wireless technology. Using just a small dongle on his laptop increased the range to about 40 meters, and some high-gain antennas could stretch communications to 90 meters.