Traditionally, security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.
Recently, Britains government instructed members of Parliament to disable the Bluetooth functions on their cellphones because of the dangers of “bluesnarfing,” so it must be a real threat, right?
Well, technically, it is. The idea of snarfing—grabbing files from someone elses store without their permission (and preferably, without their knowledge!)—is an old one, and there are some cellphones that can have their data purloined over Bluetooth.
The problem isnt with Bluetooth itself. Its a particular stack, which has shown up on several phones from Nokia and Ericsson (exactly how the same bug got into software from two rival manufacturers is a question that may yet come to embarrass both of them!). But the bug does mean that you can—technically—get data off any public Bluetooth phone (meaning that it shows that it has Bluetooth) that has this stack.
My own view is: Its a load of hooey.
For starters, you have to get within a few paces of the phone you want to raid. The effective range of Bluetooth is said to be about 30 feet, but thats in clear air, not in a crowded room. Next, you have to identify the phone correctly. You wont see “Im Tony Blairs phone full of secrets!” in nice helpful letters; youll see the make of the phone.
The phone also needs to be vulnerable to attack. Adams Lauries Web site BlueStumbler contains an up-to-date list of affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets. There are no validated problems with Motorola, Panasonic, Philips or Siemens phones, or with any Symbian-based models, according to Nick Hunn, managing director at TDK Systems Europe.
Then, you have to have a “hacker stack.” There are no phones with hacker stacks. You have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants.
Finally, what do you get? A list of phone numbers?
And yet, the head of security at Westminster has deemed the threat sufficiently real to instruct Parliament to disable its phones. Can it really be the case that members of Parliament have phone numbers so secret that under no circumstances should any of them ever let these numbers slip?
Of course not. The purpose of these “news scares” is simple. It convinces a large group of people that the guy who discovered the “security loophole” is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.
If you think you really, really need those phone numbers, the way to do it is far simpler. Follow the Parliament members home whenever they take taxis. Statistically, youll get three phones in a month just by being the next passenger in the taxi, because thats how many of them will leave the phone on the seat when they get out.
Be sure to add our eWEEK.com mobile and wireless news feed to your RSS newsreader or My Yahoo page: