Slashdot Mirror


'BlueBag' PC Sniffs Out Bluetooth Flaws

An anonymous reader writes "Why isn't Bluetooth set to "hidden" in all of Nokia's phones? Some hackers in Italy stuffed a computer with a bunch of Bluetooth dongles in a suitcase to see how many Bluetooth devices they could discover by wandering around airports, train stations and shopping malls. The answer? More than 1,400 in 23 hours." The team will present their findings at BlackHat later this summer.


  1. From the makers of cell phone anti-virus software by elrous0 · · Score: 4, Informative
    Convenient findings from the makers of cell phone anti-virus software, no?

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  2. Re:Discovery is not pairing by Anonymous Coward · · Score: 1, Informative

    I believe you meant your answer to be: 0000

  3. news? by SillyNickName4me · · Score: 4, Informative

    While it is a fun experiment, it is really not news at all.

    I have to make a 5 1/2 hour trip by train about twice a month, and for a while one of my ways to waste some time was bugging people who have bluetooth enabled phones...

    My 'toolset' ?

    A Palm m505 equipped with a bluetooth sdcard.

    Typically, just walking through the train from one end to another would get me some tens of phones and a laptop here and there.

    Often you can't pair with devices you find, but many of them don't really require pairing for getting data from them, and besides, pairing requests allow for sending text messages, and a 'yes' is an instinctive reply whenever people get bugged by popups.. also on a phone.. Even if that doesn't work, you can still bug people and even make use of their phone difficult... (great when you can find the phone of that extremely loudly talking person)

    This was some 3 years ago, and it was well documented back then already.

  4. Nuclear Powerstations and Missiles by k1980pc · · Score: 2, Informative

    I can use my laptop and find out the location of each and every single strategic installation in the world. That surely does not allow me to log in to or enter any of them and cause mischief. Just because they were able to 'see' bluetooth devices is not a security risk - It becomes serious only if they were able to pair to any of them, with or without a passcode. But I remember P.Hilton or somebody getting plastered all over the net with pics hacked from her cell using bluetooth. Just can't find the link.

    1. Re:Nuclear Powerstations and Missiles by Darth_brooks · · Score: 4, Informative

      Her sidekick didn't get hacked via bluetooth. They just used a really simple, easy to guess password and her web access (Sidekicks don't actually store much data, they ship photos & the address book off to the T-mobile servers.). IIRC she used the name of that little rat dog she used to carry around.

      Her "incident" touched off a series of B-list celebs getting their sidekick data plastered around the web. I think Fred Durst was another one that was caught the same way.

      --
      There are some people that if they don't know, you can't tell 'em.
  5. NOT a dongle! by youngerpants · · Score: 2, Informative
    OK, this peeves me. A "Dongle" is a hardware license. That is, an adapter/chip that plugs into a PC/Server/Whatever that verifies a license.


    These guys plugged several bluetooth peripherals into a laptop.


    Sorry, but this is a technology site.

  6. Re:May not be news, but... by SillyNickName4me · · Score: 2, Informative

    Simply turning off bluetooth altogether unless you are actually using it may also do some nice things for talk/standby time btw.

  7. Re:Ok, so they discovered a whole lot of phones by Rob+Kaper · · Score: 3, Informative

    Bluetooth device IDs can be forged, so if someone knows the ID of a paired device they can easily gain access, so this isn't a good idea. As long as you have a device that requires you to accept incoming objects (v-cards/images/mp3s/etc) you should be fine. Never accept an incoming object unless you trust the source - it's kind of like e-mail.

  8. This is old news, done already in 2004 by Anonymous Coward · · Score: 1, Informative

    A firm carried out similar research way back in 2004, so to skip ahead and see what the findings were, check here Nick