bluejack Q :: Mobile Phone Bluejacking
An SD Times email newsletter (that they don't webify for some stupid reason - hence it's clipped in its entirety since I can't link to it) reminded me to post this.
From SD Times “News on Thursday” 2005.12.29:
What the Heck Is Blue Jacking, and Can I Do It in Public?
By Alex Handy
There was a time when our wallets were the most secure location on our bodies. Then, along came cell phones and PDAs, and human beings were granted the ability to lock down their portable information with a password. But as phone and PDA technology advances, those wallets are starting to look a lot more secure.
Enter blue jacking, the act of sniffing out information transmitted via Bluetooth. While a pickpocket must be physically touching his victim in order to yank out that wad of bills, a blue jacker need only be within effective transmission range. And that range has been extended by garage-bound geeks with high-gain directional antennae. And, as is usually the case with new security vulnerabilities, many developers weren't even aware that they should have been trying to prevent such attacks.
While the art of preventing blue jacking is still in its infancy, there is now a tool to help. It's called Bluediving, and it's only just hit version 0.1 this week. But since it's an open-source project, the more cooks, the faster the soup will be finished.
Bluediving is a Bluetooth penetration tester, designed to poke Bluetooth-using hardware with the dreaded BlueSnarf, BlueSnarf++, BlueSmack and BlueBug attacks common among cyberpunks. In addition, Bluediving can spoof Bluetooth addresses, allowing testers and their nefarious evil twins to jump into transactions and muck things up.
So for device developers and Bluetooth users, it's time to start paying attention to blue jackers. Otherwise, we'll all have to start keeping our precious information on folded sticky notes inside our wallets again.
My only criticism of Alex's piece is that he gives developers of insecure software a complete pass for developing sniffable, insecure crap and dumping it on us unawares. I don't. Security nazis have been wailing in the wilderness for DECADES about insecurity in software. This is more evidence that there are too many people who don't belong in software development -- both on the developer side AND the management side.
In my experience many of the security lapses are due to executive management pushing too aggressive a timeline to ship product and failing to take seriously the security issues raised by developers. It's time that we impose civil liability for software security violations. Where's a good attorney when you need one?! Oh, wait, there aren't any. Except mine - when I get sued. Heh. Yes, I'm talking out of both sides of my mandibles. Deal with it.
I started leaving Bluetooth turned off on my phone a couple weeks back when I caught another Avanaut (who shall remain nameless) on my current project sniffing Bluetooth traffic... unless I absolutely have to use my headset (currently busted awaiting warranty replacement Jabra 250v) or ActiveSync via Bluetooth, but I turn it right back off when I’m done. You should, too. Think of it the same way you do locking your doors or setting your car alarm.
I’ll bet most people don’t know if their ExxonMobil Speedpass or even their cell phone is constantly broadcasting “Me! Hack me!”... Heh.