Bluesnarfing: The Modern-Day Security Vulnerability in a Wireless and Mobile World

Once known as the next big thing in wireless communication since the invention of mobile phones, Bluetooth technology has since gained a reputation as one of the gaping barriers in mobile and wireless device security — almost as bad as public Wi-Fi access points.

This may seem like a bum rap for Bluetooth. The advanced technology makes it possible for the visually and motion-impaired to enjoy the benefits of the Internet, connect multiple devices or computer systems, and allow the remote control of motor-driven appliances and machinery. But Bluetooth really does have its drawbacks — especially when considering its vulnerability to attacks. One of these attacks is gaining in infamy: bluesnarfing.

Understanding Bluesnarfing

Bluetooth technology uses a high-speed but very short-range medium for exchanging data by wireless means between desktops, mobile computers, smartphones, tablets, personal digital assistants (PDAs), and other devices. Later versions of Bluetooth support multiple device connections and even its own network called Piconet.

Bluesnarfing (or a Bluesnarf attack) is a device hack that involves the theft of data including contact lists, calendars, emails, or text messages from a Bluetooth-enabled wireless device set to “discoverable” mode. It was first observed back in 2003 by a group of researchers in a technology lab.

Bluesnarfing in Action

To set up a bluesnarf attack, a hacker needs to exploit the vulnerabilities present in some deployments of the object exchange (OBEX) protocol, widely used to execute the exchange of information between wireless devices. The attacker only needs to connect to a service which doesn’t require authentication and request the required information.

Once the OBEX protocol is compromised, a hacker can synchronize their own system with their targeted victim’s device in a process known as pairing. If the firmware on a device is unsecured, an attacker may be able to gain access to and steal all information. They may also be able to gain access to any services available to the targeted user.

Finding Bluesnarfing Resources Is Easy and Cheap

On the dark web, bluesnarfing tools and services are readily available — if one knows where to look.

These resources are accessible to all hackers, regardless of their experiences. The first tool to be deployed from the bluesnarf attacker’s bag of tricks is typically a utility like bluediving, which is essentially an easily downloadable penetration test application that probes Bluetooth-compatible devices for OBEX protocol vulnerabilities.

*Snarf! Snarf!*

Countering Bluesnarfing

What makes bluesnarfing such a concern? When an attack is happening, the victim can be completely in the dark, unaware that their high-value data is leaking into cyber-criminal hands. Unfortunately, there’s no way to completely prevent bluesnarfing. However, there are many ways to decrease chances of becoming a victim.

Knowing what type of devices exist in a wireless radio-wave environment is the first line of defense. That said, the Inpixon IPA Security solution features sensors equipped with Bluetooth-device detection and positioning. Within a facility, and on a given floorplan, IPA Sensors pinpoint and position potential high-risk Bluetooth devices used for bluesnarfing. Once identified and located, users can take further action by physically disabling a risky device.

Other ways to avoid bluesnarfing include deactivating discovery mode, keeping your mobile device in invisible mode, and using available anti-bluesnarfing tools which restrict device connection to only those which are already known.

To learn more about Inpixon IPA for security, contact us or request a demo.

About the Author:

Danny is a Presales Systems Engineer at Inpixon. A reader by day and writer by night, his passion for helping others understand the complexity of radio frequency technology is backed by his years of experience in the telecommunication industry. He also enjoys hacking his own mobile phones, playing soccer, listening to 80s and 90s music, traveling to new places, and driving race car tracks. A domain expert in the Inpixon Indoor Positioning Analytics (IPA) solution, Danny will do whatever it takes to help others achieve their network security goals.

Leave A Comment