This forum is intended as announcements for new and updated software for Series 60.
I download a java game and two ringtones at www.mobidel.com and the operator warned about a virus in series 60 software because I justed bluetooth:
its not just virus's(or is it virii) that people need to be wary of. here is a few articles about bluetooth being used from up to 1 ile away successfully. also, being able to disable the camera via bluetooth and stealing all phone data. the most vulnerable phones from attack are nokia, ericsson, and sony ericsson. here is an article about bluetooth (you can find the source here):
Using Bluetooth To Disable Camera Phones
Here's a possible solution to the problem of camera-phone voyeurs.
Lee Choo Kiong of Singapore's AsiaOne reports (thanks ITJournoAsia, subscription required) on three Temasek Polytechnic students who have come up with software that will disable camera functions on some cellphones, using Bluetooth.
What I think happens is that software is loaded into the cellphone (presumably with the user's permission and knowledge) and then once the cellphone comes into range of the Bluetooth device, its camera functions are disabled. Other functions of the phone would work normally, the report says. The report quotes one of the inventors, Lu Qian, 21, as saying: �This technology is useful in places where confidentiality is paramount, such as on military grounds, where visitors are not allowed to bring in their cellphones.�
Obviously this is limited by the fact that you can only load the software with the user's cooperation. And the software has so far been successfully tested only with Nokia 6600 and 7210 Bluetooth phones. It failed with a Nokia 7650 model, the report says.
On the other hand, as the inventors say, this might be useful in places where, instead of banning all phones, owners could submit their phone for modification and then be allowed to keep it, the camera disabled. That would make sense in military installations, factories, gyms or other places of sensitivity or virtue.
Welcome To Long Distance Bluesnarfing
Long distance Bluesnarfing is here.
Austrian researcher and Bluetooth expert Martin Herfurt tells me that he and some friends -- Mike Outmesguine, John Hering, James Burgess and Kevin Mahaffey -- were able to Bluesnarf a cellphone more than 1 mile away in Santa Monica Bay early on Wednesday. This follows a similar experiment late last month in which some of the same guys successfully connected to a Bluetooth phone 1 km away.
(Bluesnarfing is the practice of using a vulnerability in cellphones' implementation of Bluetooth to steal data or to hijack a cellphone to make calls or send text messages without the user's permission or knowledge.)
Martin says the distance was exactly 1.08 miles, or 1.78 km, which is in itself something of a feat, given they were using pretty basic stuff -- a 19db antenna with a modified class 1 dongle on one side and on the other the victim's unmodified phone. But it wasn't just that: He says they were able to not only snarf the entire address book but also send an SMS from the victim's phone.
Here's Martin the victim in the foreground, the pier in the background near where the attacker is located:
I hope this kind of experiment lays to rest those folk who don't see how this kind of thing would be a problem. Most of the naysayers claim that Bluesnarfing only works close by, but this shows that's not true. What's more, it shows how Bluesnarfing can be a sniper or a vacuum cleaner: Martin says they spotted dozens of Bluetooth phones in their experiment but just focused on the target phone. But if they'd wanted they could have sucked up the address books and data in most of those phones -- information that might have proved very valuable.
The Bluesnarfing Skeptics
Is Bluesnarfing the big problem it's made out to be?
"Traditionally," wrote Guy Kewney of eWeek earlier this month, "security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them." He then takes a look at bluesnarfing, which regular readers of this blog and the column will already be familiar with. His conclusion: Such concerns are "a load of hooey". Here's why:
* Range: "You have to get to within a few paces of the phone you want to raid because the effective range of Bluetooth is said to be about 30 feet..in clear air, not in a crowded room";
* Phone ID: "You have to identify the phone correctly. You won't see "I'm Tony Blair's phone full of secrets!" in nice helpful letters; you'll see the make of the phone";
* Affected brands: "The phone also needs to be vulnerable to attack...affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets";
* Tools: "you have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants";
* Results: "what do you get? A list of phone numbers?"
Guy sees such 'news scares' as intended to "convince a large group of people that the guy who discovered the 'security loophole' is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them."
OK, let's take a look at Guy's points. The first one, range, is pretty simple. Bluetooth doesn't have a range of 30 feet (10 meters); it has a range of up to 100 meters, depending on which class of Bluetooth gadget you're talking about. But the problem is not the range of the targetted gadget, but of the attacker's. Adam Laurie, the guy who first publicised this, has used off the shelf components plugged into a laptop to get a range of 80 meters and reckons with antennae it could go much further.
The second issue, Phone ID, is somewhat misleading. While it's true Tony Blair is unlikely to have had the time or interest to alter his phone's default name (usually the model name) to one more personal, the attacker is unlikely to be snarfing around for an exact model name. He is going to gobble up all the vulnerable Bluetooth device data he can find and then later, if he needs to, try to match data to individuals via, for example, the SMS sender field in any outgoing SMS/text messages. This field would reveal the telephone number of the target (thanks Martin Herfurt for clarifying this.)
Affected brands: While it's true that not all phones are affected, Nokia remains the single largest player in the UK (where eWeek is writing from) with nearly 30% market share in the first quarter of this year. SonyEricsson has nearly 6%. And while not all models from those manufacturers are vulnerable, that's still a lot of handsets.
Tools: Yes, it's unlikely you'd be able to mount a successful attack without a laptop, a Bluetooth dongle, and some technical idea of what you're doing. But it's naive to suggest that it's only going to be security consultants doing this kind of thing. The Bluesnarfing problem is one of data theft, which means its most likely users are folk in the data theft business, either for commercial purposes or criminal ones. Sure you're going to get a few techheads doing it for the hell of it, but the most likely threat is commercial espionage, and those guys are pros. Just because you can't imagine someone doing it, doesn't mean a criminal can't.
Results: This again reflects the limited imagination of the writer. Basically any information can be stolen from a cellphone via snarfing. This not only includes contacts -- in themselves potentially valuable -- but also any notes stored there, such as safe combinations, passwords, PIN numbers. In any case, Bluesnarfing is not just about data. It can also involve hijacking the user's phone to make a call without their knowledge. The ability of someone remotely to use your phone to dial a number and talk -- which then appears to the recipient to be coming from your phone -- raises all sorts of problem scenarios, but I'll leave those to your imagination.
It's not a new mantra, but it's worth repeating: Just because we can't think of how someone might benefit from these kind of security holes doesn't mean someone else can't. Sure, there are plenty of pseudo-security problems out there, and it's good to be skeptical, but as long as the manufacturers don't address it, Bluesnarfing is a real one, seriously compromising the security of your cellphone. As cellphones, PDAs and cameras merge into smartphones this problem can only become more acute.