Opinion: Bluesnarfing is a load of hooey

by Guy Kewney | posted on 12 May 2004


Traditionally, security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.

I'm not sure that "BlueSnarfing" comes into the same category, really.

Recently, Britain's Government instructed Members of Parliament to disable the Bluetooth functions on their cellphones, because of the dangers of BlueSnarfing, so it must be a real threat, right?

Well, technically, it is. The idea of snarfing is an old one - grabbing files from someone else's store, without their permission (and preferably, without their knowledge!) and there are some cellphones which can have their data purloined, over Bluetooth.

The problem isn't with Bluetooth itself. It's a particular stack, which has shown up on several phones from Nokia and from Ericsson. Exactly how the same bug got into software from two rival manufacturers is a question which may yet come to embarrass both of them! But the bug does mean that you can, technically, get data off any Bluetooth phone which is public (showing that it has Bluetooth) and has this stack.

My own view is: it's a load of hooey.

For a start, you have to get within a few paces of the phone you want to raid. The effective range of Bluetooth is said to be ten metres, but that's in clear air, not in a crowded room. Next, you have to identify the phone correctly. These things don't say: "I'm Tony Blair's phone full of secrets!" in nice helpful letters. They show the make.

Then, you have to have a "hacker stack." There are no phones with hacker stacks. You have to have a PC. I doubt there are more than ten people in the world who could be bothered to create one, and they are almost certainly all security consultants.

Finally, what do you get? A list of phone numbers?

And yet, the head of security at Westminster has deemed the threat sufficiently real to instruct Parliament to disable its phones. Can it really be the case that MPs have phone numbers so secret that under no circumstances should any of them ever let these numbers slip?

Of course not. The purpose of these "news scares" is simple. It convinces a large group of people that the guy who discovered the "security loophole" is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.

If you think you really, really need those phone numbers, the way to do it is far simpler. Follow MPs home whenever they take taxis. Statistically, you'll get three phones in a month just by being the next passenger in the taxi, because that's how many of them will leave the phone on the seat when they get out ...


This article originally appeared on eWeek.com.