What is Bluesnarfing?
Serious flaws in Bluetooth security lead to disclosure of personal data
In November 2003, Adam Laurie of A.L. Digital Ltd. discovered that there are serious flaws in the authentication and/or data transfer mechanisms on some Bluetooth enabled devices. Specifically, three vulnerabilities have been found:
First, confidential data can be obtained, anonymously, and without the owner's knowledge or consent, from some Bluetooth enabled mobile phones. This data includes, at least, the entire phonebook and calendar, and the phone's IMEI.
Second, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted ("paired") device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but also media files such as pictures and text messages. In essence, the entire device can be "backed up" to an attacker's own system.
Third, access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging. This third vulnerability was identified by Martin Herfurt, and he and Laurie have since started working together on finding additional possible exploits resulting from this vulnerability.
Finally, the current trend for "Bluejacking" is promoting an environment which puts consumer devices at greater risk from the above attacks.
The SNARF attack:
On some makes of device, it is possible to connect without alerting the owner of the target device to the request, and to gain access to restricted portions of the data stored on it, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log, and IMEI (International Mobile Equipment Identity, which uniquely identifies the phone to the mobile network and is used in illegal phone 'cloning'). This is normally only possible if the device is in "discoverable" or "visible" mode, but there are tools available on the Internet that allow even this safety net to be bypassed. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.