Security Wireless Networking Hardware

Nokia Admits Multiple Bluetooth Security Holes

An anonymous reader writes "Nokia has admitted that four of its handsets (6310, 6310i, 8910 and 8910i) have multiple security vulnerabilities that can allow an attacker to read, edit and copy the contacts and calendar entries using Bluetooth. This admission comes after a ZDNet UK article published earlier today. The spokesperson advises customers to switch off Bluetooth in public places!" For more information, see the bluesnarfing site pointed out by reader profet.

  • bluejacking (Score:1, Interesting)

    by martin ( 1336 ) <<maxsec> <at> <gmail.com>> on Tuesday February 10, 2004 @08:24AM (#8236173) Journal
    Old news. The concept of hijacking bluetooth links was first mentioned here [slashdot.org] back in November.

    But I guess Nokia finally admitting they have an issue is interesting. I wonder what the other Bluetooth capable device manufacturers do about this???
  • K.I.S.S (Score:3, Interesting)

    by OlivierB ( 709839 ) on Tuesday February 10, 2004 @08:26AM (#8236188)
    Keep It Simple Stupid. Phones are tools. We don't "need" them to be fully featured akin to a full OS. Today we have Bluetooth holes in a few phones. What's next tomorrow on MSFT Smart Phones? Hackers turning in using your line to call 0900 numbers? People hacking your e-wallet? When it comes to commodity devices we should make sure they do reliably and securely work. I don't expect anything less.
  • Unbelievable (Score:2, Interesting)

    by sufehmi ( 134793 ) <sufehmi@NOSpAm.gmail.com> on Tuesday February 10, 2004 @08:56AM (#8236314) Homepage Journal
    I can't believe this, a company as big as Nokia making a mistake as stupid as this?

    I thought most people would have learned something from the WiFi fiasco by now, especially Nokia (who also make security products such as firewalls, by the way).

    Now let's see if they're dedicated enough to their customers to fix this problem quickly.
    In the meantime, it's a good idea to keep this in the headlines of the media.

    On another note, I'd be interested in other Bluetooth-enabled devices - handsfree headsets? iPAQs? Palm? Sony Clies?
  • Except that Nokia have built Bluetooth support only into a limited number of phones, mainly those aimed at the "business market". For instance, my 6800 has almost every conceivable option but no Bluetooth.

    I can't guess their reasons for not including Bluetooth with all their more expensive models, since it can't cost more than one Euro or so, but at least it means that of all the phones out there, relatively few are exploitable.
  • by sokeeffe ( 210737 ) on Tuesday February 10, 2004 @09:14AM (#8236406) Homepage
    This is exactly the reason why it's such a big issue.

    As a consumer, if you have a Bluetooth phone all you are likely to have is the phone numbers of your friends.

    As a geek, you are more than likely to have a PDA for keeping anything more detailed/sensitive.

    Business users, executives etc. are more likely to use the advanced functions of their phones and therefore it is they who are most at risk of losing sensitive data.

    So, whilst most models don't have Bluetooth, the ones that do are the ones that are likely to have the most valuable information.
  • by collin.m ( 207384 ) on Tuesday February 10, 2004 @09:23AM (#8236482) Homepage
    Nokia is not the only phone maker with broken or stupid Bluetooth implementations. Just look at the Siemens S55, which by default (when Bluetooth is on) accepts any kind of files and saves them to your phone's inbox. Also it has several bugs, like the Nokia. I have set up a small website (http://www.betaversion.net/btdsd/) with a currently very small list of Bluetooth-capable phones with their security settings and bugs. I tell you, Bluetooth will be real fun in the future :-)
  • What's the truth? (Score:4, Interesting)

    by Tug3 ( 567419 ) on Tuesday February 10, 2004 @09:28AM (#8236516)
    Interestingly, from what I have read about the security vulnerabilities with the *five* models affected by this (Nokia 6310, 6310i, 8910, 8910i and 7650), Nokia has confirmed only that the 7650 has the problem. It was also reported that some SonyEricsson phones would have similar vulnerabilities, but it was not stated which models. So, I take it that at least these five Nokia phones have the Bluetooth holes. But what is interesting is that different news feeds report Nokia confirming/denying different models! What this really tells us is that the writers of the news themselves are either: 1) Too lazy to look it up from Nokia itself. 2) Too naive to take some other newsfeed's info as a fact. 3) Too inexperienced to check the validity of the info. 4) Too ??? to ??? So, who made the mistake? ALL the "reporters" who did not check the validity of the news by themselves straight from the source.
  • Re:K.I.S.S (Score:3, Interesting)

    by beeblebrox87 ( 234597 ) <slashdot.alexander@co@tz> on Tuesday February 10, 2004 @10:03AM (#8236749)
    Keep It Simple Stupid. Computers are tools. We don't "need" them to be fully featured with a full OS. Today we have network holes in a few applications. What's next tomorrow on MSFT Longhorn? Hackers turning in using your modem to call 0900 numbers? People hacking your e-wallet? When it comes to commodity devices we should make sure they do reliably and securely work. I don't expect anything less.
    ---
    Damn luddites. Just because you would rather have a device that gives up freedom for security does not mean all of us do. There is a market for "KISS" phones, just as there is a market for locked-down xbox or "internet appliance" computers. Your post, however, implies that companies shouldn't produce more complicated phones. Personally, my phone's main source of usefulness is as a general-purpose, hackable device, and I don't expect anything less.

    Adding security doesn't mean we have to remove features. Linux is a prime example of this. Substantially more secure than most alternatives, not because it removes features, but because people actually paid attention to security when they wrote it.
  • by CrystalFalcon ( 233559 ) on Tuesday February 10, 2004 @10:10AM (#8236818) Homepage
    That's why my home LAN is wired -- so I at least know if anyone is tapping me, then they must be on the inside.

    This isn't true -- you can pick up (copper) LAN signals from a reasonable distance, which is why the military always uses fiber outside of shielded environments. At least when sensitive data is expected to travel along the pipes.

    The most obvious way to test this is to place an ordinary FM radio antenna along the network wire and see how much junk you are picking up; you can clearly hear the intensity of the network traffic.

    I heard this traffic when sitting in my car in the company parking lot at one of my previous jobs and so knew when the builds were done.

    Granted, the equipment is fairly expensive, but don't think for a second that you're safe because you're wired. Wires leak like hell.
  • by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Tuesday February 10, 2004 @10:51AM (#8237155)
    Um, you know, you could be right with that one, especially since I upgraded from thin co-ax to Cat5. Although I thought the twisted pairs had some sort of a shielding effect. And also, most of my kit seems to give off plenty of RF noise, so maybe that helps to mask it.

    An ordinary radio set gives only a qualitative estimate. To recover the actual data, you'd need equipment costing more than any of my data is worth {but I wouldn't put it past the M.I.B. to sue me for wasting their time with junk data}. You'd also probably need to be inside my house {which is usually occupied, due to become occupied soon, or locked} and near the actual segment carrying the data; and, since the ADSL connection goes off into who knows where, that would probably be the easier target.

    Also, the military deliberately go overboard on security in order to make people think things are less secure than they really are. Overkill is just part of the theatre: it makes the top brass feel important, and it cultivates insecurity among the lower ranks.
