The dark side of Bluetooth

Despite its many legitimate uses, Bluetooth's popularity is growing among the nefarious because of the ease with which it can be used to swipe files from other users, make calls or render mobile phones completely useless.

Bluetooth, the specification for wirelessly connecting with devices up to 30 feet away, is becoming the vector of choice for next-generation phone phreakers, who use the technology to swipe files from other users, make calls or render mobile phones completely useless.

Much of the malicious code and attacks can be stopped by users making their devices "undiscoverable," according to security experts. In undiscoverable mode, mobile device users can connect to Bluetooth headphones, for example, while remaining invisible to other devices.

But fast-spreading worms and viruses may outpace the release of more secure devices -- and efforts by IT to educate users. Not to mention that users of Bluetooth devices don't always want to remain invisible.

Mobile phones are more ubiquitous than PCs, and mobile workers are storing more data than ever on their handheld gadgets. And like their corded, and weighty, desktop predecessors, Bluetooth-enabled phones are potential targets for widespread attacks.

The recent news about the emergence of the SymbOS.Cabir worm, which affects devices using the Symbian OS, will only invite more trouble for mobile device users, said the IT director of one highly mobile organization.

"Just as exploits of [Microsoft's software] follow the announcements of new vulnerabilities, news about Bluetooth viruses and exploits will get more hackers interested in its weaknesses," said Steve Conley, IT director for the Boston Red Sox. "If in a few months a lot of people get caught with their pants down, it would not surprise me one bit."

Antivirus experts at Finland-based F-Secure Corp. were among those surprised by the outbreak of a virus affecting users of mobile phones running the Symbian OS.

When F-Secure received reports of virus-infected handheld devices in the Philippines, the company's antivirus research team thought someone had his facts wrong.

"We were blowing them off," said Mikko Hypponen, director of antivirus research at F-Secure. "They were secondhand accounts. They just didn't seem credible."

Then a close associate of the F-Secure antivirus research team called from Singapore to report that a device at the Shangri-La Hotel was trying to install a virus on his phone via Bluetooth. Soon thereafter, another infected Bluetooth device, at a nearby Singapore Starbucks, made a similar attempt to spread the virus, the SymbOS.Cabir worm.

The United Arab Emirates, Beijing, New Delhi and Finland came next.

Hypponen said he knew that viruses would eventually turn up on phones using the Symbian OS and other mobile operating systems. "We just weren't thinking Bluetooth would be the first technique," said Hypponen.

Not long ago, people used mobile phones for making calls, and little else, said Bluetooth Special Interest Group executive director Michael Foley.

And Bluetooth was strictly a specification for connecting peripheral devices over short distances. "A couple of years ago," said Foley, "it was how you bought the device [that determined] how you used it. We're in a whole new world now."

Bluetooth aficionados now regularly use the technology to share contacts, make dates, and even meet new people. Young people often engage in Bluejacking, the non-malicious beaming of images and text messages to unsuspecting -- and often delighted -- recipients.

Bluetooth SIG, which publishes the Bluetooth specification, will be improving security in its next release, toward the end of 2005, according to Foley.

The changes, which include longer, alphanumeric PINs and better encryption for Bluetooth devices, may be fraught with their own problems, said Mark Rowe, IT security consultant at Cheshire, U.K.-based Pen Test, Ltd. "But any move towards improving security is a good thing," he said.

"Ellie," a Bluejacker from Surrey, U.K., hopes that not too many mobile users will take the first step to securing their devices -- making them undiscoverable.

That would spoil the fun for Ellie, who publishes the Web log But she conceded that unethical Bluejackers could launch denial-of-service type attacks at mobile users from a laptop.

"It's great fun to receive a Bluejacking message," said Ellie. "I don't want to say set yourself undiscoverable. But if you are really worried about security, then you probably should."
