Slashdot Mirror


Nokia Admits Multiple Bluetooth Security Holes

An anonymous reader writes "Nokia has admitted that four of its handsets (6310, 6310i, 8910 and 8910i) have multiple security vulnerabilities that can allow an attacker to read, edit and copy the contacts and calendar entries using Bluetooth. This admission comes after a ZDNet UK article published earlier today. The spokesperson advises customers to switch off Bluetooth in public places!" For more information, see the bluesnarfing site pointed out by reader profet.


  1. Great ! by mpeeters · · Score: 5, Funny

    Great, not a single Mac OS X app can correctly address my 6310i, but Joe Random Hacker can? Urgh. I need to get my priorities straight.

    --
    Research is what I'm doing when I don't know what I'm doing.
    1. Re:Great ! by Grounded0 · · Score: 4, Informative

      Go in to System Preferences, click Bluetooth applet, check "Support Non-Conforming Phones".

      --
      IRC: Grounded0 @ IRCnet. "I was lucky get into computers when it was very young & idealistic industry" -Steve Jobs
    2. Re:Great ! by singleantler · · Score: 3, Informative

      While I can use my 6310i as a modem for my Mac with no problems, I can't access the phone book in it, which is highly annoying, and using 'Support non-conforming phones' hasn't made any difference to that.

      It's a shame - this is something the Sony/Ericsson phones do very well, but I still prefer Nokias overall (mainly because of their interface.)

      --
      "What if they're using IE?" "I've dumbed Mozilla down to cope with it." - BOFH
  2. No big deal by cwernli · · Score: 4, Insightful

    What's happening with Bluetooth happened with wireless networks.

    What happened with wireless networks happened with anonymous ftp servers.

    What happened with anon ftp servers happened with telnet access (you remember the "guest" login provided by most hosts ?).

    Every time a new technology is used there are some flaws with it. No big deal.

    1. Re:No big deal by pesc · · Score: 5, Insightful

      What's happening with Bluetooth happened with wireless networks.
      What happened with wireless networks happened with anonymous ftp servers.
      What happened with anon ftp servers happened with telnet access (you remember the "guest" login provided by most hosts ?).
      Every time a new technology is used there are some flaws with it. No big deal.


      BIG DEAL!

      You could expect that someone that designs a new communication protocol today builds on past experience. It's not like viruses, spam, malware and crackers are something unknown. Instead, you should make the security requirements absolutely central in your new protocols. With the bluetooth technology becoming the most widespread wireless communications protocol (if you believe its proponents) not having security as a top priority is absofuckinglutely brainlessly idiotical.

      --

      )9TSS
    2. Re:No big deal by infiniti99 · · Score: 5, Insightful

      Just to clarify, this article is about a problem in Nokia's implementation of Bluetooth, not necessarily a problem in the actual Bluetooth protocol/specification. As an analogy, we hear about security holes in IIS, Apache, OpenSSL, etc, but these do not necessarily indicate problems in the relevant RFC documents. At least, we can hope so ...

    3. Re:No big deal by hanssprudel · · Score: 4, Informative

      There are problems with Bluetooth by design. For one thing, no wireless protocol for interaction between devices can be truly secure unless peering requires physical contact between them (I place my phone next to my laptop, but the spook across the street has a directed antenna that is a thousand times stronger than the phone...)

      It isn't like this hasn't come up before, Schneier predicted that Bluetooth would be a security nightmare three and a half years ago! Quoting:

      What amazes me is the dearth of information about the security of this protocol. I'm sure someone has thought about it, a team designed some security into Bluetooth, and that those designers believe it to be secure. But has anyone reputable examined the protocol? Is the implementation known to be correct? Are there any programming errors? If Bluetooth is secure, it will be the first time ever that a major protocol has been released without any security flaws. I'm not optimistic.

      And what about privacy? Bluetooth devices regularly broadcast a unique ID. Can that be used to track someone's movements?

      The stampede towards Bluetooth continues unawares. Expect all sorts of vulnerabilities, patches, workarounds, spin control, and the like. And treat Bluetooth as a broadcast protocol, because that's what it is.

  3. Hey, do you want.... by lofoforabr · · Score: 4, Funny

    a fresh list of emai^H^H^H^H telephone numbers so you can send your email marketing to?

  4. K.I.S.S by OlivierB · · Score: 3, Interesting

    Keep It Simple Stupid. Phones are tools. We don't "need" them to be fully featured akin to a full OS. Today we have Bluetooth holes in a few phones. What's next tomorrow on MSFT Smart Phones? Hackers turning in using your line to call 0900 numbers? People hacking your e-wallet? When it comes to commodity devices we should make sure they do reliably and securely work. I don't expect anything less.

    --
    Artificial intelligence is no match for natural stupidity
    1. Re:K.I.S.S by Anonymous Coward · · Score: 3, Informative
      Actually if you are kind of loose in what you term an OS, many Symbian devices run basically 3 OS at the same time.

      Application platform, misc. servers & UI apps (UIQ, Series 60, ...)

      Symbian OS (kernel, middleware)

      Some sort of Manufacturer RTOS for running a GSM stack, for which Symbian doesn't quite cut it.

      These devices are far from simple. Given what you can do on this size of device, I wonder why someone doesn't make a solid state PC, with a few seconds boot time, and no noise. Wireless keyboard, monitor, mouse and LAN. (I don't mean a laptop).

      I think the thing you mentioned (running up someone's bill, on 0900 numbers, or otherwise) has already happened long ago, but by faking the SIM. I think the original GSMs had a fairly large security flaw related to the encryption key.

      Or you could just steal someone's phone ;)

    2. Re:K.I.S.S by little_fluffy_clouds · · Score: 4, Insightful

      Think about the damages on windows PCs. Users are advised to keep their machines up to date and yet a significant proportion of them do not listen (want proof? Mydoom is now in version C and still taking hits at MSFT's website).

      Your comparison with "their machines" and the phone firmware (essentially this is the phone "OS"), makes me think you believe that Windows Update can defeat MyDoom.

      Actually, MyDoom has fuck all to do with keeping your Windows PC up to date. It is about keeping your _virus_ scanning up to date, and not running attachments that make it through to you. I could have just run and completed Windows Update, but still be infected with MyDoom via the very next email I received and (stupidly) ran the attachment of. Remember, virus scanning is NOT part of the Windows OS, it is something that must be loaded and configured and paid for (usually, unless you go with grisoft or similar).

      Your point would be a lot better made if you referred to something like the Blaster or Nachi worm, where the fix was available via Windows Update for several weeks.

      --
      What were the skies like when you were young?
    3. Re:K.I.S.S by beeblebrox87 · · Score: 3, Interesting

      Keep It Simple Stupid. Computers are tools. We don't "need" them to be fully featured with a full OS. Today we have network holes in a few applications. What's next tomorrow on MSFT Longhorn? Hackers turning in using your modem to call 0900 numbers? People hacking your e-wallet? When it comes to commodity devices we should make sure they do reliably and securely work. I don't expect anything less.
      ---
      Damn luddites. Just because you would rather have a device that gives up freedom for security does not mean all of us do. There is a market for "KISS" phones, just as there is a market for locked-down xbox or "internet appliance" computers. Your post, however, implies that companies shouldn't produce more complicated phones. Personally, my phone's main source of usefulness is as a general-purpose, hackable device, and I don't expect anything less.

      Adding security doesn't mean we have to remove features. Linux is a prime example of this. Substantially more secure than most alternatives, not because it removes features, but because people actually paid attention to security when they wrote it.

  5. Re:Important note: by grazzy · · Score: 4, Funny

    most people would probably be better off without the wheel.. but try telling them..

  6. Re:bluejacking by DJPenguin · · Score: 4, Informative

    Bluejacking is just where you send a contact to available phones, and it's just used to startle people. This is nothing to do with bluesnarfing which is the hacking/changing data!

  7. Social science wonder? by orzetto · · Score: 5, Insightful

    These days we have all possible material about encryption available publicly. We have RSA, we have digital signatures, we have freely available software which can create perfectly encrypted material which would give bad headaches to the NSA if they had to crack it, even I can encode anything with gpg.
    Yet, a mobile-phone giant does this. Are they just plain stupid, or is this another example of the wonders of social science? I can't help thinking how intelligent an ant nest can be though ants singularly are so stupid, and how an organization with some of the brightest engineers on the planet can act so carelessly.

    --
    Victims of 9/11: <3000. Traffic in the US: >30,000/y
  8. Re:Is Bluetooth upgradeable? by DJPenguin · · Score: 4, Insightful

    I had the firmware upgraded on my 6310i to resolve some bluetooth connection issues, and I imagine the whole stack is upgradeable in this manner.

    I don't think the bluetooth protocol is broken - just the implementation.

  9. Ignorance? by juuri · · Score: 3, Informative

    Bluetooth was built from the ground up with security in mind, obviously Nokia totally boggled this.

    --
    --- I do not moderate.
  10. Re:It could be a lot worse... by sokeeffe · · Score: 4, Interesting

    This is exactly the reason why it's such a big issue.

    As a consumer, if you have a bluetooth phone all you are likely to have is the phone number of your friends.

    As a geek, you are more than likely to have a PDA for keeping anything more detailed/sensitive.

    Business users, executives etc. are more likely to use the advanced functions of their phones and therefore it is they that are most at risk to losing sensitive data.

    So, whilst most models don't have bluetooth, the ones that do are the ones that are likely to have the most valuable information.

  11. Both ZDNET and Nokia wrong by linuxislandsucks · · Score: 3, Informative

    You have to turn off bluetooth functionality to be safe..

    Nokia is vulnerable to both having the device detect on and off in the hacks..

    according to the bleustumbler.org site..

    --
    Don't Tread on OpenSource
  12. nokia is not the only one by collin.m · · Score: 5, Interesting

    Nokia is not the only phone maker with broken or stupid bluetooth implementations. Just look at the Siemens S55 which by default (when bluetooth is on) accepts any kind of files and saves them to your phone's inbox. Also it has several bugs, like the Nokia. I have set up a small website (http://www.betaversion.net/btdsd/) with a currently very small list of bluetooth capable phones with their security settings and bugs. I tell you bluetooth will be real fun in the future :-)

  13. What's the truth? by Tug3 · · Score: 4, Interesting

    Interestingly from what I have read about the security vulnerabilities with the *five* models affected by this (Nokia 6310, 6310i, 8910, 8910i and 7650), Nokia has confirmed only that the 7650 has the problem. Also reported that some SonyEricsson phones would have similar vulnerabilities, but it was not stated which models. So, I take it that at least these five Nokia phones have the Bluetooth holes. But what is interesting is that different news-feeds report Nokia confirming/denying different models! What this really tells us that the writers of the news themselves are either: 1) Too lazy to look it up from Nokia itself. 2) Too naive to take some other newsfeeds info as a fact. 3) Too inexperienced to check the validity of the info. 4) Too ??? to ??? So, who made the mistake? ALL the "reporters" who did not check the validity of the news by themselves straight from the source.

    --
    If all else fails, pull the plug and get out...
    The Life is out there...
  14. Protected 6310 by Fizzl · · Score: 4, Funny

    I think I have a 6310 from the first batch. Never bothered to flash it because I rarely use it.

    This one does not have the vulnerability. You see, if you switch bluetooth on, the whole phone crashes immediately.

  15. Re:Unbelievable by ebbe11 · · Score: 4, Insightful
    I can't believe this, a company as big as Nokia making mistake as stupid as this ?

    I can. The mobile phone manufacturers in general and Nokia in particular are very much focused on time-to-market. That means that their phones are not always finished when they hit the shelves. To be fair, neither was my Ericsson R520m phone when I first got it.

    --

    My opinion? See above.
  16. Re:Big Woop. by INSSOMNIAK · · Score: 3, Informative

    You only need to be discoverable when you are pairing. After that you can keep bluetooth on and it is _supposed_ to only talk to those devices you know about.

  17. Not true - wires leak like hell by CrystalFalcon · · Score: 4, Interesting

    That's why my home LAN is wired -- so I at least know if anyone is tapping me, then they must be on the inside.

    This isn't true -- you can pick up (copper) LAN signals from a reasonable distance, which is why the military always uses fiber outside of shielded environments. At least when sensitive data is expected to travel along the pipes.

    The most obvious way to test this is to place an ordinary FM radio antenna along the network wire and see how much junk you are picking up; you can clearly hear the intensity of the network traffic.

    I heard this traffic when sitting in my car in the company parking lot at one of my previous jobs and so knew when the builds were done.

    Granted, the equipment is fairly expensive, but don't think for a second that you're safe because you're wired. Wires leak like hell.

  18. It's bad implementation, not specification by rassie · · Score: 3, Informative

    If nothing has changed since AL Digital released it on bugtraq, then the most serious issues only affect phones that have previously been paired with the attacking Bluetooth device.

    This means that you have to have given the attacker access to privileged services at one point in time, and then deleted him.

    If you had not deleted him, he would obviously still have access.

    But it is the missing deletion that is the problem.

    You should not pair your device with any devices except your own. Your PDA requires to be paired with your Phone, Laptop, and access point, so it can dial up, synch, and have LAN access etc. But you don't have to pair it to send your business card to somebody else. There is no reason to pair with Joe Hacker's device. So for most of the cases described by AL Digital it is just a bad implementation which does not affect the majority of users.

    For the rest of the cases it is also a bad implementation by Nokia and "possibly other manufacturers", it is not a vulnerability in the protocol.