Bluetooth is a high-speed, limited-range wireless technology through which any type of file or data gets transferred between devices, such as mobiles, laptops, desktops, tablets, PDAs (Personal Digital Assistants), and other devices that support the technology.
Exchanging data via Bluetooth can be performed by various means, but none ensures complete safety due to some historical experiences associated with data security vulnerabilities.
To report these security breaches via Bluetooth, the term bluesnarfing was introduced. In simple terms, bluesnarfing is stealing information through Bluetooth. Bluesnarfing, also known as the BlueSnarf attack, occurs when a Bluetooth-capable device is on “discoverable” mode. When Bluetooth mode in any device is turned on, the device can be located by other compatible devices within the range.
Data theft occurs between the wireless devices with Bluetooth capability, and it may involve information from contact lists, emails, calendars, text messages, or any other information. Such an act takes place as many-a-times users forget to turn off their Bluetooth, or it gets turned on without the user’s knowledge, resulting in data loss.
Researcher Marcel Holtmann is the one who discovered the term bluesnarfing. It was publicly known later when Adam Laurie of A.L. Digital let out the information about the data vulnerability. He came across the bug in November 2003 and reported the same to the Bluetooth device manufacturers immediately. It was due to this disclosure that the bluesnarfing became more popular.
Working of bluesnarfing
To understand how a bluesnarfing attack occurs, it is first essential to understand how Bluetooth works. Information between wireless devices that are Bluetooth-capable is exchanged under the object exchange (OBEX) protocol.
The OBEX Push Profile is something that an attacker must have to perform bluesnarfing. It is a service where authentication is not required and is optimized for the easy exchange of digital business cards and other objects.
The OBEX protocol holds inherent security vulnerabilities that attackers can easily exploit using tools such as Bluediving. Using it, attackers search for Bluetooth-enabled devices and connect with them without the users’ consent—thus, the chances of Blusnarfing increases when the device is unsecured or improperly implemented. The attackers can access and steal all the files whose names are either known or interpreted correctly. Sometimes, this even allows them to gain access to services available for the targeted user.
Some hackers even create their bluesnarfing tools using different programming languages. It is not only restricted to programmers; non-programmers also perform bluesnarfing using ready-to-use hacking tools available online. Also, various bluesnarfer-for-hire services can be used to employ hackers.
How to handle bluesnarfing attack?
As such, there is no foolproof way of preventing a bluesnarf attack. Bluesnarf attack is a point of concern because when an attack is under process, the victims have no idea of what’s going on about their valuable data, leaked into the hands of a cybercriminal.
Following are some best practices that can be undertaken to avoid falling as a victim of bluesnarfing-
- Creating at least eight characters long PIN (personal identification number) that would be difficult for attackers to crack
- Avoid accepting pairings from unknown numbers
- Make use of the phone’s security features, such as two-factor authentication (2FA), so that every request needs the users’ approval
- Turning off the phone’s discovery mode so that it remains invisible to unknown devices
- Anti-bluesnarfing tools are also available such as simple utilities that may configure to detect any unauthorized Bluetooth connection between the device and others nearby. Bluesnarfing resource websites are also a significant provider of defensive weapons.
Performing a bluesnarfing attack on a device is possible for a cybercriminal even when it is 300 feet away. The attacker can practically copy the entire content of a phone or any other device that includes emails, contact lists, phone numbers, passwords, and pictures.
Strange yet true, some bluesnarfing attackers may even use the victim’s phone to make a long-distance call, leaving the owner with a heavy telephone bill. All of it takes place out of the victim’s knowledge, and therefore there are higher chances that the attack may go on for a longer time.
So far, the most widely known bluesnarfing case was performed by Google back in 2013. It performed the act by collecting data from unencrypted wireless networks, which in standard terms is called bluesnarfing. The information obtained included emails and passwords. As a result, the tech giant had to pay a settlement amount of about USD 7 million.
Last words
Any form of theft is scary, and these days digital theft is prevalent. Bluesnarfing is just one of the many modern methods that attackers can use to steal user’s confidential and sensitive data.
Users who are concerned more about security will for sure give up their little convenience to get it. On the other side, manufacturers of Bluetooth phones will remain more alert by understanding the trade-off between security and convenience and designing phones in ways that push users toward security. They don’t want to get accused of vulnerable marketing technology as they have already faced the same a lot.
To gain more knowledge on security and related topics, download our latest whitepapers on Security.