Slashdot Mirror

← Back to Stories (view on slashdot.org)

'BlueBag' PC Sniffs Out Bluetooth Flaws

Posted by ryuzaki0 on from the next-door-neighbors dept.

An anonymous reader writes "Why isn't Bluetooth set to "hidden" in all of Nokia's phones? Some hackers in Italy stuffed a computer with a bunch of Bluetooth dongles in a suitcase to see how many Bluetooth devices they could discover by wandering around airports, train stations and shopping malls. The answer? More than 1,400 in 23 hours." The team will present their findings at BlackHat later this summer.

9 of 76 comments (clear)

  1. Discovery is not pairing by wish+bot · · Score: 5, Insightful
    That's great, but how many could they actually pair with?

    Ohh...none?!

    --
    lemonade was a popular drink and it still is
    1. Re:Discovery is not pairing by mlk · · Score: 3, Insightful

      If you rename your device to "Nokia Download Center: Snake Superupdate aviable, type 1234 for this free update"(1) I wonder how many people would blindly tap it in, and bond with you. But to be honest, I'm not really sure what you could do then over Bluetooth.

      Mmm. Bonding.

      My computer (in a 2nd floor flat) will every now and again get Bluetooth bonding requests, and popups welling me that I've connected to someones PIM (until I turned it off).

      1) Or "Free PORN!" equivalent.

      --
      Wow, I should not post when knackered.
    2. Re:Discovery is not pairing by Tim+C · · Score: 4, Funny

      In related news, 100% of people walking past my front door can see it...

      --
      It's official. Most of you are morons.
  2. From the makers of cell phone anti-virus software by elrous0 · · Score: 4, Informative
    Convenient findings from the makers of cell phone anti-virus software, no?

    -Eric

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  3. news? by SillyNickName4me · · Score: 4, Informative

    While it is a fun experiment, it is really not news at all.

    I have to make a 5 1/2 hours trip by train about twice a month, and for a while one of my ways to waste some time was bugging people who have bluetooth enabled phones...

    My 'toolset' ?

    A Palm m505 equipped with a bluetooth sdcard.

    Typically, just walking through the train from one end to another would get me some tens of phones and a laptop here and there.

    Often you can't pair with devices you find, but many of them don't really require pairing for getting data from them, and besides, pairing requests allow for sending text messages, and a 'yes' is an instinctive reply whenever people get bugged by popups.. also on a phone.. Even if that doesn't work, you can still bug people and even make use of their phone difficult... (great when you can find the phone of that extremely loudly talking person)

    This was some 3 years ago, and it was well documented back then already.

    1. Re:news? by eraserewind · · Score: 3, Funny

      Do you also knock on people's doors and then run away?

  4. Re:Nuclear Powerstations and Missiles by Darth_brooks · · Score: 4, Informative

    Her sidekick didn't get hacked via bluetooth. The just used a really simple, easy to guess password and her web access (Sidekicks dont actually store much data, they ship photos & the address book off to the T-mobile servers.). IIRC she used the name of that little rat dog she used to carry around.

    Her "incident" touched off a series of B-list celebs getting their sidekick data plasted around the web. I think Fred Durst was another one that was caught the same way.

    --
    There are some people that if they don't know, you can't tell 'em.
  5. Re:NOT a dongle! by mjh · · Score: 4, Insightful

    The problem is that language doesn't work that way. All of us, as a group, are in control of language. Words that were intended for one context frequently apply to all kinds of other contexts. And people gravitate towards analogies. So the "dongle" that you speak of, works very well as an analogy for a bluetooth peripheral. Pretty soon, "dongle" means any sort of thing you plug into a PC that sticks out the end.

    It is very difficult to keep people from using words the way that they want to. This is the motivation behind trademark laws. Once the mass decides that a word (e.g. kleenex or xerox) means something more than the specific original intention, the game is up. I believe that dongle has passed that threshold.

    So you can continue, in a Quixote-esque manner, to try and steer people back to the single specific meaning of dongle. But I don't think you'll succeed. And I think you're likely to get very frustrated. But if that's what you want to do, have at it!

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  6. Re:Ok, so they discovered a whole lot of phones by Rob+Kaper · · Score: 3, Informative

    Bluetooth device IDs can be forged, so if someone knows the ID of a paired device they can easily gain access, so this isn't a good idea. As long as you have a device that requires you to accept incoming objects (v-cards/images/mp3s/etc) you should be fine. Never accept an incoming object unless you trust the source - it's kind of like e-mail.