Munir Kotadia
ZDNet UK
February 09, 2004, 17:50 GMT
Nokia has admitted that some of its Bluetooth-enabled mobile phones are vulnerable to "bluesnarfing", which is where an attacker could read, modify and copy a phone's address book and calendar without leaving any trace of the intrusion.
Following networking and security firm AL Digital's revelation that at least ten handsets from Nokia, Sony Ericsson and Ericsson were vulnerable to a bluesnarfing attack, a Nokia spokesperson told ZDNet UK that the company is aware of "security issues" relating to Bluetooth devices that "makes it possible to download and modify phone book, calendar and other information on the phone without the owner's knowledge or consent, if Bluetooth is turned on."
However, the spokesperson said the attack was only possible if the phone was in 'visible mode' where it is set to actively search for other Bluetooth devices. The company admitted that a bluesnarf attack "may happen in public places, if a device is in the 'visible' mode, and the Bluetooth functionality is switched on. The phones vulnerable to 'snarf' attack include the Nokia 6310, 6310i, 8910 and 8910i phones as well as devices from another manufacturer."
According to Nokia, if an attacker had physical access to the 7650, the bluesnarf attack would not only be possible, but it would also allow the attacker's Bluetooth device to "read the data on the attacked device and also send SMS messages and browse the Web via it." The company said it had not been able to recreate this "backdoor" attack on the 6310, but would not confirm if the other models were vulnerable.
Nokia also admitted that its 6310i handset is vulnerable to a Denial of Service attack when it receives a "corrupted" Bluetooth message: "A DoS attack would happen if a malicious party sends a malformatted Bluetooth... message to re-boot a victim's Nokia 6310(i). We have repeated the attacks and found that there are some corrupted Bluetooth messages that could crash the Nokia 6310(i) phone," said the spokesperson, who sought to reassure customers by saying that following the crash, the phone will reset and function normally.
Nokia will not be releasing a fix for the devices in the near future because it said the attacks are limited to "only a few models" and it does not expect them to "happen at large".
The company advises customers in public places to set their phones to "invisible" or switch the Bluetooth functionality off: "In public places, where the above mentioned devices with Bluetooth technology might be targets of malicious attacks, at least in theory, the safest way to prevent hackers is to set the device in non-discoverable mode -- 'hidden' -- or switch off the Bluetooth functionality. This does not affect other functionalities of the phone," the spokesperson said.
A Sony Ericsson spokesperson told ZDNet UK the company is "looking into" the matter and expected to make a statement on Tuesday.
|