Figure Bluetooth Devices Forming a Scatternet

Business Intelligence...

The Art of Bluejacking and Bluesnarfing

Bluejacking first showed up in popular use in 2003 or so when Bluetooth devices gained popularity. Bluejacking is more of a prank than an attack, and an annoying one at that. The term apparently was coined in late 2002 by a fellow going by the moniker ajack. Although there are some rather amusing stories about bluejacking, to date there are no stories of unmitigated corporate network attacks having their genesis in a bluejacking. A story in 2003 by the Associated Press is a great example of how bluejacking typically works.

"The group of lanky tourists strolling through Stockholm's old town never knew what hit them. As they admired Swedish handicrafts in a storefront window, one of their cell phones chirped with an anonymous note: "Try the blue sweaters. They keep you warm in the winter." The tourist was "bluejacked" — surreptitiously surprised with a text message sent using a short-range wireless technology called Bluetooth. As more people get Bluetooth-enabled cell phones — both sender and recipient need them for this to work — there is bound to be more mischievous messaging of the unsuspecting. It's a growing fad, this fun with wireless. Already, Web sites are offering tips on bluejacking, and collections of startled reactions are popping up on the Internet." —Matt Moore, "Cell phone messaging takes a mischievous turn," The Associated Press, November 13, 2003 (from http://www.wordspy.com/ words/bluejacking.asp).

Bluesnarfing, on the other hand, is an illegal activity that involves stealing data from a Bluetooth-enabled device. Typically, this involves stealing contacts or calendar entries. The calendar entries might be embarrassing ("Cosmetic surgery, 4 pm") but rarely damaging unless the calendar entry also has confidential information in it ("Meet Doug M. at 2 am in southwest corner of parking lot to hand off illegally gotten trade secrets"). More importantly, most of us don't want our contacts just handed over to a complete stranger. If you're like most people, you have a mixture of personal contacts (Mom, Dentist, Local Pizza Place) and business contacts (Boss: Home, Boss: Work, Boss: Cell, Boss: Husband, Boss: VacationHome, CEO of Company A, CIO of Company B). It would

Continued be pretty creepy (and potentially dangerous) to have your mother get phone calls at 2 am from someone telling her that he knows her home phone number, address, zip code, and alarm code.

Stealing calendar and contact information via bluesnarfing requires both Bluetooth devices be on and available. The quickest and easiest way to avoid bluesnarfing (which requires about two to three minutes of continuous connection time) is to disable Bluetooth when not specifically in use. If you're using a cell phone with a Bluetooth headset, you can disable Discovery mode (sometimes called Visible mode), which makes it difficult for someone to find your Bluetooth-enabled device.

There's an excellent article you can read from 2004 that contains in-depth information about various Bluetooth attacks and the devices that were (at that time) vulnerable to such attacks. Head to this URL for more information: http://www.thebunker.net/security/bluetooth.htm.

One might argue that the threats to Bluetooth devices are greatly exaggerated by the media. At the same time, if you're sitting in a crowded airport awaiting your flight, there's always a chance someone could grab your contacts and have a field day with them. Suppose you were fortunate enough to get the home phone number (or the private line at the remote cabin) for the CIO of your company, a Fortune 500, publicly traded company. Do you really want someone getting that number, calling the CIO in the middle of the night saying that the Director of IT Security (you) gave the caller his number? Talk about a CTM (Career Terminating Move).The point is that confidential information is routinely stored on Bluetooth devices from PDAs to cell phones and data is at risk, regardless of how great or small you perceive that risk to be. This is an excellent example of a case where evaluating risk and remediation is pretty simple.You'll most likely create a user policy guideline (see the chapter on security policy later in this book) that requires users to set their Bluetooth devices so they are not in Discovery or Visible mode except when purposely participating in a Bluetooth network in a relatively safe location (at a business meeting, for example). Most (if not all) newer Bluetooth devices are updated to protect against attack but attackers are often smart, persistent folks and they'll no doubt find the next open door to go through. Staying up to date on attack types is a never-ending task, so make sure there are people on your IT staff that are specifically tasked with doing so and keeping the rest of the team informed. Dividing this work into topic areas is a good way to keep everyone on the prowl for the latest data, and can be a great way to improve the skills of everyone on your team.

Was this article helpful?

0 0
Project Management Made Easy

Project Management Made Easy

What you need to know about… Project Management Made Easy! Project management consists of more than just a large building project and can encompass small projects as well. No matter what the size of your project, you need to have some sort of project management. How you manage your project has everything to do with its outcome.

Get My Free Ebook


Post a comment