
Snarfing: how serious is it?

by Guy Kewney | posted on 07 May 2004


If one didn't know better, one would suspect certain consultancies of indulging in wanton publicity hype about Bluetooth "snarfing" - and it seems that the House of Commons in Britain may have taken some of this a bit too seriously.


Reports that The Times discovered 46 phones "vulnerable to this kind of snooping" in the Palace of Westminster mean that the security boss sounds very sensible when he says "No services using wireless technologies will be offered until security concerns have been addressed."

What Sir Archy Kirkwood, president of the House of Commons Commission, actually means, of course, is that he doesn't know the first thing about wireless security, hasn't got a coherent security policy of any kind, and is going to deal with the need to bring parliament into the 21st century by the simple expedient of doing nothing.

The vulnerability of certain phones to "blue-snarfing" can't be dismissed. There are a lot of phones, both Nokia and Sony Ericsson models, which are vulnerable.

The problem, say experts (they asked not to be named) is that there's a flaw in the stack of the Bluetooth software they use. "It raises a very interesting question about whose code both these companies 'borrowed' the stack from," said one engineer. "But both have the fault, and it's the same fault."

The problem appears to be similar to a "buffer over-run" vulnerability; it means that someone else with the right hacking tools can get control over the phone.

For most of the phones concerned, this pretty much gives you access to the phone book, which is certainly not what you'd want. It would also, in theory (nobody has done this!) allow you to tell the phone to call your phone, allowing you to use it as a spy bug, listening to all conversations in range. Or perhaps it could even be set up to divert incoming calls to your hacker phone. Again, it's all - in theory - possible, and none of this is desirable.

On the other hand, there are some other questions worth asking.

For example: how close do you have to be to the phone? "About ten feet, really, if there aren't a lot of other people about. Closer, in a crowd," suggested one engineer. "Bluetooth range is improving, but it's still short range."

Won't that change with Class 1 Bluetooth, which has 100m range?

"Well, only if you believe people are going to equip mobile phones with Class 1 Bluetooth and keep this same flawed stack. There are no phones with Class 1, nor are there likely to be, since it uses considerably more power, which is bad for battery life."

So, we're looking at some phones on the market already, which have short range wireless, and which will be obsolete within a year; and we're looking at a software base which will not be repeated in any new phones. But surely, even so, the risk is real?

"So is the risk of a meteor hitting Parliament," said our expert.

You should ask what you need to bluesnarf. The answer is: a hacker stack. You need to be able to write your own Bluetooth stack which is capable of allowing the command processes to be initiated. Are there any phones with such a stack?

"No. At a generous guess, there are fewer than ten people in the world who have the technology to hack into your phone, and at best, they may have time to download your phone book."

Meanwhile, the security system which so zealously protects Westminster from this devastating scourge of wireless intrusion allowed me to walk into the Parliamentary building two weeks ago. On my back was a rucksack with a computer (with wireless!), two Bluetooth phones, and two cameras. The bag was searched, and I proceeded to my appointment. Nobody knew what I might be able to do, because they don't know anything about wireless. But the laptop is a Centrino ThinkPad ...

And quite rightly, too; whatever damage I might have been able to do with this "dangerous hacking equipment" is trivial compared to what anybody can do with Internet virus tools.

Of course, Parliament is quite safe from those. Nobody in Westminster has broadband; it's a security risk, I dare say. Result: MPs in the buildings have to use dialup, which restricts their protection to a software firewall - if they know that it's a good idea to turn one on, and if they know how to do this.

But at least, if there is a breach, nobody can point the finger at Sir Archy. He did nothing, and so it can't be his fault. Right? Or is it, rather, the case that unless the security boss knows how to deal with wireless risks, he's merely ignorant of a whole area of technology where the only security lies in expertise?

