Nokia Admits Multiple Bluetooth Security Holes

An anonymous reader writes "Nokia has admitted that four of its handsets (6310, 6310i, 8910 and 8910i) have multiple security vulnerabilities that can allow an attacker to read, edit and copy the contacts and calendar entries using Bluetooth. This admission comes after a ZDNet UK article published earlier today. the spokesperson advises customers to switch off Bluetooth in public places!" For more information, see the bluesnarfing site pointed out by reader profet.

Re:bluejacking

[DJPenguin]

Bluejacking is just where you send a contact to available phones, and it just used to startle people. This is nothing to do with bluesnarfing which is the hacking/changing data!

Re:Great !

[Grounded0]

Go in to System Preferences, click Bluetooth applet, check "Support Non-Conforming Phones".

Re:bluejacking

[MrvFD]

According to this article [digitoday.fi] (in Finnish) Sony Ericsson is going to give a statement on Tuesday. Possible vulnerable SE models include R520m, T68i, T610 and Z1010.

Ingornace?

[juuri]

Bluetooth was built from the ground up with security in mind, obviously Nokia totally boggled this.

Re:K.I.S.S

[Anonymous Coward]

Actually if you are kind of loose in what you term an OS, many Symbian devices run basically 3 OS at the same time.

Application platform, misc. servers & UI apps (UIQ, Series 60, ...)

Symbian OS (kernel, middleware)

Some sort of Manufacturer RTOS for running a GSM stack, for which Symbian doesn't quite cut it.

These devices are far from simple. Given what you can do on this size of device, I wonder why someone doesn't make a solid state PC, with a few seconds boot time, and no noise. Wireless keyboard, monitor, mouse and LAN. (I don't mean a laptop).

I think the thing you mentioned (running up someones bill, on 0900 numbers, or otherwise) has already happened long ago, but by faking the SIM. I think the original GSMs had a fairly large security flaw related to the encryption key.

Or you could just steal someones phone ;)

Re:No big deal

[hanssprudel]

There are problems with Bluetooth by design. For one thing, no wireless protocol for interaction between devices can be truly secure unless peering requires physical contact between them (I place my phone next to my laptop, but the spook across the street has a directed antenna that is a thousand times stronger then the phone...)

It isn't like this hasn't come up before, Schneier predicted that Bluetooth would be a security nightmare three and a half years ago [schneier.com] ! Quoting:

What amazes me is the dearth of information about the security of this protocol. I'm sure someone has thought about it, a team designed some security into Bluetooth, and that those designers believe it to be secure. But has anyone reputable examined the protocol? Is the implementation known to be correct? Are there any programming errors? If Bluetooth is secure, it will be the first time ever that a major protocol has been released without any security flaws. I'm not optimistic.

And what about privacy? Bluetooth devices regularly broadcast a unique ID. Can that be used to track someone's movements?

The stampede towards Bluetooth continues unawares. Expect all sorts of vulnerabilities, patches, workarounds, spin control, and the like. And treat Bluetooth as a broadcast protocol, because that's what it is.

Both ZDNET and Nokia wrong

[linuxislandsucks]

You have to turn off bluetooth functionability to be safe..

Nokia is vunerabile to both having the device detect on and off in the hacks..

according to the bleustumbler.org site..

Re:Big Woop.

[zerosignal]

I have my phone (non-Nokia) on discoverable all the time for convenience. I run Mac OS X, and use the Address Book application to send SMS messages via the phone. I also have iSync configured to automatically sync my address book once a day when the phone is in the vicinity of the Mac. I don't notice a major drain on the battery with Bluetooth kept on. Having to disable it every time I went outside would be very annoying.

Re:Big Woop.

[INSSOMNIAK]

You only need to be discoverable when you are pairing. After that you can keep bluetooth on and it is _supposed_ to only talk to those devices you know about.

It's bad implementation, not specification

[rassie]

If nothing has changed since AL Digital released the it on bugtraq, then the most serious issues only affect phones that have previously been paired with the attacking Bluetooth device.

This means that you have to have given the attacker access to privileged services at one point in time, and then deleted him.

If you had not deleted him, he would obviously still have access.

But it is the missing deletion that is the problem.

You should not pair your device with any devices except your own. Your PDA requires to be paired with your Phone, Laptop, and access point, so it can dial up, synch, and have LAN access etc. But you don't have to pair it to send your business card to somebody else. There is no reason to pair with Joe Hackers device. So for most of the cases described by AL Digital it is just a bad implementation which does not affect the majority of users.

For the rest of the cases it is also a bad implementation by Nokia and "possibly other manufacturers", it is not a vulnerability in the protocol.

Re:Great !

[singleantler]

While I can use my 6310i as a modem for my Mac with no problems, I can't access the phone book in it, which is highly annoying, and using 'Support non-confirming phones' hasn't made any difference to that.

It's a shame - this is something the Sony/Ericsson phones do very well, but I still prefer Nokias overall (mainly because of their interface.)

Re:No big deal

[Anonymous Coward]

There is a shared pin code which is entered into both devices. If this pin code is short, as it typically is for low-security applications, then you have a point.

What's important, though, is that a shared key is negotiated without being sent over the wire. It may be possible to brute-force the pin with data captured from the initial authentication run, or there might be an attack against the key generation or encryption, but the "physical connection" you claim is required is only one way of ensuring that authentication data isn't sent over the radio channel.

From the article...

[ErnstKompressor]

According to the AL Digital's bluestumblerWeb site, vulnerable phones include: Ericsson T68; Sony Ericsson R520m, T68i, T610 andZ1010; andNokia 6310, 6310i, 7650, 8910 and 8910i.

Well that is just about all of the bluetooth phones out there then?

Re:Is Bluetooth upgradeable?

[Organized Konfusion]

No it doesn't wipe anything, even my call timers were still intact after upgrading the firmware.

Try this

[stere0]

PhoneManager [macmedia.sk] claims it can transfer contacts to/from a 6310i using bluetooth. It doesn't work without a cable for my non-i 6310 so I haven't tested it.